Analyst Who Accidentally Leaked NSA Software Given Five More Years In Prison Than General Who Handed Classified Info To His Mistress

from the 'somebodies'-score-another-win-over-the-'nobodies' dept

An NSA employee will be headed to prison for inadvertently exposing the agency’s malware stash.

Nghia Hoang Pho, 68, of Ellicott City, Maryland, and a naturalized U.S. citizen originally of Vietnam, was sentenced today to 66 months in prison, to be followed by three years of supervised release, for willful retention of classified national defense information. According to court documents, Pho removed massive troves of highly classified national defense information without authorization and kept it at his home.

Pho’s leaks were different than other NSA leaks. First reported last year by a couple of press outlets, the NSA TAO (Tailored Access Operations) tools were exposed to the outside world by anti-virus software , which correctly labeled it as malware. These malware samples drew the attention of hackers who then targeted Pho’s laptop to exfiltrate NSA hacking tools. The NSA exploits and malware made their way into the public domain, kicking off a crippling wave of ransomware that has since been repurposed to mine for cryptocurrency on infected computers.

The DOJ’s press release has a lot to say about the seriousness of the offense and the seriousness of the FBI in tracking down government employees who carelessly handle classified code. In particular, it offers up this self-serving garbage to justify locking someone up for taking their work home with them.

“Pho’s intentional, reckless and illegal retention of highly classified information over the course of almost five years placed at risk our intelligence community’s capabilities and methods, rendering some of them unusable,” said Assistant Attorney General Demers. “Today’s sentence reaffirms the expectations that the government places on those who have sworn to safeguard our nation’s secrets. I would like to thank the agents, analysts and prosecutors whose hard work brought this result.

This sentence does nothing of the sort. To those not closely watching these things (i.e., people who’d never read this press release in the first place), it may seem like the DOJ is serving up justice. But for those of us who’ve seen certain people — like General Petraeus — mishandle classified info in a much more egregious fashion (giving his mistress, and biographer, access to top secret info) and walk away from it pretty much unscathed, this statement from the DOJ is not just hollow. It’s hypocritical.

Even the judge handling the case saw through the DOJ’s double standard. Josh Gerstein of Politico reports the judge had plenty to say about the DOJ’s prosecutorial efforts, especially in light of the fact Pho never directly gave anyone else access to the NSA’s classified hacking stash.

[O]ne of the most striking aspects of Tuesday’s sentencing was [Judge George] Russell’s lament that top government officials seem to have escaped with little more than a slap on the wrist for engaging in similar behavior.

Russell seemed particularly perturbed that former CIA Director David Petraeus managed to get probation after admitting he kept highly classified information in his home without permission, shared it with his girlfriend and lied to investigators.

“Did he do one day in prison?” the clearly frustrated judge asked. “Not one day. … What happened there? I don’t know. The powerful win over the powerless? … The people at the top can, like, do whatever they want to do and walk away.”

It’s nice to hear this from a judge, even if there’s nothing the judge can actually do about it. Russell could only sentence Pho, not clawback Petraeus’ unearned freedom and post-conviction cakewalk. Judge Russell might be less willing to help the government apply its sentencing double standard in the future, but his statements to the DOJ have probably only assured the agency will try to steer clear of his court in the future.

Filed Under: , , , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Analyst Who Accidentally Leaked NSA Software Given Five More Years In Prison Than General Who Handed Classified Info To His Mistress”

Subscribe: RSS Leave a comment
33 Comments
ShadowNinja (profile) says:

So… moral of the story… never use anti-virus if you work for the NSA? Meaning you’ll potentially be at the mercy of a ton of malware…?

Like seriously, try to blame it on Russia as much as you want for which anti-virus it was, but at the end of the day can’t any competent anti-virus have done the same thing?

Seems this basically puts NSA employees in a lose-lose situation. If you thought they had trouble finding people willing to work for them before, imagine how bad it is now.

Anonymous Coward says:

Re: Re: Re:

Exactly right. Government laws and regulations specifically prohibit the transfer of classified information onto unauthorized devices or computers.

It’s also supposed to be kept in controlled facilities, not lugged home. What got Pho into trouble is that he violated all that, copying stuff onto his personal laptop and taking it home with him.

Instead, Pho violated all this and lugged it home, working on it outside the controlled environment, against regulation and the law. And he did it for years, not just once. His actions exposed it, albeit unexpectedly, because of the anti-virus software, but if he hadn’t taken it home on personal equipment, he wouldn’t have had that problem.

Tim Cushing ignores all of this and makes it out as if it’s okay to haul classified data around when it’s not. And he ignores that the sentencing is for the years of mishandling data. More years than Patreus, but I would have argued that Patreus and others also deserve equivalently harsh sentences, given their level of responsibility.

bob stewart says:

Re: Re: Re: So what do we do about certain others

Yep he done wrong, as did the sailor that had photos of the inside of a nuke sub on his phone. In this case the judge mentions the general and his mistress. But the elephant in the room is Hilary Clinton with her 30k emails on her closet server. Reportedly real time copies were being sent to Beijing. Apparently she can not be prosecuted because of her last name exemption.

bob says:

Re: Re:

Unfortunately the general public aren’t recognizing the smell because the stench has been around so long people have become accustomed to it.

Every now again someone will detect a fresh batch of crap being served but it becomes hard to differentiate when what you are served is always brown and usually has an off putting small anyway. So most are content to accept the government’s dropping because it takes too much work to test everything.

Hopefully you weren’t eating while reading that.

Anonymous Coward says:

Re: Re:

The general public doesn’t even know who General Petraeus and Nghia Hoang Pho is. The general public often avoids watching the news entirely, and those that do are often only peripherally aware of criminal justice issues and come predisposed to personal biases of either “Law and Order” guilty till proven innocent, or “The Man Won AGAIN” innocent because it’s all a Conspiracy against the People.

If people were “waking up” to “smell the bullshit” we’d see considerable changes to local budgets to fund crime labs, public defender offices, banning extrajudicial civil forfeiture, and reigning in of abuses by LEO and DA offices of civil rights abuses and tightening ethics rules over “trying defendants in the press”, plus a push to make double jeopardy apply to both civil and criminal law. This isn’t happening.

The People basically don’t care about Issues till they get caught in the meat grinder those Issues create. By then it’s way too late. I’ve seen this plenty of times in my personal life to friends or friends of the family rather than myself.

Anonymous Coward says:

How'd they find the laptop?

These malware samples drew the attention of hackers who then targeted Pho’s laptop to exfiltrate NSA hacking tools.

There’s an unexplained leap here. Pho’s laptop uploads software to Kaspersky, then somehow this "draws attention" of people who track it back to him. Is the Kaspersky database public, and how would anyone figure out who sent it data? Seems like it would have to be an inside job, either someone working for Kaspersky (hacking into infected machines on the side, or selling/leaking data about them) or someone who first hacked into Kaspersky.

Virus data collection systems are obviously going to be major hacking/bribery targets. It seems reckless to write antivirus software that uploads stuff non-anonymously.

Will B. says:

To a degree, I blame the judge here.

After all, the legal system relies on precedent to clarify law, and General Petraeus set a loud-and-clear precedent that the proper sentencing for blatant mishandling of classified information is probation and a slap on the wrist. The judge was cognizant enough of that to comment frustratedly on that… but not brave or disruptive enough to cite it as precedent to avoid giving a man guilty of a significantly lesser crime a significantly harsher penalty? He can moan about the power structure all he wants, but he’s still playing into it.

Hugo S Cunningham (profile) says:

Re: To a degree, I blame the judge here.

What Pho did caused vastly more damage than what Petraeus did.

It is made quite clear to new employees the importance of following strict procedures on safeguarding classified information. It is explained, among other things, that jury-rigged home systems are more likely to have security holes than carefully designed government workplaces.

As for Petraeus’s poor judgement, I would cut him some slack on grounds of “combat fatigue.” For months he had been at the center of an intense battle, saving hundreds of thousands of lives by breaking a murderous insurgency among Iraqi Sunnis. A society that cannot figure out how to protect its heroes does not deserve to be protected itself.

That One Guy (profile) says:

Re: Re: Yeah, no...

If Pho caused more damage it’s because the NSA had, and kept, a treasure trove of extremely dangerous tools around that got out into the wild thanks to his poor judgement in taking a copy of that home. Stupid to be sure, but hardly deliberate or done in malice.

As for Patraeus’ getting a pass because of ‘combat fatigue’, no, not even remotely. Here’s a few quotations from a previous article linked above as to what his ‘poor judgement’ involved:

While he was commander of coalition forces in Afghanistan, Petraeus “maintained bound, five-by-eight inch notebooks that contained his daily schedule and classified and unclassified notes he took during official meetings, conferences and briefings,” the U.S. Attorney’s Office for the Western District of North Carolina writes in a statement of fact regarding the case…

All eight books “collectively contained classified information regarding the identifies of covert officers, war strategy, intelligence capabilities and mechanisms, diplomatic discussions, quotes and deliberative discussions from high-level National Security Council meetings… and discussions with the president of the United States.”

The books also contained “national defense information, including top secret/SCI and code word information,” according to the court papers. In other words: These weren’t just ordinary secrets. This was highly, highly classified material.

Petreaus retained those Black Books after he signed his debriefing agreement upon leaving DOD, in which he attested “I give my assurance that there is no classified material in my possession, custody, or control at this time.” He kept those Black Books in an unlocked desk drawer.

In an interview on October 26, 2012, he told the FBI:

(a) he had never provided any classified information to his biographer, and (b) he had never facilitated the provision of classified information to his biographer.

You do not get to write eight notebooks filled with that sort of information, keep them, lie about having kept them and passed them out to others, and then blame it on ‘combat fatigue’. If he was that brain-fried then he should have been stripped of rank and dismissed from the military immediately for not being competent to so much as hold a gun, never mind give orders to those that were.

Anonymous Coward says:

The NSA exploits and malware made their way into the public domain,

(Emphasis added.)

If only works by the Federal government were not public domain, the NSA could have had a copyright on this malware and then copyright law could have saved us from this horrible event. The hackers would be pirates for copying the software without approval, assuming they were brave enough to defy copyright law in the first place. Remember, violating copyright is the worst computer crime you can commit, so even elite hackers are wise to steer clear.

That One Guy (profile) says:

'I'm powerless, utterly powerless', said the JUDGE

It’s nice to hear this from a judge, even if there’s nothing the judge can actually do about it. Russell could only sentence Pho, not clawback Petraeus’ unearned freedom and post-conviction cakewalk.

Yeah, I’m not buying that he was powerless in this situation. If nothing else he could have resigned rather than handed out the sentence, making a public declaration that he’d rather look for another job rather than make such a grossly unjust ruling considering the other case.

Even barring the nuclear option however the idea that he had no control over the sentencing, such that he had to hand out the sentence he did I find rather difficult to swallow, given the other case. Was he really limited such that he couldn’t simply point to the precedent set by the other case, note that the punishment handed out for deliberate sharing of classified information was vastly lower, and as such accidental sharing should carry an equal if not lesser sentence?

With the judge handing out the sentence unintentional stupidity is being punished significantly worse than deliberate ‘malice’/greed.

That Anonymous Coward (profile) says:

Judge learns the even & fair legal system isn’t.

Imagine what would happen if he saw the difference in sentences for the same amounts of cocaine but 1 powder 1 a rock.

The legal system is a weapon & a shield.
Same crime, wildly different outcomes if one of them is special.
Huh, I wonder if thats where they got the idea to let cops murder, maim, rape, force medical testing on citizens & never manage to punish them for doing it (unless it has been spelled out in a legal precedent that shoving your fingers into a suspects rectum on the street might somehow violate that persons rights).
Banks destroyed the world economy… bringing a case would have been to hard, said by the DoJ lawyer who now workds for Goldman Sachs.
Yet they had lots of time to attempt to destroy Abacus who didn’t cause the problems, get a bailout, or paid tiny fines compared to the damage they caused.

tom (profile) says:

Two more data points for the High Officials skate while minions suffer:
Hillary Clinton was found to have mishandled classified info while Secretary of State yet no charges were even brought.

A US sailor was jailed for taking pictures inside a sub.

https://www.foxbusiness.com/features/navy-sailor-jailed-for-submarine-photos-hillary-clinton-committed-more-serious-acts

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...