Analyst Who Accidentally Leaked NSA Software Given Five More Years In Prison Than General Who Handed Classified Info To His Mistress

Authored by techdirt.com and submitted by q5WwLCdo

An NSA employee will be headed to prison for inadvertently exposing the agency's malware stash.

Nghia Hoang Pho, 68, of Ellicott City, Maryland, and a naturalized U.S. citizen originally of Vietnam, was sentenced today to 66 months in prison, to be followed by three years of supervised release, for willful retention of classified national defense information. According to court documents, Pho removed massive troves of highly classified national defense information without authorization and kept it at his home.

Pho's leaks were different than other NSA leaks. First reported last year by a couple of press outlets, the NSA TAO (Tailored Access Operations) tools were exposed to the outside world by anti-virus software , which correctly labeled it as malware. These malware samples drew the attention of hackers who then targeted Pho's laptop to exfiltrate NSA hacking tools. The NSA exploits and malware made their way into the public domain, kicking off a crippling wave of ransomware that has since been repurposed to mine for cryptocurrency on infected computers.

The DOJ's press release has a lot to say about the seriousness of the offense and the seriousness of the FBI in tracking down government employees who carelessly handle classified code. In particular, it offers up this self-serving garbage to justify locking someone up for taking their work home with them.

“Pho’s intentional, reckless and illegal retention of highly classified information over the course of almost five years placed at risk our intelligence community’s capabilities and methods, rendering some of them unusable,” said Assistant Attorney General Demers. “Today’s sentence reaffirms the expectations that the government places on those who have sworn to safeguard our nation’s secrets. I would like to thank the agents, analysts and prosecutors whose hard work brought this result.

This sentence does nothing of the sort. To those not closely watching these things (i.e., people who'd never read this press release in the first place), it may seem like the DOJ is serving up justice. But for those of us who've seen certain people -- like General Petraeus -- mishandle classified info in a much more egregious fashion (giving his mistress, and biographer, access to top secret info) and walk away from it pretty much unscathed, this statement from the DOJ is not just hollow. It's hypocritical.

Even the judge handling the case saw through the DOJ's double standard. Josh Gerstein of Politico reports the judge had plenty to say about the DOJ's prosecutorial efforts, especially in light of the fact Pho never directly gave anyone else access to the NSA's classified hacking stash.

[O]ne of the most striking aspects of Tuesday's sentencing was [Judge George] Russell's lament that top government officials seem to have escaped with little more than a slap on the wrist for engaging in similar behavior. Russell seemed particularly perturbed that former CIA Director David Petraeus managed to get probation after admitting he kept highly classified information in his home without permission, shared it with his girlfriend and lied to investigators. "Did he do one day in prison?" the clearly frustrated judge asked. "Not one day. ... What happened there? I don't know. The powerful win over the powerless? ... The people at the top can, like, do whatever they want to do and walk away."

It's nice to hear this from a judge, even if there's nothing the judge can actually do about it. Russell could only sentence Pho, not clawback Petraeus' unearned freedom and post-conviction cakewalk. Judge Russell might be less willing to help the government apply its sentencing double standard in the future, but his statements to the DOJ have probably only assured the agency will try to steer clear of his court in the future.

OnARedditDiet on October 1st, 2018 at 22:03 UTC »

I think this may have a lot to do with known harm and known knowns.

If Petraeus was tried the government may need to discuss the actual materials that were leaked. By taking a plea deal they don't need to talk about classified documents.

On the other hand, everyone knows what came from the NSA.

NoShowbizMike on October 1st, 2018 at 20:05 UTC »

What still is not covered is the NSA hoarding 0-day bugs (and weakening encryption) instead of reporting them to the software companies. In the 1980s, the NSA was tasked not just with computer security for the government but for all Americans. They have gone against this by hiding security flaws and manipulating encryption standards to lower security. If the NSA can exploit these flaws, surely others will learn to. This is why backdoors like the FBI propose is extremely shortsighted.

TL;DR If the NSA did their jobs, the NSA software leaks would not have been such a problem.

TelemetryGeo on October 1st, 2018 at 19:26 UTC »

As I recall from the case...This wasn't an accidental leak. He smuggled out a bunch of NSA hacking tools to practice with at home. He had Kaspersky anti virus on his home computer and THAT software sent all the hacking tools to the FSB.