About Us

CDA Team, past and present

O. Sami Saydjari: President and Founder

Mr. O. Sami Saydjari is the founder and President of Cyber Defense Agency. Under his leadership and guidance, Mr. Saydjari has attracted twenty of the nation's top security experts to create a uniquely superb national asset to help defend the country's most important information systems. He provides vision and expertise for building a research and consulting organization that creates effective systematic defenses for high-value systems against aggressive cyber- attack. Mr. Saydjari has over 20 years experience performing and directing information assurance research, including 13 years as a leader at the National Security Agency and three years as a Defense Advanced Projects Agency (DARPA) Program Manager of Information Assurance where he created one of the most significant investments in information assurance in the nation's history.

Before founding the Cyber Defense Agency, Mr. Saydjari was a Senior Staff Scientist in SRI International s Computer Science Laboratory, where he was the program leader of the Cyber Defense Research Center (CDRC). Prior to SRI, Mr. Saydjari was the Information Assurance Program Manager for DARPA's Information Systems Office.

Mr. Saydjari is an internationally recognized security expert. He has been featured in various publications and broadcast including a feature on PBS Frontline. He is the "On the Horizon" department editor for IEEE Security and Privacy Journal. He also has the honor of serving on board of directors for two distinguished professional non-profit boards advising government leadership on cyber defense policy: Cyber Conflict Studies Association and Professionals for Cyber Defense.

Mr. Saydjari earned his M.S. in Computer Science from Purdue University. The Director of NSA named Mr. Saydjari an NSA fellow in 1993 and 1994. He has published more than a dozen technical papers in the field of information security and has presented the results of his research at both such as the National Cryptologic Quarterly, the National Computer Security Conference, IEEE Security and Privacy Conference, and the ACM New Security Paradigms Workshop.

For complete list of publications, press here.

Dan Thomsen: Chief Information Officer & Research Scientist

Dan Thomsen is Chief Information Officer & Research Scientist at Cyber Defense Agency. As such, he plays a key role in implementing security solutions. He has twenty years experience in the security industry specializing in computer security research, security design and software engineering.

Prior to joining CDA, Mr. Thomsen held several security professional positions at Tresys Technology, LLC and Security Computing Corporation. Mr. Thomsen has made significant contributions to the management of security policy, both role-based access control and the high assurance type enforcement mechanism. Mr. Thomsen has also created high assurance multilevel applications, balancing security, functionality and cost to meet the highest levels of assurance.

Mr. Thomsen is a sought after speaker on computer security topics. He has been a featured guest on Minnesota Public Radio for three different shows and has also been on four local television interviews. He has been published in twenty seven different publications in workshops, magazines, book chapters and journals.

Mr. Thomsen has an M.S. in Computer Science, B.A. in Computer Science and Mathematics from University of Minnesota. Mr Thomsen plays an active role on the Annual Computer Security Applications Conference (ACSAC) program committee for ten years. He was ACSAC 2005 and 2006 conference chair and past program chair. He has also been on the program committee for Security Patterns workshop, ESORICS, ACM SIGMAT, and IFIP working 11.3 on database security as well as a senior member of IEEE.

For complete list of publications, press here.

Dr. Carol Muehrcke: Director of Strategic Planning

Dr. Carol Muehrcke is the Director of Strategic Planning for Cyber Defense Agency. She is responsible for helping determine the CDA long- term strategic plan and coordinating those efforts. She has 13 years of experience in security-related product development and assurance.

Prior to CDA, she led commercial software development projects to bring new security technologies to market, including the 3Com Embedded Firewall, where this technology was transferred from the DARPA Autonomic Distributed Firewall (ADF) program. She previously led the assurance effort for major NSA-sponsored development programs for high assurance Guard systems.

Additionally, Dr. Muehrcke has 9 years experience in systems engineering for advanced manufacturing systems at Bell Laboratories. Her specialties include analytic assurance methods and integration with software development, requirements engineering, architecture level trust analysis and project management.

Dr. Muehrcke has a Ph.D., in Mathematics from Rutgers University and an A.B. in Mathematics from Reed College.

Jeremy Epstein

Jeremy Epstein is Senior Computer Scientist with SRI International, and a consultant to CDA. His research interests include security architecture, software assurance and voting system security. Prior to joining SRI, Jeremy spent almost nine years as head of product security for Software AG, an international COTS software vendor, where he was responsible for both security functionality and assurance, including establishing assurance requirements, security training programs, incident handling, red teaming, and assessment of static and dynamic security assessment tools. Jeremy holds an M.S. in Computer Science from Purdue University, and has published extensively in computer security conferences, magazines, and journals. In addition to consulting for CDA, he is also on the advisory board of Verified Voting Foundation and the Open Source Digital Voting Foundation, and is vice president and a member of the board of directors for the Applied Computer Security Associates.

Rich Feiertag

Rich Feiertag has more than 40 years of experience in architecture, design, and software development of large complex systems including operating systems, embedded systems, distributed systems, agent-based systems, and networks. He has focused on systems with exceptional requirements for security, reliability, and fault and intrusion tolerance, both in developing new techniques for the development of such systems and applying such techniques to new and existing systems. Recently, Mr. Feiertag has focused on intelligent application of security countermeasures for systems based on an evaluation of the risk imposed by threats to the system's mission and the benefits and costs those countermeasures accrue. Mr. Feiertag has successfully managed many projects involving high technical risk, developing innovative solutions to difficult problems and has published numerous technical papers.

Sue Rho

Ms. Rho has more than 30 years of experience designing and developing high assurance systems. Most recently, she worked on developing a detailed engineering plan for DARPA's National Cyber Ranger Phase I project. As part of the Sparta team, she worked on developing the knowledge management architecture to capture range and test management experience across tests.

Prior to the NCR work, she managed the security development effort for a DAPRA program, called UltraLog during which she developed an adaptive security architecture that integrated the contributions of the program's seven contractors to ensure that the capabilities they developed worked together as an integrated whole. Adaptation was achieved by developing policy-based security mechanisms and using KAoS policy management to dynamically change policies to adapt to changing threat conditions.

She also led the development of a suite of tools, called Proteus, that support dynamic configuration of security mechanisms. Proteus allows component developers to specify the security properties and dependencies for components and then uses a reasoning engine based on Jess to check the security requirements of components for their consistency. If requirements are consistent, Proteus locates applicable security mechanisms that comply with the requirements; if it can't find a security mechanism that can satisfy a particular requirement, it notifies the user for assistance. If all the requirements can be satisfied, it generates the configuration file to build the system.

Ms. Rho also managed the development of several formal verification systems. At Aerospace Corporation, she led the State Delta Verification System, developed to prove the correctness of microcode programs. At Trusted Information Systems, she worked on correctness of C compilers by leading the effort to define semantics of the C language and the development of a C verifier that showed the compiler generated object code satisfies its C program semantics.

Rick Smith

Dr. Rick Smith is a consultant with Cyber Defense Agency. In addition to his association with CDA, Dr. Smith is a faculty member at the University of St. Thomas and consults in the civilian sector through Cryptosmith LLC (www.cryptosmith.com). He has written extensively on information security including two books: "Authentication," published in 2002, and "Internet Cryptography," published in 1997.

Dr. Smith has over thirty years of experience in the computer field, over half of which has focused on information security. Dr. Smith developed software for the ARPANET and developed the high assurance networking interface for the LOCK trusted computing system. He was also the lead system engineer on the Standard Mail Guard, one of the earliest "off-the-shelf" multilevel network devices. Since then he has provided design consulting and assurance for a variety of multilevel and cross-domain systems, and for Type 1 cryptographic systems.

Dr. Smith holds a B.S. in engineering from Boston University, and an M.S. and Ph.D. in computer science from the University of Minnesota. He also holds a CISSP, with companion certifications in Security Architecture and Security Engineering; the latter is the NSA-sponsored certification in information security.

Martin Solum

Martin Solum is a computer systems professional with over 15 years of technical experience in a broad range of information technology settings and disciplines. He has completed many information system & control system integration, software development (mostly Java programming), research & development and assessment projects. For the last few years his primary focus has been on industrial control system security issues. His experience with industrial control systems devices includes setting up a control systems lab and producing representative network traffic with the devices for a passive security logging project. Experience on that project included basic set-up and operation of Rockwell ControlLogix 5000 & ProSoft communication modules using RSLogix\RSLinx, the KoyoDL405 using Automation Direct DirectSoft5 & NetEdit, SEL2032/SEL351S substation communications processor using SEL 5020 settings assistant, the GE D20 substation using ConfigPro, & the Modicon Quantum 140 using Unity Pro. Additional software interfaces included the jamod (Java-based Modbus) Java library, the TriangleMicroworks Protocol Test Harness software, the ASE 2000 RTU Test set, various network & industrial protocols including EthernetIP/CIP, Modbus, DNP3, SEL, Telnet, FTP, TFTP protocols using network management/diagnostic & probing tools e.g. Wireshark, Snort and Scapy.

Rico Valdez

Rico Valdez is an experienced Information Security Engineer with over 14 years experience in Information Technology. He holds a BS degree in Computer Engineering from the University of New Mexico and an MS in Electrical and Computer Engineering from Johns Hopkins University. For the last 11 years, Mr. Valdez has focused his professional career in the fields of Red Teaming, attack development, and adversary modeling. He has been a key participant on Red Teams for several DARPA programs as well as various commercial organizations. In addition to his work with Red Teams, Mr. Valdez has performed research in related fields such as attack development, risk assessments, information security metrics, and adversary modeling, and has worked with the NSA on performing a large-scale risk assessment of the Global Information Grid (GIG). Most recently, Mr. Valdez has been working in a forensics capacity, analyzing current attack methodologies, and their impacts in a large, distributed computing environment. He is well-versed in assessment tools and exploitation methods, as well as adversarial thinking and attack development.