Thursday, April 24, 2025

After Action Report: OPSEC25 vs Signalgate-- When Cyberspace Collides

HEADQUARTERS
1st MarDiv (Rein), FMF Pac
San Francisco, CA  90000

From:      Commanding Officer, 27th Marine Regt. (Rein)
To:           Commanding General, 1st Marine Division (Rein)
Subj:         Security Breach: Signal Group Chat, March 2025
 
Ref: (a) DivO 5750.2B

CLASSIFIED

DISTRIBUTION: "Special": S&C (2); Div (8)

After Action Report:  
OPSEC25 vs. Signalgate--When Cyberspace Collides 

1. Introduction 
        a.  In March 2025, the world witnessed a major operational security (OPSEC) failure at the highest levels of U.S. government. Dubbed "Signalgate," the incident saw operational details of pending U.S. airstrikes shared in a Signal group chat to which a journalist had been added by mistake, sparking a global debate about the intersection of technology, human error, and the enduring importance of OPSEC in the digital age.
        b.  This report explores the collision between OPSEC principles and the realities of modern encrypted communication platforms, drawing lessons for both public and private sector leaders.

SECTION A     OPSEC 2025
SECTION B     SIGNALGATE
SECTION C     OPSEC VS SIGNALGATE
SECTION D     SUPPORTING DOCUMENTS 

SECTION A.  OPSEC 2025

PART I  ORGANIZATIONAL DATA (* incomplete)

1.  Sponsors. The Congressional Record entry reproduced in SECTION D shows that S. 1263 was introduced by Sen. Charles Schumer [D-NY] for himself, Sen. Adam Schiff [D-CA] and Sen. Andy Kim [D-NJ], and referred to the Committee on Homeland Security and Governmental Affairs.
        a. Other OPSEC- and security-related bills in the 119th Congress have been sponsored by Senators Cynthia Lummis [R-WY] (SB238), Ted Budd [R-NC], Thom Tillis [R-NC], Pete Ricketts [R-NE], Rick Scott [R-FL], and Tim Sheehy [R-MT].
        b. Full text of the Record entry:  See: SECTION D SUPPORTING DOCUMENTS.

PART II  NARRATIVE SUMMARY

1.  Background on OPSEC 2025 Legislation
        a.  Operations Security (OPSEC) refers to measures taken by organizations, particularly within the U.S. government, to protect sensitive information and critical assets from adversaries. 
        b.  The National Operations Security Program (NOP), guided by National Security Presidential Memorandum 28 (NSPM-28), requires all Executive Branch agencies to implement OPSEC programs that identify and protect critical assets, mitigate vulnerabilities, and counter foreign threats.

2.  The Bill: Operational Security Act of 2025
        a.  Bill Title: Operational Security Act of 2025 (S. 1263)
        b.  Purpose: To establish the Office of Security Training and Counterintelligence within the Executive Office of the President and for other related purposes.
        c.  Key Provisions:
                    (1)  Creation of a dedicated office to oversee security training and counterintelligence efforts at the highest executive level.
                    (2)  Aims to standardize and strengthen OPSEC programs across federal agencies, in line with the requirements of NSPM-28.
        
PART III   CHRONOLOGY OF SIGNIFICANT EVENTS

1.    The Operational Security Act of 2025 (S. 1263) was introduced on April 2, 2025, and referred to the Senate Committee on Homeland Security and Governmental Affairs for consideration.

2.    It is part of a broader legislative trend in 2025 to enhance U.S. defense and security measures, as reflected in the National Defense Authorization Act (NDAA) for FY2025, which passed with strong bipartisan support and directs investments in cyber intelligence, operations security, and counterintelligence capabilities.
        a. The push for enhanced OPSEC in 2025 is closely tied to ongoing national security concerns, particularly in cyberspace, and to efforts to standardize and strengthen security practices across the federal government.

PART IV   SEQUENTIAL LISTING OF SIGNIFICANT ASPECTS 

1.  Identification of Critical Information

        a.  The first step is to identify what constitutes critical information—specific facts about friendly intentions, capabilities, and activities that, if obtained by adversaries, could be detrimental to operations.


2.  Analysis of Threats

        a.  Assess potential adversaries by examining their capabilities, intentions, and historical patterns. 

                    (1)  Gather intelligence on how adversaries might exploit vulnerabilities, for example through electronic surveillance, compromise of personal devices, or social engineering.


3.  Analysis of Vulnerabilities

        a.  Identify weaknesses in operations, processes, or behaviors that could lead to the exposure of critical information. 

                    (1)  This includes both technical vulnerabilities (e.g., unsecured networks, unmanaged personal devices) and human factors (e.g., predictable routines or careless data handling).


4.  Assessment of Risks

        a.  Evaluate the likelihood and impact of specific threats exploiting identified vulnerabilities. 

                    (1)  Prioritize which vulnerabilities require the most attention and resources for mitigation.


5.  Application of Countermeasures

        a.  Implement proportional and actionable security measures to mitigate identified risks.                         

                    (1)  Countermeasures should be tailored to the operational context and may include technical solutions (encryption, secure communications), behavioral changes (altering routines, training), and layered defenses (defense in depth).


6.  Continuous Monitoring and Adaptation

        a.  OPSEC is an ongoing process. 

                    (1)  Continuously monitor for new threats, reassess vulnerabilities, and adapt countermeasures as adversary tactics and the operational environment evolve.

                    (2)  This ensures long-term protection and resilience.


7.  Integration of Human Behavior

        a.  Recognize that human behavior is often the weakest link in security. 

                    (1)  Regular training, awareness programs, and fostering a culture of security-mindedness are essential to minimize risks from insider threats and social engineering.


8.  Redundancy and Flexibility

        a.  Employ multiple, overlapping security measures so that if one layer fails, others remain effective. 

                    (1)  This redundancy is crucial for adapting to new or unforeseen threats, especially from sophisticated adversaries.


9.  Context-Driven Approach

        a.  Unlike rigid, rule-based frameworks, OPSEC adapts to the specific operational context, considering the value of information, the nature of adversaries, and the unique risk environment.
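The first five steps above (identify critical information, analyze threats, analyze vulnerabilities, assess risk, apply countermeasures) can be run as a small scoring exercise. The following Python is an added example written for this report; it is not the National OPSEC Program's method and not code from any agency. The 1-5 scales, the risk formula (threat capability x exposure x impact), the sample vulnerabilities patterned on the Signalgate findings in SECTION B, and the countermeasure costs are all constructed assumptions.

```python
"""OPSEC risk assessment and countermeasure prioritization (steps 1-5).

Added example for this report; not code from the National OPSEC Program
or any agency. The 1-5 scales, the sample vulnerabilities and the
countermeasures are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Vulnerability:
    critical_info: str        # step 1: what must be protected
    weakness: str             # step 3: how it could leak
    threat_capability: int    # step 2: adversary ability to exploit, 1-5
    exposure: int             # step 3: how exposed the weakness is, 1-5
    impact: int               # step 4: consequence if exploited, 1-5

    def risk(self, exposure: Optional[int] = None) -> int:
        """Step 4: likelihood (capability x exposure) times impact, 1-125."""
        e = self.exposure if exposure is None else exposure
        return self.threat_capability * e * self.impact


@dataclass(frozen=True)
class Countermeasure:
    name: str
    mitigates: frozenset        # weaknesses this measure addresses
    exposure_reduction: int     # points removed from exposure (floor 1)
    cost: int                   # relative effort, arbitrary units


def residual_risk(v: Vulnerability, applied: List[Countermeasure]) -> int:
    """Risk remaining after the applied countermeasures reduce exposure."""
    exposure = v.exposure
    for cm in applied:
        if v.weakness in cm.mitigates:
            exposure = max(1, exposure - cm.exposure_reduction)
    return v.risk(exposure)


def total_risk(vulns: List[Vulnerability], applied: List[Countermeasure]) -> int:
    return sum(residual_risk(v, applied) for v in vulns)


def prioritize(vulns: List[Vulnerability]) -> List[Vulnerability]:
    """Step 4 output: vulnerabilities ordered by inherent risk, highest first."""
    return sorted(vulns, key=lambda v: v.risk(), reverse=True)


def select_countermeasures(vulns, options, budget: int) -> List[Countermeasure]:
    """Step 5: greedily take the measure with the best risk reduction per unit
    of cost until the budget is spent. Greedy is not optimal (see note)."""
    chosen, remaining = [], list(options)
    while remaining:
        base = total_risk(vulns, chosen)
        best, best_ratio = None, 0.0
        for cm in remaining:
            if cm.cost > budget:
                continue
            ratio = (base - total_risk(vulns, chosen + [cm])) / cm.cost
            if ratio > best_ratio:
                best, best_ratio = cm, ratio
        if best is None:
            break
        chosen.append(best)
        remaining.remove(best)
        budget -= best.cost
    return chosen


# Constructed sample, loosely patterned on the Signalgate findings in Section B.
SAMPLE_VULNS = [
    Vulnerability("strike timeline and weapon packages",
                  "planning traffic on an unapproved app and personal devices", 5, 4, 5),
    Vulnerability("strike timeline and weapon packages",
                  "group membership not verified", 3, 4, 5),
    Vulnerability("official records", "disappearing messages enabled", 2, 5, 3),
    Vulnerability("staff contact details and schedules",
                  "public payment-app social graph", 4, 3, 2),
]

SAMPLE_MEASURES = [
    Countermeasure("move planning traffic to approved classified systems",
                   frozenset({"planning traffic on an unapproved app and personal devices"}), 3, 4),
    Countermeasure("verify every member by identity key before sending",
                   frozenset({"group membership not verified"}), 3, 2),
    Countermeasure("disable disappearing messages and archive to the records system",
                   frozenset({"disappearing messages enabled"}), 4, 1),
    Countermeasure("lock down payment-app and social profiles",
                   frozenset({"public payment-app social graph"}), 2, 1),
    Countermeasure("annual OPSEC awareness briefing",
                   frozenset({"group membership not verified", "public payment-app social graph"}), 1, 1),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE_VULNS):
        print(f"{v.risk():3d}  {v.critical_info}: {v.weakness}")
    plan = select_countermeasures(SAMPLE_VULNS, SAMPLE_MEASURES, budget=7)
    print("plan:", [cm.name for cm in plan])
    print("risk before/after:", total_risk(SAMPLE_VULNS, []), total_risk(SAMPLE_VULNS, plan))
```

Running it ranks the unapproved-app/personal-device weakness highest and, with a budget of 7, funds the records fix, the cheap awareness briefing, the move to approved systems, and the profile lockdown, cutting the total score from 214 to 84. The greedy choice also exposes a known weakness of cost-ratio prioritization: the briefing, which only shaves a point off two exposures, is funded before the targeted identity-verification control, the one measure that would have stopped the mistaken addition described in SECTION B. Step 6 (continuous monitoring) is the corrective: re-score after each incident and revisit the deferred measure.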


PART V     CIVIL AFFAIRS


     Civil Affairs (CA) plays a critical role in modern military operations, especially as the Army adapts to multi-domain operations and increasingly complex environments through 2025 and beyond. The intersection of Civil Affairs and Operations Security (OPSEC) is essential to mission success and force protection.

1.  Key Civil Affairs Functions Relevant to OPSEC

        a.   Population Engagement and Information Gathering: 

                    (1)   CA teams are tasked with understanding and influencing the civil component of the operational environment. 

                    (2)   This includes identifying key infrastructure, medical resources, and working with non-governmental agencies, which often requires handling sensitive information that, if disclosed, could compromise operational security.

        b.   Coordination with Partners: 

                    (1)   CA teams regularly work with joint, interagency, intergovernmental, and multinational partners. This collaboration increases the risk of inadvertent disclosure of critical information, making robust OPSEC practices vital.

        c.   Persistent Presence and Relationship Building: 

                    (1)  CA forces often physically visit areas of potential future operations to assess civil conditions and establish relationships. 

                    (2)   These activities require careful OPSEC measures to prevent adversaries from deducing operational intentions or timelines.

        d.   Support to Large Scale Combat Operations: 

                    (1)  During combat, CA teams accompany lead combat units to help distinguish between friendly, neutral, and threat elements within the civil population, requiring strict control over sensitive information to avoid exploitation by adversaries.


2.  OPSEC Considerations for Civil Affairs in 2025

        a.  Protection of Sensitive Civil Information: 

                    (1)  CA teams routinely handle data on local populations, infrastructure, and partner organizations. 

                    (2)  OPSEC protocols must ensure this information is protected from adversaries who could use it to disrupt operations or target vulnerable groups.

        b.  Risk of Information Leakage: 

                    (1)  The broad engagement with civilian and partner networks increases the risk of unintentional information leaks. CA personnel must be trained to recognize and mitigate OPSEC vulnerabilities during all phases of interaction.

        c.  Integration into Planning and Execution: 

                    (1)  CA operations are now fully integrated into the planning and execution of military missions, including unconventional warfare and foreign internal defense. 

                    (2)  This integration requires continuous OPSEC assessments to adapt to changing threats and environments.

        d.  Training and Doctrine Updates: 

                    (1)  As CA doctrine evolves for 2025 and beyond, OPSEC is embedded in new training tasks, courses, and operational procedures to address the unique challenges of operating in politically sensitive and information-rich environments.


SECTION B. SIGNALGATE

PART I ORGANIZATIONAL DATA

1. Signal Group Chat: 
          a.  Vice President JD Vance, Secretary of Defense Pete Hegseth, Secretary of State Marco Rubio, National Security Advisor Michael Waltz, Director of National Intelligence Tulsi Gabbard, CIA Director John Ratcliffe, White House Chief of Staff Susie Wiles, Deputy White House Chief of Staff Stephen Miller, U.S. Special Envoy to the Middle East Steve Witkoff, among others.
          b.  National Security Advisor Waltz mistakenly added journalist Jeffrey Goldberg (The Atlantic) after Goldberg's number had been saved in his contacts under another official's name (see PART II).

2. Congressional Hearings and Participants
          a.  Senate Armed Services Committee:  Chair: Roger Wicker (R-MS); Ranking Member: Jack Reed (D-RI).
          b.  Senate Foreign Relations Committee:  Member: Chris Murphy (D-CT).
          c.  Senate Intelligence Committee:  Ranking Member: Mark Warner (D-VA).
          d.  Notable Senators: Richard Blumenthal (D-CT); John Cornyn (R-TX); Chuck Schumer (D-NY).

3. Witnesses
          a. CIA Director John Ratcliffe; DNI Tulsi Gabbard; Pentagon officials (unspecified).

PART II NARRATIVE SUMMARY

1. The Signal group chat compromise (dubbed Signalgate) emerged as a major national security scandal in March 2025 after sensitive discussions about U.S. military operations against Yemen's Houthi rebels were inadvertently exposed. National Security Advisor Michael Waltz accidentally added Jeffrey Goldberg, editor-in-chief of The Atlantic, to a Signal group chat titled "Houthi PC small group."

2.  Key events and revelations
          a.  Leaked content: Secretary of Defense Pete Hegseth shared operational details of impending airstrikes, including aircraft types, missile specifications, attack timelines, and post-strike assessments.
          b.  CIA Director John Ratcliffe named a CIA officer (The Atlantic withheld the name at the agency's request), while Vance and Hegseth disparaged European allies.
          c.  Security failures: An internal White House review attributed Waltz's error to a contact list mix-up: Goldberg's number had been saved under NSC spokesman Brian Hughes' name. 
          d.  Subsequent reporting revealed Waltz’s team routinely used Signal for official coordination on Ukraine, China, Gaza, and other sensitive matters.

3.  Broader vulnerabilities
          a.  Hegseth participated in a separate "Defense | Team Huddle" chat with family members and non-cleared individuals, discussing strike timelines.
          b.  NSC members conducted government business via personal Gmail accounts and shared schedules over Signal.
          c.  Private contact details and passwords for officials were discoverable online, and Waltz’s public Venmo account revealed NSC staff connections.

4.  Official responses
          a.  The administration insisted no classified information was shared, with Trump stating, “It wasn’t classified.”
          b.  Security experts countered that operational details such as attack timing and weapon packages are protected by default, whether or not a formal classification marking was applied.
          c.  An internal White House review confirmed the contact error but downplayed the security risk, while watchdog groups sued to preserve the chat records under federal records law.

5. Implications
          a.  The leak exposed systemic use of a consumer encrypted platform for sensitive discussions, circumventing federal record-keeping laws and giving adversaries an opening that approved systems are designed to close. 
          b.  Debates centered on whether this reflected negligence or intentional efforts to evade oversight.

PART III  CHRONOLOGY OF SIGNIFICANT EVENTS

1.  March 11–15, 2025:
          a.  The "Houthi PC small group" Signal chat is active, involving U.S. national security leaders planning military strikes against Houthi targets in Yemen. 
          
2.  March 13 (Thursday):
          a. At 4:28 p.m. EDT, Jeffrey Goldberg (editor-in-chief of The Atlantic) is mistakenly added to the Signal group by Waltz, who had saved Goldberg’s contact under NSC spokesman Brian Hughes’ name.
          b.   The group is configured to auto-delete messages, first after one week and later after four weeks.

3.  March 14 (Friday):
          a.  Policy discussions begin at 8:05 a.m. EDT, focusing on strike strategies and coordination among senior officials.

4. March 15 (Saturday):
          a.  Hegseth shares operational details (whose classification status the administration later disputed), including aircraft types (F-18s, MQ-9 drones), missile systems (Tomahawks), and strike timelines (a 1:45 p.m. EDT first-strike window).
          b.  Goldberg confirms strikes via social media reports from Sanaa, Yemen, after seeing real-time updates in the chat.
          c.  Participants exchange congratulatory messages post-strike, including emojis and praise for Hegseth’s team.

5.  March 16 (Sunday):
          a.  Goldberg exits the chat, triggering a notification to members. He later contacts Waltz and others for clarification.

6.  March 24:
          a.  Goldberg publishes a partially redacted transcript in The Atlantic, verified by NSC spokesman Brian Hughes. 
          b.  The administration disputes claims of classified material being shared.

7. March 25-30:
          a.  March 26: The Atlantic publishes the full March 15 chat log, withholding only the name of a CIA officer at the agency's request.
          b.  Senate and House intelligence committees question officials about the leak during hearings.
          c.  Der Spiegel reports discovering private contact details and passwords of group members online, including Hegseth and Waltz.
          d.  Wired reveals Waltz's public Venmo account, linked to NSC staffers, raising security concerns.
          e.  The Wall Street Journal reports Waltz hosted additional Signal chats on Somalia and Ukraine.

8. April 2025:
          a.  The Washington Post reveals NSC members, including Waltz, used personal Gmail accounts for government business.
          b.  Politico details Waltz’s use of Signal for official work on Ukraine, China, and Middle East policy.
          c.  The New York Times reports that Hegseth shared strike details in a separate Signal group ("Defense | Team Huddle") with family members and others.

PART IV SEQUENTIAL LISTING OF TECHNICAL ASPECTS

1. Platform Selection
          a.  Signal was used despite being a publicly available consumer messaging app that is not an approved system for classified or sensitive operational communications.
          b.  Its end-to-end encryption protects message content in transit, but it does nothing against screenshots, a compromised or unlocked endpoint, or an attacker-controlled linked device, and it provides no assurance about who is in the group.

2. Group Configuration
          a.  Auto-delete settings: Messages were configured to erase automatically (after one week, later four weeks), raising concerns about federal records preservation violations.
          b.  Group membership: The chat had 18 participants, one of whom, added on the strength of a contact-list name, was a journalist with no clearance; the separate chats reported later mixed officials with family members and other non-cleared individuals.

3. Security Vulnerabilities
          a.  Device risks: Use of personal phones (vs. government-issued devices) created exposure to compromise, especially given the Russia-aligned phishing campaigns against Signal's linked-device feature that Google's threat intelligence group publicly documented in February 2025.
          b.  Identity verification: Membership was established from a contact-list display name rather than a verified identity, which is how National Security Advisor Mike Waltz added a journalist by mistake.
          c.  Account linkages: Publicly visible Venmo connections and exposed passwords and contact details created secondary attack vectors for phishing and account takeover.

4. Information Shared
          a.  Operational specifics: Defense Secretary Pete Hegseth disclosed exact strike times ("1215 ET: F-18s LAUNCH"), weapon systems (MQ-9 drones, Tomahawks), and target status in real time.
          b.  Sensitive references: Included the name of a CIA officer and candid diplomatic discussions about allies.

5. Technical Oversights
          a.  BYOD (Bring Your Own Device): Officials like Tulsi Gabbard refused to disclose whether they used personal or government phones during congressional hearings.
          b.  Cross-platform leakage: NSC members copied schedules into Signal and used personal Gmail accounts for government business.

 6. Secondary Chats
          a.  A separate "Defense | Team Huddle" group included Hegseth's family members and shared strike windows via the same unapproved platform.

  7. Exploit Potential
          a.  Security experts warned that an adversary who links a companion device to any member's account, whether through brief physical access or by tricking the member into scanning a malicious linking QR code, receives every subsequent message in real time.
          b.  This technical profile highlights systemic failures in secure communication protocols within high-level national security operations.

PART V CIVIL AFFAIRS

1.  Legal Implications
          a.  Espionage Act Violations: 
                         (1)  Experts argue that sharing sensitive operational details (e.g., strike timing, weapon systems) via Signal, an unapproved platform, could violate the Espionage Act. 
                         (2)  Legal analysts note that such disclosures might meet the statute's standard for grossly negligent handling of national defense information.
          b.  Federal Records Act Compliance: 
                         (1) The chat was configured to auto-delete messages, potentially breaching laws requiring preservation of official communications. This mirrors criticisms faced by Hillary Clinton’s email practices, with Trump officials now accused of similar hypocrisy.
          c.  Unauthorized Disclosure: 
                         (1)  Including journalist Jeffrey Goldberg in the chat, even inadvertently, risks violating laws against sharing classified information with unauthorized individuals.

2.  Political Fallout
          a.  Hypocrisy Allegations: 
                         (1)  Officials like Defense Secretary Pete Hegseth, who previously criticized Clinton’s email use, faced accusations of double standards. Democrats highlighted this contrast.
          b.  Congressional Scrutiny: 
                         (1)  Senate and House Intelligence Committees held hearings to investigate the leak. Senators demanded full transparency, with Mark Warner (D-VA) challenging officials to release unredacted transcripts.
          c.  International Trust Erosion: 
                         (1)  Allies like Canada’s Prime Minister Mark Carney expressed concerns over compromised intelligence-sharing trust, particularly among Five Eyes partners.

3.  Operational Security Risks
          a.  Troop Endangerment: 
                         (1)  Experts warned that leaked details (e.g., missile types, strike timelines) could jeopardize missions and personnel. 
                         (2)  Such disclosures, if made by a service member, could well result in court-martial.
          b.  Platform Vulnerabilities: 
                         (1)  The National Security Agency had warned its workforce in February 2025 that Signal's linked-device feature was being targeted by phishing, raising questions about the administration's choice of communication tools.

4.  Administrative Response
          a.  White House Review: 
                         (1) The administration initiated a review of Signal’s use, with officials noting its widespread adoption might soon end.
          b.  Deflections and Denials: 
                         (1)  Hegseth denied sharing "war plans," while the White House insisted no classified material was disclosed. Legal experts dismissed these claims as "political spin."
          c.  Internal Accountability: 
                         (1)  National Security Advisor Mike Waltz took responsibility for mistakenly adding Goldberg, citing a contact list error.

5.  Public and Military Sentiment
          a.  Service Member Criticism: 
                         (1)  Military personnel expressed frustration over leadership’s lax security practices, contrasting them with strict standards enforced for lower-ranking troops.

SECTION C     OPSEC VS SIGNALGATE

     In Signalgate, the failure was not Signal's encryption but the absence of procedural safeguards: a participant was added on the strength of a contact-list name with no identity verification, and operational details were shared from personal devices on a platform not approved for that traffic.

1.  The Human Factor: Where OPSEC and Signal Collide

        a.  Root Cause Analysis

                    (1)  The breach was not a cryptographic flaw but a breakdown in operational discipline and verification.

                    (2)  Officials trusted the group's membership implicitly, never confirming that the person behind each contact name was who it appeared to be, a failure mode familiar from corporate incidents where a display name is accepted as proof of identity.

                    (3)  The use of disappearing messages and personal devices also circumvented official records, raising legal and accountability concerns.


2.  Wider Implications and Lessons Learned

        a.  For Governments and Enterprises

                    (1)  Technology is not a substitute for discipline: secure apps are only as effective as the policies and practices governing their use.

                    (2)  Identity verification is critical: every participant in sensitive communications must be verified, and group membership should be tightly controlled.

                    (3)  Device security matters: even with encrypted apps, compromised or unlocked devices remain a major risk vector.

                    (4)  Records preservation and accountability: using ephemeral messaging for official business can undermine transparency and legal compliance.
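The lessons above, together with the technical aspects in SECTION B PART IV (unverified membership, personal devices, disappearing messages, linked devices), reduce to checks a sending client could enforce before sensitive traffic goes out. The following Python is an added example written for this report; it is not Signal's code and not any agency's tooling. It assumes an authoritative roster of cleared people with their phone numbers and identity-key fingerprints verified out of band (in Signal, that is the safety-number comparison), a per-member managed-device flag, and a records-retention limit on the message timer; the roster, numbers, names and fingerprints are all constructed.

```python
"""Pre-send policy check for a sensitive group chat.

Added example for this report; not Signal's code and not any agency's
tooling. It models the controls Section C says were missing: members
verified by cryptographic identity rather than by the sender's contact-list
display name, managed devices only, and a message timer compatible with
records retention. Real Signal safety numbers are derived from both
parties' identity keys and compared out of band; here each account simply
carries a fingerprint string of its identity key (a simplification assumed
for the example). All numbers, names and fingerprints are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ClearedIdentity:
    """Roster entry from an authoritative source (assumed: a personnel system),
    recorded after the fingerprint was verified in person or out of band."""
    name: str
    number: str
    fingerprint: str


@dataclass(frozen=True)
class Member:
    """A group member as the sender's app presents it."""
    number: str
    display_name: str      # from the sender's own contact list: not an identity claim
    fingerprint: str       # identity-key fingerprint the app currently holds for the number
    managed_device: bool   # enrolled government device vs. personal phone


@dataclass(frozen=True)
class GroupState:
    title: str
    members: Tuple[Member, ...]
    disappearing_seconds: int   # 0 = timer off


def check_group(group: GroupState, roster: Tuple[ClearedIdentity, ...],
                max_timer_seconds: int = 0) -> List[str]:
    """Return policy violations; an empty list means the group may carry
    sensitive traffic. Identity is decided by number plus verified fingerprint,
    never by whatever display name the sender happens to have saved."""
    by_number = {c.number: c for c in roster}
    violations = []
    for m in group.members:
        cleared = by_number.get(m.number)
        if cleared is None:
            # The Goldberg pattern: a cleared person's name saved on an uncleared number.
            violations.append(
                f"{m.number} (shown as '{m.display_name}') is not on the cleared roster")
        else:
            if cleared.fingerprint != m.fingerprint:
                # Identity key changed since verification: reinstall, re-registration,
                # or someone else now holding the number. Re-verify before trusting.
                violations.append(
                    f"{m.number} ({cleared.name}): identity key changed since verification")
            if cleared.name != m.display_name:
                violations.append(
                    f"{m.number}: saved as '{m.display_name}' but roster says '{cleared.name}'")
        if not m.managed_device:
            violations.append(f"{m.number} ({m.display_name}): not a managed device")
    if group.disappearing_seconds > max_timer_seconds:
        violations.append(
            f"timer {group.disappearing_seconds}s exceeds retention policy "
            f"maximum of {max_timer_seconds}s")
    return violations


def may_send(group: GroupState, roster: Tuple[ClearedIdentity, ...],
             sensitivity: str, max_timer_seconds: int = 0) -> Tuple[bool, List[str]]:
    """Gate a message: routine traffic passes with the findings attached so the
    group gets cleaned up; anything marked sensitive needs a clean check."""
    findings = check_group(group, roster, max_timer_seconds)
    if sensitivity == "routine":
        return True, findings
    return not findings, findings


# Constructed roster and group (no real people, numbers or keys).
ROSTER = (
    ClearedIdentity("Adviser", "+15550000001", "fp-9c3e-adviser"),
    ClearedIdentity("Spokesman", "+15550000002", "fp-41ab-spokesman"),
    ClearedIdentity("Secretary", "+15550000003", "fp-77d0-secretary"),
)

# The spokesman's name is saved on two numbers, one belonging to an outsider on a
# personal phone; the secretary's key no longer matches the verified roster entry.
SAMPLE_GROUP = GroupState(
    title="planning small group",
    members=(
        Member("+15550000001", "Adviser", "fp-9c3e-adviser", True),
        Member("+15550000002", "Spokesman", "fp-41ab-spokesman", True),
        Member("+15550000099", "Spokesman", "fp-e5f1-journalist", False),
        Member("+15550000003", "Secretary", "fp-0000-reinstalled", True),
    ),
    disappearing_seconds=7 * 24 * 3600,
)

if __name__ == "__main__":
    allowed, findings = may_send(SAMPLE_GROUP, ROSTER, "sensitive")
    print("send allowed:", allowed)
    for f in findings:
        print(" -", f)
```

Keying the roster by number and verified fingerprint means the sender's contact-list display name is never consulted for identity: the constructed "Spokesman" entry on the outsider's number is rejected even though it looks like a cleared person, and a rostered number whose identity key has changed since verification is flagged for re-verification rather than trusted. A one-week timer fails a zero-retention policy but would pass if the records policy allowed a longer window, which is why the limit is a parameter rather than a constant.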


3.  For the Cybersecurity Community

        a.  OPSEC must evolve: As adversaries become more sophisticated, so must the integration of people, process, and technology in operational security.

        b.  Cultural change is essential: Security awareness and leadership commitment are as important as technical controls.


SECTION D  SUPPORTING DOCUMENTS 

Table One:  OPSEC Legislation
Aspect           | Details
Bill Name        | Operational Security Act of 2025 (S. 1263)
Purpose          | Establish the Office of Security Training and Counterintelligence in the Executive Office of the President
Main Sponsors    | Sen. Charles Schumer [D-NY], with Sen. Adam Schiff [D-CA] and Sen. Andy Kim [D-NJ] (per the Congressional Record entry below)
Status           | Introduced April 2, 2025; referred to the Committee on Homeland Security and Governmental Affairs (as of April 2025)
Context/Outcome  | Part of broader 2025 defense/security legislative push


Table Two: Civil Affairs and OPSEC

Civil Affairs Aspect          | OPSEC Implication
Population engagement         | Protect sensitive civil data from adversaries
Partner coordination          | Prevent info leaks in multinational environments
Persistent presence           | Conceal operational intentions and movements
Combat support                | Safeguard info distinguishing friend/foe/neutral
Training & doctrine evolution | Embed OPSEC in all CA operational procedures


CONGRESSIONAL RECORD (02 April 2025, page S2139)

S. 1263: Office of Security Training and Counterintelligence

By Mr. SCHUMER (for himself, Mr. SCHIFF, and Mr. KIM):
S. 1263. A bill to establish the Office of Security Training and Counterintelligence in the Executive Office of the President, and for other purposes; to the Committee on Homeland Security and Governmental Affairs.

https://www.congress.gov/119/crec/2025/04/02/171/59/CREC-2025-04-02-pt1-PgS2141-2.pdf

*****************
Data: Perplexity AI
Image:   https://www.imdb.com/title/tt0044207/

Report prepared by: JCL, Pvt. USMC (212xxxx-2533) Radio Communications, 27th Regt. Landing Team (RLT) HQ, Duong Son 2, RVN (AT998678).

JTF-SB 2025                                                                                      
3/LRC/cr1/5750
CMCC NR _____3______                                                           
Ser. No. 040-25
COPY _1__ OF __10__COPIES                                                    
May 2025  

End of Report