Cybersecurity initiatives are challenging enough for the defense strategists of individual nations. When it comes to mounting and conducting cyberdefense programs within coalitions, however, the problems become more pronounced.
That is the assessment of the situation NATO faces in conducting effective cross-alliance cyberdefense operations, as outlined by one of the organization's key strategists at a conference here earlier this year.
In his presentation at Defense IQ's cyber defense and network security event, Jamie Shea, deputy assistant secretary general for emerging security challenges at NATO headquarters in Brussels, outlined a number of issues that require solutions from the alliance. These include:
• Setting a threshold that triggers a response to cyberattack.
• The point at which, under NATO's constitution, a cyberattack on one member is considered an attack on the alliance, thus triggering the likelihood of a collective response.
• Proportionality—whether and how cyberattacks could spark kinetic and other responses.
• Problems of classification and politics over when and how alliance members should share information about attacks on their national networks.
Other issues include questions of information security—self-defense of NATO's networks—that are complicated by the alliance's multinational membership.
“First and foremost, we have to protect our own systems,” Shea says. “We have over 100,000 computers in the NATO command structure; we have 36 vital networks, military and civilian; and although we started early, and have arguably one of the best CIRCs (Computer Incident Response Capability) in the business, as far as the international organization is concerned, the majority of NATO's networks are not under 24/7 protection. The military ones are,” he adds, but “the civilian ones less so. So we still have a lot of work to do to get up to the level where all of our systems are under 24/7 centralized-management cyberprotection.”
In February 2012, NATO signed a €58 million ($75 million) contract with a consortium led by Italy'sto upgrade its CIRC. The contract was the culmination of a process that began in 2004, and during which the alliance spent four years assessing the capability it required.
“[The upgraded CIRC] involves enhanced sensors, better intrusion-detection methodologies, better data-package freezing, better malware analysis, forensics and the like, plus the technology to allow rapid-reaction CIRCs to be deployed to assist allies who are facing cyberattack,” remarks Shea.
Since the contract award, Finmeccanica has conducted proof-of-concept tests that revealed areas of the initial system design requiring change. By the end of this month the consortium will have delivered the capability at sites designated as Tier One and Tier Two in the command structure—the Tier One site is in Brussels and Tier Two is the NATO CIRC technical center of Mons, Belgium. The remaining sites—the exact number is classified, but in excess of 50—will follow, and full operational capability (FOC) is slated for late October.
NATO CIRC combines commercial off-the-shelf (COTS) hardware and software with proprietary elements. Besides the main system, there is a test and reference system already installed at Mons.
The reliance on COTS elements is deliberate. Systems in wide service commercially benefit from industry's ongoing efforts to combat changing threats, so optimal capability can be ensured without eating into the CIRC budget.
Even so, the NATO CIRC requirement is being revised: Aviation Week understands that, since the contract award, the consortium has handled an average of 250 technical questions per week, some of which mandated significant amendments to the original system design.
“FOC is not only technically the thing that gives us the instruments to play a greater role in cyberdefense, but more importantly, politically it suggests that we can now walk,” says Shea. “[If] we've started to be able to protect our own systems, we're in a better position to go to [different governments] and suggest other things NATO could potentially do to improve cyberdefense, not just of NATO headquarters and the command structure, but of its member states and allies.
“In other words, as long as we don't have FOC, the nations can say, 'Ah, well, you guys can't even take care of the rudimentary things first and foremost, so how can we discuss more ambitious things?' This is the kind of baptism of fire that we have to get through,” Shea concludes.