Reverse hacker wins $4.3M in suit against Sandia Labs

Computerworld - Shawn Carpenter, a network security analyst at Sandia National Laboratories who was fired in January 2005 for his independent probe of a network security breach at the agency, has been awarded $4.3 million by a New Mexico jury for wrongful termination.

In announcing its decision yesterday, the jury also awarded Carpenter $350,000 for emotional distress and more than $36,000 for lost wages, benefits and other costs.

A spokesman from Sandia expressed "disappointment" with the verdict and said the lab will consider whether to appeal it or not.

The highly publicized case involved Carpenter's investigation of a network break-in at Sandia in 2003.

After initially telling superiors about the incident, Carpenter launched an independent, months-long investigation during which he used hacking techniques of his own to eventually trace the attacks back to a Chinese cyberespionage group. The group, called Titan Rain by federal authorities, was believed responsible for carrying out similar attacks against a large number of U.S. government, military and commercial interests.

Carpenter shared information from his investigation, initially with individuals at the Army Counterintelligence Group and later with the FBI.

When Sandia officials learned of the investigation and of his sharing information with the FBI and other outside agencies, they terminated him for inappropriate use of confidential information that he had gathered in his role as a network security manager for the laboratory.

Yesterday's verdict is a "vindication of his decision to do the right thing and turn over the information he obtained to the proper federal authorities in the interests of national security," said Philip Davis, one of the attorneys who represented Carpenter in his lawsuit.

The verdict highlights "the jury's belief that Shawn Carpenter is a patriot and did what he did to protect the national interest," Davis said. "That was more important than Sandia's own interest in taking care of itself."

The size of the punitive damages at $4.3 million is more than twice of what was sought and sends an "unambiguous message that national security comes first," he said.

Ira Winkler, an independent security consultant and author of Spies Among Us who has also written for Computerworld, said the verdict was "incredibly justified. Frankly, I think people [at Sandia] should go to jail" for ignoring some of the security issues that Carpenter was trying to highlight with his investigation.

After Carpenter's termination, the investigations into the Titan Rain group appear to have gone nowhere, said Winkler, a former National Security Agency analyst. He added that while the Carpenter award is welcome, it would ultimately be paid with taxpayer money.

"This whole thing is costing them nothing," Winkler said. "Whatever legal fees they are running up is just being passed back to the U.S. government," he said.