By Jaikumar Vijayan
February 26, 2007
A New Mexico jury recently awarded Shawn Carpenter $4.3 million in a
wrongful termination lawsuit against his former employer Sandia National
The former network intrusion detection analyst was fired in January 2005
after he shared information relating to an internal network compromise
with the FBI and the U.S. Army. Sandia alleged that Carpenter had
inappropriately shared confidential information he had gathered in his
role as a security analyst for the laboratory.
Carpenter said he had done so only for national security reasons. He
said his independent investigations of a May 2004 breach had unearthed
evidence showing that the intruders who had broken into Sandia's
networks belonged to a Chinese hacking group called Titan Rain that also
had attacked other sensitive networks and stolen U.S. military and other
Carpenter until last Friday worked with the U.S. Department of State's
Cyber Threat Analysis Division. He is currently a principal research
analyst at NetWitness Corp., a start-up headed by Amit Yoran, former
director of the National Cyber Security Division of the Department of
Homeland Security. In this interview conducted via e-mail, Carpenter
talks about the case.
What's your reaction to the verdict?
It is almost a guarantee that Sandia will appeal and drag it out for
years. They don't have any incentive to resolve the case, as the
taxpayers are footing the bill. Besides the cadre of attorneys they
already have on staff, they hired a local firm, Bannerman & Williams, to
assist them in the litigation.
We've indicated our willingness to negotiate over the course of the
suit, but they expressed no desire to talk. The one offer they made at a
settlement conference ordered by the court was so pathetic that it
wouldn't have even covered a few months of my legal expenses. All along,
I wanted my day -- OK, week and a half -- in court, and to have the
opportunity to tell a jury my side of the story.
Since Sandia is an "at will" employer -- and they regularly remind you
of this if you press issues -- people fear for their jobs. Of the
several hundred colleagues I worked with during my career there, a grand
total of two still talk to me -- even after the verdict. My friends in
computer security that are still working there think their phones are
tapped by Sandia counterintelligence, and are terrified to even call me
from home. We clearly demonstrated for the jury that it is an
environment of fear, created expressly to keep the employees in line.
What prompted you to conduct that independent investigation into the
Sandia intrusion in the first place?
As a network intrusion detection analyst, I regularly used similar
"back-hacking" techniques in the past to recover stolen Sandia password
files and retrieve evidence to assist in system and network compromise
We were able to better defend our networks as a direct result of the
intelligence we gained. I authored in-depth analyses of these intrusions
that were sent for reporting and educational purposes to the Department
of Energy's (DOE) Computer Incident Advisory Capability (CIAC),
investigators at the DOE Inspector General (IG), Sandia
Counterintelligence, DOE Cyber Counterintelligence, Sandia IT management
and my entire department. Even to a novice, it was obvious after reading
the analyses how intelligence was gleaned on the adversaries.
For example, phrases substantially similar to this were used in my
reports: "I used their credentials to access the systems in Brazil and
China, identify their hacking tool caches, and [pulling] down all of
their tools, e-mails and other information to aid in their
identification." Numerous exhibits of these activities were presented at
trial for the jurors. In a meeting with them after the verdict was
rendered, even the less cyber-savvy folks understood what the e-mails
What were you hoping to achieve through this investigation?
My objective started out with a purpose similar to the other
investigations I engaged in while at Sandia. The difference in this
instance was that the rabbit hole went much deeper than I imagined.
In late May of 2004, one of my investigations turned up a large cache of
stolen sensitive documents hidden on a server in South Korea. In
addition to U.S. military information, there were hundreds of pages of
detailed schematics and project information marked "Lockheed Martin
Proprietary Information Export Controlled" that were associated with the
Mars Reconnaissance Orbiter. Ironically, Sandia Corp., the private
company that manages Sandia National Laboratories, is a subsidiary of
Lockheed Martin Corp. It was this discovery that prompted my meeting
with [supervisors] and when I was told that "it was not my concern."
Later, I turned it over to the U.S. Army and the FBI and helped
investigate how it was taken and where the path led.
Are you at liberty to disclose what sort of back-hacking you did?
Not at this point, but I will be able to discuss the activities in more
detail at an unclassified level in the future.
What happened to all of the information that you uncovered relating to
the Titan Rain operation? Has it been used in any way to deal with the
problem of Chinese hackers?
All of the information and analyses I conducted and any conclusions I
reached were given to the FBI. The information relevant to the U.S. Army
was given to them. I cannot answer your last question because it likely
encompasses classified information.
You claimed you never were given an opportunity to get the information
you uncovered to the proper authorities at the other organizations. Why
I attempted several times to find a Sandia channel to get the
information to the organizations that were impacted. At the first
meeting with my supervisor and the Sandia information security manager,
[the supervisor] stated "we don't care about any of this. We only care
about Sandia computers."
After I insisted that there must be a way to throw the information "over
the fence" to Sandia's counterintelligence organization or other federal
and military authorities, he said that I was forbidden from doing this,
and that it "wasn't my job." A Sandia counterintelligence manager and my
immediate supervisor recanted pages of their previously sworn deposition
testimony and conceded that a meeting that they allegedly had with me to
provide me with a channel to get the information to the proper
authorities never happened.
Why do you think Sandia acted the way it did?
This was the first time that my activities uncovered evidence that
entities outside Sandia were compromised, and data was being stolen.
They were not willing to contact the proper authorities because outside
law enforcement would certainly inquire about how the data was obtained
-- bringing unwelcome scrutiny upon Sandia. It was a case of putting the
interests of the corporation over those of the country.
What happened then?
During my last meeting with Sandia management, a semicircle of
management was positioned in chairs around me and Bruce Held [Sandia's
chief of counterintelligence]. Mr. Held arrived about five minutes late
to the meeting and positioned his chair inches directly in front of
mine. Mr. Held is a retired CIA officer, who evidently ran paramilitary
operations in Africa, according to his deposition testimony.
At one point, Mr. Held yelled, "You're lucky you have such understanding
management. If you worked for me, I would decapitate you! There would at
least be blood all over the office!" During the entire meeting, the
other managers just sat there and watched. At the conclusion of the
meeting, Mr. Held said, "Your wife works here, doesn't she? I might need
to talk to her." [Editor's note: In court testimony, Held admitted using
the word "decapitated" and that he wouldn't contest using the word
"blood" although he didn't recall saying it. He also apologized for
using those terms.]
Indeed, my wife did work there -- in Sandia's International Programs
section, working on nuclear counter-proliferation, port and border
security issues. In the context of that meeting, it was a chilling
comment. Shortly after the meeting, which management described at trial
as "a fact-finding session with Mr. Carpenter," my director showed up at
my office, escorted me to the gate and stripped me of my badge. That was
the last time I was ever at Sandia. [Carpenter's wife resigned and is
now a White House fellow working as a special assistant to top-ranking
How big of a threat do foreign hackers pose to secure government and
military networks here in the U.S? What needs to be done about the issue
and by whom?
A brief overview of open source press reporting for the past couple of
years clearly indicates that there is a very serious threat posed by
foreign hackers to U.S. infrastructure, government and military
A great deal of the research and development for military programs and
government projects is carried out by defense contractors; these
corporations are attractive targets for skilled adversaries. The cyber
realm is a unique environment that provides an appealing risk-to-benefit
ratio, low chance of attribution and a minimal investment for
adversaries to conduct sophisticated operations. Why spend millions on
R&D when you can just steal it?