A New Mexico jury’s verdict earlier this week in favor of network security analyst Shawn Carpenter reinforces the longstanding conclusion that laboratory and departmental mismanagement has systematically jeopardized our nation’s nuclear security apparatus. Officials at Sandia National Laboratory and the Department of Energy (DoE) had repeatedly rebuked Carpenter and ignored his findings on a series of cyber security breaches by a group dubbed Titan Rain (possibly connected to the Chinese government) that threatened not only Sandia, but other US government, military, and commercial interests as well.
In an interview after the ruling with Computerworld, Carpenter identified the reaction to his findings as “a case of putting the interests of the corporation [Sandia’s manager Lockheed Martin] over those of the country.” This involved far more than turning a blind eye to Carpenter’s concerns. He states:
During my last meeting with Sandia management, a semicircle of management was positioned in chairs around me and Bruce Held [Sandia's chief of counterintelligence]. Mr. Held arrived about five minutes late to the meeting and positioned his chair inches directly in front of mine. Mr. Held is a retired CIA officer, who evidently ran paramilitary operations in Africa, according to his deposition testimony.
At one point, Mr. Held yelled, "You're lucky you have such understanding management… if you worked for me, I would decapitate you! There would at least be blood all over the office!" During the entire meeting, the other managers just sat there and watched. At the conclusion of the meeting, Mr. Held said, "Your wife works here, doesn't she? I might need to talk to her."
Since Sandia is an "at will" employer -- and they regularly remind you of this if you press issues -- people fear for their jobs. Of the several hundred colleagues I worked with during my career there, a grand total of two still talk to me -- even after the verdict. My friends in computer security that are still working there think their phones are tapped by Sandia counterintelligence, and are terrified to even call me from home. We clearly demonstrated for the jury that it is an environment of fear, created expressly to keep the employees in line.
Carpenter’s experiences at Sandia are shocking enough, yet numerous investigations by the Government Accountability Office (GAO) and the Department of Energy’s Inspector General (pdf) point to a record of department-wide (pdf) cyber security failures, often resulting from management practices. In a Special Report (pdf) released last December, the Inspector General identified cyber security as one of the “most significant challenges” facing DoE in 2007.
Likewise, a GAO report (pdf) from January determined that the NNSA’s security program for US nuclear labs had faced difficulties in “most notably cyber security.” One particular instance in 2006 where a hacker obtained the names and social security numbers of 1,502 NNSA personnel from a computer system in New Mexico traces a situation disturbingly similar to Titan Rain. A Special Inquiry (pdf) by the Inspector General concluded:
Witnesses provided their rationale for the actions taken in this matter. However, we concluded that the Department’s handling of this matter was largely dysfunctional and that the operational and procedural breakdowns were caused by questionable managerial judgments; significant confusion by key decision makers as to lines of authority, responsibility, and accountability; poor internal communications, including a lack of coordination and a failure to share essential information among key officials; and, insufficient follow-up on critically important issues and decisions. Additionally, we found that the Department lacked clear guidance on procedures for notifying employees when personnel data is compromised. The bifurcated organizational structure of NNSA within the Department further complicated the situation.
In the NNSA hacking case, roughly one year went by after the security breach was discovered before management took any action. After Shawn Carpenter’s discovery of an even greater security threat, Sandia management explicitly refused to address it and went so far as to fire Carpenter. These episodes and others like them raise the question, “How competent are those in charge of such critical security matters?” Assuming they are competent, then what are they actually working to protect – their own public image, corporate interests, or national security? In a telling move, Lockheed Martin is already considering an appeal in the Carpenter case.
-- John Pruett
In the interest of disclosure, it should be noted that POGO has worked with Carpenter's attorney, Lynne Bernabei, on previous occasions unrelated to Carpenter's lawsuit.
(Correction: Carpenter changed his legal counsel over one year ago. Since then, his lead counsel has been whistleblower attorney Thad Guyer, former GAP litigation director. He also received assistance from Stephani Ayers, also formerly of GAP, and Phil Davis, co-director of the New Mexico ACLU.)