NSA’s Latest Leak Debacle Explained

No Intelligence Community leaker has ever been unmasked and arrested this fast—here’s why

Yesterday began splendidly for The Intercept, the online news outlet which specializes in leaking the secrets of Western intelligence. They had a genuine bombshell on their hands—a current above-Top Secret document from the National Security Agency, which is that outlet’s preeminent bugbear. Moreover, the intelligence report The Intercept got its hands on deals with the hottest topic in Washington these days: Russian meddling in last year’s election.

The highly classified report was published by NSA only on May 5, after months of analysis, and its wordy title indicates its importance:

Russia/Cybersecurity: Main Intelligence Directorate Cyber Actors [Redacted] Target U.S. Companies and Local U.S. Government Officials Using Voter Registration-Themed Emails, Spoof Election-Related Products and Services, Research Absentee Ballot Email Addresses; August to November 2016 (TS//SI//OC//REL to US, FVEY//FISA)

Translated into normal English, this NSA signals intelligence study of cyber-espionage by the Russian General Staff’s Main Intelligence Directorate (GRU for short) demonstrates that Kremlin agents indeed attempted to covertly influence last year’s presidential election—precisely as Hillary Clinton and her backers have insisted. The political import of this leak is therefore genuinely massive.

The report’s high classification further indicates that this is a special NSA assessment worthy of attention. To translate it:

TS = Top Secret, the highest classification level in the Intelligence Community

SI = Special Intelligence, meaning this information was derived from SIGINT intercepts

OC = Originator Controlled, meaning this report cannot be disseminated or released without NSA’s permission

REL to USA, FVEY = This report can be released to Americans and other members of the Five Eyes intelligence alliance (Britain, Canada, Australia, and New Zealand), assuming those individuals have the appropriate clearances

FISA = This report contains information obtained under the Foreign Intelligence Surveillance Act, meaning a classified warrant was issued to spy on American(s)

The substance of what The Intercept reported leaves no doubt that GRU made serious efforts last summer and fall to influence our election. In particular, as part of a coordinated covert campaign against our political system, Kremlin cyber-agents sent spear-phishing emails to more than 100 local election officials just days before the November 8 election. At a minimum, this NSA assessment establishes that Vladimir Putin’s recent claim that his government “never engaged” in hacking Western elections was a bald-faced lie.

Although the leaked NSA report doesn’t attempt to assess how much influence this GRU operation had on the election of Donald Trump as our 45th president, it leaves little doubt that Kremlin meddling may have tainted the integrity of that election. Small wonder that The Intercept’s SIGINT scoop was the talk of Washington—and social media—by midday Monday.

However, that elation proved short-lived, since yesterday afternoon the Department of Justice issued a press release announcing the arrest of the very person who had leaked the above-Top Secret NSA report which The Intercept had posted only hours before. Here the spy-catchers got Monday’s real bombshell scoop. Although the DoJ press release did not state that the person in custody was the leaker, quick analysis of the case left no room for doubt.

Taken into custody was the improbably named Reality Winner, a 25-year-old defense contractor assigned to what DoJ politely termed “a U.S. Government agency facility in Georgia.” In fact, Winner was assigned to NSA Georgia, an intelligence site administered by the U.S. Army for NSA, located on Fort Gordon in Augusta. This is a major operation, little known to the public, which employs some 4,000 people – military, civilian, and contractors like Winner.

Winner’s motivation in leaking the NSA report hasn’t yet been ascertained, but examination of her social media output reveals a collection of trendy left-wing views plus a loathing for President Trump. A former U.S. Air Force linguist with Top Secret security clearances, she was hired only this February to work for Pluribus International Corporation, a defense contractor which provides workers at numerous Defense Department and Intelligence Community facilities. Here she followed a customary pattern: a young person with intelligence skills and security clearances obtained in uniform accepting a far more lucrative position—often doubling her salary at least—doing essentially the exact same job she did while in the Air Force.

Whatever her motivations for leaking that NSA report, Winner’s tradecraft was thoroughly inept. According to the FBI affidavit, she emailed The Intercept from her NSA unclassified computer system—notwithstanding that such systems are clearly marked with a sticker cautioning users that they consent to employer monitoring by logging on.

On May 9, Winner searched NSA’s internal computer network, which contains highly classified intelligence, and found the just-issued report about GRU cyber shenanigans, printed it off, snuck it out of her office, and mailed it to The Intercept. She thereby left an easily found audit trail, since NSA tracks all printing off classified systems, plus Winner was one of only six people in the whole agency who printed that particular report.

Her downfall came on May 30, when representatives of The Intercept approached NSA, seeking comment on their hot scoop based on a stolen NSA report. The agency, true to form, declined to comment, but by showing NSA the purloined assessment, the inept muckrakers sealed Winner’s fate.

This is because the agency can easily determine exactly where and when a document was printed inside any NSA office worldwide. Quick analysis revealed a very short list of suspects, and Winner was high on it. A search of Winner’s work IT systems by NSA investigators left no doubt that she was the leaker.

Following procedure, NSA counterintelligence informed the FBI that they had caught a leaker, and her case was referred to the Bureau on June 1 for arrest and prosecution. Just two days later, after she was taken into custody at her home in Augusta, Winner confessed to an FBI agent that she had improperly accessed the GRU report, printed it off, then mailed it to The Intercept. Winner’s future is grim, since the charge she faces, 18 U.S. Code § 793 (Gathering, transmitting or losing defense information), can bring up to 10 years in Federal prison.

Many questions arise from her case. Although she was caught with admirable celerity, NSA—and our whole Intelligence Community—must be asked if their security clearance process is functioning properly. Moreover, the “need to know” principle—once sacrosanct among spooks—has failed, yet again. Why was Winner, a linguist specializing in Iran and Afghanistan, able to access an above-Top Secret report on Russian cyber-espionage so effortlessly?

While we’re at it, why are so many IC jobs still being outsourced to pricey contractors, who constitute the lion’s share of our problem with leakers and turncoats of late? While Booz Allen Hamilton must be breathing a sigh of relief since Winner wasn’t their employee—unlike Edward Snowden and Harold Martin, NSA’s other recent miscreants—fundamental questions about overuse of unreliable defense contractors linger.

Regardless, Congress and the public have been energized by Reality Winner’s crime, and GRU cyber-meddling in our 2016 election is an issue which now must be addressed as a core part of KremlinGate. Perhaps that fact will comfort Winner in prison. But the real prize goes to The Intercept, which outed its golden source inside NSA in record time. Nobody in our Intelligence Community has ever been arrested for leaking spy secrets even before the leak goes public. That’s a record which seems likely to stand the test of time.

John Schindler is a security expert and former National Security Agency analyst and counterintelligence officer. A specialist in espionage and terrorism, he’s also been a Navy officer and a War College professor. He’s published four books and is on Twitter at @20committee.