Light Dark
January 9, 2019 By Kacy Zurkus 3 min read
Government
Risk Management

The Aspen Cybersecurity Group, a nonpartisan subset of The Aspen Institute comprised of government officials, industry-leading experts, and academic and civil leaders, convened in early November to address cybersecurity risks and the actions that must be taken to protect enterprise networks from cyberthreats.

Chaired by Lisa Monaco, distinguished senior fellow at NYU School of Law, U.S. Rep. Will Hurd, and Ginni Rometty, president and CEO of IBM, the 32-member group represents a wide range of organizations, from Symantec and JPMorgan Chase to Stanford University and the 23rd District of Texas. Together, the group determined three requirements to move the national cybersecurity needle forward.

1. Improve Public-Private Collaboration on Cybersecurity Risks

Members of the Aspen Cybersecurity Group agreed that the U.S. is behind others in collaborative efforts and that the gap continues to widen in the absence of a collective framework. What is missing is a set of clearly defined rules on who does what when it comes to sharing information about cybersecurity risks, as well as an established set of shared values.

“The Aspen Cybersecurity Group is publishing ‘An Operational Collaboration Framework for Cybersecurity‘ that addresses the day-to-day and response to serious incidents, defines the who, and spells out the key actions to make it work,” said John Carlin, chair of the Cybersecurity and Technology Program at The Aspen Institute.

The proposed framework states: “This cyber collaboration framework is similar to the National Preparedness System which is used to coordinate responses to natural disasters, terrorism, chemical and biological events in the physical world. As the linkage between the cyber and physical realms increases, using similar organizing constructs for both environments would make coordination between the two realms more seamless.”

2. Develop Cybersecurity Workforce Skills

With a workforce shortage of around 300,000 individuals in cybersecurity, according to a study from CyberSeek, the U.S. is expecting an increase in the existing skills gap, making it all the more challenging protect enterprise networks from cyberthreats. The demand for talent is drastically surpassing supply, despite the awareness that large candidate pools have not yet been tapped.

Learn More

“Employer requirements aren’t well synced to the skills needed, and awareness of cyber career paths remains low. After months studying the challenge, the Aspen Cybersecurity Group is releasing ‘Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce,’ a mix of principles, partnerships and specific steps employers can take to close the skills gap,” Carlin said.

The framework identifies eight principles, including the adoption of new collar perspectives by broadening the skill sets acceptable to hiring managers in cybersecurity, building more engaging job listings and improving educational opportunities within organizations.

3. Secure Emerging Technology Deployments

Connected devices continue to rapidly expand the internet of things (IoT) marketplace, which has its benefits but does not come without significant risk. The proliferation of connected devices has tremendously expanded attack surfaces.

“The Aspen Cybersecurity Group finds that before billions of new devices are connected to the internet, some with health, life and safety risks, we must have security-by-design and consumer awareness. As a first step in that process, the group endorses a set of ‘IoT Security First Principles‘ to set common expectations for IoT consumers and developers [and] manufacturers alike,” Carlin said.

Paramount to the security of IoT devices is the design of such devices, which is why the group’s first principle is that IoT devices must have baked-in security. Additionally, the framework states the need for transparency not only in product security, but also in product privacy.

“Manufacturers [and] developers should be held accountable for the security of their devices: The responsibilities of all parties should be articulated and there should be an enforcement and redress mechanism; devices should ‘timeout’ if updates are unavailable and the device can no longer meet a minimum standard,” the framework states.

How to Influence Change

“These recommendations are an important set of first steps, but they are initial steps,” Carlin stated. “Solving the problem and addressing current and future risk requires a standing commitment. For too long, no such body has existed to address what the [intelligence community] and others have identified as our top threat.”

The Aspen Cybersecurity Group hopes that by putting forth these recommendations, endorsing existing ideas, and leveraging its combined skills and influence, it can spur action across the intelligence and security community.

 |  |  |  |  | 
Kacy Zurkus

More from Government
October 17, 2023

Cyber experts applaud the new White House cybersecurity plan

4 min read - First, there was a strategy. Now, there’s a plan. The Biden Administration recently released its plan for implementing the highly anticipated national cybersecurity strategy published in March. The new National Cybersecurity Strategy Implementation Plan (NCSIP) lays out specific deadlines and responsibilities for the White House’s vision for cybersecurity. The plan is being managed by the White House’s Office of the National Cyber Director (ONCD). Cybersecurity experts have applauded the Administration’s plan as well as the new implementation calendar. For example,…

September 19, 2023

How the FBI Fights Back Against Worldwide Cyberattacks

5 min read - In the worldwide battle against malicious cyberattacks, there is no organization more central to the fight than the Federal Bureau of Investigation (FBI). And recent years have proven that the bureau still has some surprises up its sleeve. In early May, the U.S. Department of Justice announced the conclusion of a U.S. government operation called MEDUSA. The operation disrupted a global peer-to-peer network of computers compromised by malware called Snake. Attributed to a unit of the Russian government Security Service,…

September 18, 2023

How NIST Cybersecurity Framework 2.0 Tackles Risk Management

4 min read - The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines. The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature