THE ROW over Mike Waltz’s security slip-up rages on. On March 11th America’s national security adviser accidentally added Jeffrey Goldberg, the editor-in-chief of the Atlantic, a magazine, to a group chat on Signal, an encrypted messaging app. Days later Mr Waltz and a succession of American officials including J.D. Vance, the vice-president, Pete Hegseth, the secretary of defence, Tulsi Gabbard, the director of national intelligence, and John Ratcliffe, the director of the CIA, used the group to discuss air strikes on Yemen. How serious a breach was this?
On March 25th the White House denied that “war plans” or any other classified material was sent in the chat. Ms Gabbard and Mr Ratcliffe, speaking to the Senate’s intelligence committee, issued similar denials. “There was no classified material that was shared,” declared Ms Gabbard. On March 26th Mr Waltz insisted on social media that the chat included neither locations nor “sources and methods”, referring to means of intelligence collection. He added: “NO WAR PLANS.”
These denials are hard to square with the evidence. On March 15th Mr Hegseth told his colleagues precisely when two waves of F-18 jets, armed MQ-9 drones and Tomahawk missiles would launch, when the “strike window” would open and when the targets would be hit (“THIS IS WHEN THE FIRST BOMBS WILL DEFINITELY DROP”). Mr Waltz later provided an update on the effect: “We had positive ID of him walking into his girlfriend’s building and it’s now collapsed,” he wrote, implying that America had real-time surveillance, such as a drone overhead.
Mr Hegseth has mocked the idea that this information was classified. “Those are some really shitty war plans,” he wrote on March 26th. But several former and current Pentagon officials told The Economist that such details would have been classified—“unquestionably”, said one. A classification guide published by Ms Gabbard’s agency in 2016 specifies that information “providing indication or advance warning that the US or its allies are preparing an attack” is considered top secret—the highest level of classification, applied to information which could cause “grave damage” to national security if released—and “NOFORN”, which means that in general it may not be sent to non-Americans. Another guide published in 2012 by the Pentagon’s Central Command, which conducted the strikes, says that the date and time of operations, the movement of aircraft and schedules should be classified “secret”, one notch down.
In theory, Mr Hegseth is empowered to declassify material. That reasoning was employed by his boss, Donald Trump, to justify his retention of hundreds of classified records at Mar-a-Lago on leaving office in 2021. But the Brennan Centre for Justice, an advocacy group, says that the president—and presumably Mr Hegseth—cannot declassify documents or secrets merely “by thinking about it” and without telling anyone else. Mr Trump’s theory was never tested in court.
The dispute raises questions of security as well as legality. Signal is often considered more secure than WhatsApp or other apps, because its code is open-source and subject to scrutiny. It is commonly used by officials in America and Europe, though not normally for planning military operations. In February Google’s Threat Intelligence Group warned that Russian intelligence services were attempting to compromise Signal users by exploiting the app’s ability to link multiple devices, a type of “phishing” attack that relies on human error rather than a technical flaw. Britain’s armed forces tell personnel that Signal should not be used for any detailed information, such as names, dates, times and locations, according to someone familiar with the guidance.
In practice, however, Signal is not the problem. Most users are unlikely to be compromised and the app is a better choice than unencrypted text messages or other, less robust services. “One of the first things that happened when I was confirmed as CIA director was Signal was loaded onto my computer at the CIA,” Mr Ratcliffe told senators, “as it is for most CIA officers.” The question is whether some American officials might be using Signal on insecure devices. On March 26th Steve Witkoff, Mr Trump’s lead envoy for Russia-Ukraine peace talks, denied claims that he had taken part in the chat group from Moscow. He said he only regained access to his personal devices on his return to America, suggesting that was how he communicated with the group.
Signal and its ilk can protect messages in transit, ie, as they travel from device to device. They cannot protect users if their phone has already been compromised by spyware, potentially allowing a hacker to view its screen and keystrokes before any encryption is applied. That is why American officials are supposed to discuss sensitive information in special rooms known as Sensitive Compartmented Information Facilities, or SCIFs, into which they cannot take personal devices and which are shielded from electronic eavesdropping. Some senior officials, including Mr Hegseth and Ms Gabbard, travel with special equipment that allows them access to classified “high side” systems on the move.
Many Pentagon officials are up in arms about the leaks and Ms Gabbard’s and Mr Ratcliffe’s denials to the Senate. “There was a resounding sense of disgust at the lack of accountability,” says a serving official. “They put people at risk. Had any of us done the same our careers would be over at best and we would face jail time at worst.” Mr Trump, who once tweeted a detailed photograph taken by an American spy satellite, one of the country’s most closely guarded secrets, is more relaxed. “If it was up to me, everybody would be sitting in a room together,” he insisted. “The room would have solid lead walls and ceiling and a lead floor. But, you know, life doesn’t always let you do that.” ■