Interview with Sandia Whistleblower

Interesting interview with Shawn Carpenter, the Sandia National Labs whistleblower who just won a $4.3 million lawsuit for wrongful termination.

What prompted you to conduct that independent investigation into the Sandia intrusion in the first place? As a network intrusion detection analyst, I regularly used similar “back-hacking” techniques in the past to recover stolen Sandia password files and retrieve evidence to assist in system and network compromise investigations.

We were able to better defend our networks as a direct result of the intelligence we gained. I authored in-depth analyses of these intrusions that were sent for reporting and educational purposes to the Department of Energy’s (DOE) Computer Incident Advisory Capability (CIAC), investigators at the DOE Inspector General (IG), Sandia Counterintelligence, DOE Cyber Counterintelligence, Sandia IT management and my entire department. Even to a novice, it was obvious after reading the analyses how intelligence was gleaned on the adversaries.

For example, phrases substantially similar to this were used in my reports: “I used their credentials to access the systems in Brazil and China, identify their hacking tool caches, and [pulling] down all of their tools, e-mails and other information to aid in their identification.” Numerous exhibits of these activities were presented at trial for the jurors. In a meeting with them after the verdict was rendered, even the less cyber-savvy folks understood what the e-mails represented.

What were you hoping to achieve through this investigation? My objective started out with a purpose similar to the other investigations I engaged in while at Sandia. The difference in this instance was that the rabbit hole went much deeper than I imagined.

In late May of 2004, one of my investigations turned up a large cache of stolen sensitive documents hidden on a server in South Korea. In addition to U.S. military information, there were hundreds of pages of detailed schematics and project information marked “Lockheed Martin Proprietary Information Export Controlled” that were associated with the Mars Reconnaissance Orbiter. Ironically, Sandia Corp., the private company that manages Sandia National Laboratories, is a subsidiary of Lockheed Martin Corp. It was this discovery that prompted my meeting with [supervisors] and when I was told that “it was not my concern.” Later, I turned it over to the U.S. Army and the FBI and helped investigate how it was taken and where the path led.

Tags: hacking, military, whistleblowers

Posted on March 12, 2007 at 6:56 AM • 30 Comments

Comments

scandial • March 12, 2007 7:46 AM

“My friends in computer security that are still working there think their phones are tapped by Sandia counterintelligence, and are terrified to even call me from home. We clearly demonstrated for the jury that it is an environment of fear, created expressly to keep the employees in line.”

“… a semicircle of management was positioned in chairs around me and Bruce Held [Sandia’s chief of counterintelligence]. Mr. Held arrived about five minutes late to the meeting and positioned his chair inches directly in front of mine … At one point, Mr. Held yelled, “You’re lucky you have such understanding management… if you worked for me, I would decapitate you! There would at least be blood all over the office!” During the entire meeting, the other managers just sat there and watched … At the conclusion of the meeting, Mr. Held said, “Your wife works here, doesn’t she?”

Nice. I’ll send Sandia my CV in just a moment.

http://www.sandia.gov/about/community/

How do such incompetent companies come to be?

Mike Sherwood • March 12, 2007 8:07 AM

The sad thing is that $4.3m is a drop in the bucket, so there is no disincentive for Sandia to continue to act in exactly the same way.

The back-hacking the guy did as part of his job likely crossed some legal boundaries. It’s much more cost effective and safer from a management standpoint to not call attention to activities that could lead to uncomfortable questions. After all, the management is motivated by the organization’s short term goals. Information about crimes not perpetrated by or against the company does not help or hinder those short term goals.

I think the Dilbert view on company values is right on. If your company has a values statement, it’s because no one would have guessed you held those values if they weren’t prominently displayed. Sandia touts integrity on their community page. The company I work for also mentions integrity on many of its documents. I think it’s a reminder that integrity is a fine hobby to engage in off the clock, but leave it at the door when you come to work.

It’s unfortunate that companies behave in this manner, but I would be surprised if any large organization behaved differently.

Kevin Lyda • March 12, 2007 8:21 AM

“It’s unfortunate that companies behave in this manner, but I would be surprised if any large organization behaved differently.”

We get the organisations we expect.

Philippe • March 12, 2007 9:35 AM

Kevin,

No we don’t. It’s upon the leaders (owners, directors, shareholders…) of these organisations to act with the values they promote. Us, as employees, to act with the values we have. The two don’t necessarily coincide… If they differ, we usually have a problem. Very often the values that are promoted by our leaders are very different than what they apply themselves.

Dom De Vitto • March 12, 2007 10:01 AM

Now, I hate to gloat…

I work for Virgin Media, and the company morals are real nice – because the man that owns the Virgin brand, and 10%, (Sir Richard Branson) makes sure everyone loves working here.

e.g. We get regular [small, silly] presents, and I just attended one of about 20 (national) ‘Launch Parties’, around 1000 people in a club with free booze, food and travel (from 100 miles away!).

Of course, the company laid off a lot of staff last year in a big merger, and 9% (1000) more are expected this year, but while you’re here, you’re well treated!

Schlumberger is another company that I can personally say treats it’s employees very well – Summer Parties, with kids entertainment etc.!

In both cases the people at the top realized that staff are the company, and not ‘resource’.

Paperclips don’t increase share price, people do.

Sofa • March 12, 2007 10:14 AM

You may look into Pelco at Pelco.com Not only do we build the best surveillance systems in the world but we are the most ethical company you will ever meet. Never had a layoff, 2400 people strong or so. Customer service second to none. Call 24/7 you will always get a real person and an engineer to solve your problem, no automated systems. I’m not sure what qualifies as big, but we do about $500M a year in revenue. Its a company built from the ground up to be ethical and supportive in everything you do.

Kurzleg • March 12, 2007 10:36 AM

I suppose they thought that Carpenter may have or may still hack into their system, steal classified info and sell it. Never mind that he reported his findings and wanted to communicate them more widely so that measures could be taken to prevent future hacks. What’s weird is that aside from answering difficult questions, what’s the worst that could happen to Scandia Corp? I very much doubt they’d lose their contract to operate the lab what with Lockheed Martin being their parent company.

Nobby Nuts • March 12, 2007 10:38 AM

@Various people who work for nice companies

I think the point here isn’t how nice a company is to work for under normal circumstances. Sandia may well be a nice place to work, so long as you stick within the unwritten rules and don’t stick your head over the parapet.

It’s the way they behave when something unusual happens, particularly if it has implications on the external perception of the company that makes the difference. Sadly, most or at least many companies would do as Sandia did, I expect.

merkelcellcancer • March 12, 2007 11:04 AM

What everyone fails to recognize here is that Sandia Labs is the military government infrastructure.

Ed • March 12, 2007 12:22 PM

@merkelcellcancer

Indeed, and this is precisely how the military operates. For passing information out to the military security guys, you are a patriotic hero. For passing it over recalcitrant and unpatriotic bosses, you are a national disgrace. Far, far too many investigations uncover unexpected connections, and the sheer scale of resulting coverups large and small boggles my mind — and that’s only for those I know about myself.

RG3 • March 12, 2007 5:10 PM

@scandial:

I wouldn’t call the company incompetent. Unethical, hypocritical, bordering on illegal – yes. But not incompetent. They know exactly what they’re doing. This issue, while unfortunate, is not the end of the world for them.

David • March 12, 2007 6:54 PM

Bruce Held [Sandia’s chief of counterintelligence… {who} is a retired CIA officer…and evidently ran paramilitary operations in Africa]…yelled, “You’re lucky you have such understanding management… if you worked for me, I would decapitate you! There would at least be blood all over the office!”

As I understood the article, I’m most shocked that Mr. Held was angry that an employee put patriotism above short-term company loyalty. I would have expected that his allegiance was first to his country, then to his company and lastly to his own personal interest. that it appears his priorities are reversed makes me glad he’s not working for the CIA anymore.

Isn’t going to your own management to covertly bring this information to the government intelligence groups the right thing to do? Wouldn’t those organisations have cut a lot of slack to Sandia for bringing it forth? Heck, I’d have expected them to get covert “kudos” that would translate into increased revenue at some point.

/sigh, I’d hate to think that it’s naive of me to think that, in their hearts, our field/working counter-intel folks and similar domestic contracting firms are actually out trying to protect our country’s best interests as they see it.

Scandial • March 12, 2007 7:57 PM

“I wouldn’t call the company incompetent. Unethical, hypocritical, bordering on illegal – yes. But not incompetent …”

I see where you are coming from but I’m not convinced. Your argument appears to be a variation of the “Dictators make the trains run on time” argument; it’s true but is it really the best way? I suspect that Scandia don’t have much serious competition due to their market share but what happens if another serious player offers similar services without the security f***ups?

Scandia’s management culture probably has a lot to do with macho management and hiring “trusted” people like Bruce Held and goodness knows how many ex-military spooks. When, if ever, was Bruce Held or his like put under the spotlight to determine their true efficiency?

If you are a major defence contractor and you cannot be honest with your customer then there is a real problem (which will just be swept under the carpet).

Kevin Lyda • March 13, 2007 3:08 AM

Perhaps I should expand on my comment.

When I say “we get the organisations we expect,” I mean that if we blindly accept inferior organisations that’s what we’ll get. Not just as employees of a company or members of a political party, buy as citizens and consumers in general.

If you accept that companies do nasty crap and don’t do things to change that, companies will do nasty crap.

It is not just up to employers and directors to change things. Employees can organise unions, consumers can organise boycotts, political activists can organise caucuses or push to get one of their own elected. The first step to that is setting your expectations correctly. If you expect crap you’ll probably accept it to.

anonymous Sandian • March 13, 2007 3:21 PM

Sandia National Laboratories provides an excellent working environment, excellent benefits, contributes millions to the local economy and charitable organizations, and makes substantial contributions to protecting the national security of our country. I should know, because I’ve worked here for over two decades. We’ve provided exceptional service in the national interest for more than sixty years.

Sandia took the proper actions in terminating this individual’s employment. When employees step beyond clear boundaries in a national security setting, there are consequences. As such, Carpenter was rightfully shown the door. Sandia has very clear Corporate Policy Requirements in place that govern work with outside agencies; Carpenter made a personal decision not to follow these channels. Sandia management is committed to the values of integrity, service to the nation and teamwork. In my time here, I have found it to be a place exemplary character and values.

There is no place at an institution like Sandia for people like Carpenter.

Jack C Lipton • March 13, 2007 3:57 PM

Ummmmm…

I recall an article entitled “Is your boss a sociopath?” that pointed out that corporations– especially the publicly traded ones– are themselves sociopathic.

Scandial • March 13, 2007 5:21 PM

@anonymous Sandian

I cannot decide if that is subtle sarcasm or you are for real. Do you have anything to say about the allegations against Sandia in the article? National security my ass – Sandia blew it in a big way and tried to intimidate the guy who blew the whistle on them.

Oh wait a minute. I get it now. Bruce Held was holding a big knife to your neck when you wrote that.

Anonymous Sandian #2 • March 13, 2007 6:33 PM

I would hope that Sandia makes substantial contributions to the country, given the billions of tax dollars that flow in here every year. The very large punitive damages award ($4.3m), and the fact that it was allegedy more than twice what Carpenter and his attorneys even asked for (ABQ journal quote), has been a hot topic of water cooler discussions here. At first, people only spoke openly about it outside of the gates. The “facts” of his firing could not be more different, depending on who is doing the talking (ie SNL management & SNL Lab News vs the Albuquerque Journal, who apparently had a reporter there every day at trial).

Completely absent from internal SNL communications (Lab News & SNL-wide emails from Hunter) are threats against him and his wife, who was also an SNL employee until she apparently resigned to work at the White House. Threatening an employee with decapitation, paired with not-so-subtle menacing remarks about their Sandia-employed spouse somehow fail to embody Hunter’s tired words regarding Sandia’s “exemplary character and values” we have heard repeatedly in the wake of this thing.

I work here too, but have only been here a measly 8 years. It took me almost 3 1/2 years to get my DOE Q clearance. I wish someone in SNL managment would explain to the employee population how it is that Carpenter is currently working at the U.S. State Dept. with a top secret security clearance. Most Sandians DO UNDERSTAND what a top secret clearance is, and that they don’t hand them out to criminals, as managers here have consistently implied Carpenter is.

Albuquerque is a great city to live in, and the Lab does make a positive impact to the local economy and charities. That has nothing to do with what happened with this employee, though. I’m glad I have a job and a decent paycheck, but this kind of situation makes people nervous and paranoid. Something seems incredibly dubious about all of this. In an email to employees, Hunter said he was “disappointed with the verdict.” I wonder if his “disappointment” extends to the CI manager that seems to be stuck in his paramilitary days with the CIA. No employee should have to put up with this nonsense.

Anyone in need of a top-notch Oracle developer? 🙂

beezle • March 13, 2007 10:33 PM

I agree with the earlier posters that integrity is not at the top of the list at this joint. After reading the interview, it sounds like a laugh a minute. I think I’ll pass on sending my resume there.

lokibot • March 14, 2007 10:42 PM

It looks like Carpenter’s old buddies might not be overly paranoid:

URL: http://www.abqjournal.com/news/metro/395764metro10-05-05.htm

Wednesday, October 5, 2005
Sandia Bosses Secretly Tapped Workers’ Calls
By John Fleck
Copyright © 2005 Albuquerque Journal; Journal Staff Writer
Security managers at Sandia National Laboratories routinely recorded telephone and radio conversations of other security workers for at least two years, an Energy Department investigation has found.
Conversations with people outside Sandia also were recorded without their knowledge or consent.
The Inspector General’s investigators found no national security justification for the recordings, and no authorization.
Instead, calls “on issues relating to leave, overtime, training, scheduling, and discipline” were routinely recorded without workers’ consent, the investigators found.
The report said DOE had determined the practice was not in compliance with policy and that there were “similar issues at Los Alamos National Laboratory.” A final report has not been issued for LANL.
According to the investigators’ report:

Audible “beep” tones in the recording machines, intended to inform people they were being recorded, were disabled.

Files of recorded conversations were kept on individual employees.

Recordings were preserved for at least two years with no policies in place to safeguard their use.
According to the report, the inappropriate recording was stopped after the Inspector General’s Office issued a formal “Management Alert” about the issue in May.
Sandia spokesman John German declined comment, saying management is reviewing the recommendations and findings in the report.
Sandia, managed by Lockheed Martin Corp. for the Department of Energy, designs and maintains U.S. nuclear weapons. As such, security at Sandia Labs is tight.
Federal law and Energy Department regulations permit limited recording of conversations on DOE-owned phones for counterintelligence and law enforcement purposes with written authorization.
Managers of Sandia’s guard force told investigators they believed that routine recording of employee conversations was permitted because the guards had been informed of it during a meeting of all guards.
Investigators found that notification did not happen until Jan. 19, nearly two years after routine recording began.
Recording is permitted under DOE regulations when the employees are informed and give their consent. In such cases, DOE regulations require a tone every 15 seconds to remind the parties the conversation is being recorded.
The investigators found that the “beep” tones on the equipment being used at Sandia had been disabled.

erasmus • March 15, 2007 1:18 PM

Why does this sort of thing happen?
It doesn’t have to, and as some other folks have said, other organisations respect their employees, and their employees can embody and, in turn, help shape the ethos of their organisation.

Perhaps people at SNL should track down a copy of Dixon’s “On the psychology of military incompetence”, esp. given the large number of ex-military/CIA personnel employed there.

Jan Theodore Galkowski • March 15, 2007 1:47 PM

@Ed,

regarding: “For passing information out to the military security guys, you are a patriotic hero. For passing it over recalcitrant and unpatriotic bosses, you are a national disgrace. Far, far too many investigations uncover unexpected connections, and the sheer scale of resulting coverups large and small boggles my mind — and that’s only for those I know about myself.”

agreed. and the same company that waves the patriotic flag and urges its employees to work long hours “for the good of the country” cuts the government off at their knees during negotiations on feature vs price, shortchanges testing, and puts soldiers, sailors, and airmen at extra risk in order to increase profits. sure, it’s the “American way”.

Vincent • March 19, 2007 11:16 PM

Simply put, we are doomed if situations like Carpenter’s continue to occur. Rather than the expected streamlining of intelligence, we see this case that even the FBI seemingly had no control over. How is it that Lockheed’s interests of keeping this guy quiet overshadowed the national interests? Are our intelligence agencies so incompetent and powerless that the private sector interests outweigh the national interests? What the hell is happening to this country?

whistleblower • March 19, 2007 11:52 PM

It is refreshing to know that there are still some ethical, courageous, and patriotic individuals such as Mr. Carpenter. Too many large corporations tout themselves as having integrity and ethical standards, only to turn against their employees who report alleged illegal activities and violations of company ethical standards.

It is hard to believe that in a time of war a corporation would put profits above integrity. It is unconscionable that a Southern California utility would sell metrology software to the US Army knowing that it had critical bugs and was incomplete. Even that was not enough. They went on to collect the money for the incomplete Mudcats Metrology Suite without disclosing they had not delivered a complete product.

It goes without saying that they terminated the employee who had the courage to blow the whistle.

JT • March 21, 2007 12:59 AM

It is extremely unfortunate that there are many recent examples of corporate profiteering over genuine service to country. The treatment of Carpenter by Lockheed and Sandia lowers the bar to truly disgraceful levels. The lack of conscience and integrity necessary to threaten an employee with visions of blood and decapitation, coupled with threats to a spouse sets a new low standard. Congressional hearings are certainly in order to get at the roots of such abuses of authority.

yourpalatSNL • March 26, 2007 6:37 PM

I can attest from first-hand experience that the public testimony and verdict against Sandia management is fully consistent with my personal experience on the hostility to staff in reporting controversial matters. More than a few within Sandia management will not hesitate to cover up, even to the point of truly endangering national security if their or their political overseers’ careers, power, or reputation are at risk. They also do not hold themselves to the same standards of consequences for serious violations of security regulations and clearance infractions. Sandia used to be a nonpartisan technical resource to the US government. Since Lockheed-Martin’s ascendance, many staff have reported evidence within legal oversight channels about serious potential misconduct. If a conscientious employee carries out their explicit legal and contractual obligation to report evidence of potential wrongdoing and waste, fraud, and abuse, it is at their own risk. Sandia staff take that risk because our conscience requires it, and because we bear a trust to our fellow citizens to do the job we get paid to do. This is all well known to Congress, who is trying again to pass whistleblower protections over the protests of the Bush Administration. More power to them!

Breakpoint • June 14, 2007 10:13 AM

There is one final possibility to consider here, which I offer just as food for thought, even though I consider the probability low.

Consider the possibility that a mixture of real, but low-value, actual information and MODIFIED, but originally high-value, deliberate misinformation, were left in a moderately accessible location for purposes of 1) supplying certain types of incorrect restricted technical data to slake the desire for that data (presuming the errors were not noticed) and/or 2) identifying the capabilities, operating modes, and possibly the identities of enemy intelligence personnel.

Likely? Probably not. But possible, and interesting to consider.

Why is Sandia Still Open • September 5, 2007 4:12 PM

I too used to work at Sandia, but left several years ago. I simply couldn’t put up with the constant mistakes that were being made and the associated cover-ups. Sandia is a $1B mistake that’s a left over from World War II. It’s time to shut it down.

JungleBook • March 24, 2014 9:42 PM

This is so true much even today – it has gotten worse –

yourpalatSNL • March 26, 2007 6:37 PM

Robert • February 7, 2015 5:12 PM

I very much hope “breakpoint” is right. If! it is that what happened, than I see why Sandia wouldn’t want to tell it for its defense. In this case, I see no reason for them to appeal the court’s decision. I also know that both Carpenter and Held were “promoted” in better jobs after the incident. Anyway, dis-information always fairs better than standard protection.

Schneier on Security

Interview with Sandia Whistleblower

Comments

Leave a comment Cancel reply