Share this article on:
Powered by MOMENTUMMEDIA
Breaking news and updates daily.
While politicians and commentators alike question just how a journalist was added to a confidential military planning chat session, Penten’s chairman and co-founder explains how secure communications should work.
Senior members of the Trump administration made headlines this week after it was revealed that sensitive military and policy plans had been shared during a chat session on the Signal messaging app.
Adding insult to injury, the use of the app and the sharing of potentially damaging information on an application that is not meant to be used for such discussions was the fact that the editor of The Atlantic discovered the chat after somehow being accidentally added to the group.
Jeffrey Goldberg at first thought the discussion – which included the US Secretary of Defense Pete Hegseth, National Security Adviser Mike Waltz, and the Director of National Intelligence, Tulsi Gabbard – was a hoax or an attempt to disseminate misinformation. But when he realised the high-level discussion was around plans to bomb targets in Yemen, he decided to wait and see if the bombs did indeed drop.
The bombs dropped, just as Hegseth had explained in by-the-minute detail. When Goldberg reached out to the National Security Council, it confirmed the chat was real.
The revelation alarmed Republicans and Democrats alike. Everything from the use of a commercial application to the sharing of detailed military plans on a clearly insecure platform raised eyebrows around the world. To get to the meat of why such discussions should never be shared on a messaging app like Signal, we reached out to the co-founder and chairman of Australian-owned digital security firm Penten, Matthew Wilson, to answer some questions about what has come to be called ‘Signalgate’.
Cyber Daily: What are the implications of using an app like Signal for such serious policy/planning sessions?
Matthew Wilson: Governments explicitly forbid sharing classified information on consumer apps like Signal – and with good reason. No matter how secure these consumer apps may appear, they’re not built or operated to government standards for classified information: there’s no control, no audit, and no assurance.
Cyber Daily: What would be the normal procedure for a conversation at this level of government for a military strike?
Matthew Wilson: Each government has different policies and procedures for sharing information relating to military operations, depending on its level of classification.
For example, if information related to a military strike was deemed top secret, some governments require that the information can only be shared within an appropriate government facility, and in accordance with strict policies.
Some governments, agencies, and organisations have adopted mobile communications technologies that enable classified information to be shared securely. Such tools already exist, are approved, and are in use in the UK and Australia. These tools exist because pioneering government organisations in the UK and Australia have been listening to their people. They recognised the need for modern apps on modern phones and built the technology and policies to support it.
Cyber Daily: Is there any threat posed by the fact that several of the participants of the chat were overseas at the time, in either Saudi Arabia or Russia?
Matthew Wilson: That messages were allegedly shared on a consumer app while the user was in a foreign country does increase the risk profile, but such a security challenge can be solved with the right system.
Cyber Daily: What should happen, both in policy and personal responsibility terms, now that all this has come out?
Matthew Wilson: When government officials use consumer apps to share sensitive information, we shouldn’t rush to blame the individual solely. We need to also ask: Did the organisation equip the individual appropriately to do their job, securely and effectively?
People know the risks and are still using consumer apps. This isn’t careless or rogue behaviour. It’s a symptom – it tells us that people are trying to fill a capability gap. They simply haven’t been given the tools they need.
Government organisations that handle sensitive and classified information need to conceive and adopt an approach that is user-centric rather than relying on old policies and simply hoping for compliance.
At a policy level, it starts with the recognition that we live in an increasingly mobile world. Procedurally, we then need to provide those who are responsible for sensitive information with the mobile tools they need to do their job, securely and effectively.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.