A civilian NSA employee recently resigned after being stripped of his security clearance for allowing former agency contractor Edward Snowden to use his personal log-in credentials to access classified information, according to an agency memo obtained by NBC News.
In addition, an active duty member of the U.S. military and a contractor have been barred from accessing National Security Agency facilities after they were "implicated" in actions that may have aided Snowden, the memo states. Their status is now being reviewed by their employers, the memo says.
The Feb. 10 memo, sent to congressional intelligence and judiciary committees this week, provides the first official account of a sweeping NSA internal inquiry aimed at identifying intelligence officials and contractors who may been responsible for one of the biggest security breaches in U.S. history. The memo is unclassified but labeled "for official use only."
"Unbeknownst to the civilian, Mr. Snowden was able to capture the password, allowing him even greater access to classified information."
While the memo's account is sketchy, it suggests that, contrary to Snowden's statements, he used an element of trickery to retrieve his trove of tens of thousands of classified documents: "At Snowden's request," the civilian NSA employee, who is not identified by name, entered his password onto Snowden's computer terminal, the memo states.
"Unbeknownst to the civilian, Mr. Snowden was able to capture the password, allowing him even greater access to classified information," the memo states.
The memo states that the civilian employee was unaware that Snowden "intended to unlawfully disclose classified information." Nevertheless, by sharing with Snowden his personal "public key infrastructure" certificate -- a system of highly secure credentials that provided greater access to NSA's internal computer system -- the employee "failed to comply with security obligations," the memo states. As a result, the employee's security clearance was revoked in November and the NSA has notified the Justice Department that he recently resigned. (A public key infrastructure certificate is a highly secure system of password and log-in exchanges designed to protect against unauthorized access to sensitive computer networks.)
The memo does not explain what actions the U.S. military member and the contractor took that caused them to lose their access to NSA facilities.
"Has anybody been disciplined at NSA for dropping the ball so badly?"
The Feb. 10 memo was signed by Ethan Bauman, the NSA's director of legislative affairs. It was sent to the congressional committees after repeated questions from senior members about whether the NSA intended to hold any of its employees accountable for the security lapses that enable Snowden to gain access to massive volumes of classified documents that he later leaked to the news media
"Has anybody been disciplined at NSA for dropping the ball so badly?" Senate Judiciary Committee Chairman Sen. Patrick Leahy, D-Vt., demanded of NSA Director Gen. Keith Alexander at a Dec. 11 hearing. Alexander at the time replied that the agency had three "cases" that "we're currently reviewing." (An NSA spokeswoman Vanee Vines declined comment Wednesday night, writing in an email: "I don't have anything for your story.")
The question of how Snowden was able to obtain as much classified material as he did while working at a remote NSA station in Hawaii has been the subject of intensive investigation by the U.S. intelligence community for months.
Reuters reporters Mark Hosenball and Warren Strobel reported in November that Snowden used login credential and passwords provided "unwittingly" by colleagues at the Hawaii spy base. The Reuters report said Snowden "may have persuaded between 20 and 25 fellow workers" to give him their passwords. But the NSA never publicly commented on that report and Snowden appeared to deny it during a public Google chat on Jan. 23.
"Was the privacy of your co-workers considered while you were stealing their log-in and password information?" Snowden was asked during the chat.
"With all due respect to Mark Hosenball, the Reuters report that put this out there was simply wrong," Snowden replied. "I never stole any passwords, nor did I trick an army of co-workers."
In response to a request for comment, Jesselyn Radack, a legal adviser to Snowden in the U.S., said, "Edward Snowden stands by his denial on Jan. 23. NSA has a documented history of scapegoating innocent employees for its own failures, … manufacturing evidence against them and misleading Congress."
Related: Snowden docs: British spies used sex, 'dirty tricks'
First published February 12 2014, 7:11 PM