Thursday, June 29, 2006

Lawmakers Question Lucrative Hefty Contract of Bush Administration's Cybersecurity Chief; He has no formal technical background in computer security.

ABC News
Cybersecurity Chief's Contract Scrutinized
The Associated Press

WASHINGTON - The Bush administration's cybersecurity chief is a contract employee earning $577,602 over two years under an agreement with a private university that does extensive business with the federal office he manages.

Donald "Andy" Purdy Jr. has been acting director of the Homeland Security Department's National Cyber Security Division for 21 months. His contract with Carnegie Mellon University in Pittsburgh has drawn attention from members of Congress. By comparison, the Homeland Security secretary, Michael Chertoff, makes $175,000 annually.

Purdy is on loan from the school to the government, which is paying nearly all his salary. Meanwhile, Purdy's cybersecurity division has paid Carnegie Mellon $19 million in contracts this year, almost one-fifth of the unit's total budget.

Purdy said he has not been involved in discussions over his office's business deals with the school. "I'm very sensitive to those kinds of requirements," Purdy said. "It's not like Carnegie Mellon has ever said to me, 'We want to do this or that. We want more money.'"

Some lawmakers who oversee the department questioned the decision to hire Purdy as acting cybersecurity director. They noted enduring criticism by industry experts and congressional investigators over the department's performance on cybersecurity matters.

Purdy's contract "raises questions about whether the American people are getting their money's worth," Democratic Reps. Bennie Thompson of Mississippi and Loretta Sanchez and Zoe Lofgren, both of California, wrote in a letter to Republicans.

Purdy is a longtime lawyer who has held a number of state and federal legal and managerial jobs. He has no formal technical background in computer security.

His two-year contract expires in October. He said it could be extended two more years. Under the contract, the government pays Purdy $245,481 a year in salary and benefits, not including travel reimbursements; Carnegie Mellon pays $43,320 a year. The Associated Press obtained a copy of Purdy's contract.

Purdy said his salary was commensurate with those of some other government contractors. Purdy works four levels below Chertoff and controls a budget of about $107 million and as many as 44 full-time federal employees.

"Frankly, it's a very competitive marketplace out there, and I could make a lot more in the private sector," said Purdy, a former White House cybersecurity adviser and the former top lawyer at the U.S. Sentencing Commission.

Purdy's former boss and predecessor as cybersecurity chief, Amit Yoran, earned $131,342 before he resigned abruptly in October 2004. Chertoff agreed one year ago to create a position of assistant secretary over cybersecurity. The job is unfilled, a point of consternation among many security experts.

"Andy has done a pretty good job under the circumstances, working in an 'acting' capacity and buried in the bureaucracy of the department," said Shannon Kellogg, director of government affairs for RSA Security Inc., a leading security firm. "He's had one of the tougher jobs in America."

Carnegie Mellon, which is in the home state of former Homeland Security Secretary Tom Ridge, is highly regarded among experts who study hacker attacks and software flaws.

The university declined to comment on Purdy's salary, citing employee confidentiality. It said it has avoided discussing government contracts with Purdy in his role as chief of the cybersecurity office that awards those contracts.

Some of the school's U.S. contracts preceded Purdy's tenure as cybersecurity chief.

The department said Purdy consulted with ethics lawyers when he signed his employment contract. Purdy is so careful about avoiding potential conflicts that he leaves the room when employees discuss contracts related to Carnegie Mellon's work, said one DHS official, who spoke on condition of anonymity because this official is not authorized to speak with reporters.

Among other activities, Carnegie Mellon helps run the U.S. Computer Emergency Response Team. The team sends urgent e-mails to subscribers about major virus outbreaks and other Internet attacks as they occur, along with detailed instructions to help computer users protect themselves.

The cybersecurity division's flagship achievement under Purdy this year was "Cyber Storm," an exercise to test how the government would respond to devastating Internet attacks. Internal documents show planners were preoccupied in the weeks before the exercise trying to persuade high-ranking officials to attend.

The AP sought copies in February of all records related to the exercise under the Freedom of Information Act. The only documents turned over after four months include e-mails among planners fretting about whether a department undersecretary and others would attend. An official said other internal records were still being reviewed; none of the records already turned over was written by Purdy.
