Yesterday's big story — that the Secretary of Defense included the editor of The Atlantic in a Signal-based group chat discussing forthcoming plans for strikes against Houthi "rebels" in Yemen — is, in technical terms, really, really bad. But even the obvious critics are missing a few critical side issues. In no particular order:
- Why did senior defense officials have the direct contact information — required with Signal[1] — for the editor of a relatively unfriendly general-circulation periodical in the first place?
- Were any (let alone all) of the devices being used Tempest–certified, let alone properly red/black segregated or at the proper level?[2]
- We know that at least one participant in that group chat was not in an appropriate location (a SCIF) at all times that the chat was occurring; one wonders if any of them were at any time.
- The contrast with the vindictiveness of the Dear Leader's punishment of a major law firm (that at least has "attorney-client privilege" to consider) by, without any COMSEC rationale, withdrawing all security clearances for that firm doesn't look good, either.
- Then there's the contrast with the Dear Leader's prior mishandling of classified information (in all probability, less sensitive than actual impending operational plans) demonstrating a callous disregard for classification.[3] I won't gild this particular lily by mentioning other, verified incidents — especially since there might be a listening device in the vase.
Or maybe there's not a contrast at all. Maybe the distinction is much more narcissistic and sociopathic than a focus on the information; maybe the distinction is "what my guys do is always right or at least excusable, and what our opponents do is always wrong and never excusable." Of course, that doesn't hold up well when considering that the Secretary of Defense had at least some clearance for, and experience with, classified information — as a line officer, he necessarily held at least a Secret clearance.
- Perhaps most disturbingly, one must wonder why a "group chat" involving operational planning was considered appropriate at all. The military maintains extensive facilities — like briefing rooms inside Faraday cages — for face-to-face meetings; it also has lots of communication equipment dedicated to classified information and communication. <SARCASM> Apparently, the lives of those involved in the operation, and the operation itself, weren't important enough to justify missing a tee time or whatever else these dorks were doing. </SARCASM>
Frankly, the implications of each of these side issues are much worse than the potential grave harm to national security[4] of having the discussion in the first place. But I suppose it could have been worse — it could have been Telegram instead of Signal.
1. Disclosure: I use Signal extensively, as it's reasonably secure for nonclassified-but-still-confidential communications and relatively touchtypist-friendly. Nonetheless, there are some things that are nonclassified-but-still-confidential that don't go into Signal's systems.
2. We'll carefully refrain from pondering that none of a market-leader's devices ever can be Tempest–certified…
3. We'll carefully neglect that, in my own experience, about 70% of all materials marked classified are either overclassified as to level or don't justify treatment as "classified" at all. All near-term-execution operational plans involving live munitions are in the other 30%.
4. See, e.g., this blawg's prior summary, and in particular the still-in-effect executive order regarding handling of material marked as classified.