Q&A: Reverse hacker describes ordeal

Sandia put lab's interests over those of the country, security analyst says

A New Mexico jury recently awarded Shawn Carpenter $4.3 million in a wrongful termination lawsuit against his former employer Sandia National Laboratories.

The former network intrusion detection analyst was fired in January 2005 after he shared information relating to an internal network compromise with the FBI and the U.S. Army. Sandia alleged that Carpenter had inappropriately shared confidential information he had gathered in his role as a security analyst for the laboratory.

Carpenter said he had done so only for national security reasons. He said his independent investigations of a May 2004 breach had unearthed evidence showing that the intruders who had broken into Sandia's networks belonged to a Chinese hacking group called Titan Rain that also had attacked other sensitive networks and stolen U.S. military and other classified documents.

Security analyst Shawn Carpenter
Security analyst Shawn Carpenter

Carpenter until last Friday worked with the U.S. Department of State's Cyber Threat Analysis Division. He is currently a principal research analyst at NetWitness Corp., a start-up headed by Amit Yoran, former director of the National Cyber Security Division of the Department of Homeland Security. In this interview conducted via e-mail, Carpenter talks about the case.

What's your reaction to the verdict? It is almost a guarantee that Sandia will appeal and drag it out for years. They don't have any incentive to resolve the case, as the taxpayers are footing the bill. Besides the cadre of attorneys they already have on staff, they hired a local firm, Bannerman & Williams, to assist them in the litigation.

We've indicated our willingness to negotiate over the course of the suit, but they expressed no desire to talk. The one offer they made at a settlement conference ordered by the court was so pathetic that it wouldn't have even covered a few months of my legal expenses. All along, I wanted my day -- OK, week and a half -- in court, and to have the opportunity to tell a jury my side of the story.

Since Sandia is an "at will" employer -- and they regularly remind you of this if you press issues -- people fear for their jobs. Of the several hundred colleagues I worked with during my career there, a grand total of two still talk to me -- even after the verdict. My friends in computer security that are still working there think their phones are tapped by Sandia counterintelligence, and are terrified to even call me from home. We clearly demonstrated for the jury that it is an environment of fear, created expressly to keep the employees in line.

What prompted you to conduct that independent investigation into the Sandia intrusion in the first place? As a network intrusion detection analyst, I regularly used similar "back-hacking" techniques in the past to recover stolen Sandia password files and retrieve evidence to assist in system and network compromise investigations.

We were able to better defend our networks as a direct result of the intelligence we gained. I authored in-depth analyses of these intrusions that were sent for reporting and educational purposes to the Department of Energy's (DOE) Computer Incident Advisory Capability (CIAC), investigators at the DOE Inspector General (IG), Sandia Counterintelligence, DOE Cyber Counterintelligence, Sandia IT management and my entire department. Even to a novice, it was obvious after reading the analyses how intelligence was gleaned on the adversaries.

For example, phrases substantially similar to this were used in my reports: "I used their credentials to access the systems in Brazil and China, identify their hacking tool caches, and [pulling] down all of their tools, e-mails and other information to aid in their identification." Numerous exhibits of these activities were presented at trial for the jurors. In a meeting with them after the verdict was rendered, even the less cyber-savvy folks understood what the e-mails represented.

What were you hoping to achieve through this investigation? My objective started out with a purpose similar to the other investigations I engaged in while at Sandia. The difference in this instance was that the rabbit hole went much deeper than I imagined.

In late May of 2004, one of my investigations turned up a large cache of stolen sensitive documents hidden on a server in South Korea. In addition to U.S. military information, there were hundreds of pages of detailed schematics and project information marked "Lockheed Martin Proprietary Information Export Controlled" that were associated with the Mars Reconnaissance Orbiter. Ironically, Sandia Corp., the private company that manages Sandia National Laboratories, is a subsidiary of Lockheed Martin Corp. It was this discovery that prompted my meeting with [supervisors] and when I was told that "it was not my concern." Later, I turned it over to the U.S. Army and the FBI and helped investigate how it was taken and where the path led.

Are you at liberty to disclose what sort of back-hacking you did? Not at this point, but I will be able to discuss the activities in more detail at an unclassified level in the future.

What happened to all of the information that you uncovered relating to the Titan Rain operation? Has it been used in any way to deal with the problem of Chinese hackers? All of the information and analyses I conducted and any conclusions I reached were given to the FBI. The information relevant to the U.S. Army was given to them. I cannot answer your last question because it likely encompasses classified information.

You claimed you never were given an opportunity to get the information you uncovered to the proper authorities at the other organizations. Why was that? I attempted several times to find a Sandia channel to get the information to the organizations that were impacted. At the first meeting with my supervisor and the Sandia information security manager, [the supervisor] stated "we don't care about any of this. We only care about Sandia computers."

After I insisted that there must be a way to throw the information "over the fence" to Sandia's counterintelligence organization or other federal and military authorities, he said that I was forbidden from doing this, and that it "wasn't my job." A Sandia counterintelligence manager and my immediate supervisor recanted pages of their previously sworn deposition testimony and conceded that a meeting that they allegedly had with me to provide me with a channel to get the information to the proper authorities never happened.

Why do you think Sandia acted the way it did? This was the first time that my activities uncovered evidence that entities outside Sandia were compromised, and data was being stolen. They were not willing to contact the proper authorities because outside law enforcement would certainly inquire about how the data was obtained -- bringing unwelcome scrutiny upon Sandia. It was a case of putting the interests of the corporation over those of the country.

What happened then? During my last meeting with Sandia management, a semicircle of management was positioned in chairs around me and Bruce Held [Sandia's chief of counterintelligence]. Mr. Held arrived about five minutes late to the meeting and positioned his chair inches directly in front of mine. Mr. Held is a retired CIA officer, who evidently ran paramilitary operations in Africa, according to his deposition testimony.

At one point, Mr. Held yelled, "You're lucky you have such understanding management& if you worked for me, I would decapitate you! There would at least be blood all over the office!" During the entire meeting, the other managers just sat there and watched. At the conclusion of the meeting, Mr. Held said, "Your wife works here, doesn't she? I might need to talk to her." [Editor's note: In court testimony, Held admitted using the word "decapitated" and that he wouldn't contest using the word "blood" although he didn't recall saying it. He also apologized for using those terms.]

Indeed, my wife did work there -- in Sandia's International Programs section, working on nuclear counter-proliferation, port and border security issues. In the context of that meeting, it was a chilling comment. Shortly after the meeting, which management described at trial as "a fact-finding session with Mr. Carpenter," my director showed up at my office, escorted me to the gate and stripped me of my badge. That was the last time I was ever at Sandia. [Carpenter's wife resigned and is now a White House fellow working as a special assistant to top-ranking government officials.]

How big of a threat do foreign hackers pose to secure government and military networks here in the U.S? What needs to be done about the issue and by whom? A brief overview of open source press reporting for the past couple of years clearly indicates that there is a very serious threat posed by foreign hackers to U.S. infrastructure, government and military networks.

A great deal of the research and development for military programs and government projects is carried about by defense contractors; these corporations are attractive targets for skilled adversaries. The cyber realm is a unique environment that provides an appealing risk-to-benefit ratio, low chance of attribution and a minimal investment for adversaries to conduct sophisticated operations. Why spend millions on R&D when you can just steal it?

Related News and Discussion:

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies