NATO Confronts Cyberthreats

British forces use a laptop to keep track of personnel and logistics. NATO is developing teams of cybersecurity experts that can deploy to the field on a moment’s notice to respond to cyberattacks.

National borders are no barriers to adversaries of the world’s oldest geopolitical alliance.

Cybermarauders are taking aim at NATO systems both within the alliance and through member nations as experts strive to stay a step ahead of adversaries. The alliance must deal with different security standards along with diverse levels of information system sophistication among member nations.

The cyberthreat is not particularly different in Europe and throughout NATO than it is in North America. Targets are similar, and cybermarauders need not draw any geographical distinction for their operations. Bernard Roussely, chief, information assurance and service control team, NATO Consultation, Command and Control Agency (NC3A), reports that his group sees the same trends observed by other institutions, and attackers are employing the same tactics and tools in both geographic realms.

Roussely reports that NC3A recently has seen threats targeting its systems and its people. This is a new trend that also is appearing elsewhere, he reports. Cybermarauders are targeting their attacks in a much better way, he says, as they aim for targets that have some value to them.

In its targeting of people, these cybermarauders are employing a form of spear phishing. Roussely alleges that they are impersonating people with whom the NC3A does business to gain access or information. This requires NC3A personnel to maintain awareness of their contacts and be aware of potential identity spoofing.

The growth of vulnerabilities discovered in systems and products bodes ill for the future, Roussely offers. Vulnerabilities are everywhere, he says, adding that every application that runs on a computer is likely to bring unprecedented vulnerabilities. The number of incidents is growing, and the motivations of attackers are becoming stronger. And, motivation determines the level of the threat.

“If there is a perceived value in attacking systems to provoke denial of service, to steal information or to damage a reputation, then a group or some people will try to do so,” Roussely declares.

The challenge for the NC3A is different from that facing other nations by nature of the alliance’s organization. With more than two dozen member nations, the alliance must take into account different levels, types and sophistication of network security. Any one of those nations could be the access point for an intrusion or even a cyberattack on some NATO network assets.

Information security in these nations by and large has different maturity levels. This is complicated by the varied materiel that nations possess—aircraft and ships, for example. NATO works with those nations to interface with them on security efforts.

As with communications and networking among NATO’s 28 nations, interoperability is an issue in cyberdefense. Its component in cyberdefense encompasses items such as protocols, procedures and formats, for example. “When you share data, you have to talk the same language—not a spoken language, but an [information technology] language that can be understood,” Roussely says. This may come down to something as simple as nomenclature for viruses, where commonality of terms is essential for personnel in different nations to grasp what each is working on.

Member nations run their own cybersecurity, but NATO organizations such as commands and agencies have their own systems that are secured by their host groups. Member nations contribute funding to these organizations’ security through an established mechanism.

NATO’s Cyber Defence Management Authority, established in 2008, emerged from the alliance’s cyberdefense policy that came in the wake of coordinated cyberattacks on Estonia the previous year. It has empowered NATO to establish links with national cybersecurity organizations.

U.S. and German military personnel monitor NATO computer networks. The Atlantic alliance is stepping up its cybersecurity activities in the wake of increasingly numerous and sophisticated threats from diverse adversaries.

The NATO Computer Incident Response Capability (NCIRC) focuses on detecting and responding to incidents as they happen. The NCIRC comprises several tiers to enable personnel to manage cyberevents, and it has direct relationships with its equivalents among individual member nations.

Expanding the NCIRC’s scope and coverage is the top priority for information assurance, Roussely declares. The NCIRC has been deployed in an initial setting, and the alliance’s main effort is to ensure that it covers as many systems as possible.

The NCIRC also must add more services than originally included. Roussely explains that the NCIRC was created with the services that were believed to be necessary at the time of its founding, but subsequent threat developments have pointed out the need for additional capabilities. “The threat is evolving, and we have to make sure that we don’t leave servers or nodes unattended from a cyberdefense standpoint,” he emphasizes.

Some of these new services will entail technical features that will improve ongoing activities, particularly in the areas of flexibility and responsiveness. Existing capabilities such as incident handling will be enhanced. Roussely likens these improvements to enhancing an automobile engine to increase its performance and mileage, as opposed to replacing it with a new block.

But one key new capability will be a response team that can go into the field and provide support to member or partner nations. This team would respond to requests from these nations as needed, and NATO will formalize a policy and a set of tools to deploy and use on other sites.

As with most modern militaries, NATO has a large number of networks connected to the Internet. These are as exposed as other similar military systems, and the alliance employs the best practices available to protect them, Roussely offers. On the other hand, systems and networks that are not Internet-accessible—particularly classified systems—are not nearly as vulnerable. While this non-Internet characteristic does not mean these classified systems are invulnerable, it does sharpen their information security focus onto internal user practices and procedures.

NATO and its member nations rely in large part on commercial information system technologies, including software, for alliance and military operations. This includes commercial services such as telecommunications, which have their own security challenges.

NATO does not rely on commercial encryption to protect its networks, Roussely notes. The alliance uses its own encryption over leased communications infrastructure such as telecommunications pipes and satellites.

Service-level agreements help ensure a minimum level of availability for commercial systems. If the commercial provider comes under cyberattack, the service-level agreement guarantees a minimum level of service to NATO during that attack. “We make sure in the contract that the provider has the ability … to make sure that we will not suffer from an attack on their systems,” Roussely assures.

All commercial products adopted by NATO for sensitive uses have undergone an evaluation process. Crypto products in particular are subject to a specific policy applying to their procurement. A security accreditation process ensures that a certain level of protection is guaranteed by any system. No system is foolproof, Roussely allows, but NATO’s approach aims to raise the bar to a level sufficient for applications. “It’s a risk management approach,” he says.

And raising the bar is key to maintaining an effective level of security. This applies both to NATO and to commercial organizations and information technology providers. “The threat is likely to increase; and if we don’t raise the bar, then we’ll see a lot more incidents and a lot more damage,” Roussely warns.

NATO does work with major commercial information technology providers to build in security, Roussely says, but the alliance does not add requirements that are greater than those established by national authorities such as the U.S. Defense Department. National standards and accreditations usually are sufficient to serve as baselines for NATO. The alliance rarely goes beyond national guidelines for product suitability.

NATO reviews its security posture regularly with an eye toward staying ahead of cybermarauders. Citing the attacks on U.S. information systems in early summer, Roussely observes that many of these onslaughts were successful because some systems had not been patched properly. “If people do not maintain their security posture up to some level, they will have problems,” he states. “Attackers will get to them at some stage, and this is something that we have to take care of.

“We cannot install a system at whatever security level and just leave it in the hope that no one will do anything against the system,” he continues. “You have to come back to the system rapidly and check whether it is up to date in terms of patches, up to date in terms of configuration—up to speed in terms of security. The administrators and users also must be up to date with respect to the threat, best practices and training in case of an incident.”

Cyberdefense traditionally has not had a place in the political agenda, Roussely notes. However, the new generation of people moving into positions of responsibility understands information technology and the importance of its security. The establishment of the U.S. Cyber Command represents a change in the way information security is considered, and people are coming to realize how their everyday lives rely on information technology.

WEB RESOURCES
NATO C3 Agency: www.nc3a.nato.int/Pages/Home.aspx
NCIRC: www.ncirc.nato.int/index.htm