By Richard Esposito, Matthew Cole and Robert Windrem
Edward Snowden accessed some secret national security documents by assuming the electronic identities of top NSA officials, said intelligence sources.
"Every day, they are learning how brilliant [Snowden] was," said a former U.S. official with knowledge of the case. "This is why you don't hire brilliant people for jobs like this. You hire smart people. Brilliant people get you in trouble."
Snowden was a Honolulu-based employee of Booz Allen Hamilton, an NSA contractor. His job gave him system administrator privileges on the NSA's intranet, NSAnet. He reportedly used his privileges to download 20,000 documents.
The NSA still doesn't know exactly what Snowden took. But its forensic investigation has included trying to figure out which higher level officials Snowden impersonated online to access the most sensitive documents.
The NSA has as many as 40,000 employees. According to one intelligence official, the NSA is restricting its research to a much smaller group of individuals with access to sensitive documents. Investigators are looking for discrepancies between the real world actions of an NSA employee and the online activities linked to that person's computer user profile. For example, if an employee was on vacation while the on-line version of the employee was downloading a classified document, it might indicate that someone assumed the employee's identity.
The NSA has already identified several instances where Snowden borrowed someone else's user profile to access documents, said the official.
Each user profile on NSAnet includes a level of security clearance that determines what files the user can access. Like most NSA employees and contractors, Snowden had a "top secret" security clearance, meaning that under his own user profile he could access many classified documents. But some higher level NSA officials have higher levels of clearance that give them access to the most sensitive documents.
As a system administrator, according to intelligence officials, Snowden had the ability to create and modify user profiles for employees and contractors. He also had the ability to access NSAnet using those user profiles, meaning he could impersonate other users in order to access files. He borrowed the identities of users with higher level security clearances to grab sensitive documents.
Once Snowden had collected documents, his job description also gave him a right forbidden to other NSA employees– the right to download files from his computer to an external storage device. Snowden downloaded a reported 20,000 documents onto thumb drives before leaving Hawaii for Hong Kong on May 20.
Snowden's documents became the basis for a series of articles in the Guardian and the Washington Post detailing the extent of the U.S. government's collection of data and metadata on emails and phone calls.
"The damage, on a scale of 1 to 10, is a 12," said a former intelligence official.
The NSA declined to comment.
Snowden has been charged with theft and violations of the Espionage Act. He is now in Russia, where he has been granted temporary asylum.
Richard Esposito is the Senior Executive Producer for Investigations at NBC News. Matthew Cole is an investigative reporter at NBC News. He can be reached at firstname.lastname@example.org. Robert Windrem is an investigative reporter at NBC News. He can be reached at email@example.com.
More from NBC News Investigations:
- How Snowden did it
- US doesn't know what Snowden took, sources say
- Glenn Greenwald's partner detained by British security