Analyst Who Accidentally Leaked NSA Software Given Five More Years In Prison Than General Who Handed Classified Info To His Mistress

from the 'somebodies'-score-another-win-over-the-'nobodies' dept

An NSA employee will be headed to prison for inadvertently exposing the agency's malware stash.

Nghia Hoang Pho, 68, of Ellicott City, Maryland, and a naturalized U.S. citizen originally of Vietnam, was sentenced today to 66 months in prison, to be followed by three years of supervised release, for willful retention of classified national defense information. According to court documents, Pho removed massive troves of highly classified national defense information without authorization and kept it at his home.

Pho's leaks were different than other NSA leaks. First reported last year by a couple of press outlets, the NSA TAO (Tailored Access Operations) tools were exposed to the outside world by anti-virus software , which correctly labeled it as malware. These malware samples drew the attention of hackers who then targeted Pho's laptop to exfiltrate NSA hacking tools. The NSA exploits and malware made their way into the public domain, kicking off a crippling wave of ransomware that has since been repurposed to mine for cryptocurrency on infected computers.

The DOJ's press release has a lot to say about the seriousness of the offense and the seriousness of the FBI in tracking down government employees who carelessly handle classified code. In particular, it offers up this self-serving garbage to justify locking someone up for taking their work home with them.

“Pho’s intentional, reckless and illegal retention of highly classified information over the course of almost five years placed at risk our intelligence community’s capabilities and methods, rendering some of them unusable,” said Assistant Attorney General Demers. “Today’s sentence reaffirms the expectations that the government places on those who have sworn to safeguard our nation’s secrets. I would like to thank the agents, analysts and prosecutors whose hard work brought this result.

This sentence does nothing of the sort. To those not closely watching these things (i.e., people who'd never read this press release in the first place), it may seem like the DOJ is serving up justice. But for those of us who've seen certain people -- like General Petraeus -- mishandle classified info in a much more egregious fashion (giving his mistress, and biographer, access to top secret info) and walk away from it pretty much unscathed, this statement from the DOJ is not just hollow. It's hypocritical.

Even the judge handling the case saw through the DOJ's double standard. Josh Gerstein of Politico reports the judge had plenty to say about the DOJ's prosecutorial efforts, especially in light of the fact Pho never directly gave anyone else access to the NSA's classified hacking stash.

[O]ne of the most striking aspects of Tuesday's sentencing was [Judge George] Russell's lament that top government officials seem to have escaped with little more than a slap on the wrist for engaging in similar behavior.

Russell seemed particularly perturbed that former CIA Director David Petraeus managed to get probation after admitting he kept highly classified information in his home without permission, shared it with his girlfriend and lied to investigators.

"Did he do one day in prison?" the clearly frustrated judge asked. "Not one day. ... What happened there? I don't know. The powerful win over the powerless? ... The people at the top can, like, do whatever they want to do and walk away."

It's nice to hear this from a judge, even if there's nothing the judge can actually do about it. Russell could only sentence Pho, not clawback Petraeus' unearned freedom and post-conviction cakewalk. Judge Russell might be less willing to help the government apply its sentencing double standard in the future, but his statements to the DOJ have probably only assured the agency will try to steer clear of his court in the future.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Anonymous Anonymous Coward (profile), 1 Oct 2018 @ 11:20am

    New Government Morale Motto

    Double your standards, double your fun.

    Doubling down on your double down is more than double more fun.

    reply to this | link to this | view in chronology ]

  • icon
    ShadowNinja (profile), 1 Oct 2018 @ 12:12pm

    So... moral of the story... never use anti-virus if you work for the NSA? Meaning you'll potentially be at the mercy of a ton of malware...?

    Like seriously, try to blame it on Russia as much as you want for which anti-virus it was, but at the end of the day can't any competent anti-virus have done the same thing?

    Seems this basically puts NSA employees in a lose-lose situation. If you thought they had trouble finding people willing to work for them before, imagine how bad it is now.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 1 Oct 2018 @ 12:44pm

      Re:

      I read the moral as "don't take classified info home with you even if you never plan to share it with anyone".

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 1 Oct 2018 @ 4:40pm

        Re: Re:

        Exactly right. Government laws and regulations specifically prohibit the transfer of classified information onto unauthorized devices or computers.

        It's also supposed to be kept in controlled facilities, not lugged home. What got Pho into trouble is that he violated all that, copying stuff onto his personal laptop and taking it home with him.

        Instead, Pho violated all this and lugged it home, working on it outside the controlled environment, against regulation and the law. And he did it for years, not just once. His actions exposed it, albeit unexpectedly, because of the anti-virus software, but if he hadn't taken it home on personal equipment, he wouldn't have had that problem.

        Tim Cushing ignores all of this and makes it out as if it's okay to haul classified data around when it's not. And he ignores that the sentencing is for the years of mishandling data. More years than Patreus, but I would have argued that Patreus and others also deserve equivalently harsh sentences, given their level of responsibility.

        reply to this | link to this | view in chronology ]

        • icon
          That One Guy (profile), 1 Oct 2018 @ 5:21pm

          Re: Re: Re:

          Tim Cushing ignores all of this and makes it out as if it's okay to haul classified data around when it's not.

          [Citation Needed].

          reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 1 Oct 2018 @ 7:26pm

          Re: Re: Re:

          It's interesting how you managed to whine about someone ignoring something while ignoring what was written.

          reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 2 Oct 2018 @ 7:30am

          Re: Re: Re:

          reading your comment was like watching a Jordan Peterson video

          "Ok, yea yea yea... whoa whoa whoa what none of those previous statements or reality supports your conclusion."

          reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 2 Oct 2018 @ 10:19am

          Re: Re: Re:

          What have you to say about the differences in sentencing, or lack thereof.

          There are multiple sets of rules that are applicable depending upon your level of wealth. Like Donald could murder someone in main street, CEOs can steal at will with no repercussions - but that is totally cool with you.

          reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 1 Oct 2018 @ 3:33pm

      Re:

      "never use anti-virus "

      Or use one of those operating systems that works well without anti-virus software because it doesn't run the attacker code and is natively set with the appropriate permissions to prevent malicious code from running.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Oct 2018 @ 12:18pm

    "this statement from the DOJ is not just hollow. It's hypocritical."

    The general public is waking up and they smell the bullshit.

    reply to this | link to this | view in chronology ]

    • identicon
      bob, 1 Oct 2018 @ 12:47pm

      Re:

      Unfortunately the general public aren't recognizing the smell because the stench has been around so long people have become accustomed to it.

      Every now again someone will detect a fresh batch of crap being served but it becomes hard to differentiate when what you are served is always brown and usually has an off putting small anyway. So most are content to accept the government's dropping because it takes too much work to test everything.

      Hopefully you weren't eating while reading that.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 1 Oct 2018 @ 1:04pm

      Re:

      The general public doesn't even know who General Petraeus and Nghia Hoang Pho is. The general public often avoids watching the news entirely, and those that do are often only peripherally aware of criminal justice issues and come predisposed to personal biases of either "Law and Order" guilty till proven innocent, or "The Man Won AGAIN" innocent because it's all a Conspiracy against the People.

      If people were "waking up" to "smell the bullshit" we'd see considerable changes to local budgets to fund crime labs, public defender offices, banning extrajudicial civil forfeiture, and reigning in of abuses by LEO and DA offices of civil rights abuses and tightening ethics rules over "trying defendants in the press", plus a push to make double jeopardy apply to both civil and criminal law. This isn't happening.

      The People basically don't care about Issues till they get caught in the meat grinder those Issues create. By then it's way too late. I've seen this plenty of times in my personal life to friends or friends of the family rather than myself.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Oct 2018 @ 12:42pm

    How'd they find the laptop?

    These malware samples drew the attention of hackers who then targeted Pho's laptop to exfiltrate NSA hacking tools.

    There's an unexplained leap here. Pho's laptop uploads software to Kaspersky, then somehow this "draws attention" of people who track it back to him. Is the Kaspersky database public, and how would anyone figure out who sent it data? Seems like it would have to be an inside job, either someone working for Kaspersky (hacking into infected machines on the side, or selling/leaking data about them) or someone who first hacked into Kaspersky.

    Virus data collection systems are obviously going to be major hacking/bribery targets. It seems reckless to write antivirus software that uploads stuff non-anonymously.

    reply to this | link to this | view in chronology ]

  • identicon
    Will B., 1 Oct 2018 @ 1:25pm

    To a degree, I blame the judge here.

    After all, the legal system relies on precedent to clarify law, and General Petraeus set a loud-and-clear precedent that the proper sentencing for blatant mishandling of classified information is probation and a slap on the wrist. The judge was cognizant enough of that to comment frustratedly on that... but not brave or disruptive enough to cite it as precedent to avoid giving a man guilty of a significantly lesser crime a significantly harsher penalty? He can moan about the power structure all he wants, but he's still playing into it.

    reply to this | link to this | view in chronology ]

    • icon
      Hugo S Cunningham (profile), 2 Oct 2018 @ 8:00am

      Re: To a degree, I blame the judge here.

      What Pho did caused vastly more damage than what Petraeus did.

      It is made quite clear to new employees the importance of following strict procedures on safeguarding classified information. It is explained, among other things, that jury-rigged home systems are more likely to have security holes than carefully designed government workplaces.

      As for Petraeus's poor judgement, I would cut him some slack on grounds of "combat fatigue." For months he had been at the center of an intense battle, saving hundreds of thousands of lives by breaking a murderous insurgency among Iraqi Sunnis. A society that cannot figure out how to protect its heroes does not deserve to be protected itself.

      reply to this | link to this | view in chronology ]

      • icon
        That One Guy (profile), 2 Oct 2018 @ 3:57pm

        Yeah, no...

        If Pho caused more damage it's because the NSA had, and kept, a treasure trove of extremely dangerous tools around that got out into the wild thanks to his poor judgement in taking a copy of that home. Stupid to be sure, but hardly deliberate or done in malice.

        As for Patraeus' getting a pass because of 'combat fatigue', no, not even remotely. Here's a few quotations from a previous article linked above as to what his 'poor judgement' involved:

        While he was commander of coalition forces in Afghanistan, Petraeus “maintained bound, five-by-eight inch notebooks that contained his daily schedule and classified and unclassified notes he took during official meetings, conferences and briefings,” the U.S. Attorney’s Office for the Western District of North Carolina writes in a statement of fact regarding the case...

        All eight books “collectively contained classified information regarding the identifies of covert officers, war strategy, intelligence capabilities and mechanisms, diplomatic discussions, quotes and deliberative discussions from high-level National Security Council meetings… and discussions with the president of the United States.”

        The books also contained “national defense information, including top secret/SCI and code word information,” according to the court papers. In other words: These weren’t just ordinary secrets. This was highly, highly classified material.

        Petreaus retained those Black Books after he signed his debriefing agreement upon leaving DOD, in which he attested “I give my assurance that there is no classified material in my possession, custody, or control at this time.” He kept those Black Books in an unlocked desk drawer.

        In an interview on October 26, 2012, he told the FBI:

        (a) he had never provided any classified information to his biographer, and (b) he had never facilitated the provision of classified information to his biographer.

        You do not get to write eight notebooks filled with that sort of information, keep them, lie about having kept them and passed them out to others, and then blame it on 'combat fatigue'. If he was that brain-fried then he should have been stripped of rank and dismissed from the military immediately for not being competent to so much as hold a gun, never mind give orders to those that were.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Oct 2018 @ 1:35pm

    The NSA exploits and malware made their way into the public domain,

    (Emphasis added.)

    If only works by the Federal government were not public domain, the NSA could have had a copyright on this malware and then copyright law could have saved us from this horrible event. The hackers would be pirates for copying the software without approval, assuming they were brave enough to defy copyright law in the first place. Remember, violating copyright is the worst computer crime you can commit, so even elite hackers are wise to steer clear.

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 1 Oct 2018 @ 5:32pm

    'I'm powerless, utterly powerless', said the JUDGE

    It's nice to hear this from a judge, even if there's nothing the judge can actually do about it. Russell could only sentence Pho, not clawback Petraeus' unearned freedom and post-conviction cakewalk.

    Yeah, I'm not buying that he was powerless in this situation. If nothing else he could have resigned rather than handed out the sentence, making a public declaration that he'd rather look for another job rather than make such a grossly unjust ruling considering the other case.

    Even barring the nuclear option however the idea that he had no control over the sentencing, such that he had to hand out the sentence he did I find rather difficult to swallow, given the other case. Was he really limited such that he couldn't simply point to the precedent set by the other case, note that the punishment handed out for deliberate sharing of classified information was vastly lower, and as such accidental sharing should carry an equal if not lesser sentence?

    With the judge handing out the sentence unintentional stupidity is being punished significantly worse than deliberate 'malice'/greed.

    reply to this | link to this | view in chronology ]

    • icon
      nasch (profile), 2 Oct 2018 @ 6:31am

      Re: 'I'm powerless, utterly powerless', said the JUDGE

      I doubt he considered the sentence he handed down to be unjust, rather the lack of punishment of Patraeus was the injustice. Not punishing this guy doesn't do anything to right that wrong.

      reply to this | link to this | view in chronology ]

      • icon
        That One Guy (profile), 2 Oct 2018 @ 3:42pm

        Re: Re: 'I'm powerless, utterly powerless', said the JUDGE

        Oh I'm not saying he should't have been punished, he screwed up and it had serious consequences. However to make the punishment for leaking sensitive data on accident worse than doing it deliberately is beyond absurd and not at all just.

        reply to this | link to this | view in chronology ]

  • icon
    Zof (profile), 1 Oct 2018 @ 5:45pm

    Hasn't it felt...

    Kinda like they have something on kaspersky they haven't been talking about? I bet this is it.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Oct 2018 @ 7:16pm

    "I don't want to go to jail."
    - Another excuse for when your boss asks you to finish your work at home.

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 1 Oct 2018 @ 8:04pm

    Judge learns the even & fair legal system isn't.

    Imagine what would happen if he saw the difference in sentences for the same amounts of cocaine but 1 powder 1 a rock.

    The legal system is a weapon & a shield.
    Same crime, wildly different outcomes if one of them is special.
    Huh, I wonder if thats where they got the idea to let cops murder, maim, rape, force medical testing on citizens & never manage to punish them for doing it (unless it has been spelled out in a legal precedent that shoving your fingers into a suspects rectum on the street might somehow violate that persons rights).
    Banks destroyed the world economy... bringing a case would have been to hard, said by the DoJ lawyer who now workds for Goldman Sachs.
    Yet they had lots of time to attempt to destroy Abacus who didn't cause the problems, get a bailout, or paid tiny fines compared to the damage they caused.

    reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 1 Oct 2018 @ 8:48pm

    2 sets of rules, not laws..

    If we dont hold up THOSE we are SUPPOSED to respect, to a higher requirements...WHAT GOOD IS LAW??
    wew are living by separate Rules...and THAT is against the laws of this land ALL the way back..

    reply to this | link to this | view in chronology ]

  • identicon
    Annonymouse, 1 Oct 2018 @ 10:07pm

    Department of Justice

    Orwell was right Dammit

    reply to this | link to this | view in chronology ]

    • icon
      ECA (profile), 2 Oct 2018 @ 10:49am

      Re: Department of Justice

      Orwell saw that Any government can be taken advantage of And/or corrupted..
      Then the idea that Money corrupts those that have NONE..
      The wonderful ideals of religion, and those that take advantage of it..

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Oct 2018 @ 11:44pm

    Same old story in tge USA! It doesn't matter the crime, it's who you are/were, not what you did! The less 'friends in high places' that you have, the less pushback there is, the easier it is to be prosecuted 'to the full extent of the law'! And give the prosecutor the fame he is trying to get!

    reply to this | link to this | view in chronology ]

  • icon
    tom (profile), 2 Oct 2018 @ 6:05am

    Two more data points for the High Officials skate while minions suffer:
    Hillary Clinton was found to have mishandled classified info while Secretary of State yet no charges were even brought.

    A US sailor was jailed for taking pictures inside a sub.

    https://www.foxbusiness.com/features/navy-sailor-jailed-for-submarine-photos-hillary-clinton-com mitted-more-serious-acts

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.