I recently stopped to wonder how many people remember Clifford Stoll and the Hanover Hackers. Back in the mid-1980s, the then-system administrator from the Department of Energy found a minor accounting error that he chose to investigate ad nauseam, and he ended up discovering a group of hackers operating on behalf of the KGB.
Cliff did most of the work on his own and maybe conducted a few questionable maneuvers along the way. During that time, he spent months trying to get law enforcement agencies to take him seriously. He was eccentric. And at that time there were few people responsible for investigating such espionage. In the end though, Cliff Stoll was rewarded for his work with a well-deserved bestseller. The almost-20-year-old book should actually be required reading for all security professionals.
Today, we read about the case of Shawn Carpenter, a security professional who up until recently worked at the same Energy Department. The reason that he's no longer there is because, like Stoll, he discovered and investigated what is likely a group of hackers breaking in on behalf of a foreign government, in this case the Chinese. Sadly, the Carpenter case, also referred to as Titan Rain, shows how little we've advanced in the last two decades. We may even have slipped some as the threat has grown exponentially in that time. It's pathetic that despite the fact that Carpenter was working closely with the FBI, he was fired from his Department of Energy position for not letting the issue drop.
Essentially, Carpenter found a hacking operation working against his employer, Sandia Labs. He went to Sandia's counterintelligence group, which apparently was concerned about its image and told him to drop it. He then worked with U.S. Army counterintelligence, which eventually passed him on to the FBI. Sandia Labs didn't want him investigating this as part of his job, so he investigated it at his house after hours. He regularly reported his findings to the FBI. After a short time, the FBI asked him to hold off, which he did. The FBI seemed to understand that for Carpenter to get the great results that he did, which included actually tracking the attack back to its source, he hacked into a few key systems and basically installed spyware. The practice helped determine the scope of the hackers' work, which was apparently immense. It was also critical for counterintelligence purposes to know what the Chinese entities were targeting.
In the end, because hacking into computer systems is illegal, Carpenter was fired by Sandia and stripped of his security clearance. At least that was the official reason. The reality was that the counterintelligence chief wanted him punished for disobeying his demands not to inform outside law enforcement agencies.
According to Time magazine, Sandia Labs' counterintelligence chief wanted Carpenter severely punished. He was "concerned" that Carpenter disobeyed his superiors. From my thinking, this is akin to a store clerk running into the manager's office and saying that masked gunmen walked into the store, and the store manager punishes the clerk for not being at the cash register.
I am typically not a defender of vigilantes and the like who flout laws because they believe they have a higher calling. Not only are their acts likely criminal, but they run the risk of compromising legitimate investigations or offensive information warfare initiatives. However, this case is different.
Carpenter was regularly in contact with the FBI, which had the option of arresting him for his actions, and actually had a duty to if the acts were criminal. The information that he turned up was invaluable, or at least was invaluable until everything was made public. I don't know what precipitated the release of details of an active investigation in Time and other news venues; however, if it was due to the actions of the DoE security staff, they are actually responsible for a major security compromise. As I say in my book, Spies Among Us, the worst thing that can happen to an intelligence or law enforcement operation is that its existence is compromised. China now knows that key routers were compromised, as well as what we know about their operations, and can shift their tactics and launch points.
Carpenter's work was likely a major counterintelligence coup for the U.S. government. As with Stoll's work two decades ago, it's clear that without it a major intelligence operation would have continued unabated. In lesser hands, it's likely that Carpenter's work could have gone very wrong. However, he appears to have worked with law enforcement's blessing. Carpenter is no cybervigilante; he is our modern-day Cliff Stoll.
What's changed in 20 years? Sensitive government systems are still widely vulnerable. Our adversaries are now more efficient, running around-the-clock operations with more systematic attack strategies. Law enforcement and military intelligence authorities are still overwhelmed by the attacks.
The only difference now is that the Department of Energy is punishing the people doing the investigations on their own time -- under the watchful eye of law enforcement.