The Aspen Cybersecurity Group, a nonpartisan subset of The Aspen Institute comprised of government officials, industry-leading experts, and academic and civil leaders, convened in early November to address cybersecurity risks and the actions that must be taken to protect enterprise networks from cyberthreats.

Chaired by Lisa Monaco, distinguished senior fellow at NYU School of Law, U.S. Rep. Will Hurd, and Ginni Rometty, president and CEO of IBM, the 32-member group represents a wide range of organizations, from Symantec and JPMorgan Chase to Stanford University and the 23rd District of Texas. Together, the group determined three requirements to move the national cybersecurity needle forward.

1. Improve Public-Private Collaboration on Cybersecurity Risks

Members of the Aspen Cybersecurity Group agreed that the U.S. is behind others in collaborative efforts and that the gap continues to widen in the absence of a collective framework. What is missing is a set of clearly defined rules on who does what when it comes to sharing information about cybersecurity risks, as well as an established set of shared values.

“The Aspen Cybersecurity Group is publishing ‘An Operational Collaboration Framework for Cybersecurity’ that addresses the day-to-day and response to serious incidents, defines the who, and spells out the key actions to make it work,” said John Carlin, chair of the Cybersecurity and Technology Program at The Aspen Institute.

The proposed framework states: “This cyber collaboration framework is similar to the National Preparedness System which is used to coordinate responses to natural disasters, terrorism, chemical and biological events in the physical world. As the linkage between the cyber and physical realms increases, using similar organizing constructs for both environments would make coordination between the two realms more seamless.”

2. Develop Cybersecurity Workforce Skills

With a workforce shortage of around 300,000 individuals in cybersecurity, according to a study from CyberSeek, the U.S. is expecting an increase in the existing skills gap, making it all the more challenging to protect enterprise networks from cyberthreats. The demand for talent is drastically surpassing supply, despite the awareness that large candidate pools have not yet been tapped.

“Employer requirements aren’t well synced to the skills needed, and awareness of cyber career paths remains low. After months studying the challenge, the Aspen Cybersecurity Group is releasing ‘Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce,’ a mix of principles, partnerships and specific steps employers can take to close the skills gap,” Carlin said.

The framework identifies eight principles, including the adoption of new collar perspectives by broadening the skill sets acceptable to hiring managers in cybersecurity, building more engaging job listings and improving educational opportunities within organizations.

3. Secure Emerging Technology Deployments

Connected devices continue to rapidly expand the internet of things (IoT) marketplace, which has its benefits but does not come without significant risk. The proliferation of connected devices has tremendously expanded attack surfaces.

“The Aspen Cybersecurity Group finds that before billions of new devices are connected to the internet, some with health, life and safety risks, we must have security-by-design and consumer awareness. As a first step in that process, the group endorses a set of ‘IoT Security First Principles’ to set common expectations for IoT consumers and developers [and] manufacturers alike,” Carlin said.

Paramount to the security of IoT devices is the design of such devices, which is why the group’s first principle is that IoT devices must have baked-in security. Additionally, the framework states the need for transparency not only in product security, but also in product privacy.

“Manufacturers [and] developers should be held accountable for the security of their devices: The responsibilities of all parties should be articulated and there should be an enforcement and redress mechanism; devices should ‘timeout’ if updates are unavailable and the device can no longer meet a minimum standard,” the framework states.

How to Influence Change

“These recommendations are an important set of first steps, but they are initial steps,” Carlin stated. “Solving the problem and addressing current and future risk requires a standing commitment. For too long, no such body has existed to address what the [intelligence community] and others have identified as our top threat.”

The Aspen Cybersecurity Group hopes that by putting forth these recommendations, endorsing existing ideas, and leveraging its combined skills and influence, it can spur action across the intelligence and security community.
