Senior White House official talks cyber goals, legislative outlook

In a Q&A with FCW, Ari Schwartz, senior director for cybersecurity at the White House, talks about whether legislation can reinforce and complement White House cyber-policy goals.

White House Senior Director for Cybersecurity Ari Schwartz, shown here at a 2011 House Oversight and Government Reform Committee hearing, talked with FCW about whether legislation can reinforce and complement White House cyber-policy goals. (Photo: House Oversight and Government Reform Committee)

FCW recently sat down with Ari Schwartz, senior director for cybersecurity at the White House, to discuss a critical juncture for cybersecurity policy -- namely, whether congressional action can reinforce and complement White House policy goals. The following are edited excerpts of the interview.

FCW: What is at the top of your legislative wish list, something that Congress can accomplish that your office cannot?

Schwartz: If I had to prioritize, [data-breach legislation] is the one I would pick. It is a key issue. It’s one that different parts of the administration have supported. I think we’ve heard it from the Justice Department, from the Commerce Department, from the White House itself, [and] the [Federal Trade Commission]. So I think there’s been wide support for data-breach legislation.

The problem on the Hill for that particular bill is jurisdiction. So they have to find a way to unite. [The Senate Judiciary Committee] has a bill that is different than [the Senate Commerce Committee’s] bill, and they have different agencies and focuses of who should take the lead and how they should go about doing it, in both the Senate and the House. I think it’s solvable, but it would take prioritizing the issue.

On information sharing, which is also a priority for us and something that’s in front of the Hill right now, the problem is getting the right language and figuring out some of the more difficult pieces of it.

FCW: How closely do you conference with Capitol Hill on these different cyber bills?

Schwartz: We have gone up before, especially when we’ve seen things that they need to know about. But they usually come to us and say, “We have a bill,” or “We want to talk about this issue with you.”

FCW: Are you happy with the amount of communication on the issue between your office and Congress?

Schwartz: Yes. When we have [a cyber] incident, it’s completely bipartisan. And when something happens, we reach out to leadership in both the House and Senate.

FCW: Are there members of Congress raising significant privacy issues that you have to contend with?

Schwartz: There have been a lot of privacy concerns about the information-sharing legislation. You see it from someone like [Sens.] Ron Wyden (D-Ore.), [Dick] Durbin (D-Ill.), [Al] Franken (D-Minn.). There are some, like [Sen. Rand] Paul (R-Ky.) and others, on the libertarian side.

FCW: In pursuing your cyber policy goals, how do you decide when to go it alone with an executive order and when to seek legislation?

Schwartz: There are a number of barriers that stand before us on information sharing, and we’ve been asking, particularly the private-sector entities we work with, to help us prioritize those. And then we can go look at them one at a time and figure out which of those we can address through executive authority.

In legislative discussion, people say, “Well, let’s just knock [out all the issues] at the same time.” But that hasn’t been working. So then the question is, how we can look at this in a way that we can come to agreement about some subset of it?

FCW: So do you assess cybersecurity sector by sector to see if executive authority or legislation is more effective?

Schwartz: It’s more, “Tell us what are the barriers that you’re seeing.” So everyone was telling us [it was antitrust]. There were people who told us, “Antitrust is our number one concern.”

FCW: That probably didn’t surprise you.

Schwartz: It surprised the Justice Department more than me, because I had heard it from a bunch of people. They [DOJ] basically tried to find out who had been saying that and were not able to figure that out. And we were able to finally bring people together, have this discussion about what they wanted to see, and then brought that to the Justice Department, Justice Department brought it to the [Federal Trade Commission], and we were able to get this guidance out the door.

[Some firms] are really comfortable with [the guidance] now. Companies that were most hesitant are actually some of the biggest supporters of that guidance.

[That guidance] shows the direction that we’re heading in general in this space because rather than trying to solve every problem having to do with information sharing, we’re going to solve individual problems at this point because that’s what we can do under existing authority.

FCW: How do you balance the pressing need to hire federal cybersecurity hands with ensuring you are getting top talent?

Schwartz: We need [cyber expertise] at every level. There are jobs that are right for people who can pass certificate programs, people who can pass two-year colleges to do cybersecurity. There are people who are going to be four-year specialists, there are going to be people with master’s degrees in cybersecurity. So we are seeing the wide range of different types of options out there.

Obviously, there are not many people that can fill those [high-level] slots. However, it does open up a chain where there are more jobs available lower down. So people are going to get opportunities to prove themselves, and I think a lot of people are going to want to get in this field.

FCW: Do you think the government can compete with the private sector in hiring cybersecurity experts?

Schwartz: There’s probably more diversity of jobs in the federal government than in the private sector. I also think that federal government jobs come with a lot of benefits.

That’s not to say that we’re going to win every competition between the private sector and the public sector, but as someone who was in the private sector for many years and came into the government, I think a lot of people would like to be in the federal government.

FCW: Your job title includes the subject of privacy. How are privacy protections built into an issue like continuous monitoring?

Schwartz: It’s about making sure that the information being shared is about the threat and not just the bulk information. In most cases, you don’t need to have the detailed information about threat actors in place.

FCW: Which office of the White House led your response to the Heartbleed OpenSSL vulnerability, and how would you assess that response?

Schwartz: The Office of Management and Budget was the lead in the White House, and we worked very closely with them because we had threat information and some expertise that they didn’t have. But OMB and DHS worked together very closely on it.

FCW: Does the Heartbleed threat make you want to work more closely with the open-source community? How do you ensure that your security efforts are as inclusive of that community as possible?

Schwartz: I think we need to figure that out, how to get [the discussion] wide enough. I’ve been having some discussions with some of the people who are in the Linux group [and with] other researchers to try to talk to them about the problems that they see and how we can get information about them sooner.

But there might be a way to take [those discussions] a level up. None of this has been done before.
