[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

18 USC 793e in the Time of Shadow Brokers and Donald Trump

Late last year, a Foreign Affairs article by former Principal Deputy Director of National Intelligence Sue Gordon and former DOD Chief of Staff Eric Rosenbach asserted that the files leaked in 2016 and 2017 by Shadow Brokers came from two NSA officers who brought the files home from work.

In two separate incidents, employees of an NSA unit that was then known as the Office of Tailored Access Operations—an outfit that conducts the agency’s most sensitive cybersurveillance operations—removed extremely powerful tools from top-secret NSA networks and, incredibly, took them home. Eventually, the Shadow Brokers—a mysterious hacking group with ties to Russian intelligence services—got their hands on some of the NSA tools and released them on the Internet. As one former TAO employee told The Washington Post, these were “the keys to the kingdom”—digital tools that would “undermine the security of a lot of major government and corporate networks both here and abroad.”

One such tool, known as “EternalBlue,” got into the wrong hands and has been used to unleash a scourge of ransomware attacks—in which hackers paralyze computer systems until their demands are met—that will plague the world for years to come. Two of the most destructive cyberattacks in history made use of tools that were based on EternalBlue: the so-called WannaCry attack, launched by North Korea in 2017, which caused major disruptions at the British National Health Service for at least a week, and the NotPetya attack, carried out that same year by Russian-backed operatives, which resulted in more than $10 billion in damage to the global economy and caused weeks of delays at the world’s largest shipping company, Maersk. [my emphasis]

That statement certainly doesn’t amount to official confirmation that that’s where the files came from (and I’ve been told that the scope of the files released by Shadow Brokers would have required at least one more source). But the piece is as close as anyone with direct knowledge of the matter — as Gordon would have had from the aftermath — has come to confirming on the record what several strands of reporting had laid out in 2016 and 2017: that the NSA files that were leaked and then redeployed in two devastating global cyberattacks came from two guys who brought highly classified files home from the NSA.

The two men in question, Nghia Pho and Hal Martin, were prosecuted under 18 USC 793e, likely the same part of the Espionage Act under which the former President is being investigated. Pho (who was prosecuted by Thomas Windom, one of the prosecutors currently leading the fake elector investigation) pled guilty in 2017 and was sentenced to 66 months in prison; he is processing through re-entry for release next month. Martin pled guilty in 2019 and was sentenced to 108 months in prison.

The government never formally claimed that either man caused hostile powers to obtain these files, much less voluntarily gave them to foreign actors. Yet it used 793e to hold them accountable for the damage their negligence caused.

There has never been any explanation of how the files from Martin would have gotten to the still unidentified entity that released them.

But there is part of an explanation for how files from Pho got stolen. WSJ reported in 2017 that the Kaspersky Anti-Virus software Pho was running on his home computer led the Russian security firm to discover that Pho had the NSA’s hacking tools on the machine. Somehow (the implication is that Kaspersky alerted the Russian government) that discovery led Russian hackers to subsequently target Pho’s computer and steal the files. In response to the WSJ report, Kaspersky issued its own report (here’s a summary from Kim Zetter). It acknowledged that Kaspersky AV had pulled in NSA tools after triggering on a known indicator of NSA compromise (the report claimed, and you can choose to believe that or not, that Kaspersky had deleted the most interesting parts of the files obtained). But it also revealed that in that same period, Pho had briefly disabled his Kaspersky AV and downloaded a pirated copy of Microsoft Office, which led to at least one backdoor being loaded onto his computer, via which hostile actors would have been able to steal the NSA’s crown jewels.

Whichever version of the story you believe, both confirm that Kaspersky AV provided a way to identify a computer storing known NSA hacking tools, which then led Pho — someone of sufficient seniority to be profiled by foreign intelligence services — to be targeted for compromise. Pho didn’t have to give the files he brought home from work to Russia and other malicious foreign entities. Merely by loading them onto his inadequately protected computer and doing a couple of other irresponsible things, he made the files available to be stolen and then used in one of the most devastating information operations in history. Pho’s own inconsistent motives didn’t matter; what mattered was that actions he took made it easy for malicious actors to pull off the kind of spying coup that normally takes recruiting a high-placed spy like Robert Hanssen or Aldrich Ames.

In the aftermath of the Shadow Brokers investigation, the government’s counterintelligence investigators may have begun to place more weight on the gravity of merely bringing home sensitive files, independent of any decision to share them with journalists or spies.

Consider the case of Terry Albury, the FBI Agent who shared a number of files on the FBI’s targeting of Muslims with The Intercept. As part of a plea agreement, the government charged Albury with two counts of 793e, one for a document about FBI informants that was ultimately published by The Intercept, and another (about an online terrorist recruiting platform) that Albury merely brought home. The government’s sentencing memo described the import of files he brought home but did not share with The Intercept this way:

The charged retention document relates to the online recruitment efforts of a terrorist organization. The defense asserts that Albury photographed materials “to the extent they impacted domestic counter-terrorism policy.” (Defense Pos. at 37). This, however, ignores the fact that he also took documents relating to global counterintelligence threats and force protection, as well as many documents that implicated particularly sensitive Foreign Intelligence Surveillance Act collection. The retention of these materials is particularly egregious because Albury’s pattern of behavior indicates that had the FBI not disrupted Albury and the threat he posed to our country’s safety and national security, his actions would have placed those materials in the public domain for consumption by anyone, foreign or domestic.

And in a declaration accompanying Albury’s sentencing, Bill Priestap raised the concern that by loading some of the files onto an Internet-accessible computer, Albury could have made them available to entities he had no intention of sharing them with.

The defendant had placed certain of these materials on a personal computing device that connects to the Internet, which creates additional concerns that the information has been or will be transmitted or acquired by individuals or groups not entitled to receive it.

This is the scenario that, one year earlier, was publicly offered as an explanation for the theft of the files behind The Shadow Brokers; someone brought sensitive files home and, without intending to, made them potentially available to foreign hackers or spies.

Albury was sentenced to four years in prison for bringing home 58 documents, of which 35 were classified Secret, and sending 25 documents, of which 16 were classified Secret, to the Intercept.

Then there’s the case of Daniel Hale, another Intercept source. Two years after the Shadow Brokers leaks (and five years after his leaks), he was charged with five counts of taking and sharing classified documents, including two counts of 793e tied to 11 documents he took and shared with the Intercept. Three of the documents published by The Intercept were classified Top Secret.

Hale pled guilty last year, just short of trial. As part of his sentencing process, the government argued that the baseline for his punishment should start from the punishments meted to those convicted solely of retaining National Defense Information. It tied Hale’s case to those of Martin and Pho explicitly.

Missing from Hale’s analysis are § 793 cases in which defendants received a Guidelines sentence for merely retaining national defense information. See, e.g., United States v. Ford, 288 F. App’x 54, 61 (4th Cir. 2008) (affirming 72-month sentence for retention of materials classified as Top Secret); United States v. Martin, 1:17-cr-69-RDB) (D. Md. 2019) (nine-year sentence for unlawful retention of Top Secret information); United States v. Pho, 1:17-cr-00631 (D. Md. 2018) (66-month sentence for unlawful retention of materials classified as Top Secret). See also United States v. Marshall, 3:17-cr-1 (S.D. TX 2018) (41-month sentence for unlawful retention of materials classified at the Secret level); United States v. Mehalba, 03-cr-10343-DPW (D. Ma. 2005) (20-month sentence in connection with plea for unlawful retention – not transmission – in violation of 793(e) and two counts of violating 18 U.S.C. 1001; court departed downward due to mental health of defendant).

Hale is more culpable than these defendants because he did not simply retain the classified documents, but he provided them to the Reporter knowing and intending that the documents would be published and made available to the world. The potential harm associated with Hale’s conduct is far more serious than mere retention, and therefore calls for a more significant sentence. [my emphasis]

Even in spite of a moving explanation for his actions, Hale was sentenced to 44 months in prison. Hale still has almost two years left on his sentence in Marion prison.

That focus on other retention cases from the Hale filing was among the most prominent national references to yet another case of someone prosecuted during the Trump Administration for taking classified files home from work, that of Weldon Marshall. Over the course of years of service in the Navy and then as a contractor in Afghanistan, Marshall shipped hard drives of classified materials home.

From the early 2000s, Marshall unlawfully retained classified items he obtained while serving in the U.S. Navy and while working for a military contractor. Marshall served in the U.S. Navy from approximately January 1999 to January 2004, during which time he had access to highly sensitive classified material, including documents describing U.S. nuclear command, control and communications. Those classified documents, including other highly sensitive documents classified at the Secret level, were downloaded onto a compact disc labeled “My Secret TACAMO Stuff.” He later unlawfully stored the compact disc in a house he owned in Liverpool, Texas. After he left the Navy, until his arrest in January 2017, Marshall worked for various companies that had contracts with the U.S. Department of Defense. While employed with these companies, Marshall provided information technology services on military bases in Afghanistan where he also had access to classified material. During his employment overseas, and particularly while he was located in Afghanistan, Marshall shipped hard drives to his Liverpool home. The hard drives contained documents and writings classified at the Secret level about flight and ground operations in Afghanistan. Marshall has held a Top Secret security clearance since approximately 2003 and a Secret security clearance since approximately 2002.

He appears to have been discovered when he took five Cisco switches home. After entering into a cooperation agreement and pleading guilty to one count of 793e, Marshall was (as noted above) sentenced to 41 months in prison. Marshall was released last year.

Outside DOJ, pundits have suggested that Trump’s actions are comparable to those of Sandy Berger, who like Trump stole files that belong to the National Archives and after some years pled guilty to a crime that Trump has since made into a felony, or David Petraeus, who like Trump took home and stored highly classified materials in unsecured locations in his home. Such comparisons reflect the kind of elitist bias that fosters a system in which high profile people believe they are above the laws that get enforced for less powerful people.

But the cases I’ve laid out above — particularly the lesson Pho and Martin offer about how catastrophic it can be when someone brings classified files home and stores them insecurely, no matter their motives — are the background against which career espionage prosecutors at DOJ will be looking at Trump’s actions.

And while Trump allegedly brought home paper documents, rather than the digital files that Russian hackers could steal while sitting in Moscow, that doesn’t make his actions any less negligent. Since he was elected President, Mar-a-Lago has been a ripe spying target, resulting in at least one prosecution. And two of the people he is most likely to have granted access to those files, John Solomon and Kash Patel, each pose known security concerns. Trump has done the analog equivalent of what Pho did: bring the crown jewels to a location already targeted by foreign intelligence services and store them in a way that can be easily back-doored. As with Pho, it doesn’t matter what Trump’s motivation for doing so was. Having done it, he made it ridiculously easy for malicious actors to simply come and take the files.

Under Attorneys General Jeff Sessions and Bill Barr, DOJ put renewed focus on prosecuting people who simply bring home large caches of sensitive documents. They did so in the wake of a costly lesson showing that the compromise of insecurely stored files can do as much damage as a high level recruited spy.

It’s a matter of equal justice that Trump be treated with the same gravity with which Martin and Pho and Albury and Hale and Marshall were treated under the Trump Administration, for doing precisely what Donald Trump is alleged to have done (albeit with far fewer and far less sensitive documents). But as the example of Shadow Brokers shows, it’s also a matter of urgent national security.

Mike Flynn Seizes the Rope to Hang Himself With: Probation for Petraeus

The government and Mike Flynn submitted several motions today:

Eventually, I’ll hit them all in this post. But for now, I’m going to address just the government reply to Flynn’s sentencing memo, because I read it very very differently than virtually everyone who has read it.

A number of people are shocked by what seems to be the government’s deference to Mike Flynn in the memo, particularly their recommendation for a guidelines sentence — which might include probation. It’s true, the memo mentions probation over and over.

As set forth below, the government maintains that a sentence within the Guidelines range – to include a sentence of probation – would be appropriate and warranted in this case.

[snip]

Here, the applicable Guidelines range already encompasses a potential penalty of probation and there is no lower possible penalty for the offense of conviction.

[snip]

Based on all of the relevant facts and for the foregoing reasons, the government submits that a sentence within the Guidelines range of 0 to 6 months of incarceration is appropriate and warranted in this case, agrees with the defendant that a sentence of probation is a reasonable sentence and does not oppose the imposition of a sentence of probation.

The memo then goes on to nod to the issues Flynn raised. It acknowledges, then rebuts, Flynn’s complaints about what he claims is the government asking him to lie about FARA. But, the government notes, regardless of who is right, it wouldn’t change the guidelines sentence.

Importantly, regardless of whether or not the Court considers the defendant’s FARA false statements in fashioning its sentence, the applicable Guidelines range is still 0 to 6 months of incarceration.

It notes Flynn’s apparent backtracking on acknowledgement of responsibility. But, the government notes, regardless of who is right, it wouldn’t change the guidelines sentence.

But again, this makes no difference to the applicable Guidelines range – a two-level reduction in his base offense level would still result in a range of 0 to 6 months of incarceration.

Thus far, the government is doing precisely what it did in its own sentencing memo, emphasizing that the government position has not changed. It asked for a guidelines sentence in December 2018, it asked for a guidelines sentence earlier this month, and it is recommending a guidelines sentence here. Anything outside those guidelines is Judge Emmet Sullivan’s decision.

Where the memo is absolutely fucking genius, though, is where it addresses Flynn’s emphasis that because he was a General forever, he should get probation. Every memo Flynn has submitted of late has basically argued that because he gave his life to the country, he should get special treatment.

As the government notes, in the very last words of their memo, that has happened in the past.

In terms of comparative sentences in cases involving arguably similarly-situated defendants, we note that there are several cases involving high-ranking government officials where probationary sentences were imposed. Former National Security Advisor Sandy Berger stole classified information from the National Archives, destroyed that information, and then lied to the government about his conduct. At the government’s recommendation, based in part on Berger’s cooperation with the government, he received a probationary sentence. See Gov’t Sent’g Mem. at 9, United States v. Berger, No. 05-mj-00175 (D.D.C. Sept 6. 2005) (Doc. 13); see also Factual Basis for Plea (D.D.C. Apr. 1, 2005) (Doc. 6). Likewise, after General David Petraeus pleaded guilty to the unauthorized retention and removal of classified documents, in violation of 18 U.S.C. § 1924, he received a probationary sentence. United States v. Petraeus, No. 15-cr-47 (W.D.N.C.). Here, the Court should consider these and other arguably analogous cases, along with all of the other relevant facts in this case, in fashioning a sentence that is “sufficient but not greater than necessary” to satisfy the statutory sentencing requirements under Title 18, United States Code, Section 3553(a).

Boy oh boy do these prosecutors look reasonable, huh, noting that powerful people sometimes get probation for things the little people go to prison for.

Except we know how Emmet Sullivan feels about Generals who think they should get special treatment because they’re high-ranking Generals, because he said so explicitly when Rob Kelner raised David Petraeus back in December 2018.

MR. KELNER: In addition, I would note there have been other high profile cases, one involving a four-star general, General Petraeus.

THE COURT: I don’t agree with that plea agreement, but don’t —

[snip]

THE COURT: All right. Let me just say this. I probably shouldn’t. Having said that, I probably shouldn’t. I don’t agree with the Petraeus sentence. I’m sorry. I don’t see how a four-star general gives classified information to someone not authorized to receive it and then is allowed to plead to a misdemeanor, but I don’t know anything about it. Maybe there were extenuating circumstances. I don’t know. It’s none of my business, but it’s just my opinion.

And that has no impact — I would not take that into consideration in whatever sentence I impose here. Just based upon what I know about that case, I just disagreed with it. That’s all.

Yes, the prosecutors look totally docile in this memo. They’re disputing Flynn’s point, but ultimately they’re recommending the same thing they’ve always recommended, a guidelines sentence. They’re doing that because it inoculates them against any claim that their decision not to have Flynn testify affected his sentence, and they’re doing so to make clear that what Flynn is doing, in requesting to blow everything up, he’s doing even though the same guidelines sentence remains on the table. What comes next will be entirely his own fault.

And, yes, they mention probation, just like Flynn did. But in doing so, they almost certainly did so in a way that only exacerbates Sullivan’s innate disgust with powerful people who ask for special treatment.

Shorter the Neocons: Let Our General Go!

Neocon scribes Eli Lake and Josh Rogin published a piece asserting that the man whose COIN theories failed in 3 different war theaters is making a comeback undermined only by his extramarital affair.

By all outward appearances, David Petraeus appears to be mounting a comeback. The former general landed a job at powerhouse private-equity firm KKR, has academic perches at Harvard and the University of Southern California and, according to White House sources, was even asked by the President Barack Obama’s administration for advice on the fight against Islamic State. Yet it turns out that the extramarital affair that forced him to resign as director of the Central Intelligence Agency is still hanging over him.

Yet that’s not actually what their article describes. Instead, it explores why it is that the FBI investigation into David Petraeus for leaking information to his mistress, not fucking her, is ongoing.

Curiously, these two journalists exhibit no shred of curiosity about why the GOP Congress continues to investigate the Benghazi attack, an investigation that started exactly contemporaneously with the Petraeus leak investigation — or, for that matter, why all the investigations have avoided questions about Petraeus’ training failures in Libya.

Instead, they see in this particular 2 year counterintelligence investigation a conspiracy to silence the fine General.

[Retired General Jack] Keane questions whether the Petraeus FBI probe lasting this long may be driven by something other than a desire to investigate a potential crime. “It makes you wonder if there is another motivation to drag an investigation out this long,” he said.

[snip]

Petraeus allies both inside and outside the U.S. intelligence community and the military express a concern that goes beyond a criminal probe: that the investigation has caused Petraeus to trim his sails — that one of the most informed and experienced voices on combating terrorism and Islamic extremism is afraid to say what he really thinks, a sharp juxtaposition to Bob Gates and Leon Panetta, two former defense secretaries who have not been shy about criticizing Obama’s national security team.

[snip]

But what does seem surprising, to many who know and have worked with him, is that the views he has been expressing are so at odds with what he has said and implied in the past.

For example, when Petraeus was inside Obama’s administration in his first term, he advocated for more troops inside Afghanistan and made the case for arming Syrian moderate forces. But when asked this summer about that effort, Petraeus demurred and focused on Obama’s new $500 million initiative in 2014 to train Syrian rebels. “I strongly support what’s being done now,” he said. “Half a billion dollars is a substantial amount of resourcing to train and equip.”

Petraeus’s rhetoric on Iraq and Syria differs sharply not only from his past positions, but from that of many retired generals of his generation and of his biggest supporters.

To support their conspiracy theory, they not only cite noted leaker Pete Hoekstra, but Lake and Rogin ignore a whole load of other details, such as how long leak investigations normally take. Even the investigation into and punishment of Sandy Berger — which they cite — took 18 months from leak to guilty plea, plus another two years until he relinquished his license. The investigation into Donald Sachtleben — or rather, the UndieBomb 2.0 leak that Sachtleben was singularly held responsible for — took 15 months, even with his computer in custody and Sachtleben on bond most of that time. John Kiriakou was charged almost 4 years after his leaks, and two after Pat Fitzgerald was appointed to find a head for the CIA. Thomas Drake was indicted over 4 years after the investigation into Stellar Wind leaks started and almost 3 years after the FBI raided the homes of those associated with Drake’s whistleblowing. Jeffrey Sterling was indicted 7 years after FBI first started looking into leaks to James Risen.

Leak investigations can take a long time. That’s not a good thing, as they leave the targets of those investigations in limbo through that entire time. Petraeus is, comparatively, doing better than most of the others I named above. Indeed, in paragraph 7, Lake and Rogin reveal that Petraeus, in fact, has gotten preferential treatment, in that his security clearance hasn’t been stripped.

To wit: Petraeus is ostensibly being investigated for mishandling classified material and yet he retains his security clearance.

Even Hoss Cartwright had his security clearance stripped for allegedly leaking details of StuxNet to the press. Heck, based on this detail, one has just as much evidence to support a counter-conspiracy theory that Petraeus is getting lax treatment because he’s got damning information on Obama (not one I’m adopting, mind you, but it does illustrate what one can do with an absence of evidence).

If warmongers like Jack Keane want to make drawn out leak investigations a cause, they would do well to make it a principle, not a singular conspiracy theory used to explain why David Petraeus isn’t being more critical of Obama’s efforts not to escalate into another failed counterinsurgency.

Is it possible, after all, that Petraeus is silent because he realizes what a hash he has made of the Middle East?

The National Security Advisor Exception Under the Espionage Act

When the FBI found sensitive — though it turned out, unclassified — documents in Thomas Drake’s basement, he was charged under the Espionage Act. When the Army found hundreds of thousands of classified — but not Top Secret — cables on Bradley Manning’s computer, they charged him with Espionage and Aiding the Enemy.

But when the FBI found Top Secret documents on Sudan — our actual enemy, if sanctions count — in Reagan National Security Advisor Robert McFarlane’s basement, it decided to investigate him for illegal lobbying.

The FBI has searched the apartment of former Reagan administration national security adviser Robert McFarlane for evidence of whether he lobbied for the government of Sudan, in violation of federal law.

The search warrant is on file in federal district court in Washington. It shows agents seized items this month including handwritten notes about Sudan and White House documents with classifications up to Top Secret.

From this I can only assume that McFarlane is being subjected to the same double standard that Clinton’s National Security Advisor Sandy Berger was (represented, it should be noted, by former Criminal Division chief Lanny Breuer), when he snuck 9/11 related documents out of the Archives, yet only pled guilty to a misdemeanor.

When National Security Advisors take top secret documents, they’re called lobbyists, not spies.

I can’t wait to find out what Condi Rice will be called if she’s ever caught with sensitive documents in her basement.