Quick Signalgate explainer

On Monday this week, a group of senior officials in the Trump administration accidentally added a journalist to a chat group discussing attack plans in Yemen. It was a blindingly stupid and careless thing to do. All things considered, the reporter, Jeffrey Goldberg, handled it well – verifying authenticity and reporting only non-classified material. Here's some up-to-date coverage at the time of this writing.

Here Are the Attack Plans That Trump’s Advisers Shared on Signal
The administration has downplayed the importance of the text messages inadvertently sent to The Atlantic’s editor in chief.

You can read all kinds of political analysis elsewhere. I want to talk here about secure government communications, for folks who don't understand the nuance.

The national defense and intelligence community – the Department of Defense, the Office of the Director of National Intelligence, the CIA, the NSA and others – have strict rules about the devices and the software that they use to communicate secret information. Encryption, networking and applications like email are all rigorously reviewed to be sure that they're secure, and classified information is only supposed to be handled on those accredited devices and networks. You're not allowed to install other, non-approved applications on those devices. You're not allowed to connect non-approved devices to those secure networks.

All of this is to keep malicious code off of secure networks and secure devices.

Signal is a messaging application that provides end-to-end encryption for chats. If you and I and a few of our friends are planning a dinner meet-up over Signal, then our plans are somewhere between very hard and impossible for an eavesdropper to intercept and read. Before a message leaves my phone, it's encrypted with a good algorithm that's really hard to break. It stays encrypted until it's received on your phone, by your copy of the Signal app; Signal's own servers relay the scrambled bytes but never hold the keys to read them. Keys are agreed pairwise between phones using Diffie-Hellman key agreement and are replaced continuously as messages flow (the Signal Protocol's "double ratchet"), and the keys for a group chat are themselves delivered over those pairwise sessions. So my messages to you, yours to me, yours and mine to our friends are all encrypted differently, and a key stolen today doesn't unlock yesterday's messages. Thanks to some interesting math and good algorithms, this multi-way encryption works like magic.

A friend who works in the national intelligence community tells me that those folks actually think Signal's pretty good. If you want secure messaging, it's an excellent choice. I use it!

The Trump officials were using Signal on their private phones. The problem with that isn't Signal. It's the private phones.

Your phone lets you download apps from app stores and install them. It lets you visit web sites and receive messages from people you don't know. There are lots of ways for bad guys to install malware on your phone. Once it's there, it can collect and transmit information without your knowledge. It can capture data you enter from the phone keyboard as you enter it, reading your messages before they're encrypted. It can take snapshots of your phone screen every second and send the images to a remote server, reading whatever you're looking at. None of that is something Signal can prevent: end-to-end encryption protects a message in transit, not the device it is typed on or displayed on.
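As an added illustration (this is my own Go code, written for this explainer; it is not Signal's code and not from anything quoted above), the program below builds an end-to-end encrypted pairwise session between two phones with X25519 key agreement and AES-256-GCM, a deliberate simplification of Signal's X3DH and double ratchet. A third party watching the network holds both public keys and the ciphertext but no private key, and cannot decrypt. A keylogger hook on the sender's phone, standing in for the malware described above, reads the message before it is ever encrypted. The phone names, the `KeyloggerHook` field and the SHA-256 key derivation are assumptions made for the demo, not Signal's design; it needs Go 1.20 or later for `crypto/ecdh`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Phone models one endpoint of a deliberately simplified pairwise session: one
// AES-256-GCM key derived from an X25519 Diffie-Hellman secret. Signal proper
// agrees keys with X3DH and ratchets them every message; only the property that
// plaintext exists solely on the endpoints is modelled. KeyloggerHook, when
// set, stands in for malware that reads keystrokes before the app encrypts.
type Phone struct {
	key           *ecdh.PrivateKey
	aead          cipher.AEAD
	KeyloggerHook func(typed []byte)
}

func NewPhone() (*Phone, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	return &Phone{key: k}, err
}

// Pair derives this phone's session key from its private key and the peer's
// public key. SHA-256 stands in for Signal's HKDF (an assumption, not its KDF).
func (p *Phone) Pair(peer *Phone) error {
	shared, err := p.key.ECDH(peer.key.PublicKey())
	if err != nil {
		return err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return err
	}
	p.aead, err = cipher.NewGCM(block)
	return err
}

// Send is the user typing a message into the app; it returns nonce||ciphertext,
// the only thing the network ever carries.
func (p *Phone) Send(msg string) ([]byte, error) {
	if p.KeyloggerHook != nil {
		p.KeyloggerHook([]byte(msg)) // malware sees the plaintext right here
	}
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, p.aead.Seal(nil, nonce, []byte(msg), nil)...), nil
}

// Receive decrypts wire bytes; GCM rejects anything sealed under another key.
func (p *Phone) Receive(wire []byte) (string, error) {
	n := p.aead.NonceSize()
	if len(wire) < n {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := p.aead.Open(nil, wire[:n], wire[n:], nil)
	return string(pt), err
}

// Demo: alice messages bob while mallory watches the network (both public keys
// and the wire bytes, no private key) and malware sits on alice's phone. It
// reports what bob read, whether mallory could decrypt, and what malware saw.
func Demo(msg string) (delivered string, eavesdrop bool, malwareSaw string, err error) {
	phones := make([]*Phone, 3)
	for i := range phones {
		if phones[i], err = NewPhone(); err != nil {
			return
		}
	}
	alice, bob, mallory := phones[0], phones[1], phones[2]
	for _, pr := range [][2]*Phone{{alice, bob}, {bob, alice}, {mallory, bob}} {
		if err = pr[0].Pair(pr[1]); err != nil {
			return
		}
	}
	alice.KeyloggerHook = func(typed []byte) { malwareSaw = string(typed) }
	wire, err := alice.Send(msg)
	if err != nil {
		return
	}
	_, mErr := mallory.Receive(wire)
	eavesdrop = mErr == nil // GCM authentication fails under mallory's key: false
	delivered, err = bob.Receive(wire)
	return
}

func main() {
	d, e, m, err := Demo("dinner at 7, the usual place") // constructed sample text
	if err != nil {
		panic(err)
	}
	fmt.Printf("bob read %q; eavesdropper decrypted: %v; malware saw %q\n", d, e, m)
}
```

Run it with `go run`. The line that matters is the hook call in `Send`: every bit of the end-to-end encryption is still in place, the eavesdropper still gets nothing, and the attacker sitting on the endpoint has the plaintext anyway.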

This isn't hypothetical. A "zero-day" is a vulnerability that attackers are exploiting before the vendor has a fix for it, which is exactly what it takes to seize control of a fully patched phone and install the kind of malware described above. The Cybersecurity and Infrastructure Security Agency, or CISA, maintains a catalog of Known Exploited Vulnerabilities, every entry of which has been seen used in real attacks, and it includes plenty of bugs in both Android and iOS.

Foreign spies actively develop and use exploits like these, targeting government officials and others of particular interest. Pegasus, spyware for mobile phones built by the Israeli company NSO Group and sold to government customers, has been found on the phones of journalists, activists and officials around the world, and some of its exploits were "zero-click": the target didn't have to tap anything.

From an information security point of view, the only safe assumption is that at least one of the phones in the government group chat was compromised, and the messages in the thread were read by our adversaries. Secretary of Defense Hegseth reported to the group in the thread that "we are currently clean on OPSEC," or operational security, unaware that an uncleared journalist was listening in. These are not sophisticated people who understand and are careful about security. Even if they had been, it wouldn't have been enough: a zero-click exploit asks nothing of the user, so careful habits on a personal phone are no defense against it.

Leaking battle plans to enemies is a disaster. There's another casualty here, though.

Allied governments often share sensitive intelligence with one another, to prevent terrorism or other dangerous activity. When a government gives that intelligence to an ally, it explicitly trusts the ally to protect it.

The United States has, for decades, been part of an international intelligence sharing agreement with the United Kingdom, Canada, Australia and New Zealand. This group, called the Five Eyes, has used information sharing to coordinate their work and to protect the world. I'm not cleared, don't know details, but I'm absolutely confident that the group has averted countless disasters in the past.

Each of those partners must look at the abysmal security practices of the Trump group with dismay. The people in the chat are at the very top of intelligence organizations in the US. They have access to all sorts of information, including information shared in the past among the Five Eyes partners. Each of those partners must assume their secrets have been discussed on compromised private devices, leaked to other bad guys.

I would be shocked if any of our international intelligence partners is sharing information with us now. They can have no faith in its security when top officials are so cavalier in their practices. At least one of the eyes – America – is effectively blinded. I fear what that means for stopping future disasters.