Getting your Trinity Audio player ready...

In 2018, the state legislature gave Montreat College, which has fewer than 1,000 students, $2 million to use toward building a regional cybersecurity training center in nearby Black Mountain in Buncombe County. 

The next year, legislators upped the ante by agreeing to give Montreat $20 million for the regional facility known as the Carolina Cyber Center. The eight-figure sum to a private, Christian college was unprecedented. 

The massive allocation came as a shock to cybersecurity professors within the University of North Carolina System and the state’s community colleges, which has seven schools that were already federally recognized for cybersecurity research and training.

Some legislators voiced similar concerns. During a nearly 90-minute debate in October 2019, then-state Rep. John Autry, a Democrat from Mecklenburg County, proposed an amendment to shift the $20 million to the public colleges. It failed by a vote of 51-51

Former state Rep. John Ager, who represented western Buncombe County, was the lone Democrat to join with Republicans to support the funding. Then and now, Republicans control both chambers.

“Montreat College is an important institution in my [former] district, and like many small colleges it was struggling to survive,” Ager told The Assembly in an email. “The Center would be an economic engine for Buncombe County, as well as a regional hub. The promise was that there would be links to UNC-Asheville, local high schools, the newly opened School of Science and Math in Morganton, [Asheville-Buncombe] Tech and other institutions.”

Ager had believed he had several other Democrats on board the morning of the vote, but as his colleagues Googled “Montreat College,” they saw problems: Only roughly one in three students finished their degree within eight years; the school had no cybersecurity department and only a handful of professors for the specialty; and Montreat’s recently adopted “Community Life Covenant” required all employees to agree to “Biblical principles” like disavowing same-sex marriage and abortion. His fellow Democratic supporters peeled away.

Excerpt from former Rep. Darren Jackson’s (D) N.C. House floor debate on Montreat’s funding in 2019.

Outside of the legislature, there was also opposition coming from the right. The Civitas Institute, a conservative think tank that has since merged with the John Locke Foundation, argued the money could be better invested in the existing cybersecurity programs at public universities and should have gone through a formal grant process. 

“There are valid questions about how this was outsourced,” Leah Byers, then a policy analyst with Civitas, told Carolina Public Press in 2019. 

After the bill passed, then-Gov. Roy Cooper vetoed it, saying it “fails to adequately fund state cybersecurity and data analytics needs while sending a substantial capital earmark outside the state’s proven university system.”

Legislators were unable to override Cooper’s veto. But that wasn’t the end of Montreat’s quest for state funds. In 2021, budget writers gave the college $30 million for “cybersecurity programs.” Two years later, lawmakers allocated $8 million for the cyber center, bringing the sum for its development to $10 million.

Combined, the state gave the private school a total of $40 million over five years. But Montreat has struggled to spend the money, using less than $3 million to date. While the school once rented space in Asheville for the cyber center, it now holds virtual classes out of a building on Montreat’s campus. 

Excerpt from former Rep. Grier Martin’s (D) N.C. House floor debate on Montreat’s funding in 2019.

The college has scaled back its ambitions from a 75,000 square-foot facility to 50,000. It billed the state about $400,000 for strategic and master plans that include not just the center, but nine new residential halls, a new dining hall, new baseball and softball fields, roads, and about 1,100 parking spots. 

Montreat had 962 students last fall, with roughly a third of them in online and graduate programs.

The lack of construction of the cyber center is a “disappointment” to Ager, who left the legislature in January 2023. “I was hoping it was going to create some economic impact in the area and be good for Buncombe County and beyond.”

The money going to a new program at a private university, and not one of the state’s existing programs, puzzles Bill Chu, a University of North Carolina at Charlotte professor who helped start the university’s College of Computing in 2001. He was an inaugural department chair and taught cybersecurity.

“Definitely the students, they have benefited from it,” Chu said of money going to Montreat, “but I’m not sure what the impact for the state would be.” 

Montreat President Paul Maurer says the state’s money will be put to good use. It hasn’t started construction because it needs another $15 million, he said. He declined to say where that money might come from. 

“We are excited about building this building, which we see as a regional center, to reach a 250-mile radius around Asheville,” Maurer said. He said Montreat could convene cybersecurity leaders from various industries “to problem solve, build relationships, build trust.”

Montreat’s ‘Swing For the Fences’

When Montreat College’s board hired Maurer as president in 2014, the school was on the verge of collapse. The former president resigned the prior year after shuttering programs and laying off staff. An attempted merger with another small, Christian college failed in 2014 after faculty issued a no-confidence vote in the Montreat Board of Trustees.

But a $6 million contribution from an anonymous, out-of-state donor spurred the trustees to launch the college’s “All In” fund-raising campaign.

Montreat started a bachelor’s degree in cybersecurity in Maurer’s initial year with eight students in the major. 

Montreat College has fewer than 1,000 students. (Carolyn de Berry for The Assembly)

“My first year, I didn’t know anything about cybersecurity,” Maurer, who has a master’s in divinity and a doctorate in political science, told The Assembly. “Probably a year in, I looked around my cabinet table … and I said, I’m reading about cybersecurity three or four days a week on the front page of The New York Times. Maybe we’ve got something here, and maybe we should swing for the fences.”

As the world has become more digital so has crime, with hackers seeking to disrupt businesses and their customers, as well as governments and their operations. Sometimes, they steal valuable personal data. 

“Definitely the students, they have benefited from it, but I’m not sure what the impact for the state would be.” 

Bill Chu, UNCC professor

In 2015, hackers secured 37 million users’ data from Ashley Madison, a website that helps married people have clandestine affairs. Over 100 million customers of health care companies like Anthem, Premera Blue Cross, and Excellus Blue Cross Blue Shield have had their identifying information stolen.

Maurer believed Montreat would reap federal funds to rapidly grow its cybersecurity program, thinking more graduates were in the nation’s interest. The college became the first registered educational client for David Thompson of Charlotte, a lobbyist who had worked on behalf of defense contractors for a D.C. firm. But money from Congress for the nascent program didn’t flow. 

With Thompson’s help, the school achieved federal accreditation from the National Security Administration to be a “Center for Academic Excellence in Cybersecurity Defense” in 2017.

Without federal funding, Thompson and Maurer looked to the state. They found allies in two top legislators who were roommates in Raleigh, then-state Rep. Jason Saine, who was chair of the House Information Technology Committee, and Sen. Ralph Hise, who had a history of backing noncompetitive multimillion-dollar appropriations to Christian organizations.

Excerpt from former Rep. Larry Pittman’s (R) N.C. House floor debate on Montreat’s funding in 2019.

The request from a religiously affiliated, private college was “fairly unusual” at the time, said former Rep. Chuck McGrady, a Republican from Henderson County who was then a co-chair of the House Appropriations Committee. 

“It’s not uncommon for state appropriations to fund work being done by nonprofits, so that was not the surprise,” McGrady said. “The surprise here was that clearly, a state entity—one of the University System campuses, or a set of community colleges—could have jumped into the space to do this work. Yet we put money with a private college.”

When Montreat got its initial $2 million state appropriation, the bill’s language did not require legislative oversight, like filing regular reports; the state agency charged with disbursing those funds also did not require Montreat to report how the money was spent. State law says the agency needed to hold Montreat and any subgrantee “accountable for the legal and appropriate expenditure of grant funds,” and to make expenditure reports available for oversight, monitoring, and evaluation. 

The millions the legislature has given the private, Christian college to create the Carolina Cyber Center is unprecedented. (Carolyn de Berry for The Assembly)

According to Maurer, the money went for hiring an executive director in 2020, launching the cyber center, and external outreach, like their annual conference. Maurer wouldn’t share expense reports showing how Montreat spent that state money. Tax records show the center’s director was paid about $170,000 a year for two years. State law at that time said no more than $120,000 a year in state grants could be used to pay an employee.

When the legislature awarded Montreat $30 million “for cybersecurity programs” in 2021, the state budget office required the college to record expenditures. Montreat has spent just shy of $600,000 over two years, and state records show little to no money spent on educational programs.

The college paid board member Ned J. Kiser and his business, which “helps organizations and Christian ministries,” over $105,000 in 2022 for facility master planning. Maurer initially told The Assembly that Montreat had not paid Kiser, but later recanted and said Kiser was paid for planning. He said he wasn’t sure whether Kiser was a trustee when they hired him, though Kiser had joined the board in 2020, according to the college’s website. 

“The surprise here was that clearly, a state entity—one of the University System campuses, or a set of community colleges—could have jumped into the space to do this work. Yet we put money with a private college.”

Chuck McGrady, former state representative

Montreat spent $60,000 of the state funds on The Relevate Group, a Tennessee nonprofit doing business as “THINQ Media” founded by Christian authors Gabe and Rebekah Lyons.

Montreat billed taxpayers $20,000 for the Lyons’ “Cultural Summit,” which seeks to organize the next generation of Christian leaders. Maurer spoke at the summit, and said that they entered into a partnership so Gabe Lyons could “help distribute the talk and materials” to his network. (While Maurer’s original talk has 4,000 views on YouTube, it garnered 14 views when re-aired. The Lyons’ podcast has just 14 ratings on Spotify, 180 on Apple Music.)

The Assembly asked Maurer if state funds should be used for companies that promote exclusively Christian events. Maurer said he thinks “there’s a faith-based element to [Gabe Lyons’] audience, but it’s certainly not exclusively that.”

Excerpt from Rep. Dean Arp’s (R) N.C. House floor debate on Montreat’s funding in 2019.

State funds intended to support cybersecurity programs instead largely paid for the campus’ master plan for its existing Montreat campus and a future campus in Black Mountain. More than $365,000 went to architectural firms, a law firm, and to Niles Bolton Associates, an Atlanta-based planning firm, to produce a “fly-through video.” 

The $8 million state grant awarded to Montreat for the cyber center from the state’s capital and infrastructure fund has only been billed $27,000 for construction of an access road to the Black Mountain campus. Maurer said the entire $8 million appropriation is to build a road to traverse a largely undeveloped, 89-acre parcel owned by the school. 

The Assembly shared how the college spent taxpayer money with some current and former legislators, and several expressed concerns. 

“These are all troubling expenditures to me, and if true, a betrayal of the trust I had in Dr. Maurer,” said Ager, the Democrat who supported the funding.

Saine, the former lawmaker, is a UNC-Charlotte alum and was one of the university’s biggest boosters in the legislature. After a UNCC professor criticized the funding in an August 2019 Carolina Public Press article, Saine said that he reached out to his alma mater’s legislative liaison, as well as the community college liaison, about why legislators hadn’t heard from them on cybersecurity requests. 

Saine said he learned that UNCC and Montreat “collaborate together in the educational process,” including on a federal grant submission in 2018, but said that his alma mater didn’t have a similar initiative.

Christy Jackson, a spokesperson for UNC-Charlotte, said that since then the university “has had no formal relationship with Montreat related to cybersecurity.” Jackson did not directly answer whether the university’s liaison, Betty Doster, brought concerns about funding a private college to the legislature or the UNC System Board of Governors. 

The Assembly asked UNC System President Peter Hans, who at the time of Montreat’s initial funding was president of the community college system, if either system pushed back on funding going to Montreat for something the state schools could do.

“That was a decision of the legislature, of course,” Hans said. “I would refer them to you.” 

Excerpt from Rep. Zack Hawkins’ (D) N.C. House floor debate on Montreat’s funding in 2019.

When Montreat got $30 million in 2021, the state legislature was rolling in surplus money as federal dollars for COVID response flowed into state coffers. 

“Part of it is we had so much money to invest, and it was an allowable expense,” Saine previously told The Assembly about multimillion dollar state grants to private organizations for economic development. 

Three weeks after he resigned from the legislature last year, a Washington think tank listed Saine as senior vice president for RBX, lobbyist Thompson’s company that also does business as Edgepoint, LLC. Saine told The Assembly he was briefly a contractor for Thompson, but declined further comment.

“I left public office,” Saine said via a text message. “It’s someone else’s responsibility now.”

Hise, Saine’s Senate counterpart who supported the Montreat funding, did not return requests for comment. During debate in 2019, Hise mistakenly said Montreat was the only college in the state other than North Carolina State University to have federal cybersecurity accreditation.

Networking 

In April 2019, Mark Sorrells was three months into his new job as a senior vice president at Fayetteville Tech Community College when he found himself rubbing elbows with college, government, and industry leaders at a cybersecurity conference in Pensacola, Florida.

Sorrells’ colleagues running the college’s cybersecurity workforce development program wanted then-president Larry Keen to attend the conference and learn from experts about the sector’s hiring crisis. “If I’m going, you’re going,” Sorrells said Keen told him.

The pair heard from government leaders about a desperate need to fill positions as federal employees retire. They listened to industry representatives talk about the need for students to apply their classroom knowledge while at school, making them ready for a job on day one. They also met Maurer for the first time, who was there with Thompson.

The four believed that together they could make a difference in training the state’s cybersecurity workforce. 

Sorrells’ idea was a partnership between Fayetteville Tech and Montreat to build a statewide network of two- and four-year colleges that would boost the pipeline of cybersecurity employees and fortify the state’s security. 

“People said, ‘We don’t have a [cybersecurity] workforce strategy for North Carolina—we like this,’” Sorrells recalled.

The Carolina Cyber Network was first funded by the state in 2020 with nearly $3.3 million. That funding was in addition to the large appropriations Montreat College received. 

Of the network funds, Montreat got 51 percent or $1.6 million, for “accepting some responsibility to implement plans for a portion of Carolina Cyber Network,” according to a memorandum of understanding. Fayetteville Tech received $1.4 million, and Thompson’s company Edgepoint landed about $250,000.

Sorrells, Thompson, and the director of the cyber center at Montreat are the three executive directors of the network. They select which colleges can become—and remain—members, and which receive grants. 

The state legislature has given the Carolina Cyber Network nearly $28.3 million in grants, most of which it shares with the network’s member institutions. 

An Assembly analysis found that Montreat College received an outsized share of the network’s grants. 

Of the $11 million in funding awarded in 2021—nearly all of which has been spent—state records show $7 million was awarded in grants. The typical college received $200,000 in grant funding, but Montreat received $3.8 million in grants from the Carolina Cyber Network, 54 percent of subgrant funds. 

The network also picked up the tab for software licenses for Montreat and its cyber center at a cost of $566,500. Thompson’s company got at least $850,000 to help colleges get federal cybersecurity accreditation. 

Thompson said some of Montreat’s grants went to a cyber range—which is like a shooting range to test cyber skills—and a security operations center that contracts with the state Department of Information Technology. But he said most of the network’s money going to Montreat and Fayetteville Tech “is being divvied out for capacity building in the member schools.”

Thompson wears multiple hats: CEO of RBX, director of the Carolina Cyber Network, college consultant, and lobbyist. Fayetteville Tech has paid him for travel, consulting, and helping to secure college accreditations from the NSA. Montreat has hired him for lobbying, consulting, and accreditations. In addition to being paid for the work, his company gets an additional $22,727.27 each time a college he works with gets accredited. 

The network only allows schools that are seeking accreditation or may need re-accreditation as a Center for Academic Excellence, for which Thompson’s company is recognized by the state as a sole source. 

“I really don’t see a conflict of interest at all,” Thompson said, noting that he gives a steep discount for network schools’ accreditation. “We’re supporting the goals of what has become the best example of a cyber workforce ecosystem in the country.”

The LLC Thompson uses to conduct his lobbying work, Edgepoint, reported $750,000 in income for federal lobbying on behalf of Montreat since 2016, and just under $1.7 million for lobbying on behalf of Fayetteville Tech, Catawba Valley, and Gaston community colleges.

“I really don’t see a conflict of interest at all. We’re supporting the goals of what has become the best example of a cyber workforce ecosystem in the country.”

David Thompson, lobbyist and executive director of the Carolina Cyber Network

At least three community colleges have separately contracted with Thompson for RBX’s consulting services. None shared required documentation for using a sole source, nor received approval as required under the state code governing consultant contracts. 

While community colleges are usually exempt from going through the state Department of Information Technology, David Sullivan, the vice president of legal services for Fayetteville Tech said the university was told to consult with the department as RBX was a “cybersecurity-related service.” Sullivan did not provide documentation showing RBX as a sole source.

UNCC, A&T Largely Excluded

The Carolina Cyber Network included three four-year schools and eight community colleges when it launched in 2021. But missing from the list were many of the state’s universities with longstanding, renowned cybersecurity programs and their professors. 

In 2001, UNC-Charlotte was the first university in North Carolina to be federally accredited in cybersecurity defense, and the 11th nationwide. Today there are more than 450 schools with the designation, including 23 in North Carolina. Each year, over 100 students graduate from UNC-Charlotte’s computer science program with a cybersecurity concentration. The university also offers a master’s in cybersecurity, which graduates about 50 students a year.

UNC-Charlotte also hosts the state’s longest running and oft sold-out cybersecurity conference, which is well attended by representatives from banking, healthcare, energy, and government. For years the school has coordinated with a network of public and private universities, community colleges, and industry members on research, education, and workforce development through a coalition called the North Carolina Partnership for Cybersecurity Excellence. But UNCC is not part of the Carolina Cyber Network.

“I’m a little bit puzzled, I guess is the right way to put it,” said Chu, the UNCC cybersecurity program’s founding chair. “This [the network] is a great initiative; the more the better for the state. We wanted to figure out a way to connect with the cyber network, and they didn’t seem to be really that interested.”

Excerpt from former state Sen. Kirk deViere’s (D) N.C. Senate floor debate on Montreat’s funding in 2019.

Hossein Sarrafzadeh, a professor and director of the Center of Excellence in Cybersecurity Research, Education and Outreach at North Carolina A&T State University, had a similar experience.

The center on the Greensboro campus trains 350 undergraduates and 25 doctoral students each year. They have an undergraduate cybersecurity certificate where students apply what they’ve learned while working for regional businesses.

Dr. Hossein Sarrafzadeh leads the Center of Excellence in Cybersecurity Research, Education and Outreach at N.C. A&T in Greensboro. (Carolyn de Berry for The Assembly)
Inside A&T’s Sensitive Compartmented Information Facility.
Sarrafzadeh explains drone models.

“This is not an academic course; we teach them how to run a security operations center, how to work as an analyst, how to do forensics work, how to ethically hack an institution, how to [penetration] test institutions, so we give them a lot of hands-on skills,” Sarrafzadeh said. 

N.C. A&T’s security operations center, known as a “SOC,” is well known in the industry. The center and the university’s cybersecurity programs have been funded by the National Science Foundation, the Department of Defense, the National Security Administration, and Department of Education.

Sarrafzadeh previously submitted a proposal to the cyber network; he was happy to share access to the SOC with the other campuses. But the proposal crumbled. 

“There was so much we could do together,” Sarrafzadeh said. “They’re paying millions for something called a cyber range, and we’re building a cyber range—[A&T’s] could be their network’s cyber range, and give services at less cost.”

He wants to collaborate. “We just hope that Montreat is more inclusive and more focused on getting cyber security people into the network, rather than just people that they trust,” Sarrafzadeh said.

Sorrells, now president of Fayetteville Tech, said he has had to be choosy with who he admits to the network.

He looks for buy-in from the top level of leadership, how the program builds the workforce, and whether the institution can add a new economic sector to their portfolio—for example, military, manufacturing, and health care.

The North Carolina Community College System did not respond to The Assembly’s requests for comment about the Carolina Cyber Network. 

Community colleges who are members of the Carolina Cyber Network expressed gratitude for the network grants they received, and the importance of their programs. 

“This past year, Wake Tech had over 1,100 degree and non-degree cybersecurity students, the most of any program at our college, and I would imagine one of the largest cyber programs in the state,” said President Scott Ralls.

“We are proud to be a part of this collaborative project,” said a spokesperson for Johnston Community College, which has received $205,000 from the network. “JCC does not play a role in determining the allocation of funds to member institutions. We trust that the administrators of the grant are ensuring transparency and compliance with applicable state and federal guidelines.”

Teaching Ethics

Some legislators told The Assembly that North Carolina’s public universities weren’t doing cybersecurity training or teaching ethics, which the UNC System schools strongly contest. 

Maurer said Montreat is better positioned to teach cybersecurity ethics than public universities and colleges. 

“We have a unique opportunity as a faith-based institution, because we teach to character and ethics in all of our classrooms, we hire to character and ethics in our hiring practices. The state doesn’t do that anymore; they can’t do it anymore,” Maurer told The Assembly.

At a 2022 conference, Maurer said: “Every two-year and four-year college in the United States that teaches cybersecurity teaches offensive hacking. That means that our university system is teaching our students how to steal your stuff.” 

Professors at Appalachian State University, N.C. A&T, North Carolina State University, and UNC-Charlotte all rejected Maurer’s assertions.

Former state Rep. Ray Russell. (Ava Anzalone for The Assembly)

“Before we teach a student hacking, we teach them ethics, and that’s a requirement,” Sarrafzadeh said. “Ethics is very important, but it has to be done by people who know and understand both ethics and also the applications.”

Former state Rep. Ray Russell, a Democrat from Boone who began teaching computer science in the 1980s, was gobsmacked. The man best known for his weather forecasts is a former minister who has taught computer science at App State, where third- and fourth-year students in his seminar learn ethics.

“Over and over again, we said to our students that we don’t want people who just have technical skills, we want people with the right values,” Russell said. “That was important to us. We kicked kids out of the program for misusing computer resources.”

Maurer said he was asked by the National Security Agency to write a book on ethics and cybersecurity, which he co-wrote with Montreat trustee and cybersecurity expert Ed Skoudis. In the book, The Code of Honor, the authors say that the problem with cybersecurity is not a technical problem, but a people problem. 

Russell scoffed at that notion. 

“You think China or Russia is going to stop an attack because you hired people who read a book on ethics?” Russell said.

Ren Larson is a staff reporter at The Assembly. She previously worked for The Texas Tribune and ProPublica’s investigative team, and as a data reporter with The Arizona Republic. She holds a master’s of public policy and an M.A. in international and area studies from the University of California, Berkeley.