The residents of Colorado Springs awoke this morning to the surprising news that their neighbor, Jareh Sebastian Dalke, was in federal custody and was facing three felony counts associated with violations of the Espionage Act by attempting to transmit national defense information to an officer or agent of a foreign government.
The criminal complaint, prepared by the counterintelligence division within FBI Denver field office, details Dalke’s perfidy. Between August 1 and September 26, Dalke who was a former employee of the National Security Agency (NSA), used a “particular email account” (the description of the email account would lead one to believe “proton mail” was being used by Dalke.) to volunteer and then continue to communicate to an FBI online covert employee (OCE), thinking the OCE represented an unidentified foreign government, “a country with many interests that are adverse to the United States.” Over the course of the eight weeks, Dalke, sent “excerpts and full documents” which had classification markings associated with three separate government agencies to the foreign government’s representative, the OCE.
Interestingly, Dalke’s tenure may be one of the shortest in the history of the NSA, as he entered on duty on June 6 this year, and he resigned on July 1, less than a month later. His reasoning for departing? He had a family emergency in Colorado to attend to, and he expected it would take approximately nine months. He resigned and anticipated reapplying in the future and being rehired.
In June, upon entering on duty at the NSA, Dalke was assigned as a “information system security designer” at an agency location in the Washington D.C. metro area. As an NSA civilian employee, Dalke was required to have a Top Secret national security clearance with SCI (special compartmented information) access to highly classified programs.
NSA insider risk program failure
Ask any insider risk management program manager, and they will tell you that the majority of purposeful theft of data from an employer occurs within the 90 days prior to the individual’s departure. Dalke printed documents over the course of a week, beginning on June 17, two weeks prior to his departure. Do new employees to NSA have a probation period during which they are more closely monitored? Does the insider threat risk management program at NSA monitor employee behavior within its network for anomalous access in violation of the need-to-know principles? Did Dalke limit his theft of classified documents to that which he had natural access? When Dalke gave his notice, a few days before his departure, was there a review of his network activities within the NSA during his 28 days of employ, or was the notification from the FBI that they were in possession of classified material which appears to have originated within NSA?
The paper trail
The NSA digital forensic inspection of their system logs pertaining to the initial three documents that the OCE had received from Dalke showed to the inspectors that, “Dalke was the only NSA employee to have printed all of these documents.” Clearly, when Dalke was printing these documents at NSA during his period of employment, he was unaware of the Reality Winner case. She too printed out a classified document and the forensic investigation showed that she was one of a handful of individuals who had printed out the classified document.
Motivation to commit espionage
Given that Dalke was with the NSA for less than a month, it is hard to fathom that his actions were driven by anything other than greed, financial need, or a little of both. In late August, Dalke told the OCE that he was in debt to the tune of $237,000 of which $93,000 was coming due. Dalke’s request for $85,000 was to help him with that payment. He noted to the OCE that his access was to the information of specific interest to the government the OCE represented.
The reality was, Dalke had no access, though he had reapplied for a position within NSA with a start date in the late-spring of 2023 and had been contacted by an NSA recruiter who was unaware of the counterespionage investigation of Dalke.
The money trail
Clearly, Dalke wanted to be paid for the classified information he was sharing. On August 9 Dalke provided a cryptocurrency address to the OCE for payment for the classified information he had provided. (Jonathan Toebbe had used this same methodology to accept payments from the “foreign government.”)
The OCE agreed and the payment from the FBI landed in Dalke’s cryptocurrency account. Shortly after receiving the payment, Dalke deposited a like amount in the “exchange account” which then converted the cryptocurrency into dollars, and finally withdrew the amount. Three days later, he deposits the same dollar amount into an account of a bank with branches in Colorado.
Dalke’s counterintelligence antenna
As in many cases where impersonal communication is being used, the individual committing the crime isn’t sure with whom they are engaging and thus attempt to create a circumstance that allows for verification and peace of mind. We saw this in the Toebbe case where he demanded a signal be made at the Brazilian embassy.
Dalke was no different. He asked that the OCE to “provide verification of the association with [a foreign government], through a posting on an official website or through a report in one of the “media services associated with the government.” Dalke explained that he had reached out via “multiple published channels to gain a response,” including the Russian foreign intelligence (SVR) TOR site, and given the multiple avenues of approach to initiate the relationship, he just wanted to make sure he knew with whom he was communicating.
Covert communications
In mid-September Dalke requested a covert and secure means to “digitally transfer additional sensitive information in Denver, CO.” He had, without revealing where he resided (Colorado Springs approximately, 70 miles from Denver), expressed an interest in traveling to Denver for this “transfer of sensitive information.” Dalke claimed that he purloined the information from the NSA. He proposed the electronic exchange meeting take place on either 28 or 29 September. Eventually, after much back and forth, the OCE told Dalke to be prepared to travel to the Denver area to conduct the covert communication exchange and transmit to the OCE the sensitive documents.
In an email, OCE provide Danke with “unique information Dalke would need to access the secure connection and instructed Dalke to go to the Union Station in downtown Denver, CO, on September 28, between 11:30 and 3:30 PM to complete the transmission. “
Dalke was arrested when he arrived in Denver to transmit the sensitive information.