JFK and the Houthis: Haste Makes Waste of Security
After much fanfare, the long-anticipated release of the final tranche of JFK assassination files didn’t fail to deliver, though perhaps just a bit more than the public expected. Rather than simply exposing buried truths of the Kennedy assassination, the files also exposed the personal information, including social security numbers, of a parade of people associated with the decades-long investigation, many of whom are still alive today.
At first blush, at least, it seemed a rookie mistake since blotting out social security numbers is de rigueur as documents pass through the redaction process.
“Social security numbers follow a predictable pattern and are relatively easy to identify using technology,” says Bugcrowd co-founder Casey Ellis. But these sorts of documents also pose multiple challenges, he says, pointing to “the enormous quantity of data in the documents themselves and the typically high false-positive rates associated with SSN detection, and the fact that much of the included data is handwritten, making detection of PII more difficult.”
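The pattern-plus-false-positive problem described above, as an added Python example that is not from the article or from any agency's redaction tooling. It handles typed or OCR'd text only; the sample text, the 24-character context window and the context keywords are constructed assumptions.

```python
import re

# 3-2-4 digits with one consistent separator (hyphen, space or none),
# not embedded in a longer run of digits or hyphens such as a record number.
CANDIDATE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
# Assumed keywords that make a bare 9-digit run plausible as an SSN.
CONTEXT = re.compile(r"\b(ssn|ss#|social security)", re.I)

def is_valid_ssn(area, group, serial):
    """Structural rules: area is never 000, 666 or 9xx; group never 00; serial never 0000."""
    if area in ("000", "666") or area[0] == "9":
        return False
    return group != "00" and serial != "0000"

def find_ssns(text, window=24):
    """Return (start, end) spans of likely SSNs, pruning obvious false positives."""
    spans = []
    for m in CANDIDATE.finditer(text):
        area, sep, group, serial = m.groups()
        if not is_valid_ssn(area, group, serial):
            continue
        if sep == "":
            # Unseparated digits are usually account or case numbers:
            # keep them only when an SSN keyword appears just before.
            if not CONTEXT.search(text[max(0, m.start() - window):m.start()]):
                continue
        spans.append(m.span())
    return spans

def redact(text, mask="[REDACTED-SSN]"):
    out, last = [], 0
    for start, end in find_ssns(text):
        out += [text[last:start], mask]
        last = end
    return "".join(out) + text[last:]

# Constructed sample text, not taken from any released file.
SAMPLE = (
    "Record 123-45678-90123, phone 214-555-0142.\n"
    "Employee SSN: 512-44-7731, badge 912-34-5678.\n"
    "Case ref 000-12-3456; account 123456789.\n"
    "SS# 512447731 on file.\n"
)

if __name__ == "__main__":
    print(redact(SAMPLE))
```

The unlabelled `account 123456789` is left alone, which is the trade-off in miniature: every rule that suppresses a false positive can also let a real number through, so automated passes still need human review.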
Those charged with redacting the files should have accounted for that. But it seems the theater surrounding the release of details leading up to and following that awful morning in Dallas, which had such a profound effect on this country, overrode both caution and prudence.
Quite simply, says Chris Gray, Field CTO at Deepwatch, the PII “should have never been made public.” And while Gray remains neutral on whether the files in toto should have been released, “the speed, and as we are seeing, the carelessness, with which it has been done, however, has a price.”
Gray rightly maintains that “an acceptable level of care should have been used to differentiate between the details of the case and needlessly specific personally identifiable information (PII). Simply choosing to keep that information redacted would have served the purpose of making the story plain without causing undue harm to individuals who were simply doing their jobs some 61+ years ago.”
He believes the fallout will land the case in court. “It is one thing to reveal what should be public information, but it is completely another to provide the details that, effectively, compromise a senior citizen’s identity for theft and misuse,” he says. “Such legal actions will, hopefully, cause the administration to demonstrate increased care for those who may be affected.”
That might be wishful thinking. The administration’s response to a more serious breach — the “inadvertent” inclusion of a journalist in a Signal chat that detailed an imminent attack on Houthis in Yemen by a tight group of high-ranking people charged with the security and defense of this country — makes that outcome seem less likely.
At the time of this writing, the principals involved in that breach have played bob and weave with the Senate Intelligence Committee, downplayed the sensitivity of the information shared over a commercial app (a minute-by-minute sequence leading to the attack, detailed weaponry and specific targets), and roundly assailed the messenger, The Atlantic’s editor-in-chief Jeffrey Goldberg, who, by the way, no one in the group seemed to notice had been added to the chat by Waltz until he told them. And indeed, during the conversation, Defense Secretary Pete Hegseth had declared the space safe, noting, “We are currently clean on OpSec.”
A Bigger Issue
These back-to-back incidents, while disconcerting individually, conjure up a bigger issue about the state of security and the protection of sensitive information, whether it’s PII or war plans, in the second Trump term.
The approach has been sloppy, whether due to inexperience, speed, or simply a cavalier attitude toward security. There’s plenty of evidence of all three. And if the past reveals the future, then security is in for a rough ride. During his first term, Trump showed little consideration for protecting intelligence, revealing information Israeli operatives had shared with the U.S. to Russians visiting the White House. Likewise, his response to questions about classified documents stored willy-nilly in boxes in a bathroom at Mar-a-Lago after he left office was to pounce on investigators, prosecutors and the courts.
There is no reason to believe that much has changed this time around — except perhaps a reluctance among members of the administration, Congress and other officials to raise the guardrails and provide oversight. Early on, the CIA, in an effort to comply with a Trump order, revealed the names of more than 200 recent hires in an unsecured email, compromising their ability to serve as operatives in the field. And DOGE exposed a secret CIA base.
No one knows for certain what process was followed when the JFK files were redacted, but the effort was inexplicably rushed. And despite past alerts and guidance from various intel and military agencies which warned against — and in some cases forbade — the use of Signal and other commercial applications regardless of encryption prowess, Waltz, DNI Tulsi Gabbard and Hegseth did just that during Saturday’s group chat, perhaps even using their own personal devices, another no-no. Equally alarming? Special Envoy Steve Witkoff, also included in the group, was apparently in Russia, though he says he didn’t use Signal there, while Gabbard was online while traveling in Southeast Asia.
These questions become even more stark against the backdrop of the speedy, systematic dismantling or retooling of long-held policies, checks and balances and safety nets intended to protect the U.S. If not completely gutted, CISA has been greatly pared down; the administration has decided to suspend offensive action against Russia’s cyber activities (particularly troubling and relevant since Russia has long wanted to crack Signal); and inspectors general, prosecutors, and FBI agents have been let go in startling numbers. Similarly, there is no transparency into the security and privacy protocols, if any, being followed by the young DOGE bros as they tromp through government systems, apparently with permissions that exceed “read-only.”
Shore up Oversight, Act Quickly
While the administration’s cybersecurity and privacy strategies and its commitment remain a mystery, what to do about it and how to shore up security do not. And here’s where speed is crucial — and welcomed. The administration must act quickly to:
- Aggressively probe security slips and breaches that have occurred in the first two months of this presidency, paying more than just lip service and not getting derailed by the “I don’t know” and “I can’t say while there is a review underway” assertions. The devices of all those involved in the Houthi attack group should already have been confiscated, partly to determine if they’re infected with malware or have been otherwise compromised.
- Set clear protocols with teeth — to be effective, they must be enforced. While it is unclear whether heads will roll for current security events, they most certainly should in the future, when principals cavalierly toss security measures to the wind.
- Do a tech check, making sure technology, software and security measures are up to date — and maybe, as one pundit suggested, put the tech boy geniuses at DOGE to work on secure apps that make it easy and safe for increasingly mobile defense, intel and security forces to communicate and pass sensitive data.
- Learn from mistakes. Those are President Trump’s own words when asked about the Signal chat scandal. But that also means admitting mistakes and taking responsibility for them.
- Prioritize transparency. The government shouldn’t operate in the dark. Congress, the White House, and, to some extent, the public need to know what operatives are doing…and how they’re doing it.
- To that end, shore up oversight. Congress seems lukewarm on meeting its oversight responsibilities, and its commitment to doing so often falls along party lines. Security should be bipartisan. In addition, to be effective, oversight needs to come at the agency, department and team levels.
Once those and other steps are taken, then maybe this administration can confidently declare, “We are currently clean on OpSec.”