January 9, 2019 By Kacy Zurkus 3 min read

The Aspen Cybersecurity Group, a nonpartisan subset of The Aspen Institute comprised of government officials, industry-leading experts, and academic and civil leaders, convened in early November to address cybersecurity risks and the actions that must be taken to protect enterprise networks from cyberthreats.

Chaired by Lisa Monaco, distinguished senior fellow at NYU School of Law, U.S. Rep. Will Hurd, and Ginni Rometty, president and CEO of IBM, the 32-member group represents a wide range of organizations, from Symantec and JPMorgan Chase to Stanford University and the 23rd District of Texas. Together, the group determined three requirements to move the national cybersecurity needle forward.

1. Improve Public-Private Collaboration on Cybersecurity Risks

Members of the Aspen Cybersecurity Group agreed that the U.S. is behind others in collaborative efforts and that the gap continues to widen in the absence of a collective framework. What is missing is a set of clearly defined rules on who does what when it comes to sharing information about cybersecurity risks, as well as an established set of shared values.

“The Aspen Cybersecurity Group is publishing ‘An Operational Collaboration Framework for Cybersecurity‘ that addresses the day-to-day and response to serious incidents, defines the who, and spells out the key actions to make it work,” said John Carlin, chair of the Cybersecurity and Technology Program at The Aspen Institute.

The proposed framework states: “This cyber collaboration framework is similar to the National Preparedness System which is used to coordinate responses to natural disasters, terrorism, chemical and biological events in the physical world. As the linkage between the cyber and physical realms increases, using similar organizing constructs for both environments would make coordination between the two realms more seamless.”

2. Develop Cybersecurity Workforce Skills

With a workforce shortage of around 300,000 individuals in cybersecurity, according to a study from CyberSeek, the U.S. is expecting an increase in the existing skills gap, making it all the more challenging protect enterprise networks from cyberthreats. The demand for talent is drastically surpassing supply, despite the awareness that large candidate pools have not yet been tapped.

“Employer requirements aren’t well synced to the skills needed, and awareness of cyber career paths remains low. After months studying the challenge, the Aspen Cybersecurity Group is releasing ‘Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce,’ a mix of principles, partnerships and specific steps employers can take to close the skills gap,” Carlin said.

The framework identifies eight principles, including the adoption of new collar perspectives by broadening the skill sets acceptable to hiring managers in cybersecurity, building more engaging job listings and improving educational opportunities within organizations.

3. Secure Emerging Technology Deployments

Connected devices continue to rapidly expand the internet of things (IoT) marketplace, which has its benefits but does not come without significant risk. The proliferation of connected devices has tremendously expanded attack surfaces.

“The Aspen Cybersecurity Group finds that before billions of new devices are connected to the internet, some with health, life and safety risks, we must have security-by-design and consumer awareness. As a first step in that process, the group endorses a set of ‘IoT Security First Principles‘ to set common expectations for IoT consumers and developers [and] manufacturers alike,” Carlin said.

Paramount to the security of IoT devices is the design of such devices, which is why the group’s first principle is that IoT devices must have baked-in security. Additionally, the framework states the need for transparency not only in product security, but also in product privacy.

“Manufacturers [and] developers should be held accountable for the security of their devices: The responsibilities of all parties should be articulated and there should be an enforcement and redress mechanism; devices should ‘timeout’ if updates are unavailable and the device can no longer meet a minimum standard,” the framework states.

How to Influence Change

“These recommendations are an important set of first steps, but they are initial steps,” Carlin stated. “Solving the problem and addressing current and future risk requires a standing commitment. For too long, no such body has existed to address what the [intelligence community] and others have identified as our top threat.”

The Aspen Cybersecurity Group hopes that by putting forth these recommendations, endorsing existing ideas, and leveraging its combined skills and influence, it can spur action across the intelligence and security community.

More from Government

Updated SBOM guidance: A new era for software transparency?

3 min read - The cost of cyberattacks on software supply chains is a growing problem, with the average data breach costing $4.45 million in 2023. Since President Biden’s 2021 executive order, software bills of materials (SBOMs) have become a cornerstone in protecting supply chains.In December 2023, the National Security Agency (NSA) published new guidance to help organizations incorporate SBOMs and combat the threat of supply chain attacks.Let’s look at how things have developed since Biden’s 2021 order and what these updates mean for…

Roundup: Federal action that shaped cybersecurity in 2023

3 min read - As 2023 draws to a close, it’s time to look back on our top five federal cyber stories of the year: a compilation of pivotal moments and key developments that have significantly shaped the landscape of cybersecurity at the federal level.These stories highlight the challenges federal agencies faced in securing digital infrastructure in the past year and explore the evolving nature of cyber threats, as well as the innovative responses required to address them.New White House cybersecurity strategyThe White House’s…

ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware

12 min read - As of December 2023, IBM X-Force has uncovered multiple lure documents that predominately feature the ongoing Israel-Hamas war to facilitate the delivery of the ITG05 exclusive Headlace backdoor. The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers. ITG05’s infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign. X-Force tracks ITG05 as…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today