Nation’s cybersecurity chief returns to CMU

After two years and a questionable $19,577,602 in salaries and contracts, the nation’s cybersecurity chief is returning to Carnegie Mellon.

Donald “Andy” Purdy has been on loan from the university to the Department of Homeland Security’s (DHS) National Cyber Security Division (NCSD) for the last two years. His term as acting director, which ended last Tuesday, has not been without controversy.

The Associated Press reported on September 22 that Purdy was leaving a position in which he “worked under an unusual agreement with a private university that does extensive business with the office he manages.”

The article referred to $19 million in funding that Carnegie Mellon’s Software Engineering Institute (SEI) received from DHS’s cybersecurity division, which Purdy directed, over the last two years, to help improve the security of industries and federal agencies. Purdy, meanwhile, was still a university employee and was paid $577,602 for the last two years. CBS News, The Washington Post, and other international media outlets printed the article.

What the article did not mention was that the $19 million was a continuation of a contract from 2001, three years before the government requested Purdy.

“There wasn’t any new activity going on. It was all a continuation, but with a broader scope,” said Richard Pethia, manager of the SEI’s Computer Emergency Response Team (CERT) Coordination Center. “The government adds, deletes, and changes tasks over time as priorities change.”

CERT has worked with the federal government since the early ’90s, helping it set and meet cybersecurity standards in banking, insurance, law enforcement, telecommunications, and other key industries.

“I was not associated with decisions to increase or change things. None of it is fabrication, but it lacks clarity,” Purdy said, referring to the Associated Press reports.

Purdy returned to Carnegie Mellon last Wednesday. Still a university employee, he will support efforts to implement a national cybersecurity strategy, such as SEI’s new Resiliency Engineering work.

Last June, three ranking Democrats on the federal government’s House Committee on Homeland Security sent a letter to the committee’s Republican leadership complaining about Purdy’s contract. In addition, the letter cited a Government Accountability Office report stating that the NCSD “has not fully addressed any of the key responsibilities” related to cybersecurity.

“There were many millions of dollars unaccounted for,” said Carrie Brooks, the communications director for Representative Loretta Sanchez (D–Calif.).

The Department of Homeland Security reimbursed Carnegie Mellon about $245,000 a year for Purdy’s salary, while Carnegie Mellon contributed an additional $43,000.

“The sheer value of the salary — which outpaces not only the salaries of the Department Secretary, but also Members of Congress, the Vice-President, and the Justices of the Supreme Court ... raises questions about whether the American People are getting their money’s worth,” stated the letter, dated June 15, from Representatives Sanchez, Bennie Thompson (D–Miss.), and Zoe Lofgren (D–Calif.).

“I met with the staff of [that] House committee in August, and they didn’t ask me any questions about the IPA during that,” said Purdy. IPA refers to the Intergovernmental Personnel Act, a program begun in 1971. Under an IPA assignment, which runs for up to two years, a federal agency can bring in a non-federal employee who takes leave from an outside position, and the agency reimburses the home organization for that employee’s salary.

“When government isn’t able to find a skill set, they are able to go to industry and institutions to find someone with the background and skills needed to fill that job,” Pethia said.

A month later, during public testimony, the cybersecurity chief’s IPA was brought up again. Purdy said that during his supervisor’s testimony, a member of the committee asked him to speak and answer questions about his IPA.

“Given the fact that they had met with me in August without asking me any questions about the IPA, I was surprised that in the middle of the hearing they asked me to testify,” he said. “It didn’t seem like they prepared in the most efficient way for the public hearing.”

Purdy has been working for Carnegie Mellon since November of 2003. Prior to his work at the SEI, Purdy was involved with federal sentencing commissions.

“I was very active in trying to understand criminal offenses in technology,” he said. Among the technology-related offenses Purdy focused on were counterfeiting, identity theft, and cellular telephone cloning.

Pethia said the SEI hired Purdy to help CERT coordinate its work with cyber law and policy.

“He was working and had a good working relationship with people in the [Department of Homeland Security],” Pethia said. “Some people say he doesn’t know about security. With the President’s Critical Infrastructure Protection Board, he spent years reviewing findings of earlier groups. He went around the country, too, meeting thousands of system operators, system users, network operators, technology producers, and security experts.”

Carnegie Mellon has long been recognized for the SEI’s work with the federal government, dating back to 1988 with the inception of the CERT program.

“Our charter is to protect anyone on the Internet,” Pethia said. “There are over 200 incident response groups, many of them are trained by us.”

Government entities in Australia, Japan, and England, as well as ExxonMobil, Microsoft, Oracle, and over 600 other tech vendors are among the SEI’s collaborators.

With only a decade or two of worldwide Internet activity behind it, cybersecurity is still a developing industry compared with more tangible forms of security, such as airport or border security.

New laws and standards are being implemented regularly across the globe, according to Pethia, who says that Purdy is one of the few experts with a combined understanding of law, operational security issues, and the interaction between private-sector and government organizations.

“If you’re Exxon or Coca-Cola, what do you do to meet international commands?” he said. “Andy is looking at the interface between privacy and security law, and enterprise and security management.”