The Signal Chat Leak and the NSA

US National Security Advisor Mike Waltz, who initiated the now-infamous group chat orchestrating a US assault against the Yemen-based Houthis on March 15, is seemingly hinting that the secure messaging platform Signal may possess security flaws.

“I didn’t notice this individual in the group,” Waltz informed Fox News about Atlantic editor in chief Jeffrey Goldberg, whom Waltz invited into the chat. “Whether he did it intentionally or it occurred through some other technical means, is what we’re attempting to ascertain.”

Waltz’s suggestion that Goldberg might have breached the chat was followed by a report from CBS News stating that the US National Security Agency (NSA) issued a warning to its personnel last month regarding a security “vulnerability” found in Signal.

However, the reality is much more captivating. If Signal indeed harbors vulnerabilities, then nations like China and Russia, along with other US adversaries, suddenly have new motivation to uncover them. Concurrently, the NSA is under pressure to identify and rectify any weaknesses as swiftly as possible, and likewise to ensure that commercial smartphones are devoid of backdoors: entry points that enable unauthorized individuals to bypass standard security authentication methods to access a device’s contents.

This is crucial for anyone desiring to maintain their communications in privacy, which should encompass all of us.

It’s widely recognized that the NSA’s aim is to infiltrate and intercept foreign networks. (During President George W. Bush’s term, the NSA executed warrantless surveillance of domestic communications as well—oversight that several district courts determined to be unlawful before those verdicts were later overturned by appellate courts. To this day, numerous legal scholars argue that the program infringed upon federal privacy safeguards.) Nevertheless, the agency possesses a secondary, complementary duty: safeguarding US communications from those aiming to spy on them. In other words: While one division of the NSA intercepts foreign communications, another division prevents foreign entities from doing the same to Americans.

These missions did not contradict one another during the Cold War, when allied and enemy communications were entirely distinct. However, in the present day, all parties utilize the same computers, the same software, and the same networks. This engenders a conflict.

When the NSA identifies a technological flaw in a service like Signal (or acquires one on the bustling clandestine vulnerability market), should it exploit it covertly, or disclose it to facilitate a fix? Since at least 2014, a US government interagency “equities” process has been employed to determine if it serves the national interest to exploit a specific security vulnerability or remedy it. The trade-offs are often intricate and challenging.

Waltz, together with Vice President J.D. Vance, Defense Secretary Pete Hegseth, and other officials in the Signal group, has made the trade-offs significantly more complex. Signal is both widely accessible and heavily utilized. Smaller governments that lack the resources for their own military-grade encryption rely on it. Journalists, human rights advocates, persecuted populations, dissidents, corporate leaders, and criminals globally utilize it. Many of these groups pique the NSA’s interest.

Simultaneously, as we’ve now learned, the application is being utilized for operational US military communications. Therefore, what course of action does the NSA take if it uncovers a security flaw in Signal?

In the past, it might have opted to keep the flaw under wraps and leverage it to monitor adversaries. Now, if the agency chooses this path, it risks another party discovering the same vulnerability and using it against the US government. Furthermore, if it were later revealed that the NSA could have rectified the issue but chose not to, the repercussions could be severe for the agency.

Smartphones pose a similar dilemma. The primary risk of eavesdropping on a Signal conversation stems from the personal devices that run the app. While it remains largely uncertain whether the US officials involved had installed the app on personal or government-issued devices—although Witkoff implied on X that the program was on his “personal gadgets”—smartphones are consumer products, absolutely unsuitable for confidential US government discussions. An entire sector of spyware firms markets capabilities to remotely breach smartphones for any nation willing to invest. More advanced nations possess more intricate operations. Just last year, attacks later linked to China attempted to access both President Donald Trump and Vance’s smartphones. Previously, the FBI—as well as law enforcement organizations in other nations—have pressured both Apple and Google to incorporate “backdoors” into their phones to facilitate court-authorized surveillance more easily.

These backdoors would create, evidently, another vulnerability to be exploited. A different assault from China in the past year accessed similar capabilities integrated within US telecommunications infrastructures.

The vulnerabilities equities have shifted against compromised smartphone security and toward protecting the devices that senior government figures now utilize for discussing military secrets. This also indicates that they have shifted against the US government retaining Signal vulnerabilities—and toward full transparency.

This is potentially optimistic news for Americans who wish to converse privately without any entity, governmental or otherwise, eavesdropping. We are unaware of the pressures the Trump administration may be exerting to align intelligence agencies, but it’s not irrational to be concerned that the NSA might renew its surveillance of domestic communications.

Due to the Signal chat disclosure, it’s now less probable that they will exploit vulnerabilities in Signal to achieve that goal. Likewise, malicious actors such as drug trafficking organizations may also feel reassured using Signal. Their protection against the US government lies in the fact that the US government shares their vulnerabilities. Nobody desires their secrets to be laid bare.

I have long supported a “defense dominant” cybersecurity approach. As long as smartphones are carried by every government official, law enforcement officer, judge, CEO, and nuclear facility operator—and now that they are being used for what the White House refers to as “sensitive,” if not entirely classified discussions among cabinet members—we require them to be as secure as possible. This means no government-imposed backdoors.

We may uncover more about how officials—including the US vice president—came to be utilizing Signal on what seem to be standard consumer smartphones, in an apparent violation of the regulations on governmental records. It’s improbable that they fully considered the implications of their actions.

Nonetheless, those implications are substantial. Other nations, potentially including US allies, will now have significantly more motivation to compromise Signal’s security than they did previously, and greater incentives to hack US government smartphones than before March 24.

For precisely this reason, the US government faces urgent motivations to safeguard them.

This article was initially published in Foreign Policy.

