Here’s the obverse of what we generally get to report on. Not the incompetence of Homeland Insecurity; but, a taxpayer-funded research lab which assigns someone to track computer security — then, fires him for sharing his findings with the FBI!

A New Mexico district court jury has awarded $4.3 million in punitive damages to a fired Sandia National Laboratories cybersecurity analyst who went to federal authorities with information about national security breaches.

The jury determined Tuesday that the handling of Shawn Carpenter’s firing was “malicious, willful, reckless, wanton, fraudulent or in bad faith.”

In addition to the punitive damages, the jury awarded him $35,661 for lost wages and benefits, $1,875 for counseling costs and $350,000 for emotional distress, the Albuquerque Journal reported in a copyright story Wednesday.

Carpenter told supervisors he was working with an outside agency, but it wasn’t until the FBI talked to Sandia counterintelligence did the lab fully learn of his work. Three months later, he was fired.

Firing whistleblowers is dumb enough, anyway. You’re just keeping more attorneys employed on a commission basis. But, when you’re living off the pork of mostly military research — and you hinder security — I think you’ve raised bureaucratic incompetence to a new level.



  1. Mac Guy says:

    “His job involved finding breaches in Sandia’s computer networks. He followed the trail of hackers around the world in 2004 and discovered stolen documents about troop movements, body armor and more.”

    Rock on! This guy chipped in his buck-o-five.

  2. ECA says:

    Lucky bastard…

  3. SN says:

    I love this quote from the employer…

    Sandia said, “We are disappointed with the verdict but still maintain that when employees step beyond clear boundaries in a national security setting there should be consequences.”

    Is he saying that notifying the FBI about genuine security breaches involving our nation’s national security is somehow “stepping beyond clear boundaries in a national security setting”?! How the frick does that many any sense?!

  4. jbellies says:

    He was lucky that he didn’t meet the same fate that Randal Schwartz underwent at the hands of Intel:

    http://www.lightlink.com/spacenka/fors/

  5. Kevin says:

    It will take the courts to create common sense of government red tape. In governemnt jobs it is all CYA, be quiet, do not embarace your supervisors for incompentance, make your supervisor look good.

    If this was a commercial employer he would have been fired also.

  6. KagatoAMV says:

    I’d really like to read more about this. I wonder what Sandia’s process was to determine that this guy should be fired. Did he stop doing the job he was being paid for to pursue hackers? Or did his boss just not like the fact that he helped the FBI?

  7. Gig says:

    Let’s look at from the employer’s point of view. He didn’t notify his employers of what he found and he most likely did it on their time.

    I’m quite sure SNL has their own in-house measures to notify the proper authorities and he bypassed them.

    This isn’t a whistle blower case. It’s not like he found out that SNL or someone they were covering for was doing anything wrong.

    That said, there really isn’t enough info in the story to tell if the jury was right or wrong but from the hugging that was going on I’d say the guy’s lawyer did a good job making the jury feel sorry for him which one would expect a lawyer to do if he didn’t have a real good case.

  8. Roland says:

    7, if you read the new mexico article, you’d read that he did inform his superiors but was rebuffed and told to only deal with Sandia matters. The info he dug up was extra and being a good citizen he took matters into his own hands when his bosses sat on the info… he was probably fired for divulging “confidential” info without clearance… They should probably sue Sandia for contempt for standing idly by when clear and present danger to the US national government is occurring…

  9. tallwookie says:

    pwned

  10. GigG says:

    #8, no what it said was…

    His job involved finding breaches in Sandia’s computer networks. He followed the trail of hackers around the world in 2004 and discovered stolen documents about troop movements, body armor and more. He testified that his bosses told him to concern himself only with Sandia.

    Eventually, he shared his findings with the FBI.

    Carpenter told supervisors he was working with an outside agency, but it wasn’t until the FBI talked to Sandia counterintelligence did the lab fully learn of his work.

  11. jbellies says:

    I’m with tallwookie on this one!

    “I’m quite sure SNL has their own in-house measures to notify the proper authorities and he bypassed them.”

    And I’m not quite sure. That Sandia seems to have told him to ignore the smoke, and later to have fired him for doing just that civic duty, shows that they had other irons in the fire, other priorities. Of course, they’re a corporation, and they are patriotic only to black ink, to the bottom line. It warms the cockles of my heart to see that they lost a bundle on this one–pending the inevitable appeals up to the Supreme Court, of course.

  12. TJGeezer says:

    I wonder who’ll get fired from Sandia now because of all the (justifiably) bad publicity – the manager who actually sat on this potentially important intel, or the more junior guy got got tasked to pass the decision on to Carpenter about staying inside the SNL chain link fence.

  13. Mr. Fusion says:

    #12, I’m afraid the short answer is no one. If they fire the junior guy, then look for another law suit. They won’t fire the manager simply because he probably knows too much.

  14. JToso says:

    I’ll let the hackers in then…

  15. ECA says:

    whats is interesting, is locatiing spamers and hackers..

    If you know much about spamers, you KNWO that the companies they try to send you to, KNOW who they are, or the company they work for…And HOW they pay them.
    with that info, you can do ALOt of things to find the bastards..
    why isnt ower Gov doing it?

    As to hackers…
    the smart one are hard to find, but the idea comes with “More info, More chance” and with a few systems monitoring Whats going on…you can track the incoming Hacks.
    SAMe question, Why dont the Gov know this?

  16. Roland says:

    Gig, you don’t know how to read ?
    He testified that his bosses told him to concern himself only with Sandia

    obviously this meant he told his superiors about this and was told to sit on it! Why else would they tell him to “concern himself only with Sandia”….

    Let’s look at from the employer’s point of view. He didn’t notify his employers of what he found and he most likely did it on their time.

    was your comment so I corrected you by saying that he did…

  17. fastflux says:

    Gig — It seems that you are:

    (a) Not a very thorough reader
    (b) A employee of Sandia National Laboratories public relations
    (c) Not very bright
    (d) All of the above

    Yes, let’s try and be objective and “look at it from the employer’s point of view”. Ok, from what we know from the Albuquerque Journal has reported from every day of trial (let’s assume that it is accurate), we know this:

    1) There was absolutely no documentation whatsoever (emails, memos, handwritten notes, etc) generated during the one month “investigation” that Sandia management conducted. If it isn’t documented, it doesn’t exist. Seems sort of strange to me, but whatever.

    2) In a meeting with Carpenter and a bunch of Sandia executives, Sandia’s Chief of Counterintelligence told Carpenter, “You’re lucky to have such understanding management. If I were your manager, I would have decapitated you. There at least would have been blood on the floor.” Those comments seem a bit harsh, considering that Carpenter took the information to authorities that could actually do something about the problems. When Carpenter took the information to his managers (not one, but two), he was told “We don’t care about any of this; we only care about Sandia’s computers”. Since documents on troop movements, body armor, and other sensitive DOD memos were being stolen, I think that taking this information to Army Intelligence is probably a good step.

    3) Sandia Corporation has clear policies and procedures in place to ensure that employees are treated fairly. Since Sandia Corporation is an at will employer, these policies are employees’ only protections. Sandia ignored all of their own policies, and kicked his butt out the door — despite the fact that he was working with the Army and the FBI. It was only when they found out that he had gone outside the corporation (to the proper authorities that were eager to stem the hemmorhage of sensitive information) when he was fired.

    4) You make it sound like because of “all the hugging that was going on” was because Carpenter had some advantage by having a good attorney. Guess what — Sandia Corporation and Lockheed Martin (Sandia is a wholly-owned subsidiary of Lockheed) have an army of attorneys and bottomless bucket of taxpayer dollars to hire other attorneys to defend them. Since I live in the Albuquerque area (and from a few simple Google searches), I know that Sandia hired a whole law firm (besides the in-house attorneys) to defend them. They must have spent millions of taxpayer dollars on the defense, and will likely spend millions more on their appeals.

    What planet are you from? It’s fairly obvious from your comments that you have no clue what legal hoops have to be navigated before a judge even allows a case to go to trial. This is to weed out all of the frivilous BS that clogs our country’s court dockets up. Do you think randomly selected jurors are so ignorant that Carpenter’s lawyer could trick them and the judge into a large judgment because “they feel sorry for him”? This trial was a week and a half long.

    5) If you are “quite sure” that Carpenter bypassed in-house measures for informing the proper authorities, what are your sources for this information? What? You don’t have any? That’s what I thought.

    6) Do you even know what a whistleblower is? And no, it doesn’t have anything to do with people blowing air through a device that produces a high-pitched noise.

    7) I forgot (e) — A complete dolt.

  18. Kelly says:

    Wow. And this kind of crap is going on after 9/11? I’m not sure what these government agencies have learned, if anything, if people like this are in charge. I wonder what kind of other craziness is going on at this place.

  19. Kelly says:

    Carpenter story from the Albuqerque Journal:

    URL: http://www.abqjournal.com/news/metro/537833metro02-14-07.htm

    Wednesday, February 14, 2007
    Sandia Hacker Gets $4 Million
    By Scott Sandlin
    Copyright © 2007 Albuquerque Journal; Journal Staff Writer
    A jury delivered a strong— and expensive— message to Sandia National Laboratories on Tuesday, awarding more than $4 million to a cybersecurity analyst who was fired after going “over the fence” to the FBI with information about national security breaches.
    The 13-person state district court jury determined that Sandia’s handling of Shawn Carpenter’s termination was “malicious, willful, reckless, wanton, fraudulent or in bad faith.”
    “If they (Sandia) have an interest in protecting us, they certainly didn’t show it with the way they handled Shawn,” said juror Ed Dzienis, a television editor.
    The verdict was a “clear and unambiguous” message to Sandia and other contractors “that the national security, and not the interest of the corporation, is and must always be their primary concern,” Carpenter attorney Phil Davis said.
    Jurors awarded Carpenter $387,537 in lost wages, benefits and damages for emotional distress resulting from his January 2005 firing by Sandia Corp., which operates the lab.
    But the jury’s big message was in the punitive damages.
    Jurors, after hearing a week of testimony before Judge Linda Vanzi, more than doubled the $2 million requested by Carpenter attorneys Thad Guyer, Stephani Ayers and Davis.
    Carpenter, whose job involved finding breaches in Sandia’s computer networks, followed the trail of computer hackers around the globe in the latter half of 2004. His “backhacking” discovered stolen documents about troop movements, body armor and more, but he testified that his bosses told him to concern himself only with Sandia.
    After agonizing discussions with his wife, then a Sandia researcher and later a White House fellow, he instead reached out almost immediately to the Army Research Laboratory. He eventually was passed to the FBI and shared his findings with that agency during a series of meetings, some of which he recorded.
    Although Carpenter had told line supervisors he was working with an unspecified outside agency, Sandia fully learned of his work when the FBI talked to Sandia counterintelligence. Less than three months later, Sandia officials fired him after meetings in which no minutes were taken and no record made until after the fact.
    Jury forewoman Alex Scott said jurors were upset by the lack of documentation of that process and by the “reckless behavior on the part of Sandia to not have adequate policies in place for employees about hacking, and the cavalier attitude about national security and global security.”
    Jurors were not unanimous, however. The civil jury required 10 of 13 to vote on a question before moving to the next one. Juror Elizabeth Bornholdt, a retired home economist, said she did not believe Carpenter had done all he could to secure authorization for backhacking before going outside Sandia with the information. She said the case wasn’t as “cut and dried” as some jurors saw it.
    She voted against liability for Sandia, but even she said the corporation had been “lax” about following up when Carpenter told his supervisors that he was working with an outside agency. And she said top management “didn’t seem to know what was going on.”
    Juror David Miertschin, an architect, said he found “egregious” the comments made by Sandia counterintelligence chief Bruce Held during a meeting to decide Carpenter’s fate.
    Held told Carpenter that if he’d been working for him and had done such unauthorized work, he would have been “decapitated, or at least would have left the room bloody.” Held said the comment was a relic of his earlier CIA career and he was reprimanded for it, but Miertschin said he was disturbed by how Held and subsequent witnesses minimized the comments.
    The special verdict form submitted to the jury does not disclose the numerical breakdown of the vote.
    Carpenter cried as the verdict was read.
    Jurors later hugged Carpenter as he joined his lawyers in the jury room.
    Sandia released a statement saying an appeal is under consideration.
    “We are disappointed with the verdict but still maintain that when employees step beyond clear boundaries in a national security setting, there should be consequences,” Sandia spokesman Michael Padilla said.
    Carpenter, now working with a top-secret clearance for a State Department contractor in the Washington, D.C., area, said he felt a powerful sense of exoneration. But even before the verdict, he said he would be happy to have had his day in court.
    “The point for us all along was this is bad for the country to have contractors like Sandia Corp. behaving this way— with impunity,” said his wife, Jennifer Jacobs, a nuclear engineer and West Point graduate who testified in the trial.
    “And if other citizens don’t do this, it’s the beginning of the end for our country. That’s what we kept coming back to: This is what we have to do, because it’s what we expect of others.”
    ——————————————————————————–
    More on this story from the Journal’s archive:
    Jurors Get Sandia Hacker Case Feb. 13, 2007
    Testimony Ends in Sandia Suit Feb. 10, 2007
    Sandia Boss Details Firing Feb. 9, 2007
    FBI Wanted ‘Backhacking’ Employee Feb. 8, 2007
    Man Describes ‘Backhacking’ Feb. 7, 2007
    Analyst Sues Over Firing Feb. 6, 2007
    Battle Against Hackers Costs Employee Job Sept. 15, 2005
    All content copyright © ABQJournal.com and Albuquerque Journal and may not be republished without permission. Requests for permission to republish, or to copy and distribute must be obtained at the the Albuquerque Publishing Co. Library, 505-823-3492.


0

Bad Behavior has blocked 5808 access attempts in the last 7 days.