When you read that, you have to wonder why someone who was looking out for the nation and their company by trying to catch hackers who were stealing (not trying to steal, but actually succeeding)would be fired, no?
Well when reading what little there is in Rood's article, it appears, if the facts are as stated, that the company was more concerned about the embarrassment and possibility of a negative publicity than they were about catching hackers taking their sensitive materials:
On Feb. 13, a jury in New Mexico concluded Shawn Carpenter had been wrongfully terminated from his job as a computer security expert for the Department of Energy's Sandia, N.M. laboratory. His bosses had told him not to pursue the hackers or discuss the matter outside of work and fired him after he cooperated with FBI counterintelligence investigators.
Whoa. Fired him when he cooperated with the FBI? So what happened?
After discovering the lab's computers had been broken into, Carpenter retraced the hacker's steps, eventually "backhacking" into machines they controlled, where he discovered the sensitive data.
The proverbial smoking gun. Then, apparently Carpenter reported the matter up the chain after which he was told to drop it and not to pursue it further in an attempt to keep the information about the breech within the company (which, btw, is Sandia National Labratory).
Carpenter refused to obey his bosses' orders to end his efforts and keep the information within Sandia; he instead contacted the FBI and worked for months with counterintelligence agents, who told him his information was aiding numerous ongoing investigations.
It is about here that you realize the guy with the common sense is Carpenter. This wasn't something he or his bosses suspected might be happening. This was something, the stealing of national secrets, which was happening. It is counter-intuitive to hide it instead of reporting it unless you're knee deep in a corporate culture which demands the corporation be protected at all costs to include keeping in-house and quiet information about an ongoing (and seemingly successful) espionage effort.
Common sense says Carpenter did the right thing. But not so the Sandia managment:
Soon after his bosses found out, they fired Carpenter.
"I think...he thought that his motive was noble, but I also recall that he was very clearly told the process that had to be followed," a senior executive for the company said in a sworn deposition introduced at the trial. "We have to be able to trust our employees to do the right thing, to follow our direction."
And of course that "direction" which they claimed was the 'right thing' was to cover up and shut up.
The jury in the wrongful firing case didn't buy Sandia's defense either, awarding Carpenter 5 million in damages, twice what he'd asked for.
After delivering their verdict — twice what Carpenter's lawyers had requested — they expressed shock and outrage at the company's actions. "If they [Sandia] have an interest in protecting us, they certainly didn't show it with the way they handled Shawn," one juror told a reporter for the Albuquerque Journal.
Amen. And, for a change, common sense prevailed in the guise of the jury verdict. However, the fact that it required such a verdict in the first place points to the lack of common sense among the management of Sandia.
It makes or might make BUSINESS sense, guys. After reading The Cuckoo’s Egg I’m forced to conclude that computer security is NOT an American strong point. Lockheed and Sandia didn’t want word of this to get out, because if it did, well people would find out that their security SUCKS. To be fair, I have NO knowldege that that is true in this case, BUT it sure makes the orders to Carpenter understandable.
In The Cuckoo’s Egg, BTW, the author was astonished to see that many Federal/Federal Contractor/Business SysAdmins, NEVER changed the default security pass-codes on their operating systems, once they were installed. I am cynical enough to believe that things probably haven’t changed that much since then.
IF the FBI gets involved and the CBO and GAO and any of the other alphabet soup entities, Sandia will likely have a black eye for security. Sandia has had previous security problems. Your contract doesn’t get renewed with bad press. So, we tell Caprenter to stop pursuit at the boundary wire, as it were.
He doesn’t agree and goes onto the FBI, who were probably pretty clueless in this area, too, IMO. Now Lockheed/Sandia can look bad...so we fire Carpenter. Makes sense to me...really. It’s good business sense, here to let him go.
I read about this quite a while ago. How he was able to get to the chinese hackers was truly genius. He tracked their traffic through all sorts of false front servers to a specific router in China. He then installed a hacked firmware on the router to send him emails (to an anon account) whenever it was active.
Nice to see it worked out in his favor. They should have promoted him but I guess we know how Sandia got pass their security issues. By firing employees who found them.
Joe, Here’s an interesting tidbit that may answer your question why Lockheed and Sandia didn’t want to get this out. From Carpenter’s Wikipedia entry (http://en.wikipedia.org/wiki/Shawn_Carpenter):
"...In an ironic twist, Carpenter testified at trial that he found hundreds of pages of detailed schematics and other sensitive documents labeled, "Lockheed Martin Proprietary Information" and "Export Controlled" regarding the Mars Reconnaissance Orbiter stashed on a foreign server in South Korea. He was helping the FBI investigate the stolen Lockheed Martin information along with hundreds of other network breaches at military and United States defense contractors when Sandia officials fired him."
It also has this comment, about what his wife said at the trial of her husband:
"...Carpenter’s wife, Dr. Jennifer Jacobs, testified at the trial. Dr. Jacobs, a former Sandia scientist, nuclear engineer, West Point graduate, and Army Reserve Major, said Sandia management questioned her loyalty to the company after her husband was fired. Dr. Jacobs left Sandia and was later appointed as a White House Fellow, and was a Director at the National Security Council. In an interview with the Albuquerque Journal, Dr. Jacobs stated, "The point for us all along was this is bad for the country to have contractors like Sandia Corporation behaving this way — with impunity. And if other citizens don’t do this, it’s the beginning of the end for our country. That’s what we kept coming back to: This is what we have to do, because it’s what we expect of others."
It sounds like Sandia managers probably made her life miserable too. She is a West Point graduate, nuclear engineer and White House Fellow to boot. The people running this place sound like idiotic thugs.
*SIGH* Robert we’d have to Rightsize you TOO, obviously...it is or was cheaper to let them go than to secure the real and electronic perimeter...after all that costs cash, and can never be shown to be effective, "PROVE" Sandia National is secure, you can’t, so when someone discovers the perimeter ISN’T secure, we fire them...
Are you folks REALLY that simple? It is obvious I am at least middle-level management material here. You guys seem to act as if this security means something...
And to one extent it IS pointless, at least in re: Nuclear secrets. SNL is trying or not trying to hold on to "secrets" that really aren’t all that secret, SNL knows it, Lockheed knows it, and so they really aren’t as concerned as they might be, but they are concerned about contract renewal, costs, and bad PR. The Carpenter’s impacted all three.
I completely disagree with your upbeat assessment that "we are indeed fortunate that the lab is being run by a private sector organization" timactual. The glaring problem with this is that Sandia National Laboratories does a large amount of nuclear weapons stockpile stewardship and development work. If employees are at will, they really have no protections if they bring up quality or security concerns. As an employee, it is simply not worth the risk to me to press management with security issues or product quality issues. I’ve seen what happens, and this case is only the tip of the iceberg that is in the public eye. Employees who keep their mouths shut and do what they’re told keep getting their nice paychecks and benefits. Senior managers perceive people like this guy as threats, given all of the trouble that Los Alamos has had. Believe me, they are happy as hell as long as the attention stays focused on Los Alamos. This case shifted some of that attention down south to Sandia. I don’t know what I would do if I found a serious security problem. I have a family to support, a large mortgage payment and large medical bills for one of my children. I simply could not afford to risk losing my job and benefits. This place should have more protections for employees, so they can speak their mind without fearing they will be suddenly unemployed.