NSA worker who took secrets home cost the agency dear: claim
The man, Vietnamese American Nghia Hoang Pho, 70, of Ellicott City, Maryland, entered a guilty plea on 1 December to the charge of taking national defence information home from 2010 to 2015 and retaining it at his residence.
Admiral Mike Rogers, who was NSA chief until May this year, wrote to US District Court Judge George Russell, who is set to sentence Pho in Baltimore on Tuesday, that the negative effects of Pho’s actions had also resulted in a loss of trust among NSA colleagues and essential partners. Rogers’ March letter was published by the American website Politico.
Prosecutors are seeking a jail term of at least eight years for Pho, while his own counsel is requesting no jail time, but a long period of home confinement. Pho has claimed he took the classified material home so he could craft a review that would bring a pay hike which would increase his income when he retired.
Pho was a member of the NSA’s Tailored Access Operations unit, an elite hacking group. A number of exploits created by the TAO were leaked on the Web by a group known as the Shadow Brokers, whose identity is still unknown despite a long-running investigation by the NSA’s counter-intelligence arm, the Q Group, and the FBI. Later leaks by the Brokers are publicly available on the Web.
In his letter, Rogers said the NSA had trusted Pho, who worked on intelligence-gathering tools, to “protect those tools and our nation’s security”, adding that Pho had betrayed that trust.
No connection has yet been clearly shown between Pho and the Shadow Brokers, but there has been at least one media report that claimed exploits from Pho’s PC had been exfiltrated by Russian hackers who then released them, either through the Shadow Brokers or by themselves under the same name.
The NSA exploits are claimed to have leaked to the Russians through Pho’s use of Kaspersky Lab’s anti-virus software; like many anti-virus products with cloud-based sample submission enabled, the software uploads files it flags as suspicious to the vendor’s servers for later analysis, and when it encountered the NSA files on this man’s machine, it did the same.
How the Russians obtained these exploits has never been made clear, the obvious implication being that after the files reached Kaspersky’s Moscow offices, they were handed over to government hackers. Kaspersky has denied handing over any files.
Politico cited “experts” who found Rogers’ letter to be unusual. Steven Aftergood, who tracks classified information policy for the Federation of American Scientists, told the website: “The letter from Rogers is actually quite extraordinary in its candour, both about the nature of signals intelligence … and the consequences when it’s not secured.
“This looks like a letter he wrote himself. … It has all the hallmarks of deeply felt sincerity.”
Rogers said in the letter: “The fact that such a tremendous volume of highly classified, sophisticated collection tools was removed from secure space and left unprotected, especially in digital form on devices connected to the Internet, left the NSA with no choice but to abandon certain important initiatives, at great economic and operational cost.”
Berkeley computer science and security researcher Nick Weaver told Politico that the material taken home by Pho appeared to be hacking tools. “… That sentence is actually a big deal,” he said. “NSA’s response suggests that because of the possibility of compromise they had to redo a lot of platforms to prevent attribution [to the NSA]. That is interesting, although it could very well just be out of an abundance of caution.”
The latest attempt to track down the Shadow Brokers came when a group of researchers from University College London published a study of the privacy-focused digital currency Zcash and said they may have found a way to trace who received payment for the NSA exploits that the Brokers put up for sale.
Contacted for comment, former NSA hacker Jake Williams said he thought it was a stretch to link Pho to the Shadow Brokers.
“There’s a correlation between the tools they claim he took home and what Shadow Brokers released, but that doesn’t make him the source. I think it’s possible he’s a source, but I don’t think it’s plausible that he’s the only source,” said Williams, a former member of TAO himself, who now runs his own infosec outfit, Rendition Infosec.
He added that the government was not accusing Pho of collusion with any foreign power or outside source.
“An eight-year sentence seems a little overboard for someone who just used bad judgment taking classified material home. I wonder how much of the sentence recommendation is an effort to distract from the fact that the source for the Shadow Brokers leaks hasn’t been publicly identified,” Williams said.