
Insecure use of Signal app part of wider Department of Defense problem, suggests Senate report

Friday December 5, 2025, 11:00 PM, from ComputerWorld
The Signalgate scandal that enveloped US Secretary of Defense Pete Hegseth in March appears to be symptomatic of a wider lax attitude towards the use of non-approved messaging apps by officials and employees, a Senate Committee has concluded.

In March, the US Senate Committee on Armed Services set out to examine issues raised by the Signalgate incident: the need to clarify the existing rules on using “non-controlled” apps, whether Defense Secretary Hegseth adhered to them in his use of Signal, and whether his actions were evidence of a wider culture of insecure app usage within the Department of Defense (DoD).

This week’s dual reports have come back with a mixed assessment of these points. Broadly, what Hegseth was accused of doing – communicating sensitive information using a third-party messaging app – appears to have been happening at the DoD in less serious contexts since at least 2020.

This mirrors issues familiar to enterprises: unsanctioned or unmanaged messaging apps, including ones touting end-to-end encryption (E2EE) security, quickly become an IT backchannel that can invisibly undermine carefully-assembled security, compliance, and data retention policies.

Shadow communications

The first report, an assessment of the Defense Secretary’s use of the Signal app to communicate with senior colleagues in advance of a military operation against Yemen on March 15, is used to illustrate the point. It confirms the widely reported fact that two hours before the raid, Hegseth revealed details of the operation to a Signal group of 19 people, including a journalist who had been added to it in error.

In doing so, the report agrees he violated security policies by sending sensitive information from a personal device, and using the non-approved Signal app in a way that revealed important operational details in advance of the strike. The report ducks the issue of whether this information was classified at the time it was sent, noting that Hegseth was senior enough to determine this for himself.

The second background report has uncovered evidence of a more general culture of shadow communications in the DoD, including widespread use of video-conferencing apps during the Covid-19 pandemic.

The evidence gathered is sparse and partly redacted, making it difficult to assess the seriousness of any breaches. Because the scope of its remit was limited to the evidence from previous audits, one of the committee’s recommendations is to undertake a more comprehensive assessment of unsanctioned app usage inside the DoD. There’s also a question mark around how old audits analyzed by a Senate committee could accurately measure something that, by its nature, is hidden and only recorded on personal devices.

Nevertheless, the report says it is certain that Hegseth’s actions were not an isolated example, noting that staff had “used non-DoD-controlled electronic messaging systems for a variety of reasons. For example, some personnel used them because of the systems’ perceived appearance of security. As a result, DoD personnel increased the risk of exposing sensitive DoD information to our adversaries and did not comply with the legal obligation to retain and preserve official records.”

In short, while there was no evidence that unsanctioned app use is routine or normalized, it is likely that enough staff are using them to make a serious breach possible at some point. The report concludes that one of the reasons staff have taken to these messaging apps was that they lack convenient alternatives. It recommends developing approved apps to remove this need, implementing a training program to ensure existing communication regulations are complied with, and limiting the authority to use messaging apps to senior staff, in specific circumstances.

What’s surprising about this is that it has taken a major political row at government level to raise an issue that enterprise CISOs have been grappling with for years: the effects of BYOD, shadow IT (and now shadow AI), and unsanctioned apps that creep into organizations without anyone realizing it.

Over the last two decades, the rise of mobile devices, the cloud, and apps has radically de-centralized IT in ways that top-down management models struggle to control. Meanwhile, nothing has changed; the Signal app at the center of this scandal remains hugely popular on both sides of the political divide, despite the appearance of additional issues with the technology. 

This article originally appeared on CSOonline.
https://www.computerworld.com/article/4101885/insecure-use-of-signal-app-part-of-wider-department-of...
