On Thursday, March 14, National Security Advisor Michael Waltz convened a small group Principals Committee meeting (a meeting of all key national security decision makers except for the President) to discuss policy and military strikes against the Houthis in Yemen using the commercial app Signal, an open-source encrypted messaging service. The group included, among others, Vice President J. D. Vance, Secretary of Defense Pete Hegseth, Secretary of State Marco Rubio, Director of National Intelligence Tulsi Gabbard, and other officials from the Central Intelligence Agency and the National Security Council. A transcript of the meeting came to the attention of the public due to the inadvertent inclusion of The Atlantic’s editor in chief Jeffrey Goldberg in the group. Goldberg thankfully didn’t reveal the contents of the chat, which included timing and methods to be used in the pending strikes, until ten days later, when he published an article in The Atlantic revealing the story. The episode has turned a national security issue into a political spectacle, with the administration downplaying the incident and its detractors attempting to use the issue for as much political gain as can be wrung from it.
Lost in the noise is the implication that government use of a commercial messaging app has been ongoing for quite some time, with uncertain national security risks. The use of Signal makes coordination of national security activities more convenient, because it allows officials to use their cell phones to communicate rather than relying on less flexible but more secure systems housed in Sensitive Compartmented Information Facilities. I will leave it to the National Security Agency to determine whether Signal is secure enough for government use in classified conversations. But this is not the first time in history that commercial communications technologies have been converted into government communications systems.
The most famous adaptation of commercial communications technology was the German Enigma machine, which began its commercial life in 1926. Using a series of rotors to transpose and encode plain text, the machine was intended for secure commercial communications. The German military adopted the machine in 1930, adding a plugboard to further complicate any codebreaking attempts. In its final form, Enigma was capable of generating 158,962,555,217,826,360,000 (158.9 quintillion) possible settings due to the combination of rotor positions, plugboard connections, and rotor selection. The Germans believed Enigma was unbreakable and never lost faith in the machine.
This assumption was an enormous blunder, for first Polish and then British codebreakers cracked Enigma’s secrets through a combination of deduction, mathematics, and the construction of an ingenious machine called the Bombe. By 1944, Allied codebreakers were reading German Enigma traffic in near real time. Some historians have ventured that the intelligence gained shortened the war by two years.
As the story of Enigma shows, commercial communications systems adapted to government service can contain vulnerabilities that make their use risky. If government officials need greater flexibility in their secure communications, then the government should fund a tailored system that is not only flexible, but secure. Relying on a civilian app with unknown coding is problematic at best.
