In September 2023, financial behemoth Goldman Sachs fired several top executives for violating the firm’s communications policy. Wall Street bankers are not allowed to use “off-channel” communications—like text messaging or WhatsApp—for work functions because government regulators require banks to keep careful records of business-related communications. Off-channel communications are also notoriously insecure.1
The rules make sense. How else could regulators ensure that financial actors are acting legally? How else could firms keep track of their employees’ conduct? How else could the banks safeguard their clients’ private data, curtail insider trading, and fend off hackers?
In an era of advanced information warfare, sophisticated adversaries in a military setting will not hesitate to exploit fragile communication systems. There are two basic reasons to consolidate all military communications into formal, on-channel methods: accountability and security. Nevertheless, substantial numbers of service members rely on personal channels for official military business. This fact would repulse the average Wall Street regulator but has yet to do so in the U.S. military.
Accountability Requires Monitoring
It is impossible to maintain an adequate level of professionalism and ethics without proper accountability. While these high standards are not unique to the military, the stakes are higher in the military than in most other organizations. Of note, the Navy ethos emphasizes professionalism, integrity, respect, leadership, discipline, commitment, and accountability.
On-channel communications are a solution to simplify compliance and recordkeeping (together, monitoring), the necessary structural tools that establish a culture of accountability. Monitoring creates conditions for consistent good behavior by setting standards and providing evidence about whether those standards are being met. It is an unfortunate but indisputable fact that people behave worse when they think that they will not be held to account. Anonymized online contexts are a popular example of this problem.2 But the problem is really about accountability, not anonymity: Whether or not online trolls use their real names, they do not believe they will be held responsible for their conduct.3
Compliance refers to adherence to a set of predefined standards and protocols. For military communications, this includes encryption standards, classification protocols, and using approved devices or channels. Noncompliance is more than deviation; breaches of protocol can put the entire system at risk. Recordkeeping, on the other hand, is the process of documenting communications so they are secure and retrievable. Records to document compliance or noncompliance are a deterrent against bad behavior and are used as evidence during investigations.
Monitoring may sound boringly bureaucratic or vaguely Orwellian, but civilian employees routinely submit to employer monitoring when they engage in their work. Most people understand that emails and browsing history on a work laptop are not as private as on a personal device. In the financial sector, whole bodies of law are dedicated to disclosure and recordkeeping, and they were made especially stringent after the 2001 Enron scandal and 2008 subprime mortgage crisis. Government employees are also subject to robust monitoring because the government is accountable to the American people.
The military is also democratically accountable to everyday Americans, who deserve to know what their military is doing. Yet, military communications are too often trafficked through untracked and insecure messaging systems. These monitoring failures can be disastrous in battlefield contexts.
Information Security Requires Information Control
On-channel communications improve the protection of sensitive information, the detection of cyberattacks, and the ability to thwart insider attacks. The U.S. military is the custodian of vast amounts of sensitive information, from service members’ health records to detailed tactical plans to nuclear launch codes. Yet, countless service members primarily communicate at the unclassified level with their ships and squadrons using the same basic mobile apps that any civilian might use, such as WhatsApp, Slack, Signal, GroupMe, or iMessage.4 Frequently, service members use a combination to perform their routine tasks.
While not classified, these communications about normal work-related activities are being transmitted off-channel in a way that puts operational movements and personal data at risk. While one might have great faith in Signal’s sophisticated encryption, the U.S. military should have the final word on how its messages are secured and transmitted, not Signal. This poses a serious control problem. The only way the government can guarantee the protection of sensitive military information is to be the entity responsible for protecting it.
Meanwhile, the best cyberwarriors are experts at concealment. The SolarWinds hack, for instance, broadly affected federal government networks without detection for months.5 Russian hackers were able to hide in plain sight, making it difficult to stop the attack before it escalated.6 When information is sent via off-channel systems, however, there is no way to internally check the underlying system to certify its security controls.
But outside attacks are not the only problem with off-channel communications. From an Army major who killed 13 at Fort Hood in 2009 to a neo-Nazi private first class who disseminated information about bomb construction on social media in 2019, insiders pose a significant threat.7 Insiders are authorized to access sensitive military systems, and they can commit espionage, destroy data, and spread sensitive information through off-channel platforms. Furthermore, domestic extremists in the military often use off-channel platforms to recruit and radicalize others without having to convince them to move to a prohibited platform.
The most important objective of on-channel communications is not rooting out insider threats, however, but avoiding inadvertent insider negligence. Most service members who use off-channel communication platforms are not doing it because they are trying to sabotage their missions. Rather, they are on those platforms precisely because they want to perform their missions well, and they need an efficient and effective platform for communicating with their units.
Addressing the Reality of Off-Channel Communications
Robust monitoring should be the norm for all military communications, even unclassified information. From an aviator’s radio calls to a sailor’s informal message about his work tasks for the day, operators should assume their words are being monitored. Suspicious or alarming messages should be flagged as irregular and investigated. This might sound drastic, but countless firms already do this. Moreover, a service member’s purely private communications should not be accessed unless an investigation into bad behavior is already underway. The goal of monitoring is not to invade a service member’s privacy. Indeed, one of the chief advantages to separating personal communication channels from professional channels is the ability to monitor the professional channels while ignoring the private ones.
Service members should be able to email from their phones. Email is indispensable to every professional organization. Sailors should be able to check their inboxes and send work emails from personal devices. Service members who can email when they are not at their desks will be more efficient, responsive, and effective.
A secure messaging platform should be developed for all nonclassified information. The military should have its own version of Signal, WhatsApp, or Slack that everyone uses. In 2016, the Defense Advanced Research Projects Agency launched a project to develop a secure messaging platform using blockchain technology.8 In 2022, the Department of Defense said that it was in the “final stages of testing” secure messaging solutions that would be accessible on service members’ phones.9 It is now 2024, and no such service is available. This must be a top priority, or service members will continue to use off-channel solutions that are impossible to monitor and secure.
While a single platform may present a centralized target, robust security measures and continuous monitoring can minimize risks. In fact, it will likely be easier to secure a centralized platform because resources can be focused on one system. While those concerned that a centralized system will be insecure emphasize external risks, they disregard or deemphasize internal ones.
Although the technological challenge is real, the military does not need to build this technology from scratch. Indeed, the problem is not innovation—messaging and email can no longer be considered innovative—but implementation. Fortunately, implementation is easier to tackle than innovation, and there is no excuse to ignore the pressing problem of off-channel communications.
Convenient On-Channel Communications
Rolling out on-channel platforms will not thwart all bad behavior, and the technical challenge of implementing these recommendations is formidable. No doubt, some sailors will still use personal channels to discuss official military business. But the mere existence of a centralized platform for communication will vastly reduce the amount of off-channel messaging. Most sailors will not divulge sensitive information on unofficial channels if they have an official option, and those who do should be disciplined. Dismissing the need for a secure on-channel solution because a few bad actors may circumvent that system would do more harm than good.
The private sector has relied on email and secure internal messaging systems for decades. It is fast, efficient, secure, and ensures accountability. The regulated financial industry is a convenient example because the stakes are high in finance: Trillions of dollars in confidential transactions that materially affect the lives and livelihoods of millions of Americans is no small matter. Yet, bankers can rely on email and encrypted messaging systems to relay private, deal-related information with billions of dollars at stake every day.
If a Wall Street executive wants to let her team know the agenda for the next day’s meeting, she does not text or send a WhatsApp chat. She sends an email. If junior bankers want to send calendar details about their group’s holiday party, they will send emails, not Signal messages. Bankers also use internal messaging systems to discuss deal-related information on an ad hoc basis. The military should be no different.
In the 21st century, service members should be able to reach into their pockets and send emails to their commanding officers on a channel the military can monitor and record. Military leaders must accept there is no perfectly secure system, but perfection cannot be the enemy of good enough when it comes to how servicemembers transmit digital information. The trade-off is between the unsecure personal channels being used today and the formal channels that must be widely adopted. Postpone the solution any longer and the military will fall further behind in the rapidly evolving information landscape.
1. Jeff Bell, “Tips for Texting without Compromising Your Privacy and Security,” Forbes, 24 November 2021.
2. Joel Stein, “Why We’re Losing the Internet to the Culture of Hate,” Time, 29 August 2016.
3. Michael J. Coren, “Internet Trolls Are Even More Hostile When They’re Using Their Real Names, a Study Finds,” Quartz, 27 July 2016.
4. Jack Murphy, “Troops Use Signal for Deployment Planning and Rapid Reaction Call Outs, But It Is Also against DoD Regulations,” Audacy, 12 January 2023; Tim Cushing, “Because the Defense Department’s Secure Communications Options Don’t Work for Everyone, Soldiers Are Turning to Signal and Whatsapp,” Techdirt, 28 January 2022; and Billy Mitchell, “Military Personnel Used Banned Apps on DoD-Issued Mobile Devices, IG Found,”
DefenseScoop, 10 February 2023.
5. Sue Halpern, “After the SolarWinds Attack, We Have No Idea What Cyber Dangers We Face,” The New Yorker, 25 January 2021.
6. Dina Temple-Raston, “A ‘Worst Nightmare’ Cyberattack: The Untold Story of the Solar Winds Hack,” NPR.org, 16 April 2021.
7. Kyle Rempfer, “The Mass Shooting at Fort Hood Was 10 Years Ago, on Nov. 5, 2009,” Army Times, 5 November 2019; and John Hanna, “’Satanist’ Ex-Soldier Sentenced to 2 ½ Years in Bomb Plot,” Army Times, 19 August 2020.
8. Mohit Kumar, “DARPA Wants to Build Ultra Secure Messaging App for U.S. Military,” The Hacker News, 24 April 2016.
9. Cushing, “Because the Defense Department’s Secure Communications Options.”