My brother used to be an Air Force pilot. (He retired and is now an airline pilot, but that’s not the point of this story.) My family visited his for Christmas one year when he was stationed in Hawaii. One day while we were there I noticed a device needed to be charged. I can’t remember what it was at this point, but it was probably my Kindle. I couldn’t find a wall wart, so I plugged it into my brother’s computer. A few minutes later he noticed and got very worried. It was a work laptop and he would now need to report a security incident.
I say this because military security is a big deal. My Kindle could have been a vector for some enemy of the US to learn Air Force secrets. Thankfully there were other protections and my brother was quickly cleared. But the mere possibility of a security breach was serious business.
It was a big deal a few years ago when Hillary Clinton had State Department emails sent to a private server. Someone on her staff should have flagged the issue before it ever became a story in the news. It’s just an unnecessary risk that she took in order to continue to use her BlackBerry device.
Signal is a great way to secure conversations. Our team uses it when we travel. But we don’t have national secrets. It’s just a convenient way to keep in touch when we can’t rely on text messages as we travel internationally. According to a US Department of Defense memo from October, 2023, Signal is specifically not authorized:
Unmanaged ‘messaging apps,’ including any app with a chat feature, regardless of the primary function, are NOT authorized to access, transmit, process non-public DoD information. This includes but is not limited to messaging, gaming, and social media apps. (i.e., iMessage, WhatsApps, Signal). An Exception to Policy (E2P) request must be submitted by the appropriate Component for use of an unmanaged messaging app that is
critical to fulfilling mission operations at https://rmfks.osd.mil/dode2p.
I don’t know if the current Secretary of Defense got an Exception to Policy. Whether or not he did, he demonstrated why the policy exists when someone in his group chat invited the editor in chief of The Atlantic to a discussion about bombing the Houthi in Yemen.
Nobody who was on the “Houthi PC small group” Signal group can be trusted with national security. Not national security adviser Mike Waltz nor Vice President JD Vance nor Defense Secretary Pete Hegseth nor Secretary of State Marco Rubio nor CIA Director John Ratcliffe nor Director of National Intelligence Tulsi Gabbard. It’s just too easy to invite someone (in this case a journalist) without anyone in the chat noticing. Thankfully the journalist waited until after the attack was completed to go public. But there’s no certainty that will be the outcome in the future.
Ultimately software can’t prevent user error. Systems designed to communicate securely can be configured to reduce the consequences of this sort of mistake. For instance, my brother’s Air Force laptop had some protection against unauthorized USB devices. (Though I don’t have any idea what it consisted of.) These officials, with the exception of the Vice President, are unelected, but appointed for their ability to, for instance, plan a military operation without leaking the details to the public.
This incident should increase our trust in traditional journalism (which held the story until it no longer risked harming the military operation) and decrease our trust in this president who seems unconcerned with this security failure.