As cyber security professionals, we watched in collective horror last month as classified details of American military operations were leaked via Signal after a journalist was mistakenly added to a high-level group chat.
But before we dissect this mishap, let’s clear something up straight away – Signal didn’t fail. The encryption worked perfectly. The security features performed exactly as designed. This was not a technical breach – it was a classic case of human error.
The anatomy of a security faux pas
A high-level government official creates a Signal group to discuss sensitive operations. When adding participants, they select the wrong contact – a journalist instead of a fellow officer. For nearly 18 hours, classified information flows freely before anyone notices. By then, screenshots are taken, and the proverbial cat is not just out of the bag – it is making headlines.
This incident showcases a perfect storm of security failures, none of which involve Signal’s actual security capabilities. It’s as if someone decided to host a top-secret meeting in a public park because the conference room was too far away.
Lessons for CISOs: Avoiding your own Signalgate
1. Shadow IT is the Terminator of the corporate world.
It will always be back. If your secure systems are as user-friendly as a brick wall, people will find workarounds – usually involving consumer-grade tools that prioritise usability over security controls.
2. Device segregation: Not just for prisons anymore.
Personal devices and classified information should be as far apart as possible. Implement strict controls on corporate devices. It’s not just about preventing data leakage; it’s about maintaining clear boundaries between different security domains.
3. User Interface (UI): More than just pretty buttons.
The UI should make dangerous actions difficult and provide clear visual differentiation. Government systems often look clunky for a reason – they’re designed to prevent errors through confirmation screens and visual cues. Your systems don’t need to be clunky, but adding meaningful banners or interventions can be what you need. It’s like having speed bumps in a school zone; sometimes, slowing people down is the point.
4. Training: The “Why” is as important as the “What”.
Simply telling people not to discuss classified operations on personal devices clearly isn’t enough. People need to understand the potential consequences of their actions. It’s the difference between telling someone not to touch a hot stove and explaining why it will hurt. Remember, just because people are aware, doesn’t mean that they care.
Is Signal still safe?
Absolutely. Signal remains one of the most secure messaging platforms available. The problem wasn’t Signal; it was how it was being used. It’s like hitching a caravan to a Ferrari – technically possible, but missing the point entirely.
Best practices for secure communications
For highly sensitive communications:
1. Use purpose-built systems, not consumer apps.
2. Implement formal access controls.
3. Deploy dedicated devices.
4. Create visual differentiation and timely interventions.
5. Implement confirmation procedures for adding new participants.
For general business communications:
1. Establish clear policies on tool usage.
2. Create distinct groups with clear naming conventions.
3. Implement regular security audits.
4. Use enterprise versions of messaging platforms.
5. Train users regularly on secure communication practices.
Managing the human factor
What’s particularly frustrating about this incident is how predictable it was. Security professionals have been warning about these scenarios for years. It’s like watching a slow-motion car crash that’s been in the making for a decade.
Remember, security isn’t just about perfect technology; it’s about understanding human behaviour and designing systems that work with it, not against it. This incident wasn’t caused by Signal being insecure. It was caused by humans being human, using the wrong tools for the job, and a culture that prioritised convenience over security.
In the end, the most sophisticated security system in the world can be undone by human error. Which is why a layered approach is needed which blends technology, processes, and a desire to work with human nature – not against it.
Javvad Malik is lead security awareness advocate at KnowBe4
