NATO Confronts Cyberthreats

Cybermarauders are taking aim at NATO systems both within the alliance and through member nations as experts strive to stay a step ahead of adversaries. The alliance must deal with different security standards along with diverse levels of information system sophistication among member nations.

The cyberthreat is not particularly different in Europe and throughout NATO than it is in North America. Targets are similar, and cybermarauders need not draw any geographical distinction for their operations. Bernard Roussely, chief, information assurance and service control team, NATO Consultation, Command and Control Agency (NC3A), reports that his group sees the same trends observed by other institutions, and attackers are employing the same tactics and tools in both geographic realms.

The growth of vulnerabilities discovered in systems and products bodes ill for the future, Roussely offers. Vulnerabilities are everywhere, he says, adding that every application that runs on a computer is likely to bring unprecedented vulnerabilities. The number of incidents is growing, and the motivations of attackers are becoming stronger. And motivation determines the level of the threat.

The challenge for the NC3A is different from that facing other nations by nature of the alliance’s organization. With more than two dozen member nations, the alliance must take into account different levels, types and sophistication of network security. Any one of those nations could be the access point for an intrusion or even a cyberattack on some NATO network assets.

Information security in these nations by and large has different maturity levels. This is complicated by the varied materiel that nations possess—aircraft and ships, for example. NATO works with those nations to interface with them on security efforts.

Member nations run their own cybersecurity, but NATO organizations such as commands and agencies have their own systems that are secured by their host groups. Member nations contribute funding to these organizations’ security through an established mechanism.

NATO’s Cyber Defence Management Authority, established in 2008, emerged from the alliance’s cyberdefense policy that came in the wake of coordinated cyberattacks on Estonia the previous year. It has empowered NATO to establish links with national cybersecurity organizations.

The NATO Computer Incident Response Capability (NCIRC) focuses on detecting and responding to incidents as they happen. The NCIRC comprises several tiers to enable personnel to manage cyberevents, and it has direct relationships with its equivalents among individual member nations.

Expanding the NCIRC’s scope and coverage is the top priority for information assurance, Roussely declares. The NCIRC has been deployed in an initial setting, and the alliance’s main effort is to ensure that it covers as many systems as possible.

The NCIRC also must add more services than originally included. Some of these new services will entail technical features that will improve ongoing activities, particularly in the areas of flexibility and responsiveness. Existing capabilities such as incident handling will be enhanced.

But one key new capability will be a response team that can go into the field and provide support to member or partner nations. This team would respond to requests from these nations as needed, and NATO will formalize a policy and a set of tools to deploy and use on other sites.

NATO and its member nations rely in large part on commercial information system technologies, including software, for alliance and military operations. This includes commercial services such as telecommunications, which have their own security challenges.

NATO does not rely on commercial encryption to protect its networks, Roussely notes. The alliance uses its own encryption over leased communications infrastructure such as telecommunications pipes and satellites.

Service-level agreements help ensure a minimum level of availability for commercial systems. If the commercial provider comes under cyberattack, the service-level agreement guarantees a minimum level of service to NATO during that attack. “We make sure in the contract that the provider has the ability … to make sure that we will not suffer from an attack on their systems,” Roussely assures.

NATO does work with major commercial information technology providers to build in security, Roussely says, but the alliance does not add requirements that are greater than those established by national authorities such as the U.S. Defense Department. National standards and accreditations usually are sufficient to serve as baselines for NATO. The alliance rarely goes beyond national guidelines for product suitability.

Cyberdefense traditionally has not had a place in the political agenda, Roussely notes. However, the new generation of people moving into positions of responsibility understands information technology and the importance of its security. The establishment of the U.S. Cyber Command represents a change in the way information security is considered, and people are coming to realize how their everyday lives rely on information technology.

Read the expanded version of this article in the September issue of SIGNAL Magazine, in the mail to AFCEA members and subscribers September 1, 2009. For more information about purchasing this issue, joining AFCEA or subscribing to SIGNAL, contact AFCEA Members Services.