The Federal Bureau of Investigation arrested a National Security Agency contractor working for Booz Allen Hamilton and charged him with stealing highly classified documents. Harold T. Martin III, of Glen Burnie, Md., was charged in a criminal complaint filed in late August that became public Wednesday.
The classified material allegedly contained code used by the U.S. for hacking government systems in Russia, China, North Korea, and Iran. Martin was charged with theft of government property and unauthorized removal and retention of classified materials, according to the criminal complaint (PDF) filed in United States District Court in Baltimore.
According to the U.S. Attorney’s Office for the District of Maryland, on Aug. 27, search warrants were executed at Martin’s residence, including two storage sheds and a motor vehicle. According to a statement by the AG’s office, investigators found hard copy documents and digital information that was the “property of the United States and contained highly classified information of the United States, including Top Secret and Sensitive Compartmented Information (SCI).”
For federal investigators, the arrest has an uncomfortable ring of familiarity to the 2013 theft of a treasure trove of highly damaging secret documents by former NSA contractor Edward Snowden. Snowden also worked for Booz Allen Hamilton. However, documents allegedly stolen by Martin were limited in scope compared to those released by Snowden.
“We have made an arrest of an individual who’s involved in taking classified information. And what I think it points out for the private sector — and others more generally — is this problem of insider threats,” said John Carlin, assistant Attorney General for National Security, Department of Justice, while attending a conference at the Massachusetts Institute of Technology on Wednesday.
Carlin declined to comment on the charges against Martin, but said companies need to be vigilant against external and internal threats. “Whether it’s economic espionage or traditional espionage, the focus on those who are trusted within our companies, within our government who can exploit that trust can cause enormous harm,” he said.
According to investigators, the alleged theft of documents did not appear to be an act of espionage. The motives behind the alleged theft are still unknown.
In a statement, Martin’s attorneys said: “We have not seen any evidence. But what we know is that Hal Martin loves his family and his country. There is no evidence that he intended to betray his country.”
Ed McAndrew, a former federal cybercrime prosecutor and partner at law firm Ballard Spahr, said it was too early to tell the extent of the damage Martin has allegedly caused to the intelligence community. “At these early stages it’s really hard to know. But anytime someone with a top secret FBI clearance is removing classified documents of this nature from a facility you’ve got the potential for very significant harm.”
McAndrew said part of the potential harm inflicted by the disclosure of these documents is not just the release of a particular file. “It’s also revealing the sensitive sources, methods and capabilities that the government is using in this area. It’s not about a particular hacking tool, but how that tool works and who it’s used against,” he said.
According to reports by the New York Times, authorities are trying to determine to whom Martin allegedly may have passed sensitive data, and whether he passed information to a hacking group that goes by Shadow Brokers and was tied to a similar leak of classified NSA code earlier this year.
In September, the Shadow Brokers released exploits allegedly belonging to the Equation Group, a hacking group thought to be inside or working for the National Security Agency. The exploits targeted vulnerabilities in networking gear made by Cisco, Juniper and others, and also included a number of zero days.
At the time, security experts suspected Shadow Brokers may have gained access to the Equation Group tools remotely. But with the arrest of Martin, security experts such as McAndrew are reconsidering earlier assumptions.
“Insider threats are among the most pernicious that organizations face,” McAndrew said. But, he added, when caught they do offer more hope for remediation compared to remote hackers. “In the case of Martin, law enforcement got the body and the source documents and files. But we will have to wait and see what data may have already been disseminated.”
An initial court appearance was held for Martin in U.S. District Court in Baltimore on Aug. 29; Martin remains detained. If convicted, according to the DoJ, Martin faces a maximum sentence of one year in prison for the unauthorized removal and retention of classified materials, and 10 years in prison for theft of government property.