Sunk low into a love seat of questionable cleanliness, I’m on my front porch looking out over our postage-stamp yard’s summer Christmas lights, wondering how to start this unusually personal post.  It’s 3:30 in the morning, I can’t see my feet or the creepy things potentially marching by them, and it’s entirely possible that one of my “neighbors” may try to “reallocate” my laptop for their own use against my will.  My housemates and our assorted temporary residents are either asleep or quietly going through their nocturnal motions.  Cocooned in both mist and the sounds of the Savages in my headphones, I’m perfectly at home.

Almost.

Which brings me to the trigger for this post: a spontaneous, rationally ill-advised, 2am, almost 5-hour, $15 bus trip to New York City from DC earlier this week to meet @Wh1t3Rabbit while he was passing through. At 226 miles each way, the food court conversation, quick tour of the CyBit floor, and 90-minute talk Raf gave might seem to be weak justifications for the trip to most; but not to me.  Instead, it reminded me of my life growing up…

…Telling my parents I was visiting “friends” 5 miles away and quietly hopping a Greyhound bus from Daytona Beach to go 260+ miles to meet other EFnet IRC ops in South Beach, Miami…then begging on the phone that night to “stay the night to work on a project”…

…Dating a girl because someone dropped me off at a party 30 miles away and it took so many weeks to find a ride back from the host’s house that she and I figured getting together was the only sensical thing to do…

…Carrying a 486 PC on another Greyhound bus all the way from Florida to NC to move in with a guy I originally met on a BBS before heading to Finland to move in with a girl (my future and ex wife) I met on Geocities…

…standing in the rain at Kezar stadium in San Francisco for hours on end – with nowhere to stay that night myself – redboxing to my “ten years older than me online girlfriend” trying to talk her out of suicide by telling her to think of her 7 cats…

…being kidnapped by German Tori Amos fans in Tampa I met on IRC for two days because I had no money, no phone numbers memorized, and I couldn’t actually remember how to get back to my dorm (at the college I only went to one class at the entire semester)…

…Deciding in 10 minutes to use a random $200 “scholarship” check I got (for no good reason I could tell) to fly to Oklahoma to go meet “Stella” from IRC for a couple of nights…telling no one else…and coming back to find my suitemates knocking on my bedroom door telling me to “get the hell off the computer and come eat”…and quietly disappearing into another online friend’s house…only the first time no one knew where I was living…

…couch crashing as a lifestyle…first in a little hacker compound and later in another BBS hangout…

…dropping a friend off at the airport but enjoying the conversation so much I bought a round trip ticket to sit next to her and got on the return flight a few hours later…

…legitimately having to ask “which state am I in?” after getting off of an airplane…

…blowing an emergency roadblock with a friend and heading into an area of Florida completely on fire…and finding the only other living soul back there was a lost pizza delivery dude…

…waking up on a complete empty train…in a metal cavern…walking out the door…following a yellow line…up a few steps…and walking through yet another metal door into a night club…(apparently, they put train cars on ferries in some parts of the world)…

…calling home collect from Sweden with only $80 in my pocket, unable to find Geocities girl and realizing that no matter how far from home you are in the US, you can always *walk* back….

…putting a sheet up as a bedroom door because it had been broken down so many times by friends, family, and strangers that no one wanted to bother putting up a new door…

Anyway. You get the idea.  I’ve spent a lot of time with every material possession of any importance to me fitting into a backpack and having a very flexible definition of “secure safe personal space”; that backpack was “home” to me more than any physical location was.  Much older now than I was in most of those vignettes and having lived a more grounded adulthood, it was only this recent New York trip that made me realize how much that lifestyle is still with me.  I mean, I knew that I enjoy a relatively flexible lifestyle that allows for spontaneous travel and chance encounters…in general. But sitting on an actual Greyhound bus to New York, with no rationally justifiable purpose or agenda and everything that mattered – including clothing – in a single backpack, brought back very specific physical memories; I actually felt, for the first time in a long while, at home.  There was a part of me that relaxed which I hadn’t even felt clenched.  Even the odd double-images created by bus windows were something that tasted of old friends…

I’m obviously not suggesting that I want to live out of a backpack for the rest of my life, but it was a striking reminder that no matter how far we get from our pasts, or how many transformations are created by new experiences, those pasts are always with us. Even if we don’t always notice them. In a personal transition period now, I had been unsure what I wanted to do next.  I’m still not sure, but now I have a much more specific idea of where to start looking…and how to integrate (and take advantage of to everyone’s benefit) that mindset in my professional career.

(And, now that I hear morning birds chirping, it’s time for sleep…)

This year, thanks largely to Josh Corman, I had the opportunity to speak at Source Boston.  It was an interesting experience and the first time in a couple of years I’ve had the chance to talk in front of a general security/hacker audience (Bsides Chicago was the last) – vs one focused on critical infrastructure specifically (like a NATO conference in Tbilisi, Georgia).   Thanks Josh. Also, thanks Jen Giroux for helping me lens myself – your perspective was crucial.

More important than my talk are the slides themselves.  I managed to put together one of the only presentations you’ll find with a relatively short summary of the critical infrastructure landscape that also provides some framing help and advice on how to approach the topic more effectively (see this post for a longer treatment of the executive order sections).  It’s meant to have a strong verbal component, so if something seems incomplete or you need more information, feel free to ping me.  I hope you enjoy. (PDF HERE)


To Whom It May Concern -

In response to this RFI, rather than suggest specific content, I would like to bring NIST’s attention to several conceptual perspectives that I believe have so far been underrepresented in the discussion.

Perspective 1: A Need for Common Conceptual Framing

First, I believe the potential value of a successful framework will not be in the content, but in the conceptual model the content is organized around.  One of the primary problems facing us as individual organizations and as a nation is not only the lack of a common cyber security lexicon, but also significantly incomplete and often incompatible views as to what comprises cyber security itself.  This point can be illustrated in two ways:

  1. After attending the recent NIST Framework Workshop, it was evident that many speakers were discussing only component pieces of cyber security (e.g., information sharing), and not the entirety of the problem (e.g., procurement). The result was a grab-bag of security ideas that could not be evaluated in terms of each other or their role in security as compared to the rest of the ideas shared.  The discussion lacked the structural and conceptual rails required to guide the participants down the path of solving the same problem. I was left wondering “How does this all fit together?”.
  2. One of the critical infrastructure sectors recently asked their pertinent government agencies (there were 4 represented) for guidance on which federal tools and frameworks should be used, by whom, when, and why.  Industry believed the tools lacked appropriate descriptions.  After investigation, the fundamental issue was not that the tools lacked descriptions, but that those using them were not aware of the full scope of problems which needed solving.  Participants lacked a common, complete conceptual framework in which to evaluate the tools.  This lack of a broad, structured, conceptual model made it difficult for them to assess or use other content.

These are only two examples of many.  This is a problem that occurs in almost every cyber security dialogue – even among cyber security SMEs. For this reason I believe that one of the primary values of the NIST Framework should be in providing that common view – not only of security practices, but also of how those practices fit together to reduce risk.  One might call it a “cyber security algorithm” where program, practice, and control domains are variables which must be used to solve for “assured risk reduction”.  In such a model, individual best practices and content elements can be tied to each “variable” and can be selected by industry.  This provides some assurance that they are all working coherently together.

Such a model could conceivably be broken down into six different layers of activities (national, sector, business, architecture, implementation, operation) broken into two dependent but different risk life cycles: Strategic (risks from cyber systems) and Operational (risks to cyber systems).

In this manner, the structure of the NIST framework could be used independently of the content to educate readers, assist them with communication, and be helpful as a tool to solve for specific cyber security outcomes.

Perspective 2: Non-Cyber Business Maturation and Foundations

In my experience, many organizations would have very successful cyber security practices, but their extra-cyber practices are not able to effectively use or support the good cyber-specific ones.  These extra-cyber practices include procurement, marketing, scheduling, business operations, development, testing, sales, database administration, communications, etc.  It is often said that “good security isn’t bolted on, it’s baked in”.  That is only partially correct.  Good security is good business – there is often little to distinguish the two.  Security usually fails long before anyone with “information security” in a title or department name is involved.  As such, I believe the NIST framework should focus more on identifying good business practices which lead to successful cyber security than on cyber-specific ones. It should also keep in mind that those most in need of the framework are the least likely to understand their own role in the cyber security problem domain.

Perspective 3: Quality Assurance & Human-Centric Cyber Security

As we have seen many times now – in the cases of some large and well known security breaches of organizations who were fully aware and invested in cyber security best practices – the problem we are facing is not just one of knowledge, but one of consistency of practice. It is relatively difficult, the way we do business today, to assure the application of best practice (whether through internal business incentive or government regulation) in a consistent manner.  The NIST framework should attempt to improve this consistency.

One aid in achieving that consistency is identifying where cyber security faults – which are really just errors made by a human in an authorized role somewhere on a timeline – are occurring and describing them in terms of human-role/authorized-action control pairs.

Examples could include: CEO/SuccessDefinition, Vendor/FeatureInclusion, Vendor/QualityAudit, ProcurementOfficer/ProductEval, Subcontractor/OrganizationBridging, ITManager/WorkPrioritization, etc.

Putting these pairs into a timeline or lifecycle model would allow us to describe desired cyber security state and control points in a manner that would: be valid through most possible iterations of technology, allow users of the framework to better identify which best practices were applicable when and to whom, reduce cost by placing controls as close to the fault source as possible, and help increase consistency by more effective and efficient control placement.

In closing, I believe that the NIST cyber security framework has the potential to be an extremely valuable tool, but that its success will depend on its framing and structure. It must speak to non-traditional cyber security audiences in their own voices and simplify otherwise high levels of detail in a way that enables significantly better dialogue than we as a community have been able to achieve so far.

Thank you for your time and efforts.

V/R,

Jack Whitsitt/Energysec

Over the past week, I’ve had a number of questions from industry, people at various cybersecurity conferences, friends, and…well…my job…asking me about my opinion on the executive order.  Here are some interpretations in the form of a FAQ.  It’s worth mentioning that, although I am familiar with the culture, language, and *some* small number of the actual background discussions here, I have no ownership nor formal role in most of it. Just some wacky alien putting some other wacky aliens’ behavior in terms more earth-like. If I use definitives like “is” or “will” please read an implied “my best educated guess” into them.

1. What is the Executive Order and why was it issued?

This is a two-pronged answer. First, obviously it was absolutely a political goad to congress to write legislation and to poke at the Republicans. However, more importantly, it is also potentially a very valuable order that was seriously thought through and that will be used.

Think of it like a mother (the White House) telling kids (DHS, SSAs) to “clean up the house”.  Based on existing house rules (overarching critical infrastructure directives/laws), she expects it will be done and goes off to handle other things. She comes back to find out that the kids swept once or twice then went on to Xbox, pushed stuff under the bed, or made more of a mess of the toy box trying to clean it than it was before.

Mom comes back and says “Ok, I left you to your own devices, here are the specific ways – again within the larger context of house rules – you are going to clean up.” In the case of cyber security, the White House has said: You – DHS and SSAs and everyone else – are going to remove barriers to information sharing, work with our customers (industry) to build some coherent approach to solving the problem to our satisfaction – some standard way of organizing the whole mess – and each of you (especially you SSAs!) is going to create explicit privacy and civil rights protections or else you fail.

2. What are the main thrusts of the Order?

1) Improve information sharing

2) Use business-function-driven risk analysis to determine priorities

3) Create a framework of standards for reducing risks from cyber security issues to critical infrastructure

4) Engage industry to the greatest extent possible, and assure privacy and civil liberties are embedded in the entire process.

Whether any of this will be successful or remain uncorrupted is a different question.

3. Could this in any way infringe on individual freedoms if misinterpreted?

The short answer is “not any more than before”. DHS messaging is that privacy and liberty assurance is one of the three primary focuses of the EO. The Executive Order relies on existing government privacy and civil liberties mechanisms and embeds them throughout the order. Whether or not you think those mechanisms were sufficient is one question, but the EO doesn’t make them worse or better.

4. What will the “Framework” described be?

Based on comments from NIST: The framework will include whatever will achieve effective cyber security: processes, technologies, architectures, concepts, specifications, etc.  It is intended to be layered and include broad principles, common practices, and sector-specific realities.

The role of NIST is to support the industry development of the framework.  The government will depend on the actions of the private sector after sharing, up front, performance goals. NIST is being engaged because it has experience gathering lots and lots of input, but this will NOT be a typical NIST thing.

The aim of the framework approach is to enhance adaptability, with cost and impact to economics of business being an integrated explicit part of the conversation.

Additional benefit is that, by increasing interoperability of requirements, concepts, expectations, etc, baseline security can be driven to market/products (my comment: which has been a vendor/industry complaint often voiced)

Moreover, a goal of the EO – both in the context of information sharing and the framework – is harmonization of efforts (this was repeated extensively and resonated with my experience in the dialogue) – particularly by the federal government (which, again, has been a substantial private industry complaint).

5. Standards? What is meant by standards? That sounds scary!

Not as much as you’d think. Based on comments from NIST: Generally, common basis of comparison…some are performance…but some are norms to promote collective collaborative action. These latter are developed by industry and what the EO is referring to. In other words, the Framework of Standards is meant less to be comparative and more to allow everyone and everything to be working together.  (Jack’s note: I’ve said for years there should be a Chinese menu of options selectable by environment and risk, this looks like it might be going down that path).

6. What are some simple things to know ahead of time that I might not already?

There are laws, mandates, and programs on the books now and have been for years.  This includes strategic planning, incident response, information sharing, and engagement. The sector-specific agencies’ (SSAs’) job is to take broad cybersecurity capabilities within DHS and apply them in sector (industry) specific ways.  All major players in industry have been actively engaged in the dialogue so far.  There have been certain cultural, process, political, perception, legal, and conceptual barriers to progress despite existing work and engagement.  The Executive Order attempts to rectify these barriers while keeping intact most of the fundamental structures already in place.

7. How does the new PPD relate to the Executive Order?

The PPD is an update/replacement to HSPD-7.  These documents are not cyber specific, but are the policy context by which most of the critical infrastructure protection activities the federal government engages in (including cyber security) are driven.  The old HSPD-7 and the National Infrastructure Protection Plan from DHS which supports it have been around for years, and understanding them is necessary to understand a lot of the intent behind the executive order.

8. What is an SSA, as defined by HSPD-7, the new PPD, and the NIPP?

SSAs (ref’d above) are the sector-specific agencies (Energy-DOE, Transportation-TSA, Chemical-DHS, etc.) who are the functional owners of engaging their segments of private industry in government cyber security efforts. The EO and the new PPD update their responsibilities from what they were under the old HSPD-7, but they’re similar.  For reference, a paraphrased overview of the old SSA responsibilities is to:

  • Use mechanisms like Critical Infrastructure Partnership Advisory Council (which allows gov/industry cooperation) to bring Sector Coordinating Councils (made up exclusively of non-lobbyist private industry) together with Government Coordinating Councils (Sector Specific Agency points of contact) to work together on planning the reduction of risk
  • Encourage organizations with information to share with those who need it and encourage development of information sharing programs and mechanisms
  • Promote education, training, and awareness within industry in coordination with other government and private sector partners
  • Identify, prioritize, coordinate federal Critical Infrastructure Protection activities in sector – ie, make sure the government is organized and doesn’t overburden the private sector
  • Apprise Congress of industry’s current status and progress in reducing risk, based on engagement and feedback from industry
  • Increase integration of cyber security efforts with other all hazards protection and response programs – in other words, since cyber attacks can have physical implications, make sure first responder type organizations are working with cyber ones
  • Develop and implement a sector risk management program (within the government) and framework, and use it to determine the risk priorities of the sector and coordinate (not require) risk assessment and management programs with industry. This means create a process by which, facilitated by government, industry can get together and figure out where it is and what its priorities are

9. How does CISPA relate to this?

An executive order cannot change already legislatively assigned federal responsibilities, so everything the EO directs occurs under existing mandates and laws.  Further, the EO addresses information sharing AND getting the government’s overall act together in cyber security.  CISPA, on the other hand, is aimed (for better or worse, this post isn’t for my opinions on it) at removing legal barriers to information sharing and addressing specifically problems associated with industry cybersecurity needing to intersect with the intelligence community.

10. What guarantee do we have of transparency in any of this?

Workshops kick off in April.  NIST has questions to industry on its website and will be reaching out further (more proactively than “on the website”) in the near future. If you read my earlier NIST post, you’ll see transparency and participation are core, not tangential, tenets here and are one of the things that will (or is intended to at least) distinguish this from past efforts. Further, if you have been on any of the DHS calls with industry, every single conversation revolves around getting more and better industry involvement. They are very serious about it.  Finally, in my own work with some of this (which is tangentially related), transparency and engagement have been priorities I’ve seen.

11. Indeed it’s written with the basis that Government will continue to be the determining data librarian for cyber threats.

Over and Over and Over industry tells gov “we need better threat info”.  Most of EO not dealing with the framework is written to that end – it primarily deals with pushing data TO the private sector because they have requested it. However, post-order messaging has (correctly) been: Look, we don’t have a classified pot of information at the end of the rainbow that’s going to save the day. Industry, you guys know about yourselves way more than we do – or you should.  If you don’t share, that’s fine, but we can’t help you unless you help us to do it.

I don’t like the disproportionate focus on Information Sharing. I think it’s a waste of time, but we collectively have created this stupid beast. It might be a red herring, but it’s our collective red herring. This deserves a longer treatment than a couple of sentences, so come see me talk about it at SOURCE Boston.

12. Why is the Cyber EO so obtuse? And while the PPD adds context – it’s clear that we require more (and more) clarity

Much of the obtuseness is because a) some is to be defined later by b) federal agencies who will get very clear direction from those in the WH charged with implementing the EO within the context of c) existing language on the books and in response to d) specific beefs from industry and dialogue failures in the past. What most people lack is the appropriate context from which to interpret it, since most people are not critical infrastructure owners and operators or feds who have been engaged in the discussion. Much of the insight I’m trying to provide here isn’t direct experience with the EO itself, but the cultural language which has developed in the civilian space on the topic of critical infrastructure protection over the past several years.  It’s not understood well outside of Washington, but those it is speaking to understand it.  This is a huge problem and one I’ll try to address in Boston.

13. Is this more of the government telling private sector they’re coming?

Gov’t is already there: HSPD-7, NIPP, SSA’s, CIPAC, CSCSWG, CNCI, NCCIC, foobar.   Regulatory capability already there: TSA, DOE(NERC CIP), etc. This EO speaks to and sorts out this *existing* stuff in one prong and tries to sort out information sharing barriers in another prong (barriers which, right or wrong – mostly wrong – industry has cited over and over and over as the reason their cyber sucks)

14. Why do we have any faith that Government has the agility and consistency to get it right this time?

We don’t. But, the way the framework components are laid out, we have an interesting opportunity to force it to work by the order’s focus on creating real consensus business-driven requirements. In particular, I believe cyber security is a quality assurance problem over unbounded time driven from business priorities and is almost 100% a human-centric problem.  There might be space here for that conceptual shift to occur.  More on that later, possibly in Boston.

15. Should the Cyber EO have been so broad? Look at the “Designated Critical Infrastructure Sectors and Sector-Specific Agencies” list in the PPD.

Don’t forget that the PPD is based on years old definitions and, more importantly, is an all-hazards list primarily focused on physical attacks. In large enough scale, most things are critical in the terms of the broader discussion.

The trick is, for cyber, determining what within those spaces is critical. It’s a different functional discussion – as this is all laid out – than which sectors are critical. That’s handled in a process – a version of which I’ve been facilitating at a sector level for the past year – that is designed to base decisions on business driven threat scenarios.  It’s not perfect, but it’s a huge improvement from past methodologies.

16. If and only if (IFF) the Cyber EO was really meant to get action to answer these questions – then it should not have been issued so broadly, so politically charged, and otherwise tied to SOTU the way it was.

Agree. It’s over-politicized – but that gets into questions of its effectiveness and clarity in the current political and cultural environment, and that’s out of scope here.

17. Why not leverage the bodies of work existing up-front?

Because the process of engagement in finding and applying those existing bodies of work is the key element of this part of the EO, not the outcomes themselves. It’s an attempt to build in continuous flexibility and applicability in changing environments and compared to differing and dynamic priorities.  Think “it’s not the destination but the journey” here and add on “and the requirement to iterate through multiple journeys as a lifestyle”. The mechanism NIST and the collective government build to continuously engage industry in the development and adaptation of the framework is where our real opportunities to make this valuable come in – but we need to work together coherently. More on this in Boston.

Also see this document from NIST: http://www.nist.gov/itl/cyberframework.cfm

18. What makes this a compelling DHS issue instead of economic development, science, or other component of Government?

Because the EO can only really address already existing legislatively assigned authorities. This EO is a goad for further legislation, and that might change the agency assigned responsibilities. That said, I actually agree this should be a DHS issue – no other agency has the type of broader mission required to effectively coordinate cybersecurity in the broad terms it requires – NSA would be one of the worst choices, since their core mandates are, in many cases, only of use in terms of focused support.  Think correlation with physical and geographically dispersed response and coordination.  The FBI, similarly, would be a terrible choice since their mandate is “prosecute and convict”.

19. What about regulation of industry?

There are a number of agencies who *already have* regulatory authority over private sector critical cyber infrastructure – some have used it, some haven’t. The EO asks that they use the new processes in the EO to reevaluate whether they should regulate, and how, if they don’t now, and to reevaluate the effectiveness of any regulation if it’s already in place. Every two years, the government is required to check with industry to make sure any regulation is a) effective and b) not too burdensome.  In my opinion (based on work with some of the processes which will be used), this is much less likely to result in additional regulation than is suspected. (This is because the processes attempt to be more empirical and data-informed than the more speculative and subjective attempts in the past.)

20. Why haven’t I heard about any of this and why does it not resonate with me?

So much of this has been driven by lobbyists and industry associations….unfortunate in many cases…but almost impossible to get substantive input from more fair representation.  The reasoning behind this is something I’ll cover in Boston and it’s something we need to culturally change together – and we can.

(My FAQ is HERE and might be more interesting for most people.  It’s based on questions and conversations I’ve had at Suits & Spooks, Shmoocon, and from industry the past weeks. You can also come see me talk at SOURCE Boston ;) )

Section-by-Section translation of the EO based on my own interpretation; designed to get through all of the heavy government language to the spirit of what each section is attempting to convey. Some of this might be wrong, but I think I’ve hit the substance. Will refine over time:

Important to remember: EO can’t change existing law and responsibilities

Sec. 1-3

Fluff

Sec. 4.  Cybersecurity Information Sharing.

a) The US Government will pass more (unclassified) information than they already are, and from more sources, to the private sector faster so that they (industry) can better protect themselves.

b) More about the rapid dissemination of these reports, but now mentions the ability to disseminate limited classified reports

c) The government will enhance a new program (previously announced) to provide classified threat and technical information to qualified critical infrastructure companies (including commercial service providers who work with critical infrastructure)

d) The intel community will speed up processing of security clearances for private sector companies with critical infrastructure

e) Since actually becoming a fed is hard, and because not everyone wants to, there are initiatives going on – and which the EO directs to be hurried/expanded – to allow private citizen subject matter experts to come under temporary service

Sec. 5.  Privacy and Civil Liberties Protections.

a) Agencies already have privacy/civil liberty offices and procedures in place. They must make sure any action they take in regard to the EO is done using those offices and procedures.

b) DHS must formally verify on a recurring basis that 5a) is indeed happening

c) When DHS reports on this, it will consult with OMB (to provide another layer of oversight)

d) Private entity information will be protected by the most protective interpretation of the law

Sec. 6.  Consultative Process 

The government will engage with private sector stakeholders on all aspects of the EO and will utilize mechanisms that already exist and are currently being used to collaborate with industry on cyber security and critical infrastructure – particularly those outlined in HSPD-7 and DHS’s National Infrastructure Protection Plan

 Sec. 7.  Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.

a) NIST will lead the development of a framework to reduce cyber risks to critical infrastructure. The framework speaks to the process of reducing risk and is intended to make sure business, policy, and technical efforts are aligned and working together. It will incorporate existing standards and best practices as much as possible (clarification: NIST has said that they mean interoperability/common-frame-of-reference standards, not performance- or measurability-focused standards; i.e., the intent of the standards is to help everyone work together).

b) The framework is *process focused* and intended to deal with the fact that this is the real world; its goal is to work collectively to figure out the best ways to reduce risk – the process is the focus, not the results. “The journey is the destination.” The framework will include ways to measure how well organizations are participating in the process.

c) The framework will explicitly include ways to protect business interests and civil liberties.

d1) This process will be as inclusive as possible: the government is required to show up to the table and to engage industry as much as industry is willing to participate.

d2) The government will provide outcome goals for the framework based on the criticality determinations made in Section 9 (the intricacies of this are a bit out of scope for this review; suffice it to say that existing work and existing processes will most likely be used to fulfill this requirement). This is assigned to the heads of the relevant agencies, which makes it a performance criterion for those individuals, which means it will get done.

e) A preliminary version of the framework is due within 240 days, the final version within a year.

f) The process of engagement and validity of approaches will be reviewed regularly for appropriateness in addressing cyber security

Sec. 8.  Voluntary Critical Infrastructure Cybersecurity Program.

a) There will be a program (outreach & engagement?) to encourage private sector adopting the framework process

b) The agencies already on the hook for industry engagement for critical infrastructure (sector specific agencies – SSAs – under HSPD-7 and the National Infrastructure Protection Plan – NIPP) will use their existing mechanisms (like CIPAC) to reach out to industry on a sector by sector basis and address sector specific risks and concerns

c) The Sector-Specific Agencies will let the President know annually how this is all going – is industry participating or not?

d) The government will try to create additional incentives for industry to participate.

e) The government will try to figure out how – or whether it even makes sense – to adjust its procurement and contracting to use or fit in with the framework.

Sec. 9.  Identification of Critical Infrastructure at Greatest Risk.

a) Within 150 days, DHS will determine, based on potential national consequences from a cyber attack, what infrastructure is critical.  This speaks to a consultative process (as described in section 6) that the government will use to identify what the framework and the rest of the Order is aimed at. I’ve been working within one industry for some time using a version of the process that will be used here. The process uses business-function driven risk analysis to determine priorities: Critical Functions->Value Chain->Supporting Cyber Infrastructure->Program level vulnerabilities->Scenarios to be protected against. Ish.

b) The Sector-Specific Agencies will, in line with their existing role, provide DHS with enough information to make these determinations. The EO assigns this to the heads of the Sector-Specific Agencies in particular, so it is a performance criterion for them. This tends to mean it will get done.

c) Owners and operators of critical infrastructure will be confidentially notified of their status as critical infrastructure and there will be a mechanism for them to ask to be reconsidered

Sec. 10. Adoption of Framework (Read: Potential Regulation)

a) Agencies who can currently regulate will look at any new information provided by the preliminary framework and determine if the way they are currently handling regulation is sufficient based on framework identified risks (my note here: TSA has, in the past, declined to regulate because industry was actively participating already. This directive does not make future regulation a given).

b) If current regulation isn’t sufficient, regulatory agencies will propose actions.

c) Within two years, agencies will work with owners and operators to determine whether any new regulation is ineffective or excessively burdensome and will make recommendations for relief/changes.

d) DHS will help out any agencies who don’t have the technical cyber qualifications to do this effectively

e) Regulatory agencies that aren’t Sector-Specific Agencies should consult with everyone and get on board, too.

Sec. 11. Definitions (Speaks for itself. Read these without translation)

(a) “Agency” means any authority of the United States that is an “agency” under 44 U.S.C. 3502(1), other than those considered to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).

(b) “Critical Infrastructure Partnership Advisory Council” means the council established by DHS under 6 U.S.C. 451 to facilitate effective interaction and coordination of critical infrastructure protection activities among the Federal Government; the private sector; and State, local, territorial, and tribal governments.

(c) “Fair Information Practice Principles” means the eight principles set forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace.

(d) “Independent regulatory agency” has the meaning given the term in 44 U.S.C. 3502(5).

(e) “Sector Coordinating Council” means a private sector coordinating council composed of representatives of owners and operators within a particular sector of critical infrastructure established by the National Infrastructure Protection Plan or any successor.

(f) “Sector-Specific Agency” has the meaning given the term in Presidential Policy Directive-21 of February 12, 2013 (Critical Infrastructure Security and Resilience), or any successor.

UPDATE: I am much happier with how the EO framework is going to play out based on subsequent messaging by NIST and DHS. What I said below is still accurate conceptually; the EO is just more of a plus in these terms than the minus I thought.

(CAVEAT: I wrote this in about 10 minutes. Please understand if it’s incomplete or poorly worded.)

So, the Executive Order (full text HERE) looks like it is more focused on an asset-based risk perspective than a functions- and business-centric one – particularly in the definition and use of the upcoming NIST framework and the determination of criticality. I might be wrong, and a lot hinges on what the NIST framework ends up looking like, but the language as it sits now has me….watchful. Some thoughts on why an asset-centric approach is problematic:

1. Attackers use different paths to achieve different real-world objectives (things blown up, data stolen, etc.).

2. Asset criticality therefore changes according to the path the attacker takes, which objectives are chosen, and which defenses are in place. In other words, asset criticality is dynamic.

3. Assets can be protected to a very high level without any assurance whatsoever that attacks will not still cause the undesired consequences.

4. Function- and business-objective-centric protection approaches (such as DHS’s CARMA), linked to capability domain frameworks (such as the ES-C2M2) and tied into technical assessments (such as DHS’s CSET), ensure that protection programs and measures work together to reduce actual dynamic tactical and strategic risks, and reduce the risk of ineffective controls that are inappropriately targeted and configured.

5. Asset-centric approaches create static defenses which attackers can work around, while function- and business-consequence-focused approaches actively address the reality of how attacks occur, where controls should be placed, and to what level they must be configured.

6. Function-based approaches also create a more lexically coherent framework that ensures all stakeholders are having the same conversation. Asset-based approaches, though, speak to fixed points where each stakeholder may have a different perspective on the goals of any controls.

7. Function- and business-consequence-driven frameworks can also be used more effectively to determine the success or failure of cybersecurity efforts and to provide more realistic and usable metrics and goals.
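The chain in Section 9(a) (critical functions -> value chain -> supporting cyber infrastructure -> vulnerabilities -> scenarios) and points 1 to 5 above both come down to one claim: an asset's criticality is a property of which consequence-bearing attack paths run through it, so it changes as controls change those paths. The following is an added illustration, not code from this post, DHS, NIST, or any of the named frameworks. It uses a constructed toy model (two business functions with made-up consequence scores, a handful of attack scenarios written as asset paths, and the simplifying assumption that hardening an asset fully blocks every path through it) to contrast hardening the top asset from a static ranking against hardening the asset that most reduces residual consequence, and then recomputes criticality once the control is in place.

```python
from collections import defaultdict

# Constructed sample data for illustration only; not from the post or any real sector.
# Critical business functions and the consequence score (0-10) of losing each.
FUNCTIONS = {"deliver_power": 10, "bill_customers": 4}

# Attack scenarios: (function targeted, ordered assets the attacker must traverse).
SCENARIOS = [
    ("deliver_power", ["vpn_gateway", "eng_workstation", "scada_hmi"]),
    ("deliver_power", ["vendor_laptop", "scada_hmi"]),
    ("bill_customers", ["vpn_gateway", "billing_db"]),
]


def feasible(path, hardened):
    """A scenario stays feasible unless at least one asset on its path is hardened.
    Simplifying assumption: a hardened asset fully stops that step of the attack."""
    return not any(asset in hardened for asset in path)


def residual_risk(scenarios, functions, hardened):
    """Per function: worst consequence still reachable via some feasible scenario."""
    risk = {f: 0 for f in functions}
    for func, path in scenarios:
        if feasible(path, hardened):
            risk[func] = max(risk[func], functions[func])
    return risk


def asset_criticality(scenarios, functions, hardened=frozenset()):
    """Per asset: worst consequence of any still-feasible scenario passing through it.
    This is why criticality is dynamic: it moves as controls change which paths exist."""
    crit = defaultdict(int)
    for func, path in scenarios:
        if feasible(path, hardened):
            for asset in path:
                crit[asset] = max(crit[asset], functions[func])
    for _, path in scenarios:          # assets left only on blocked paths score 0
        for asset in path:
            crit.setdefault(asset, 0)
    return dict(crit)


def asset_centric_plan(scenarios, functions, budget):
    """Rank assets once by static criticality and harden the top `budget` (ties by name)."""
    crit = asset_criticality(scenarios, functions)
    ranked = sorted(crit, key=lambda a: (-crit[a], a))
    return frozenset(ranked[:budget])


def consequence_centric_plan(scenarios, functions, budget):
    """Greedy: at each step harden the asset that most reduces total residual consequence."""
    hardened = set()
    assets = {a for _, p in scenarios for a in p}
    for _ in range(budget):
        current = sum(residual_risk(scenarios, functions, hardened).values())
        best, best_gain = None, 0
        for a in sorted(assets - hardened):
            after = sum(residual_risk(scenarios, functions, hardened | {a}).values())
            if current - after > best_gain:
                best, best_gain = a, current - after
        if best is None:               # nothing left that reduces consequence
            break
        hardened.add(best)
    return frozenset(hardened)


if __name__ == "__main__":
    for name, plan in [("asset-centric", asset_centric_plan(SCENARIOS, FUNCTIONS, 1)),
                       ("consequence-centric", consequence_centric_plan(SCENARIOS, FUNCTIONS, 1))]:
        print(name, "hardens", sorted(plan),
              "-> residual", residual_risk(SCENARIOS, FUNCTIONS, plan))
    print("criticality after hardening scada_hmi:",
          asset_criticality(SCENARIOS, FUNCTIONS, {"scada_hmi"}))
```

With a budget of one control, the asset-centric plan hardens eng_workstation (top of an all-tied static ranking) and deliver_power remains fully exposed via the vendor_laptop path, which is point 3 in miniature. The consequence-centric plan hardens scada_hmi, the choke point both power scenarios share, and afterwards vpn_gateway's criticality drops from 10 to 4 because only the billing path still runs through it. The model is deliberately crude (binary controls, no likelihood, no partial mitigation); the point is that criticality falls out of paths and consequences rather than out of the asset in isolation.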

