BelchSpeak


Sandia Cyber Warrior Awarded 4.7 Million

Shawn Carpenter has been awarded a 4.7 million dollar judgment in his wrongful termination suit against Sandia National Laboratories. Shawn was fired because he shared cyber security attack information with the FBI and Army over the objections of his supervisors.

From FCW here:

ALBUQUERQUE – Shawn Carpenter, who was fired by Sandia National Laboratories in January 2005 for conducting backhacking operations against intruders he discovered on Sandia networks, won a $4.3 million wrongful discharge suit against the labs today. Backhacking occurs when networks are attacked and someone on the hacked network responds with a counterhack or attack. 

Carpenter, who worked in Sandia’s computer security operations organization, started detecting attacks against Sandia networks in 2002. Carpenter brought the attacks to the attention of Sandia and other government agencies, including the Army Research Laboratory and the FBI.

Despite Carpenter’s discovery of widespread hacking from abroad against Sandia networks, the lab decided to rein him in.

In January 2005, Sandia terminated Carpenter for insubordination and for using Sandia information outside the lab.

Guyer said the $4.3 million in punitive damages and $350,000 for psychological stress that Carpenter won in the suit proves that Carpenter did the right thing with his backhacking, which Sandia had alleged violated the law. A panel of 13 jurors heard the case.

Guyer said Carpenter’s persistence in pursuing attackers in cyberspace despite Sandia’s increasing resistance makes him a true U.S. hero and a patriot.

I am unsure of the extent of this so-called “back-hacking.” Running port scans against multiple attacking hosts to determine a profile of the attacking machines is actually something that many security organizations do, although they don’t talk about it. This helps them to determine whether or not attacks are originating from botnets, worm-affected webservers or home PCs. Most of the security reports available from such companies as Symantec, LURHQ and Verisign employ some scanning techniques to profile attacking hosts.

I don’t know the details of the case, but I highly suspect that Carpenter used his own resources, or a university’s resources, to launch the probes against the attacking hosts. But if Shawn Carpenter used government equipment to do more than just port scanning and banner grabbing, Sandia may have been correct that it was illegal, but only technically.

But even so, Sandia should have been willing to cooperate in whatever way possible with the FBI and the Army to determine the source and scope of the attack.  Failing to do so, especially in the wake of the 9/11 attacks, showed extreme arrogance on the part of the elitists that head our Nuclear Labs.

Some familiar with the case are calling for jail time.  From PCWorld here:

Ira Winkler, an independent security consultant and author of Spies Among Us who has also written for Computerworld, said the verdict was “incredibly justified. Frankly, I think people [at Sandia] should go to jail” for ignoring some of the security issues that Carpenter was trying to highlight with his investigation.

I have been a huge critic of the fools that run Sandia and LANL as well.  I’m not too sure about jail time, but these managers at Sandia are not fit to manage the cyber security of a Burger King.  Why they continue to have jobs at the Nuclear Labs is beyond me.


2 thoughts on “Sandia Cyber Warrior Awarded 4.7 Million”

  • These people are fools. They’ve proven time and time again that they only care about the corporation, and not the country. They are given billions of taxpayer dollars every year to help protect our country. Here is the story the Albuquerque Journal ran the day after the verdict. They published daily coverage of the trial, and the behavior of Sandia officials is simply shocking. His wife evidently worked there too, and it sounds like they went after her also.

    URL: http://www.abqjournal.com/news/metro/537833metro02-14-07.htm

    Wednesday, February 14, 2007
    Sandia Hacker Gets $4 Million
    By Scott Sandlin
    Copyright © 2007 Albuquerque Journal; Journal Staff Writer
    A jury delivered a strong— and expensive— message to Sandia National Laboratories on Tuesday, awarding more than $4 million to a cybersecurity analyst who was fired after going “over the fence” to the FBI with information about national security breaches.
    The 13-person state district court jury determined that Sandia’s handling of Shawn Carpenter’s termination was “malicious, willful, reckless, wanton, fraudulent or in bad faith.”
    “If they (Sandia) have an interest in protecting us, they certainly didn’t show it with the way they handled Shawn,” said juror Ed Dzienis, a television editor.
    The verdict was a “clear and unambiguous” message to Sandia and other contractors “that the national security, and not the interest of the corporation, is and must always be their primary concern,” Carpenter attorney Phil Davis said.
    Jurors awarded Carpenter $387,537 in lost wages, benefits and damages for emotional distress resulting from his January 2005 firing by Sandia Corp., which operates the lab.
    But the jury’s big message was in the punitive damages.
    Jurors, after hearing a week of testimony before Judge Linda Vanzi, more than doubled the $2 million requested by Carpenter attorneys Thad Guyer, Stephani Ayers and Davis.
    Carpenter, whose job involved finding breaches in Sandia’s computer networks, followed the trail of computer hackers around the globe in the latter half of 2004. His “backhacking” discovered stolen documents about troop movements, body armor and more, but he testified that his bosses told him to concern himself only with Sandia.
    After agonizing discussions with his wife, then a Sandia researcher and later a White House fellow, he instead reached out almost immediately to the Army Research Laboratory. He eventually was passed to the FBI and shared his findings with that agency during a series of meetings, some of which he recorded.
    Although Carpenter had told line supervisors he was working with an unspecified outside agency, Sandia fully learned of his work when the FBI talked to Sandia counterintelligence. Less than three months later, Sandia officials fired him after meetings in which no minutes were taken and no record made until after the fact.
    Jury forewoman Alex Scott said jurors were upset by the lack of documentation of that process and by the “reckless behavior on the part of Sandia to not have adequate policies in place for employees about hacking, and the cavalier attitude about national security and global security.”
    Jurors were not unanimous, however. The civil jury required 10 of 13 to vote on a question before moving to the next one. Juror Elizabeth Bornholdt, a retired home economist, said she did not believe Carpenter had done all he could to secure authorization for backhacking before going outside Sandia with the information. She said the case wasn’t as “cut and dried” as some jurors saw it.
    She voted against liability for Sandia, but even she said the corporation had been “lax” about following up when Carpenter told his supervisors that he was working with an outside agency. And she said top management “didn’t seem to know what was going on.”
    Juror David Miertschin, an architect, said he found “egregious” the comments made by Sandia counterintelligence chief Bruce Held during a meeting to decide Carpenter’s fate.
    Held told Carpenter that if he’d been working for him and had done such unauthorized work, he would have been “decapitated, or at least would have left the room bloody.” Held said the comment was a relic of his earlier CIA career and he was reprimanded for it, but Miertschin said he was disturbed by how Held and subsequent witnesses minimized the comments.
    The special verdict form submitted to the jury does not disclose the numerical breakdown of the vote.
    Carpenter cried as the verdict was read.
    Jurors later hugged Carpenter as he joined his lawyers in the jury room.
    Sandia released a statement saying an appeal is under consideration.
    “We are disappointed with the verdict but still maintain that when employees step beyond clear boundaries in a national security setting, there should be consequences,” Sandia spokesman Michael Padilla said.
    Carpenter, now working with a top-secret clearance for a State Department contractor in the Washington, D.C., area, said he felt a powerful sense of exoneration. But even before the verdict, he said he would be happy to have had his day in court.
    “The point for us all along was this is bad for the country to have contractors like Sandia Corp. behaving this way— with impunity,” said his wife, Jennifer Jacobs, a nuclear engineer and West Point graduate who testified in the trial.
    “And if other citizens don’t do this, it’s the beginning of the end for our country. That’s what we kept coming back to: This is what we have to do, because it’s what we expect of others.”

  • “We are disappointed with the verdict but still maintain that when employees step beyond clear boundaries in a national security setting, there should be consequences,” Sandia spokesman Michael Padilla said.

    Yeah, they still don’t get it, do they? Working with the FBI and the Army is exactly what you do in a “national security setting.” Refusing to collaborate is what the country did BEFORE 9-11.

    The democrats in control of congress are looking for a whipping boy to show that they are strong on National Security. Let’s hope they focus on Sandia. There are plenty of other contractors that can handle the nuclear labs, provide security, and handle the situation with more class.
