27-03-2025
The Signal scandal is even dumber than it looks
Advertisement
That's not the only boneheaded decision revealed by this week's self-inflicted leak. It appears, from the now-published exchange, that the administration may be ignoring other basic cybersecurity protocols. Here's how.
Get Starting Point
A guide through the most important stories of the morning, delivered Monday through Friday.
Enter Email
Sign Up
Relying on Signal for security
Signal is more secure than your average chat app, but it falls far short of military standards. 'Any normal person would have been arrested already' for discussing military operations on Signal, said
Signal features end-to-end encryption that's supposed to be much more secure than standard voice and chat smartphone apps. In fact, last December, the US
But the federal advisory didn't say that Signal was suitable for use in conducting airstrikes. And according to Schneier, it's not even close.
For one thing, military-grade systems use their own custom-made encryption algorithms. For another, the phones they run on feature custom-made operating systems, not the standard iOS or Android software found on consumer phones.
Relying on consumer-grade phones
Hackers are constantly on the hunt for ways to crack iOS and Android systems. This could enable them to smuggle spyware onto a supposedly secure phone. Once the device is compromised, Signal messages could be intercepted before they were encrypted.
Advertisement
'Those systems are not secure in any important sense,' said Dan O'Dowd, chief executive of Green Hills Software, a California company that makes hardened phone systems for military use.
This isn't news to the Trump administration. During last year's election, the Trump campaign began using Green Hills secure phones after learning that phones used by Trump and Vice President JD Vance were attacked by China-based hackers. Yet the president's national security team failed to take the hint.
Connecting one Signal-equipped phone to another is designed to be easy — maybe too easy. Hackers believed to be based in Russia have used phishing emails to trick people into connecting their Signal accounts to cybercriminals looking to steal sensitive data. NPR reports that the Pentagon last week alerted all personnel to avoid using Signal to discuss even unclassified military matters, because of the phishing threat.
In addition,
the German magazine Der Spiegel on Wednesday said it has uncovered mobile phone numbers, email addresses and passwords used by national security adviser Mike Waltz, defense secretary Pete Hegseth, and director of national intelligence Tulsi Gabbard. The sensitive information was found in the records of commercial data brokers and in files published by hackers on underground web sites, the magazine said.
But a military-grade system isn't vulnerable this way, Schneier said. Each participant in a chat has to have a secure device and must be cleared in advance to participate in such communications. 'A military-grade encryption product is not going to have the ability to link random people to it,' Schneier said. So forget about a journalist stumbling in by accident. 'It's restricted in the mistakes it can make,' Schneier said.
Advertisement
Disregarding government transparency
There's one more troubling aspect to the Signal affair — its possible damage to our right to know what our leaders are doing.
Signal is famous for offering 'disappearing messages,' which can be programmed to delete themselves after 24 hours from every device that receives them. It's a handy way to ensure that a user's careless comments won't come back to haunt her. But it runs headlong into the government's responsibility to keep accurate records of official activities.
It's not a new question, either. In 2021, the Defense Department's
It's unclear whether the messages intercepted by Goldberg were intended to self-delete. But it doesn't inspire confidence when government officials make critical decisions using a technology that can automatically cover their tracks.
Hiawatha Bray can be reached at
