
Hegseth needs to go to secure messaging school, report says

US Defense Secretary Pete Hegseth definitely broke the rules when he sent sensitive information to a Signal chat group, say Pentagon auditors, but he’s not the only one using insecure messaging, and everyone needs better training.

The Pentagon Office of Inspector General on Thursday released two reports, one specifically dealing with the “Signalgate” incident, and a second that found Hegseth’s massive OPSEC failure was just the latest in a long line of similar failures among DoD employees with regard to the use of improper methods of communication. 

For those who’ve forgotten about Hegseth’s Signal snafu, the incident involved sending sensitive operational details about airstrikes on Houthi rebels in Yemen to a Signal group that included The Atlantic editor-in-chief Jeffrey Goldberg. As any journalist would when catching wind of such a juicy story, Goldberg published a story about it, but withheld the messages in the interest of not publishing what may have been classified information. 

He later published the messages in a follow-up story after Trump administration officials, Hegseth included, denied that the content of the discussion was either classified or sensitive despite including a mission timeline as well as details about the types of aircraft and munitions being used. 

As anyone with a modicum of sense would think, those details are definitely sensitive. The DoD OIG believes so, at least, finding that the Signal messages repeated material taken from a USCENTCOM email labeled “SECRET//NOFORN” and contained operational details that should have been handled at the secret level.

But here’s the rub: As the ultimate DoD authority figure, Hegseth has unilateral authority to declare something declassified, even if, say, the email he pulled it from to share it on Signal marked it as secret. 

That’s all well and good, but even though Hegseth insisted he’d declassified what he sent, the OIG found he still broke Pentagon rules by using both a personal device and a nonapproved commercial messaging app to share it. 

As a result, said inspectors, Hegseth risked “potential compromise of sensitive DoD information, which could cause harm to DoD personnel and mission objectives.” Luckily that didn’t happen this time around, but it seems like the OIG is convinced there very well may be a next time. 

A single drop in a sea of bad OPSEC

Hegseth won’t be facing any actual penalties for his violation of Pentagon policy, however – unless one considers a bit of remedial security training to be a punishment. The OIG only asked US Central Command’s security office to review classification procedures and ensure documents are properly marked due to the incident. That’s not because Hegseth is covered in Teflon like his boss, though: It’s because the DoD’s compliance with such rules is universally bad. 

“Although the Secretary did not comply with [DoD regs], we are not making a recommendation because the use of Signal to send sensitive, nonpublic, operational information is only one instance of a larger, DoD-wide issue,” the OIG said in its report, which brings us to the second report the Inspector General published on Thursday. 

According to that report, which evaluated prior investigations as part of an attempt to determine how bad the Pentagon is at keeping secret information secret, Signalgate might be the most public example of a serial problem, but it’s hardly the only one. 

“We found that DoD policy provides specific processes and procedures for classifying, declassifying, and protecting controlled and classified information,” the second report noted. Unfortunately, it also found that Pentagon personnel “did not consistently comply with federal law and DoD policies for electronic messaging and records retention,” that the DoD hadn’t fully implemented prior recommendations related to the use of unofficial electronic messaging systems, and that such failures “may have jeopardized DoD operations or missions.”

The report on this broader DoD issue, auditors noted, was triggered by Signalgate. 

As a result, Hegseth and other “political appointees, general officers, flag officers, and members of the Senior Executive Service” ought to be required to undertake a custom-tailored bit of cyber training “with a knowledge assessment,” according to auditors. 

Additionally, the OIG asked that the DoD CIO actually get its hands on a DoD-controlled messaging service that meets the Pentagon’s needs, establish a procedure for granting waivers to use public messaging services, and update cyber training to include the impacts of unauthorized disclosures. 

The DoD didn’t respond to questions for this story. ®
