High expectations and hacking

A recent Forrester Research report found that as far as CEOs are concerned, IT groups perform up to expectations (hooray!), but those expectations are low (boo). In other words, CEOs think about IT the way Congress thinks about the proposed surge of troops to Iraq: They're willing to vote against it, but the vote will be nonbinding.

Yep, low expectations are part and parcel of what people expect of complex situations and large organizations. Consider the case of Shawn Carpenter: He expected that his employer, Sandia National Labs, as well as the Army and the FBI, would care about national security enough to do something about a major hacking attack. His expectations were way too high.

In 2004 Carpenter discovered that Chinese hackers had been mounting a series of attacks on major American networks. These attacks had been in progress since at least 2003, and the U.S. government (in the guise of the Army and the FBI, as far as I can tell) even had a name for them: Titan Rain.

Carpenter found out that Sandia Labs was under attack, so he took the story to Sandia's security wonks. Popular opinion has it that the Sandia security people wanted to avoid "embarrassment" and wanted him to drop it.

Carpenter didn't drop it. He somehow got tied in with U.S. Army counterintelligence, which, in turn, hooked him up with the FBI. Eventually, the FBI got cold feet and also requested that Carpenter desist.

You may wonder why the FBI would get chicken-hearted. The reason was that Carpenter was hacking to find the hackers and in the process doing things that are illegal, such as cracking routers and installing spyware.

It was at this point that Sandia found out what Carpenter was doing (again, how they found out isn't clear) and not only fired him, but also had his security clearance canceled. The word on the street (I love that phrase, but actually it was Time Magazine) is that the head of Sandia's security wanted him "punished for disobeying his demands not to inform outside law enforcement agencies."

Carpenter took Sandia to court in 2006 and last week prevailed, with the jury finding Sandia guilty of firing Carpenter "in violation of public policy." Better yet for Carpenter, they awarded him $4.7 million in damages! Of course, Sandia will appeal, but at least Carpenter has been vindicated. He also got his security clearance back and is working for another government department.

Various commentators have characterized Carpenter as "pig-headed" and "stubborn," and certainly he was committed to finding the hackers in a way that wasn't self-preserving. On the other hand, he sincerely believed that what he was doing was in the national interest, and we should applaud him for that.

Now, what of his illegal hacking? Obviously the FBI must have been encouraging him for the obvious reason that he could get results quickly and they couldn't. As I understand it, if the FBI wants to attempt such activities, it has to fill out forms in triplicate, after which they are lost, found, lost again, buried in soft peat for three months and recycled as fire lighters.

Which raises the interesting question of how we can protect our network and computer assets if our security agencies are hamstrung by laws designed for the public at large. You'd have to be insanely optimistic to think that hacking of our assets by random hostile foreigners is not going to get much worse.

I have a suggestion: Let's call open season. Let's take all of the antihacking legislation off the books and make it the responsibility of computer owners to keep their own assets safe. Let's create a culture of online paranoia so that we take security seriously.

Of course, my suggestion reeks of high expectations. We all want that cozy feeling that comes with the false sense of safety, and if Congress were to vote on such a proposal it would approve it. As long as it was nonbinding.
