WASHINGTON -- Former National Security Agency contract employee Edward Snowden used a computer thumb drive to smuggle highly classified documents out of an NSA facility in Hawaii, using a portable digital device supposedly barred inside the cyber spying agency, U.S. officials said.
Investigators “know how many documents he downloaded and what server he took them from,” said one official who would not be named while speaking about the ongoing investigation.
Snowden worked as a system administrator, a technical job that gave him wide access to NSA computer networks and presumably a keen understanding of how those networks are monitored for unauthorized downloads.
“Of course, there are always exceptions” to the thumb drive ban, a former NSA official said, particularly for network administrators. “There are people who need to use a thumb drive and they have special permission. But when you use one, people always look at you funny.”
FBI Director Robert Mueller III said Thursday that he expects Snowden to be arrested and prosecuted in this country.
“He is the subject of an ongoing criminal investigation,” Mueller told a House hearing. “We are taking all necessary steps to hold this person responsible for these disclosures.”
Confirmation of a thumb drive solved one of the central mysteries in the case: how Snowden, who worked for contracting giant Booz Allen Hamilton, physically removed classified material from a spy agency famous for strict security and ultra-secrecy.
He acknowledged on Sunday that he gave two news organizations details of secret NSA surveillance programs on telephones and the Internet, but did not say how he had transferred the data. He is believed to be hiding in Hong Kong.
Officials said they still don’t know how Snowden got access to an order marked “Top Secret” from the Foreign Intelligence Surveillance Court, or a highly classified directive from President Obama authorizing a military target list for cyber attacks. Neither document would be widely shared, or normally available to a low-level NSA employee.
A larger number of NSA employees and contractors might have access to a PowerPoint slide show on PRISM, which uses online data from nine U.S. Internet and technology companies. Snowden said he provided the slides to the Washington Post and The Guardian.
“There is a certain level of information that is not specific to a mission, but helps people who work there understand how the place functions,” the former NSA operator said.
The Pentagon, which includes the NSA, banned connecting thumb drives and other portable storage devices to classified computers after malicious software was discovered on the military’s classified network in October 2008.
The chief suspect was Russian intelligence, and investigators determined that the malware was introduced through a corrupted thumb drive. The years-long effort to clean up the system was code-named Operation Buckshot Yankee. Many of the external drives on Defense Department computers were disabled.
Two years later, Army Pfc. Bradley Manning, an intelligence analyst in Iraq, downloaded hundreds of thousands of classified documents onto thumb drives and computer discs, and transferred the data to the anti-secrecy website WikiLeaks.
After that, “there was a lot of focus on this type of insider threat,” the former operator said. “If it is still easy to use a thumb drive, that is a major problem.”
Manning is on trial at Fort Meade, Md., on charges of aiding America’s enemies. If convicted, he could be sentenced to life in prison. He already has pleaded guilty to 10 lesser counts.
In testimony Wednesday, NSA director Gen. Keith Alexander acknowledged “grave concerns” about Snowden’s access to so many secret programs and documents.
“In this case, this individual was a system administrator with access to key parts of the network,” he said. “That is of serious concern to us and something that we have to fix.”