Lawmakers Question Two-Year, $577,000 Contract for Bush Cybersecurity Chief

The Bush administration's cybersecurity chief is being paid $577,000 under
a two-year agreement with the university that employs him and also does extensive
business with the federal office he manages.

Donald "Andy" Purdy Jr. has been acting director of the Homeland
Security Department's National Cyber Security Division for 21 months. His contract,
which has drawn attention from members of Congress, is paying him more than
the $175,000 annual salary that Homeland Security Secretary Michael Chertoff

Purdy is employed by Carnegie Mellon University in Pittsburgh, which has loaned
him to the Homeland Security Department in exchange for the government paying
nearly all of his salary. Meanwhile, Purdy's cybersecurity division has paid
Carnegie Mellon $19 million in contracts this year, almost one-fifth the unit's

Purdy said he has not been involved in discussions over his office's business
deals with the school.

Some lawmakers who oversee the Homeland Security Department questioned the
decision to hire Purdy as acting cybersecurity director. They noted enduring
criticism by industry experts and congressional investigators over the department's
performance on cybersecurity matters.

Purdy's contract "raises questions about whether the American people are
getting their money's worth," Democratic Reps. Bennie Thompson of Mississippi
and Loretta Sanchez and Zoe Lofgren, both of California, wrote in a letter to

Purdy, a longtime attorney who has held a number of state and federal legal
and managerial jobs, has no formal, technical background in computer security.

His two-year contract expires in October, but he said it could be extended
two more years. Under the contract, the government pays Purdy $245,481 in salary
and benefits -- but not including travel reimbursements -- with Carnegie Mellon
paying $43,320. The Associated Press obtained a copy of Purdy's contract.

Purdy said his salary was commensurate with those of some other government
contractors. Purdy works four levels below Chertoff within the Homeland Security
Department and controls a budget of roughly $107 million and as many as 44 full-time

"Frankly, it's a very competitive market place out there, and I could
make a lot more in the private sector," said Purdy, a former White House
cybersecurity adviser and the former top lawyer at the U.S. Sentencing Commission.

Purdy's former boss and predecessor as cybersecurity chief, Amit Yoran, earned
$131,342 before he resigned abruptly in October 2004. Chertoff agreed one year
ago to create a position of DHS assistant secretary over cybersecurity, but
the job hasn't been filled.

"Andy has done a pretty good job under the circumstances, working in an
'acting' capacity and buried in the bureaucracy of the department," said
Shannon Kellogg, director of government affairs for RSA Security Inc., a leading
security firm. "He's had one of the tougher jobs in America."

Carnegie Mellon is highly regarded among experts who study hacker attacks and
software flaws. Its Software Engineering Institute works closely with the Defense
Department, which last year renewed a five-year, $411 million contract with
the research center.

The university declined to comment on Purdy's salary, citing employee confidentiality.
It said it has avoided discussing government contracts with Purdy in his role
as chief of the cybersecurity office that awards those contracts.

The Homeland Security Department said Purdy consulted with ethics lawyers when
he signed his contract. Purdy is so assiduous about avoiding potential conflicts
that he leaves the room when employees discuss contracts related to Carnegie
Mellon's work, said one DHS official, who spoke on condition of anonymity because
this official is not authorized to speak with reporters.

Among other activities, Carnegie Mellon helps run the U.S. Computer Emergency
Response Team, which sends urgent e-mails to subscribers about major virus outbreaks
and other Internet attacks as they occur, along with detailed instructions to
help computer users protect themselves.