NATO adopts of a new cyber defense policy
NATO is reinforcing cybersecurity for its entire communications and information systems architecture and on all of its networks, including unclassified, restricted and secret networks. The project will be implemented in several phases and is speeding toward completion by the end of 2012, a challenging deadline that NATO officials say they are determined to meet.
Unusually, the NATO Computer Incident Response Capability Full Operational Capability (NCIRC FOC) project has been given a specific deadline—the end of next year—for completion. “It is the only project that has a physical date as a deadline. I could have wished it different, but this is life. And we will deliver,” promises Brian Christiansen, chief of the NATO Consultation, Command and Control Agency (NC3A) cyber defense team.
The project is designed to upgrade NATO’s cyber defenses significantly to meet current, emerging and anticipated threats, but the project title may not be entirely accurate. “The term ‘full operational capability’ is perhaps a misnomer—cyberthreats are constantly evolving, and we will never have a final or full capability,” says Georges D’hollander, NC3A general manager. “The NCIRC FOC project will, however, significantly boost our capability to face the evolving threat.”
The effort will be implemented in several increments and will include an upgraded capability to identify, trap and analyze malware and cyberattacks launched against alliance systems; advanced sensors to provide improved early detection of threats against NATO networks; a consolidated information assurance picture that will give operators an overview of the situation across NATO networks, including a dynamic risk assessment; and an upgraded and advanced threat assessment capability.
The first increment will include a technology upgrade for the NCIRC Technical Centre in Belgium. Additionally, it will include a decision support system, which will help make sense of the large amounts of data flowing through the network and will support incident handling. The first increment also will include a reference system, which will allow the technical center personnel to test new defense software or to study malicious software.
The second increment will add an array of sensors for network situational awareness, including intrusion prevention systems, full packet capture and network forensic tools. The NC3A does not expect to install sensors on every server, but it is instead developing a methodology to place sensors intelligently in the network, covering as much of the network as possible, Christiansen explains.
One challenge to installing the cyber situational awareness sensors, however, is handling the resulting uptick in network activity. “What we’re doing in 2012 is putting a lot of sensors on the network, and that means we will get a lot of traffic from sensors reporting back to the technical center,” Christiansen explains. “Therefore, we are also looking at capabilities whereby we can aggregate and filter the traffic in the various sites so that we minimize the traffic to the [greatest] extent possible.”
The third increment will be the final decision support system, which will provide a consolidated information assurance picture or data model. This model will ensure information goes only to those who need it, when they need it, rather than flooding users with unnecessary data. In addition, operators can tailor the information and how it is presented. “We have different ways of consuming information. Some people would like to see scrolling lists of information. Others would just like to have a graphical presentation. Others might want something in between,” Christiansen elaborates.
The model for the consolidated information assurance picture already is being used in the combat zone. “As a starting point, we will use what is already in Afghanistan. For the Afghan Mission Network, we have not a prototype, but a first implementation of a consolidated information assurance picture. It is very raw, very limited, and it will be used as a starting point for whomever wins the contract,” Christiansen reveals.
The NCIRC FOC also will include a dynamic risk assessment, which will evaluate any significant modification to the network to limit unintended consequences. Altering one part of the network could affect other segments inadvertently. That means risks either can go up or down because of changes, requiring potential variances to be carefully assessed beforehand.
The NC3A recently completed a requirements document for a fourth increment, which includes a threat assessment capability for the NATO Security Challenges Division at NATO headquarters in Brussels. A fifth increment will build a duplicate technical center to be on standby, ready for use should anything go wrong at the original center.
Christiansen stresses that the beefed-up cybersecurity effort includes no offensive measures, and it is intended only to defend against attacks. NATO, he says, is very specific about what constitutes an attack: the action has to be attributable with provably malicious intent. Defensive measures can include an active defense in which intruders are attacked while inside NATO networks but not outside of NATO’s network boundaries. “NATO is a defense organization. We’re defending the territory. We’re defending our networks,” he says.
If all goes well, the NC3A intends to award a contract at the end of this year. “We expect that whoever wins the contract will have 12 months to get everything implemented. It will be very ambitious. We count on industry,” Christiansen says. The contract is valued at approximately €45 million (nearly $65 million).
In June, NATO announced the adoption of a new cyber defense policy. The current direction promotes a coordinated approach to cyber defense across the alliance with a focus on preventing cyberthreats and building resilience. It also brings all NATO structures under centralized protection and applies new defense requirements.
The NC3A has kicked off another NCIRC-related effort, the Multinational Cyber Defence Capability Development Initiative, aimed at jointly developing and possibly jointly procuring national cyber defense capabilities. “The ultimate goal is to create capabilities in the nations that are interoperable from the beginning. They’re born interoperable,” Christiansen reports, adding that cybersecurity systems tend to be developed and procured with no thought given to the need for interoperability. “Very often you think there is no need for interoperability, and then one year, two years, five years down the road, we have been asked to develop bolt-on interoperability, and that is costing the nations big money,” he adds.
The interoperability effort does not require the nations to cooperate on cyber operations. But if they decide to do so, their systems will be designed to work together. “There may be a time when they need to cooperate, and that is not the time to find out that they’re not interoperable with their neighbors. That is too late.”
The initial February meeting involved 22 interested nations, which have been asked to provide a statement of intent if they want to join the effort. This fall, NATO will call a second meeting to discuss areas of interest and to search for common ground. “It is not something that will run as a committee. It is a coalition of the willing,” Christiansen asserts.
The NC3A’s role is as a facilitator rather than leader, but in February the agency did provide a capabilities framework document to start the effort. “There are few, if any, frameworks out there among the nations, so that means whenever we discuss cyber defense, we may use different words, we may use different concepts, we may use completely different values for what we’re trying to protect. What we’re trying to do with this framework document is describe how we see cyber defense developing—not in broad terms—but in very detailed, functional terms,” he adds.
The agency expects the nations to provide some feedback on the document before moving forward, but not all nations have to agree on the final product, Christiansen reports. “It does not have to be approved by all 28 nations. That’s not what we’re looking for. But if the majority of the nations agree on the framework, then we know how to push forward in developing the capabilities. And if nothing else, it will create a common terminology. If you’re negotiating with industry, it’s very important that we’re talking about the same thing.”
Over the years, a culture clash has developed in the arena of interoperability between those with a passion for sharing data and those equally passionate about protecting it. This poses a challenge for the agency’s interoperability effort. “We’re trying to convince the nations that there are two levels of information. There is the level where speed is of the essence, where you have to get it out to your peers as soon as possible. Then, there’s the information where confidentiality is of the essence,” Christiansen says, citing cyber forensics information as an example of the latter. “We all know the higher the security, the lower the interoperability. It takes a long time for highly classified information to cross lines of demarcation.”
NC3A: www.nc3a.nato.int/Pages/default.aspx
NCIRC Technical Centre: www.ncirc.nato.int/
By George I. Seffers, SIGNAL Magazine