The Signal Problem And A Solution

Improving Government Security

Signal is an encrypted communication app that supports voice, video and text. Its use in a high level government meeting appears to have led to the compromise of information, but it also appears that the use of Signal by administration officials was permitted not only in the Trump administration, but under Biden as well. Judging from statements made by CIA Director John Ratcliffe, Signal was authorized “for work.” “Signal,” he said, “was loaded onto my computer at the CIA, as it is for most CIA officers.”

US-Signal-chat-scandal

What is murky is whether Signal can be used for classified information. In the past, commercial-grade encryption was not permissible for classified work – a rule made by the National Security Agency (NSA), which has long demanded that special secure equipment be used.

In the CIA, it is fair to say, most of the work is classified, although Ratcliffe, referring to The Atlantic magazine incident, said the compromised meeting was not classified, a position echoed by the administration. Ratcliffe also said he never used Signal for any classified work.

US-Signal-chat-scandal
CIA Director John Ratcliffe.

National Security Adviser Mike Waltz, commenting on the Atlantic compromise, said, “No locations. No sources and methods. NO WAR PLANS. Foreign partners had already been notified that strikes were imminent.” In short, no classified information.

Waltz’s statement was published on X and released officially from the White House.

Classified information is “data deemed sensitive to national security and requires protection against unauthorized disclosure, determined by the U.S. government through executive orders, statutes, or regulations. Access is restricted to authorized individuals with proper security clearances and a ‘need to know.’” It is up to the originators of the information to say whether or not it should be classified, and to specify the level of classification.

In the case of The Atlantic compromise, the originators – in this case, primarily the Secretary of Defense – say the information was not classified.

Capabilities and Vulnerabilities

The government has secure telephones, secure enclosures and secure software that enables different levels of classified communications. A good example is SIPRNet which is a DOD version of the Internet featuring government-authorized encryption and means to authenticate users. SIPRNet works for information classified up to the Secret level. (The government has different levels of classification and controls who has access to that information.)

US-Signal-chat-scandal
SIPRNet for classified information and NIPRNet for unclassified data.

In assessing the Signal issue, it is important to note that commercial security software has outclassed anything from the government when it comes to ease of use, flexibility, access to a full range of communications options, and efficiency. Just as commercial smartphones are ubiquitous today, commercial apps to facilitate communications and information access, including artificial intelligence, are increasingly powerful.

There are, of course, plenty of downsides. Smartphones are highly vulnerable to hacking, and Smartphone operating systems leave a lot to be desired when it comes to security. Furthermore, the plethora of apps, invented by persons here and abroad, most without any accountability, are a source for spying and malware. There is no assured vetting process to protect users, and when something is finally exposed as dangerous, that exposure may be long after the app has been propagated. Even when a person is using a secure app for communications, the user may not know that malware operating silently in the background is broadcasting a non-encrypted version of a conversation.

We don’t know what phones government officials are using, but it is a good bet they are commercial devices. Signal, for example, works only on Android and iPhone phones plus desktop computers.

The inclusion of The Atlantic in a government-only conversation exposed a critical vulnerability in using commercial software. Once a user is signed up to Signal (which means supplying a name and phone number), he or she can participate in secure events if a user invites him. Signal does not manage who calls whom; that is up to the user and the user host for group conversations.

The Lesson for the Future

Including the editor of The Atlantic in a government-only conversation was, obviously, an error. However, it showed a significant vulnerability in using the Signal app as it is for sensitive government communications. The lesson to be learned is that the government can do better by having its own, upgraded special version of Signal to replace a purely commercial application.

The US government should have its own version or equivalent of Signal.

If the government wanted to have its own “Signal” equivalent, it could start by (a) providing a robust means to authenticate who is on a chat, including video ID and (b) using government-supplied encryption instead of the commercial encryption used by Signal. In that case, NSA would have to manage the encryption keys (including session keys).

The government could also require that commercial apps on a government-employee authorized smartphone are vetted for security, requiring government-use commercial smartphones to obtain apps only through a government-operated online store (GovStore) that would also authenticate users. (Such a GovStore also could clean out suspicious apps from an existing smartphone and conduct a security check of the phone’s operating system and files.)

A key advantage of a managed approach is to improve the security environment while, at the same time, supporting new apps and new platforms as they come along. While there would be some lag, necessary when you impose a supervisory scheme, on the whole it would keep pace with technology and varied applications.

Secured commercial phones using a government version of Signal would help protect US Security and avoid errors in future.

Source: author’s blog

Leave a Comment

Your email address will not be published. Required fields are marked *

*