By year's end, NATO’s rapid reaction team of network defenders is expected to be operational. These cyber experts will be capable of deploying within 24 hours to any NATO nation undergoing crippling attacks on its information technology infrastructure or to the battlefield in support of warfighters.
The cyber rapid reaction team (RRT) will be made up of six experts supported by national or NATO personnel. The exact number of team members can be tailored to address each mission. They will be armed with all of the technology required to conduct the mission, including satellite telephones and technologies for cryptography, evidence collection, network forensics analysis and network security. The team can either deploy to hot spots around the world or offer remote support.
“Our mission is to ensure the availability and integrity of NATO’s own networks at any given time and to support a NATO nation if targeted at the critical infrastructure level. It is not to respond to small incidents or day-to-day attacks. When a nation is under cyber attack, and it is significant, the nation’s government will come to NATO through the ambassadors or through the ministries and will ask for NATO to send a team to assist their nation,” says Suleyman Anil, head of the Cyber Defence section in NATO’s Emerging Security Challenges Division. Requests for assistance from NATO nations will be considered by the Cyber Defence Management Board. Requests from non-NATO countries will require endorsement by the North Atlantic Treaty Council.
Anil reveals that the team is not resourced properly yet, but is on track and already able to deploy if necessary. “If we have a need for a NATO rapid reaction team, we will send a team today,” he says.
The RRT will support networks “across NATO, whether it is in Afghanistan or Brussels or in Norway, or in Turkey,” Anil says. “We work with the local information technology teams to find the holes in their systems and to plug holes and to respond to incidents. This is a big amount of effort primarily focusing toward prevention and deterrence.”
The cyberteam will work out of NATO’s Computer Incident Response Capability (NCIRC) facility, which alliance officials describe as the nerve center for NATO’s cyberdefense operations. As soon as a request for assistance comes in and is approved, the team will draw up an action plan and work to get systems back to normal operation quickly.
While any NATO nation can take advantage of the capability, Anil explains that it is designed primarily to assist those nations that are challenged to defend their own networks. He cites Estonia and Georgia, both of which suffered crippling cyber attacks in recent years.
The cyber attacks on those two countries propelled NATO to beef up its own cyberdefenses. It established a Cooperative Cyber Defence Center of Excellence in Tallinn, Estonia, in 2008. Estonia, Latvia, Lithuania, Germany, Hungary, Italy, Poland, Slovakia and Spain are sponsoring nations supporting the center.
The center has published reports on lessons learned from both attacks. Over three weeks in spring 2007, Estonia was hit by a series of cyber attacks. Web defacements carrying political messages targeted websites of political parties, and governmental and commercial organizations suffered from different forms of denial-of-service or distributed-denial-of-service attacks, according to one report. Among the targets were Estonian governmental agencies and services, schools, banks and Internet service providers, as well as media channels and private websites.
The Estonian government’s decision to move a Soviet memorial apparently triggered the attacks, as it also did street riots, violence against the Estonian ambassador in Moscow and indirect economic sanctions by Russia. By April 28, 2007, the cyber attacks against Estonia were officially recognized as a significant threat and more than just random criminal acts.
On August 7, 2008, following separatist provocations, Georgian forces launched a surprise attack against the separatist forces. The next day, Russia responded to Georgia’s act by conducting military operations in Georgian territory, which the Georgian authorities viewed as military aggression. Before the Russian invasion even began, however, cyber attacks already were being launched against a large number of Georgian governmental websites, making it among the first cases in which an international political and military conflict was preceded by a coordinated cyber offensive.
According to the NATO report on Georgia, Russian blogs, forums and websites spread a Microsoft Windows batch script that was designed to attack Georgian websites. The script was posted on several websites and also was hosted on one site as a compressed downloadable file that contained an executable “war.bat” file. The same method was used in the cyber attacks against Estonia, where a downloadable script to ping-flood Estonian websites was shared on various Russian language message boards, the report states. Instructions on how to ping-flood Georgian government websites also were distributed on Russian language websites and message boards, along with lists of vulnerable Georgian sites.
The report on Georgia describes the attacks on that country’s cyber infrastructure as being very similar to those launched against Estonia in its earlier dispute with Russia. During the Estonia attack, instructions on carrying out cyber attacks were spread almost exclusively on Russian language sites, regardless of whether those sites were located in Estonia, the Russian Federation or elsewhere, the report adds.
NATO and U.S. officials say the cyberthreat has grown significantly in size, scope and sophistication since the attacks on Estonia and Georgia. Some believe the attacks on those countries will become the model for future attacks. When NATO announced the creation of the RRT earlier this year, Alex Vandurme, head of the NCIRC engineering section, said, “The types of cyber attacks experienced by Estonia and Georgia will become the most frequent form of cyber attack in the future—a mixture of protest, or traditional war, and a cybernetic element.”
In February, NATO awarded a €58 million ($73 million) contract to establish the NCIRC, which is expected to be fully operational by the end of the year. NATO also is setting up a Cyber Threat Awareness Cell to enhance intelligence sharing and situational awareness.
NATO began formulating the RRT concept last year, and the team was created following the revision of the NATO cyberdefense policy. In June of last year, NATO defense ministers approved a revised NATO policy on cyberdefense. The RRT capability is a part of that action plan, Anil explains.
The revised policy offers a coordinated approach to cyberdefense across the alliance. It focuses on preventing cyber attacks and building resilience. All NATO structures will be brought under centralized protection, and new cyberdefense requirements will be applied. The policy clarifies the political and operational mechanisms of NATO’s response to cyber attacks and integrates cyberdefense into NATO’s defense planning process. It also sets out the framework for how NATO will assist allies, upon request, in their own network defense efforts. The intent is to optimize information sharing and situational awareness, collaboration and secure interoperability based on NATO standards. The policy additionally sets the principles for NATO’s cyberdefense cooperation with partner countries, international organizations, the private sector and academia.
The RRT’s procedures and possible actions are being outlined in a handbook. The manual establishes the guidelines for NATO’s response to its allies and partners who request assistance. “We are in the implementation phase, and we are establishing our procedures, how we work with the national experts and with the private sector, and there are all kinds of legal issues and clearance issues in doing that, so the coordination is challenging in many aspects,” Anil says. “There is also a concept of operations, which should be finalized soon. The handbook is ready to go into review as we speak, and that should be complete in a similar time frame.”
The RRT will be trained in NATO procedures and will be involved in the alliance’s Cyber Coalition exercise held each November.