Reverse hacker wins $4.3M in suit against Sandia Labs
Shawn Carpenter used his own hacking techniques to probe outside breach
Computerworld - Shawn Carpenter, a network security analyst at Sandia National Laboratories who was fired in January 2005 for his independent probe of a network security breach at the agency, has been awarded $4.3 million by a New Mexico jury for wrongful termination.
In announcing its decision yesterday, the jury also awarded Carpenter $350,000 for emotional distress and more than $36,000 for lost wages, benefits and other costs.
A spokesman from Sandia expressed "disappointment" with the verdict and said the lab will consider whether to appeal it or not.
The highly publicized case involved Carpenter's investigation of a network break-in at Sandia in 2003.
After initially telling superiors about the incident, Carpenter launched an independent, months-long investigation during which he used hacking techniques of his own to eventually trace the attacks back to a Chinese cyberespionage group. The group, called Titan Rain by federal authorities, was believed responsible for carrying out similar attacks against a large number of U.S. government, military and commercial interests.
Carpenter shared information from his investigation, initially with individuals at the Army Counterintelligence Group and later with the FBI.
When Sandia officials learned of the investigation and of his sharing information with the FBI and other outside agencies, they terminated him for inappropriate use of confidential information that he had gathered in his role as a network security manager for the laboratory.
Yesterday's verdict is a "vindication of his decision to do the right thing and turn over the information he obtained to the proper federal authorities in the interests of national security," said Philip Davis, one of the attorneys who represented Carpenter in his lawsuit.
The verdict highlights "the jury's belief that Shawn Carpenter is a patriot and did what he did to protect the national interest," Davis said. "That was more important than Sandia's own interest in taking care of itself."
The size of the punitive damages at $4.3 million is more than twice of what was sought and sends an "unambiguous message that national security comes first," he said.
Ira Winkler, an independent security consultant and author of Spies Among Us who has also written for Computerworld, said the verdict was "incredibly justified. Frankly, I think people [at Sandia] should go to jail" for ignoring some of the security issues that Carpenter was trying to highlight with his investigation.
After Carpenter's termination, the investigations into the Titan Rain group appear to have gone nowhere, said Winkler, a former National Security Agency analyst. He added that while the Carpenter award is welcome, it would ultimately be paid with taxpayer money.
"This whole thing is costing them nothing," Winkler said. "Whatever legal fees they are running up is just being passed back to the U.S. government," he said.
- Where You Mitigate Heartbleed Matters Read this article to learn more about why customers must choose the most strategic point in the network at which to deploy their...
- Mitigating Multiple DDoS Attack Vectors It's time to rethink and refine the enterprise security architecture, so organizations can remain agile and resilient against future threats. Download this infographic...
- Looking to the Horizon: SDN Software-defined networking is one of the hottest buzzwords of 2014, but saying exactly what SDN is can be a challenge. SDN has its...
- The Challenge of a Wider Network As virtualization becomes more popular on wide area networks, IT administrators are finding that virtual machines (VMs) are touchy about latency and packet...
- Cloud BI in Action: Recorded Webinar of Customer, Kony, Inc. See how Kony, Inc., a leading enterprise mobility company, is using TIBCO Jaspersoft for Amazon Web Services and Redshift to achieve embedded analytics...
- Cloud BI Overview: Jaspersoft for AWS Check out this overview of Jaspersoft for AWS, to easily and affordably build business intelligence solutions as well as embed visualizations and analytics... All Network Security White Papers | Webcasts