Patrick Gray
Welcome to Seriously Risky Business, the podcast we do here at Risky Biz HQ, all about cyber policy and intelligence. My name is Patrick Gray. We'll be checking in with our policy and intelligence editor, Tom Uren, in just a minute. And we're going to talk through his newsletter this week, which you can subscribe to at Risky Biz. Before we get started, we'd like to say a big thanks to the William and Flora Hewlett Foundation for supporting Tom's work with us here, and also to Lawfare Media for syndicating Tom's weekly column. And yeah, we do have a sponsor this week as well, which is Sublime Security. I'm actually an advisor with Sublime Security, so obviously I'm going to say they're awesome, but they really are. They're an email security platform, like a cloud email security platform. And really what they've done is just re-engineer and re-implement, you know, a cloud-based email security platform that's much more contemporary, much more modern, much more flexible, and actually adapts to each environment that it's in. It's very, very good. So if you're actually on the hunt for an email security platform, you definitely need to check out Sublime Security. But Tom, thank you for joining me. Obviously, the big story this week is what we're calling Signalgate, where an editor from The Atlantic was dropped into a group chat where a military strike was being planned by senior Trump government officials. Obviously, this is bad for a number of reasons. Those sorts of discussions are supposed to take place on government systems usually located within SCIFs. Um, now, since we spoke about it on the weekly show yesterday, there have been some developments in the story. We have confirmation that some of the participants in this group chat were using personal devices, which I'm not too surprised by.
And also Jeffrey Goldberg, the Atlantic reporter or editor, has released the full content of everything that he saw on Signal, because this story's really blown up. I mean, the messages that we've seen, thankfully didn't seem to involve cutting and pasting top secret documents into Signal, which is something. But there was absolutely reportable intelligence in that group chat. And, you know, it doesn't look any better. You know, nothing we've seen in the last 24 hours makes this less bad.
Tom Uren
Yeah. So I guess my big picture takeaway from all of this is that it just never should have happened. So no one in that thread should be thinking that this is okay, that Signal is okay for these kinds of communications. And that kind of procedure, that way of thinking, means that these kinds of leaks are inevitable. So in a way, this is like the best possible outcome for the Trump admin in that it ended up with a journalist and not a foreign intelligence service.
Patrick Gray
Yeah, they didn't, they didn't accidentally add someone from the Russian embassy. So, I mean, in that way it's good.
Tom Uren
Yeah, yeah. Like that's the best possible spin you have, but it would have happened eventually. Now, they wouldn't necessarily have added the Russian embassy per se, but there would be a foreign intelligence service who would get onto one of those devices, would have had access to this group chat and potentially many others. So the way that they were doing things was a security breach just waiting to happen.
Patrick Gray
Well, I mean, I'd go a step further, actually. I've been talking about this with, you know, various people in the United States who are experienced in these matters, and they have said that, you know, given the use of personal devices here, that one of those endpoints would be, you know, I asked them, do you think one of them is compromised? And they said, undoubtedly. So they consider everything in these Signal conversations already to be exposed to foreign intelligence services. And I don't think that's being hysterical. I think it's entirely accurate to say anything posted into these group chats is winding up with an FIS.
Tom Uren
Yeah, yeah. So the group, I think it had 20, 30 members. And so when you sort of think of the chances of any individual device being compromised, I think it starts to add up. It's small for any, and you've got.
Patrick Gray
20 participants, and they're using their mobile device and often they're using the desktop client as well. So we could be talking 30 to 40 devices, really, that are the target set there, which is, funnily enough, this is why you use government devices in a SCIF. Right? Like, that's the whole point.
Tom Uren
Yeah, yeah. So I think it's also that they're high-priority targets, it's not 20 or 30 random people. There's this incredible tweet from Steve Witkoff, who is the US Middle East envoy, and he basically says, it's all right, guys, don't worry, I was using my... I didn't have access because I was using my personal device and not a secure government device.
Patrick Gray
No, he said it the other way around because he was in Moscow. Right. So people are like, oh, my God, he was doing this from Moscow. And he said, no, don't worry, I wasn't doing it in Moscow because I only had my government device with me, not my personal device, thus, thus proving that the Signal conversation was taking place on his personal device. Like, you know, how, how did he think this was better?
Tom Uren
It's ludicrous. I spent several minutes just laughing about that. Like, that makes it... And that, I think, underlines that there's no understanding of why or what you should be doing to keep these things secure, these conversations secure, and the, like, the take-home message is you just shouldn't be having them on Signal in the first place. Now, Signal is like, good, it's probably got the best reputation, but there's just so many more ways that personal devices can be compromised compared to government secure systems. And like, a lot of it just boils down to we don't let government secure systems connect to the Internet. And like, that's a big difference.
Patrick Gray
It is a big difference. And how, you know, like, yeah, absolutely, that's a big difference. And when you look at some of the material here that was exposed, I mean, you're talking about now, you know, Steve Hegseth has said, oh, you know, we were not putting war plans in there, but there is a description of like, the timing and sequence of events, the fact that F18s were going to be used. I mean, you know, if the Houthis were able to see this, they may have been able to mobilise their air defence to certain areas because they would have, you know, they would anticipate this attack and it may have actually endangered U.S. forces. So it is, it is a very big deal. There is rumours kicking off at the moment in D.C. about possible resignations. Like by the time we've even finished editing this, this podcast, there may have been resignations, surprisingly. And, you know, we covered this yesterday. Trump seems to be not so impressed with his people on this. He actually seems to understand that this is not cool, which almost surprised me because his normal response is just to attack everyone. But you still feel like the right lessons are not really being learned here and that, you know, their focus, the focus out of the Trump camp has really been about saying that this, you know, this journalist is a sneaky devil who wound up in this group chat and not really, you know, they haven't really copped most of the people involved, Trump excluded. Let's, let's be fair to him. Most of the people involved in this seem to be, not really, you know, re-examining, reevaluating their choices, let's say.
Tom Uren
I feel like having a strong security mindset... Like it is a mindset and if you're even in this situation, you're not thinking that way. And I think you learn a tactical lesson which is don't use Signal, rather than like actually sort of incorporating into you. Yeah, that's right. That's... That's what I feel like. So that group chat had the Director of National Intelligence, the director of the CIA, Trump's national security adviser. And as far as we know, not one of them said, hey, it might be a good idea to have this conversation somewhere else. And that, like, just to me is kind of mind-blowing. And rather than saying, yes, we made a mistake, there was probably just a bit too much, you know, we put a bit too much detail in those conversations, which I think you could... That's at least an argument. No one's made that argument. They've just said it's at least an argument.
Patrick Gray
It's not a good one, but it's an argument. Right?
Tom Uren
Yeah, yeah, yeah. And they're saying, well, you know, Hegseth has the declassification authority, so it's okay.
Patrick Gray
Because by talking about it in an insecure way, he declassified it.
Tom Uren
That's right, exactly. It's kind of like... What's the word? You know, when you put the wagons together, forming a... Circling the wagons, circling the wagon. That's what you're... That's the American analogy that I'm unfamiliar with. And instead of just saying, saying, yeah, okay, we need to re-examine how we communicate. We shouldn't have had those wagons out there in the first place, I guess.
Patrick Gray
Yeah. Now, obviously we've mentioned this on the show previously, but you worked in government service for a long time. You worked in the intelligence community. You have reacted like everybody else I know who's like former IC, which is just to like, laugh their head off about this because it's so bad. I mean, I think there is a disconnect in this, the way this is being covered, like, in the sense that people who really know this stuff are just sort of horrified and kind of oddly amused because it's just so bizarre that they keep laughing about it. Whereas, yeah, I think a lot of the people, a lot of people in the public don't necessarily understand that the issue here is the existence of these sorts of group chats in the first place, not the fact that one was exposed.
Tom Uren
Yeah.
Patrick Gray
That said, I think I feel like the media has done a pretty good job covering this. Right. And honing in on what the issues are.
Tom Uren
Yeah, I don't think it's... It's like Signal was never an answer to the kind of problems that they're having. Like, the problem is we want to discuss things in real time and having a fairly, like, fairly open discussion on Signal is, is just not the answer. I think the Biden administration, reportedly, they would use Signal to say things like, hey, you should go to a secure system and we'll have a chat there. That seems like a reasonable way to do it. I think you could also have said... Hegseth could have said, yes, all systems are go, and we'll have more information later. That I think would be a reasonable...
Patrick Gray
F18s are about to take off, weather looks good.
Tom Uren
Exactly. And then they subsequently talk about particular targets and whether they've killed them or not. I don't think that's appropriate for Signal.
Patrick Gray
Well, and they also expose the fact that they had CIA folks on the ground who were spotting and things like that. They did. They did give up information they shouldn't have. Anyway, look, we've talked heaps about this on the main show. We've talked about it. Now, if people want to read in more detail Tom's take, head over to Risky Biz and read Seriously Risky Business. I've read it. It's a very good piece of analysis, and I'd recommend you all, you all check it out. You did cover something else this week, which is the CSRB and about how it deserves a rerun. It deserves to be spun back up because it was essentially disbanded in the very early stages of the Trump. There's been this letter circulating, though, from some committee member talking about CSRB and talking about how we need an inquiry to make sure that it matched the original intent as Biden expressed it, and that it lived up to its vision and blah, blah, blah, blah. Now you're saying... I mean, I've read that letter as well. I mean, it seems pretty reasonable stuff. But your argument here is that, like, let's not slow it down. CSRB is unquestionably good. Let's just get it back up and running and then worry about fine-tuning it later.
Tom Uren
Yeah, yeah. So the letter's from the chair of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, Andrew Garbarino. So the main thing I have a problem with is he says we should review the CSRB, make sure that it's fit for purpose, and then get it back going. And I say, no, the CSRB is not perfect. It could definitely be better. He identifies, like, transparency, how the committee's made up, how you select incidents to review, and how you come to recommendations. Like, fair enough. Those are all things that I think are a bit undefined or were a bit undefined in the previous operation of the board. However, I think that it has proven that it's done good reports. And Garbarino also compares it to the NTSB and he says it's not as well structured and defined as the NTSB. And I think that's just not the way cybersecurity is. So when I look back at the previous CSRB reports and like the very, very highest level summary just basically boiled down to massive problems, like supply chain security is underdone. So that was the Log4j report. Lapsus$, the nice sort of high-level summary is current cybersecurity practices just are ineffective against a new breed of hackers. And the Microsoft report is Microsoft security culture sucks. And so it's not like the NTSB where you can say these bolts on this plane were not tightened. Manufacturers go and make sure that those bolts are tightened and report.
Patrick Gray
Yeah, I mean, it's a much smaller supply chain, you know, isn't it? When you're talking about like aircraft manufacturers, there's not as many of them as like software vendors. And, you know, it's, it's a different, it's a different thing.
Tom Uren
And you can trace back faults to very, very specific things, whereas the kind of like big picture problems are still huge. And so I don't think that there is a way that you can cut, cut and paste from the NTSB to get to the, to a CSRB that would work today. And so I think it's like you've got to learn by doing. You've got to move fast and break things, I guess, which seems to be.
Patrick Gray
I mean, it sounds like really ultimately what you're saying is it was a mistake to disband it.
Tom Uren
Yeah. So I think there's big problems like the Salt Typhoon compromise of US telcos, which as far as I can tell is still ongoing. And the CSRB was in the midst or just starting to kick off its review of that. I think it's a real shame that it got interrupted. I'd like to see it running back as soon as possible and waiting to try and make it perfect is not the right way to do that.
Patrick Gray
Perfect is the enemy of good. You heard it here first.
Tom Uren
Exactly.
Patrick Gray
All right, we're going to wrap it up there. Tom Uren, thank you so much for joining me to walk through your newsletter this week. Again, anyone wants to subscribe to that, head over to Risky Biz, where you can get it in your inbox every week. Pleasure to chat to you as always, mate. And we'll do it all again next week. Cheers.
Tom Uren
Thanks, Patrick.
Risky Bulletin Episode Summary: "Srsly Risky Biz: The Signalgate Clown Show"
Release Date: March 27, 2025
Host: Patrick Gray
Guest: Tom Uren, Policy and Intelligence Editor
In the latest episode of Risky Bulletin, host Patrick Gray delves into a critical cybersecurity debacle within the Trump administration, aptly titled "Signalgate." Joining him is Tom Uren, the team's policy and intelligence editor, who provides in-depth analysis of recent developments and their implications for national security.
The episode centers around a significant security lapse where an editor from The Atlantic infiltrated a group chat used by senior Trump administration officials to plan a military strike. This unauthorized access, referred to as "Signalgate," has raised alarms about the safeguarding of sensitive communications.
Key Points Discussed:
Unauthorized Use of Signal for Sensitive Communications
Patrick Gray opens the discussion by highlighting the severity of using Signal, a widely recognized secure messaging platform, for high-stakes government communications. He emphasizes the breach's ramifications:
"The messages that we've seen, thankfully didn't seem to involve cutting and pasting top secret documents into Signal, but there was absolutely reportable intelligence in that group chat."
— Patrick Gray [02:12]
Security Vulnerabilities Due to Personal Device Usage
Tom Uren underscores the inherent risks of utilizing personal devices for official communications:
"These kinds of leaks are inevitable. So in a way, this is like the best possible outcome for the Trump admin in that it ended up with a journalist and not a foreign intelligence service."
— Tom Uren [02:42]
Uren further elaborates on the probability of device compromises within the group chat:
"They consider everything in these Signal conversations already to be exposed to foreign intelligence services."
— Patrick Gray [03:45]
Implications for National Security
The use of Signal and personal devices potentially exposed critical operational details, such as the timing and sequence of military actions involving F-18s. This exposure could have allowed adversaries to preemptively mobilize defenses, thereby endangering U.S. forces.
"If the Houthis were able to see this, they may have been able to mobilize their air defense to certain areas because they would anticipate this attack and it may have actually endangered U.S. forces."
— Patrick Gray [04:12]
Reactions and Accountability
The incident has sparked rumors of resignations within the administration. Interestingly, Patrick notes a shift in President Trump's usual stance:
"Trump seems to be not so impressed with his people on this. He actually seems to understand that this is not cool."
— Patrick Gray [07:05]
However, the underlying issues of secure communication practices remain unaddressed.
Tom Uren emphasizes the absence of a robust security mindset among officials involved in Signalgate. The reliance on Signal, despite its reputation, is insufficient against sophisticated threats targeting personal devices.
"It's just so many more ways that personal devices can be compromised compared to government secure systems."
— Tom Uren [05:43]
He advocates for the exclusive use of government-secure systems that are isolated from vulnerabilities inherent in personal devices.
Shifting focus, the conversation transitions to the Cybersecurity Supply Chain Risk Bulletin (CSRB), which was disbanded early in the Trump administration. Recent proposals advocate for its revival to bolster cybersecurity measures.
Key Insights:
Current State and Recommendations
Tom critiques the existing discourse surrounding the CSRB, particularly a letter from House Homeland Security Subcommittee Chair Andrew Garbarino, which calls for a review and reinstatement of the CSRB to ensure it aligns with original intents.
"The CSRB is not perfect. It could definitely be better... It has proven that it's done good reports."
— Tom Uren [12:59]
Comparative Analysis with the National Transportation Safety Board (NTSB)
Uren contrasts the CSRB with the NTSB, highlighting inherent differences in cybersecurity's complexity compared to transportation safety, where specific faults can be directly addressed.
"There's not a way that you can cut, cut and paste from the NTSB to get to, to a CSRB that would work today."
— Tom Uren [13:09]
Urgency in Reviving the CSRB
Emphasizing the ongoing threats, such as the Salt Typhoon compromise of U.S. telecommunications, Uren advocates for the immediate reinstatement of the CSRB to address pressing cybersecurity issues without delay.
"Waiting to try and make it perfect is not the right way to do that."
— Tom Uren [14:07]
As the episode wraps up, Patrick Gray reiterates the importance of robust cybersecurity frameworks and the lessons learned from the Signalgate incident. He encourages listeners to subscribe to the Seriously Risky Business newsletter for comprehensive analyses and insights.
"Perfect is the enemy of good. You heard it here first."
— Patrick Gray [14:07]
Signalgate Highlights Critical Security Failures: The unauthorized access to high-level government communications via Signal and personal devices exposes severe vulnerabilities.
Necessity of a Security-First Approach: Adopting secure, government-sanctioned communication platforms is paramount to safeguarding national security interests.
Reinstating and Strengthening the CSRB: Reviving the Cybersecurity Supply Chain Risk Bulletin is essential to address and mitigate ongoing and future cybersecurity threats effectively.
For a deeper dive into these discussions, subscribe to the Seriously Risky Business newsletter at Risky Biz.