As the fallout from the Signal group chat continues, a broader question comes to mind: What are the approved methods for communicating sensitive and classified material that Defense Secretary Pete Hegseth, National Security Adviser Mike Waltz, and the others on the chat should have been using instead? Are these networks, devices, and applications approved by the U.S. government up to the task of communicating on the move in the 21st century, or are they clunky relics from a bygone era?
In fact, classified communications within the government are having a golden age of innovation and convenience, thanks in large part to investments and programs started when the COVID pandemic dictated the need for quick changes in how information could be shared securely. There are now myriad tools available to employees across the government, including modern portable electronic devices. These devices are often specially configured versions of common consumer gadgets, such as iPhones and Android phones. They come equipped with messaging software that is essentially a secure version of commercial off-the-shelf products such as the Microsoft Office suite.
These tools require a secure network on which to operate, and the government provides multiple classified networks that cater to different classification levels and uses. The two most widely used networks are the Secret Internet Protocol Router Network (SIPRNet) for classified communication at the secret level and the Joint Worldwide Intelligence Communications System (JWICS) for communications at the top secret level. JWICS is the U.S. government’s most secure network known to the general public.
Encryption, segmentation, and authentication.
Imagine you and a colleague are at a conference and want to discuss something private. Do you find a quiet corner in which to chat? What if someone is listening in? Do you speak in code? What if you’ve only previously met this colleague virtually? How can you be sure they are who they say they are? Classified electronic communications present the same challenges.
The government addresses these challenges in three main ways. First, data is encrypted. This is the equivalent of speaking in code to your colleague. If someone intercepts your messages or overhears your conversation, they would need to crack your code in order to understand what you were saying. Second, data is segmented or separated from unclassified data. Even when connected remotely through a public access point like a cell phone tower, a classified device will create a separate encrypted tunnel through which to transit its data. This would be like you and your colleague entering a locked room at the conference center before starting your sensitive conversation. Even if someone was in the building trying to eavesdrop, they’d be locked out of your room. Third, the government authenticates the identity of all parties using the encrypted, segmented communications channels. This is akin to the conference organizers vetting all attendees and issuing badges for entry. Seeing your colleague with a badge gives you reasonable confidence they are not an impostor who slipped in from off the street.
While the commercial messaging app Signal uses encryption, it lacks segmentation, as its data travels over unclassified commercial networks. Additionally, user authentication is weak—just a phone number suffices to create an account. In contrast, gaining access to a classified government network requires rigorous verification as well as a security clearance.
Are official classified communications methods accessible and convenient?
Shortly after news of the Signal group chat became public, the Pentagon issued an advisory warning the app was being targeted by Russian hacking groups. Regardless of its shortcomings, a commercial app like Signal, installed on an iPhone, is extremely accessible and convenient to use. Can the same be said for government-approved communications tools? While no government-issued device offers the same level of availability and ease of use as a widely available commercial product, the secure solutions that are available for officials needing to keep their communications private come far closer to the phone in your pocket than you might think.
Devices that run on the higher-classification levels supported by the JWICS network are generally less mobile than their SIPRNet counterparts. Traditionally, top secret communications could be conducted only from desktop computers connected to physically separate cables, and all within highly secure physical facilities such as a Sensitive Compartmented Information Facility (SCIF). Tapping into this network from a remote location presents challenges, and while the government may never put full access in the palm of a senior leader’s hand, several programs are underway to increase accessibility. Last year, airmen from the Pacific Air Force Headquarters deployed a new tool that can be set up nearly anywhere to access the JWICS network.
At the secret level, the number of available tools increases exponentially. The National Security Agency (NSA) sets most protocols for secure communications in accordance with a Reagan-era executive order to safeguard national security information. The NSA’s Commercial Solutions for Classified (CSfC) program provides a range of tech that complies with the stringent requirements for accessing classified information.
Over at the Department of Defense, the Defense Information Systems Agency (DISA) maintains a cadre of commercial smartphones and tablets—under a program called DoD Mobility Classified Capability-SECRET (DDMCC-S)—that allows for secure phone calls and protects data being transmitted. These devices come equipped with modern communications tools that would be familiar to a typical commercial user, such as Outlook app capabilities for SIPRNet access. Another available solution is the Windows Data-At-Rest for Secret (WINDAR-S) program, which provides users with a Windows 10-based remote SIPRNet capability, effectively creating a mobile experience that is identical to a traditional desktop access point.
DISA continues to push for the classified deployment of additional commercial products that are widely used on unclassified and public networks. In a conversation with Federal News Network in 2023, Carissa Landymore, the program manager for DISA’s Defense Enterprise Office Solution, confirmed that a classified rollout of the Microsoft 365 suite would retain the same functionality as its commercial counterpart. As of February 2024, DOD365-Sec supported over 257,000 accounts, allowing users to collaborate securely via Outlook, OneDrive, SharePoint, Teams, and other Microsoft tools.
How well does the government manage its own classified communications methods?
In December 2024, the Inspector General for the DoD released the results of a recent audit specifically addressing the cybersecurity of DoD classified mobile devices. The results? Forty recommendations to address findings within the report. While several of the findings and recommendations are themselves classified, the report does share a few unclassified insights into the overall health and history of the classified mobile device landscape.
From a user management perspective, the IG report chastises the DoD for two main weaknesses. First, many devices appeared to be unused, or in the hands of employees who no longer had a valid need to possess a classified mobile device. The second finding addressed the need for a more robust user training program. One particularly damning line from page 24 of the audit: “DoD Components Were Not Prepared for the Increased Demand for Classified Mobile Devices or Enforcing Policy for Senior Officials.”
What should the Signal group have been using?
Using a commercial messaging app for classified discussions was a clear violation of security protocols. Hegseth and Waltz likely had access to DMCC-S devices, which would have allowed them to communicate securely via a classified version of Microsoft Teams. Such a device would have offered the same convenience as Signal while ensuring compliance with classified communication requirements.
Had they utilized the approved tools at their disposal, their conversations would have remained secure—and it’s all but impossible that a journalist would have been inadvertently added to the conversation. While anyone can be invited to a Signal chat, the DoD does not grant access to classified networks to private citizens.
