Sep 28, 2006 (06:09 PM EDT)
Former HP Chief Security Strategist: Company's Leak Investigation Crossed The Line

Read the Original Article at InformationWeek

1   2  
A former chief security strategist at Hewlett-Packard says executives should have called in federal investigators to handle the boardroom leak instead of getting caught up in shady spying tactics.

Ira Winkler, now president and acting CEO of Internet Security Advisors Group (ISAG), joined HP in 2001 and served as both chief security strategist and chief security evangelist until he resigned in 2004. He served as a consultant there, advising HP clients on their own security strategies. Winkler says he left because of changes in HP's management style, which he saw as moving away from "The HP Way" style and toward a focus on shorter-term goals.

The trouble HP has found itself in in recent weeks can be traced to a particular decision, he says: Executives decided to handle the internal investigation into a boardroom media leak on their own, instead of calling in law enforcement. The company turned to intelligence ruses that are more common in the murky world of corporate espionage, he claims, than in interactions with employees and the press. When they did that, Winkler says HP stepped out of any kind of gray area and went way over the line.

Before Winkler worked at HP, he spent seven years as an intelligence and computer systems analyst with the National Security Agency from the mid-1980s to 1991. He went on to work at Computer Sciences Corp., an information technology services company, and the SAIC, a research and engineering company. He founded ISAG, a consulting and security services marketing firm, in 1997.

He is also the author of Spies Among Us and Corporate Espionage and is a frequent speaker at conferences in the security community.

In an interview with InformationWeek.com, Winkler talks about bad decisions he believes the company made in its boardroom leak investigation, where he thinks investigators crossed the line, and how common he thinks these kinds of intelligence schemes are in corporate America.

Q: Do you think the investigation was warranted? Let me clearly state that this George Keyworth deserves to be strung up by his toes. He's the guy who actually leaked the information. But the investigative tactics they used were lower than the behavior of this guy. ... You can't turn up all these private records unless [you're] handing out Social Security numbers. An HP executive got somebody's Social Security number from HP records and provided that to the investigator. That's dirty hands, clearly. ... These people should go to jail and never be in corporate America again. You don't take a Social Security number and hand it over for somebody to commit fraud against an individual.

Q: HP's CEO, Mark Hurd, says he was unaware that anything illicit or unlawful was going on in the investigation. Should he have known? If he didn't know, he should have known. When you're overlooking it, you're even worse than that person himself. You could stop that behavior, and you could prevent it in the future. You give a monkey a gun, and it's your responsibility what happens.

Q: With Patricia Dunn's resignation last week, do you think she's taking the fall? She didn't take the fall until the stock price dropped. The "fall" she initially took was resigning as chair effective four months from now, but remaining on the board. That's laughable. It sounds like she was in charge, so she was the most visible. Her leaving was a visible modification.

Q: Did you see any of these investigative tactics, like pretexting and sending out e-mail tracers, while you were with the company? I didn't see it when I was there. I wasn't involved in those matters, [but] I would have gone to the police with that.