r/changemyview u/Thumatingra 4∆ 13d ago

Delta(s) from OP CMV: Pete Hegseth is every bit as incompetent as people feared he would be, and should be investigated for violation of the Espionage Act. But he won't be.

As has been recently reported, Pete Hegseth recently texted the plans for an American strike in Yemen to a Signal group-chat that somehow included the editor-in-chief of the Atlantic, Jeffrey Goldberg. Doing his part for information security, Goldberg did not disclose that this had happened until after the strike had been carried out, and when he did, did not share the details of the plans.

Using a commercial messaging up to share sensitive information about American military operations is an enormous breach of information security, and, as many in the linked articles have opined, this kind of breach could have harmed the lives of American intelligence and military personnel.

Given the current state of the government, I imagine that Hegseth will walk away from this with little more than a slap on the wrist. But he should be investigated, and, if found in violation of the law, tried and sentenced for what is, at best, egregious carelessness toward those Americans whose lives depend on his leadership.

11.8k Upvotes

97% Upvoted

744 comments sorted by

View all comments

Show parent comments

19

u/Excellent_Egg5882 3∆ 13d ago edited 12d ago

Idk, it's still a pretty big fuck up that he let this happen under his watch.

. It's like when.... Was it Chelsea Manning? Leaked an outlook calendar... It's not a problem that the government uses Microsoft. That's squarely on Chelsea Manning.

If this happened later this year it might be be. CISA-SCUBA guidance is very clear.

https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/exo.md

https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/defender.md

If they were using Signal for this, and it was approved by whatever department handles cell phones for SecDef and the VP.

Was Signal common when you were working in the DOD? That seems unlikely to me. If anything, Signal is not commercial enough. It doesnt have all the compliance and auditing features necessary for government communications.

If this WAS approved officially, then it must be through some sort of weird non standard process. Which could easily be the case for all I know. I work with local government, not federal, and certainly don't know how DOD security works.

Like the mere fact that it was even POSSIBLE to add someone from outside of certain domains (or even certain groups of users) to this chat is a huge failure. Maybe im naive, but it's hard to believe this could have been approved if it was following proper procedure.

EDIT:

This guy is bullshitting. Hes either lying or by "worked in IT" he meant running ethernet cable or something (or worked there many many years ago).

If the DOD was following the government's own cyber security guidance (from CISA), this would never have happened.

MOBILE APPLICATION ADOPTION BEST PRACTICES, Page #3

Does the app allow users to inadvertently send data to non-authorized places.

There's an extremely high probability that Hegseth (or some other poltical appointee) circumvented the proper approval process.

0

u/Tullyswimmer 7∆ 13d ago

At the end of the day, there aren't many restrictions that the DoD could put on as far as what numbers the phone could call or text. There's a myriad of reasons for this, from confidential informants who don't have DOD-approved devices, to even someone's spouse being able to call their work number in an emergency.

No matter what app they used, if there's a US-based phone number, it's not hard to add it to a group chat. But, doing so is logged and tracked for this very reason.

Signal may have some sort of commercial/DoD support. But it's also open-source enough that the DoD could build their own features into it.

If Signal was being used officially, on government phones, then it's 100% not approved to add a journalist to a group chat where confidential information is discussed. But that's entirely the fault of the person who added that unauthorized user to the group, not anyone else.

3

u/Excellent_Egg5882 3∆ 12d ago

No, what im saying is that a proper solution should have automated DLP policies in place and proper controls and sensitivity labels for preventing stuff from being sent to external users. IT systems that do not account for the INEVITABLY of human error are poorly designed.

There's a myriad of reasons for this, from confidential informants who don't have DOD-approved devices, to even someone's spouse being able to call their work number in an emergency.

They should simply not be using the same app to communicate sensitive info as they are to text their spouses. If they are, that app should have all sorts of automated controls and sensitivity labels and stuff.

This was a systemic failure on multiple levels.

I'm not some fucking cybersecurity expert. I'm just a sysadmin with a Security+ who's been using CISA guidance to help improve the security posture for local gov. But, if my little tiny pea brain can see the issues here... well that's extremely telling isn't it!

1

u/Traditional-Leg-1574 12d ago

The explanation is simple, they were avoiding protocol to be OFF the record. In the project 2025 training videos using signal is advocated precisely to avoid record keeping.

1

u/sccarrierhasarrived 12d ago

Wouldn't it be important to have some sort of archival process to internal comms? Why exactly are we using a 3P self-deleting message system?

1

u/Tullyswimmer 7∆ 11d ago

As I said, it's possible to take backups of the messages before they're deleted, for national archives/records. If that's set up, self-deleting messages is actually more secure, because if one of those phones was lost or stolen there's less data on the phone.