A brigade of paratroopers deployed in early January to the Middle East in the wake of mounting tensions with Iran has been asked by its leadership to use two encrypted messaging applications on government cell phones.
The use of the encrypted messaging applications Signal and Wickr by the 82nd Airborne’s Task Force Devil underscores the complexity of security and operations for U.S. forces deployed to war zones where adversaries can exploit American communications systems, cell phones and the electromagnetic spectrum.
But it also raises questions as to whether the Department of Defense is scrambling to fill gaps in potential security vulnerabilities for American forces operating overseas by relying on encrypted messaging apps available for anyone to download in the civilian marketplace.
“All official communication on government cell phones within TF Devil has been recommended to use Signal or Wickr encrypted messaging apps,” Maj. Richard Foote, a spokesman for the 1st Brigade Combat Team, told Military Times.
“These are the two apps recommended by our leadership, as they are encrypted and free for download and use,” Foote said.
Foote added that there is no operational discussions via the apps and an extra layer of security is provided because users must go through virtual private networks.
However, there are government transparency concerns with the use of encrypted messaging apps like Signal and Wickr, which feature auto-delete functions where messages are erased after a set period of time. Electronic communications and text messages sent as part of official government business are part of the public record, and should be accessible via a Freedom of Information Act request.
The Department of Defense did not respond to queries from Military Times regarding government records keeping policies and whether Signal and Wickr have been audited for security flaws by the DoD. Military Times has reached out to the National Security Agency, and has yet to receive a response.
Operational planners and military commanders rely on government cell phones for basic menial tasks from scheduling and daily muster even when deployed overseas.
Foote told Military Times that there is “no requirement for extensive use of cell phones for work communication” for the deployed 82nd paratroopers.
“If cell phones are used, we have taken the best steps, readily available, to ensure the best security of our transmissions,” Foote explained
“To be clear, the term “official communication” in this setting refers to coordination of assets, sharing of meeting time changes, etc. There is no operational discussion on these platforms,” Foote said.
Adversaries like Iran, which boast robust cyber and electronic warfare capabilities can glean much information from phone collections and basic text messages that could highlight daily patterns on an installation or sudden shifts and changes in schedules — potential indications of pending operations.
But Foote explained to Military Times that the 82nd’s government cell communications include an extra layer of security.
“When official business is being conducted via cell, it is done on the apps over VPN-protected [virtual private network] connections…systems reviewed and recommended by our Communications and Cyber sections,” Foote said.
In 2016, Signal received a positive security review when it was audited by the International Association for Cryptologic Research.
“We have found no major flaws in the design,” IACR said in its 2016 security audit of Signal.
A former military intelligence operator who has extensive experience working with the special operations community told Military Times that the Signal app was “very secure” with no known bugs.
He explained that the 82nd Airborne’s reliance on the app for government cell communications wasn’t necessarily an indication that the DoD was behind the curve on protecting cellphone security for deployed troops. The former intelligence operator said he believed the DoD was just being lazy.
“Unfortunately, those apps are more secure than texting in the clear, which is more or less the alternative. Granted, if a hostile party has access to the handset, that encryption isn’t particularly helpful,” a former U.S. defense official told Military Times.
The former U.S. defense official, who spoke to Military Times on condition of anonymity because he was not authorized to speak on the record, said the DoD should use commercial applications as long as they are tested and meet security requirements.
“I don’t have confidence that DoD could build a unique texting system with proper security protocols that would beat any commercial, off the shelf, version,” the former official said.
With regards to transparency and records keeping requirements, Foote said he “cannot confirm if any personnel have Signal or Wickr settings which allow auto-delete of messages at this time.”
Military Times has not been able to confirm if Signal and Wickr have been audited for security flaws and vulnerabilities by the DoD.
Officials from Signal and Wickr did not immediately respond to requests for comment.