“The human is the weakest link in the security chain.”
Recent events in Washington have demonstrated this cliche with clarity.
This week, we’ve all witnessed yet another high-profile security breach involving Signal, the messaging app. A senior member of President Trump’s national security team added Jeffrey Goldberg, the editor-in-chief of The Atlantic, to a private Signal group chat, where they were discussing sensitive military operations against Houthi forces in Yemen.
The conversation included among emojis, detailed strike timings, strategic considerations, and even exchanges celebrating successful initial strikes. Participants included Vice President JD Vance, Defense Secretary Pete Hegseth, CIA Director John Ratcliffe, National Security Adviser Mike Waltz, and other senior officials.
You would imagine behind closed doors all sorts of secrecy and cryptic discussion happens, like in the spy movies. In contrast, we saw fire emojis when discussing bombing another region. But this happens when security is yet again neglected.
“Encryption can’t protect you from stupid.”
Signal offers impressive security features:
- End-to-end encryption that prevents even Signal itself from accessing messages
- Open-source code that can be inspected for vulnerabilities
- Minimal data collection compared to other platforms
- Message auto-deletion capabilities
But none of these protections matter when a user, let alone a high-ranking official, simply adds an unauthorized person to a confidential conversation.
And of course, none of these impressive security features are sufficient for a top level government official handling sensitive national security matters.
Using an encrypted channel is one thing. However, it’s important to know that the information can still be collected, stored, and decrypted.
Other cyberattacks can occur, such as side channels, certificate substitution and device level surveillance, in order to get the information without having to decrypt. This is precisely why discussions of this sensitivity traditionally take place in Sensitive Compartmented Information Facilities. These are secure rooms designed to prevent electronic eavesdropping.
However this is the world we live in. Phishing attacks happen every second, and high-ranking officials post memes and rocket emojis regarding potential attacks, all while using consumer messaging apps.
Comments are closed.