The U.S. Department of Justice announced on Dec. 1 that former National Security Agency developer Nghia Hoang Pho pleaded guilty to charges that he took classified information to his home. Russian operatives allegedly subsequently hacked Pho, gaining access to the secret information stored on his computer.
Pho worked for the NSA's Tailored Access Operations (TAO) Unit from 2006 until 2016 and had access to data and documents that included classified and top secret national defense information. The TAO Unit first gained public notoriety in December 2013 when documents leaked by NSA whistleblower Edward Snowden revealed some of the group's activities.
"The NSA's TAO involved operations and intelligence collection to gather data from target or foreign automated information systems or networks and also involved actions taken to prevent, detect, and respond to unauthorized activity within Department of Defense information systems and computer networks, for the United States and its allies," the DOJ stated.
Not only did Pho have access to classified TAO information, but he was also helping to develop what the DOJ plea agreement refers to as "highly classified, specialized projects."
"According to the plea agreement, beginning in 2010 and continuing through March 2015, Pho removed and retained U.S. government documents and writings that contained national defense information, including information classified as Top Secret and Sensitive Compartmented Information," the DOJ stated. "This material was in both hard copy and digital form, and was retained in Pho’s residence in Maryland."
According to a report in the New York Times, Pho's home computer was running antivirus software from Russian security firm Kaspersky Lab. The Kaspersky Lab software in turn was allegedly exploited by Russian hackers, who then were able to steal secret NSA information from Pho's home system.
Kaspersky Lab has been under intense scrutiny this year, and U.S. government agencies have taken steps to ban its software, claiming that it was being used by the Russian government to steal information. On Oct. 25, Kaspersky Lab released its own analysis and determined that a single incident happened in 2014 where source code from the NSA-linked Equation group was sent to Kaspersky Lab's servers.
Pho is the latest in a series of U.S. government employees and contractors with high-level security clearance that took classified information home.
On June 5, NSA contractor Reality Winner was charged with leaking classified documents in connection with Russian tampering with U.S. voter registration systems. In October 2016, NSA contractor Harold Martin was charged with stealing confidential information from the spy agency. Back in 2013, Snowden also took information from the NSA and then leaked it to media outlets.
No doubt, the NSA reviewed its own security processes and procedures in the wake of the Snowden case. Yet despite the various measures that the NSA has taken to secure itself, Pho was still able to take information home with him, exposing both himself and national security to risk.
The answer to defending against insider threats and nation-state level attackers is one that the NSA actually knows well. In a February 2016 session at the USENIX Enigma conference, Rob Joyce, chief of NSA's TAO, the same group that Pho worked for, explained how to defend against advanced persistent threats and how attackers operate.
So why then was Pho able to take information home and then subsequently be allegedly hacked by Russian hackers? Clearly there is more tightening of policies that needs to occur within the NSA and likely elsewhere within the U.S. intelligence community.
Having the right policies in place and then making sure they are actually enforced can sometimes be very different things. It's a similar challenge that many organizations face with software patching. Most organizations know that they need to patch their systems for vulnerable applications and components, yet unpatched systems continue to show up as the root causes of major breaches, including most notably the Equifax breach.
Pho is likely not the last NSA employee to contradict the organization's security policies. But if the NSA does its job right, lessons learned and better enforcement could help to limit the risk and make secret information leakage a rarer occurrence in the future.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.