The Lock & Key Lounge — An ArmorText Original Podcast

Podcast #2 Government Employees and Official Business

ArmorText Season 1 Episode 2

Signal-gate Unlocked: Striking the Balance Between Secure Communications and Legal Oversight in Government

Our guest Marisa chairs the White Collar, Government Investigations & Regulatory Compliance Practice Group at Benesch. A former state and federal prosecutor, she has successfully tried more than 15 complex criminal cases to verdict. Marisa handles a wide range of investigations, including bribery, corruption, Foreign Corrupt Practices Act (FCPA) violations, and high-stakes cybersecurity matters. She regularly advises companies and individuals facing civil or criminal investigations, guiding them through regulatory scrutiny and helping them develop proactive compliance strategies.

She’s recently authored client bulletins dissecting the so-called “Salt Typhoon” breaches and the conflicting or even contradictory stances taken by different U.S. agencies on secure communications—especially ephemeral messaging.  

This episode of The Lock & Key Lounge was initially slated to continue our discussion with Marisa on the advisability of using consumer E2EE apps like Signal for government communications; however, recent developments from 'Signal-gate' compel us to focus sharply on the serious legal and operational pitfalls exposed by such guidance. Today, we'll delve into how these recommendations, aimed at bolstering operational security, clash with the intricate requirements of laws like the Presidential Records Act and broader operational security concerns that extend beyond mere encryption.

[00:00:03–00:00:30] Navroop Mitter:

Hello, this is Navroop Mitter, founder of ArmorText. I'm delighted to welcome you to this episode of The Lock & Key Lounge, where we bring you the smartest minds from legal, government, tech, and critical infrastructure to talk about groundbreaking ideas that you can apply now to strengthen your cybersecurity program and collectively keep us all safer. You can find all of our podcasts on our site, armortext.com, and listen to them on your favorite streaming channels. Be sure to give us feedback.

[00:00:30–00:02:07] Navroop:

Hello, and welcome to The Lock & Key Lounge podcast. I am Navroop Mitter, your host for today, and I'm delighted to welcome back Marisa T. Darden to our program.

Marisa T. Darden:

Thanks for having me. I love that you used the T.

Navroop:

Marisa is the chair of the White Collar Government Investigations and Regulatory Compliance Practice Group at Benesch. Marisa is a former state and federal prosecutor who has successfully tried more than 15 complex criminal cases to verdict. She handles a range of investigations, including bribery, corruption, the Foreign Corrupt Practices Act, and high-stakes cybersecurity matters. Marisa regularly advises companies and individuals facing civil or criminal investigations, helping them navigate regulatory scrutiny and develop forward-looking compliance strategies. She's recently authored client bulletins dissecting the so-called Salt Typhoon breaches and the conflicting or even contradictory stances taken by different US agencies on secure communications, and in particular, ephemeral messaging. Now, today's episode of The Lock & Key Lounge was initially slated to continue our discussion with Marisa on the advisability of using consumer end-to-end encrypted applications, like Signal, for government communications. But with recent developments from Signalgate, it's compelled us to focus sharply on the serious legal and operational pitfalls exposed by such guidance. Today, we'll delve into how these recommendations aimed at bolstering operational security clash with the intricate requirements of laws like the Presidential Records Act and broader operational security concerns that extend beyond mere encryption. And with that, Marisa, ready to get started?

Marisa:

Let's dive in.

[00:02:08–00:04:24] Navroop:

Awesome. Okay. Well, like we said, while we wanted to originally talk about Salt Typhoon, we're obviously going to address Signalgate given that it's just happened in the last few days. Considering recent events, how do you view the risks posed by ephemeral messaging for government employees, especially in light of Signalgate?

Marisa:

Yeah, I think that the most interesting thing about what people are talking about—sort of the fallout of Signalgate—is how crazy it seems that national security work could be discussed or talked about on such a somewhat open channel. I wonder if this actually doesn't happen a lot more, and people just don't get caught, because there are very strict protocols, rules, regulations, guidelines—in some cases, like you said, in the Presidential Records Act and in some other national security spaces—laws about what individual government employees can and can't do with their cell phones or other secure messaging information and how they can disseminate information. But it's really easy in a modern age to get sloppy, or cut corners, or do other things. I read a couple of articles, I think, that talked about other government officials who have used Signal in the past, but more for just logistics, right? Meeting at four, or let's have a discussion about X at three, not to actually make or disseminate highly classified material amongst leadership executives. So, I think that if there's one thing to take away from Signalgate, from a risk standpoint or from a corporate standpoint, it's that this is why technology has to stay relevant with the times, because the way we communicate with each other and the way that we disseminate information has so radically changed, and the laws haven't kept up. And, in many respects, government agencies haven't kept up. As you talked about, there's a lot of wide-ranging guidance now about how to be a private actor and appropriately abide by the rules. So, we have to have a larger national conversation about how we can update our technology overall.

[00:04:24–00:06:16] Navroop:

That makes sense. I'm sure that, given everything that's going on, inspectors general are probably a little bit worried about their ability to investigate unauthorized communications channels, something that could potentially lead to penalties.

Marisa:

Yeah, so inspectors general have a wide-ranging authority. And, just for folks maybe who don't know, there's something like 49 federal agencies under the government umbrella. There may be more or less, depending on the day these days, but almost every independent federal agency has its own inspector general that has authority to investigate various violations of state, federal, or local law—most of the time federal law—as it pertains to the agency in which it serves. And the FBI has an inspector general. Most people don't know about that. And sometimes they have different names, but every agency has one. And so, if you're talking about the National Security Administration or something that deals with high-level national intelligence, the inspectors general in those agencies would have a heightened sense of how to go about reviewing whether their employees have violated either organizational protocol, or written guidance, or rules or laws related to their conduct and their scope of employment. And they are nervous. I mean, irrespective of sort of the uncertainty of being a federal employee these days anyway, they lack, in many cases, the tools to properly have a clear understanding of whether this is happening more frequently than they catch.

[00:06:17–00:08:36] Navroop:

To that point, we've all certainly heard rumors of previous generations of consumer-focused end-to-end encrypted messaging applications being used by even our intelligence services. I do know that, being in the beltway here in DC, we've often heard references to use of the old wickr.me product, right? The consumer-focused version of Wickr that was being used often in unapproved capacities. Now they would tell you that, well, we're using it in the following ways, and that's kind of okay. And everyone would just kind of squint at things. But an example that is a little hard to squint at, that actually comes from the previous—well, two administrations ago now—would be Jared Kushner's use of WhatsApp. I think that kind of highlighted similar concerns, right? When he was using WhatsApp to communicate official business with MBS.

Marisa:

Yeah.

Navroop:

And actually violating the Presidential Records Act.

Marisa:

Well, I mean, that case has a whole host of interesting national security questions and implications. Because, if you recall, at the time in which Jared Kushner was caught sort of doing this, I'm not sure he even had full security clearance to be working on much of the profile that he was assigned. And there's so many questions that still remain about what and under what circumstances he disseminated information. So, the other thing that I think is highlighted with Jared Kushner's case and some of these others is the growing interconnectedness of our world, right? So 10 years ago, even 30 years ago, if you had sensitive material information that you needed to communicate to another government agent, you were supposed to go to a SCIF or like a secure facility and actually turn your phone in and make sure that you were wanded for devices or whatever. And in a lot of—I know the presidential motorcade and like various other high-ranking officials, they travel with the facility to make a temporary SCIF wherever they go. But I don't know if Jared Kushner had that ability. When you are traveling internationally, that's obviously very difficult to replicate. And that's another example of why inspectors general have lost a lot of control over how this information flows and is stored, because we don't just sit in rooms like we used to or like prior generations would have.

[00:08:37–00:11:32] Navroop:

Now, I imagine one of the challenges, though, is that for the longest time, everyone has focused on only one aspect of what it means to communicate in a secure manner. And that's whether or not you had strong encryption in place, right? In particular, forms of end-to-end encryption. I think that's where a lot of this desire to use Signal or WhatsApp stems from: hey, we were told this is a more secure way to communicate because it provides end-to-end encryption. But for officials or agencies that want more than just stronger encryption, how should they also balance the need for security with obligations under acts like FOIA or the Presidential Records Act? What do they need to start thinking about doing?

Marisa:

Well, I think we need to have a much more wholesome conversation about what records companies and businesses need to retain versus what the cost is going to be to do that. And businesses and my clients are grappling with this all over the place, because, particularly if you're in a highly regulated industry, there is no standard record retention policy within the Justice Department or in any formal guidance that I've seen unless you're talking about the healthcare industry, or like HIPAA records, or electronic medical records, or something of that nature. And so, we're counseling clients all the time to re-examine their automatic deletion settings on their devices. We're really questioning whether this BYOD device policy that we all went to some years ago was a good idea, because now you've lost—even if you have a stringent policy in place about Bring Your Own Device and the records that a company is empowered to seize from your personal device—you lose a lot of control over how you track what your employees are doing if they're paying the bill on their phone. And so, a lot of companies are thinking about whether they're going to go back to providing devices to their senior employees, at least, to try to take back that control. And another issue in the private sector that I think probably has implications for government agencies as well, is when you talk to third parties or you have third-party vendors, for example, or you do a lot of sales work, particularly in foreign countries, there's always a high risk of fraud, or corruption, or bribery that your sales folks are doing on your behalf. And you want to make sure that you can capture and retain whatever text messages or ephemeral messages they're using to communicate with government agencies and government employees, which has natural corruption implications under the department's guidance—or at least used to—before we stopped prosecuting the Foreign Corrupt Practices Act. 
And so, you've got to think about what technological solutions exist so that you can be prepared to give that data over, but not keep every single text, because that would be cost prohibitive.

[00:11:33–00:14:42] Navroop:

Marisa, thinking specifically now about Signalgate, recently a judge issued orders to actually preserve all the communications, despite the fact that originally the communications had been set up to expire—I believe it was in a week's time. Can you help us walk through the potential legal liabilities and/or potential repercussions of ignoring official archiving requirements, especially in light of the recent judicial rulings on these Signal communications?

Marisa:

Yeah, well, I think this exact case really highlights a lot of the issues that we're seeing in the marketplace with the type of apps that we have typically on our phones as individual consumers, right? If you don't have a good sense of even how your settings work, or you're like me and you are a technological moron, and you don't know how your settings are even set, you probably don't have any aptitude to be able to keep the data that would otherwise be required of you, either by your employer, or by a judge, or some other intervening authority. And so, the idea that we're even having a conversation about highly sensitive intelligence information needing to be preserved without automatically doing that is why you don't use these apps in the first place for this type of thing. So, number one, something like this should have automatically been preserved. That seems like a no-brainer. But if it wasn't, the idea that a judge had to intervene to do so is remarkable in and of itself. Now, there are a host of—there's the Presidential Records Act that obviously, I think, would apply. There's also some national security laws that require a certain amount of records retention. I think there's also federal government and agency guidance about the types of records and how you're supposed to keep them. I know the Department of Justice has a pretty stringent records retention policy as it relates to criminal prosecutions, as an example. And so, the judge ordering that, I think, will help people understand the need for it. If, for some reason, this administration decides that they're not interested in doing that, the most immediate consequence would be sanctions from the judge—some sort of either economic fine or contempt of court, something of that nature. But it's really hard, again, when we talk about the inspectors general and other enforcement mechanisms here, if the government isn't interested in policing itself, there's not a ton of repercussions. 
And we're very quickly mounting towards a constitutional crisis because, if the Trump administration says we're not preserving it, what is a federal judge empowered to do? The enforcement mechanism would be to have the marshal services go over to the White House and put them under arrest? They're not gonna do that. So, I don't really have good answers for how, in this extreme example, you would really ensure that that data was properly preserved and penalize somebody appropriately or accordingly if they lack the desire to do so.

[00:14:43–00:15:38] Navroop:

Now, while that seems like a really extreme example of a federal judge sending US marshal services to the White House, I can imagine that for lower-level employees within various government agencies, that wouldn't seem so absurd, right? Is that something where a judge would probably go ahead and enact that, sending marshals or others over?

Marisa:

I think this would play out very differently in a random employee violating the Presidential Records Act, for example, or failing to preserve material that was ordered to be preserved, either by a supervisor or by a court. In some cases, there are criminal prosecutions that have happened because of this. I know they looked into prosecuting Jared Kushner when he was using WhatsApp. I think the department ultimately declined that case. But there would be a host of other repercussions, including in leading up to federal prosecution, jail, and other financial penalties.

[00:15:39–00:19:25] Navroop:

Fascinating. You know, if we think about—again, this is more just regular, everyday government employees rather than the exceptional set of persons currently working very closely with the administration and the White House. For everyone else, what practical measures can government employees take if they're worried about eavesdropping or foreign interception, but they also want to ensure compliance?

Marisa:

I don't even know really what the answer—a good answer—to that question, Navroop, but maybe you can tell me what apps or other materials are in the marketplace now that might help prevent the individual employees from having to make that decision in the first place.

Navroop:

Ooh, putting me on the spot now. Okay. So, I think you've actually given some great advice up until this point, right? So, if I think about this, one of the things you mentioned in the previous episode we taped, which was geared towards the private sector—where I think it's equally applicable here—was that folks actually use pre-approved, sanctioned platforms, ones where that ability to establish a chain of trust for any retained archives was kind of already built in, right, or understood, and for which the organization had already planned what their standard operating procedure would be should they have logs requested of them. And so, I think a big part of this is actually working with the agency that employs you to understand what appropriate options have been pre-approved, what are the secure platforms of choice, and also to proactively ask them what role they have to play, if any, in ensuring any appropriate logs are maintained to comply with archiving laws so that it doesn't fall to you as an individual after the fact, having to say, well, wait, I was told I could use X, but X doesn't provide these kinds of logs, and therefore I don't have Y or Zed to provide to you. So, I think that would be a good starting point. In terms of products that actually do that, absolutely, ArmorText is actually built around the ability to have end-to-end encrypted communications, but also end-to-end encrypted retention and review, but I'd rather not dive into our product right here in detail. But hopefully that is close enough to an answer for folks who are looking to answer that question.

Marisa:

Yeah, that sounded good to me. I think the follow-up—and what's really important about what you said—is having a level of trust and a dialogue with the legal team in your environment, whether it's an agency, a regulatory function, or a private business, that you have these regular communications with your tech teams, your compliance teams, your procurement teams, and the general counsel's office to make sure everybody's on the same page about what's allowed, what's acceptable, and how you're going to retain that information. And keep up on the language and the guidance of the time. You talked at the top of the podcast about the conflicting guidance that's been issued by the government in this area. For example, the FBI has a certain idea about how to retain data and how to properly use end-to-end encrypted platforms and the type of retention policies they would be expecting. And for example, a Department of Justice investigation that was eligible for cooperation points. And then, CISA has come out with its own guidance that seems to be—I think CISA came first and then the FBI did—but it was conflicting guidance about how you're supposed to do that and what the retention policy should look like. And so, that's a good call to make to your outside lawyer, your outside counsel, to try to be up on the times, up on your industry, up on the expectations, and hopefully try to maintain an open line in communication.

[00:19:25–00:20:46] Navroop:

That's right. The CISA and FBI guidance to move communications to end-to-end encrypted applications like Signal in the wake of the Salt Typhoon breaches seemed genuinely to be a good idea when it comes to the communications of private citizens. But for organizations and/or even government employees for whom there may be regulatory, statutory, legal requirements for preservation, the guidance seemed to be lacking in nuance and/or oblivious to the fact that such requirements might exist, right? They just weren't addressed. It's not that they were addressed negatively—they just weren't discussed at all. And so, I think to your point then, right, you would want to speak with counsel about having received such guidance and whether or not there are obvious conflicts with any previous directives you may have received around retention. And, if there are, seeking their guidance very clearly on how to actually meet whatever requirements are expected moving forward.

Marisa:

Yeah, I mean, I think the point also about the government seems to me to reinforce the idea that a lot of the people who are making the policies don't actually do the work, because if they had worked in the private sector or they had been out sort of on the ground, they would know that the practical application is the whole point of the policy in the first place.

[00:20:46–00:22:54] Navroop:

Yeah, and that actually brings us to an interesting question then, right? Are there instances where the ephemeral consumer applications might be sanctioned or even less tolerated for certain government communications, right? What are those sets of communications where you're definitely not going to be using a Signal or a WhatsApp?

Marisa:

I think that there are probably some federal agencies that are already doing this because I could imagine, for example—not to bring up current events—but USAID would be a great example of this, because they work in third-world countries. They work in places that don't have the kind of infrastructure that you would expect in the United States. I am confident that they have some guidance about how to talk to individuals and how to make communications in foreign countries that don't have broadband, for example, or internet. As most of you probably know, as most of the rest of the world doesn't use Apple messaging or whatever, everybody's on some third-party app, some end-to-end user encrypted system. And so, they probably do have some better guidance about this, but it's not going to be consistent. And so, this is a place where I think Congress or some larger governing body needs to take a hard look at this so that there's consistency and uniformity across the government.

Navroop:

But I think that's a good point, though, right? For someone working in USAID, they're likely to run into scenarios where the only real method of communication is likely to be one that doesn't have the levels of security and/or enterprise controls that we've been discussing. What I would imagine, though, that for people, say, working in, I don't know, the intelligence agencies or ODNI or DOD, that there would probably be a lot more stress on formal permissions and/or the potential dangers of adopting consumer applications like a Signal because of the sensitive or classified context in which they work.

Marisa:

Agreed, agreed. And there's no way that CIA's covert operations team doesn't have a policy about this.

[00:22:55–00:25:02] Navroop:

Well, so, and I guess what that brings me to then is, could Congress really come up with some sort of uniform standard to apply, or is it going to end up having to be more nuanced than that? Are there going to be certain use cases for which we say, yes, A is acceptable, but under this context, A is not acceptable and instead use B, because Congress can't really come up with a uniform standard if those nuanced cases, like the intelligence sector versus USAID, have differing needs, no?

Marisa:

Well, Navroop, what your answer tells me—or what your question tells me—is that you don't read laws every day like the rest of us in the whole world do, because every single law as written, every single statute as written, has umpteen carve-outs for different exceptions. That's their game; that's what they love to do. So, I could—I mean, I agree with you. There is a lot of nuance here, but in terms of, sort of some bright-line rules and bright-line tests, it seems like there could be a much more cohesive look at how Congress wants the government to operate as a whole, or what type of retention records would be standard. I think I mentioned this on the last podcast. There was, at least under the Biden administration, a real effort to integrate Big Data into criminal prosecutions and the Department of Justice. And so, I could see, as the government continues to embrace technology and AI tools, thinking through some sort of standardized communication system that would work for a lot of the work that the government does—not all, obviously.

Navroop:

Fair enough, and you're right. I don't read laws all day long. I have plenty of other things I could read to put me to bed at night.

Marisa:

Very dry, very dry.

Navroop:

100%. I agree. I've had to read a few, and I do not know how to do it. Thankfully, I have great lawyers who help us with it. But with that said, that actually makes a lot of sense, right? So, it sounds like some sort of uniform standard, but with sufficient carve-outs for those more nuanced use cases where clearly the uniform standard could not apply as is.

Marisa:

Yeah.

[00:25:03–00:27:02] Navroop:

All right. Well, next, let's look forward to what trends we might see concerning personal device usage and ephemeral messaging in government circles. Do you see people changing and going back to a world in which they're now carrying two, three, four-plus phones? Are we going back to those days? What are the trends you think are coming up?

Marisa:

So, most Department of Justice lawyers have two phones. They've always had devices issued by the government. And when I was a federal prosecutor, I had two phone numbers and two phones. So, I could see that probably, again—not just in the government, but also in the private sector—sort of going back to all the rage, just because it's too hard to try to capture some of this data. And you learn too late if you have a real problem that you can't retain certain text messages or information that an individual employee has on their phone. So, I could see that being a big trend. In the wake of the Signal scandal, I could see some very specific rules or guidance issued to government employees about what they can and cannot do, both on their personal devices and on their work phones. And, by the way, I still don't even know how this works—how this could have worked—because when you are issued a Department of Justice phone device, it's locked down. You can't just download Signal. It doesn't even allow you to do that. So, the idea that these executives and these huge, important government actors had Signal on their phones, downloaded and could use it in this way is just mind-boggling in a lot of ways. But I think the other big trend that we're gonna see is at least a conversation about retention policies and how long you should be retaining Slack messages and Teams messages, in addition to whatever people might have on their phones.

[00:27:03–00:28:08] Navroop:

All right, and with that, Marisa, I think we are nearing the end of our time. But once again, if you've got time for one last final question, I've got a little bit more of a fun one for you.

Marisa:

I'm game. Let's do it.

Navroop:

Awesome, all right. So, the last time you were on the program, we were talking about the libation you would turn to to celebrate with your team. I believe you said you would turn to a nice glass of Barolo. Given everything going on, have you switched over to anything harder? And, if so, what?

Marisa:

Well, yeah, if, like me, you're not sleeping these days nearly as well as you used to, sometimes a little heavier cocktail sometimes makes the evening pass a bit easier. So, I guess if I were gonna amp it up from a Barolo, I'd probably go with Clase Azul tequila with a little bit of lime.

Navroop:

Clase Azul tequila with a little bit of lime. I like it. All right, so next time, we might be doing that instead of a nice glass of Barolo.

Marisa:

I'm in. Let's do it.

Navroop:

Awesome. Marisa, thank you for joining us on this latest episode of The Lock & Key Lounge podcast. It was a pleasure having you on.

Marisa:

Thank you for having me.

[00:28:09–00:28:42] Narrator (Matt Calligan of ArmorText):

We really hope you enjoyed this episode of The Lock & Key Lounge.

If you're a cybersecurity expert or you have a unique insight or point of view on the topic—and we know you do—we'd love to hear from you. Please email us at lounge@armortext.com or our website:

armortext.com/podcast. I'm Matt Calligan, Director of Revenue Operations here at ArmorText, inviting you back here next time, where you'll get live, unenciphered, unfiltered, stirred—never shaken—insights into the latest cybersecurity concepts.