NATO Nations Embrace Collaboration Technologies, Seek Security Solutions
 |
With a NATO focus, security experts from around the world gather in Brussels, Belgium, to explore the management of security and its technical and physical applications at TechNet International. |
Within the European arena, governments often are protective, limiting competition and collaboration, and this hindrance needs to be addressed at the government level. “Simply buying what nations are used to providing will not help the cost and quality issues,” explained Adm. Sir Ian Forbes, RN (Ret.), KCB, CBE, former NATO Supreme Allied Commander, who addressed attendees at TechNet International in Brussels, Belgium, in October.
NATO is no longer the leading player in the emerging security landscape but is part of an international relationship. This collaborative environment requires that NATO and organizations such as the European Union and the United Nations make their relationship work practically, not just rhetorically or politically.
Emphasizing the theme of the conference, Adm. Forbes noted that the challenges in security are international, but the solutions are national. The security business is different from the defense business, he added. In defense, the lines of communication and structure are well known, and the supply lines are understood. In security, the market is indistinct; there is no requirement of training, and the face of the customer is elusive.
The cornerstone of NATO is its ability to provide a collective defense, including crisis management and conflict resolution. Intelligence to support the alliance is provided by the member nations, based on agreed requirements and requests for information. Information sharing within the alliance centers on “need to know.” Rules and means are needed to provide information without compromising national security; and because NATO cooperates with nonalliance countries, methods are needed that allow partners as well as others to share information, stated Brig. Gen. Norbert Stier, DEU, AR, deputy assistant director, intelligence division, International Military Staff, NATO Headquarters.
 |
Col. Tina M. Harvey, USAF, director of communications, 3rd Air Force, Ramstein Air Base, Germany, discusses how provision of service can be guaranteed. |
Even with good technology and well-established policies, a network still is vulnerable if users are not trained and responsive. If security is too cumbersome, users will find a way around it or will revert back to legacy systems with which they are more comfortable. In light of the growing cyberthreat, this is a great concern. “Technology can be as sexy as you want, but at the end of the day, the human element is what you cannot control,” Adm. Forbes acknowledged.
Kris Fitzgerald, the director for Dell’s Global Service for the Public Market, shared that in his experience, users will turn off security solutions that are complicated. “When things are overwhelming, we resort back to a place where we have comfort,” he said.
And security needs to be simplified: The number of attacks and breaches of networks is expanding at a dramatic rate. Between 2008 and 2009, cyberattacks increased 60 percent, and the amount of malicious code increased 265 percent in the same time frame, Brig. Gen. Murat Üçüncü, chief of the information systems division, Turkish General Staff, reported. Organizations must provide training to users and network administrators to help improve their awareness of security issues, he emphasized.
The perpetrators behind the attacks vary greatly, from “script kiddies”—who are “just playing around” to see what will happen—to cyber activists, organized crime or terrorist organizations, nation states and insider threats, Gen. Üçüncü elaborated.
According to a research paper presented by Matthijs van der Wel, manager, principal forensics, Europe, the Middle East and Africa, Verizon Business Solutions, in 2008 alone more than 285 million records were compromised—more than the previous four years combined. Organized crime was responsible for 91 percent of this activity. Of these intrusions, 99.6 percent were compromised from servers and applications; 74 percent resulted from external sources; and 32 percent implicated business partners. The breaches originated from hacking in 64 percent of the cases. The use of malware was reported in 38 percent of the breaches, and privilege misuse was involved in 22 percent of the crimes.
 |
A data-breach investigations report published by Verizon Business is the source of a briefing by Matthijs van der Wel, manager, principal forensics, Europe, the Middle East and Africa, Verizon Business Solutions. He explains the various categories of threats and how they relate to data-record breaches. |
Cyberthreat now is business driven, and the barriers to entry are low, stressed Dr. Adrian R. Hartman, senior manager and architect, Bell Labs, LGS Innovations. The threat is propagating from both nation states and nonstate enemies; and while there are plenty of perimeter security solutions, the perimeter increasingly is difficult to define. He recommended a holistic security approach, one that is part of a threat-tolerant network design built in through the life cycle. Design security into products from the beginning, he advised.
Inherent threat tolerance can be achieved through software diversity, Hartman continued. With all applications being identical, the construct code can be shuffled so that all installations are not vulnerable to the same attack function, he explained.
Kathy Nuckles, chief executive officer and president of Communications and Power Engineering Incorporated, agreed. If security is not intuitive, users will revolt, and “if there is a workaround, they will find it,” she related. One key to successful adoption of security is enforcement, she stressed.
Nuckles’ company has supported the U.S. Defense Message System for 14 years, and she explained the system will be shutting down within the next two years. The U.S. Defense Department is not providing a comprehensive replacement system and is leaving it to users to provide their own alternative. This is creating some panic, she said, warning that users may return to legacy systems.
She cautioned that industry cannot be expected to deliver a single consolidated capability, so the government needs to define the basic payload constructs, the security label toolset and the security token so industry will know the environment better.
“It is hard to come up with solutions unless you drop some old requirements. Until you define the mission and where you want to go, you cannot define the solution,” she elaborated. But from confusion there is opportunity, she added.
The challenge is how to increase knowledge for all by providing information access while protecting individual systems, Donald G. Neault, vice president, Advanced Services Global Government Solutions Group, Cisco Systems Incorporated, noted. Web 2.0 and other collaborative efforts are not just useful, they are essential, but in this dynamic business environment, new approaches to security are needed.
Throughout the first day of the event, many of the experts emphasized that the most significant security challenges being faced are human ones, not technology ones. Neault, however, believes that neither technology nor humans are the main problem. The problem, he said, is complexity. Technology integration is complex, so in a world of complexity, device, configuration, application and operational standards and fewer versions are needed. They will not eliminate complexity entirely, he suggested, but they will make it much easier to manage.
The event also featured a NATO technology showcase, which provided a glimpse of the work occurring at the NATO Consultation, Command and Control Agency’s (NC3A’s) technical laboratories in
Photography by Norma Corrales
Comments