Tuesday, February 13, 2007

Sandia 'Back-Hacker' Wins $4.3M Judgment Against Sandia Labs - UPDATE

Bob Brewin writes on FCW.com:

Shawn Carpenter, who was fired by Sandia National Laboratories in January 2005 for conducting backhacking operations against intruders he discovered on Sandia networks, won a $4.3 million wrongful discharge suit against the labs today. Backhacking occurs when networks are attacked and someone on the hacked network responds with a counterhack or attack.

Carpenter, who worked in Sandia’s computer security operations organization, started detecting attacks against Sandia networks in 2002, according to court records in the 2nd District Court of New Mexico. Carpenter brought the attacks to the attention of Sandia and other government agencies, including the Army Research Laboratory and the FBI.

More here.

Background: "Titan Rain: The Invasion Of The Chinese"

UPDATE: 11:24 PST 02/15/2007: Time.com also has an update on this story here.

1 Comments:

At Sun Feb 25, 09:47:00 PM PST, Anonymous Anonymous said...

The Albuquerque Journal ran a series of stories during the trial. This story was top fold front page the day after the verdict:

URL: http://www.abqjournal.com/news/metro/537833metro02-14-07.htm


Wednesday, February 14, 2007
Sandia Hacker Gets $4 Million
By Scott Sandlin
Copyright © 2007 Albuquerque Journal; Journal Staff Writer
A jury delivered a strong— and expensive— message to Sandia National Laboratories on Tuesday, awarding more than $4 million to a cybersecurity analyst who was fired after going "over the fence" to the FBI with information about national security breaches.
The 13-person state district court jury determined that Sandia's handling of Shawn Carpenter's termination was "malicious, willful, reckless, wanton, fraudulent or in bad faith."
"If they (Sandia) have an interest in protecting us, they certainly didn't show it with the way they handled Shawn," said juror Ed Dzienis, a television editor.
The verdict was a "clear and unambiguous" message to Sandia and other contractors "that the national security, and not the interest of the corporation, is and must always be their primary concern," Carpenter attorney Phil Davis said.
Jurors awarded Carpenter $387,537 in lost wages, benefits and damages for emotional distress resulting from his January 2005 firing by Sandia Corp., which operates the lab.
But the jury's big message was in the punitive damages.
Jurors, after hearing a week of testimony before Judge Linda Vanzi, more than doubled the $2 million requested by Carpenter attorneys Thad Guyer, Stephani Ayers and Davis.
Carpenter, whose job involved finding breaches in Sandia's computer networks, followed the trail of computer hackers around the globe in the latter half of 2004. His "backhacking" discovered stolen documents about troop movements, body armor and more, but he testified that his bosses told him to concern himself only with Sandia.
After agonizing discussions with his wife, then a Sandia researcher and later a White House fellow, he instead reached out almost immediately to the Army Research Laboratory. He eventually was passed to the FBI and shared his findings with that agency during a series of meetings, some of which he recorded.
Although Carpenter had told line supervisors he was working with an unspecified outside agency, Sandia fully learned of his work when the FBI talked to Sandia counterintelligence. Less than three months later, Sandia officials fired him after meetings in which no minutes were taken and no record made until after the fact.
Jury forewoman Alex Scott said jurors were upset by the lack of documentation of that process and by the "reckless behavior on the part of Sandia to not have adequate policies in place for employees about hacking, and the cavalier attitude about national security and global security."
Jurors were not unanimous, however. The civil jury required 10 of 13 to vote on a question before moving to the next one. Juror Elizabeth Bornholdt, a retired home economist, said she did not believe Carpenter had done all he could to secure authorization for backhacking before going outside Sandia with the information. She said the case wasn't as "cut and dried" as some jurors saw it.
She voted against liability for Sandia, but even she said the corporation had been "lax" about following up when Carpenter told his supervisors that he was working with an outside agency. And she said top management "didn't seem to know what was going on."
Juror David Miertschin, an architect, said he found "egregious" the comments made by Sandia counterintelligence chief Bruce Held during a meeting to decide Carpenter's fate.
Held told Carpenter that if he'd been working for him and had done such unauthorized work, he would have been "decapitated, or at least would have left the room bloody." Held said the comment was a relic of his earlier CIA career and he was reprimanded for it, but Miertschin said he was disturbed by how Held and subsequent witnesses minimized the comments.
The special verdict form submitted to the jury does not disclose the numerical breakdown of the vote.
Carpenter cried as the verdict was read.
Jurors later hugged Carpenter as he joined his lawyers in the jury room.
Sandia released a statement saying an appeal is under consideration.
"We are disappointed with the verdict but still maintain that when employees step beyond clear boundaries in a national security setting, there should be consequences," Sandia spokesman Michael Padilla said.
Carpenter, now working with a top-secret clearance for a State Department contractor in the Washington, D.C., area, said he felt a powerful sense of exoneration. But even before the verdict, he said he would be happy to have had his day in court.
"The point for us all along was this is bad for the country to have contractors like Sandia Corp. behaving this way— with impunity," said his wife, Jennifer Jacobs, a nuclear engineer and West Point graduate who testified in the trial.
"And if other citizens don't do this, it's the beginning of the end for our country. That's what we kept coming back to: This is what we have to do, because it's what we expect of others."
--------------------------------------------------------------------------------
More on this story from the Journal's archive:
Jurors Get Sandia Hacker Case Feb. 13, 2007
Testimony Ends in Sandia Suit Feb. 10, 2007
Sandia Boss Details Firing Feb. 9, 2007
FBI Wanted 'Backhacking' Employee Feb. 8, 2007
Man Describes 'Backhacking' Feb. 7, 2007
Analyst Sues Over Firing Feb. 6, 2007
Battle Against Hackers Costs Employee Job Sept. 15, 2005
All content copyright © ABQJournal.com and Albuquerque Journal and may not be republished without permission. Requests for permission to republish, or to copy and distribute must be obtained at the the Albuquerque Publishing Co. Library, 505-823-3492.

 

Post a Comment

<< Home