The Signalgate Messages Have Been Released and Oh, My God

Tom Uren
Friday, March 28, 2025, 8:00 AM

The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.

A secure group chat

Published by The Lawfare Institute
in Cooperation With
Brookings

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

The Trump administration's cavalier disregard for common-sense security protocols is blatantly inviting serious security breaches. This week exposed the absence of any kind of security culture at the highest levels of the U.S. national security community.

The story of how The Atlantic editor in chief was inadvertently added to a high-level U.S. national security discussion covering plans for military action against Houthi rebels in Yemen has been well covered in the media, so we won't rehash it all.

In short, The Atlantic's Jeffrey Goldberg was added to a Signal group chat in which senior U.S. officials discussed plans for military action against Houthi rebels in Yemen. The group chat included Vice President Vance, Defence Secretary Pete Hegseth, CIA Director John Ratcliffe and Director of National Intelligence Tulsi Gabbard, among others.

This chat was occurring on personal devices too. U.S. Special Envoy to the Middle East, Steve Witkoff, didn't participate. Why? Because he was travelling to Moscow with his special secure government device and didn't have his PERSONAL PHONE with him.

Steve Witkoff on X

After the story broke, Pete Hegseth, U.S. secretary of defense, and other members of the administration downplayed the content of the group chat messages. When asked by Fox News about the leaks, Hegseth replied with an ad hominem attack on Goldberg. When asked a second time, Hegseth didn't deny the veracity of the group chat but said that "nobody was texting war plans."

On Thursday, Goldberg published the entire Signal exchange (here on X). The good news is America's secretary of defense wasn't cutting and pasting highly classified documents into it. The bad news is, well, everything else about this.

For a foreign intelligence service, the chat has a wealth of reportable material.

First, Vance, Waltz, and Hegseth had what Goldberg calls "a fascinating policy discussion" about the timing of potential attacks against the Houthis and implications for foreign policy, particularly for relations with Europe.

Then there is Hegseth's pre-attack update to the chat:

TEAM UPDATE:
TIME NOW (1144et): Weather is FAVORABLE. Just CONFIRMED w/ CENTCOM we are a GO for mission launch.
1215et: F-18s LAUNCH (1st strike package)
1345: "Trigger Based" F-18 1st Strike Window Starts (Target Terrorist is @ his Known Location so SHOULD BE ON TIME) - also, Strike Drones Launch (MQ-9s)
1410: More F-18s LAUNCH (2nd strike package)
1415: Strike Drones on Target (THIS IS WHEN THE FIRST BOMBS WILL DEFINITELY DROP, pending earlier "Trigger Based" targets)
1536: F-18 2nd Strike Starts - also, first sea-based Tomahawks launched.

We can see why Hegseth says these are not "war plans," but regardless, he posted classified material into a Signal chat because … convenience?

Signal has a good reputation, but it cannot provide the same guarantees as secure government systems. Partly, this is because secure government systems are more robustly isolated from the internet.

In contrast, Signal messages can be accessed by adversaries by compromising the computer or phone the app is running on. Worse, anyone on the internet can phish you if you are on Signal. Last month, Mandiant even published a report describing how Russian intelligence services do this.

That the group chat was called "Houthi PC small group" is also very concerning. The <subject> <group composition> <size> naming convention implies a multitude of different groups focused on Russia-knows-what topics.

Goldberg left the group once he realized it was genuine:

…I removed myself from the Signal group, understanding that this would trigger notification to the group's creator, "Michael Waltz," that I had left. No one in the chat had seemed to notice that I was there. And I received no subsequent questions about why I left—or, more to the point, who I was.

As easy as ghosting on Tinder.

Politico reports Michael Waltz, Trump's national security adviser and the person who added Goldberg to the group chat, is under pressure. Although he's the person most directly responsible for this particular incident, wrong numbers are a fact of life. If you use Signal for sensitive group chats, leaks will eventually happen, either accidentally or because of adversary action.

Hegseth also deserves a fair share of the blame. Signal is entirely inappropriate for the information he sent to the group, regardless of whether it was technically "a war plan" or not.

But why, in a group chat containing the U.S.'s top national security officials, did no one say, "Hey, perhaps we should talk about this elsewhere"?

The CSRB Deserves a Sequel

The Cyber Safety Review Board (CSRB) was disbanded as part of the Trump administration's transition arrangements, but it is valuable and should be reestablished without delay.

The CSRB was set up by a 2021 Biden executive order to review significant cyber incidents and produce recommendations to drive improved security. We were fans because it produced impactful reports about serious security problems including Lapsus$ and Microsoft's cascade of security failures. These reports drove real change, including a commitment by Microsoft’s CEO to prioritize security above all else.

The CSRB was reviewing the compromise of U.S. telecommunications infrastructure by a Chinese state-backed group known as Salt Typhoon when it was disbanded in January this year. The future of the CSRB has not been clear to us.

Last week, however, the chair of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, Rep. Andrew Garbarino (R-N.Y.), urged the Trump administration to first review the operation of the CSRB "as it considers reconstituting the board."

In his letter to Kristi Noem, secretary of the Department of Homeland Security, Garbarino wrote:

…I am concerned that the CSRB's structure inhibited the Board’s ability to fulfill its mandate. Although the CSRB is often likened to the National Transportation Safety Board (NTSB), this comparison falls short in several ways. The CSRB lacks independence, transparency, and the authorities to perform like the NTSB. Therefore, to ensure any new CSRB's effectiveness, I request a thorough review of the Board’s structure prior to its reconstitution[.]

In our view, the cybersecurity industry and its regulatory apparatus is not mature enough for an organization that mimics the NTSB to work effectively. Early last year we wrote:

There are, however, massive differences between how NTSB accident investigations flow through to action in the transportation sector and how recommendations from the CSRB are converted into action.
In a recent Boeing 737 incident, for example, NTSB discoveries resulted in the Federal Aviation Administration grounding aircraft and ordering operators to inspect specific bolts. The problem is discrete, there are a relatively small number of stakeholders and regulators have authorities that ensure compliance.
None of that exists in the cyber security space. The problems are broad, there are usually large numbers of stakeholders and regulators have limited clout.

Garbarino's letter gives us the strong impression that he'd like clear and defined criteria for the CSRB rather than the somewhat loosey-goosey way the board operated. But cybersecurity problems right now aren't amenable to cut-and-dried solutions. For example, look at our high-level summaries of the CSRB's reports to date:

Garbarino asks that the department produce a report that answers questions such as:

  1. How is a cyber incident selected for review by the CSRB?
  2. What are the selection criteria for CSRB members? Does this differ for private-sector and federal government members?
  3. Would a subpoena authority help or hinder the ability of the CSRB, under the current construct, to perform its reviews?
  4. Is the NTSB the correct model to base the organization and structure of the CSRB?

These are good questions and worth addressing. However, there are real and pressing cybersecurity problems that need to be addressed right now, including the ongoing Salt Typhoon compromise of U.S. telecommunications infrastructure.

Waiting for a report to deliver the perfect CSRB structure is a mistake. We strongly recommend a "learn by doing" approach in which the board's work continues in parallel with a review of its operation.

Three Reasons to Be Cheerful This Week:

  1. Over 300 scammers arrested: INTERPOL announced that over 300 suspected cyber scammers in seven African countries were arrested as part of Operation Red Card. The suspects were arrested for a variety of alleged scams including phone hacking using malware sent via malicious links, online casino and investment fraud, and large-scale SMS phishing. The seven participating countries were Benin, Côte d'Ivoire, Nigeria, Rwanda, South Africa, Togo, and Zambia.
  2. The anti-stalkerware hacking crusade: At least 25 stalkerware companies have been hacked since 2017, according to TechCrunch (stalkerware is surveillance software marketed to individuals and is often used for spying on spouses or partners). Activist hackers have claimed responsibility for at least some of these hacks and hope to destroy the industry because they consider it unethical. They are having some impact, but hacks and data breaches often result in rebranding rather than permanent closure. TechCrunch has more coverage.
  3. Meta's tailored misinformation approach: Meta says it will combat misinformation in the upcoming Australian federal election, including by using third-party fact checkers. 404 Media points out that these are the methods the company dropped in the U.S. and replaced with a Community Notes model. We are hopeful this indicates that governments have some influence over the type of fact-checking model that U.S. tech giants impose on their populace.

Shorts

Starlink Terminals Popping Up Like Mushrooms

It's not just its Signal group chats that make us worry about the Trump administration's security practices. The New York Times reports Starlink WiFi is now available across the White House campus.

There is no concrete evidence the installation introduces security vulnerabilities. However, the reason WiFi in places like the White House is often patchy is that it takes time and effort to implement it with appropriate security measures.

Risky Biz Talks

In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq talk about why people studying cyber operations are fascinated by zero-days. These are vulnerabilities or exploits that have been found in a system before the vendor or manufacturer is made aware of them, and so no fix exists.

From Risky Biz News:

Cyberattack hits Ukraine's state railway: Ukraine's state railway company, Ukrzaliznytsia, says that a "massive targeted cyber attack" has taken down its online ticketing system over the weekend.

The incident took place on Sunday night. In a Facebook post, Ukrzaliznytsia blamed the incident on "the enemy," a term Ukrainians use to describe Russia.

The company's website is currently down, and officials are restoring from backups. The incident was very likely a data wiper attack, which Russian hackers have employed on numerous occasions since Russia's invasion in February 2022.

[More on Risky Bulletin]

The looming epochalypse: I'll start this newsletter edition by saying from the get-go that today's topic—the Year 2038 problem—isn't new at all.

For the younglings and padawans in the audience who have never heard of it, the Year 2038 problem, also known as the Epochalypse, is the equivalent of the Y2K bug, but for Linux and other Unix-based systems.

It refers to how these systems store time values in 32-bit integers and how the current time is getting close to reaching that integer's upper limit. From Umbelino's write-up:

Many computer systems track time using a 32-bit signed integer that counts seconds since 1970-01-01T00:00:00Z (known as "Unix time"). This approach has a mathematical limitation: when this counter reaches its maximum value on 2038-01-19 03:14:08 UTC, affected systems will roll over to negative numbers, causing them to interpret the date as 1901-12-13T20:45:52Z.

[More on Risky Bulletin, including why the epochalypse will be more challenging to fix than the Y2K bug.]
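To make the rollover described above concrete, here is a small added example (not from the newsletter or from Umbelino's write-up) that simulates storing a Unix timestamp in a 32-bit signed integer and reports what date the wrapped value would be read back as. The function names and the sample 2025 timestamp are constructed for this illustration.

```python
from datetime import datetime, timedelta, timezone

# Unix epoch and the limits of a two's-complement 32-bit signed integer.
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1   # 2147483647 -> 2038-01-19T03:14:07Z
INT32_MIN = -2**31      # -2147483648 -> 1901-12-13T20:45:52Z


def to_int32(seconds: int) -> int:
    """Simulate writing `seconds` into a 32-bit signed time_t.

    Reproduces two's-complement wraparound: one tick past INT32_MAX
    lands on INT32_MIN, which is the Year 2038 problem in one line.
    """
    return ((seconds + 2**31) % 2**32) - 2**31


def as_utc(seconds: int) -> str:
    """Render a Unix timestamp as an ISO-8601 UTC string.

    Uses timedelta arithmetic rather than fromtimestamp() so that
    negative (pre-1970) values work on every platform.
    """
    return (EPOCH + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


def check_timestamp(seconds: int) -> dict:
    """Report how a 64-bit timestamp survives a trip through a 32-bit field."""
    stored = to_int32(seconds)
    return {
        "intended": as_utc(seconds),
        "stored_as": as_utc(stored),
        "wraps": stored != seconds,
    }


if __name__ == "__main__":
    # Constructed sample: a March 2025 timestamp, the last safe second,
    # and the first second after the rollover.
    for ts in (1743148800, INT32_MAX, INT32_MAX + 1):
        print(check_timestamp(ts))
```

Any field that still serialises time as a 32-bit signed integer (file formats, database columns, on-wire protocol headers) will show the same 1901 date for any timestamp past the limit; auditing for such fields is the detection step.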

Hacktivists claim cyber-sabotage of 116 Iranian ships: An anti-regime hacktivist group has claimed credit over a cyberattack that crippled the on-ship communication systems of 116 Iranian ships.

The ships are operated by the National Iranian Tanker Company (50) and the Islamic Republic of Iran Shipping Company (66).

A group named LabDookhtegan took credit for the sabotage. The attack allegedly targeted the VSAT satellite communication systems of the two companies, where the group wiped data storage devices.

[More coverage at Risky Bulletin]


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.