U.S. cybersecurity chief’s contract questioned

Source: The Associated Press

The Bush administration’s cybersecurity chief is being paid $577,000 under a two-year agreement with the university that employs him and also does extensive business with the federal office he manages.

Donald “Andy” Purdy Jr. has been acting director of the Homeland Security Department’s National Cyber Security Division for 21 months.  His contract, which has drawn attention from members of Congress, is paying him more than the $175,000 annual salary that Homeland Security Secretary Michael Chertoff earns.

Purdy is employed by Carnegie Mellon University in Pittsburgh, which has loaned him to the Homeland Security Department in exchange for the government paying nearly all of his salary.   Meanwhile, Purdy’s cybersecurity division has paid Carnegie Mellon $19 million in contracts this year, almost one-fifth the unit’s total budget.

Purdy said he has not been involved in discussions over his office’s business deals with the school.

Some lawmakers who oversee the Homeland Security Department questioned the decision to hire Purdy as acting cybersecurity director.  They noted enduring criticism by industry experts and congressional investigators over the department’s performance on cybersecurity matters.

Purdy’s contract “raises questions about whether the American people are getting their money’s worth,” Democratic Reps. Bennie Thompson of Mississippi and Loretta Sanchez and Zoe Lofgren, both of California, wrote in a letter to Republicans.

Purdy, a longtime attorney who has held a number of state and federal legal and managerial jobs, has no formal, technical background in computer security.

His two-year contract expires in October, but he said it could be extended two more years. Under the contract, the government pays Purdy $245,481 in salary and benefits — but not including travel reimbursements — with Carnegie Mellon paying $43,320.  The Associated Press obtained a copy of Purdy’s contract.

Purdy said his salary was commensurate with those of some other government contractors. Purdy works four levels below Chertoff within the Homeland Security Department and controls a budget of roughly $107 million and as many as 44 full-time federal employees.

“Frankly, it’s a very competitive market place out there, and I could make a lot more in the private sector,” said Purdy, a former White House cybersecurity adviser and the former top lawyer at the U.S. Sentencing Commission.

Purdy’s former boss and predecessor as cybersecurity chief, Amit Yoran, earned $131,342 before he resigned abruptly in October 2004.  Chertoff agreed one year ago to create a position of DHS assistant secretary over cybersecurity, but the job hasn’t been filled.

“Andy has done a pretty good job under the circumstances, working in an ‘acting’ capacity and buried in the bureaucracy of the department,” said Shannon Kellogg, director of government affairs for RSA Security Inc., a leading security firm.  “He’s had one of the tougher jobs in America.”

Carnegie Mellon is highly regarded among experts who study hacker attacks and software flaws.  Its Software Engineering Institute works closely with the Defense Department, which last year renewed a five-year, $411 million contract with the research center.

The university declined to comment on Purdy’s salary, citing employee confidentiality.  It said it has avoided discussing government contracts with Purdy in his role as chief of the cybersecurity office that awards those contracts.

The Homeland Security Department said Purdy consulted with ethics lawyers when he signed his contract.  Purdy is so assiduous about avoiding potential conflicts that he leaves the room when employees discuss contracts related to Carnegie Mellon’s work, said one DHS official, who spoke on condition of anonymity because this official is not authorized to speak with reporters.

Among other activities, Carnegie Mellon helps run the U.S. Computer Emergency Response Team, which sends urgent e-mails to subscribers about major virus outbreaks and other Internet attacks as they occur, along with detailed instructions to help computer users protect themselves.