Why security officials keep using the Signal app despite risks
When news broke that Trump administration officials, including former national security adviser Mike Waltz and Defense Secretary Pete Hegseth, were using commercial chat apps to share sensitive information, one common response among the president’s supporters was that this wasn’t news. Such apps were everywhere on Capitol Hill. Prior administrations engaged in similar breaches of traditional security protocol, too, they argued.
Trump administration officials favor Signal, the same commercial app that many people in President Joe Biden’s administration used. Hillary Clinton, who set up a nonsecure, private email server in her home while serving as President Barack Obama’s secretary of state in 2009, also famously broke protocol. She sent emails from home, using that server, that were later found to have contained classified information, with a couple deemed “top secret.”
In their defense, Secretary Clinton and other officials have said that the unsanctioned communication methods are, simply put, more convenient. And while Signal is now considered one of the best encrypted apps on the market, its real appeal is that it is far easier to use than the current classified government systems. Those government systems have failed, critics say, to evolve with the technological times – a bipartisan point of frustration.
Why We Wrote This
Breaking protocols around what’s “classified” can stem from trying to ease – or avoid a record of – work communications. Whatever the motive, sidestepping such rules degrades their significance in keeping secrets safe.
But apps like Signal still aren’t ideal, security experts warn. America’s adversaries want secrets and are good at uncovering them. And anything commercial and easier to use is, by default, easier to abuse. Or hack. Or spy on.
U.S. officials are “high-value targets,” says Stephanie Pell, who has taught cyberethics and cybersecurity law at the U.S. Military Academy at West Point. “So it’s incumbent upon officials to communicate securely and to protect national security information.”
Why are national security officials sidestepping security protocols?
There have been charges of hubris and carelessness on both sides of the political aisle on this front. Analysts also see an inclination among some officials to keep certain communications private, not just from spies but also from government recordkeeping. Apps like Signal have features that erase encrypted conversations after a set period – a desirable tool if officials want to sidestep federal requirements to preserve communications conducted on the job, analysts say.
Mr. Waltz, in recent days, also appeared to be using an app called TeleMessage that allows communications to be recorded.
That enables compliance with rules around retaining federal records for oversight reasons, but is “bad in that it is another line of vulnerability,” says Scott Anderson, a fellow in Governance Studies at The Brookings Institution. TeleMessage, for example, suspended all services this week after a hack.
Even conscientious adherents to national security protocols acknowledge that classified U.S. government systems are far from convenient. As a U.S. attorney prosecuting terrorist cases, Ms. Pell often scrambled to find secure spaces to talk business when she traveled. In her own office, she held sensitive conversations only over special phones inside areas hardened against eavesdropping by foreign intelligence agencies.
“Is that more cumbersome than bringing a laptop to a café, which I very much enjoy, or using an app on a phone? Yes, but that’s the bargain,” Ms. Pell says. Being granted a security clearance means agreeing to protect information in exchange for being privy to it, she adds. “We don’t always get to do things just because they’re easier.”
Are classified systems unnecessarily onerous?
During the Cold War, sensitive compartmented information facilities, or SCIFs, were developed as windowless, soundproof rooms to hold classified conversations. They are still used today. Cellphones aren’t allowed in, and while most SCIFs prevent internet access, many top officials have had SCIFs installed in their homes to make it easier to comply with security protocols after hours.
Despite technological advances, national security agencies “have built this communications culture around the idea that classified communications can really only take place in these facilities,” says Richard Forno, who directs the graduate cybersecurity program at the University of Maryland, Baltimore County. The result, he adds, has been “bureaucratic inertia” in developing alternatives.
Given that the government continues to use systems “designed for a different era,” it’s understandable that many officials who must still drive to secure offices to use classified networks think “there has to be a better way of doing this,” Mr. Forno says.
Last month, The Associated Press reported that Secretary Hegseth installed an unsecured internet line in his Pentagon office, bypassing security protocols, to use Signal – a common occurrence among U.S. officials, Mr. Anderson says. Cellphone reception in the Pentagon is notoriously spotty; Mr. Hegseth is reportedly using the line to access Signal so he can coordinate with the national security adviser.
When asked about reports that the defense secretary is using an unsecured line, a Defense Department spokesperson said the information “is classified.”
What can be done for now?
In the Biden administration, Signal chats were frequently used as “tippers,” or heads-up messages telling recipients to check their classified systems. Experts say that’s a reasonably secure way to use the technology.
At the same time, spurred on by current events surrounding Signal, tech developers have fresh impetus to develop and sell secure mobile phones that prevent hacking and tracing.
Congress could also help protect classified information. Though the president decides what’s secret, lawmakers could establish more explicit rules around handling information, ensuring “a certain protocol and level of security,” Mr. Anderson says.
Congress could also establish enforcement mechanisms, he adds. These could include imposing a range of penalties, including criminal prosecution.
Still, observers say, even if the government introduced a new secure type of mobile phone or app, some officials might still look for workarounds if they really want to avoid public records.
In the meantime, the concern is that disregarding long-standing security protocols degrades their significance and endangers those they are meant to protect. If officials from the president on down “aren’t following the rules, then that has a tendency to send the message that they’re not important,” Ms. Pell says.
“Over time, that erodes the respect for why those systems are critical in the first place.”
