The Department of Justice (DOJ) announced the arrest of Mark Robert Unkenholz, an employee of the National Security Agency (NSA), who held a Top Secret/SCI national security clearance. Upon his arrest, the DOJ unsealed the 26-count indictment, which details the allegation against Unkenholz for the “willful transmission and retention of National Defense Information” (NDI).

Unkenholz

According to Unkenholz’s social network profile, he described himself as a “technical director” within the Department of Defense for the past 38-plus years. The indictment describes him as an NSA employee who was responsible for NSA’s engagement with private industry.

Transmission and retention of secrets

Unkenholz, an individual who has more than 30 years working within the classified environment, is charged with sharing Top Secret/SCI and Secret information with an individual, identified only as “R.F.”, via commercial email systems. More specifically, Unkenholz used his personal email account to transmit classified information to the business email account associated with “R.F.” while “R.F.” was employed at two separate companies between February 14, 2018 and June 1, 2020.

The indictment highlights, with precision, how the actions of Unkenholz, a trusted insider who “had lawful access to classified information relating to the national defense,” placed the shared classified information in accounts on three separate email systems which “were not authorized storage locations for classified NDI.”

The indictment also notes that while “R.F.” was a trusted individual with a national security clearance during their tenure at “Company 1” (April 2016-2019) and “Company 2” (July 2019-January 2021), “R.F.” was “not authorized to access or receive classified information.”

First take – insider threat realized

While the indictment highlights a multi-year relationship with “R.F.”, during which Unkenholz shared highly classified information with the individual via unclassified email channels, it does not highlight aspects that are important to the insider threat equation.

Unkenholz had to have lifted the information which he shared with “R.F.” from the NSA classified systems and exfiltrated it in an unidentified manner in order to share it via his personal email. We don’t know if Unkenholz stored it on an electronic device, took a photo of a screen, or printed it out. Regardless of the manner, from 2018-2021, he was able to extract classified information from within NSA.

At least three separate entities and their respective security teams are impacted by this event: NSA, as well as the two companies that employed “R.F.” “R.F.” had classified engagements at two different organizations that required a national security clearance.

How Unkenholz’s deceitfulness was discovered is not shared in the indictment.

  • It could have been “R.F.” sharing with the Facility Security Officer (FSO) at his most recent employer that he had accepted classified information in an inappropriate manner.
  • It may have been an email audit at Companies 1 or 2 which resulted in the discovery of classified information on their unclassified systems.
  • It could have been that a colleague at NSA noticed Unkenholz’s removal of classified information, or that Unkenholz self-reported.

What we do know is that Unkenholz had access to and contact with industry, and that the NSA office that communicates and liaises with industry has adequate and sufficiently secure channels of communication, so there is no need for an NSA employee to use personal email.

Now might be an excellent time for FSOs to remind their constituency of the appropriate handling of classified materials, using the Unkenholz indictment as a starting point. In addition, for those who have regular liaison with government entities, now is the time to remind all concerned that unauthorized communication channels, used for convenience and as workarounds, are not to be tolerated.

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com.