Credit Patrick Semansky/Associated Press
WASHINGTON — The F.B.I. secretly arrested a National Security Agency contractor in recent weeks and is investigating whether he stole and disclosed highly classified computer code developed to hack into the networks of foreign governments, according to several senior law enforcement and intelligence officials.
The theft raises the embarrassing prospect that for the second time in three years, an insider has managed to steal highly damaging secret information from the N.S.A. In 2013, Edward J. Snowden, who was also a contractor for the agency, took a vast trove of documents that were later passed to journalists, exposing N.S.A. surveillance programs in the United States and abroad.
The contractor was identified as Harold T. Martin III, 51, of Glen Burnie, Md., according to a criminal complaint filed in late August. He was charged with theft of government property, and unauthorized removal or retention of classified documents. During an F.B.I. raid of his house, agents seized documents and digital information stored on electronic devices. A large percentage of the materials found in his house and car contained highly classified information.
At the time, F.B.I. agents interviewed Mr. Martin, and he initially denied having taken the documents and digital files. The agency later said he had stated that he knew he was not authorized to have the materials. According to the complaint, he told the agency that “he knew what he had done was wrong and that he should not have done it because he knew it was unauthorized.”
In a brief statement issued on Wednesday, lawyers for Mr. Martin said: “We have not seen any evidence. But what we know is that Hal Martin loves his family and his country. There is no evidence that he intended to betray his country.”
The information believed stolen by Mr. Martin — who like Mr. Snowden worked for the consulting firm Booz Allen Hamilton, which is responsible for building and operating many of the agency’s most sensitive cyberoperations — appears to be different in nature from Mr. Snowden’s theft.
Mr. Martin is suspected of taking the highly classified computer code developed by the agency to break into computer systems of adversaries like Russia, China, Iran and North Korea. Two officials said that some of the information the contractor is suspected of taking was dated.
Officials said Mr. Martin did not fit any of the usual profiles of an “insider threat,” and it is unclear whether he had political motives, as Mr. Snowden did when he exposed programs that he said violated the privacy of American citizens.
An administration official said the case had been handled secretively not in order “to keep this guy from becoming another N.S.A. martyr,” but because it was a continuing law enforcement case and the hope was that Mr. Martin would cooperate. The official said investigators suspected that Mr. Martin might have taken the material before Mr. Snowden’s actions became public.
The official said that at the moment it did not look like an espionage case, but added the caveat that it is a continuing investigation. At the same time, the official said that investigators think Mr. Martin is not politically motivated — “not like a Snowden or someone who believes that what we were doing was illegal and wanted to publicize that.”
Motivation is one of many unanswered questions about the case. It is not clear when and how the authorities first learned the contractor’s identity, when they believe he began taking information, or whether he passed it to people outside the government. It is also not known whether he is believed to be responsible for a leak of classified N.S.A. code attributed to a group calling itself the Shadow Brokers, or whether he had any role in a series of leaks of N.S.A. intercepts involving Japan, Germany and other countries that WikiLeaks has published since last year.
“We’re struggling to figure him out,” the official said, speaking on the condition of anonymity because no indictment has been publicly released.
Mr. Martin was charged in United States District Court in Baltimore. The government is allowed to charge people and bring them before a court in secret. That happens most often when defendants are cooperating or negotiating plea deals, or out of fear for their safety. But the secrecy could also indicate that the Justice Department requested it while analyzing the evidence, and that defense lawyers agreed.
For the N.S.A., which spent two years and hundreds of millions, if not billions, of dollars repairing the damage done by Mr. Snowden, a second insider leaking the agency’s information would be a devastating blow. The agency’s director, Adm. Michael Rogers, who previously ran the Navy’s Fleet Cyber Command, was brought in to restore the agency’s credibility, open it to more scrutiny and fix the problems that allowed Mr. Snowden to sweep up hundreds of thousands of documents.
Adm. Michael Rogers, the N.S.A. director, in March. Credit Jim Wilson/The New York Times
It is also a potential setback for the Obama administration, which has sustained a series of huge disclosures of classified information. Along with Mr. Snowden’s revelations, the antisecrecy group WikiLeaks in 2010 disclosed hundreds of thousands of State and Defense Department documents.
In response to those leaks, the administration has said it will crack down on the disclosures of classified information and that it has pursued more leak cases than all previous administrations combined.
The administration has prosecuted eight people for disclosing classified information to the news media, compared with three under all previous administrations. But the crackdown has sometimes backfired. Mr. Snowden, for example, has said he was inspired by the example of two previous leakers, Thomas Drake and Chelsea Manning, who claimed to have made disclosures to reveal government wrongdoing. The latest leak suggests again that the unprecedented string of prosecutions has not deterred all leaks.
Two former agency officials said that even as the Media Leaks Task Force, as the Snowden cleanup operation was called, was underway, there were rumors that a second insider was harvesting the agency’s most secret data. But many inside the agency thought the leaks were leftovers from the Snowden episode. Some C.I.A. officials, meanwhile, quietly speculated that the N.S.A. had a “mole,” which many inside the N.S.A. doubted.
It is also potentially devastating for Booz Allen, which has built much of its business on providing highly technical services to the N.S.A. and other intelligence agencies.
A spokesman for Booz Allen declined to comment on Wednesday.
As investigators look into Mr. Martin’s case, it is almost certain that they will focus on whether the contractor was behind a leak in August that exposed a collection of electronic tools used by the N.S.A. to break into networks around the world. That material, released by a group calling itself the Shadow Brokers, was thought by outside experts to have been obtained by hacking rather than from an insider. Now, in light of the arrest, that assumption may have to be revised. The code released by the Shadow Brokers was dated from 2013, meaning that it almost certainly has been overtaken by more recent code.
At the time of the Shadow Brokers release, many experts speculated that an N.S.A. operator had accidentally left some of the code on a computer server in a foreign nation — such servers are often used to hide the connection to the agency and to facilitate network break-ins — and that the code had been obtained by Russia.
Mr. Snowden, in exile in Russia, wrote on Twitter that “circumstantial evidence and conventional wisdom indicates Russian responsibility” for publishing the code. He interpreted it as a warning shot to the American government in case it was thinking of imposing sanctions against Russia in the cybertheft of documents from the Democratic National Committee.
At the time, the agency would not even return phone calls inquiring about the leak of the code, and froze out former employees with deep contacts in the agency. But in recent days officials said it was not clear that Russia was involved.
Bruce Schneier, an author on information security and fellow at Harvard’s Kennedy School, has tracked post-Snowden leaks from the N.S.A. and speculated about their possible source. But he had not heard that the government had identified any leaker.
Mr. Schneier noted that the agency has aggressively recruited in recent years at gatherings of young, tech-savvy programmers, including those who specialize in hacking. But officials have worried that the innovative free spirits they need to penetrate foreign computer systems may also include at least a few who are motivated by Mr. Snowden’s example. The current suspect, however, does not appear to fit that profile.
“I wouldn’t call it an epidemic,” Mr. Schneier said. “But there’s a handful of leaks that clearly did not come from Snowden.” He said events in recent years might both encourage and intimidate would-be leakers.
“On one side, there’s the inspiration of Snowden,” he said. “On the other, there’s the counterbalancing force of an agency coming down on you like a ton of bricks. Snowden is in exile. Manning is in prison.”
The tension between secrecy and public scrutiny at the nation’s biggest intelligence agency goes back decades. But since Mr. Snowden’s disclosures, and the rise of a sister military organization, United States Cyber Command, also led by Admiral Rogers, there has been a determined effort to speak more openly about the agency, its mission and the future of cyberconflict.
While the agency previously saw a few memos made public — in 2003, a linguist with its British equivalent was arrested after leaking to the news media a single N.S.A. memo calling for a “surge” of intercepts at the United Nations — it had not experienced a mass leak until Mr. Snowden’s disclosures. He used an inexpensive bit of software to sweep up data in the agency’s Hawaii networks, undetected. At the time, officials said that would not have been possible at Fort Meade, where data is far more protected. That claim will now come under far more scrutiny.