Skip to Main Content

David Brumley was appointed to lead Carnegie Mellon CyLab Security and Privacy Institute. Brumley is the third director of the campus-wide cybersecurity research and education center, and succeeds Electrical and Computer Engineering Professor Virgil Gligor, who is stepping down after seven years to focus on his research.

Brumley, whose research focuses on software security and program analysis, began as an assistant professor in the Department of Electrical and Computer Engineering after receiving his Ph.D. from Carnegie Mellon’s School of Computer Science in 2009. He was later promoted to Associate Professor and most recently served as CyLab’s Technical Director.

Brumley, an advocate for cybersecurity outreach, is the faculty sponsor of picoCTF, a high school computer security competition that has drawn over 10,000 student participants in each of the past two years it has been held. Brumley also leads a student cybersecurity team that has received acclaim at international cybersecurity competitions. The team received first place rankings at the DefCon “Capture the Flag” cybersecurity competition—dubbed the “Super Bowl of Hacking”—in 2013 and 2014.

Bosch recognizes Brumley

Coinciding with his appointment as the director of CyLab, Brumley was named the Bosch Distinguished Professor in Security and Privacy Technologies. The professorship was made possible with a $2.5 million dollar donation from Bosch, and it will always be awarded to the director of CyLab.

The goal of the new professorship is to support two critical research areas, including the creation of breakthrough technologies that enable internet-scale systems that connect the physical and cyber domains securely; and the development of next-generation technologies that enable and ultimately guarantee the use of personal data in accordance with individual privacy preferences in a ubiquitous computing world.

“As a global company focused on innovation and improving the quality of life, we work to provide innovative technological solutions to challenges facing our society now and in the future. The Internet of Things brings considerable promise, but also concern surrounding the security of our connected environment and the privacy of personal data,” said Jiri Marek, senior vice president, Bosch Research and Technology Center – North America. “This Distinguished Professor position will address these concerns with research to find breakthrough technologies and a holistic approach to security.”


Source: Carnegie Mellon University

David Brumley

Q&A with David Brumley

How have connected devices changed the cybersecurity landscape?

When we look at connected devices like home thermostats and other Internet of Things (IoT) devices, we know software will have bugs and other vulnerabilities. We need to ensure that devices are automatically updated at the same speed as smart phones because connected devices will be attacked just as much. A patch can only be placed if these devices are connected to the internet, but they are not always connected. Connectivity is a huge problem. IoT security and privacy are research thrusts in CyLab.

There are nearly 1 million unfilled positions in cybersecurity in the US. Why is it difficult to fill cybersecurity positions in the United States?

Even though security and privacy professionals can easily command 6-figure salaries, there’s a problem with the current perception of cybersecurity as a profession, and I believe there are things we can do to change this.

First, we need to stop stigmatizing hackers. Many of us hear in the news about hackers going rogue, but that isn’t representative of the profession as a whole. The hackers I know are curious, imaginative professionals who can find the unexpected chinks in the armor. They can take a computer and bend it to their will.

People need to start recognizing cybersecurity as a uniquely skilled profession; IT professionals can’t be rebranded as security. Cybersecurity is a unique way of thinking. In this profession, we are competing with intelligent adversaries who are always looking for the open window when the door is locked.

Finally, everyone—from the seven-year-old playing games on an iPad to the utilities technician controlling your town’s power grid—needs to understand basic cybersecurity and privacy hygiene.

To initiate cyber education, at CMU, we run picoCTF, the hacking competition for high school students in which over 10,000 students have participated. Many discover they have a knack for computer security and decide pursue a degree in the field. Cybersecurity is a practice sport, and our hacking competition could become a template for educational activities on a national scale.