http://www.time.com/time/magazine/article/0,9171,1098961,00.html
Sunday, Aug. 28, 2005
The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop
Them)
An exclusive look at how the hackers called TITAN RAIN are stealing
U.S. secrets
By NATHAN THORNBURGH
It was another routine night for Shawn Carpenter. After a long day
analyzing computer-network security for Sandia National Laboratories,
where much of the U.S. nuclear arsenal is designed, Carpenter, 36,
retreated to his ranch house in the hills overlooking Albuquerque,
N.M., for a quick dinner and an early bedtime. He set his alarm for 2
a.m. Waking in the dark, he took a thermos of coffee and a pack of
Nicorette gum to the cluster of computer terminals in his home
office. As he had almost every night for the previous four months, he
worked at his secret volunteer job until dawn, not as Shawn
Carpenter, mid-level analyst, but as Spiderman--the apt nickname his
military-intelligence handlers gave him--tirelessly pursuing a group
of suspected Chinese cyberspies all over the world. Inside the
machines, on a mission he believed the U.S. government supported, he
clung unseen to the walls of their chat rooms and servers, secretly
recording every move the snoopers made, passing the information to
the Army and later to the FBI.
The hackers he was stalking, part of a cyberespionage ring that
federal investigators code-named Titan Rain, first caught Carpenter's
eye a year earlier when he helped investigate a network break-in at
Lockheed Martin in September 2003. A strikingly similar attack hit
Sandia several months later, but it wasn't until Carpenter compared
notes with a counterpart in Army cyberintelligence that he suspected
the scope of the threat. Methodical and voracious, these hackers
wanted all the files they could find, and they were getting them by
penetrating secure computer networks at the country's most sensitive
military bases, defense contractors and aerospace companies.
Carpenter had never seen hackers work so quickly, with such a sense
of purpose. They would commandeer a hidden section of a hard drive,
zip up as many files as possible and immediately transmit the data to
way stations in South Korea, Hong Kong or Taiwan before sending them
to mainland China. They always made a silent escape, wiping their
electronic fingerprints clean and leaving behind an almost
undetectable beacon allowing them to re-enter the machine at will. An
entire attack took 10 to 30 minutes. "Most hackers, if they actually
get into a government network, get excited and make mistakes," says
Carpenter. "Not these guys. They never hit a wrong key."
Goaded by curiosity and a sense that he could help the U.S. defend
itself against a new breed of enemy, Carpenter gave chase to the
attackers. He hopped just as stealthily from computer to computer
across the globe, chasing the spies as they hijacked a web of far-
flung computers. Eventually he followed the trail to its apparent
end, in the southern Chinese province of Guangdong. He found that the
attacks emanated from just three Chinese routers that acted as the
first connection point from a local network to the Internet.
It was a stunning breakthrough. In the world of cyberspying, locating
the attackers' country of origin is rare. China, in particular, is
known for having poorly defended servers that outsiders from around
the world commandeer as their unwitting launchpads. Now Chinese
computers appeared to be the aggressors.
If so, the implications for U.S. security are disturbing. In recent
years, the counterintelligence community has grown increasingly
anxious that Chinese spies are poking into all sorts of American
technology to compete with the U.S. But tracking virtual enemies
presents a different kind of challenge to U.S. spy hunters. Foreign
hackers invade a secure network with a flick of a wrist, but if the
feds want to track them back and shut them down, they have to go
through a cumbersome authorization process that can be as tough as
sending covert agents into foreign lands. Adding in extreme
sensitivity to anything involving possible Chinese espionage--
remember the debacle over alleged Los Alamos spy Wen Ho Lee?--and the
fear of igniting an international incident, it's not surprising the
U.S. has found it difficult and delicate to crack these cases.
In Washington, officials are tight-lipped about Titan Rain, insisting
all details of the case are classified. But high-level officials at
three agencies told TIME the penetration is considered serious. A
federal law-enforcement official familiar with the investigation says
the FBI is "aggressively" pursuing the possibility that the Chinese
government is behind the attacks. Yet they all caution that they
don't yet know whether the spying is official, a private-sector job
or the work of many independent, unrelated hands. The law-enforcement
source says China has not been cooperating with U.S. investigations
of Titan Rain. China's State Council Information Office, speaking for
the government, told TIME the charges about cyberspying and Titan
Rain are "totally groundless, irresponsible and unworthy of refute."
Despite the official U.S. silence, several government analysts who
protect the networks at military, nuclear-lab and defense-contractor
facilities tell TIME that Titan Rain is thought to rank among the
most pervasive cyberespionage threats that U.S. computer networks
have ever faced. TIME has obtained documents showing that since 2003,
the hackers, eager to access American know-how, have compromised
secure networks ranging from the Redstone Arsenal military base to
NASA to the World Bank. In one case, the hackers stole flight-
planning software from the Army. So far, the files they have vacuumed
up are not classified secrets, but many are sensitive and subject to
strict export-control laws, which means they are strategically
important enough to require U.S. government licenses for foreign use.
Beyond worries about the sheer quantity of stolen data, a Department
of Defense (DOD) alert obtained by TIME raises the concern that Titan
Rain could be a point patrol for more serious assaults that could
shut down or even take over a number of U.S. military networks.
Although he would not comment on Titan Rain specifically, Pentagon
spokesman Bryan Whitman says any attacks on military computers are a
concern. "When we have breaches of our networks, it puts lives at
stake," he says. "We take it very seriously."
As cyberspying metastasizes, frustrated network protectors say that
the FBI in particular doesn't have enough top-notch computer gumshoes
to track down the foreign rings and that their hands are often tied
by the strict rules of engagement. That's where independents--some
call them vigilantes--like Carpenter come in. After he made his first
discoveries about Titan Rain in March 2004, he began taking the
information to unofficial contacts he had in Army intelligence.
Federal rules prohibit military-intelligence officers from working
with U.S. civilians, however, and by October, the Army passed
Carpenter and his late-night operation to the FBI. He says he was a
confidential informant for the FBI for the next five months. Reports
from his cybersurveillance eventually reached the highest levels of
the bureau's counterintelligence division, which says his work was
folded into an existing task force on the attacks. But his FBI
connection didn't help when his employers at Sandia found out what he
was doing. They fired him and stripped him of his Q clearance, the
Department of Energy equivalent of top-secret clearance. Carpenter's
after-hours sleuthing, they said, was an inappropriate use of
confidential information he had gathered at his day job. Under U.S.
law, it is illegal for Americans to hack into foreign computers.
Carpenter is speaking out about his case, he says, not just because
he feels personally maligned--although he filed suit in New Mexico
last week for defamation and wrongful termination. The FBI has
acknowledged working with him: evidence collected by TIME shows that
FBI agents repeatedly assured him he was providing important
information to them. Less clear is whether he was sleuthing with the
tacit consent of the government or operating as a rogue hacker. At
the same time, the bureau was also investigating his actions before
ultimately deciding not to prosecute him. The FBI would not tell TIME
exactly what, if anything, it thought Carpenter had done wrong.
Federal cyberintelligence agents use information from freelance
sources like Carpenter at times but are also extremely leery about
doing so, afraid that the independent trackers may jeopardize
investigations by trailing foes too noisily or, even worse, may be
bad guys themselves. When Carpenter deputized himself to delve into
the Titan Rain group, he put his career in jeopardy. But he remains
defiant, saying he's a whistle-blower whose case demonstrates the
need for reforms that would enable the U.S. to respond more
effectively and forcefully against the gathering storm of cyberthreats.
A TIME investigation into the case reveals how the Titan Rain attacks
were uncovered, why they are considered a significant threat now
under investigation by the Pentagon, the FBI and the Department of
Homeland Security and why the U.S. government has yet to stop them.
Carpenter thought he was making progress. When he uncovered the Titan
Rain routers in Guangdong, he carefully installed a homemade bugging
code in the primary router's software. It sent him an e-mail alert at
an anonymous Yahoo! account every time the gang made a move on the
Net. Within two weeks, his Yahoo! account was filled with almost
23,000 messages, one for each connection the Titan Rain router made
in its quest for files. He estimates there were six to 10
workstations behind each of the three routers, staffed around the
clock. The gang stashed its stolen files in zombie servers in South
Korea, for example, before sending them back to Guangdong. In one,
Carpenter found a stockpile of aerospace documents with hundreds of
detailed schematics about propulsion systems, solar paneling and fuel
tanks for the Mars Reconnaissance Orbiter, the NASA probe launched in
August. On the night he woke at 2, Carpenter copied a huge collection
of files that had been stolen from Redstone Arsenal, home to the Army
Aviation and Missile Command. The attackers had grabbed specs for the
aviation-mission-planning system for Army helicopters, as well as
Falconview 3.2, the flight-planning software used by the Army and Air
Force.
Even if official Washington is not certain, Carpenter and other
network-security analysts believe that the attacks are Chinese
government spying. "It's a hard thing to prove," says a network-
intrusion-detection analyst at a major U.S. defense contractor who
has been studying Titan Rain since 2003, "but this has been going on
so long and it's so well organized that the whole thing is state
sponsored, I think." When it comes to advancing their military by
stealing data, "the Chinese are more aggressive" than anyone else,
David Szady, head of the FBI's counterintelligence unit, told TIME
earlier this year. "If they can steal it and do it in five years, why
[take longer] to develop it?"
Within the U.S. military, Titan Rain is raising alarms. A November
2003 government alert obtained by TIME details what a source close to
the investigation says was an early indication of Titan Rain's
ability to cause widespread havoc. Hundreds of Defense Department
computer systems had been penetrated by an insidious program known as
a "trojan," the alert warned. "These compromises ... allow an unknown
adversary not only control over the DOD hosts, but also the
capability to use the DOD hosts in malicious activity. The potential
also exists for the perpetrator to potentially shut down each host."
The attacks were also stinging allies, including Britain, Canada,
Australia and New Zealand, where an unprecedented string of public
alerts issued in June 2005, two U.S. network-intrusion analysts tell
TIME, also referred to Titan Rain--related activity. "These
electronic attacks have been under way for a significant period of
time, with a recent increase in sophistication," warned Britain's
National Infrastructure Security Co-Ordination Center.
Titan Rain presents a severe test for the patchwork of agencies
digging into the problem. Both the cybercrime and counterintelligence
divisions of the FBI are investigating, the law-enforcement source
tells TIME. But while the FBI has a solid track record cajoling
foreign governments into cooperating in catching garden-variety
hackers, the source says that China is not cooperating with the U.S.
on Titan Rain. The FBI would need high-level diplomatic and
Department of Justice authorization to do what Carpenter did in
sneaking into foreign computers. The military would have more
flexibility in hacking back against the Chinese, says a former high-
ranking Administration official, under a protocol called "preparation
of the battlefield." But if any U.S. agency got caught, it could
spark an international incident.
That's why Carpenter felt he could be useful to the FBI. Frustrated
in gathering cyberinfo, some agencies have in the past turned a blind
eye to free-lancers--or even encouraged them--to do the job. After he
hooked up with the FBI, Carpenter was assured by the agents assigned
to him that he had done important and justified work in tracking
Titan Rain attackers. Within a couple of weeks, FBI agents asked him
to stop sleuthing while they got more authorization, but they still
showered him with praise over the next four months as he fed them
technical analyses of what he had found earlier. "This could very
well impact national security at the highest levels," Albuquerque
field agent Christine Paz told him during one of their many
information-gathering sessions in Carpenter's home. His other main
FBI contact, special agent David Raymond, chimed in: "You're very
important to us," Raymond said. "I've got eight open cases throughout
the United States that your information is going to. And that's a
lot." And in a letter obtained by TIME, the FBI's Szady responded to
a Senate investigator's inquiry about Carpenter, saying, "The [FBI]
is aggressively pursuing the investigative leads provided by Mr.
Carpenter."
Given such assurances, Carpenter was surprised when, in March 2005,
his FBI handlers stopped communicating with him altogether. Now the
federal law-enforcement source tells TIME that the bureau was
actually investigating Carpenter while it was working with him.
Agents are supposed to check out their informants, and intruding into
foreign computers is illegal, regardless of intent. But two sources
familiar with Carpenter's story say there is a gray area in
cybersecurity, and Carpenter apparently felt he had been unofficially
encouraged by the military and, at least initially, by the FBI.
Although the U.S. Attorney declined to pursue charges against him,
Carpenter feels betrayed. "It's just ridiculous. I was tracking real
bad guys," he says. "But they are so afraid of taking risks that they
wasted all this time investigating me instead of going after Titan
Rain." Worse, he adds, they never asked for the passwords and other
tools that could enable them to pick up the investigative trail at
the Guangdong router.
Carpenter was even more dismayed to find that his work with the FBI
had got him in trouble at Sandia. He says that when he first started
tracking Titan Rain to chase down Sandia's attackers, he told his
superiors that he thought he should share his findings with the Army,
since it had been repeatedly hit by Titan Rain as well. A March 2004
Sandia memo that Carpenter gave TIME shows that he and his colleagues
had been told to think like "World Class Hackers" and to retrieve
tools that other attackers had used against Sandia. That's why
Carpenter did not expect the answer he claims he got from his bosses
in response to Titan Rain: Not only should he not be trailing Titan
Rain but he was also expressly forbidden to share what he had learned
with anyone.
As a Navy veteran whose wife is a major in the Army Reserve,
Carpenter felt he could not accept that injunction. After several
weeks of angry meetings--including one in which Carpenter says Sandia
counterintelligence chief Bruce Held fumed that Carpenter should have
been "decapitated" or "at least left my office bloody" for having
disobeyed his bosses--he was fired. Citing Carpenter's civil lawsuit,
Sandia was reluctant to discuss specifics but responded to TIME with
a statement: "Sandia does its work in the national interest lawfully.
When people step beyond clear boundaries in a national security
setting, there are consequences."
Carpenter says he has honored the FBI's request to stop following the
attackers. But he can't get Titan Rain out of his mind. Although he
was recently hired as a network-security analyst for another federal
contractor and his security clearance has been restored, "I'm not
sleeping well," he says. "I know the Titan Rain group is out there
working, now more than ever." --With reporting by Matthew Forney/
Beijing and Brian Bennett, Timothy J. Burger and Elaine Shannon/
Washington

Copyright © 2005 Time Inc. All rights reserved.