The starting lineup of the US national security team reviewed, approved, monitored, and celebrated a military strike against the Houthis.
On Signal.
Everyone is railing about the dissemination of what is clearly classified information on what we presume are insecure devices (their personal cell phones), and a pretty-damn-secure-but-clearly-unclassified communications system (Signal). Anyone who has held a security clearance and dealt with classified information will tell you this is the opposite of how you are supposed to do things.
For ordinary folks, this sort of activity would result in arrest, trial, and prison.
As this post was being drafted everyone involved still had their jobs.
But this isn’t about all that. People at the highest echelons of government play fast and loose with classified information all the time. Every story you read about “secret plans” or “sensitive discussions” or like content are all government officials sharing classified information with people who are not authorized to have it (reporters) to support political goals.
No, this is about the fact that the top echelon of our national security apparatus – people who have access to the most advanced security technology available – feel like the only way to get shit done is to use Signal. Not the DRSN. Not DMCC-TS. Signal.
Replace “national security apparatus” with, well, just about any institution anywhere. Throw up a bunch of security requirements and provide people with inadequate or cumbersome or high-friction means of meeting those requirements. They’re going to figure out a way around them.
Every. Time.
You need a password: password
It needs to be long and complex: password123
You need to lock your screen or after a certain time we’ll lock it for you: oh really?
Set aside your politics. Set aside your personal opinions of the people involved. Assume good intent and that like most people they want to perform well and at a high level. How is what happened different from what goes on every day in outfits just like yours?
On the flip side, I’m not running down DISA/NSA/everyone involved in building and operating secure systems. They’ve got an extremely difficult job. But if we assume those involved are aware of the resources available to them and still feel compelled to do what they did, something clearly has to change with regards to design, UI/UX, functionality, etc.
I’ve made a lot of assumptions here, and this is an evolving story that isn’t over yet. I’m prepared to be wrong about intent and other factors, but let’s please not lose track of the fact that most security solutions are the enemy of productivity, and the more serious your job, the greater the negative impact that has on things.