In 1858, a public health crisis gripped the city of London. Successive cholera outbreaks spread by contaminated water were killing thousands. The river Thames was so polluted that Parliament refused to meet. As London’s population exploded, no one had invested in the basic wastewater infrastructure necessary to manage the consequences of cramming millions of people into one of the world’s first metropolises. After decades of failing to safeguard access to clean water, the government finally embarked on an unprecedented civil works project to retrofit the entire city with its first sewer system.
Cyberspace today resembles London in 1858. Just as water provides the foundation for human health, the Internet has become the delivery platform and interface for nearly every aspect of our economy and daily life. And like the cholera that thrived in the polluted waterways of London, malicious actors are exploiting our society’s stubborn reluctance to invest in the security and resilience of our technology. We built our digital society on a shaky foundation, entrusting our most critical data and activities to systems and tools that were not originally designed with security as a core objective. The revolutionary openness of the Internet was world-altering, but today that very same openness increasingly is used as the vector to poison the entire digital ecosystem. And we simply do not have the infrastructure, practices, and institutions to disinfect it.
We consistently underestimate how bad actors might weaponize our technology against us and cause real harm. During the COVID-19 pandemic, we have seen nation-states target the intellectual property of drug developers and criminal groups disrupt already-stressed hospitals with ransomware. A denial-of-service attack shut down the New Zealand stock exchange. All manner of actors are spreading mis- and disinformation about the sources of coronavirus, dangerous and unconfirmed treatments, stay-at-home orders, the efficacy of vaccines, and more.
Yet despite more than a decade of studies, warnings, and high-profile attacks—including incidents that cost companies like Merck, Maersk, and FedEx hundreds of millions of dollars—the government’s investment in cybersecurity prevention and response falls woefully short. After the 9/11 attacks, the U.S. government wholly and totally committed to confronting terrorist organizations. It created a new cabinet department (the Department of Homeland Security) and new federal leadership (the Office of the Director of National Intelligence and the National Counterterrorism Center). It designated billions of dollars of funding toward state and local preparedness. The entire federal apparatus mounted a herculean effort to reorient budgets, processes, and priorities.
We see no similar mobilization toward securing the Internet and our digital lives. Warnings of a “Cyber 9/11” have not supplied the trigger. Neither have the untold billions of dollars in damages already caused by cybercrime, ransomware, intellectual property theft, and espionage.
The cybersecurity community’s tendency to treat cybersecurity as a problem to be solved has not been effective. Instead, we need to convey cybersecurity as an inextricable element of the digital infrastructure on which all society’s priorities depend. Cyberspace is modern life, and we simply cannot use it without cybersecurity. It is critical to the way we work, the way we bank, the way we shop, the way we drive. The unprecedented events of 2020 have underscored that technology and security are now also central to the way we vote, the way we deliver health care—even the way we spend time with our loved ones amid a pandemic. With as many as half of the American workforce operating from home, multinational corporations are running on Zoom and Slack. Digital technology should be treated like water and cybersecurity as the foundation for keeping it clean. As our digital dependencies intensify, our way of life will not be possible without better cybersecurity risk management. Digital resilience must become central to everything we do.
As the White House changes hands and Congress begins a new term, there is ample opportunity to find bipartisan consensus on key cybersecurity priorities. This document outlines achievable action steps for federal policymakers to make rapid progress toward a more resilient digital infrastructure. Some can be accomplished in weeks or months; others will take years. Fortunately, the federal government is not alone. Cyberspace is ultimately the domain of civil society and private enterprise, sectors teeming with experts who can guide the White House and Congress as they grapple with the difficult tradeoffs inherent to any cybersecurity policy decision. In crafting the National Cybersecurity Agenda, the Aspen Cybersecurity Group sought input from a diverse network of partners in academia and industry. Together, we stand ready and willing to assist policymakers in cultivating a secure, reliable, and productive cyberspace.
ASPEN CYBERSECURITY GROUP
The Aspen Cybersecurity Group is a standing, public-private forum to bridge the gap between policymakers, industry executives, security professionals, and civil society leaders. It aims to operationalize consensus solutions to the hardest cybersecurity problems by cultivating honest dialogue and forging lasting partnerships between government agencies, companies, nonprofits, and individuals.
Kate Adams, General Counsel, Apple
Gen. Keith Alexander, Co-CEO, IronNet Cybersecurity
Sara Andrews, CISO, PepsiCo
Monika Bickert, Head of Global Policy Management, Facebook
John Carlin, Chair, Cyber & Technology Program, The Aspen Institute
Vint Cerf, Chief Internet Evangelist, Google
Lucy Fato, General Counsel, AIG
Sue Gordon, Founder, GordonVentures LLC
Dr. Lorrie Faith Cranor, Director, CyLab Security & Privacy Institute, Carnegie Mellon University
Michael Daniel, President and CEO, Cyber Threat Alliance
Jim Dempsey, Executive Director, Center for Law & Technology, UC-Berkeley
Don Dixon, Co-Founder & Managing Director, ForgePoint Capital
Lynn Good, CEO, Duke Energy
Alex Gorsky, CEO, Johnson & Johnson
Yasmin Green, Director of Research, Jigsaw
Gen. Michael Hayden, Principal, The Chertoff Group
Susan Hennessey, Executive Editor, Lawfare
Rep. Will Hurd, Ranking Member, Subcommittee on Intelligence Modernization and Readiness, House Permanent Select Committee on Intelligence
Chris Inglis, Managing Director, Paladin Capital Group
Sean Joyce, Partner, PwC
Rep. James R. Langevin, Chairman, Intelligence and Emerging Threats and Capabilities Subcommittee, House Committee on Homeland Security
Herb Lin, Senior Research Scholar, Stanford University
Brad Maiorino, Chief Strategy Officer, FireEye
Jeanette Manfra, Director, Government Security and Compliance, Google
Chandra McMahon, CISO, CVS Health
Lisa Monaco, former White House Homeland Security Advisor and Partner, O’Melveny & Myers
Craig Newmark, Founder, craigslist and Craig Newmark Philanthropies
Mary O’Brien, General Manager, IBM Security
Dr. Greg Rattray, Adjunct Professor, Columbia University
Former Rep. Mike Rogers, Former Chair, House Intelligence Committee
David Sanger, National Security Correspondent, New York Times
Dr. Phyllis Schneck, CISO, Northrop Grumman
Bruce Schneier, Fellow and Lecturer, Harvard Berkman-Klein Center
Alex Stamos, Director, Stanford Internet Observatory
Kathy Warden, Chairman, President, and CEO, Northrop Grumman
Michelle Zatlyn, Co-Founder and Chief Operating Officer, Cloudflare
Jonathan Zittrain, Director, Harvard Berkman-Klein Center
Jane Harman (ex-officio)
Michael Chertoff (ex-officio)
The Aspen Cybersecurity Group is a forum for a diverse range of voices, and this report draws on the advice and expertise of a variety of outside partners and colleagues across industry, government, and civil society. As with any attempt to distill the collective wisdom of an entire community, our efforts have relied on the counsel of too many individuals to acknowledge here. But we would like to give special thanks to people and organizations who graciously volunteered their time to reflect on the challenges ahead of us and help craft a path toward progress.
This report was compiled, managed, and written by David Forscey, Managing Director of the Aspen Cybersecurity Group, with assistance from the entire team at Aspen Digital, including Savilla Pitt, Beth Semel, Garrett Graff, Carner Derron, and Vivian Schiller. Special thanks to Betsy Cooper, Meha Ahluwalia, Mai Sistla, Dominique Harrison, and Kristine Gloria for their contributions on some of the report’s most important sections.
This report is made possible thanks to the generosity and support of the William and Flora Hewlett Foundation and Craig Newmark Philanthropies.
PURPOSE AND SCOPE
This agenda is designed to assist federal policymakers in prioritizing, planning, and executing actionable cybersecurity initiatives whose goals are achievable in the next four years. Its intended audience is political appointees and career officials across the executive branch, federal lawmakers and their staff teams, and professional staff on congressional committees.
Note that this is not a framework for a national cybersecurity strategy, although most of its content should figure into one. Such a comprehensive strategic framework would need to describe clear roles for the private sector and civil society in addition to government—and operate at a global scale.
The next administration and Congress cannot simultaneously address the wide array of cybersecurity risks confronting modern society. Policymakers in the White House, federal agencies, and Congress should zero in on the most important and solvable problems. To that end, this report covers five priority areas where we believe cybersecurity policymakers should focus their attention and resources as they contend with a presidential transition, a new Congress, and massive staff turnover across our nation’s capital.
- Education and Workforce Development
- Public Core Resilience
- Supply Chain Security
- Measuring Cybersecurity
- Promoting Operational Collaboration
Each section defines the problem, makes the case for prioritizing it, establishes measurable outcomes, outlines obstacles that stymied past efforts, and details tangible action steps to overcome those obstacles.
This report is designed to be modular, with each section and its subsidiary recommendations able to stand on their own. We hope this will allow champions of specific focus areas to pick and choose based on changing political and business realities.
In selecting the five categories, the Aspen Cybersecurity Group sought to highlight initiatives that:
- Create leverage by offering “the greatest advantage to the defender over attackers at the least cost and greatest scale”;
- Benefit from an established technical or organizational foundation that can facilitate rapid progress; and
- Are relevant to the industry stakeholders, researchers, and security thought leaders whose buy-in is essential.
While technically out-of-scope, some topics are too important to omit without mention. In the section on Additional Priorities, we briefly address other areas that demand urgent attention from federal policymakers.
ACTION STEPS AT A GLANCE
Education and Workforce
Appropriate new grant funding and direct grantmaking agencies to support organizations dedicated to growing the representation of underrepresented communities in the cybersecurity field.
Change how employers recruit cybersecurity workers to diversify and expand the talent pool.
Authorize and fund a national repository of K-12 cybersecurity resources.
Create and scale an industry-to-school pipeline for part-time instructors.
Elevate and scale apprenticeship models.
Create a leadership structure for coordinating federal cybersecurity workforce activities.
Improve equitable access to broadband Internet services for all communities.
Expand pay flexibility for all federal departments and agencies.
Increase funding for CyberCorps: Scholarship for Service to expand its focus.
Public Core Resilience
Designate the commercial space sector as critical infrastructure.
Publish a national strategy to secure the public core.
Create a new cyberspace office within the U.S. State Department.
Supply Chain Security
Promote security transparency.
Publish a national industrial base strategy to maximize competition and innovation.
Promote financial support for free and open source software.
Measuring Cybersecurity
Establish a Bureau of Cyber Statistics.
Assess the cost-effectiveness of cybersecurity frameworks and risk analysis tools.
Improve state and local law enforcement’s ability to report cybercrime incidents.
Establish a cross-sector partnership on modeling cybersecurity risk.
Promoting Operational Collaboration
Establish a National Cyber Director (NCD) to enhance public-private operational collaboration for proactive disruption and cyber event response.
Update federal law enforcement employee incentives to reward disruption of adversary operations.
Create a personnel exchange program between companies and federal agencies.
Direct and publish a review of legal barriers to deeper intelligence and operational coordination between federal agencies and private companies.
Create a framework to measure the outcomes of disruption and event response activities.