Employee fired for probing bad guys awarded $4.7m
Termination was 'malicious, willful, reckless, wanton'
A jury has awarded a former security analyst for Sandia National Laboratories $4.7m after he was fired for conducting his own investigation into computer attacks and taking his findings to authorities of a separate agency.
The judgment was more than twice the amount sought by Shawn Carpenter, who was dismissed by Sandia in January, 2005, according to FCW.com and other news outlets. The jury said the termination was "malicious, willful, reckless, wanton, fraudulent or in bad faith."
Carpenter initiated his investigation after detecting attacks on Sandia's network that originated from China, Romania, Italy and other countries and have come to be known as Titan Rain. After learning that similar attacks had been unleashed on Army bases and US contractors, Carpenter asked his superiors for permission to reverse-engineer the hacks so he could track down the perpetrators. His request was denied.
But Carpenter investigated them anyway, partly at the request of the FBI. When Sandia officials caught wind of the unsanctioned probe, Carpenter was fired.
A spokesman told us Sandia officials are disappointed and are considering whether to appeal. But he declined our request to discuss, even in the most general terms, their policies relating to the investigation of attacks that target their networks.
The episode underscores the morass confronting those trying to secure some of the world's most sensitive networks. Limited resources and bureaucratic rivalries have long been a challenge in reining in organized crime and espionage, and the growing wave of ever more sophisticated computer-generated rackets is making matters worse.
Notwithstanding some high-profile convictions against botnet ringleaders and other cybercrooks, much of the enforcement these days comes from self-appointed take-down groups such as PIRT (Phishing Incident Reporting and Termination), manned by individuals who donate their time and resources to help eliminate online menaces.
Philip Davis, an attorney who represented Carpenter, told PCWorld the verdict was a "vindication of his decision to do the right thing and turn over the information he obtained to the proper federal authorities in the interests of national security". ®