Ex-NSA staffer jailed for taking malware work home - where it was detected by his Kaspersky anti-virus software

Five-and-a-half years for Nghia Hoang Pho for taking top-secret NSA malware home

A National Security Agency (NSA) staffer has been jailed for inadvertently allowing NSA malware to be leaked to Kaspersky Lab.

Nghia Hoang Pho took the files - which included NSA malware tools - home to work on them in the hope, he says, of winning promotion. However, the files were detected by the anti-virus software the 68-year-old NSA employee was running on his home PC, and exfiltrated back to Kaspersky Lab's base for analysis.

Pho was the source of claims back in October 2017 that Kaspersky's anti-virus software network had been used to identify and exfiltrate NSA malware. That malware was identified as Equation Group malware - a family of nation-state malware believed to have been created by the NSA.

Kaspersky claims its software was doing nothing that every other anti-virus package doesn't also do - uploading suspicious files identified during routine PC anti-virus scans for analysis by security specialists back at base.

Following an internal inquiry, Kaspersky co-founder Eugene Kaspersky admitted that the company had almost immediately recognised the significance of the exfiltrated files and a decision was made at a high level in the company to delete the archived files.

Nevertheless, in the aftermath of the furore, Kaspersky's software was banned from US government computers, while security agencies also urged big business in the US to ditch Kaspersky. The company has also shifted certain security operations out of Russia in a bid to further protect users.

"Removing and retaining such highly classified material displays a total disregard of Pho's oath and promise to protect our nation's national security," said Maryland district attorney Robert Hur, sentencing Pho.

"As a result of his actions, Pho compromised some of our country's most closely held types of intelligence, and forced NSA to abandon important initiatives to protect itself and its operational capabilities, at great economic and operational cost."

While five-and-a-half years inside one of America's correctional institutes might seem like hard luck for a guy who only wanted promotion, it's less than the maximum punishment of 10 years and lower than the eight years prosecutors wanted for Pho.
