Join us at Binding Hook Live on October 27 at Underbelly Boulevard Soho in London

Join us at Binding Hook Live

Hooked! #2: A big month for spies in phones

Katharine Khamhaengwong • 17 April 2025

The biggest cybersecurity news story of the last month had, ironically, nothing to do (directly) with hackers, espionage, or software backdoors. Instead, Signalgate was a dramatic reminder that the most secure systems are still vulnerable to human error.

Mike Waltz stands to US president Donald Trump’s right at the first full cabinet meeting of his second term, on 26 February 2025. Photo: The White House

Hello and welcome to the second edition of Hooked!, Binding Hook’s new monthly current events newsletter. In Hooked!, we draw on our latest publications and growing archive of expert research, analysis, and commentary to reflect on a recent security and technology event.

The biggest cybersecurity news story of the last month had, ironically, nothing to do (directly) with hackers, espionage, or software backdoors. Instead, Signalgate was a dramatic reminder that the most secure systems are still vulnerable to human error.

If you somehow missed that one, US national security adviser Mike Waltz accidentally added Jeffery Goldberg, editor-in-chief of The Atlantic, to a group chat where Trump administration officials including vice president JD Vance and Secretary of Defense Pete Hegseth detailed an imminent plan to bomb Yemen, identified a CIA officer, and then celebrated the aftermath of the bombing. Waltz had apparently saved Goldberg’s number under the contact for then Trump spokesperson Brian Hughes, now spokesperson for the national security council.

The incident raised serious concerns about the security of US government communications, though Trump administration representatives maintain that no classified information was shared. The chat included, among other things, the time, place, and type of weapons of the attack. This could have put members of the US military at serious risk, if the accidental member of the chat had been someone other than a perplexed journalist.

Meanwhile, despite Waltz’s claims that Goldberg’s contact was ‘sucked’ into his phone or that Goldberg hacked him, and Trump’s claim that Signal might be ‘defective’, cybersecurity experts are pretty clear: this was an ‘operator issue’, exacerbated by disregard for conventional US government communications rules, which would have mandated the use of specific, non-internet connected devices running internal encrypted communication tools, rather than publicly available apps like Signal.

Of course, just because this incident was down to operator error, that doesn’t mean that mobile devices aren’t subject to a wide range of threats. Signal itself has recently been identified as a key vector for Russian intelligence services looking to obtain intelligence from Ukrainian forces. More generally, the rise of end-to-end encryption in messaging services such as Signal has prevented would-be listeners from eavesdropping on conversations, driving the use of more intrusive means of accessing data from target devices. While many governments have developed their own capabilities in this area, the main growth has come from commercially available spyware.

Last year, France and the United Kingdom launched a multistakeholder initiative to begin governing spyware and other commercial cyber intrusion capabilities, known as the Pall Mall Process. Several Binding Hook and Virtual Routes affiliates were present at the latest meeting, including Virtual Routes Colloquium leader and former European Cybersecurity Fellow Lena Riecke, who writes this week in Binding Hook about the still unresolved issues – vaguely defined terms, limited accountability mechanisms, and disparate government approaches – that might inhibit successful implementation.

For further spyware reading, Binding Hook managing editor James Shires has previously published suggested principles for regulating cyber-intrusion technologies. We have also published an insightful review of Laurent Richard and Sandrine Rigaud’s Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy; warnings about the risks to democracy, civil society, and journalism; and other tools that can be used to prevent spyware-linked human rights abuses.

There were some positive developments from all this – Signalgate led to massive increases in Signal downloads, as many Americans learned about the app, and there has been a burst of digital privacy coverage in mainstream media. Perhaps these widespread concerns can lead to more public support for and interest in efforts to combat spyware abuse.

Until next month,

Katharine Khamhaengwong

Binding Hook Editor

Katharine Khamhaengwong

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.