
31 Flavors of Stolen Classified Documents

In the days ahead, there’ll be a heated discussion of what kind of sentence Espionage Act defendant Donald Trump might face. But even among the really experienced people — who correctly point out that Trump’s sentence would be a tiny fraction of the 400-year statutory maximum he faces — I think the discussions are wrongly conceived. To explain why, I plan to return to my argument that the Mar-a-Lago indictment is tactical.

But first, I want to emphasize the magnitude of the fact that DOJ charged Trump with hoarding 31 documents, each charged as an individual count and described, with classification markings, in the indictment. Virtually all of these documents are the type that the government is normally loath to include at trial, and yet DOJ piled them on, compartmented document on top of compartmented document. The decision to commit to presenting all of them at trial is really remarkable, and must be (and is not being) accounted for in discussions of potential sentencing.

As background I’d like to review five similar prosecutions.

Daniel Hale

First consider two recent prosecutions (Chelsea Manning’s court martial, after which she was sentenced to 35 years, is a third) in which the indictments listed a long catalog of stolen documents, as DOJ did with Trump: Hal Martin and Daniel Hale.

In Hale’s case, the indictment first listed all 23 documents he printed out from his job at a defense contractor, only four of which were as sensitive as most of the documents Trump was charged with hoarding.

Of those 23, DOJ charged only the 11 documents that were published by The Intercept (document H, the fourth TS document, was not published by The Intercept and so was not included in the charged documents). It then charged five counts:

  • 18 USC 793(c) for taking the 11 documents ultimately published
  • 18 USC 793(e) for taking and sharing the files with Jeremy Scahill
  • 18 USC 793(e) for causing to be published the files
  • 18 USC 798(a)(3) for sharing 4 SIGINT documents (documents A, D, E, and K, above)
  • 18 USC 641 for taking the files, charged to include the 11 that got published and a few other unclassified documents that they had proof he had taken

Hale pled guilty to one count without a plea agreement immediately before trial and got a 45-month sentence. He is due to be released in July 2024.

Had Hale gone to trial, the government wouldn’t have had to expose any new information (though it would need to declassify it), because every charged document had been published already. So DOJ really risked very little by charging all 11 documents published by The Intercept. Any damage was already done.

Hal Martin

The way DOJ charged Hal Martin, though, is more akin to how DOJ has charged Trump.

Martin, remember, was arrested, guns-a-blazing, immediately after Shadow Brokers pegged him as the source of the documents being released in 2016. When the FBI searched his home, they found stacks and stacks of documents, including in his car. It took six months to charge Martin, presumably because DOJ had to investigate what he had taken and why — including whether he was Shadow Brokers or had wilfully leaked the documents to Shadow Brokers. Unlike Trump, he was in pre-trial custody that whole time.

In the end, there were no dissemination charges (ultimately, the public record in his case is inconclusive as to whether he wilfully leaked these documents, but if he did, DOJ either couldn’t prove it or chose not to try). As DOJ did with Trump, it charged a set of documents, 20 in total, as separate counts.

There are descriptions of each of these 20 documents in the indictment, but not classification markings. The indictment describes them as a mix of Secret, Top Secret, and SCI.

DOJ presumably got sign-off from the agencies to present these documents at trial, but after a very long pre-trial process, Martin ultimately pled guilty in March 2019 to one count of 18 USC 793(e) as part of a plea agreement, with an agreed-upon sentence of 9 years, one year short of the 10-year max. He’s scheduled for release in May 2024.

Nghia Pho

By comparison, Nghia Pho — the other presumed source of Shadow Brokers, from whom hackers stole a bunch of NSA files loaded onto his home computer — entered into a plea agreement from the start. His Information didn’t describe any of the documents he took home, though suggested many were TS/SCI. Pho was sentenced to 66 months. Pho, who was in his 60s when he was sentenced and is now 72, is due for release in September.

This is the way DOJ normally prefers to treat those responsible for leaks and other compromises, because the prosecution does little additional damage. Of course, there was never a chance in hell such an approach would work for Trump.

Note that Thomas Windom, who is one of the lead January 6 prosecutors, was on the Pho prosecution team.

Jeremy Brown

Two other relevant cases involve Floridians prosecuted in the last year. With Oath Keeper Jeremy Brown, the government did list and present the five documents, all classified Secret, that he was accused of hoarding. It used the Silent Witness rule to present the classified documents at trial, all of which were far more dated and less sensitive than the ones Trump is accused of stealing. Here’s how the government described that procedure in its pre-trial filings.

First, the government would provide each juror, the Court, and the defense with a binder of unredacted copies of the Classified Documents. The same process was followed in Mallory, 40 F.4th at 173, and it would enable the jurors to examine the Classified Documents while the government elicits unclassified testimony about the same from its expert witness. As in Mallory, the defense would be permitted to follow the same procedures during cross examination and/or with its own cleared expert, should the defense choose to retain one. Id. This procedure ensures that the jury has full access to the information it needs to fulfill its obligations. Id. at 178 (“But a review of the record reveals that the silent witness rule denied the jury none of the information on which Mallory based his defense.” (emphasis in original)). Second, the government will have Bates and line numbers added to the Classified Documents to enable the witness, the government, and the defense to direct the jurors to specific portions of the material.

Brown was only convicted of one of five Espionage Act counts, but nevertheless was sentenced to 87 months for the document as well as the illegal weapons he was convicted of hoarding.

Robert Birchum

Finally, there’s Robert Birchum, a retired Lieutenant Colonel who was sentenced to 36 months just a few weeks ago. In 2017, six years ago, Birchum was found hoarding over 300 documents he had collected before 2008. The Air Force declined to court martial him, and he was honorably discharged (it sounds like the Air Force really valued the counterinsurgency work he did). His case was first made public in January, when he was charged by Information with one count of 793(e). That Information did describe two documents he was charged with:

two documents classified at the TOP SECRET/SCI level from the National Security Agency (NSA) relating to the national defense that discuss the NSA’s capabilities and methods of collection of information.

The government asked for a bottom of guidelines sentence of 78 months, emphasizing Birchum’s abuse of a position of trust and the sensitivity of the documents he took. Among other things Birchum raised at sentencing is that he was so important to the Air Force, they sent him back to Afghanistan even after diagnosing him with PTSD. He also invoked all the high ranking people, including Trump, who had brought classified records home.

Among others, Mr. Birchum’s case now shares a stage with the current President of the United States, the former President and Vice-President of the United States, and a former Secretary of State. Looking a bit further back in time, one can see examples of other high-level government executives involved in the same type of offenses, including a former national security adviser who pled guilty to knowingly removing classified documents from the National Archives and a former CIA director and retired four-star general who pled guilty to sharing classified documents with his biographer and mistress. Both the former national security adviser and the former CIA director were sentenced to pay a fine and probation. No charges have been brought against any of the other individuals noted above. Similar cases involving lower-level government employees that did result in prison sentences typically involved attempts to obstruct the investigation or actual dissemination of the information or both.

He was sentenced to 36 months.

The reason I laid all this out is to suggest how remarkable it was that DOJ listed 31 documents Trump allegedly stole. Of the cases above, DOJ did so only with the less sensitive, dated records charged against Brown, with the 11 documents already published in Hale’s case, and with the catalog of documents charged against Martin, some of which may also have been compromised as part of the Shadow Brokers release. If Martin’s charged documents were already compromised in that release, then among these cases there is no precedent for the government choosing to charge a catalog of incredibly sensitive documents like it has with Trump.

That’s one reason I keep harping on the footnote in a DOJ filing in the Trump case from last September, invoking the Pho case (where we know the documents were badly compromised) to suggest that sometimes the Intelligence Community has to operate on the assumption that programs have been compromised and shut them down.

Once the government loses positive control over classified material, the government must often treat the material as compromised and take remedial actions as dictated by the particular circumstances. Depending on the type and volume of compromised classified material, such reactions can be costly, time consuming and cause a shift in or abandonment of programs. In this case, the fact that such a tremendous volume of highly classified, sophisticated collection tools was removed from secure space and left unprotected, especially in digital form on devices connected to the Internet, left the NSA with no choice but to abandon certain important initiatives, at great economic and operational cost.

We know one of the 31 documents charged against Trump — the document described in Count 8 that fell out of a box in the storage closet — would be treated as compromised, particularly if someone knocked the box over or is believed to have found it (remember that there are no cameras inside the storage room).

I can’t emphasize this point enough: One possible explanation for the catalog of charges against Trump is that the IC knows, or made a decision last September to assume, that all of these documents have been compromised. It’s one of the most likely ways to explain DOJ’s willingness to include all of them in charges, just like they did with the documents charged against Hale.

That possibility is not being factored into any of the discussions about sentencing, and it should be. The IC likely has to assume that the many intelligence services that targeted Mar-a-Lago, including two known Chinese infiltrators, found some of these documents, or maybe just the musicians and partygoers who could have had access while they were taking a shit.

Importantly, all the documents charged remained in an unsecured storage room after it became public that there were classified documents among the ones that Trump had delivered to NARA in January 2022. (Note, among the really sensitive documents that weren’t included in Trump’s charges are ones classified HCS-O, describing HUMINT operations.)

The Pho and Birchum examples show that DOJ would far prefer negotiating a plea agreement in advance, to minimize further damage to national security. But Trump made quite clear after the search last year that he was unwilling to go quietly.

The only one of these five who went to trial was Brown, and DOJ used the Silent Witness rule for him. That rule is rightly controversial even with disfavored shithole defendants like Brown (or Kevin Mallory, who was convicted of spying for China using it). I simply can’t imagine using the Silent Witness rule in a trial with a former President. The issues of legitimacy are too great. And so, if this thing goes to trial, I assume redacted copies of all these documents would be introduced as evidence that would get shared with the public.

Which is why I point to the Martin case as the one most similar to Trump. My read of that case is that DOJ charged so many documents — just 20, though, rather than 31 — as part of the coercion process to get Martin to plead.

The problem, in Donald Trump’s case, is that he has more incentive to start a civil war than plead guilty to these charges.

Those are some of the assumptions — not to mention that by charging this in West Palm Beach, where Aileen Cannon was likely to and did get the assignment — that Jack Smith must have had in mind when he charged the MAL case like he did.

With every other similarly situated defendant, DOJ has pursued strategies to get the defendant to plead before exacerbating the damage of the compromise at trial. But with Donald Trump, they’re facing a uniquely intransigent defendant. And that is what Jack Smith was facing when he decided to charge this case this way.

Devlin Barrett’s “People Familiar with the Matter”

As Devlin Barrett’s sources would have it, a man whose business ties to the Saudis include a $2 billion investment in his son-in-law, a golf partnership of undisclosed value, and a new hotel development in Oman would have no business interest in stealing highly sensitive documents describing Iran’s missile systems.

I’ll let you decide whether the claim, made in Barrett’s latest report on the stolen documents case, means the FBI is considering the issue very narrowly or Barrett’s sources are bullshitting him.

That review has not found any apparent business advantage to the types of classified information in Trump’s possession, these people said. FBI interviews with witnesses so far, they said, also do not point to any nefarious effort by Trump to leverage, sell or use the government secrets. Instead, the former president seemed motivated by a more basic desire not to give up what he believed was his property, these people said.

Barrett has a history of credulously repeating what right wing FBI agents feed him for their own political goals, which means it’s unclear how seriously to take this report. Particularly given several critical details Barrett’s story does not mention:

  • Trump’s efforts, orchestrated in part by investigation witness Kash Patel, to release documents about the Russian investigation specifically to serve a political objective
  • The report, from multiple outlets, that Jay Bratt told Trump’s lawyers that DOJ believes Trump still has classified documents
  • Details about classified documents interspersed with a Roger Stone grant of clemency and messages — dated after Trump left the White House — from a pollster, a book author, and a religious leader; both sets of interspersed classified documents were found in Trump’s office
  • The way Trump’s legal exposure would expand if people like Boris Epshteyn conspired to help him hoard the documents or others like Molly Michael accessed the classified records

To be sure: I think a good many of the documents Trump stole — including the most sensitive ones — were stolen as trophies. We know that’s why Trump stole his love letters with Kim Jong Un. And the visible contents of the FBI’s search photograph show that the most highly classified documents were stored along with Time Magazine covers.

But this report, from sources described as “people familiar with the matter,” bespeaks a partial view of the investigation, one Barrett hasn’t bothered to supplement (or challenge) with public records.

That description, “people familiar with the matter,” is the same one Barrett uses to remind readers that he got the scoop on the Iranian missile documents that his sources don’t think the Saudis would have any interest in, and his scoop that Trump stole documents about some country’s defense system (which, if the country is Iran, Saudi Arabia, or Israel, would be of acute interest to Trump’s golf partners, too).

The Washington Post has previously reported that among the most sensitive classified documents recovered by the FBI from Mar-a-Lago were documents about Iran and China, according to people familiar with the matter.

At least one of the documents seized by the FBI at Mar-a-Lago on Aug. 8 describes Iran’s missile program, according to these people, who spoke on the condition of anonymity to describe an ongoing investigation. Other documents described highly sensitive intelligence work aimed at China, they said. The Post has also reported that some of the material focuses on the defense systems of a foreign country, including its nuclear capabilities.

There’s no guarantee that these “people familiar with the matter” are the same sources for both the information about the most sensitive documents Trump stole and the current understanding about Trump’s motive. It could be that Barrett is using the same vague description to protect his source(s).

But they could be the same sources. Indeed, the blind spots in Barrett’s reporting may stem from having sources familiar with the national security review of the documents, but not necessarily the ongoing investigation into it. Some of the WaPo’s past reporting on this story seems to come from people who’ve seen the unredacted affidavit, but not necessarily the investigative files.

And that’s interesting, among other reasons, because the leak to Barrett about the most sensitive documents has formed the primary harm claimed by Trump’s lawyers in filing after filing after filing, starting literally the day after Judge Aileen Cannon cited leaks in her original order enjoining the criminal investigation.

The Government is apparently not concerned with unauthorized leaks regarding the contents of the purported “classified records,” see, e.g., Devlin Barrett and Carol D. Leonnig, Material on foreign nation’s nuclear capabilities seized at Trump’s Mara-Lago, WASH. POST (Sept. 6, 2022), https://www.washingtonpost.com/nationalsecurity/2022/09/06/trump-nuclear-documents/, and would presumably be prepared to share all such records publicly in any future jury trial. However, the Government advances the untenable position in its Motion that the secure review by a Court appointed and supervised special master under controlled access conditions is somehow problematic and poses a risk to national security.

Trump cites Barrett’s work right alongside EO 13526 as “Other Authorities” central to Trump’s argument:

In any case, given the precedent of Nghia Pho (which may still be the only 18 USC 793 case cited by DOJ in this proceeding), it may not matter if Trump stole all or only some of these documents because he’s a narcissist. Trump brought a stack of classified documents to a foreign intelligence target and left them unprotected as multiple suspect foreigners infiltrated his resort. He continued to hoard such documents even after it was publicly reported that he had brought classified documents home.

During Trump’s Administration two men were sent to prison because, by bringing highly classified documents home for motives that had nothing to do with leaking, they made the documents accessible to Russian-linked sources, actions that ultimately led to a devastating compromise of US intelligence resources. Under Donald Trump’s DOJ, Pho and Hal Martin were not given a pass because they were serving their own ego.

So there’s no reason Trump’s narcissism, alone, should be a basis not to charge him.

“Sometimes We Fall in Love with Our Sources”

Fifteen years ago, during the Scooter Libby trial, I had lunch with James Gordon Meek, a national security reporter then at NY Daily News. I remember I was bitching that journalists at the trial continued to treat Robert Novak as credible even though his testimony about what led to his exposure of Valerie Plame’s identity had changed four times by that point. He explained, very matter of factly, that “sometimes we fall in love with our sources,” particularly intelligence sources.

I had little contact with him after that until 2018 or 2019, when we spoke several times about the Russian investigation.

Meek’s comment has, obviously, stuck with me over the years. All the more so as I read Rolling Stone’s story describing how — over the course of ten minutes on April 27 — Meek’s home had been searched, and we’re only hearing about it almost six months later. There’s even a version of what Meek told me years ago in the story: “To his detractors within ABC, Meek was something of a ‘military fanboy.’” Meek got a lot of stories by being very close to his military sources.

The story has, predictably, generated a lot of concern about Meek’s treatment at the hands of Merrick Garland’s DOJ.

But there are details in the story that offer at least part of an explanation.

First, his attorney is quoted, complaining that this story is out there.

“Mr. Meek is unaware of what allegations anonymous sources are making about his possession of classified documents,” his lawyer, Eugene Gorokhov, said in a statement. “If such documents exist, as claimed, this would be within the scope of his long career as an investigative journalist covering government wrongdoing. The allegations in your inquiry are troubling for a different reason: they appear to come from a source inside the government. It is highly inappropriate, and illegal, for individuals in the government to leak information about an ongoing investigation. We hope that the DOJ [Department of Justice] promptly investigates the source of this leak.”

Meek’s lawyer, at least, is not trying to generate the kind of media attention that would immediately raise questions about his treatment as a journalist the way — say — Project Veritas’ lawyers did when James O’Keefe and others were searched. If he had concerns about Meek’s treatment or the propriety of the search, I highly doubt he would respond this way, by complaining that the search was made public.

Details in the story suggest Meek responded to the search differently than Project Veritas in other ways, too. He appears to have moved.

In the raid’s aftermath, Meek has made himself scarce. None of his Siena Park neighbors with whom Rolling Stone spoke have seen him since, with his apartment appearing to be vacant.

He withdrew from a project recounting the rescue of former US intelligence partners in Afghanistan around the time of the search.

“He contacted me in the spring, and was really distraught, and told me that he had some serious personal issues going on and that he needed to withdraw from the project,” Mann tells Rolling Stone. “As a guy who’s a combat veteran who has seen that kind of strain — I don’t know what it was — I honored it. And he went on his way, and I continued on the project.”

Mann says he hasn’t heard from Meek since.

And — first — his producer on a documentary about four Special Forces guys killed in Niger by ISIS, and then he himself resigned from ABC “abruptly.”

“He fell off the face of the Earth,” says one. “And people asked, but no one knew the answer.”

An ABC representative tells Rolling Stone, “He resigned very abruptly and hasn’t worked for us for months.”

[snip]

Adding intrigue, sources say another ABC News investigative journalist, Brian Epstein, also abruptly and inexplicably left the network a few months before Meek. Epstein also worked as a director, producer, and cinematographer on 3212 Un-Redacted (Hulu stopped Emmy campaigning after Meek apparently went AWOL, and the documentary ultimately failed to receive a nomination). Epstein told Rolling Stone, “I’m not commenting on this story,” before abruptly hanging up. 

Short of ABC turning the two reporters in themselves, resigning while under legal investigation would be the last thing you’d do, in part for the legal protection a big media outlet can offer.

All of which suggests there’s something about this story — or perhaps follow-ups — that led Meek and Epstein to withdraw.

As alluded to above, the story claims — citing “sources familiar” — that FBI found classified information on a laptop.

Sources familiar with the matter say federal agents allegedly found classified information on Meek’s laptop during their raid. One investigative journalist who worked with Meek says it would be highly unusual for a reporter or producer to keep any classified information on a computer.

I’m not sure I buy that it’s unusual for reporters to keep classified information on a computer — a laptop, after all, can be air-gapped, and fully encrypted information stored in digital form can be safer than papers lying around. But if it wasn’t air-gapped, it could make the classified information available, even unwittingly, to hostile entities. In the wake of the Nghia Pho compromise, the government has focused renewed attention on such possible modes of compromise. If Meek had obtained classified information in the course of reporting and the government believed the real goal — one he may not have understood — was its compromise, you might see something like this.

Meek and his attorney have, for whatever reason, chosen not to make a public case out of this search. But “sources familiar” just did so whether Meek wanted it to happen or not.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Trust: In Bid for Stay, DOJ Likened Trump to Catastrophic Intelligence Compromise

There’s a detail in DOJ’s request for a stay of Judge Aileen Cannon’s injunction on using stolen Trump documents to investigate Trump that hasn’t gotten enough attention.

A footnote modifying a discussion about the damage assessment the Intelligence Community is currently doing referenced a letter then-NSA Director Mike Rogers wrote in support of Nghia Pho’s sentencing in 2018. [This letter remains sealed in the docket but Josh Gerstein liberated it at the time.]

[I]n order to assess the full scope of potential harms to national security resulting from the improper retention of the classified records, the government must assess the likelihood that improperly stored classified information may have been accessed by others and compromised. 4

4 Departments and agencies in the IC would then consider this information to determine whether they need to treat certain sources and methods as compromised. See, e.g., Exhibit A to Sentencing Memorandum, United States v. Pho, No. 1:17-cr-631 (D. Md. Sept. 18, 2018), D.E. 20-1 (letter from Adm. Michael S. Rogers, Director, National Security Agency) (“Once the government loses positive control over classified material, the government must often treat the material as compromised and take remedial actions as dictated by the particular circumstances.”).

Even on its face, the comment suggests the possibility that the Intelligence Community is shutting down collection programs because Trump took documents home.

But the analogy DOJ made between Trump and Pho, by invoking the letter, is even worse.

I’ve written about Pho, who, along with Hal Martin, is believed to be the source of the files leaked by Shadow Brokers — files that in turn fueled two devastating global malware attacks, WannaCry and NotPetya.

Over a month ago, I suggested that the IC likely had Pho and Martin in mind as they considered the damage Trump may have done by doing the same thing: taking highly classified files home from work.

[T]he lesson Pho and Martin offer about how catastrophic it can be when someone brings classified files home and stores them insecurely, no matter their motives — are the background against which career espionage prosecutors at DOJ will be looking at Trump’s actions.

But with the footnote, I’m no longer the only one to make such an analogy. DOJ did so too, in an unsuccessful effort to get Judge Cannon to understand the magnitude of the breach she was coddling.

As you read this letter, replace Pho’s name with Trump’s. It reads almost seamlessly.

That’s the analogy DOJ made between Trump and someone his own DOJ prosecuted aggressively.

Pho retained classified information outside of properly secured spaces and by doing so caused very significant and long-lasting harm to the NSA, and consequently to the national security of the United States.

[snip]

[T]he exposure of the United States’ classified information outside of secure spaces may result in the destruction of intelligence-gathering efforts used to protect this nation. Mr. Pho, who voluntarily assumed this responsibility, ignored his oath to his country and the NSA by taking classified information outside of secure spaces, thereby placing that information in significant jeopardy.

[snip]

Mr. Pho’s conduct in improperly and unlawfully retaining national defense information, which included highly classified information, outside of secure space had significant negative impacts on the NSA mission.

[snip]

Techniques of the kind Mr. Pho was entrusted to protect, yet removed from secure space, are force multipliers, allowing for intelligence collection in a multitude of environments around the globe and spanning a wide range of national security topics. Compromise of one technique can place many opportunities for intelligence collection and national security at risk.

By removing such highly classified materials outside of secure space, Mr. Pho subjected those materials to compromise. It is a fundamental mandate in the Intelligence Community that classified material must be handled and stored in very specific and controlled ways. If classified material is not handled or stored according to strict rules, then the government cannot be certain that it remains secret. Once the government loses positive control over classified material, the government must often treat the material as compromised and take remedial actions as dictated by the particular circumstances. Depending on the type and volume of compromised classified material, such reactions can be costly, time consuming and cause a shift in or abandonment of programs. In this case, the fact that such a tremendous volume of highly classified, sophisticated collection tools was removed from secure space and left unprotected, especially in digital form on devices connected to the Internet, left the NSA with no choice but to abandon certain important initiatives, at great economic and operational cost.

In addition, NSA was faced with the crucial and arduous task of accounting for all of the exposed classified materials, including TOP SECRET information, the unauthorized disclosure of which, by definition, reasonably could be expected to cause exceptionally grave damage to the national security. Accounting for all of the exposed classified material was necessary so that NSA could attempt to assess the damage that resulted from the classified and diverted critical resources away from NSA’s intelligence-gathering mission.

The detrimental impacts of Mr. Pho’s activities are also felt in other less tangible ways, including a loss of trust among colleagues and essential partners who count on NSA to conduct its mission.

[snip]

Trust is an essential component of all of the work that is done by NSA employees. It is affirmed by our sworn oath to uphold and defend the Constitution, sealed by our signed obligations to protect national defense information.

[snip]

This trust extends to a circle with other U.S. intelligence agencies, who share valuable intelligence insights; military personnel, who share details of their operational plans; and international partners, who share their sovereign secrets with us, all for common objectives.

[snip]

Future decisions about sharing will be weighted with considerations of the breach of trust by one party.

There’s little that distinguishes Pho’s compromise from Trump’s. While Trump didn’t load all this stuff online like Pho did, he brought it to a thinly-protected country club aggressively targeted by foreign intelligence services — a more obvious target than Pho’s desktop computer.

And whether the IC knows about the extent of the compromise right now, or whether something he made available will shut down shipping and hospitals and drug manufacturing in two years time, as Pho’s compromises did, the IC has to act as if these files have already been compromised.

That’s what the footnote says.

As I said, Trump’s own DOJ ratcheted up prosecutions in the wake of the Pho and Martin compromises. And now Trump — along with a judge he appointed — is trying to make sure he evades the same justice that his own DOJ demanded of others.

Update: Clarified that Martin and Pho are believed to be the source of the files leaked by Shadow Brokers, but not the leakers themselves.


[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

18 USC 793e in the Time of Shadow Brokers and Donald Trump

Late last year, a Foreign Affairs article by former Principal Deputy Director of National Intelligence Sue Gordon and former DOD Chief of Staff Eric Rosenbach asserted that the files leaked in 2016 and 2017 by Shadow Brokers came from two NSA officers who brought the files home from work.

In two separate incidents, employees of an NSA unit that was then known as the Office of Tailored Access Operations—an outfit that conducts the agency’s most sensitive cybersurveillance operations—removed extremely powerful tools from top-secret NSA networks and, incredibly, took them home. Eventually, the Shadow Brokers—a mysterious hacking group with ties to Russian intelligence services—got their hands on some of the NSA tools and released them on the Internet. As one former TAO employee told The Washington Post, these were “the keys to the kingdom”—digital tools that would “undermine the security of a lot of major government and corporate networks both here and abroad.”

One such tool, known as “EternalBlue,” got into the wrong hands and has been used to unleash a scourge of ransomware attacks—in which hackers paralyze computer systems until their demands are met—that will plague the world for years to come. Two of the most destructive cyberattacks in history made use of tools that were based on EternalBlue: the so-called WannaCry attack, launched by North Korea in 2017, which caused major disruptions at the British National Health Service for at least a week, and the NotPetya attack, carried out that same year by Russian-backed operatives, which resulted in more than $10 billion in damage to the global economy and caused weeks of delays at the world’s largest shipping company, Maersk. [my emphasis]

That statement certainly doesn’t amount to official confirmation that that’s where the files came from (and I’ve been told that the scope of the files released by Shadow Brokers would have required at least one more source). But the piece is as close as anyone with direct knowledge of the matter — as Gordon would have had from the aftermath — has come to confirming on the record what several strands of reporting had laid out in 2016 and 2017: that the NSA files that were leaked and then redeployed in two devastating global cyberattacks came from two guys who brought highly classified files home from the NSA.

The two men in question, Nghia Pho and Hal Martin, were prosecuted under 18 USC 793e, likely the same part of the Espionage Act under which the former President is being investigated. Pho (who was prosecuted by Thomas Windom, one of the prosecutors currently leading the fake elector investigation) pled guilty in 2017 and was sentenced to 66 months in prison; he is processing through re-entry for release next month. Martin pled guilty in 2019 and was sentenced to 108 months in prison.

The government never formally claimed that either man caused hostile powers to obtain these files, much less voluntarily gave them to foreign actors. Yet it used 793e to hold them accountable for the damage their negligence caused.

There has never been any explanation of how the files from Martin would have gotten to the still unidentified entity that released them.

But there is part of an explanation how files from Pho got stolen. WSJ reported in 2017 that the Kaspersky Anti-Virus software Pho was running on his home computer led the Russian security firm to discover that Pho had the NSA’s hacking tools on the machine. Somehow (the implication is that Kaspersky alerted the Russian government) that discovery led Russian hackers to subsequently target Pho’s computer and steal the files. In response to the WSJ report, Kaspersky issued their own report (here’s a summary from Kim Zetter). It acknowledged that Kaspersky AV had pulled in NSA tools after triggering on a known indicator of NSA compromise (the report claimed, and you can choose to believe that or not, that Kaspersky had deleted the most interesting parts of the files obtained). But it also revealed that in that same period, Pho had briefly disabled his Kaspersky AV and downloaded a pirated copy of Microsoft Office, which led to at least one backdoor being loaded onto his computer via which hostile actors would have been able to steal the NSA’s crown jewels.

Whichever version of the story you believe, both confirm that Kaspersky AV provided a way to identify a computer storing known NSA hacking tools, which then led Pho — someone of sufficient seniority to be profiled by foreign intelligence services — to be targeted for compromise. Pho didn’t have to give the files he brought home from work to Russia and other malicious foreign entities. Merely by loading them onto his inadequately protected computer and doing a couple of other irresponsible things, he made the files available to be stolen and then used in one of the most devastating information operations in history. Pho’s own inconsistent motives didn’t matter; what mattered was that actions he took made it easy for malicious actors to pull off the kind of spying coup that normally takes recruiting a high-placed spy like Robert Hanssen or Aldrich Ames.

In the aftermath of the Shadow Brokers investigation, the government’s counterintelligence investigators may have begun to place more weight on the gravity of merely bringing home sensitive files, independent of any decision to share them with journalists or spies.

Consider the case of Terry Albury, the FBI Agent who shared a number of files on the FBI’s targeting of Muslims with The Intercept. As part of a plea agreement, the government charged Albury with two counts of 793e, one for a document about FBI informants that was ultimately published by The Intercept, and another (about an online terrorist recruiting platform) that Albury merely brought home. The government’s sentencing memo described the import of files he brought home but did not share with The Intercept this way:

The charged retention document relates to the online recruitment efforts of a terrorist organization. The defense asserts that Albury photographed materials “to the extent they impacted domestic counter-terrorism policy.” (Defense Pos. at 37). This, however, ignores the fact that he also took documents relating to global counterintelligence threats and force protection, as well as many documents that implicated particularly sensitive Foreign Intelligence Surveillance Act collection. The retention of these materials is particularly egregious because Albury’s pattern of behavior indicates that had the FBI not disrupted Albury and the threat he posed to our country’s safety and national security, his actions would have placed those materials in the public domain for consumption by anyone, foreign or domestic.

And in a declaration accompanying Albury’s sentencing, Bill Priestap raised the concern that by loading some of the files onto an Internet-accessible computer, Albury could have made them available to entities he had no intention of sharing them with.

The defendant had placed certain of these materials on a personal computing device that connects to the Internet, which creates additional concerns that the information has been or will be transmitted or acquired by individuals or groups not entitled to receive it.

This is the scenario that, one year earlier, was publicly offered as an explanation for the theft of the files behind The Shadow Brokers; someone brought sensitive files home and, without intending to, made them potentially available to foreign hackers or spies.

Albury was sentenced to four years in prison for bringing home 58 documents, of which 35 were classified Secret, and sending 25 documents, of which 16 were classified Secret, to the Intercept.

Then there’s the case of Daniel Hale, another Intercept source. Two years after the Shadow Brokers leaks (and five years after his leaks), he was charged with five counts of taking and sharing classified documents, including two counts of 793e tied to 11 documents he took and shared with the Intercept. Three of the documents published by The Intercept were classified Top Secret.

Hale pled guilty last year, just short of trial. As part of his sentencing process, the government argued that the baseline for his punishment should start from the punishments meted to those convicted solely of retaining National Defense Information. It tied Hale’s case to those of Martin and Pho explicitly.

Missing from Hale’s analysis are § 793 cases in which defendants received a Guidelines sentence for merely retaining national defense information. See, e.g., United States v. Ford, 288 F. App’x 54, 61 (4th Cir. 2008) (affirming 72-month sentence for retention of materials classified as Top Secret); United States v. Martin, 1:17-cr-69-RDB (D. Md. 2019) (nine-year sentence for unlawful retention of Top Secret information); United States v. Pho, 1:17-cr-00631 (D. Md. 2018) (66-month sentence for unlawful retention of materials classified as Top Secret). See also United States v. Marshall, 3:17-cr-1 (S.D. TX 2018) (41-month sentence for unlawful retention of materials classified at the Secret level); United States v. Mehalba, 03-cr-10343-DPW (D. Ma. 2005) (20-month sentence in connection with plea for unlawful retention – not transmission – in violation of 793(e) and two counts of violating 18 U.S.C. 1001; court departed downward due to mental health of defendant).

Hale is more culpable than these defendants because he did not simply retain the classified documents, but he provided them to the Reporter knowing and intending that the documents would be published and made available to the world. The potential harm associated with Hale’s conduct is far more serious than mere retention, and therefore calls for a more significant sentence. [my emphasis]

Even in spite of a moving explanation for his actions, Hale was sentenced to 44 months in prison. Hale still has almost two years left on his sentence in Marion prison.

That focus on other retention cases from the Hale filing was among the most prominent national references to yet another case of someone prosecuted during the Trump Administration for taking classified files home from work, that of Weldon Marshall. Over the course of years of service in the Navy and then as a contractor in Afghanistan, Marshall shipped hard drives of classified materials home.

From the early 2000s, Marshall unlawfully retained classified items he obtained while serving in the U.S. Navy and while working for a military contractor. Marshall served in the U.S. Navy from approximately January 1999 to January 2004, during which time he had access to highly sensitive classified material, including documents describing U.S. nuclear command, control and communications. Those classified documents, including other highly sensitive documents classified at the Secret level, were downloaded onto a compact disc labeled “My Secret TACAMO Stuff.” He later unlawfully stored the compact disc in a house he owned in Liverpool, Texas. After he left the Navy, until his arrest in January 2017, Marshall worked for various companies that had contracts with the U.S. Department of Defense. While employed with these companies, Marshall provided information technology services on military bases in Afghanistan where he also had access to classified material. During his employment overseas, and particularly while he was located in Afghanistan, Marshall shipped hard drives to his Liverpool home. The hard drives contained documents and writings classified at the Secret level about flight and ground operations in Afghanistan. Marshall has held a Top Secret security clearance since approximately 2003 and a Secret security clearance since approximately 2002.

He appears to have been discovered when he took five Cisco switches home. After entering into a cooperation agreement and pleading guilty to one count of 793e, Marshall was (as noted above) sentenced to 41 months in prison. Marshall was released last year.

Outside DOJ, pundits have suggested that Trump’s actions are comparable to those of Sandy Berger, who like Trump stole files that belong to the National Archives and after some years pled guilty to a crime that Trump has since made into a felony, or David Petraeus, who like Trump took home and stored highly classified materials in unsecured locations in his home. Such comparisons reflect the kind of elitist bias that fosters a system in which high profile people believe they are above the laws that get enforced for less powerful people.

But the cases I’ve laid out above — particularly the lesson Pho and Martin offer about how catastrophic it can be when someone brings classified files home and stores them insecurely, no matter their motives — are the background against which career espionage prosecutors at DOJ will be looking at Trump’s actions.

And while Trump allegedly brought home paper documents, rather than the digital files that Russian hackers could steal while sitting in Moscow, that doesn’t make his actions any less negligent. Since he was elected President, Mar-a-Lago became a ripe spying target, resulting in at least one prosecution. And two of the people he is most likely to have granted access to those files, John Solomon and Kash Patel, each pose known security concerns. Trump has done the analog equivalent of what Pho did: bring the crown jewels to a location already targeted by foreign intelligence services and store them in a way that can be easily back-doored. Like Pho, it doesn’t matter what Trump’s motivation for doing so was. Having done it, he made it ridiculously easy for malicious actors to simply come and take the files.

Under Attorneys General Jeff Sessions and Bill Barr, DOJ put renewed focus on prosecuting people who simply bring home large caches of sensitive documents. They did so in the wake of a costly lesson showing that the compromise of insecurely stored files can do as much damage as a high level recruited spy.

It’s a matter of equal justice that Trump be treated with the same gravity with which Martin and Pho and Albury and Hale and Marshall were treated under the Trump Administration, for doing precisely what Donald Trump is alleged to have done (albeit with far fewer and far less sensitive documents). But as the example of Shadow Brokers offers, it’s also a matter of urgent national security.

Twitter Only Had SMS 2FA When Hal Martin’s Twitter Account DMed Kaspersky

In a post late last month, I suggested that the genesis of FBI’s interest in Hal Martin may have stemmed from a panicked misunderstanding of DMs Martin sent.

What appears to have happened is that the FBI totally misunderstood what it was looking at (assuming, as the context seems to suggest, that this is a DM, it would be an account they were already monitoring closely), and panicked, thinking they had to stop Martin before he dropped more NSA files.

Kim Zetter provides the back story — or at least part of one. The FBI didn’t find the DMs on their own. Amazingly, Kaspersky Lab, which the government has spent much of the last four years demonizing, alerted NSA to them.

As Zetter describes, the DMs were cryptic, seemingly breaking in mid-conversation. The second set of DMs referenced the closing scenes of both the 2016 version of Jason Bourne and Inception.

The case unfolded after someone who U.S. prosecutors believe was Martin used an anonymous Twitter account with the name “HAL999999999” to send five cryptic, private messages to two researchers at the Moscow-based security firm. The messages, which POLITICO has obtained, are brief, and the communication ended altogether as abruptly as it began. After each researcher responded to the confusing messages, HAL999999999 blocked their Twitter accounts, preventing them from sending further communication, according to sources.

The first message sent on Aug. 13, 2016, asked for him to arrange a conversation with “Yevgeny” — presumably Kaspersky Lab CEO Eugene Kaspersky, whose given name is Yevgeny Kaspersky. The message didn’t indicate the reason for the conversation or the topic, but a second message following right afterward said, “Shelf life, three weeks,” suggesting the request, or the reason for it, would be relevant for a limited time.

The timing was remarkable — the two messages arrived just 30 minutes before an anonymous group known as Shadow Brokers began dumping classified NSA tools online and announced an auction to sell more of the agency’s stolen code for the price of $1 million Bitcoin. Shadow Brokers, which is believed to be connected to Russian intelligence, said it had stolen the material from an NSA hacking unit that the cybersecurity community has dubbed the Equation Group.

[snip]

The sender’s Twitter handle was not familiar to the Kaspersky recipient, and the account had only 104 followers. But the profile picture showed a silhouette illustration of a man sitting in a chair, his back to the viewer, and a CD-ROM with the word TAO2 on it, using the acronym of the NSA’s Tailored Access Operations. The larger background picture on the profile page showed various guns and military vehicles in silhouette.

The Kaspersky researcher asked the sender, in a reply message, if he had an email address and PGP encryption key they could use to communicate. But instead of responding, the sender blocked the researcher’s account.

Two days later, the same account sent three private messages to a different Kaspersky researcher.

“Still considering it..,” the first message said. When the researcher asked, “What are you considering?” the sender replied: “Understanding of what we are all fighting for … and that goes beyond you and me. Same dilemma as last 10 min of latest Bourne.” Four minutes later he sent the final message: “Actually, this is probably more accurate” and included a link to a YouTube video showing the finale of the film “Inception.”

As it is, it’s an important story. As Zetter lays out, it makes it clear the NSA didn’t — couldn’t — find Martin on its own, and the government kept beating up Kaspersky even after they helped find Martin.

But, especially given the allusions to the two movies, I wonder whether these DMs actually came from Martin at all. There’s good reason to wonder whether they actually come from Shadow Brokers directly.

Certainly, that’d be technically doable, even though court filings suggest Martin had far better operational security than your average target. It would take another 16 months before Twitter offered authenticator-app two-factor authentication. For anyone with the profile of Shadow Brokers, it would be child’s play to break SMS 2FA, assuming Martin used it.

Moreover, the message of the two allusions fits solidly within both the practice of cultural allusions as well as the themes employed by Shadow Brokers made over the course of the operation, allusions that have gotten far too little notice.

Finally, that Kaspersky would get DMs from someone hijacking Martin’s account would be consistent with other parts of the operation. From start to finish, Shadow Brokers used Kaspersky as a foil, just like it used Jake Williams. With Kaspersky, Shadow Brokers repeatedly provided reason to think that the security company had a role in the leak. In both cases, the government clearly chased the chum Shadow Brokers threw out, hunting innocent people as suspects, rather than looking more closely at what the evidence really suggested. And (as Zetter lays out), Martin would be a second case where Kaspersky was implicated in the identification of such chum, the other being Nghia Pho (the example of whom might explain why the government responded to Kaspersky’s help in 2016 with such suspicion).

Mind you, there’s nothing in the public record — not Martin’s letter asking for fully rendered versions of his social media so he could prove the context, and not Richard Bennett’s opinion ruling the warrants based off Kaspersky’s tip were reasonable, even if the premise behind them proved wrong — that suggests Martin is contesting that he sent those DMs. That said, virtually the entire case is sealed, so we wouldn’t know (and the government really wouldn’t want us to know if it were the case).

As Zetter also lays out, Martin had a BDSM profile that might have elicited attention from hostile entities looking for such chum.

A Google search on the Twitter handle found someone using the same Hal999999999 username on a personal ad seeking female sex partners. The anonymous ad, on a site for people interested in bondage and sado-masochism, included a real picture of Martin and identified him as a 6-foot-4-inch 50-year-old male living in Annapolis, Md. A different search led them to a LinkedIn profile for Hal Martin, described as a researcher in Annapolis Junction and “technical advisor and investigator on offensive cyber issues.” The LinkedIn profile didn’t mention the NSA, but said Martin worked as a consultant or contractor “for various cyber related initiatives” across the Defense Department and intelligence community.

And when Kaspersky’s researchers responded to Martin’s DM, he blocked their accounts, suggesting he treated the communications unfavorably (or, if someone had taken over the account, they wanted to limit any back-and-forth, though Martin would presumably have noted that).

After each researcher responded to the confusing messages, HAL999999999 blocked their Twitter accounts, preventing them from sending further communication, according to sources.

Martin’s attorneys claim he has a mental illness that leads him to hoard things, which is the excuse they give for his theft of so many government files. That’s different than suggesting he’d send strangers out-of-context DMs that, at the very least, might make him lose his clearance.

So I’d like to suggest it’s possible that Martin didn’t send those DMs.

Hal Martin Manages to Obtain a Better Legal Outcome than Reality Winner, But It Likely Doesn’t Matter

I’d like to comment on what I understand happened in a Hal Martin order issued earlier this month. In it, Judge Richard Bennett denied two requests from Martin to throw out the warrants for the search of his house and cell site tracking on his location, but granted an effort to throw out his FBI interrogation conducted the day they raided his house.

Hal Martin did not tweet to Shadow Brokers

The filing has received a bit of attention because of a redaction that reveals how the government focused on Martin so quickly: a Tweet (apparently a DM) he had sent hours before the Shadow Brokers files were first dropped on August 13, 2016.

The passage has been taken to suggest that Martin DMed with Shadow Brokers before he published any files.

That’s impossible, for two reasons.

First, it is inconsistent with Shadow Brokers’ known timeline. Shadow Brokers didn’t set up a Twitter account until after the first batch of files were initially posted. And both the Martin warrant — dated August 25 — and the search — which took place the afternoon of August 27 — preceded the next dump from Shadow Brokers on August 28.

But it’s also impossible for how Bennett ruled.

While the underlying motion remains sealed (like virtually everything else in this case), Martin was arguing the warrant used to obtain his Twitter content and later search his house was totally unreasonable under the Fourth Amendment. It’s clear from a letter Martin sent the judge asking for his social media accounts as they actually appeared that he believes the FBI read the content of his Tweet out of context. And the judge actually considered the argument that the search was unreasonable to have merit, and in ruling that the FBI did have substantial basis for the search warrant, conceded that in another context the Tweet would not appear to be so damning.

Significantly, the Fourth Amendment exclusionary rule does not bar the admission of evidence obtained by officers acting in reasonable reliance on a search warrant issued by a magistrate later found to be invalid. United States v. Leon, 468 U.S. 897, 913-14 (1984). The evidence will be suppressed only if (1) the issuing judge was misled by information that the affiant knew or should have known was false, (2) the judge “wholly abandoned” her neutral role, (3) the affidavit was “so lacking in indicia of probable cause as to render official belief in its existence entirely unreasonable,” or (4) the warrant is so facially deficient that no reasonable officer could presume it to be valid. Id. at 923 (citations omitted).

[snip]

In this case, there was a substantial basis for the Magistrate’s finding of probable cause to issue the search warrant for information associated with the Defendant’s Twitter account. See Upton, 466 U.S. at 728. The affidavit provides that the Defendant’s Twitter messages [redacted] in which he requested a meeting [redacted] and stated “shelf life, three weeks” – were sent just hours before what was purported to be stolen government property was advertised and posted on multiple online content-sharing sites, including Twitter. (ECF No. 140-1 ¶¶ 14-23.) Further, and significantly, the affiant averred that the Defendant was a former government contractor who had access to the information that appeared to be what was purported to be stolen government property that was publicly posted on the Internet. (Id. ¶¶ 25-27.) Thus, although the Defendant’s Twitter messages could have had any number of innocuous meanings in another setting, these allegations regarding the context of Defendant’s messages provide a substantial basis for the Magistrate’s conclusion that there was a “fair probability” that evidence of the crime of Theft of Government Property, in violation of 18 U.S.C. § 641, would be found in information associated with the Defendant’s Twitter account. See Gates, 462 U.S. at 238.

You would never see language like this if Martin really were tweeting with Shadow Brokers, particularly not given the timeline (as it would suggest that he knew of Shadow Brokers before he ever posted). The warrant would, in that case, not be a close call at all. Indeed, the language is inconsistent with Martin’s interlocutor having anything to do with Shadow Brokers.

What appears to have happened is that the FBI totally misunderstood what it was looking at (assuming, as the context seems to suggest, that this is a DM, it would be an account they were already monitoring closely), and panicked, thinking they had to stop Martin before he dropped more NSA files.

Hal Martin got a similar FBI interrogation to Reality Winner’s thrown out

The sheer extent of FBI’s panic is probably what made Martin’s effort to get his FBI interrogation thrown out more successful than Reality Winner’s effort.

Their interrogations were similar. Ten FBI Agents came to Winner’s house, whereas nine SWAT team members, plus eight other FBI Agents, and a few Maryland State Troopers came to Martin’s. In both cases, the FBI segregated the NSA contractors in their home while Agents conducted a search. In Winner’s case, they also segregated her from her pets. In Martin’s case, they segregated him from his partner, Deborah Shaw, and when they did finally let him talk to her, they told Martin “you can’t touch her or any of that stuff.” When the NSA contractors wanted to get something from another part of their home, the FBI accompanied them.

Aside from the even greater number of FBI Agents and that Martin had a partner to be separated from, the biggest difference in Martin’s case is that they set off a flash-bang device to disorient Martin, and the FBI originally put him face down on the ground and handcuffed him. Those factors, Bennett judged, meant it was reasonable for Martin to believe he was under arrest, and therefore the FBI should have given him a Miranda warning.

That is, on the afternoon of the interrogation, approximately 17-20 law enforcement officers swarmed the Defendant’s property. The Defendant was initially approached by nine armed SWAT agents, handcuffed, and forced to lay on the ground. During the four-hour interrogation, the Defendant was isolated from his partner, his freedom of movement was significantly restricted, and he was confronted with incriminating evidence discovered on his property. In this police dominated environment, a reasonable person in the Defendant’s position would have believed he was not free to leave, notwithstanding the agents’ statements to the contrary.

So unlike Winner, Martin will have his interrogation (in which he admitted to taking files home from his job as a contractor and explained how he did so) thrown out.

But it probably won’t matter.

As a reminder, the FBI charged Martin with taking home 20 highly classified files in February 2017, but they included no allegation that he (willfully) served as a source for Shadow Brokers. It’s possible they know he was an inadvertent source for Shadow Brokers (unlike Nghia Pho, who was likely also a source for Shadow Brokers, they charged Martin for 20 files, larding on the legal exposure; they charged Pho with taking home just one file, while getting him to admit that he could have been charged for each individually). But an earlier opinion in this case ruled that the government only has to prove that by taking hoards of files from his employers that included National Defense Information, he knowingly possessed the ones he got charged for.

In any case, Martin has already been in jail for 28 months, almost half the amount of time that Pho will serve for doing the same thing, and his trial is not due to start until June 17, a full 34 months after he was arrested. As with Winner, the delay stems from the Classified Information Protection Act process, which ensures that — once the government successfully argues that the secrets in your head make it impossible to release you on bail for fear a foreign intelligence agency will steal those secrets — you serve the equivalent of a sentence before the government even has to prove your guilt.

Again, it may be that Martin unwittingly served as a source for Shadow Brokers. But if he didn’t, then the heavy hand they’re taking with him appears to stem from sheer embarrassment at fucking up with the initial panicked pursuit of him.

Update: Corrected the post to reflect that the search actually preceded the August 28 dump.

The Two Legitimacy Problems with the Nghia Pho Sentence

Nghia Pho was sentenced to 5 years and 6 months yesterday. He is presumed to have been one of the sources for the files released by Shadow Brokers (though I have been told he couldn’t be the sole source).

The government had asked for 8 years, just a month short of the top of the guidelines for the crime to which he pled guilty (though the government could have charged him much more aggressively and gotten far more time). In sentencing Pho, however, Judge George Russell seemed persuaded by Pho attorney Robert Bonsib’s point that David Petraeus did no jail time for what actually would have been a worse offense had he also been charged with sharing with his mistress the code word intelligence he mishandled and then lying about both to the FBI, as well as if the government admitted that the information Petraeus shared actually did show up in Paula Broadwell’s hagiography of the general.

Russell seemed particularly perturbed that former CIA Director David Petraeus managed to get probation after admitting he kept highly classified information in his home without permission, shared it with his girlfriend and lied to investigators.

“Did he do one day in prison?” the clearly frustrated judge asked. “Not one day. … What happened there? I don’t know. The powerful win over the powerless? … The people at the top can, like, do whatever they want to do and walk away.”

Admittedly, the unstated presumption that Pho’s mishandling of NSA’s hacking tools led first to their leak and then to the downstream malware attacks tied to them seems to justify the government’s call for a harsh sentence, and it is reflected in statements from both Russell and the prosecutor.

Russell called Pho’s actions “extraordinarily serious.” He also rejected claims that it was an isolated mistake, noting that Pho took the top-secret material to his home for years.

[snip]

Little was said at Tuesday’s hearing about what information may have escaped Pho’s control or where it wound up, although Windom used very strong language about the impact of Pho’s actions, calling it “devastating.”

And it also explains the language of Pho’s remorse — denying the things that might have been suspected about the release.

“I admit it but I do not betray the U.S.A.,” the white-haired, glasses-wearing engineer said in broken English. “I do not betray this country. … I do not send anything to anybody or on the internet. I do not make profit on this information. … I cannot damage this country.”

It also might explain the terms of the plea agreement, one part of which remains sealed.

There’s something that remains unexplained, however — or at least not credibly explained. Pho continues to claim that he brought the NSA’s hacking tools home because he needed them to write his Employee Performance Assessments. (h/t Josh Gerstein for obtaining the documents)

I need extra times and information about what I worked on, cut and paste, to create a good EPA at home and hope that I will have a chance to be promoted this time hence I received a good high-three average salaries before I go to the retirement in next four years (2019) when my clearance will be expired.

I was devoted to EPA promotion, encircle by EPA/promotion and the last high-three salaries that made me blind to violate the security policy of the Agency.

But as the government noted in their sentencing memo, this was not a one-off in advance of writing a yearly EPA. Rather, Pho continued doing this over the course of five years, and did so with materials unrelated to his work.

For a period of at least five years, the defendant removed Top Secret and Sensitive Compartmented Information (“SCI”) from secure space at the National Security Agency (“NSA”) and retained it in his home–an unsecure residence.

[snip]

This assertion [that he did this solely for EPAs] is belied by the facts. The defendant did not take home and retain classified information consistently for five years to work on an annual performance review. This argument especially does not apply to the classified material found in his home that was unrelated to his work or any personnel evaluation. [citations removed]

The government also notes that Pho knew better than to load these materials onto his computer (as a guy who coded malware, that should be all the more true).

The defendant claims that he stored massive troves of classified information at his home without the intention of placing national security at risk. The defendant goes so far as to say, directly, that he “did handle the information with care.” His actions speak to his intentions, and the facts do not support his contentions. For years, the defendant received training on how and where to store classified information and on why such precautions were critical to protecting national security. The defendant well knew that the mere removal of classified information from secure spaces, in itself, could endanger national security, and that retaining classified information in an unsecure location compounded this danger. Indeed, in his plea agreement, the defendant admitted that his extensive training informed him that “unauthorized removal of classified materials and transportation and storage of those materials in unauthorized locations risked disclosure and transmission of those materials, and therefore could endanger the national security of the United States and the safety of its citizens.”

This is a point that Admiral Rogers repeated in his (March 5) letter on the sentencing.

Mind you, even a year after Pho was discovered, it was still possible for even a translator to stick thumb drives into Top Secret computers at Fort Meade, as evidenced by Reality Winner’s actions (actions that were not charged). In the same way that Pho knew well that putting hacking tools on a computer attached to the Internet would be colossally stupid, the government itself has known the risks of leaving computers accessible to removable media since before Chelsea Manning’s leaks. They’re not exactly in a position to lecture.

That said, there’s something that still doesn’t add up about this and Pho’s claimed motive for it, which may be why, when this story first broke, three different theories for why he brought the files home got leaked to the press. Maybe it was just ego fed by resentment that he (as reported in his letter) wasn’t getting promotions at the same rate as his colleagues, which doesn’t make for a very good excuse for having exposed the NSA’s crown jewels.