Nghia Hoang Pho, a 68-year-old former National Security Agency employee who worked in the NSA's Tailored Access Operations (TAO) division, was sentenced today to 66 months in prison for willful, unauthorized removal and retention of classified documents and material from his workplace—material that included hacking tools that were likely part of the code dumped by the individual or group known as Shadowbrokers in the summer of 2016.
Pho, a naturalized US citizen from Vietnam and a resident of Ellicott City, Maryland, had pleaded guilty to bringing home materials after being caught in a sweep by the NSA following the Shadowbrokers leaks. He will face three years of supervised release after serving his sentence. His attorney had requested home detention.
In a letter sent to the court in March, former NSA Director Admiral Mike Rogers told Judge George Russell that the materials removed from the NSA by Pho "had significant negative impacts on the NSA mission, the NSA workforce, and the Intelligence Community as a whole." The materials Pho removed, Rogers wrote, included:
[S]ome of NSA's most sophisticated, hard-to-achieve, and important techniques of collecting [signals intelligence] from sophisticated targets of the NSA, including collection that is crucial to decision makers when answering some of the Nation's highest-priority questions… Techniques of the kind Mr. Pho was entrusted to protect, yet removed from secure space, are force multipliers, allowing for intelligence collection in a multitude of environments around the globe and spanning a wide range of security topics. Compromise of one technique can place many opportunities for intelligence collection and national security insight at risk.
Rogers told the court that Pho had essentially caused years of signals collection work to have to be abandoned—meaning that none of the tools and techniques he had brought home could continue to be used. Because they were removed from the NSA's secure systems, Rogers wrote, the NSA "was left with no choice but to abandon certain important initiatives, at great economic and operational costs."
Pho, who began working as a developer in TAO in April of 2006, stated in his plea agreement that he had begun taking both hard-copy documents and files classified as Top Secret and Sensitive Compartmented Information (SCI) in 2010, and he continued to do so through March 2015. This material was in both hard copy and digital form. Pho told the judge in a letter that, because of his difficulty with the English language and limited social skills, he struggled to get good performance reviews from his NSA managers. So, he said, he took materials home with him in hopes of boosting his performance at work and getting a good review—potentially boosting his salary so that he would retire at a higher pay grade.
The Justice Department also submitted a separate, classified filing with the judge before sentencing. The NSA and the DOJ have not made any statements directly tying Pho to the Shadowbrokers leaks, but the timing of Pho's collection of materials corresponds with another detail of the investigation into the theft of NSA tools: the detection and uploading of those tools by Kaspersky Lab antivirus tools, which Kaspersky confirmed came from the computer of a Verizon FIOS customer outside Baltimore, Maryland (Ellicott City is just south of Baltimore). The New York Times and Washington Post had previously reported that Israeli intelligence had spotted Russian hackers tapping into Kasperky's network at about the time the files leaked by the Shadowbrokers were stolen.