In a Q&A with FCW, Ari Schwartz, senior director for cybersecurity at the White House, talks about whether legislation can reinforce and complement White House cyber-policy goals.
White House Senior Director for Cybersecurity Ari Schwartz, shown here at a 2011 House Oversight and Government Reform Committee hearing, talked with FCW about whether legislation can reinforce and complement White House cyber-policy goals. (Photo: House Oversight and Government Reform Committee)
FCW recently sat down with Ari Schwartz, senior director for cybersecurity at the White House, to discuss a critical juncture for cybersecurity policy -- namely, whether congressional action can reinforce and complement White House policy goals. The following are edited excerpts of the interview.
FCW: What is at the top of your legislative wish list, something that Congress can accomplish that your office cannot?
Schwartz: If I had to prioritize, [data-breach legislation] is the one I would pick. It is a key issue. It’s one that different parts of the administration have supported. I think we’ve heard it from the Justice Department, from the Commerce Department, from the White House itself, [and] the [Federal Trade Commission]. So I think there’s been wide support for data-breach legislation.
The problem on the Hill for that particular bill is jurisdiction. So they have to find a way to unite. [The Senate Judiciary Committee] has a bill that is different than [the Senate Commerce Committee’s] bill, and they have different agencies and focuses of who should take the lead and how they should go about doing it, in both the Senate and the House. I think it’s solvable, but it would take prioritizing the issue.
On information sharing, which is also a priority for us and something that’s in front of the Hill right now, the problem is getting the right language and figuring out some of the more difficult pieces of it.
FCW: How closely do you conference with Capitol Hill on these different cyber bills?
Schwartz: We have gone up before, especially when we’ve seen things that they need to know about. But they usually come to us and say, “We have a bill,” or “We want to talk about this issue with you.”
FCW: Are you happy with the amount of communication on the issue between your office and Congress?
Schwartz: Yes. When we have [a cyber] incident, it’s completely bipartisan. And when something happens, we reach out to leadership in both the House and Senate.
FCW: Are there members of Congress raising significant privacy issues that you have to contend with?
Schwartz: There have been a lot of privacy concerns about the information-sharing legislation. You see it from someone like [Sens.] Ron Wyden (D-Ore.), [Dick] Durbin (D-Ill.), [Al] Franken (D-Minn.). There are some, like [Sen. Rand] Paul (R-Ky.) and others, on the libertarian side.
FCW: In pursuing your cyber policy goals, how do you decide when to go it alone with an executive order and when to seek legislation?
Schwartz: There are a number of barriers that stand before us on information sharing, and we’ve been asking, particularly the private-sector entities we work with, to help us prioritize those. And then we can go look at them one at a time and figure out which of those we can address through executive authority.
In legislative discussion, people say, “Well, let’s just knock [out all the issues] at the same time.” But that hasn’t been working. So then the question is, how we can look at this in a way that we can come to agreement about some subset of it?
FCW: So do you assess cybersecurity sector by sector to see if executive authority or legislation is more effective?
Schwartz: It’s more, “Tell us what are the barriers that you’re seeing.” So everyone was telling us [it was antitrust]. There were people who told us, “Antitrust is our number one concern.”
FCW: That probably didn’t surprise you.
Schwartz: It surprised the Justice Department more than me, because I had heard it from a bunch of people. They [DOJ] basically tried to find out who had been saying that and were not able to figure that out. And we were able to finally bring people together, have this discussion about what they wanted to see, and then brought that to the Justice Department, Justice Department brought it to the [Federal Trade Commission], and we were able to get this guidance out the door.
[Some firms] are really comfortable with [the guidance] now. Companies that were most hesitant are actually some of the biggest supporters of that guidance.
[That guidance] shows the direction that we’re heading in general in this space because rather than trying to solve every problem having to do with information sharing, we’re going to solve individual problems at this point because that’s what we can do under existing authority.
FCW: How do you balance the pressing need to hire federal cybersecurity hands with ensuring you are getting top talent?
Schwartz: We need [cyber expertise] at every level. There are jobs that are right for people who can pass certificate programs, people who can pass two-year colleges to do cybersecurity. There are people who are going to be four-year specialists, there are going to be people with master’s degrees in cybersecurity. So we are seeing the wide range of different types of options out there.
Obviously, there are not many people that can fill those [high-level] slots. However, it does open up a chain where there are more jobs available lower down. So people are going to get opportunities to prove themselves, and I think a lot of people are going to want to get in this field.
FCW: Do you think the government can compete with the private sector in hiring cybersecurity experts?
Schwartz: There’s probably more diversity of jobs in the federal government than in the private sector. I also think that federal government jobs come with a lot of benefits.
That’s not to say that we’re going to win every competition between the private sector and the public sector, but as someone who was in the private sector for many years and came into the government, I think a lot of people would like to be in the federal government.
FCW: Your job title includes the subject of privacy. How are privacy protections built into an issue like continuous monitoring?
Schwartz: It’s about making sure that the information being shared is about the threat and not just the bulk information. In most cases, you don’t need to have the detailed information about threat actors in place.
FCW: Which office of the White House led your response to the Heartbleed OpenSSL vulnerability, and how would you assess that response?
Schwartz: The Office of Management and Budget was the lead in the White House, and we worked very closely with them because we had threat information and some expertise that they didn’t have. But OMB and DHS worked together very closely on it.
FCW: Does the Heartbleed threat make you want to work more closely with the open-source community? How do you ensure that your security efforts are as inclusive of that community as possible?
Schwartz: I think we need to figure that out, how to get [the discussion] wide enough. I’ve been having some discussions with some of the people who are in the Linux group [and with] other researchers to try to talk to them about the problems that they see and how we can get information about them sooner.
But there might be a way to take [those discussions] a level up. None of this has been done before.