United States v. Schulte

436 F.Supp.3d 698

UNITED STATES of America,

v.Joshua Adam SCHULTE, Defendant.

S2 17 Cr. 548 (PAC)

United States District Court, S.D. New York.

Signed January 29, 2020

Filed January 31, 2020

Matthew Joseph Laroche, David William Denton, Jr., Sidhardha Kamaraju, United States Attorney's Office Southern District of New York, New York, NY, Scott Kurtis McCulloch, U.S. Department of Justice, Washington, DC, for Plaintiff.

Sabrina P. Shroff, Law Offices of Sabrina P. Shroff, Sean Michael Maher, The Law Offices of Sean M. Maher, PPLC, James Matthew Branden, Law Office of James M. Branden, Lauren Martine Dolecki, Debevoise & Plimpton LLP, Edward S Zas, Matthew B. Larsen, New York, NY, Allegra Glashausser, Federal Defenders of New York, Inc., Brooklyn, NY, Defendant.

OPINION & ORDER

PAUL A. CROTTY, United States District Judge Defendant Joshua Schulte ("Defendant" or "Schulte") is charged in a fifteen-count superseding indictment with, inter alia , (1) three counts of violating 18 U.S.C. § 793, for theft of classified information from the Central Intelligence Agency ("CIA") and transmission of that information to WikiLeaks (Counts One through Three); (2) another count of violating § 793, for unlawful disclosure and attempted disclosure of classified information from the MCC (Count Four); (3) four counts of violating 18 U.S.C. §§ 641 and 1030, for unauthorized accessing of CIA computer systems and theft of classified information (Counts Five through Eight); (4) two counts of violating 18 U.S.C. §§ 1001 and 1503, for false statements made to the FBI during its investigation (Counts Nine and Ten); and (5) one count of violating 18 U.S.C. § 401(3), for violating the protective order (Count Eleven).

The Government moves for partial closure of the courtroom during the testimony of certain CIA witnesses who are expected to testify at trial and for additional witness security measures aimed at protecting these individuals' identities from public disclosure, (See Dkts. 199, 263.) The motion is granted.

BACKGROUND

I. Relevant Factual Allegations¹

Defendant Joshua Schulte, a former CIA employee, has been indicted for stealing national defense information and transmitting it to Wikileaks. At the CIA, Schulte worked within the Center for Cyber Intelligence ("CCI"), Engineering Development Group ("EDO"). His responsibilities included developing classified cyber tools, including tools that were designed to, among other things, covertly exfiltrate data from computers, While at the CIA, Schulte was a systems administrator of DEVLAN, the computer network used by EDO, DEVLAN included a suite of software known as Atlassian, which included programs: Confluence (EDG's Wikipedia-like page in which users could comment on work), Stash (the repository for, among other things, source code), Jira, Bamboo, and Crowd.

Beginning in the summer of 2015, Schulte began having significant problems at the CIA arising out of certain management actions and a feud with another EDG employee ("Employee-1"). The problems escalated in the fall of 2015 when Employee-1 emailed his Branch Supervisor complaining about Schulte's behavior at the CIA. Later that day, Schulte sent an email to the Branch Supervisor claiming that Employee-1 was abusive towards others in the workplace, and that Employee-1 had made a death threat against Schulte.

For Schulte, problems at the CIA workplace continued into 2016. He disagreed with actions taken by CIA management, such as the decision to enlist a contractor to build a tool that was similar to one Schulte was attempting to develop, Schulte raised concerns about the contractor potentially jeopardizing other tools and operations.

At the same time, Schulte's interpersonal issues with Employee-1 further deteriorated. Schulte complained to CCI security about the incidents with Employee-1, Eventually on March 23, 2016, Schulte sought a protective order against Employee-1 in state court. As a result of the feud, Schulte and Employee-1 were reassigned to new branches within EDO to separate them, Schulte complained that CIA management was retaliating against him because he had made a security complaint against Employee-1.

In April 2016, after changing branches, Schulte's administrative privileges to two projects overseen by the previous branch, Project-1 and Project-2, were revoked, Schulte confronted a server administrator ("Server Administrator-l") about Schulte's administrative privileges to Project-1, Server Administrator-1 informed Schulte that because Schulte had been moved to a different branch, Schulte no longer needed administrative privileges, Schulte disagreed, and claimed he was still supposed to work on projects that he had worked on in his prior branch and should have administrative privileges.

Schulte then falsely told Server Administrator-1 that the Branch Supervisor had approved reinstating Schulte's administrative privileges for Project-1, Server Administrator-1 reported that he would discuss Schulte's privileges with the Branch Supervisor. Unbeknownst to anyone in EDG, however, Schulte reinstated his own administrative privileges. Schulte's actions caused significant concern within CCI because they violated CIA policy and called into question whether Schulte could be trusted with classified information.

Following Schulte's reinstatement of his own privileges, CCI management tasked Server Administrator-1 and two other server administrators ("Server Administrator-2" and "Server Administrator-3") with removing all of Schulte's administrative privileges to DEVLAN, As part of their work, the Server Administrators changed the administrator passwords and removed administrative secure shell ("SSH") keys, which were a method that administrators used to access DEVLAN. In the process of deleting these keys, the Server Administrators inadvertently missed a key that Schulte possessed, which allowed Schulte to continue to access DEVLAN as an administrator and specifically, to access the Atlassian suite programs.

Schulte met with his Division Supervisor about reinstating his own administrative rights and he received a memo warning that stated "do not attempt to restore or provide yourself with administrative rights to any project and/or system for which they have been removed." Schulte signed the memo, acknowledging he understood its prohibitions. Immediately following this meeting with the Division Supervisor, Schulte began attempting to access various parts of DEVLAN as a system administrator, despite knowing he was prohibited from doing so, Schulte was able to access the DEVLAN system using the specific secure key that was inadvertently not deleted. Nevertheless, Schulte emailed his Division Supervisor and confirmed that all of his private keys with access had been destroyed or revoked.

On April 20, 2016, Schulte used this key to access DEVLAN without permission and steal repositories of CIA cyber tools and source code. Schulte subsequently transferred the information to Wikileaks. Schulte resigned from the CIA in November 2016.

On March 7, 2017, Wikileaks published the first installment in a series of leaks containing information from the CIA's system ("Vault 7 Leaks"), The leaks disclosed by Wikileaks contained information from Confluence and Stash, two programs housed on DEVLAN. The Vault 7 Leaks are the largest illegal disclosure of CIA information in the agency's history and have caused catastrophic damage to national security, The information published includes, Inter alia , information about EDG tools that had been stored in Stash and information from Confluence, The leaks were accompanied by a press release, in which Wikileaks claimed that the information had been given to Wikileaks by "a source who wished to raise policy questions that need to be debated in public, including whether the CIA's hacking capabilities exceeded its mandate powers and the problem of public oversight of the agency," The press release indicated that the source wanted to "initiate a public debate about the security, creation, use, proliferation, and democratic control of cyberweapons."

II. Procedural Background

On November 26, 2019, the Government Filed an in camera classified motion for witness protection measures pursuant to Section 6 of the Classified Information Procedures Act concerning witnesses from the CIA that will testify at trial. The motion was supported by an from the CIA [redacted]. The Government filed a letter publicly the same day stating that it had filed a motion seeking limited courtroom closure for certain CIA witnesses, (See Gov. Nov. 26, 2019 Letter, Dkt, 199.)

The Government seeks an order imposing protective measures aimed at preventing disclosure of the identities of certain CIA employees expected to testify at trial. The Government seeks different witness protection measures for different employees.² The Government is seeking partial closure of the courtroom for ten witnesses (together "Protected Witnesses"). (See Gov. Classified Witness Protection Mot., Nov. 26, 2019; Gov. Jan. 23, 2020 Letter, Dkt. 263.) Specifically, the Government seeks;

(1) Limited courtroom closure during protected witnesses' testimony, with only the parties, the jury, the defendant's family, and one pool reporter permitted in the courtroom. During this partial closure of the courtroom (1) a live feed of the testimony would be broadcast simultaneously to an adjoining courtroom, and (2) transcripts of the testimony to be released publicly as soon as feasible, which would typically be on the evening after the day of testimony.³

(2) Protected witnesses to use a non-public entrance to enter and exit the courtroom

(3) Certain CIA employees to testify under pseudonyms⁴ (4) Prohibition on sketching or other recording of their faces, and pixilation of any publicly released images of their faces

(5) Precluding cross-examination that would reveal aspects of the witnesses' true identities

In seeking closure, the Government filed supporting declarations [redacted]. Certain...