Ex-White House Cyber Chief Joins with Tech Firms to Tackle Bug Bounties


Issues to be addressed range from the global debate over encryption to the minutiae of the federal cybersecurity budget.

The former White House senior cybersecurity director has rallied major security vendors to lobby lawmakers and agencies on cyber regulations, under a new umbrella organization.

The issues they intend to tackle range from the global debate over encryption to the minutiae of the federal cybersecurity budget, said Ari Schwartz, coordinator of the new Coalition for Cybersecurity Policy and Law.

On Thursday, founding members Arbor Networks, Cisco, Intel, Microsoft, Oracle, Rapid7 and Symantec formally launched the coalition. Their first action was providing the Commerce Department with written comments and criticisms on voluntary cyber standards that Schwartz helped write and carry out.

Writing the regulations through the interagency process was “a lot more contentious” than gathering together cybersecurity vendors to draft a response to them, said Schwartz, a nearly five-and-a-half-year veteran of the administration. “We haven’t had major disagreements at this point yet,” he said.

(As a former career federal employee, Schwartz is not barred from representing companies to discuss broad programs he handled, he said.)

Today, there is a duel playing out on a world stage between Apple and the FBI over a court order requesting the tech titan develop, essentially, new malware that can override security controls in the iPhone 5C. The bureau says it needs a way to see the encrypted contents of the model used by one of the San Bernardino shooters.

The preferred method would be to “brute-force” entry with existing password-guessing malware, but Apple’s enhanced protections on the iPhone could lock the device after too many wrong guesses.

The coalition has yet to settle on a position.

“Obviously, encryption tools are central to making a lot of cybersecurity products work, so it is something that we discuss internally,” said Schwartz, also now a managing director for Venable LLP. At the same time, the group does not want to duplicate campaigns run by other privacy and tech groups in the encryption space.

The group’s aim is to serve as a resource for policymakers on complex subjects sensitive to coalition members and, perhaps, misunderstood inside Washington.

“When I was in government, I was always wanting to know what the people actually practicing this say,” Schwartz said.

One upcoming topic they expect to take on is “bug bounties” and security vulnerability reporting, both of which involve reporting exploitable flaws in software to its manufacturers.

Commerce’s National Telecommunications and Information Administration is holding public meetings to understand current procedures in the real world as the agency formulates guidelines.

In addition, the coalition plans to address policies announced yesterday on sharing tips about cyberthreats between private companies and Department of Homeland Security emergency responders.

Alerts “can include, for example, the subject line of a spear phishing email, or the IP address of the computer from which it originated,” DHS Secretary Jeh Johnson said in a statement.

Homeland Security also released interim privacy rules detailing precautions the government will take to ensure companies strip out personal information from the tips shared with the feds.

“We welcome feedback from privacy advocates and private sector participants in the Automated Indicator Sharing system as we continue to develop the final documents ahead of their statutory deadline in June,” Johnson said.

Some of the recommendations the coalition presented Thursday to Commerce’s National Institute of Standards and Technology point to inadequacies with the current rubric, called “The Cybersecurity Framework.”

The core blueprint for companies to follow is silent on the security of the “supply chain,” a consequence of globalization that makes it challenging to know if parts of a product have been tainted between production and installation, according to the comments.

Vendor selection, the detection of vulnerabilities in components, and procedures for controlling software design should be included in the framework, the companies advised.

Unsurprisingly, the cybersecurity vendors praised the overall guidance in draft comments, saying, “The Cybersecurity Framework is driving the use of products and services provided by the coalition’s members, which is a positive development for the security of the nation’s critical infrastructure.”

When asked how he felt critiquing his previous work at the White House, Schwartz said, “There’s nothing in there that’s true criticism,” adding there are items “to look out for in the future as the framework is changed.”
