U.S. intelligence officials are investigating the possibility that recent leaks of sensitive National Security Agency hacking tools did not stem from the alleged theft of classified materials by a Pentagon contractor whose arrest was made public this week.
Current and former U.S. officials briefed on the matter told NBC News that investigators so far have found no evidence that Harold T. Martin III, a Maryland resident who was charged with taking home reams of documents from his Top Secret job inside the NSA, sold or distributed the material. They haven't ruled it out, however, and they are looking into whether his home computers could have been hacked.
Still, officials say they are examining other possibilities to explain the recent leaks, which seem to have originated well after Edward Snowden began his forced exile in Russia three years ago. One is that there could be a third, still unidentified government insider stealing classified information. Another is that the leaks were the result of one of the NSA’s own hackers being sloppy or careless about hiding his tools, which were then swiped by an outside party.
"There probably is another person, but it's probably more innocuous than the other two cases," one former senior official told NBC News. He added that it likely stemmed from "incompetence and complacency." The material leaked, he said, was "not the Holy Grail -- it was a byproduct of the Holy Grail."
Nearly all NSA hacking tools are on the internet, the official said, if you know where to look. "We hide in the noise," he said. The theory, he added, is that a government hacker left his tools in a place where others could find them -- for example, on a non-NSA server.
The current and former officials say the leaks in question include a suite of NSA hacking tools put up for sale in August by a group identifying itself as the Shadow Brokers. Snowden himself tweeted in August that Russia may have had a hand in that disclosure.
The investigation into the leaks led the FBI to Martin, who had been taking home classified documents for many years, officials say. His motives have not been established.
Whether or not he distributed the material he allegedly took, the Martin case raises enormous questions -- and is provoking internal soul-searching -- about security at the nation's digital spy agency, current and former officials say.
The former senior official told NBC News there were debates at NSA over the years about how far to go in monitoring employees and contractors, and the decision often went in the direction of respecting the privacy of employees.
For example, the former official said, officials opted not to track every time an employee entered and left the building to determine whereabouts.
"You can't have too much Big Brother," a current intelligence official said, without noting the irony that he was speaking about an agency criticized for snooping on innocent Americans.
In hindsight, the former official said, the NSA should have done more on security and counterintelligence. At the same time, the current official said, there is broad recognition that the likelihood of leaks and unauthorized disclosures has risen significantly in a world where trust in institutions is plummeting.
Many new security procedures were implemented after the Snowden leaks, but those procedures somehow didn't immediately snare Martin. One official cautioned, however, that he may have taken most of the classified material home before the Snowden affair.
Not every keystroke by every NSA employee is monitored, officials said, nor is every person searched every day when leaving the facility. Thumb drives and other portable devices are largely prohibited, but there are many exceptions for many reasons. Employees who are deployed can take classified laptops with them.
Ken Dilanian is a correspondent covering intelligence and national security for the NBC News Investigative Unit.