\n
<\/p>\n
U.S. National Security Advisor Mike Waltz, who started the now-infamous group chat coordinating a U.S. attack against the Yemen-based Houthis on March 15, is seemingly now suggesting that the secure messaging service Signal has security vulnerabilities.<\/p>\n
\u201cI didn\u2019t see this loser in the group,\u201d Waltz told<\/a> Fox News about Atlantic<\/em> editor in chief Jeffrey Goldberg, whom Waltz invited<\/a> to the chat. \u201cWhether he did it deliberately or it happened in some other technical mean, is something we\u2019re trying to figure out.\u201d<\/p>\n<\/p><\/div>\n U.S. National Security Advisor Mike Waltz, who started the now-infamous group chat coordinating a U.S. attack against the Yemen-based Houthis on March 15, is seemingly now suggesting that the secure messaging service Signal has security vulnerabilities.<\/p>\n \u201cI didn\u2019t see this loser in the group,\u201d Waltz told<\/a> Fox News about Atlantic<\/em> editor in chief Jeffrey Goldberg, whom Waltz invited<\/a> to the chat. \u201cWhether he did it deliberately or it happened in some other technical mean, is something we\u2019re trying to figure out.\u201d<\/p>\n Waltz\u2019s implication that Goldberg may have hacked his way in was followed by a report<\/a> from CBS News that the U.S. National Security Agency (NSA) had sent out a bulletin to its employees last month warning them about a security \u201cvulnerability\u201d identified in Signal.<\/p>\n The truth, however, is much more interesting. If Signal has vulnerabilities, then China, Russia, and other U.S. adversaries suddenly have a new incentive to discover them. At the same time, the NSA urgently needs to find and fix any vulnerabilities quickly as it can\u2014and similarly, ensure that commercial smartphones are free of backdoors\u2014access points that allow people other than a smartphone\u2019s user to bypass the usual security authentication methods to access the device\u2019s contents.<\/p>\n That is essential for anyone who wants to keep their communications private, which should be all of us.<\/p>\n It\u2019s common knowledge<\/span> that the NSA\u2019s mission is breaking into and eavesdropping on other countries\u2019 networks. (During President George W. Bush\u2019s administration, the NSA conducted warrantless taps into domestic communications as well\u2014surveillance that several<\/a> district courts ruled<\/a> to be illegal before those decisions were later overturned<\/a> by appeals courts. To this day, many legal experts maintain<\/a> that the program violated federal privacy protections.) But the organization has a secondary, complementary responsibility: to protect U.S. communications from others who want to spy on them. That is to say: While one part of the NSA is listening into foreign communications, another part is stopping foreigners from doing the same to Americans.<\/p>\n Those missions never contradicted during the Cold War, when allied and enemy communications were wholly separate. Today, though, everyone uses the same computers, the same software, and the same networks. That creates a tension.<\/p>\n When the NSA discovers a technological vulnerability in a service such as Signal (or buys one on the thriving clandestine vulnerability market), does it exploit it in secret, or reveal it so that it can be fixed? Since at least 2014, a U.S. government interagency \u201cequities\u201d process<\/a>\u00a0has been used to decide whether it is in the national interest to take advantage of a particular security flaw, or to fix it. The trade-offs are often complicated and hard.<\/p>\n Waltz\u2014along with Vice President J.D. Vance, Defense Secretary Pete Hegseth, and the other officials in the Signal group\u2014have just made the trade-offs much tougher to resolve. Signal is both widely available and widely used. Smaller governments that can\u2019t afford their own military-grade encryption use it. Journalists, human rights workers, persecuted minorities, dissidents, corporate executives, and criminals around the world use it. Many of these populations are of great interest to the NSA.<\/p>\n At the same time, as we have now discovered, the app is being used for operational U.S. military traffic. So, what does the NSA do if it finds a security flaw in Signal?<\/p>\n Previously, it might have preferred to keep the flaw quiet and use it to listen to adversaries. Now, if the agency does that, it risks someone else finding the same vulnerability and using it against the U.S. government. And if it was later disclosed that the NSA could have fixed the problem and didn\u2019t, then the results might be catastrophic for the agency.<\/p>\n Smartphones present a similar trade-off. The biggest risk of eavesdropping on a Signal conversation comes from the individual phones that the app is running on. While it\u2019s largely unclear whether the U.S. officials involved had downloaded the app onto personal or government-issued phones\u2014although Witkoff suggested on X that the program was on his \u201cpersonal devices<\/a>\u201d\u2014smartphones are consumer devices, not at all suitable for classified U.S. government conversations. An entire industry of spyware companies sells capabilities to remotely hack smartphones for any country willing to pay. More capable countries have more sophisticated operations. Just last year, attacks that were later attributed to China attempted<\/a> to access both President Donald Trump and Vance\u2019s smartphones. Previously, the FBI\u2014as well as law enforcement agencies in other countries<\/a>\u2014have pressured both Apple and Google to add \u201cbackdoors\u201d in their phones to more easily facilitate court-authorized eavesdropping.<\/p>\n These backdoors would create, of course, another vulnerability to be exploited. A separate attack from China last year accessed<\/a> a similar capability built into U.S. telecommunications networks.<\/p>\n The vulnerabilities equities have swung against weakened smartphone security and toward protecting the devices that senior government officials now use to discuss military secrets. That also means that they have swung against the U.S. government hoarding Signal vulnerabilities\u2014and toward full disclosure.<\/p>\n This is plausibly<\/span> good news for Americans who want to talk among themselves without having anyone, government or otherwise, listen in. We don\u2019t know what pressure the Trump administration is using to make intelligence services fall into line, but it isn\u2019t crazy to worry<\/a> that the NSA might again start monitoring domestic communications.<\/p>\n Because of the Signal chat leak, it\u2019s less likely that they\u2019ll use vulnerabilities in Signal to do that. Equally, bad actors such as drug cartels may also feel safer using Signal. Their security against the U.S. government lies in the fact that the U.S. government shares their vulnerabilities. No one wants their secrets exposed.<\/p>\n I have long advocated for a \u201cdefense dominant\u201d cybersecurity strategy. As long as smartphones are in the pocket of every government official, police officer, judge, CEO, and nuclear power plant operator\u2014and now that they are being used for what the White House now calls calls \u00a0\u201csensitive<\/a>,\u201d if not outright classified conversations among cabinet members\u2014we need them to be as secure as possible. And that means no government-mandated backdoors.<\/p>\n We may find out more about how officials\u2014including the vice president of the United States\u2014came to be using Signal on what seem to be consumer-grade smartphones, in a apparent breach of the laws on government records<\/a>. It\u2019s unlikely that they really thought through the consequences of their actions.<\/p>\n Nonetheless, those consequences are real. Other governments, possibly including U.S. allies, will now have much more incentive to break Signal\u2019s security than they did in the past, and more incentive to hack U.S. government smartphones than they did before March 24.<\/p>\n For just the same reason, the U.S. government has urgent incentives to protect them.<\/p>\n<\/p><\/div>\n
\n
\n