Who’s actually to blame?
It doesn’t matter what IS he was running at home. It doesn’t matter what AV he was running and what it did with the malware.
The big question is why an agency like the NSA wasn’t running any form of data leak protection software or preventing anyone sticking a USB key into a company device to copy sensitive information onto it.
Hardly inspires confidence in their “security” abilities.