Light Dark
January 9, 2019 By Kacy Zurkus 3 min read
Government
Risk Management

The Aspen Cybersecurity Group, a nonpartisan subset of The Aspen Institute comprised of government officials, industry-leading experts, and academic and civil leaders, convened in early November to address cybersecurity risks and the actions that must be taken to protect enterprise networks from cyberthreats.

Chaired by Lisa Monaco, distinguished senior fellow at NYU School of Law, U.S. Rep. Will Hurd, and Ginni Rometty, president and CEO of IBM, the 32-member group represents a wide range of organizations, from Symantec and JPMorgan Chase to Stanford University and the 23rd District of Texas. Together, the group determined three requirements to move the national cybersecurity needle forward.

1. Improve Public-Private Collaboration on Cybersecurity Risks

Members of the Aspen Cybersecurity Group agreed that the U.S. is behind others in collaborative efforts and that the gap continues to widen in the absence of a collective framework. What is missing is a set of clearly defined rules on who does what when it comes to sharing information about cybersecurity risks, as well as an established set of shared values.

“The Aspen Cybersecurity Group is publishing ‘An Operational Collaboration Framework for Cybersecurity‘ that addresses the day-to-day and response to serious incidents, defines the who, and spells out the key actions to make it work,” said John Carlin, chair of the Cybersecurity and Technology Program at The Aspen Institute.

The proposed framework states: “This cyber collaboration framework is similar to the National Preparedness System which is used to coordinate responses to natural disasters, terrorism, chemical and biological events in the physical world. As the linkage between the cyber and physical realms increases, using similar organizing constructs for both environments would make coordination between the two realms more seamless.”

2. Develop Cybersecurity Workforce Skills

With a workforce shortage of around 300,000 individuals in cybersecurity, according to a study from CyberSeek, the U.S. is expecting an increase in the existing skills gap, making it all the more challenging protect enterprise networks from cyberthreats. The demand for talent is drastically surpassing supply, despite the awareness that large candidate pools have not yet been tapped.

Learn More

“Employer requirements aren’t well synced to the skills needed, and awareness of cyber career paths remains low. After months studying the challenge, the Aspen Cybersecurity Group is releasing ‘Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce,’ a mix of principles, partnerships and specific steps employers can take to close the skills gap,” Carlin said.

The framework identifies eight principles, including the adoption of new collar perspectives by broadening the skill sets acceptable to hiring managers in cybersecurity, building more engaging job listings and improving educational opportunities within organizations.

3. Secure Emerging Technology Deployments

Connected devices continue to rapidly expand the internet of things (IoT) marketplace, which has its benefits but does not come without significant risk. The proliferation of connected devices has tremendously expanded attack surfaces.

“The Aspen Cybersecurity Group finds that before billions of new devices are connected to the internet, some with health, life and safety risks, we must have security-by-design and consumer awareness. As a first step in that process, the group endorses a set of ‘IoT Security First Principles‘ to set common expectations for IoT consumers and developers [and] manufacturers alike,” Carlin said.

Paramount to the security of IoT devices is the design of such devices, which is why the group’s first principle is that IoT devices must have baked-in security. Additionally, the framework states the need for transparency not only in product security, but also in product privacy.

“Manufacturers [and] developers should be held accountable for the security of their devices: The responsibilities of all parties should be articulated and there should be an enforcement and redress mechanism; devices should ‘timeout’ if updates are unavailable and the device can no longer meet a minimum standard,” the framework states.

How to Influence Change

“These recommendations are an important set of first steps, but they are initial steps,” Carlin stated. “Solving the problem and addressing current and future risk requires a standing commitment. For too long, no such body has existed to address what the [intelligence community] and others have identified as our top threat.”

The Aspen Cybersecurity Group hopes that by putting forth these recommendations, endorsing existing ideas, and leveraging its combined skills and influence, it can spur action across the intelligence and security community.

 |  |  |  |  | 
Kacy Zurkus

More from Government
August 14, 2024

CIRCIA feedback update: Critical infrastructure providers weigh in on NPRM

3 min read - In 2022, the Cyber Incident for Reporting Critical Infrastructure Act (CIRCIA) went into effect. According to Secretary of Homeland Security Alejandro N. Mayorkas, "CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors."While the law itself is on the books, the reporting requirements for covered entities won't come into force until CISA completes its rulemaking process. As part of…

May 30, 2024

Important details about CIRCIA ransomware reporting

4 min read - In March 2022, the Biden Administration signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This landmark legislation tasks the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments.The CIRCIA incident reports are meant to enable CISA to:Rapidly deploy resources and render assistance to victims suffering attacksAnalyze incoming reporting across sectors to spot trendsQuickly share information with network defenders to warn other…

April 18, 2024

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature