Cyber privacy from all sides

Ari Schwartz doesn’t have the best timing.

“It’s funny, because I was a privacy advocate after 9/11,” recalled Schwartz, thinking back to the era when security took precedence over all else.

ADVERTISEMENT
“And then I was a security guy working on privacy after the Snowden leaks,” said the long-time digital rights advocate turned top White House National Security Council official.

In other words, by the time Schwartz’s privacy community had its cultural moment, he was on the other side.

“That did not go unnoticed by me,” he added, with a burst of laughter.

After more than a decade of pressing the government on privacy, transparency and online accessibility with the Center for Democracy and Technology (CDT), Schwartz was defending the government’s bruised — and often impenetrable — intelligence community.

“It doesn’t bother me,” Schwartz said of being the “privacy guy” working on security. “I feel like they’re both extremely important and necessary. They’re both clearly spelled out in the Constitution, especially when it comes to government’s role.”

Schwartz — who comes across as structured and pragmatic — found himself well-suited to his dual mandate at the White House, where he started in June 2013 as the director for cybersecurity privacy, civil liberties and policy, the same month that Edward Snowden revealed the government’s secret surveillance underbelly.

“I ended up doing a lot of work on the intelligence reform,” he said, chuckling again, “that I don’t think I had planned to do originally.”

In March 2014, Schwartz became the National Security Council’s senior director on cybersecurity, putting him at the forefront of the administration’s major cyber policy push over the last year. In 2015 alone, the White House issued two executive orders on cyber — one to raise sanctions for hacking, another to encourage private sector information sharing — and shepherded through Congress the biggest cyber bill to date.

“I think it’s important to have a defender of the other side in that atmosphere,” he said. “And knowing both worlds, I think I was able to — particularly in the White House — be a good translator and bring in people who could help to have a real conversation about where we should go and move it forward.”

The approach fits with Schwartz’s grand vision for the Internet as a safe, open forum where everyone has access and a role to play. It’s what brought him to Washington, D.C., 20 years ago.

In those two decades, Schwartz has pushed people to think about the Internet as a long-term proposition.

With the CDT, he formed a coalition to eradicate the spyware that was blanketing people’s computer screens with pop-up ads. After jumping to the government in 2011, Schwartz worked with the Commerce Department, bringing disparate parties together to create the standards that are guiding the Internet’s growth.

He thinks his work has had a “direct role” altering the digital landscape.

“There’s a lot less investment in that kind of short-term gain and a lot more thinking about long-term gain from the Internet perspective,” he said. “I think that’s been good for society.”

Now Schwartz is on yet another side — the private sector — after leaving his White House post in October. The law firm Venable brought on the former Obama administration official as its managing director of cybersecurity services.

When The Hill met with Schwartz, he was still making the rounds with his new clients, working to bridge yet another gap, this time between industry and government.

And when it comes to cybersecurity, that gap could widen into a chasm, given the slew of data breaches that have pummeled companies and the at-times vague guidance from the government on what it expects the industry to do about it.

“On my first day, I talked to a bunch of clients here that really, clearly needed help at just [developing] a more granular vision” on cybersecurity, said Schwartz, sitting in his spacious yet modestly furnished corner office just 1 mile east of 1600 Pennsylvania Ave.

“A lot of companies are dealing with that realization, ‘Oh we have to handle this problem, and we can’t just turn a willfully blind eye to it anymore.’ ”

In December, President Obama signed into law the major cyber bill that took months of cajoling to get through Congress. The measure — which drew ire from the digital privacy community, including Schwartz’s former employer, the CDT — intends to clarify how companies can best swap information on hacking threats with the government without facing legal ramifications.

It will take months to hammer out all the details, and many in the private sector are still wary of regulators as they tiptoe into enforcing security standards.

“It is interesting to hear from this side what the regulators are saying, as opposed to my conversations from the other side with the regulators,” Schwartz said.

Disagreements over encryption standards are also threatening to cleave the tenuous relationship between the private sector and government officials.

The two sides have clashed over the past year regarding government access to secured data. Following the terrorist attacks in Paris and San Bernardino, Calif., the dispute reached a fever pitch.

The FBI and other law enforcement officials warn that extremists and criminals are encrypting their communication to plot deadly attacks and conduct nefarious activities hidden from authorities. They’ve pushed for a policy that would mandate companies hand over locked data when compelled by a court order.

But tech firms such as Apple have stood behind strong encryption, arguing they can’t comply with these court orders because even they can’t crack into their products.

Technologists insist that having any method to access encrypted data puts all secure information at risk. Keeping a key around to unlock encryption means that anyone, including hackers, can use that key, they argue.

Schwartz said the whole debate has been hijacked by empty rhetoric, with security and privacy advocates talking past each other.

“I feel like we haven’t had very many facts,” he said. “That completely frustrates me.”

“This is often pitted as a security vs. privacy conversation,” he added. “It’s actually a security vs. security conversation.”

Schwartz called it the “single competing paradox of the use of encryption.”

“The more we use it, the better protected we are, but that means that law enforcement has less access to it,” he said.

While Schwartz was at the White House, the administration considered a number of technological mandates that would have given law enforcement their desired access to digital devices.

Eventually, officials quietly backed away from pushing any proposal. The White House has been studying the issue since then, leaving many to wonder when — or if — the administration will take a firmer stance on the issue.

“I think we could use with a clear statement from the White House,” Schwartz said.

Such a statement could help bridge that widening gap between opposing sides, he explained.

“The president raised it in discussion, but we haven’t had that kind of crystal clear, ‘Here’s the kind of conversation we want to have,’ ” Schwartz said.

“So I think that is still lacking out there.”