NSA contractor arrested in biggest breach of U.S. secrets pleads guilty

Harold T. Martin III, who worked in the NSA’s Tailored Access Operations hacking unit, admitted his guilt more than two years after his arrest in what may be the biggest breach of classified information in history. FBI agents who swarmed his modest home south of Baltimore in 2016 found stacks of documents and electronic storage devices stashed in his car, home and even a garden shed.

But investigators never found proof that Martin, who was working on a doctorate in information systems at the time of his arrest, had shared the stolen secrets with anyone else, though there is evidence he may have considered doing so.

Wearing a gray jail jersey with white stripes and a neatly trimmed beard, Martin stood and answered the judge’s questions in a clear, calm voice. “It’s time we closed this Pandora’s box,” the defendant said at one point, his most extensive statement in court.

Martin pleaded guilty to one count of willful retention of defense information. Judge Richard D. Bennett said he would approve and impose the prescribed sentence, which was negotiated between prosecutors and defense lawyers. Sentencing was set for July.

His lawyers, James Wyda and Deborah Boardman, have argued that he was simply an eccentric hoarder who started taking work home and could not stop. “His actions were the product of mental illness. Not treason,” his lawyers said in a statement. They called him a “patriot” and said he was “deeply remorseful.”

Robert K. Hur, the U.S. attorney for Maryland, called the scale of the information taken by Martin “breathtaking in its scope” and said the nine-year sentence would be the longest ever imposed for illegal retention of secrets.

Poring over the piles of material they found in their searches, investigators were astonished to discover that for 20 years, Martin, known as Hal, had been carrying classified material out of the NSA and other security agencies where he had worked. At the time of his arrest, he was working for Booz Allen Hamilton — the same intelligence contractor that had employed Edward Snowden, who flew to Hong Kong in 2013 and gave journalists a large trove of NSA documents.

Along with the Snowden and Martin cases, another NSA worker, Nghia Pho, was sentenced in September to 5 1/2 years in prison after taking home secret material describing the agency’s hacking tools. Intelligence officials believe the tools and related documents were then stolen from Pho’s home computer by Russian hackers. A young NSA linguist named Reality Winner was sentenced in August to five years and three months for leaking a classified document on Russian election hacking to The Intercept, an online publication.

But perhaps the most damaging leak of all was discovered around the time of Martin’s arrest in August 2016, when a mysterious group calling itself the Shadow Brokers announced an online auction of a long list of software exploits the NSA used to break into foreign computer networks. The Shadow Brokers eventually made the stolen cyberweapons public, and other countries and criminal groups began using them for hacking and theft around the world.

FBI investigators focused on Martin after getting a tip from Kaspersky Lab, a Russian cybersecurity company. Two Kaspersky employees had gotten cryptic messages from Martin — calling himself “HAL999999999” — via Twitter that seemed to be offering secrets, as Politico first reported in January. The assistance was a bit ironic, because U.S. intelligence officials have sometimes accused Kaspersky of being too close to Russian intelligence, charges the company denies.

“Shelf life, three weeks,” Martin wrote in one of his cryptic texts, seeming to suggest that he was offering material on a time-limited basis.

But shortly after sending the messages, he blocked on Twitter the two Kaspersky employees he had just contacted, so they could not respond.

The FBI quickly linked the HAL999999999 Twitter account to Martin, and agents were soon searching his modest house in Glen Burnie, a Baltimore suburb. They discovered a staggering total of 50 terabytes of government data, a virtual library’s worth, much of it classified at a high level.

Investigators at first believed Martin might be the Shadow Brokers, who had posted their first announcement of their auction of NSA hacking tools a half-hour after Martin blocked the two Kaspersky workers on Twitter. They found the same NSA exploits in Martin’s vast collection of stolen material.

But the Shadow Brokers continued to post taunting manifestoes and stolen software for months after Martin was jailed. It appears the investigators eventually concluded that Martin was not the source of the Shadow Brokers’ material, at least not wittingly.

Government officials have never charged anyone in the Shadow Brokers breach, and speculation has centered on two possible perpetrators: Russian intelligence or disgruntled NSA insiders. If FBI and NSA security officers have made progress in solving the case, they have not said anything about it in public.

According to court filings, Martin first agreed to plead guilty in January 2018. But negotiations subsequently fell apart, and the plea came more than a year after it was first expected. Martin has been incarcerated since his arrest, and the 2 1/2 years he has served will be counted toward his sentence.

This article originally appeared in The New York Times.