The use of the encrypted messaging app Signal is ubiquitous within the Department of Defense. Service members have received briefings about operational security (OPSEC) and information security (INFOSEC) and have taken the dangers of living in a digital world seriously by making sure that the work-related text messages they send on their cell phones are encrypted. The contradiction is that using Signal for official military business is against regulations.
"I have showed the regulation stating that WhatsApp/Signal is not authorized for official comms multiple times to my Brigade Commander and have been ignored," one frustrated soldier told Connecting Vets. They went on to explain that their unit is currently preparing to deploy while senior leaders use these apps to manifest flights and share slides explaining the unit's scheme of maneuver.
A second service member speaking to Connecting Vets on the condition of anonymity related that the 82nd Airborne Division recently received a "Red Corvette" and that the message alerting members of the Immediate Response Force to stand by for a possible deployment to Ukraine was passed via Signal. Unit leadership likely had their heart in the right place by using Signal. Few soldiers are issued government cell phones, meaning that alerts like this have to be sent via personally owned cell phones. Using Signal theoretically helps protect the unit's OPSEC as a risk mitigation tactic.
While using Signal as a stop-gap to protect information makes a certain amount of sense, it also grinds against military regulations such as paragraph 3.24 of DOD Instruction 8170.01, which states that service members may "not use non-DoD-controlled electronic messaging services to process nonpublic DoD information, regardless of the service’s perceived appearance of security (e.g., “private” Instagram accounts, “protected” tweets, “private” Facebook groups, “encrypted” WhatsApp messages)."
The findings of a recent Inspector General report appear to further solidify the intent of this regulation. The IG report was an investigation into allegations made against then-Defense Digital Service Director Brett Goldstein for disrespecting colleagues in the office. While those allegations were disproven, the IG report did find that Goldstein had erred in telling his subordinates to use Signal.
"We substantiated the emergent allegation that Mr. Goldstein used and condoned the use of Signal, an unauthorized electronic messaging and voice-calling application, to discuss official DoD information," the IG report concluded.
Switzerland recently announced new policies for its own military, due to similar concerns with commercial text messaging services being used by its soldiers. Swiss soldiers also used Signal and WhatsApp to communicate, but The AP reports that their military was concerned that the data centers for these services are in the U.S. and that the 2018 U.S. Cloud Act would allow the American government to access that data, which would be Swiss military data if soldiers are using these apps to transmit work-related messages. In response, the Swiss created their own messenger service called Threema.
An Army Signals official speaking to Connecting Vets on the condition of anonymity stated that Special Operations Command (SOCOM) had a contract for text messaging services with Wickr in which the software would be hosted on DOD servers, but the contract cost so much it eventually expired. Connecting Vets has previously reported that JSOC operators have used proprietary text messaging software to receive alerts and work-related messages.
Additional concerns have also been highlighted: non-governmental communications systems used to conduct government business could be exploited by unscrupulous officials trying to skirt around the Freedom of Information Act. A FOIA request would not cover text messages sent on personally owned cell phones.
The current contradiction, in which service members are not allowed to use Signal and break regulations to do so anyway, arises because few service members are issued cell phones and there is no DOD-approved messaging service, like Switzerland's Threema service, that they can use on their privately owned cell phones.
Spokesmen for the Secretary of Defense's office and the Army replied to a detailed list of questions pertaining to the use of Signal and other messaging apps used by service members, which is printed in full below.
Why does the Army allow this practice [use of Signal for CUI], and even advocate it, if it is against DOD regulations?
Bruce Anderson, an Army spokesperson, answered, “DoD and Army regulations are clear. Soldiers are not authorized to process, store, or transmit Controlled Unclassified Information using non-governmental applications or systems.”
Does DOD plan to formally authorize third-party apps like Signal and WhatsApp to then bring the practice in line with regulations?
Russell Goemaere, the Public Affairs Officer for the Office of the Secretary of Defense, answered, "In order to be used for official business, applications are required to be assessed, approved, and DoD-managed. The DoD has been focusing on delivering various means of providing Service members access to DoD365 collaboration capabilities from their personal devices. While not our primary focus, the DoD is assessing collaboration apps like Signal and WhatsApp for possible approved use on personal and government devices."
As currently written, the regulation does not allow official military business on non-DOD approved systems, yet very few soldiers are issued cell phones, forcing them to use their own. If the individual soldier or unit cares about OPSEC given this reality, it then makes sense that they would take their OPSEC into their own hands by using encrypted applications even if not approved. Why hasn't DOD addressed this issue?
"DoD365 provides a messaging capability that is approved for CUI and use on DoD mobile devices. The Services are in the final stages of testing Bring Your Own Approved Device (BYOAD) and Bring Your Own Device (BYOD) solutions that provide access to the DoD365 collaboration capability on service member's personal devices," Goemaere said.
The use of third-party non-approved apps can be used to skirt around the Freedom of Information Act. We all remember the issues surrounding Sec. Clinton's private email server for instance. How does DOD intend to bring official Army business into compliance with FOIA as a FOIA request would not encompass private encrypted chats on personal cell phones?
"Official communication tools comply with FOIA. As an example, DoD has rolled out DoD365 for enterprise use by the entire department, which complies with all relevant laws regarding data retention. DISA has also provided a list of approved telework tools that can be used for communication," Goemaere explained.