A series of leaks has rocked the National Security Agency over the past few years, resulting in digital spy tools strewn across the web that have caused real damage both inside and outside the agency. Many of the breaches have been relatively simple to carry out, often by contractors like the whistleblower Edward Snowden, who employed just a USB drive and some chutzpah. But the most recently revealed breach, which resulted in state secrets reportedly being stolen by Russian spies, was caused by an NSA employee who pleaded guilty Friday to bringing classified information to his home, exposing it in the process. And all, reportedly, to update his resume.
The Justice Department Friday announced that Nghia Hoang Pho, a 67-year-old from Ellicott City, Maryland, has admitted to willful retention of national defense information. He’ll face up to 10 years in prison, but is free until his sentencing in early April. Pho is a naturalized United States citizen originally from Vietnam. Pho illegally mishandled classified information in spite of being an agent in the NSA’s elite Tailored Access Operations foreign hacking group (now called Computer Network Operations) from 2006 to 2016. Though it’s somewhat astonishing that someone with his position and training would cause such a basic breach, Pho brought classified data and paper documents to his home between 2010 and 2015. The New York Times, which originally reported on Pho’s case before his identity was known, notes that he seems to have been charged in March 2015.
“In connection with his employment, Pho held various security clearances and had access to national defense and classified information. Pho also worked on highly classified, specialized projects,” the DoJ said in a statement on Friday. “Pho removed and retained US government documents and writings that contained national defense information, including information classified as Top Secret and Sensitive Compartmented Information.”
‘Classified data is highly sensitive and shouldn’t be able to be removed. It shows that TAO didn’t have good controls over that data.’
David Kennedy, TrustedSec
That information didn’t stay on Pho’s computer. Instead, Pho appears to be the NSA employee from whom Russia stole valuable data, by compromising the Kaspersky antivirus software on a then-unidentified NSA employee’s personal computer. Because antivirus software has deep and far-reaching permissions, Russian intelligence used its hooks into Kaspersky to lift files, and any number of secrets. Kaspersky has repeatedly denied any association with the Russian government.
Pho stands out among recent NSA leak culprits in that he specifically worked as a developer for TAO, which would have brought him into contact with a diverse array of sensitive NSA data, systems, and materials. One would also have thought an elite programmer focused on developing advanced hacking tools would know better than to put classified data at risk by transporting it to his house.
“It’s not a mistake that’s supposed to be common,” says David Kennedy, the CEO of TrustedSec, who formerly worked at the NSA and with the Marine Corps’ signal intelligence unit. “Lax practices, for sure. Classified data is highly sensitive and shouldn’t be able to be removed. It shows that TAO didn’t have good controls over that data.”
The fact that Pho was a developer is significant, though, says Jake Williams, founder of the security firm Rendition Infosec, who formerly worked for TAO at the NSA (a fact that wasn’t public until the NSA leakers known as the Shadow Brokers revealed it in April).
“CNO developers are usually experts in a very narrow field and often don’t really understand how their tools are used in operations, so his lack of operations security is not as surprising as it should be.” Williams says. “There’s also an intense pressure to get the mission done, so the idea that a developer would take work home is not at all surprising.”
Apparently, though, Pho wasn’t focused entirely on work. The New York Times reports that the TAO developer brought home the materials so he could update his resume. The case documents don’t give much indication of what types of data and materials Pho took and left on his personal computer. The frantic investigation into valuable NSA tools stolen by Russian spies, though, indicates that Pho may have exposed more than just resume materials.
Other NSA leaks have come from contractor Reality Winner, who sent classified information to The Intercept in September, and Harold Martin, another contractor, who was charged in October 2016 for bringing terabytes of NSA data to his house, like Pho.
Pho stands out, though, both for the apparent audaciousness of his actions, and his affiliation with TAO, a highly regarded unit within the world’s most powerful intelligence apparatus. If someone like that can accidentally cause a critical NSA breach, there’s no telling who else might have as well.