NATO Nations Embrace Collaboration Technologies, Seek Security Solutions

Tuesday, January 02, 2010
By Beverly Mowery

 

With a NATO focus, security experts from around the world gather in Brussels, Belgium, to explore the management of security and its technical and physical applications at TechNet International.

Security and information sharing have prominent and complementary roles in countering asynchronous warfare challenges, but many of today’s defense policies and military forces still are organized for World War II-type threats. NATO is looking ahead at the emerging challenges in light of a wider threat and is seeking a more collaborative environment in response.   

Within the European arena, governments often are protective, limiting competition and collaboration, and this hindrance needs to be addressed at the government level. “Simply buying what nations are used to providing will not help the cost and quality issues,” explained Adm. Sir Ian Forbes, RN (Ret.), KCB, CBE, former NATO Supreme Allied Commander, who addressed attendees at TechNet International in Brussels, Belgium, in October.

NATO is no longer the leading player in the emerging security landscape but is part of an international relationship. This collaborative environment requires that NATO and organizations such as the European Union and the United Nations make their relationship work practically, not just rhetorically or politically.

Emphasizing the theme of the conference, Adm. Forbes noted that the challenges in security are international, but the solutions are national. The security business is different from the defense business, he added. In defense, the lines of communication and structure are well known, and the supply lines are understood. In security, the market is indistinct; there is no requirement of training, and the face of the customer is elusive.

The cornerstone of NATO is its ability to provide a collective defense, including crisis management and conflict resolution. Intelligence to support the alliance is provided by the member nations, based on agreed requirements and requests for information. Information sharing within the alliance centers on “need to know.” Rules and means are needed to provide information without compromising national security; and because NATO cooperates with nonalliance countries, methods are needed that allow partners as well as others to share information, stated Brig. Gen. Norbert Stier, DEU, AR, deputy assistant director, intelligence division, International Military Staff, NATO Headquarters.

 

Col. Tina M. Harvey, USAF, director of communications, 3rd Air Force, Ramstein Air Base, Germany, discusses how provision of service can be guaranteed.

The NATO Communication and Information Systems Services Agency (NCSA) helps NATO provide communications and information systems support; therefore, the agency has a significant role in ensuring information flow while providing protection through information security and cyberdefense. Lt. Gen. Kurt Herrmann, GEAF, director, NCSA, explained that his organization handles 200 sites, 10 security levels, six major operations and 100,000 users, providing management, support, delivery and sustainment of information systems. Ensuring a free flow of information, not just technology, is essential, the general explained, detailing the importance of more information flow to facilitate more collaboration. Gen. Herrmann indicated that this focus is a fundamental economic shift. NCSA must stay ahead not only with advanced technology but also with proactive policies to provide the most cost-effective solution without stopping the flow of information. The general used a quote he credited to Dr. Gary Hinson comparing security to the brakes on a car: they slow the car down, but they also make going faster possible.

Even with good technology and well-established policies, a network still is vulnerable if users are not trained and responsive. If security is too cumbersome, users will find a way around it or will revert back to legacy systems with which they are more comfortable. In light of the growing cyberthreat, this is a great concern. “Technology can be as sexy as you want, but at the end of the day, the human element is what you cannot control,” Adm. Forbes acknowledged.

Kris Fitzgerald, the director for Dell’s Global Service for the Public Market, shared that in his experience, users will turn off security solutions that are complicated. “When things are overwhelming, we resort back to a place where we have comfort,” he said.

And security needs to be simplified: The number of attacks and breaches of networks is expanding at a dramatic rate. Between 2008 and 2009, cyberattacks increased 60 percent, and the amount of malicious code increased 265 percent in the same time frame, Brig. Gen. Murat Üçüncü, chief of the information systems division, Turkish General Staff, reported. Organizations must provide training to users and network administrators to help improve their awareness of security issues, he emphasized.

The perpetrators behind the attacks vary greatly, from “script kiddies”—who are “just playing around” to see what will happen—to cyber activists, organized crime or terrorist organizations, nation states and insider threats, Gen. Üçüncü elaborated.

According to a research paper presented by Matthijs van der Wel, manager, principal forensics, Europe, the Middle East and Africa, Verizon Business Solutions, in 2008 alone more than 285 million records were compromised—more than the previous four years combined. Organized crime was responsible for 91 percent of this activity. Of these intrusions, 99.6 percent were compromised from servers and applications; 74 percent resulted from external sources; and 32 percent implicated business partners. The breaches originated from hacking in 64 percent of the cases. The use of malware was reported in 38 percent of the breaches, and privilege misuse was involved in 22 percent of the crimes.

 

A data-breach investigations report published by Verizon Business is the source of a briefing by Matthijs van der Wel, manager, principal forensics, Europe, the Middle East and Africa, Verizon Business Solutions. He explains the various categories of threats and how they relate to data-record breaches.

The threat environment is expanding, William Schlichter, business development executive, Unisys, noted as he talked about the need for security innovation. Threats today are against people as well as against assets and technology. There is a commercial impact, he said, explaining that 90 percent of the world’s cargo moves by sea, and more than a third of that passes through dangerous waterways. And of course, he stressed, the military operational impact cannot be overlooked either. Modern warfighters now depend on automated processes. When commanders no longer can trust what is coming to them, they too will go around or overload the system. Warfighter capability could be degraded as a result, and this could lead to a lack of political support and trust.

Cyberthreat now is business driven, and the barriers to entry are low, stressed Dr. Adrian R. Hartman, senior manager and architect, Bell Labs, LGS Innovations. The threat is propagating from both nation states and nonstate enemies; and while there are plenty of perimeter security solutions, the perimeter increasingly is difficult to define. He recommended a holistic security approach, one that is part of a threat-tolerant network design built in through the life cycle. Design security into products from the beginning, he advised.

Inherent threat tolerance can be achieved through software diversity, Hartman continued. With all applications being identical, the construct code can be shuffled so that all installations are not vulnerable to the same attack function, he explained.

Kathy Nuckles, chief executive officer and president of Communications and Power Engineering Incorporated, agreed. If security is not intuitive, users will revolt, and “if there is a workaround, they will find it,” she related. One key to successful adoption of security is enforcement, she stressed.

Nuckles’ company has supported the U.S. Defense Message System for 14 years, and she explained the system will be shutting down within the next two years. The U.S. Defense Department is not providing a comprehensive replacement system and is leaving it to users to provide their own alternative. This is creating some panic, she said, warning that users may return to legacy systems.

She cautioned that industry cannot be expected to deliver a single consolidated capability, so the government needs to define the basic payload constructs, the security label toolset and the security token so industry will know the environment better.

“It is hard to come up with solutions unless you drop some old requirements. Until you define the mission and where you want to go, you cannot define the solution,” she elaborated. But from confusion there is opportunity, she added.

The challenge is how to increase knowledge for all by providing information access while protecting individual systems, Donald G. Neault, vice president, Advanced Services Global Government Solutions Group, Cisco Systems Incorporated, noted. Web 2.0 and other collaborative efforts are not just useful, they are essential, but in this dynamic business environment, new approaches to security are needed.

Throughout the first day of the event, many of the experts emphasized that the most significant security challenges being faced are human ones, not technology ones. Neault, however, believes that neither technology nor humans are the main problem. The problem, he said, is complexity. Technology integration is complex, so in a world of complexity, device, configuration, application and operational standards and fewer versions are needed. They will not eliminate complexity entirely, he suggested, but they will make it much easier to manage.

The event also featured a NATO technology showcase, which provided a glimpse of the work occurring at the NATO Consultation, Command and Control Agency’s (NC3A’s) technical laboratories in The Hague, the Netherlands, including a prototype of a cyberdefense and high-assurance Extensible Markup Language (XML) guard. Maj. Gen. Georges D’hollander, BEAR (Ret.), general manager, NC3A, gave the keynote speech on the second day of the event, and the conference wrapped up with a panel session addressing provision-of-service issues.

Photography by Norma Corrales

Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.