Scoop: Musk and Hegseth’s email directive endangers national security, whistleblowers allege
Unencrypted inboxes and aggregate information leave the US exposed
Welcome to a Monday night edition of Progress Report.
I’ve been in the thick of reporting on the Trump administration’s rapid degradation of government and the impact it’s having on working people. Tonight, I have a scoop on the administration’s impact on national security.
If you have a leak or important information for me, you can reach me on Signal at jordanz.97.
Note: Unlike many journalists, I’ve gone fully independent, with no special advertising deals or close relationships with powerful politicians to temper what I write. My only loyalty is to you, the reader, and to the cause of progress — economic justice, democracy, human rights, and standing up to corruption.
You can help keep Progress Report afloat and build that network for just $5 a month — every subscription helps!
The government-wide “5 bullet point” directive continues to put classified information and national security at risk, sources familiar with Department of Defense (DoD) reporting process tells Progress Report.
In late February, federal workers received an email demanding that they list five things that they did each week in emails to their managers. The initiative, hatched by Elon Musk, was launched with little consultation and met with resistance from heads of agencies, in part due to security concerns. Later, DoD workers were instructed by Secretary of Defense Pete Hegseth to send the emails, but withhold classified and sensitive information.
Sources say those precautions are inadequate to protect the agency’s operations and staffers.
Collecting unencrypted puzzle pieces
Every Friday, DoD employees receive an email from a generic email address from the office of the Undersecretary of Defense for Personnel and Readiness. Employees are instructed to reply with the summary of their activities, with their supervisor copied on the email.
The system is loaded with security red flags and weak points, whistleblowers say. The email address does not live on a secure military server, and responses land in an unsigned inbox that lacks an ECA safety certificate. That means that the inbox can’t accept emails that meet the DoD’s enhanced encryption standard, forcing employees to send their bullet points via unencrypted email to a less safe server.
While the messages are not permitted to contain explicitly classified information, they by nature must each contain bits of intelligence that, when compiled, could reveal top-level secrets and national security plans in the aggregate.
In other words, people can’t send the whole jigsaw puzzle, but if someone had access to every piece, it wouldn’t be hard to construct the entire thing, especially with the help of publicly accessible information like LinkedIn profiles.
“Someone can figure out where DoD functions are housed, who works on them, who they report to, and who works on classified info,” one source said. “Our adversaries, were they to gain access to this inbox, would know the structure of the entire DoD, which groups are working on what and where those groups are located. They could find out the locations and dates of military exercises, important meetings, and other sensitive events.”
For example: one employee could write that they supported a military exercise in a certain location but withhold the date, while another could give the date but leave out the location. It wouldn’t take long for a hacker to develop a full picture of the exercise, compromising US security.
The information could reveal important details about the DoD’s work on big picture items like artificial intelligence, tactical munitions, and deception strategies, while interested parties could also quickly profile individuals with important clearances and target them for phishing or blackmail.
“You could target people to turn them into assets, or you could threaten to strategically target locations to disable our main operations, or hobble specific programs in a worst-case scenario,” a source explained. “You could figure out which military installations work on what technologies or research areas.”
An unusual process, without explanation
The DoD already required employees to keep their supervisors up to date on their activities each week, in what are known as Weekly Action Reports. Those reports are filtered through various layers of management, who take out sensitive information and limit submissions to what higher leadership really wants to know at a given time.
Instead of paring down reports to the essentials as they move up the chain, the bullet point directive floods top management with hundreds of thousands of emails every week. There’s little indication of what the reports are used for — Musk allegedly sought to assess some government employees’ value with the emails, but the DoD is not facing any budget cuts.
Employees have raised the red flags and inquired about the purpose of the emails, but have met with disinterest and confusion. High-ranking officials say they don’t know the purpose of the emails, and leadership does not seem particularly worried about the gaps in security.
Alarm has grown since the group chat fiasco, which saw The Atlantic editor Jeffrey Goldberg added to a Signal thread about military strikes in Yemen. There is a sense that DoD officials do not take security particularly seriously, and that there may not be any reason for the emails.
I’ve emailed the Department of Defense for comment but have yet to hear back.
Wait, Before You Leave!
Progress Report has raised over $7 million dollars for progressive candidates and causes, breaks national stories about corrupt politicians, and delivers incisive analysis, and goes deep into the grassroots.
None of the money we’ve raised for candidates and causes goes to producing this newsletter or all of the related projects we put out. In fact, it costs me money to do this. So, I need your help.
For just $5 a month, you can buy a premium subscription that includes:
Premium member-only newsletters with original reporting
Financing new projects and paying new reporters
Access to upcoming chats and live notes
You can also make a one-time donation to Progress Report’s GoFundMe campaign — doing so will earn you a shout-out in the next weekend edition of the newsletter!
Always great Jordan-keep up the good work!!
Dumb & dumber! A drunk & a drug addict! Quite a pair of very sick degenerates! Ugh!!!