TechWeb

Former HP Chief Security Strategist: Company's Leak Investigation Crossed The Line

Sep 28, 2006 (06:09 PM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=193100422


A former chief security strategist at Hewlett-Packard says executives should have called in federal investigators to handle the boardroom leak instead of getting caught up in shady spying tactics.

Ira Winkler, now president and acting CEO of Internet Security Advisors Group (ISAG), joined HP in 2001 and served as both chief security strategist and chief security evangelist until he resigned in 2004. He served as a consultant there, advising HP clients on their own security strategies. Winkler says he left because of changes in HP's management style, which he saw as moving away from "The HP Way" style and toward a focus on shorter-term goals.

The trouble HP has found itself in over recent weeks can be traced to a particular decision, he says: Executives decided to handle the internal investigation into a boardroom media leak on their own, instead of calling in law enforcement. The company turned to intelligence ruses that are more common in the murky world of corporate espionage, he claims, than in interactions with employees and the press. When they did that, Winkler says, HP stepped out of any kind of gray area and went way over the line.

Before Winkler worked at HP, he spent seven years as an intelligence and computer systems analyst with the National Security Agency, from the mid-1980s to 1991. He went on to work at Computer Sciences Corp., an information technology services company, and SAIC, a research and engineering company. He founded ISAG, a consulting and security services marketing firm, in 1997.

He is also the author of Spies Among Us and Corporate Espionage and is a frequent speaker at conferences in the security community.

In an interview with InformationWeek.com, Winkler talks about bad decisions he believes the company made in its boardroom leak investigation, where he thinks investigators crossed the line, and how common he thinks these kinds of intelligence schemes are in corporate America.

Q: Do you think the investigation was warranted? Let me clearly state that this George Keyworth deserves to be strung up by his toes. He's the guy who actually leaked the information. But the investigative tactics they used were lower than the behavior of this guy. ... You can't turn up all these private records unless [you're] handing out Social Security numbers. An HP executive got somebody's Social Security number from HP records and provided that to the investigator. That's dirty hands, clearly. ... These people should go to jail and never be in corporate America again. You don't take a Social Security number and hand it over for somebody to commit fraud against an individual.

Q: HP's CEO, Mark Hurd, says he was unaware that anything illicit or unlawful was going on in the investigation. Should he have known? If he didn't know, he should have known. When you're overlooking it, you're even worse than that person himself. You could stop that behavior, and you could prevent it in the future. You give a monkey a gun, and it's your responsibility what happens.

Q: With Patricia Dunn's resignation last week, do you think she's taking the fall? She didn't take the fall until the stock price dropped. The "fall" she initially took was resigning as chair effective four months from now, but remaining on the board. That's laughable. It sounds like she was in charge, so she was the most visible. Her leaving was a visible modification.

Q: Did you see any of these investigative tactics, like pretexting and sending out e-mail tracers, while you were with the company? I didn't see it when I was there. I wasn't involved in those matters, [but] I would have gone to the police with that.

Q: How far can an investigation go? You're over the line when you start pretending to be somebody else, when you go out and supposedly don't know what methods are being used. If you don't know, you're trying not to know. These people are acting like babes in the woods. ... These are big people running a Fortune 500 company. They should have known. If you're in a Fortune 500 company, you can't act naive and say, "I never thought anybody would do anything illegal."

Q: Where exactly did HP cross the line from legal investigation to unethical or even illegal tactics? Surveillance. It's perfectly legal in theory. You can follow anybody, sadly, as long as you're not harassing them in other ways. You see [companies] monitor e-mail for proper usage. You see them monitor Web usage. They could monitor telephone traffic. There are a lot of things they could do. There's nothing wrong with letting people know you're going to monitor their systems at work--even cell phone usage if the company paid for it. That's all well and good for the company to look at without a problem. Most large companies monitor that kind of thing.

Q: Sure, but when did the trouble start? When you start infringing upon users' private lives, that's another thing. If you have to lie about being that person, then clearly you've stepped over the line. These types of tactics are typically used for competitive data. This was being used to investigate their own people.

Q: Are these all common corporate practices, and it's just that HP was just unlucky enough to get caught, or was what HP did really outrageous? The hiring of private investigators that might in turn hire third parties that commit questionable acts is nothing new. However, these tactics are usually used for competitive purposes. When you're starting to investigate your own employees like that, and you're taking employee records and giving them to private investigators so they can pull phone records, that's well beyond the line. Also, investigating journalists is way over the line. Competition is one thing, but when you're starting to investigate journalists, something is just not right. ... This is an investigation that ran amok.

Q: What should HP have done? When they believed there was this level of investigation required, they should have gone to the FBI and the SEC.

Q: Do you think the competitive environment that HP is working in drove them to dig hard to find this media leak and plug it? If this was such a competitive blow, they should have gone immediately to the SEC or the FBI. This was personal. ... It was a member of their family betraying them. I fully agree that's 100% fully accurate. But do you act like a vigilante or a Fortune 11 company that takes the higher road so your actions don't overshadow the originating actions?

Q: Are you hoping this will have the positive effect of speeding up pretexting legislation? [That] should have occurred a decade ago. We see pretexting on a daily basis where people are being stalked, and it's being used for financial crimes. For that, Congress sits back and does nothing. This is front-page news, and now Congress is calling hearings. ... Hearings have been going on, but how many hearings do you need to understand that pretexting invades the privacy of individuals everywhere, and it's used to further other crimes and cause personal damage? Legislation to prevent pretexting is long overdue.

Q: Will this case change the way companies handle future internal investigations? I think companies will be on a slight notice, especially for internal investigations. I think this will keep them within the lines for the short term and just make them sneakier for the long term. There will be some hesitance up front, but you can bet your bottom dollar that people who tend to contract these types of services will not be long deterred.