Signals Crossed: US War Strategy Sent Directly To Journalist

By now you’ve seen news headlines with sentiments ranging from The Sky is Falling to There is Nothing to See Here and everything in between. We do know that National Security Advisor, Mike Waltz has taken full responsibility for accidentally sending covert US attack plans to a journalist from The Atlantic Monthly. At the heart of the controversy is the popular encypted messaging app Signal, but the lingering questions could send future US wartime strategies into uncertainty.

On March 25, 2025, President Trump and US Secretary of Defense Pete Hegseth both denied that any classified information was leaked through the use of the Signal app, although they do not provide any evidence to explain their positions. Meanwhile, editors at The Atlantic have published the chats containing many names, places, aircraft and military targets before they were set to engage. This would obviously put US lives and strategy in danger if it were leaked into the wrong hands. At this time, it appears that only a journalist was mistakenly included in the chats and that no other non-invited parties had access to the content, but calls for a formal investigation into the matter have begun. Earlier this month, Hegseth ordered suspension of Pentagon’s offensive cyberoperations against Russia which also seemed to raise more than a few eyebrows in the security community.

Since this story is still unfolding, I feel it is more important to underline the technology in question here rather than keeping political score. However, I will say that this is not a surprise when considering past incidents involving Trump and his administration. You may recall back in 2018 when Trump posted images onto Twitter that he took with his smartphone during a classified meeting concerning Iran’s failed rocket launch. When anyone becomes comfortable with technology that is so easy to operate and share, breaks in confidentiality are inevitable. We develop, manufacture and sell wireless security tools (including cell phone detectors) to many government agencies precisely for this reason, but if best practices are not adhered to by our top leaders, it’s understandable when others also fail to adopt them.

Could this leak have been much worse than it was? Absolutely, but let’s use this security failure as a teaching moment to review the messaging platforms available to the public, US intelligence and our enemies as well. As secure messaging becomes a growing concern, it’s important to compare Signal with other major platforms like WhatsApp, Telegram, and iMessage. Each offers encryption, but their security models, metadata policies, and potential vulnerabilities vary significantly. Here’s what you need to know before choosing the right messaging app for privacy and security.

WhatsApp: The Pros and Pitfalls

WhatsApp is one of the most widely used messaging platforms, leveraging the Signal Protocol for end-to-end encryption (E2EE). Its vast user base makes global communication easy, and features like two-step verification add an extra layer of security. However, WhatsApp’s ownership by Meta raises concerns. The platform collects metadata on communication patterns and has been susceptible to spyware attacks. Additionally, backup encryption is optional, which means stored messages could be at risk if not properly secured.

Telegram: Secure or Just Convenient?

Telegram is known for its cloud-based functionality, allowing seamless access across multiple devices. It offers features like Secret Chats with E2EE, though this setting is not enabled by default. Users can also sign up anonymously with a username instead of a phone number. Despite these benefits, Telegram has significant security drawbacks. Standard chats lack end-to-end encryption, and the app relies on proprietary encryption that has not undergone extensive independent audits. Furthermore, Telegram stores metadata that could potentially be accessed by authorities.

iMessage: Apple’s Walled Garden

Apple’s iMessage provides end-to-end encryption for messages sent between Apple devices, ensuring security in transit and at rest. Two-factor authentication (2FA) enhances account protection, making it a strong choice for Apple users. However, the encryption does not extend to messages sent to non-Apple devices, which default to standard SMS. Additionally, iCloud backups can store message data unless users disable this feature. The closed-source nature of iMessage also limits external security audits, leaving some uncertainty about its overall security posture.

Signal: The Gold Standard or a Flawed Solution?

Signal is widely regarded as the most secure messaging app available today. It employs industry-leading encryption using the Signal Protocol, which ensures forward secrecy through advanced cryptographic techniques. Unlike other platforms, Signal retains minimal metadata, making it nearly impossible for third parties to trace communication patterns. As an open-source application, it is regularly audited by security professionals, further strengthening its reputation.

Despite these advantages, Signal has limitations that cybersecurity professionals should consider. One major drawback is its reliance on phone number-based registration, which makes users vulnerable to SIM-swapping attacks unless they enable Registration Lock. Additionally, while Signal’s encryption is strong, endpoint security remains a risk—if a device is compromised through malware or phishing attacks, encrypted messages can still be accessed. The app also lacks formal government security certifications such as FIPS 140-2 and Common Criteria validation, making it unsuitable for classified communications. Moreover, Signal does not offer enterprise-level features like centralized administration or compliance logging, which are essential for corporate use.

Should Cybersecurity-Focused Organizations Use Signal?

For personal use and general privacy, Signal remains one of the best choices due to its encryption, transparency, and nonprofit business model. However, organizations with strict compliance requirements should proceed with caution. Companies bound by regulations such as FISMA or NIST 800-53 may need enterprise-grade messaging solutions like Wickr, Threema, or Matrix-based platforms. Additionally, encryption alone is not enough—organizations must implement strong endpoint security policies to protect against device compromises.

The U.S. government’s recent hesitation regarding Signal underscores concerns about its suitability for classified or highly sensitive communications. While Signal offers robust privacy protections for individuals, cybersecurity professionals must weigh its vulnerabilities before adopting it as an official communication tool. As the secure messaging landscape continues to evolve, organizations should carefully assess their specific needs to choose the most appropriate platform.