What a Privacy Activist Turned Top White House Adviser Thinks About Cybersecurity
One-time civil liberties activist now forges compromises between government and industry on network security and surveillance activities.
In 2011, Nextgov spotlighted a handful of "emerging leaders" -- including Ari Schwartz, then the first-ever Internet policy adviser for the National Institute for Standards and Technology.
Today, Schwartz, 43, is no longer emerging. He has emerged.
Schwartz, who hails from the world of privacy activism, is now the White House senior director for cybersecurity. During the heat of the anti-surveillance movement, he was placed on the White House National Security Council staff to instill civil liberties into cybersecurity and signals intelligence policies.
Before taking the White House gig, Schwartz advised three Commerce Department secretaries on, among other tech issues, how to develop voluntary cyber standards in accordance with a landmark executive order.
He recently spoke with Nextgov about negotiating with operatives, the growing number of privacy-conscious citizens and his smartphone-craving children.
Civil Liberties Group: We Need More People Like Schwartz
First off, know that Schwartz's former colleagues at the Center for Democracy and Technology civil liberties group do not give give him a hard time about working with government snoops.
“They’ve never referred to me as ‘the spy,'" he said.
They hardly see joining the federal government as going to the dark side. In fact, they view it as a benefit.
"I think that we absolutely need to have people like Ari Schwartz, who do care about privacy and who do care about due process and in protecting civil liberties, in positions where they are able to translate that passion and that respect for human rights into the way the government does business," said Harley Geiger, senior counsel at CDT. "There should not be a purity test for this. What matters in the end is what you are advocating for, what you stand for and what you are pushing."
Schwartz said he enjoys it when old co-workers call to get the inside word.
“If they hear a rumor, they’ll call me up. If it’s something that I can talk about, I will give them some details," Schwartz said. "I think that’s really one of the worst things that happens in Washington -- when something gets reported or [comes out] through the rumor mill, and they hear the worst of it first, rather than hearing it from the people who are trying to put it together. So we try to reach out to people pretty early in the process."
One former colleague counts Schwartz’ candor as crucial to good government.
Jim Dempsey, also a senior counsel at the center, said: “The key thing about Ari, like the best public servants, is that he combines a passion for the issues, a commitment to the administration and the government he serves, and absolute honesty. You know he is fighting for privacy and other values, and you know he will never mislead you.”
Schwartz on Data Collection: I'm Just a Citizen
As a father and public figure, Schwartz perhaps is more conscious than ever before of the need for privacy.
“I have a family and I have kids, and I think of a lot of things in my personal life -- relating to my children -- as being very private and personal. It concerns me if information like that were to get out,” he said. And “I think communications -- when taken out of context -- often can raise a lot of concerns, so I do worry about what companies and what the government does with communications and making sure that it is used properly and that personal privacy is being protected.”
His kids aren't subject to the type of call or Internet monitoring that has engulfed the Obama administration in controversy -- but Schwartz is. His 7-year-old and 10-year-old don't have smartphones and aren't on Facebook yet.
"They have iPods," he said. The 10-year-old complains, “Everyone has a phone,” except for him.
However, Schwartz acknowledges communications could be swept up in some of the government’s signals intelligence activities.
“I’m a citizen just like everyone else. It depends on what type of collection it is,” he said.
Obama on Jan. 17 announced a directive to hone data collections. Under the guidance, “we have these areas where bulk data still can be collected. They are a very limited set of areas. I think it would exclude many of my communications and other private citizens’ communications, but I don‘t think it completely rules that out. It’s not out of the question at all.”
Cyber Framework a Key Accomplishment
Schwartz said he takes exceptional pride in the creation of voluntary cyber standards for hospitals, power companies and other life-critical U.S. industries.
“Everywhere I go, people thank me for the work we did on the cybersecurity framework and how it got better over time: The trust from the private sector to keep it voluntary; from the privacy groups, we hear that they are glad we were able to keep the Fair Information Practice Principles in the document despite the heavy pressure that we got from industry on that," he said.
“When you start to see announcements related to and around cyber insurance, that’s pretty fulfilling because that was the original goal, to build it into the marketplace without a regulatory effort. Just like [with the proviso] 'Do you have smoke alarms?' for fire insurance, which is built into most regular business policies."
The business community, for the most part, seems grateful for the compromise Schwartz helped forge.
The U.S. Chamber of Commerce called the framework "a remarkable success" last month.
"The Chamber, sector-based coordinating councils and associations, companies and other private and public entities collaborated closely with NIST in developing the framework," Ann M. Beauchesne, vice president of the Chamber's National Security and Emergency Preparedness Department, wrote in an Oct. 10 letter to NIST officials.
She specifically cited Schwartz and his efforts to translate the paper rubric into actionable steps.
Schwartz recently remarked industry support for the framework has "exceeded expectations.” That recognition "is constructive and helps keep the private sector engaged in using the framework and promoting it with business partners,” Beauchesne said.
Threat-Sharing Still Lags
Still, some companies take issue with the administration’s policies on exchanging tips about cyber threats.
"The information-sharing discussion puts too little emphasis on improving government-to-business sharing. The Chamber wants to expand government-to-business information sharing, which is progressing but needs improvement," Beauchesne said.
As an example, she pointed to a recent unfavorable inspector general report that found, as of July, only three of 16 key industries – energy, communications and defense – were using a service that shares classified cyberthreat intelligence.
While the number of participating sectors has risen to eight, it is unclear how many firms within those categories have signed up.
Schwartz’s former bosses at Commerce confirm Schwartz was instrumental in the final cyber concessions, as well as other policy formulations, such as a green paper on digital copyright policy issues.
"Ari's work on cybersecurity stands out in particular, because of his ability to build bridges between different stakeholders and drive consensus," Commerce Deputy Secretary Bruce Andrews told Nextgov.
To read the full interview with Ari Schwartz as it appears in the November-December issue of Government Executive magazine, click here.
NEXT STORY: Parsing Rand Paul’s ‘No’ Vote on NSA Reform