On Monday, editor-in-chief of The Atlantic Jeffrey Goldberg revealed that he had apparently been added to a group chat on the encrypted app Signal between high-level U.S. government officials planning a military operation over the weekend. Virginia Tech cybersecurity and social platform experts France Bélanger, Aaron Brantly, Jimmy Ivory and Anthony Vance explain what Signal is, how it works, and how such a breach of national security could happen.

Signal’s end-to-end encryption makes it the most secure messaging app available to civilians, and the Senate has approved Signal for staff use in the past. “In general, it is a more secure way to communicate compared to other apps and tools,” says Bélanger.

But using it for official government communications makes those conversations vulnerable to advanced spyware technologies.

“The application, while excellent for safeguarding communications of human and democracy rights activists, has not been verified for use within the U.S. Intelligence Community,” says Brantly.

“The leak highlights the role of human error in security leaks and breaches. While Signal may not be the ideal platform for communicating sensitive national security information, this leak was caused by user error rather than a technical limitation of the platform's security features,” Ivory said. “Such an error is not unprecedented. In 2023 security information was accidentally leaked because of mistyped email addresses, and in 2021, it was found the military institutions in Europe were using relatively unsecure platforms for sensitive communication.”



According to the Verizon 2024 Data Breach Investigations Report, 68% of cybersecurity breaches involve the human element, which involves people being tricked. But another 28% of incidents were due to errors that people made. Meanwhile, an IBM Cyber security intelligence report claims up to 95% of security breaches are caused by human error.



“Signal is not an appropriate channel to have these discussions because of the lack of process and procedures to ensure that communications are handled appropriately,” says Vance. “Including a member of the press in this discussion is Exhibit No. 1 for why these processes and procedures are important.”

Signal works the same way as standard messaging apps on iOS, Android, or WhatsApp, making accidentally adding someone “absolutely easy to do,” says Bélanger.

This is especially true “if the included journalist’s name or number is similar to a person intended to be included in the group,” says Vance. “This, again, highlights the need for formal processes and procedures.”



“The practice of not using SCIFs (Secure Compartmented Information Facilities) for the planning and implementation of conflict with a foreign state is an egregious breach of national security protocols,” said Brantly. “That the principals group was using this as a means of communications is a profound violation of US classification laws and standards and constitutes a grave threat to U.S. national security.”

About Bélanger
France Bélanger holds the titles of University Distinguished Professor, R. B. Pamplin Professor, and Tom & Daisy Byrd Senior Faculty Fellow in the Accounting and Information Systems Department within the Pamplin College of Business at Virginia Tech. An author, researcher, educator, consultant, and advocate for information privacy, she has studied issues surrounding the topic for two decades and written about the subject for the majority of her 200 published articles.

About Brantly
Aaron Brantly, an associate professor of political science and director of the Tech4Humanity lab at Virginia Tech, has worked on issues related to cybersecurity from multiple angles, including human rights and development, intelligence and national security, and military cybersecurity. His interests span the political science and computer science divide.

About Ivory
Jimmy Ivory's primary research interests deal with social and psychological dimensions of new media and communication technologies, particularly the content and effects of video games, virtual environments, and simulations. In particular, much of his research focuses on the content and effects of technological features of new entertainment media, such as video games.

About Vance
Anthony Vance is a Professor and Commonwealth Cyber Initiative Fellow in the Department of Business Information Technology of the Pamplin College of Business at Virginia Tech. His research focuses on how to help individuals and organizations improve their cybersecurity posture, particularly from behavioral, organizational, and neuroscience perspectives.

Schedule an interview
To schedule an interview, contact Mike Allen in the media relations office at mike.allen@vt.edu or 540-400-1700 or Noah Frank at nafrank@vt.edu or 805-453-2556.