The Aspen Cybersecurity Group, a nonpartisan subset of The Aspen Institute comprised of government officials, industry-leading experts, and academic and civil leaders, convened in early November to address cybersecurity risks and the actions that must be taken to protect enterprise networks from cyberthreats.
Chaired by Lisa Monaco, distinguished senior fellow at NYU School of Law, U.S. Rep. Will Hurd, and Ginni Rometty, president and CEO of IBM, the 32-member group represents a wide range of organizations, from Symantec and JPMorgan Chase to Stanford University and the 23rd District of Texas. Together, the group determined three requirements to move the national cybersecurity needle forward.
1. Improve Public-Private Collaboration on Cybersecurity Risks
Members of the Aspen Cybersecurity Group agreed that the U.S. is behind others in collaborative efforts and that the gap continues to widen in the absence of a collective framework. What is missing is a set of clearly defined rules on who does what when it comes to sharing information about cybersecurity risks, as well as an established set of shared values.
“The Aspen Cybersecurity Group is publishing ‘An Operational Collaboration Framework for Cybersecurity‘ that addresses the day-to-day and response to serious incidents, defines the who, and spells out the key actions to make it work,” said John Carlin, chair of the Cybersecurity and Technology Program at The Aspen Institute.
The proposed framework states: “This cyber collaboration framework is similar to the National Preparedness System which is used to coordinate responses to natural disasters, terrorism, chemical and biological events in the physical world. As the linkage between the cyber and physical realms increases, using similar organizing constructs for both environments would make coordination between the two realms more seamless.”
2. Develop Cybersecurity Workforce Skills
With a workforce shortage of around 300,000 individuals in cybersecurity, according to a study from CyberSeek, the U.S. is expecting an increase in the existing skills gap, making it all the more challenging protect enterprise networks from cyberthreats. The demand for talent is drastically surpassing supply, despite the awareness that large candidate pools have not yet been tapped.
“Employer requirements aren’t well synced to the skills needed, and awareness of cyber career paths remains low. After months studying the challenge, the Aspen Cybersecurity Group is releasing ‘Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce,’ a mix of principles, partnerships and specific steps employers can take to close the skills gap,” Carlin said.
The framework identifies eight principles, including the adoption of new collar perspectives by broadening the skill sets acceptable to hiring managers in cybersecurity, building more engaging job listings and improving educational opportunities within organizations.
3. Secure Emerging Technology Deployments
Connected devices continue to rapidly expand the internet of things (IoT) marketplace, which has its benefits but does not come without significant risk. The proliferation of connected devices has tremendously expanded attack surfaces.
“The Aspen Cybersecurity Group finds that before billions of new devices are connected to the internet, some with health, life and safety risks, we must have security-by-design and consumer awareness. As a first step in that process, the group endorses a set of ‘IoT Security First Principles‘ to set common expectations for IoT consumers and developers [and] manufacturers alike,” Carlin said.
Paramount to the security of IoT devices is the design of such devices, which is why the group’s first principle is that IoT devices must have baked-in security. Additionally, the framework states the need for transparency not only in product security, but also in product privacy.
“Manufacturers [and] developers should be held accountable for the security of their devices: The responsibilities of all parties should be articulated and there should be an enforcement and redress mechanism; devices should ‘timeout’ if updates are unavailable and the device can no longer meet a minimum standard,” the framework states.
How to Influence Change
“These recommendations are an important set of first steps, but they are initial steps,” Carlin stated. “Solving the problem and addressing current and future risk requires a standing commitment. For too long, no such body has existed to address what the [intelligence community] and others have identified as our top threat.”
The Aspen Cybersecurity Group hopes that by putting forth these recommendations, endorsing existing ideas, and leveraging its combined skills and influence, it can spur action across the intelligence and security community.