The ‘Signalgate’ inspector general’s report calls for just one change to prevent the failure from happening again

A United States An inspector general’s report made public today found that Defense Secretary Pete Hegseth could have put U.S. forces and military operations at risk by using the consumer messaging service Signal to share sensitive, real-time details in March about a planned attack on Houthi rebels in Yemen. The IG first shared the classified report with Congress on Tuesday.

The report contains only one direct recommendation: that the head of US Central Command’s Office of Special Security “review the command’s classification procedures for compliance” with DoD regulations and, if necessary, “issue additional procedures to ensure the proper marking of classified information.” The report also cites another IG release on the use of “electronic messaging systems not controlled by the Department of Defense” and its recommendation that the Department of Defense “improve training for senior DoD officials on the proper use of electronic devices.”

The incident the inspector general was investigating is called SignalGate, because senior US officials used the platform for communications that would normally have gone through secure government channels. Most notably, Michael Waltz, the US national security adviser at the time, accidentally invited journalist Jeffrey Goldberg, editor-in-chief of The Atlantic, to the signal conversation as well. Goldberg subsequently publicized the existence of the chat and its mistaken inclusion—which revealed in real time some of the dangers of using a consumer app for top-secret government and military jobs. Meanwhile, in addition to very specific information about the attack, including details like when the bomb was dropped, Hexett at one point tweeted, “We’re clear on opsec right now,” referring to the security of the operation.

The IG report notes that Hegseth is the “primary authority on classification within the Department of Defense” and thus decides what information should be classified and whether to classify information.

“We concluded that the Secretary transmitted sensitive, non-public, operational information that we determined did not need to be classified via Signal Chat on his personal cell phone,” the IG wrote in the report. “However, because the Secretary indicated that he used the Signal application on his personal cell phone to send nonpublic DOD information, we conclude that the Secretary’s actions did not comply with DoD Directive 8170.01, which prohibits the use of a personal device for official business and the use of an unauthorized commercially available messaging application to send nonpublic information.”

The report states that Hexett “was not interviewed” for the inspector general’s report and instead provided a written statement about the events of Signalgate. The Defense Department did not immediately respond to WIRED’s request for comment.

Signal is the gold standard secure messaging app for consumer use. It encrypts messages and calls end-to-end so that only the sender and receiver can access them, not outside eavesdroppers or even the signal itself. And Signal also collects very little metadata, so the company knows next to nothing about its users and has nothing to hand over if it receives requests from law enforcement. No matter how great the signal, the “threat model” used by individual consumers differs from that of high-ranking government and military officials.