End-to-end encrypted messaging app Signal is widely recognized for its robust security features, making it a popular choice for everyday communication. However, cybersecurity experts caution against its use by government officials for discussions involving national security. This advisory comes in the wake of an incident where members of former President Donald Trump’s national security team inadvertently included a journalist in a group chat that was sharing sensitive information about military operations targeting the Iran-aligned Houthi rebel group.
What is Signal?
Signal has built a reputation as a messaging platform that prioritizes user privacy and security through end-to-end encryption, which ensures that messages remain confidential and untraceable. The company has been vocal in its opposition to governmental pressures aimed at compromising its privacy technologies, notably criticizing the UK government for attempting to persuade Apple to create back doors that would allow access to user data.
Meredith Whittaker, Signal’s president, highlighted a significant cybersecurity breach last year, where a substantial amount of American data was reportedly stolen by a Chinese hacking group known as “Salt Typhoon.” Whittaker pointed out that the attack was facilitated by exploiting vulnerabilities—specifically, back doors—integrated into telecommunications systems. She emphasized the inherent risks of such vulnerabilities, stating,
“The fundamental issue is simple: encryption is mathematics and mathematics doesn’t discriminate between a government investigator and a criminal hacker — a back door is a back door and if it’s there, anyone can enter.”
How secure is Signal?
Cybersecurity professionals generally regard Signal as one of the most secure messaging applications available. Liam O’Shannessy, executive director at CyberCX, noted that Signal’s secure messaging protocols have been adopted by competitors like WhatsApp. However, he acknowledged that while encrypted messaging services like Signal are among the safest options, they are not infallible.
O’Shannessy explained that cybercriminals can potentially access devices remotely, which could compromise Signal’s security on those devices. This risk is particularly pronounced with Signal’s desktop application, as desktop systems are often more vulnerable to malware than mobile devices. He stated,
“If you’re in a group chat, it only takes one member of the group’s device to be compromised.”
Dr. William Stoltz from the Australian National University echoed these concerns, noting that vulnerabilities can arise from other applications installed on a user’s device that may undermine its security. He elaborated that foreign intelligence services frequently attempt to compromise devices through malware, which can enable them to capture sensitive communications, including those conducted via encrypted messaging apps. He remarked,
“The reality is there’s the security of the app, and then there’s the security of your own device. But what it comes down to is how secure is the person’s device.”
In many cases, particularly those unrelated to national security, O’Shannessy highlighted that human error poses the most significant risk when sharing sensitive information on Signal. He noted,
“[The risk] will always be the recipient and whether they might screenshot or forward — even accidentally — the information you share with them.”
Should government officials be using Signal to discuss national security?
Defense experts have raised alarms regarding the potential legal implications of using apps like Signal for transmitting classified information, suggesting it could violate the Espionage Act. The group chat incident involved sharing sensitive details, including air-strike targets and the identity of an active CIA officer, typically kept confidential. High-ranking officials, including Vice-President JD Vance and Defense Secretary Pete Hegseth, were reportedly part of this breach.
Retired Australian Army Major General Mick Ryan expressed concern over the implications of such a security lapse, stating,
“It’s dangerous on multiple levels. Firstly, you risk the compromise of the operation, which ultimately puts the lives of military personnel at risk.”
He added that the incident reflects a systemic weakness in communication practices that adversaries could exploit, indicating a troubling level of confidence in the app’s security.
What do governments usually do?
Typically, when handling classified information related to military operations, government officials convene in Secure Compartmentalized Information Facilities (SCIFs). Dr. Stoltz noted that these secure environments are essential for safeguarding sensitive communications, as they are designed to meet stringent cyber and physical security standards. He remarked,
“So the fact that these communications are happening in this kind of unsecured ways is pretty, pretty incredible.”
Professor Toby Murray from the University of Melbourne, who has experience in the Department of Defence, emphasized that there are specific government-approved systems for transmitting classified information, with Signal not being among them. He stated,
“In the [Australian] Department of Defence, there are separate computer networks that are used for storing and sending classified information.”
Securing devices also involves ensuring their integrity throughout the supply chain, according to cybersecurity expert Richard Buckland. He explained that governments implement measures to prevent tampering with technology used for sensitive communications, asserting that only specially secured devices should be utilized for high-level security matters. Buckland quipped,
“I’m not saying high school kids are running national security [but] it looks like what you’d get if high school kids were running national security.”
