“The main issue isn’t whether Signal is secure, it’s that it shouldn’t be used for communicating potentially classified info,” says David Choffnes, an associate professor of computer science.
U.S. national security officials reportedly used Signal, a popular messaging app available to the public, to communicate sensitive military plans.
Northeastern University cybersecurity experts say that apps such as Signal are more secure than other communication methods because they deploy end-to-end encryption.
But tools such as Signal are not sanctioned for official government communications, not least because they possess no safeguards to prevent the sharing of information with individuals without the proper clearance, says David Choffnes, executive director of the Cybersecurity and Privacy Institute at Northeastern University.
“The main issue isn’t whether Signal is secure — it is! — it’s that it shouldn’t be used for communicating potentially classified info,” says Choffnes, an associate professor of computer science.
“The latter needs to use communication tools that prevent sharing information to parties who don’t have clearance,” Choffnes says. “Signal, on the other hand, is designed to make it easy for groups of people to communicate irrespective of clearance.”
Senior Trump administration officials reportedly communicated planned airstrikes on Houthi rebels in Yemen via the Signal app, mistakenly including Jeffrey Goldberg, the editor in chief of The Atlantic magazine.
How did Goldberg enter the conversation?
He claims he was inadvertently added to a group chat discussing the sensitive national security plans, beginning when he received a Signal invitation from a user identified as Michael Waltz — Waltz is the national security adviser — on March 11.
Users of Signal — or similar apps like Telegram or WhatsApp — can invite anyone from their address book into a chat or conversation.
“So the issue is that national security officials were using an unsanctioned tool for communication and then preposterously added a reporter to their thread, whereas if they used official tools available to them via existing federal systems, such a mistake would never have happened,” Choffnes says.
After accepting the invitation from Waltz, Goldberg says he was then added to a Signal chat group called “Houthi PC small group.” Over the next few days, he was privy to a high-level conversation about sensitive plans to attack the Houthis.
That conversation culminated in Secretary of Defense Pete Hegseth reportedly sharing details about the planned strikes. Goldberg writes that Hegseth texted “operational details of forthcoming strikes on Yemen, including information about targets, weapons the U.S. would be deploying, and attack sequencing.”
“The world found out shortly before 2 p.m. Eastern time on March 15 that the United States was bombing Houthi targets across Yemen,” Goldberg wrote.
“I, however, knew two hours before the first bombs exploded that the attack might be coming,” he wrote. “The reason I knew this is that Pete Hegseth, the secretary of defense, had texted me the war plan at 11:44 a.m. The plan included precise information about weapons packages, targets and timing.”
It’s not clear why the officials were using Signal instead of official channels.
“It’s incredibly careless and foolish. It boggles the mind,” Ryan Ellis, an associate professor at Northeastern University whose research focuses on communication law and policy, infrastructure politics and cybersecurity. “We’re talking about the director of the CIA; the director of national intelligence; we’re talking about the vice president; we’re talking about the national security adviser and the secretary of defense. This kind of lapse or poor judgement is almost incomprehensible.”
Ellis notes that national defense and classified information is supposed to be shared through very specific channels — systems that are well-safeguarded to protect communications from foreign adversaries. “Additionally, there are federal records laws that require the use of specific systems and backups so that records can be obtained,” he says.
“There’s no encryption software in the world that is going to prevent you from making a blunder if you directly send classified information to a journalist accidentally,” Ellis says.