The following case illustrates the ethical issues involved with national security and the dual allegiances of national lab employees to their government contractor and the federal government. As with any case, it is tempting to creating a hero or villain out of an individual rather than focusing on the interests of governments and corporations. Although the authors have attempted to provide an unbiased account of the events and give equal weight to the perspectives of all actors, most of the sources have focused on Carpenter's role.
Sandia National LaboratoriesEdit
Sandia National Laboratories is an organization known as a "GOCO," meaning government run, contractor operated. In the case of Sandia, the contractor is Lockheed Martin. Specifically, Sandia is one of three "weapons labs" in the United States, meaning that it is run by the National Nuclear Security Administration (NNSA) in the Department of Energy (DOE). The purpose of Sandia National Labs is best reflected by their mission statement:
"We develop technologies to sustain, modernize, and protect our nuclear arsenal, prevent the spread of weapons of mass destruction, defend against terrorism, protect our national infrastructures, ensure stable energy and water supplies, and provide new capabilities to our armed forces."
This mission statement shows the obvious importance of both physical and network security at Sandia National Labs.
To provide this network security, Sandia National Labs employs an entire department of security analysts whose job it is to recover stolen files and retrieve evidence following a network or system breach. This information is used not only to identify and aid in capturing the intruder, but also to figure out the vulnerabilities in the computer network that were exploited and how to prevent future intrusions. One of these employees was Shawn Carpenter.
In September 2003, Carpenter was investigating a network breach at Lockheed Martin when he first found evidence of a group of highly skilled and aggressive hackers. Several months later, Carpenter witnessed a similar attack at Sandia. After learning that the Army had experienced intrusions that appeared to follow the same patterns, Carpenter concluded that these hackers posed a greater threat than anyone had thought. He then began to "back-hack" the intruders, tracing them to servers in South Korea, Hong Kong, and Taiwan before ultimately pinpointing their origin to Guangdong, a province in southern China. Carpenter would later discover that this group of hackers was code-named Titan Rain by US authorities and was central to several ongoing investigations. In May 2004, Carpenter found many stolen documents stashed on a server in South Korea. These files included Lockheed Martin plans for NASA's Mars Reconnaissance Orbiter as well as flight and mission planning software stolen from Redstone Arsenal, headquarters of the Army Aviation and Missile Command.
After finding these files, Carpenter met with his supervisors at Sandia, hoping to pass along the information he had gathered to the affected parties. Their response, however, was not what Carpenter expected. According to Carpenter, he was told "We don't care about any of this. We only care about Sandia computers." Carpenter said he tried to find a way to give his findings to Sandia's counterintelligence department or to the authorities, but was told he was forbidden from doing so, that it "wasn't [his] job." Against Sandia's wishes, Carpenter began communicating his discoveries with contacts in Army intelligence. A short time later, the Army sent Carpenter to the FBI, as federal regulations prevent military intelligence officers from collaborating with civilians. Beginning in October 2004, Carpenter worked as a confidential informant for the FBI, feeding them the information he had gathered on Titan Rain's activities. Within a few weeks, Carpenter's FBI handlers told him to stop actively hacking Titan Rain, however Carpenter continued to give them previously gathered information and analysis. At the same time they were accepting Carpenter's contributions, the FBI was also investigating him. FBI agents are supposed to validate all their informants and Carpenter's actions were illegal, as it is against U.S. law for American citizens to hack into foreign computers. In March 2005, the FBI ceased all communication with Carpenter, although they eventually decided against prosecuting him.
In January 2005, Sandia discovered that Carpenter was working with the FBI on the Titan Rain case and fired him, claiming his actions constituted an improper use of confidential information he had obtained at his job.
Three main groups, Shawn Carpenter, Bruce Held and Sandia National Laboratories, and the FBI, each faced different ethical issues.
For Carpenter, the central conflict was between performing the duties in his job contract and supporting his national government. As part of his job, Carpenter regularly back-hacked into foreign servers to retrieve Sandia information or passwords. His reports to his supervisors made his tactics clear even to a nonexpert. However, the Titan Rain case was obviously more complex and could have more severe repercussions than his normal investigations. In Carpenter's own words, "The difference in this instance was that the rabbit hole went much deeper than I imagined."
Moreover, Carpenter was a Navy veteran and his wife was in the Army reserve at the time of the incident. In the Navy, Carpenter had been trained that national security was his top priority. When a purported "National" Lab dismissed evidence of a major security threat, Carpenter's military training and career interests came into conflict. He felt that Sandia's actions were "a case of putting the interests of the corporation over those of the country." Carpenter's wife, Jennifer Jacobs, claims, "This is what we have to do, because it's what we expect of others." She raises the possibility that Carpenter acted in a self-interested form of morality. He stood up to Sandia in the hopes that other professionals in similar circumstances would do the same. In that way, the nation would be more secure.
Sandia National Labs and Bruce HeldEdit
To analyze the prospective of Sandia in this case, it is first important to know how Sandia is managed. As mentioned above, Sandia is operated by Lockheed Martin for the Department of Energy. The original purpose of contractors operating national laboratories was to move liability from the DOE to the contractor. If it became public that data was stolen from Sandia and numerous other Lockheed-operated facilities, then it would reflect poorly on the company as a whole. Also, an investigation of the data loss would bring unwanted scrutiny to the counterintelligence work at Sandia. Poor publicity can lead to contractors either failing to secure future contracts or even losing current contracts; therefore it was in Lockheed's best interest for the data theft to remain hidden. As a Lockheed-operated facility, all employees at Sandia technically worked for the company, and it could be argued that it is professional for employees to do what is best for the company.
Another factor in the decision making at Sandia National Labs is based on the highly secure environment. Security at the lab is intense; Carpenter said in an interview that of all of his colleagues at Sandia, only two are still willing to talk to him to this day due to a fear of wire-tapping at both home and work. Employees are also reminded that Sandia is an "at-will" employer, which Carpenter claims is to keep employees in line and make them fear for their jobs. This fear-based environment is best shown by Bruce Held, Sandia's Chief of Counterintelligence at the time of the events. In Carpenter's termination interview, Held allegedly said: "You're lucky you have such understanding management. If you worked for me, I would decapitate you! There would at least be blood all over the office!" Although Carpenter was the source for this quote, Held later testified that he remembered using the word "decapitate" and would not contest that he had said "blood."
Sandia's official statement concerning Carpenter's termination was: "Sandia does its work in the national interest lawfully. When people step beyond clear boundaries in a national security setting, there are consequences." Based on the prospective of Sandia in this case, it is doubtful that this official statement reflects the entirety of Sandia's justifications in the way they handled Shawn Carpenter's case.
From the FBI's perspective, Carpenter was both a liability and a valuable asset. Hacking into foreign computers is illegal. Even when Carpenter was performing his regular job and retrieving stolen Sandia information, he was breaking the law. On the other hand, the Titan Rain investigation was important to national security interests and the US government cannot gather the same information as Carpenter. In order to hack into foreign computers, the FBI would have to get the approval of the Department of Justice and a high-level diplomat. While the military could legally launch a full-scale investigation, the justification would be "preparation for war." Freelancers like Carpenter are able to provide the government with valuable information without creating diplomatic tension with China. The FBI's request for Carpenter to cease investigating Titan Rain, while simultaneously using the information he provided, makes sense within this context.
Following his dismissal, Carpenter sued Sandia National Labs for wrongful termination. On February 13, 2007, a jury awarded him $387,537 in compensation for lost wages and emotional distress, and $4 million in punitive damages. They cited Sandia's "cavalier attitude about national security and global security" in addition to a lack of records of Carpenter's dismissal and the events leading up to it.
Carpenter's case begs the question of whether patriotism is included in professional ethics. Even if Carpenter's information wasn't directly relevant to Sandia, it was critical to national security. At the same time, there must be a clear dividing line between corporations and the US military and law enforcement. Although in this case, the FBI and the New Mexico court system agreed that Carpenter's actions did not justify his termination, at what point would he have gone too far? Also, what is the proper response of a government contractor to the potentially illegal activities of their employees?
- Sandia page on GOCOs: http://www.sandia.gov/about/history/goco/
- Sandia's Official Website: http://www.sandia.gov/mission/index.html
- Vijayan, Jaikumar. Q&A: Reverse hacker describes ordeal (February 26, 2007). Computer World. Retrieved April 20, 2011 from Computer World website: http://www.computerworld.com/s/article/9011832/Q_A_Reverse_hacker_describes_ordeal_
- Thornburgh, Nathan. The invasion of the Chinese cyberspies(August 29, 2005). Time Magazine. Retrieved April 20, 2011 from Time website: http://www.time.com/time/magazine/article/0,9171,1098961,00.html
- Sandlin, Scott. Sandia hacker gets $4 million; analyst fired for FBI contact (February 14, 2007). Albuquerque Journal. Retrieved April 26, 2011 from Lexis Nexis Academic.