Reverse hacker wins $4.3M in suit against Sandia Labs
Shawn Carpenter used his own hacking techniques to probe outside breach
Computerworld - Shawn Carpenter, a network security analyst at Sandia National Laboratories who was fired in January 2005 for his independent probe of a network security breach at the agency, has been awarded $4.3 million by a New Mexico jury for wrongful termination.
In announcing its decision yesterday, the jury also awarded Carpenter $350,000 for emotional distress and more than $36,000 for lost wages, benefits and other costs.
A spokesman from Sandia expressed "disappointment" with the verdict and said the lab will consider whether to appeal it or not.
The highly publicized case involved Carpenter's investigation of a network break-in at Sandia in 2003.
After initially telling superiors about the incident, Carpenter launched an independent, months-long investigation during which he used hacking techniques of his own to eventually trace the attacks back to a Chinese cyberespionage group. The group, called Titan Rain by federal authorities, was believed responsible for carrying out similar attacks against a large number of U.S. government, military and commercial interests.
Carpenter shared information from his investigation, initially with individuals at the Army Counterintelligence Group and later with the FBI.
When Sandia officials learned of the investigation and of his sharing information with the FBI and other outside agencies, they terminated him for inappropriate use of confidential information that he had gathered in his role as a network security manager for the laboratory.
Yesterday's verdict is a "vindication of his decision to do the right thing and turn over the information he obtained to the proper federal authorities in the interests of national security," said Philip Davis, one of the attorneys who represented Carpenter in his lawsuit.
The verdict highlights "the jury's belief that Shawn Carpenter is a patriot and did what he did to protect the national interest," Davis said. "That was more important than Sandia's own interest in taking care of itself."
The size of the punitive damages at $4.3 million is more than twice of what was sought and sends an "unambiguous message that national security comes first," he said.
Ira Winkler, an independent security consultant and author of Spies Among Us who has also written for Computerworld, said the verdict was "incredibly justified. Frankly, I think people [at Sandia] should go to jail" for ignoring some of the security issues that Carpenter was trying to highlight with his investigation.
After Carpenter's termination, the investigations into the Titan Rain group appear to have gone nowhere, said Winkler, a former National Security Agency analyst. He added that while the Carpenter award is welcome, it would ultimately be paid with taxpayer money.
"This whole thing is costing them nothing," Winkler said. "Whatever legal fees they are running up is just being passed back to the U.S. government," he said.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!