HOUSE_OVERSIGHT_020187.jpg
Extracted Text (OCR)
By late July, NSA investigators made their initial assessment. They determined that most of the
material had been taken from sealed-off areas, known in intelligence-speak as “compartments,”
which in this case were files stored on computers that were isolated from any network. Each
compartment electronically tracked in its logs all the activity that occurred in it, including the
password identity of any person who gained entry to it. From a forensic
examination of these logs, NSA investigators were quickly able to reconstruct the timeline of the
theft. The logs showed that an unauthorized party had begun copying files in mid-April, which
was just days after Snowden began his job at the Center. The illicit activity ended just
before Snowden’s last day of work there. So this piece fit in with Snowden’s guilt.
The size of the theft was another matter. Ledgett was certainly in a position to know. Not only
had he been in charge of the National Threat Center at the time of the Snowden breach, but he
personally supervised the NSA’s damage assessment team. And, in the shake-up that
followed, he would replace Inglis as Deputy Director of the NSA. According to Ledgett, the
perpetrator, moving from compartment to compartment, had “touched” 1.7 million documents.
Of these “touched” documents, according to the analysis of the logs, more than one million
were moved in mid-May by the unauthorized party to an auxiliary computer intended to be
used for temporary storage by authorized service personnel. Finally, the data was transferred
from this auxiliary computer to thumb drives. This download occurred just days before Snowden
left the NSA on May 17, 2013, having told the agency that he needed a leave of absence to
undergo medical treatment in Japan. The FBI further established from airport records that
Snowden flew to Hong Kong the next day, presumably with thumb drives containing, by the
government’s calculation, over one million documents.
To be sure, the quantity of stolen documents does not necessarily reveal the damage, and can
itself be misleading. Many documents do not reveal current or known sources or methods,
and others may have little value to an enemy. And a large portion of the 1.7 million documents
may have been duplications. But the quality of some of these documents is another matter. Just
one document that exposed a source or method of which enemies are unaware can be of immense
value. For example, one of the missing documents taken by Snowden provided what Ledgett
called “a roadmap” to the NSA’s current secret operations. That single document would reveal to
an adversary such as Russia, China or Iran, according to Ledgett, “what we know, what we don’t
know, and, implicitly, a way to protect themselves.” And there were many documents in the
Snowden breach that met these criteria, according to a National Security official at the Obama
White House.
The breach had happened on the watch of General Alexander, who headed both the NSA and
the US Cyber Command, in 2013. A short, compact man with military bearing, Alexander closely
followed the investigation as it developed over the summer of 2013. By then, of course, the whole
world knew that Snowden had stolen a vast trove of NSA documents. But General Alexander
saw major inconsistencies developing between Snowden’s own account of the theft and what had
Extracted Information
Document Details
| Filename | HOUSE_OVERSIGHT_020187.jpg |
| File Size | 0.0 KB |
| OCR Confidence | 85.0% |
| Has Readable Text | Yes |
| Text Length | 3,441 characters |
| Indexed | 2026-02-04T16:40:49.891641 |