Analyst Who Accidentally Leaked NSA Software Given Five More Years In Prison Than General Who Handed Classified Info To His Mistress
from the 'somebodies'-score-another-win-over-the-'nobodies' dept
An NSA employee will be headed to prison for inadvertently exposing the agency's malware stash.
Nghia Hoang Pho, 68, of Ellicott City, Maryland, and a naturalized U.S. citizen originally of Vietnam, was sentenced today to 66 months in prison, to be followed by three years of supervised release, for willful retention of classified national defense information. According to court documents, Pho removed massive troves of highly classified national defense information without authorization and kept it at his home.
Pho's leaks were different than other NSA leaks. First reported last year by a couple of press outlets, the NSA TAO (Tailored Access Operations) tools were exposed to the outside world by anti-virus software, which correctly labeled them as malware. These malware samples drew the attention of hackers who then targeted Pho's laptop to exfiltrate NSA hacking tools. The NSA exploits and malware made their way into the public domain, kicking off a crippling wave of ransomware that has since been repurposed to mine for cryptocurrency on infected computers.
The DOJ's press release has a lot to say about the seriousness of the offense and the seriousness of the FBI in tracking down government employees who carelessly handle classified code. In particular, it offers up this self-serving garbage to justify locking someone up for taking their work home with them.
“Pho’s intentional, reckless and illegal retention of highly classified information over the course of almost five years placed at risk our intelligence community’s capabilities and methods, rendering some of them unusable,” said Assistant Attorney General Demers. “Today’s sentence reaffirms the expectations that the government places on those who have sworn to safeguard our nation’s secrets. I would like to thank the agents, analysts and prosecutors whose hard work brought this result.”
This sentence does nothing of the sort. To those not closely watching these things (i.e., people who'd never read this press release in the first place), it may seem like the DOJ is serving up justice. But for those of us who've seen certain people -- like General Petraeus -- mishandle classified info in a much more egregious fashion (giving his mistress, and biographer, access to top secret info) and walk away from it pretty much unscathed, this statement from the DOJ is not just hollow. It's hypocritical.
Even the judge handling the case saw through the DOJ's double standard. Josh Gerstein of Politico reports the judge had plenty to say about the DOJ's prosecutorial efforts, especially in light of the fact Pho never directly gave anyone else access to the NSA's classified hacking stash.
[O]ne of the most striking aspects of Tuesday's sentencing was [Judge George] Russell's lament that top government officials seem to have escaped with little more than a slap on the wrist for engaging in similar behavior.
Russell seemed particularly perturbed that former CIA Director David Petraeus managed to get probation after admitting he kept highly classified information in his home without permission, shared it with his girlfriend and lied to investigators.
"Did he do one day in prison?" the clearly frustrated judge asked. "Not one day. ... What happened there? I don't know. The powerful win over the powerless? ... The people at the top can, like, do whatever they want to do and walk away."
It's nice to hear this from a judge, even if there's nothing the judge can actually do about it. Russell could only sentence Pho, not claw back Petraeus' unearned freedom and post-conviction cakewalk. Judge Russell might be less willing to help the government apply its sentencing double standard in the future, but his statements to the DOJ have probably only assured the agency will try to steer clear of his court in the future.
Filed Under: classified info, david petraeus, double standards, high court, leaks, low court, nghia hoang pho, nsa, nsa tao, sentencing
Reader Comments
New Government Morale Motto
Doubling down on your double down is more than double more fun.
[ link to this | view in chronology ]
Re: New Government Morale Motto
[ link to this | view in chronology ]
Like seriously, try to blame it on Russia as much as you want for which anti-virus it was, but at the end of the day can't any competent anti-virus have done the same thing?
Seems this basically puts NSA employees in a lose-lose situation. If you thought they had trouble finding people willing to work for them before, imagine how bad it is now.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
It's also supposed to be kept in controlled facilities, not lugged home. What got Pho into trouble is that he violated all that, copying stuff onto his personal laptop and taking it home with him.
Instead, Pho violated all this and lugged it home, working on it outside the controlled environment, against regulation and the law. And he did it for years, not just once. His actions exposed it, albeit unexpectedly, because of the anti-virus software, but if he hadn't taken it home on personal equipment, he wouldn't have had that problem.
Tim Cushing ignores all of this and makes it out as if it's okay to haul classified data around when it's not. And he ignores that the sentencing is for the years of mishandling data. More years than Petraeus, but I would have argued that Petraeus and others also deserve equivalently harsh sentences, given their level of responsibility.
[ link to this | view in chronology ]
Re: Re: Re:
Tim Cushing ignores all of this and makes it out as if it's okay to haul classified data around when it's not.
[Citation Needed].
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
"Ok, yea yea yea... whoa whoa whoa what none of those previous statements or reality supports your conclusion."
[ link to this | view in chronology ]
Re: Re: Re:
There are multiple sets of rules that are applicable depending upon your level of wealth. Like Donald could murder someone in main street, CEOs can steal at will with no repercussions - but that is totally cool with you.
[ link to this | view in chronology ]
So what do we do about certain others
Yep he done wrong, as did the sailor that had photos of the inside of a nuke sub on his phone. In this case the judge mentions the general and his mistress. But the elephant in the room is Hillary Clinton with her 30k emails on her closet server. Reportedly real time copies were being sent to Beijing. Apparently she can not be prosecuted because of her last name exemption.
[ link to this | view in chronology ]
Re:
Or use one of those operating systems that works well without anti-virus software because it doesn't run the attacker code and is natively set with the appropriate permissions to prevent malicious code from running.
[ link to this | view in chronology ]
The general public is waking up and they smell the bullshit.
[ link to this | view in chronology ]
Re:
Every now and again someone will detect a fresh batch of crap being served but it becomes hard to differentiate when what you are served is always brown and usually has an off-putting smell anyway. So most are content to accept the government's dropping because it takes too much work to test everything.
Hopefully you weren't eating while reading that.
[ link to this | view in chronology ]
Re:
If people were "waking up" to "smell the bullshit" we'd see considerable changes to local budgets to fund crime labs, public defender offices, banning extrajudicial civil forfeiture, and reining in of abuses by LEO and DA offices of civil rights abuses and tightening ethics rules over "trying defendants in the press", plus a push to make double jeopardy apply to both civil and criminal law. This isn't happening.
The People basically don't care about Issues till they get caught in the meat grinder those Issues create. By then it's way too late. I've seen this plenty of times in my personal life to friends or friends of the family rather than myself.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
How'd they find the laptop?
There's an unexplained leap here. Pho's laptop uploads software to Kaspersky, then somehow this "draws attention" of people who track it back to him. Is the Kaspersky database public, and how would anyone figure out who sent it data? Seems like it would have to be an inside job, either someone working for Kaspersky (hacking into infected machines on the side, or selling/leaking data about them) or someone who first hacked into Kaspersky.
Virus data collection systems are obviously going to be major hacking/bribery targets. It seems reckless to write antivirus software that uploads stuff non-anonymously.
[ link to this | view in chronology ]
To a degree, I blame the judge here.
After all, the legal system relies on precedent to clarify law, and General Petraeus set a loud-and-clear precedent that the proper sentencing for blatant mishandling of classified information is probation and a slap on the wrist. The judge was cognizant enough of that to comment frustratedly on that... but not brave or disruptive enough to cite it as precedent to avoid giving a man guilty of a significantly lesser crime a significantly harsher penalty? He can moan about the power structure all he wants, but he's still playing into it.
[ link to this | view in chronology ]
Re: To a degree, I blame the judge here.
It is made quite clear to new employees the importance of following strict procedures on safeguarding classified information. It is explained, among other things, that jury-rigged home systems are more likely to have security holes than carefully designed government workplaces.
As for Petraeus's poor judgement, I would cut him some slack on grounds of "combat fatigue." For months he had been at the center of an intense battle, saving hundreds of thousands of lives by breaking a murderous insurgency among Iraqi Sunnis. A society that cannot figure out how to protect its heroes does not deserve to be protected itself.
[ link to this | view in chronology ]
Yeah, no...
If Pho caused more damage it's because the NSA had, and kept, a treasure trove of extremely dangerous tools around that got out into the wild thanks to his poor judgement in taking a copy of that home. Stupid to be sure, but hardly deliberate or done in malice.
As for Petraeus' getting a pass because of 'combat fatigue', no, not even remotely. Here's a few quotations from a previous article linked above as to what his 'poor judgement' involved:
While he was commander of coalition forces in Afghanistan, Petraeus “maintained bound, five-by-eight inch notebooks that contained his daily schedule and classified and unclassified notes he took during official meetings, conferences and briefings,” the U.S. Attorney’s Office for the Western District of North Carolina writes in a statement of fact regarding the case...
All eight books “collectively contained classified information regarding the identities of covert officers, war strategy, intelligence capabilities and mechanisms, diplomatic discussions, quotes and deliberative discussions from high-level National Security Council meetings… and discussions with the president of the United States.”
The books also contained “national defense information, including top secret/SCI and code word information,” according to the court papers. In other words: These weren’t just ordinary secrets. This was highly, highly classified material.
Petraeus retained those Black Books after he signed his debriefing agreement upon leaving DOD, in which he attested “I give my assurance that there is no classified material in my possession, custody, or control at this time.” He kept those Black Books in an unlocked desk drawer.
In an interview on October 26, 2012, he told the FBI:
(a) he had never provided any classified information to his biographer, and (b) he had never facilitated the provision of classified information to his biographer.
You do not get to write eight notebooks filled with that sort of information, keep them, lie about having kept them and passed them out to others, and then blame it on 'combat fatigue'. If he was that brain-fried then he should have been stripped of rank and dismissed from the military immediately for not being competent to so much as hold a gun, never mind give orders to those that were.
[ link to this | view in chronology ]
(Emphasis added.)
If only works by the Federal government were not public domain, the NSA could have had a copyright on this malware and then copyright law could have saved us from this horrible event. The hackers would be pirates for copying the software without approval, assuming they were brave enough to defy copyright law in the first place. Remember, violating copyright is the worst computer crime you can commit, so even elite hackers are wise to steer clear.
[ link to this | view in chronology ]
'I'm powerless, utterly powerless', said the JUDGE
It's nice to hear this from a judge, even if there's nothing the judge can actually do about it. Russell could only sentence Pho, not claw back Petraeus' unearned freedom and post-conviction cakewalk.
Yeah, I'm not buying that he was powerless in this situation. If nothing else he could have resigned rather than handed out the sentence, making a public declaration that he'd rather look for another job rather than make such a grossly unjust ruling considering the other case.
Even barring the nuclear option however the idea that he had no control over the sentencing, such that he had to hand out the sentence he did I find rather difficult to swallow, given the other case. Was he really limited such that he couldn't simply point to the precedent set by the other case, note that the punishment handed out for deliberate sharing of classified information was vastly lower, and as such accidental sharing should carry an equal if not lesser sentence?
With the judge handing out the sentence unintentional stupidity is being punished significantly worse than deliberate 'malice'/greed.
[ link to this | view in chronology ]
Re: 'I'm powerless, utterly powerless', said the JUDGE
[ link to this | view in chronology ]
Re: Re: 'I'm powerless, utterly powerless', said the JUDGE
Oh I'm not saying he shouldn't have been punished, he screwed up and it had serious consequences. However to make the punishment for leaking sensitive data on accident worse than doing it deliberately is beyond absurd and not at all just.
[ link to this | view in chronology ]
Hasn't it felt...
[ link to this | view in chronology ]
- Another excuse for when your boss asks you to finish your work at home.
[ link to this | view in chronology ]
Imagine what would happen if he saw the difference in sentences for the same amounts of cocaine but 1 powder 1 a rock.
The legal system is a weapon & a shield.
Same crime, wildly different outcomes if one of them is special.
Huh, I wonder if that's where they got the idea to let cops murder, maim, rape, force medical testing on citizens & never manage to punish them for doing it (unless it has been spelled out in a legal precedent that shoving your fingers into a suspect's rectum on the street might somehow violate that person's rights).
Banks destroyed the world economy... bringing a case would have been too hard, said by the DoJ lawyer who now works for Goldman Sachs.
Yet they had lots of time to attempt to destroy Abacus who didn't cause the problems, get a bailout, or paid tiny fines compared to the damage they caused.
[ link to this | view in chronology ]
2 sets of rules, not laws..
We are living by separate Rules...and THAT is against the laws of this land ALL the way back..
[ link to this | view in chronology ]
Department of Justice
[ link to this | view in chronology ]
Re: Department of Justice
Then the idea that Money corrupts those that have NONE..
The wonderful ideals of religion, and those that take advantage of it..
[ link to this | view in chronology ]
Hillary Clinton was found to have mishandled classified info while Secretary of State yet no charges were even brought.
A US sailor was jailed for taking pictures inside a sub.
https://www.foxbusiness.com/features/navy-sailor-jailed-for-submarine-photos-hillary-clinton-committed-more-serious-acts
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]