search menu icon-carat-right cmu-wordmark

A New CTO and Technical Strategy for the SEI

Kevin Fall

I recently joined the Carnegie Mellon Software Engineering Institute (SEI) as deputy director and chief technology officer (CTO). My goal in this new role is to help the SEI advance computer science, software engineering, cybersecurity, and related disciplines to help ensure that the acquisition, development, and operation of software-dependent systems have lower cost, higher quality, and better security. I have spent the past two decades conducting a range of research and development activities, and I have served on various Department of Defense (DoD) advisory boards. In this blog posting, I'd like to talk a little bit about my background and outline the priorities I'm pursuing at the SEI. In subsequent blog postings, I'll describe the SEI technical strategy in more detail.

My Introduction to Software

I became interested in programming and reverse engineering (analyzing copy protection schemes) while in high school in southern California, where I learned to program in 6502 assembly language and BASIC on an Apple ][. This sparked my interest in software, especially operating systems.

My first summer job was writing software, primarily a code de-obfuscation system, for a small training company in Manhattan Beach, California. During my undergraduate studies in computer science at the University of California, Berkeley (UC Berkeley), I spent two summers as an intern at TRW (now Northrop Grumman) in Redondo Beach where I was introduced to Berkeley UNIX (the Berkeley Software Distribution or BSD) and the C programming language. Ultimately, I worked on BSD UNIX itself, where I developed TCP/IP software targeted for deployment on the Cray X/MP and integrated Massachusetts Institute of Technology's (MIT) Kerberos Authentication system (now the basis for authentication in Windows environments) into the BSD authentication framework. I also authored the BSD version of the cat program, perhaps the most widely used basic program in the system.

While I was working at Berkeley integrating Kerberos into BSD, Robert Morris' worm hit the Internet. Using some of the reverse-engineering skills I had acquired earlier, I helped in de-obfuscating the binary code comprising the worm. Coincidentally, this incident would be the primary motivator for the Defense Advanced Research Projects Agency (DARPA) to sponsor the creation of the SEI's CERT Division.

During the summer, after I left UC Berkeley, I joined MIT's Project Athena doing further work on Kerberos prior to joining the PhD program in computer science and engineering at UC San Diego (UCSD). My research at UCSD focused on operating system support for multimedia. While in graduate school at UCSD, I consulted for the San Diego Supercomputer Center (then run by General Atomics) and for the Center for Communications Research (one of the Institute for Defense Analysis (IDA's) federally funded research and development centers (FFRDCs).

Early Professional Career

After graduating with a PhD from UCSD, I was hired to work with the Network Research Group at Lawrence Berkeley National Laboratory, which produced the tcpdump and pcap tools, numerous other TCP/IP improvements, and the NS2 network simulator, for which I served as chief architect. In this role, I added a novel emulation capability, enabling the intermixing of real-world network traffic with simulated traffic. In addition, I worked with Sally Floyd to produce a number of detailed analyses of TCP's congestion control algorithms.

My involvement with internet technologies in the late 1990's afforded me the opportunity to work in a startup company, NetBoost, that built hardware and software for arbitrary manipulation of network traffic. The primary use of NetBoost's technology was for building a hardware-accelerated intrusion detection system. NetBoost was acquired by Intel Corporation in 1999. After this acquisition, I worked in a product group at Intel in the area of network processors (CPUs designed to manipulate networks traffic), then moved on to a research division.

Intel had established a set of independent labs ("lablets") at the University of Washington, UC Berkeley, Carnegie Mellon University (CMU), and the University of Cambridge (England). I joined the UC Berkeley lab in 2001 and worked on various aspects of networking, including communications in especially challenging environments, for which I became an IEEE Fellow in 2009. In 2011, Intel changed its university-engagement-strategy, and these labs were re-structured as smaller "Intel Science and Technology Centers" (ISTCs), which are still present at various locations, including CMU. I left Intel shortly thereafter, completing the textbook TCP/IP Illustrated Volume 1 (second edition), which was published in November 2011. I joined Qualcomm in 2011, where I worked mostly on adaptive video streaming until the end of 2012.

My Service On DoD Advisory Boards

While I was working at Intel and Qualcomm, I also spent time on a number of DoD advisory boards. I was a member of the Defense Science Study Group (DSSG), a DARPA-sponsored program that connects academics and academically-leaning industry members with the DoD and other government agencies. I later served as a consultant for the Defense Science Board, where I represented the potential effects of cyber attack and defense for the purpose of understanding its capabilities relative to other types of attacks and defenses, including nuclear, directed energy, chemical, conventional explosives.

In 2008, I began my four-year term as a member of the Air Force Scientific Advisory Board (AF SAB), and, consequently, a special government employee. While there, I met Professor Doug Schmidt, then deputy director and CTO of the SEI. We worked together on a recently-released study that assessed the technologies and policies associated with assuring cyber situational awareness for the U.S. Air Force. Doug and my immediate predecessor, Professor Bill Scherlis, have provided me with a great deal of advice and context about the research and transition activities at the SEI, for which I am immensely grateful.

Progress Thus Far at the SEI

Since joining the SEI in January of this year, I have been busy with a range of projects, including reviews of proposals and subsequent selection of our FY 2014 research projects. The selected research projects include a method for quantifying uncertainty in early lifecycle cost analysis (QUELCE), techniques for automated discovery of vulnerabilities in x86 binaries, and a multi-faceted project involving several parts of CMU's School of Computer Science that focus on technologies needed by soldiers and first responders operating at the tactical edge (EETS). You'll be able to read more about many of these projects in upcoming postings on the SEI Blog and forthcoming web sites.

We recently presented the strategic direction and results of our proposal process to the SEI's Technical Advisory Group (TAG) and Joint Advisory Committee Executive Group (JAC-EG) that report to our DoD government sponsors at the Assistant Secretary of Defense for Research and Engineering (ASD(R&E)). Likewise, we also recently presented this material to the SEI's Board of Visitors (BoV), which reports to the provost at CMU. Thanks to hard work by many members of the SEI, these reviews have gone exceptionally well. Indeed, members of the TAG, JAC-EG and BoV have offered many constructive suggestions and connected the SEI with fruitful collaboration opportunities.

Strategic Direction

My background and experience as a product developer, researcher, and an adviser to the DoD have taught me several things. First, the best research often comes from working on real problems with real users. Second, working with high-quality colleagues breeds high-quality work, so growing our connections with the best researchers and practitioners will help bring out the best in our technical staff. Third, rigid stovepipes lead to duplication, inefficiency, and sometimes conflict. Based on these observations, I have assembled the following goals for myself, the office of the CTO, and other groups at the SEI over the coming months. We intend to

Develop an even higher quality and cohesive research program. Within the scope of visibility and responsibility for oversight that the CTO's office has at the SEI, I want to ensure research projects are of high quality. In particular, each funded project at the SEI must have a clearly stated motivation and intellectual merit, along with a grounded understanding of the parties that can benefit from the work and the estimated timeframe involved. As deputy director for research, I also want to ensure the SEI's research program is cohesive, and that the SEI's portfolio of projects explores and defines important areas that best leverage our talents and capabilities, while also creating useful techniques, methods, and tools for our government, industry, and academic stakeholders.

Increase collaboration with CMU and other academic researchers. The SEI is one of only two, DoD-sponsored FFRDCs operated by a university. As such, we have a special opportunity and obligation to participate with academia to ensure that our sponsors have access to the most innovative and game-changing technology and ideas available. We are positioned to advance this goal in a way unavailable in the past now that our DoD ASD(R&E) sponsor has enabled us to designate work as "fundamental research," which enables it to be published in a timely manner. I am committed to effectively leveraging the expertise and collaboration opportunities available to the SEI as part of CMU. We are also seeking to expand our engagement with other academic and service lab researchers.

  • Enhance accessibility to SEI's work. From an operational perspective, I also want to make it easier for sponsors, partners, and software professionals to interact and collaborate with the SEI. In addition to the fundamental research designation mentioned above, we are reorganizing to make us more structurally efficient, to facilitate collaboration across the SEI's divisions, and to foster feedback loops among various groups of researchers and practitioners. This reorganization includes an internal and external "knowledge management" effort to ensure members of the SEI community can easily determine what type of work we are doing and have done in the past. In addition, we are mining our own expertise and best-known methods derived from research insights and from experience gained through working with our customers.

My goal in writing this blog posting was to introduce SEI blog readers to my background and provide some insights into what I see as the shape of things to come at the SEI. I am excited about the opportunities in front of us and the structural changes we are undertaking. I believe we will continue to build upon our legacy of success in software research and transition with help from you.

I've been working with members of the SEI's Tech Council to craft a strategic research plan that I will describe in later blog postings. Please don't hesitate to contact the office with ideas, thoughts, constructive suggestions, or other comments. You may also send an email to, or leave feedback in the comments section below. Thanks!

Additional Resources

For more information on SEI research activities, please visit


Get updates on our latest work.

Each week, our researchers write about the latest in software engineering, cybersecurity and artificial intelligence. Sign up to get the latest post sent to your inbox the day it's published.

Subscribe Get our RSS feed