A jury has awarded a former security analyst for Sandia National Laboratories $4.7m after he was fired for conducting his own investigation into computer attacks and taking his findings to authorities of a separate agency.
The judgment was more than twice the amount sought by Shawn Carpenter, who was dismissed by Sandia in January, 2005, according (http://www.fcw.com/article97661-02-13-07-Web) to FCW.com and other news outlets. The jury said the termination was "malicious, willful, reckless, wanton, fraudulent or in bad faith."
Carpenter initiated his investigation after detecting attacks on Sandia's network that originated from China, Romania, Italy and other countries and have come to be known as Titan Rain. After learning that similar attacks had been unleashed on Army bases and US contractors, Carpenter asked his superiors for permission to reverse-engineer the hacks so he could track down the perpetrators. His request was denied.
But Carpenter investigated them anyway, partly at the request of the FBI. When Sandia officials caught wind of the unsanctioned probe, Carpenter was fired.
A spokesman told us Sandia officials are disappointed and are considering whether to appeal. But he declined our request to discuss, even in the most general terms, their policies relating to the investigation of attacks that target their networks.
The episode underscores the morass confronting those trying to secure some of the world's most sensitive networks. Limited resources and bureaucratic rivalries have long been a challenge in reining in organized crime and espionage, and the growing wave of ever more sophisticated computer-generated rackets is making matters worse.
Notwithstanding some high-profile convictions against botnet ringleaders and other cybercrooks, much of the enforcement these days comes from self-appointed take-down groups such as PIRT (http://www.castlecops.com/pirt) (Phishing Incident Reporting and Termination), manned by individuals who donate their time and resources to help eliminate online menaces.
Philip Davis, an attorney who represented Carpenter, told PCWorld (http://www.pcworld.com/article/id,129067-c,legalissues/article.html) the verdict was a "vindication of his decision to do the right thing and turn over the information he obtained to the proper federal authorities in the interests of national security". ®
Subscribe to:
Post Comments (Atom)
1 comment:
I've worked here for over ten years, and it has been bad ever since Lockheed took over. They are a bunch of incompetent managers that only care about the money. I was happy when he won. This article was in the local news here.
Wednesday, February 14, 2007
Sandia Hacker Gets $4 Million
By Scott Sandlin
Copyright © 2007 Albuquerque Journal; Journal Staff Writer
A jury delivered a strong— and expensive— message to Sandia National Laboratories on Tuesday, awarding more than $4 million to a cybersecurity analyst who was fired after going "over the fence" to the FBI with information about national security breaches.
The 13-person state district court jury determined that Sandia's handling of Shawn Carpenter's termination was "malicious, willful, reckless, wanton, fraudulent or in bad faith."
"If they (Sandia) have an interest in protecting us, they certainly didn't show it with the way they handled Shawn," said juror Ed Dzienis, a television editor.
The verdict was a "clear and unambiguous" message to Sandia and other contractors "that the national security, and not the interest of the corporation, is and must always be their primary concern," Carpenter attorney Phil Davis said.
Jurors awarded Carpenter $387,537 in lost wages, benefits and damages for emotional distress resulting from his January 2005 firing by Sandia Corp., which operates the lab.
But the jury's big message was in the punitive damages.
Jurors, after hearing a week of testimony before Judge Linda Vanzi, more than doubled the $2 million requested by Carpenter attorneys Thad Guyer, Stephani Ayers and Davis.
Carpenter, whose job involved finding breaches in Sandia's computer networks, followed the trail of computer hackers around the globe in the latter half of 2004. His "backhacking" discovered stolen documents about troop movements, body armor and more, but he testified that his bosses told him to concern himself only with Sandia.
After agonizing discussions with his wife, then a Sandia researcher and later a White House fellow, he instead reached out almost immediately to the Army Research Laboratory. He eventually was passed to the FBI and shared his findings with that agency during a series of meetings, some of which he recorded.
Although Carpenter had told line supervisors he was working with an unspecified outside agency, Sandia fully learned of his work when the FBI talked to Sandia counterintelligence. Less than three months later, Sandia officials fired him after meetings in which no minutes were taken and no record made until after the fact.
Jury forewoman Alex Scott said jurors were upset by the lack of documentation of that process and by the "reckless behavior on the part of Sandia to not have adequate policies in place for employees about hacking, and the cavalier attitude about national security and global security."
Jurors were not unanimous, however. The civil jury required 10 of 13 to vote on a question before moving to the next one. Juror Elizabeth Bornholdt, a retired home economist, said she did not believe Carpenter had done all he could to secure authorization for backhacking before going outside Sandia with the information. She said the case wasn't as "cut and dried" as some jurors saw it.
She voted against liability for Sandia, but even she said the corporation had been "lax" about following up when Carpenter told his supervisors that he was working with an outside agency. And she said top management "didn't seem to know what was going on."
Juror David Miertschin, an architect, said he found "egregious" the comments made by Sandia counterintelligence chief Bruce Held during a meeting to decide Carpenter's fate.
Held told Carpenter that if he'd been working for him and had done such unauthorized work, he would have been "decapitated, or at least would have left the room bloody." Held said the comment was a relic of his earlier CIA career and he was reprimanded for it, but Miertschin said he was disturbed by how Held and subsequent witnesses minimized the comments.
The special verdict form submitted to the jury does not disclose the numerical breakdown of the vote.
Carpenter cried as the verdict was read.
Jurors later hugged Carpenter as he joined his lawyers in the jury room.
Sandia released a statement saying an appeal is under consideration.
"We are disappointed with the verdict but still maintain that when employees step beyond clear boundaries in a national security setting, there should be consequences," Sandia spokesman Michael Padilla said.
Carpenter, now working with a top-secret clearance for a State Department contractor in the Washington, D.C., area, said he felt a powerful sense of exoneration. But even before the verdict, he said he would be happy to have had his day in court.
"The point for us all along was this is bad for the country to have contractors like Sandia Corp. behaving this way— with impunity," said his wife, Jennifer Jacobs, a nuclear engineer and West Point graduate who testified in the trial.
"And if other citizens don't do this, it's the beginning of the end for our country. That's what we kept coming back to: This is what we have to do, because it's what we expect of others."
Post a Comment