Management Laboratory

Leadership Lab: Management Competencies

Waking Sleeping Dogs: Information Security Ethics

Eric Conrad
Conrad Eric MGT421 leadership competencies paper
The Grasso Case

I worked as the manager of network and security engineering for a large healthcare provider. My boss, a 36-year veteran of the company, was vice president of infrastructure and operations. A 5th-degree black belt in Karate, he had a poster in his office recounting Shaolin Buddhist principles:

"Study - Practice - Teach"
"Work free of praise or criticism"
"Seek simple solutions"
"Assume the lead"
"Listen to learn"
"Dare to risk"
"Match words to actions"
"Defend the defenseless"

I studied that poster during meetings, reflecting on the timeless qualities of strong leadership. They applied directly to information security. My boss and I usually agreed on the right approach, even when others disagreed. Complex issues became simple when viewed through the prism of: what is best for the patients? Are we defending the defenseless?

In September 2007 we were alerted to an article titled "Officials: Man living with parents had over 150,000 child porn images."[1] At that time the suspect, Matthew Grasso, was an employee of a member facility. HR called to discuss a possible investigation: had a crime occurred on company property? This raised ethical issues:
  • Should we investigate? We had no request from law enforcement, and had no indication that any crime had occurred on company property.
  • If we investigated and discovered evidence of crime, what should we do?
  • What if the company suffered bad press from association with a suspected criminal?

My boss and I discussed the issue. We agreed that we should investigate and turn over any evidence to law enforcement. Defend the defenseless.

We explained our plan to our leadership, and everyone agreed. Management, information security, human resources, and the public relations and legal teams were on the same page. I felt proud of my company: others may have let sleeping dogs lie. We committed to do the right thing.

I worked with another engineer on my team to investigate, carefully performing a forensic investigation of three systems accessed by Grasso. We both kept handwritten notes in journals with numbered pages. The integrity of the data was assured every step of the way. We maintained a provable chain of custody.
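
The two controls in that paragraph, evidence integrity and a provable chain of custody, can be modelled in code. The following is an added example written for this page, not code from the original paper or from the author's investigation: it hashes each acquired image, keeps a custody log in which every numbered entry is linked to the previous one by hash (the electronic analogue of a bound journal with numbered pages), and re-verifies both the log and the evidence at any later step. The image contents, handler names and timestamps are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed stand-ins for the three acquired disk images. A real image is a
# bit-for-bit copy of the drive; here a short byte string plays that role.
EVIDENCE: Dict[str, bytes] = {
    "disk-1": b"constructed image of workstation 1",
    "disk-2": b"constructed image of workstation 2",
    "disk-3": b"constructed image of mail server volume",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the evidence bytes, recorded at acquisition and re-checked
    before every later step so that any alteration is detectable."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    """One numbered line in the custody log. Each line carries the hash of the
    line before it, so an edited, deleted or inserted line breaks the chain."""
    seq: int
    handler: str
    action: str
    evidence_id: str
    evidence_hash: str
    timestamp: str
    prev_entry_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        fields = asdict(self)
        fields.pop("entry_hash")  # the hash covers everything except itself
        return sha256_hex(json.dumps(fields, sort_keys=True).encode())


class CustodyLog:
    GENESIS = "0" * 64  # link value used by the first entry

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, handler: str, action: str, evidence_id: str,
               evidence: bytes, timestamp: Optional[str] = None) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = CustodyEntry(
            seq=len(self.entries) + 1,
            handler=handler,
            action=action,
            evidence_id=evidence_id,
            evidence_hash=sha256_hex(evidence),
            timestamp=timestamp or datetime.now(timezone.utc).isoformat(),
            prev_entry_hash=prev,
        )
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self, evidence: Dict[str, bytes]) -> List[str]:
        """Return the list of problems found; an empty list means the log and
        the evidence it describes are intact."""
        problems: List[str] = []
        prev = self.GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e.seq != i:
                problems.append(f"entry {i}: sequence number is {e.seq}")
            if e.prev_entry_hash != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if e.entry_hash != e.compute_hash():
                problems.append(f"entry {i}: entry contents altered")
            current = evidence.get(e.evidence_id)
            if current is None:
                problems.append(f"entry {i}: evidence {e.evidence_id} missing")
            elif sha256_hex(current) != e.evidence_hash:
                problems.append(f"entry {i}: {e.evidence_id} no longer matches recorded hash")
            prev = e.entry_hash
        return problems


def build_log(evidence: Dict[str, bytes]) -> CustodyLog:
    """Acquire each image, analyse it, then hand the set over under warrant,
    recording every step. Fixed constructed timestamps keep the run reproducible."""
    log = CustodyLog()
    for n, (eid, data) in enumerate(sorted(evidence.items())):
        log.record("engineer A", "acquired image", eid, data, f"2007-10-0{n + 1}T09:00:00+00:00")
    for eid, data in sorted(evidence.items()):
        log.record("engineer B", "analysed image", eid, data, "2007-10-05T14:00:00+00:00")
    for eid, data in sorted(evidence.items()):
        log.record("state police detective", "took custody under warrant", eid, data,
                   "2007-11-01T10:30:00+00:00")
    return log


if __name__ == "__main__":
    custody = build_log(EVIDENCE)
    print("problems:", custody.verify(EVIDENCE) or "none")
```

The hash chain makes silent edits to the log detectable, but the final entry hash still has to be anchored somewhere the log's keeper cannot rewrite, which is the role the handwritten numbered journal played in the investigation above: write the current entry hash into the journal at every handover.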

Unfortunately, I found evidence of crime: the forensic timeline showed access to a webmail account called ‘grasso666,’ as well as a second account. Text-based forensic tools showed disturbing emails exchanged with odd senders and receivers, some using poorly-written English.

I will never forget the text of those emails: they were truly disturbing. After a 15-year information security career with numerous forensic investigations, I thought I had seen it all. I hadn’t. The phrase ‘sick to your stomach’ is not simply a phrase: I was nauseated.

Our lawyer contacted the district attorney’s office. A detective from the state police crime lab later arrived with a warrant to retrieve the three disks. He was quite appreciative of our work, thanking us for volunteering to share the evidence, and complimenting us on our forensic skills. He mentioned they were aware of the grasso666 account, but not the second email account. We provided new email, and perhaps new senders and receivers. New evidence.

I created a Google News alert for Grasso. It alerted when he pleaded guilty on July 22nd 2008 and was sentenced to four years in a house of correction. The prosecutor stated ‘even after his initial arraignment, where he was barred from accessing the Internet from his computer, Grasso, a shipping and receiving clerk, was caught cleaning out an e-mail account using a computer at work.’[2]

Counterfeit Cisco Equipment

In early 2008 we suspected that some of our Cisco network equipment was bogus. A new order of fiber transceivers appeared to be legitimate, but the labels didn’t look right, used an older Cisco logo, and smudged easily. The serial numbers were not listed on the box label, and did not follow the typical Cisco numbering scheme. We sent a few suspect transceivers to Cisco Brand Protection labs. They confirmed our suspicions: counterfeit.

I began to collect the equipment from the new order, all sold by the same vendor. We also discovered older equipment with the same tell-tale signs: strange labels, non-standard serial numbers. Patterns emerged, and we correlated many previous network failures. The counterfeit gear was of low quality, and suffered a high failure rate. Patient care was affected.

My boss was in the hospital, recovering from a dangerous blood clot. In his absence I encountered a surprising amount of internal resistance to my investigation. I realize in retrospect: the sharks were circling.

Further research showed the vendor had purchased new $500 ‘Cisco’ parts for $50, or 90% off list. The vendor marked them up 500% and sold them to us for $250. They also mixed the counterfeit equipment with "gray market" gear that was legitimate Cisco, but did not have a transferable software license. These actions violated their Cisco reseller agreement, which required them to buy quality parts from approved sellers.

I tried to return the entire order, both counterfeit and gray market, requesting a full refund. The vendor resisted, and made a "plausible deniability" argument, claiming, "We didn’t know it was counterfeit!"

I explained they violated their reseller agreement, bought equipment of unknown quality from suspect channels, sold hardware with no valid software license, and passed the risk on to our patients. I asked, "If someone pulls up in a van and offers to sell you a $1000 hi-def TV for $100, can you honestly claim you ‘didn’t know’ it was stolen?"

A group of coworkers disagreed. A director said, "It’s in and it’s working; what’s the big deal?" A peer of mine worried the vendor would "get crushed." He had a different prism.

The equipment was in and working; software upgrades and support were minor issues. Deadlines were looming. I was overreacting.

I handled the investigation and tried to let my boss recover. Others did not. Given half the story, he called me from the hospital and said, "This counterfeit thing is overblown." There was a project with an urgent deadline, and the equipment needed to be deployed.

I updated him on my investigation. He agreed: we would continue to find and remove any counterfeit equipment in production, and continue to push the vendor to do the right thing. Defend the defenseless. With his support, we negotiated a full refund for the recent order.

I began to tackle the older questionable equipment -- some sold by this vendor, as well as two others. They all sold us the same odd transceivers, with smudgy labels, weird serial numbers, and high failure rates. It was still in production. It had to go.

I left the company early that summer. I resigned for many reasons, but the single biggest reason was the counterfeit showdown. Doing the right thing should not be that hard. My boss continued to work on the counterfeit issue.

He was forced out of the company six weeks later, told to take a demotion and a pay cut. They ordered him to report to his former direct report (my former peer), who backed the counterfeit vendor, and who worried they would be "crushed."

My boss refused. Thirty-six years of service ended.

I don’t know that the counterfeit situation contributed to his fall, but I suspect it did. He angered powerful people. He got in the way.

Over $50,000 of older suspected counterfeit equipment remained in production the day he left.

Sleeping Dogs

My boss had a conversation with a friend in early 2009. He recounted the counterfeit Cisco story. The friend said, "maybe you should look the other way."

The friend raised an interesting point. Is playing the white knight worth it? Tilt your lance against windmills, and fight unpopular battles? Are you doing the right thing, or are you merely being foolish by angering and empowering your enemies?

Should you instead pick your battles, and let some sleeping dogs lie? Leave the older suspected counterfeit gear in place. Don’t make waves. Live to fight another day.

My boss and I discussed the issue. We agreed that if we could go back in time, we would fight the same fight. Ethics are not conditional: child porn suspects must be investigated and counterfeit equipment must be removed. The prism of "what is best for the patients" made it crystal-clear. The defenseless must be defended.

Confirmation came from an unlikely source when, after almost 8 months of silence, the Google News alert for Grasso referenced a new article by the BBC titled "Child pornography 'links in USA'".[3] It described the arrests in Europe of eight child pornography suspects, led by Detective Inspector Stuart Hood, who "spoke to police in the US about a man who used an e-mail address 'grasso666'".[4]

A tangible sense of nausea returned as I read the email quoted in the article; I had seen email just like it before, with text-based forensic tools, on one of the disks I analyzed in late 2007.

What would have happened if we had decided to let sleeping dogs lie? What if we had not investigated, or not shared the results with law enforcement? What if Grasso’s second account had not been discovered by law enforcement? What if links to these European suspects had not been established as a result? What if they were still free?

Working with law enforcement isn’t just the right thing to do; it may literally help prevent future crime.

The ethical decisions we make do not occur in a vacuum. We are connected; our decisions make waves. It’s important to do the right thing not only on principle, but also because our decisions matter. They echo and reverberate.

Some sleeping dogs must be woken.

[1] "Officials: Man living with parents had over 150,000 child porn images." Lawrence Eagle Tribune, September 20, 2007.
[2] "Judge shows leniency in child porn case." Lawrence Eagle Tribune, July 22, 2008.
[3] "Child pornography 'links in USA'." BBC News Online. Retrieved on 03/10/2009. Link: