Snowden smuggled out data on thumb drive, officials say

WASHINGTON — Former National Security Agency contract employee Edward Snowden used a computer thumb drive, a portable data storage device that is supposedly barred inside the spying agency, to smuggle highly classified documents out of an NSA facility in Hawaii, according to U.S. officials.

Investigators “know how many documents he downloaded and what server he took them from,” said an official who would not be named discussing the investigation. Another official said experts were still trying to identify everything that Snowden apparently copied.

Confirmation of the thumb drive solved one of the central mysteries in the case: how Snowden, who worked only three months at the NSA outpost, physically removed so much classified material from a spy agency famous for strict security and hyper-secrecy.

It also raised fresh questions about the NSA’s failure to protect its classified networks three years after Pfc. Bradley Manning, an Army intelligence analyst in Iraq, moved hundreds of thousands of documents onto thumb drives and computer disks and transferred the data to the anti-secrecy website WikiLeaks.

Snowden, 29, worked for Booz Allen Hamilton as a computer systems administrator at the NSA’s Threat Operations Center, which opened early last year in the mountains of central Oahu. The technical position gave him wide access to the spy agency’s global computer networks and presumably a keen understanding of how they are monitored for unauthorized downloads.


“Of course, there are always exceptions” to the ban on portable storage devices, particularly for network administrators, a former NSA official said. “There are people who need to use thumb drives, and they have special permission. But when you use one, people always look at you funny.”

Robert S. Mueller III, the FBI director, said Thursday that he expected Snowden to be arrested and prosecuted in this country. Snowden is believed to hiding in a private residence in Hong Kong.

“He is the subject of an ongoing criminal investigation,” Mueller told the House Judiciary Committee. “These disclosures have caused significant harm to our nation, and our safety. We are taking all necessary steps to hold this person responsible for these disclosures.”

Intelligence agencies are conducting a damage assessment to determine, among other things, how Snowden ransacked NSA servers without detection, and how to ensure no one else can.

“It’s clear that he attempted to go places that he was not authorized to go,” said Rep. Mike Rogers (R-Mich.), who chairs the House Intelligence Committee.

Rogers said the focus now was “to determine exactly what information he may have gotten.… But, candidly, nobody really knows the answer to that today.”

Snowden’s description to the South China Morning Post, a Hong Kong newspaper, of extensive NSA hacking in China “goes beyond his original” aim to expose surveillance on Americans, Rogers said.

It raises the question of whether Snowden has “a relationship with a foreign government,” the congressman said.

Snowden acknowledged Sunday that he gave two news organizations details of secret NSA programs that collect millions of calling records every day from U.S. telephone companies, and a separate program to obtain emails and other online data from nine major Internet and technology companies, but he did not say how he had transferred the data.

Officials said they still didn’t know how Snowden copied an order marked “Top Secret” from the Foreign Intelligence Surveillance Court or a highly classified directive from President Obama authorizing a potential target list for cyber attacks. Neither document would be widely shared or normally available to a low-level NSA employee.

A larger number of NSA employees and contractors might have access to a PowerPoint slide show on PRISM, the Internet program. Snowden said he provided the slides to the Washington Post and Britain’s Guardian newspaper.

“There is a certain level of information that is not specific to a mission, but helps people who work there understand how the place functions,” the former NSA official said.

The Pentagon, which includes the NSA, banned connecting thumb drives and other portable storage devices to classified computers after malicious software was discovered on the military’s classified network in October 2008.

The chief suspect was Russian intelligence, and investigators determined that the malware was introduced through a corrupted thumb drive. The years-long effort to clean up the system was code-named Operation Buckshot Yankee. Many of the external drives on Defense Department computers were disabled.

After the Manning case in 2010, “there was a lot of focus on this type of insider threat,” the former official said. “If it is still easy to use a thumb drive, that is a major problem.”

Manning is undergoing a court-martial near the NSA headquarters at Ft. Meade, Md., on charges of aiding the enemy and violating the Espionage Act. He has pleaded guilty to 10 counts of misusing classified information.

House members pressed Mueller on whether the programs exposed by Snowden were overly broad. Rep. John Conyers Jr. (D-Mich.) said he planned to introduce legislation to sharply narrow the NSA’s ability to collect data on Americans.

Mueller defended the secret collections, saying judges, Congress and the Department of Justice inspector general’s office all approved the programs.