What the Signal Chat Incident Reveals About Insider Risk

Cybersecurity classified top secret

Recent news demonstrates the well-known fact among those managing insider risk programs, which is that a careless employee actions can potentially escalate into a dangerous situation. Jeffery Goldberg, editor-in-chief of The Atlantic, shared how he was accidentally added to a Signal (commercial secure communications application) “Principles Group” to discuss the active battle plans with respect to the March 15 U.S. bombings in Yemen.  

The Signal Chat group consisted of a number of senior government officials including Vice President J.D. Vance and Secretary of Defense Pete Hegseth. 

Who’s to Blame? 

According to Goldberg’s piece, he was contacted by the National Security Advisor and added to the Signal Group. Some may critique and say he should have announced himself or self-removed himself. Yes to both counts. Yet in security incidents, intent is rarely an adequate defense. Carelessness with national security information comes at a high cost. 

Secure communications and the non-malicious insider

The United States government has secure communication systems available throughout the administration. With the exception of National Counterterrorism Center nominee Joe Kent, who Goldberg identified as being in the chat, every one of the senior administration individuals has organizational access to secure communications that have been approved for use by the National Security Agency to carry and protect classified communications. Is Signal a part of the bevy of options available? Not likely. 

Why was Signal used? Only those in the national security advisor’s office can answer that question. One would think that briefings on how to communicate securely have been provided. It isn’t entirely clear as to why Signal was used. While private communications methods can be more cumbersome, when it comes to national security, solutions that expedite communication but don’t offer adequate security aren’t the right answer. Processes and procedures for classified communications exist, and within their own field of intelligence (Communications Security, or COMSEC). We should also remind ourselves to take a breath when adding names to sensitive communications.   

Related News

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher, served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com