IT Essentials: The fist, the flag and the flame

The Trump administration has managed to turn a military victory into a resounding opsec defeat

Image: The emojis national security advisor Mike Waltz used to mark the success of the strikes on Yemen

Is anyone in the White House paying attention to opsec training?

In terms of operational security, how would you rate "adding an investigative journalist to a group chat of US security leaders discussing upcoming strikes on Yemen"? One out of ten? Zero? “The highest level of fuckup imaginable”?

Two weeks ago the editor-in-chief of The Atlantic, Jeffrey Goldberg, was added to a group chat including the US secretary of defence, Trump’s national security advisor and other key officials. This group not only openly talked about top secret military intelligence without vetting who was present, but did so on Signal. Not an approved service, government system or special facility; a commercial messaging app.

That app, by the way, was targeted by Russian intelligence earlier this year – and one chat member, US special envoy for Ukraine and the Middle East Steve Witkoff, was in Russia at the time of the incident.

End-to-end encryption is great, but it’s useless if a chat member’s phone is compromised.

But this isn’t really about Signal, despite what Trump says. It’s about training, and why it really shouldn’t be.

Opsec is a process to stop information from falling into the wrong hands. What that information is depends on individual circumstances, but classified military intelligence is a pretty easy ask for inclusion.

Nevertheless, multiple members of the chat – remember, these people represent the highest level of US government – openly discussed in-depth details of upcoming action, including targets, weapons and attack sequencing.

In the USA, military personnel undergo annual training for info- and opsec, and even that’s less frequent than industry recommendations. How often do government officials do the same? By the sound of things, the answer is either “never,” or “it doesn’t matter, because it will be ignored.”

Reinforcing that is a series of security leaks discovered in the days since the story broke. They include national security advisor Mike Waltz’s Venmo account being left open to the public until this week (echoing the same mistake by JD Vance last year), and personal contact details of several officials – including Waltz, secretary of defence Pete Hegseth and, ironically, director of national intelligence Tulsi Gabbard – searchable online.

Look, I get it, security isn’t always easy; but skipping even the most basic, “Do I know who everyone in this chat is” step? There is no excuse.

It all casts a bit of a shadow on Hegseth’s insistence on Signal that “I will do all we can to enforce 100% OPSEC.”

With European IT leaders increasingly looking away from the USA, John Leonard has talked to Michael Doherty – infrastructure head at semiconductor giant Renesas – about his company’s global strategy.

We also used this week to talk to stakeholders in the quantum space. The NCSC recently advised having plans to quantum-proof your stack in place by 2028 – but is that too late? Experts think so, pointing out the “huge opportunity” for the UK to lead in quantum security.

And we’ve two stories about AI this week; the first a podcast episode with Oracle’s head of UK, Siobhan Wilson, about its new build-your-own-agent product; and the second with The Gym Group’s CTO Milan Juza on how AI is shaping the future of fitness (and whether we’ll ever see the Terminator in leg warmers).