UPDATE: I am much happier with how the EO Framework is going to play out based on subsequent messaging by NIST and DHS. (What I said below is still accurate conceptually, just the EO is more ++ in these terms than the -- I thought.)
(CAVEAT: I wrote this in about 10 minutes. Please understand if it's not complete or is poorly worded.)
So, the Executive Order (full text HERE) looks like it is more focused on an asset-based risk perspective than a functions- and business-centric one, particularly in the definition and use of the upcoming NIST framework and the determination of criticality. I might be wrong, and a lot hinges on what the NIST framework ends up looking like, but the language as it sits now has me... watchful. Some thoughts on why an asset-centric approach is problematic:
1. Attackers use different paths to achieve different real-world objectives (things blown up, data stolen, etc.).
2. Asset criticality therefore changes according to the path the attacker takes, which objectives are chosen, and which defenses are in place. In other words, asset criticality is dynamic.
3. Assets can be protected to a very high level without any assurance whatsoever that attacks will not still cause undesired consequences.
4. Functions- and business-objective-centric protection approaches (such as DHS's CARMA), linked to capability domain frameworks (such as the ES-C2M2) and tied into technical assessments (such as DHS's CSET), assure that protection programs and measures work together to reduce actual, dynamic tactical and strategic risks, and reduce the risk of ineffective controls that are inappropriately targeted and configured.
5. Asset-centric approaches create static defenses which attackers can work around, while functions- and business-consequence-focused approaches actively address the reality of how attacks occur, where controls should be placed, and to what level they must be configured.
6. Functions-based approaches also create a more lexically coherent framework that assures all stakeholders are having the same conversation. Asset-based approaches, though, speak to fixed points where each stakeholder may have a different perspective on the goals of any given control.
7. Functions- and business-consequence-driven frameworks can also be more effectively used to determine the success or failure of cybersecurity efforts, and provide more realistic and usable metrics and goals.
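To make points 2, 3 and 5 concrete, here is an added worked example (my own illustration, not part of the original post or of any DHS/NIST framework). It models asset criticality as a property of the attacker paths from an entry point to a business consequence, rather than as a fixed property of the asset. The network topology, the consequence labels and the impact scores are all constructed for the example; the two "controls" are modelled simply as removed paths.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed sample topology (hypothetical, not from the post): each key is an
# asset, each value the assets an attacker who controls it could move to next.
EDGES: Dict[str, List[str]] = {
    "internet": ["vpn", "webmail"],
    "vpn": ["eng_ws"],
    "webmail": ["eng_ws", "finance_ws"],
    "eng_ws": ["historian"],
    "finance_ws": ["erp"],
    "historian": ["plc"],
    "erp": [],
    "plc": [],
}

# Constructed business consequences: the asset whose compromise realises the
# consequence, a label, and an impact score assigned by the business owner.
CONSEQUENCES: Dict[str, Tuple[str, int]] = {
    "plc": ("process upset", 100),
    "erp": ("financial data theft", 40),
}


def reachable(graph: Dict[str, List[str]], start: str) -> Set[str]:
    """Return every asset reachable from ``start`` (inclusive) by BFS."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def criticality(graph, consequences, entry: str) -> Dict[str, int]:
    """Consequence-driven criticality: for each asset, the worst consequence an
    attacker could still reach by passing through it from ``entry``.
    Assets that lie on no entry-to-consequence path score 0."""
    scores = {asset: 0 for asset in graph}
    for asset in reachable(graph, entry):
        downstream = reachable(graph, asset)
        impacts = [consequences[c][1] for c in downstream if c in consequences]
        scores[asset] = max(impacts, default=0)
    return scores


def residual_consequences(graph, consequences, entry: str) -> Dict[str, int]:
    """Consequences still reachable from ``entry``: the functions/business view
    of residual risk, independent of how many assets were hardened."""
    hit = reachable(graph, entry)
    return {label: impact
            for asset, (label, impact) in consequences.items() if asset in hit}


def apply_control(graph, blocked: Set[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return a copy of ``graph`` with the given (src, dst) paths removed,
    modelling a control such as a firewall rule or network segmentation."""
    return {src: [dst for dst in dsts if (src, dst) not in blocked]
            for src, dsts in graph.items()}


if __name__ == "__main__":
    print("baseline criticality:", criticality(EDGES, CONSEQUENCES, "internet"))
    # Control 1 (point 3): harden one prominent asset, the VPN. Both
    # consequences remain reachable via webmail, so residual risk is unchanged.
    vpn_hardened = apply_control(EDGES, {("internet", "vpn")})
    print("residual after hardening vpn:",
          residual_consequences(vpn_hardened, CONSEQUENCES, "internet"))
    # Control 2 (points 2 and 5): segment the historian from the PLC. The
    # criticality of every asset on that path drops, not just the PLC's.
    segmented = apply_control(EDGES, {("historian", "plc")})
    print("criticality after segmentation:",
          criticality(segmented, CONSEQUENCES, "internet"))
```

In the baseline run the historian, engineering workstation, VPN and webmail all score 100 because each sits on a path to the process-upset consequence. Removing the historian-to-PLC path drops them to 0 or 40, while hardening only the VPN leaves both consequences reachable: the asset got "more secure" but the business outcome did not change, which is the gap an asset-only view hides.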