The unsettling saga of signal-gate

In a shocking breach of communication protocols that has sent ripples through national security circles, a recent Signal messaging app incident has laid bare the precarious state of digital communication among high-ranking government officials in the US.

The incident, first reported by Atlantic editor-in-chief Jeffrey Goldberg, reveals how a sensitive national security discussion was inadvertently compromised when Goldberg was accidentally added in a Signal group chat.

The leaked chat included several prominent figures including the US Vice President JD Vance, Defence Secretary Pete Hegseth, Secretary of State Marco Rubio, Trump Advisor Stephen Miller, Special Envoy to the Middle East Steve Witkoff, White House Chief of Staff Susie Wiles, Director of National Intelligence Tulsi Gabbard.

Whilst Trump blamed the app being defective, ironically Hegseth had previously been vocal about secure communications, once criticising Hillary Clinton’s use of a private email server.

In 2016, he argued that any security professional would be “fired on the spot” for such reckless handling of sensitive information.

A digital security nightmare unfolds

Cybersecurity experts are unanimous in their condemnation. The leak was ‘absolutely ridiculous on so many levels’, said one official at the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security’s digital safety arm. ‘They are discussing classified material on an unsanctioned platform, which should result in someone being in jail’.

The stark assessment highlights the gravity of the security breach. The chat, which was discussing the U.S. military strikes in Yemen, violated multiple critical security protocols:

• Officials were using Signal, a personal messaging app, for discussions that should occur in secure, government-controlled environments.

• Messages were set to disappear after a week, potentially violating federal record-keeping laws (or maybe intentional to avoid having any records of such conversations).

• A journalist was inexplicably added to a chat discussing sensitive military operations.

In another concerning revelation, an investigation by Der Spiegel uncovered that personal contact information and passwords of senior U.S. security officials, including National Security Adviser Mike Waltz, Director of National Intelligence Tulsi Gabbard, and Defence Secretary Pete Hegseth, were readily accessible online.

Utilising commercial search engines and data from previous breaches, journalists retrieved mobile numbers, email addresses, and in some cases, passwords linked to these officials.

Notably, some of these contact details were associated with social media profiles and messaging apps like WhatsApp and Signal, potentially exposing them to security threats such as spyware installation.

This discovery raises significant concerns about the vulnerability of high-ranking officials to cyber threats and underscores the urgent need for enhanced cybersecurity measures within government ranks.

The technology behind the breach

Signal is a communication app like WhatsApp, celebrated for its end-to-end encryption.

Signal has become a popular communication tool across journalists, political activists, and various government departments.

The app’s primary selling point is its security features where messages are encrypted so that only the sender and recipient can read them and the company claims that they do not retain message content or extensive metadata (believe it or not).

WhatsApp, with over 2 billion users worldwide, has long promoted itself as a secure messaging platform as well, emphasising its end-to-end encryption (E2EE).

This means that only the sender and recipient should be able to read messages, theoretically preventing even WhatsApp or its parent company Meta (formerly Facebook) from accessing them.

WhatsApp backs up data in the cloud which is not end to end encrypted by default, which means that can be accessed by the government agencies or hackers. Meta is also suspected of ‘cooperating’ with government agencies when required.

If a hacker gains access to a device via spyware (such as Pegasus, used by governments to target individuals), they can bypass encryption by reading messages directly on the phone.

Attackers really don’t need to go to great lengths to break the encryption if they can see the messages as they are typed or received by the user. So having a secure mobile app does not mean the whole communication between two parties would remain secure.

While encrypted messaging apps like Signal provide robust communication protection, they cannot fully mitigate the inherent security risks associated with personal devices. Personal smartphones fundamentally lack the advanced security infrastructure of government-issued, monitored devices, making them susceptible to multiple critical vulnerabilities.

Malware can bypass app-level encryption, enabling potential keystroke logging, screen recording, and unauthorised system access.

Even physical proximity poses significant risks, as devices can be photographed, recorded, or accessed through shoulder surfing techniques. Sophisticated hackers can further exploit vulnerabilities by tricking users into installing compromised applications, creating convincing phishing mechanisms, or manipulating existing apps through social engineering tactics.

The fundamental lesson is that encryption represents just one layer of digital security and comprehensive protection requires a holistic approach addressing device integrity, user awareness, and systematic security protocols. Ultimately, the most secure communication occurs through controlled environments with multiple layers of technological and human-driven safeguards.

Tod Beardsley, a former CISA staffer, emphasised the risk, noting, “It is not hard to peek on a Signal chatter’s screen, and we don’t know who else was in eyeball range when these messages were written.”

Political and security implications

The incident has drawn significant political attention. Fourteen senators, including Elizabeth Warren, Tim Kaine, and Cory Booker, have written to President Trump, highlighting the violation of the Presidential Records Act.

While the White House and Hegseth maintain that no classified information was leaked, the incident raises critical questions about government communication practices across the globe where many government official take things very lightly and may use WhatsApp or Signal for classified communication, considering them to be safe.

Governments worldwide have repeatedly banned apps and mobile manufacturers over security fears, but the current incident merely hints at a deeper, more alarming vulnerability.

The real risk lies in the unknown—how many officials are unwittingly using personal devices that could already be compromised, believing they are operating on a secure communication platform?

CIA Director John Ratcliffe acknowledged the widespread use of Signal in intelligence circles during a recent Senate Intelligence Committee hearing, stating that his communications were “entirely permissible and lawful.”

Cybersecurity experts unanimously recommend:

• Strict adherence to secure communication protocols within any government organisation

• Use of designated secure communication facilities

• Comprehensive training on digital security

• Implementation of multi-factor authentication

• Regular security audits of communication practices

The incident serves as a stark reminder of the challenges posed by rapidly evolving communication technologies.

As digital platforms become increasingly sophisticated, so too must our approaches to protecting sensitive information.

For government officials, the message is clear: convenience must never compromise national security.

The article does not necessarily reflect the opinion of Business Recorder or its owners