December 19, 2011
NATO developments in the area of Cyber Defence
On 7 December 2011, NC3A's General Manager, Mr Georges D’hollander, spoke at the AFCEA Cyber Security Defence Conference, presenting some important developments in the area of cyber defence in NATO.
Here we report a few excerpts of his speech.
The Key Role of Intelligence
When we talk of cyber defence, we often jump straight away to new capabilities and technologies that the Alliance is developing. This is certainly important. But we should not forget about NATO’s traditional capabilities such as intelligence-sharing, defence planning or exercises. A cyber attack is in many ways similar to a ballistic missile attack. When the attack is launched, you only have minutes to respond. The warhead is not a physical one, but it can be equally devastating. This is why you want as much intelligence as you can beforehand, to predict a potential threat. This is also why you want your response to be as well rehearsed as possible. One of my messages to the national representatives here is – do not treat cyber defence purely as a matter of technology.
The NATO Computer Incident Response Capability (NCIRC) IOC (Initial Operating Capability) currently provides NATO’s Cyber Defence capability to respond to computer security threats and vulnerabilities rapidly and effectively. It provides the means for handling and reporting incidents as well as disseminating important incident-related information to system and security management. It concentrates incident handling into one centralised and co-ordinated effort, thereby eliminating duplication of effort. However, it does not yet protect all the networks within NATO. The upcoming NCIRC Full Operating Capability (FOC) project, for which my Agency is the procurement agent, aims not only at a technology refresh of the existing NCIRC IOC capability but will also introduce new technologies to improve cyber defence situational awareness and enhance NATO’s ability to respond to evolving cyber-threats. This upgraded capability, which will be implemented by the end of 2012, will lay out a strong foundation for cyber defence information sharing in a federated environment. Later increments of the NCIRC FOC project will provide NATO with the means to further develop cyber defence situational awareness by dynamically assessing and managing the level of risk in its CIS, thus providing the Alliance greater flexibility in its conduct of network centric warfare. In any case, the term ‘Full Operating Capability’ is quite a misnomer since, given the evolution of cyber threats, it is unlikely that any capability to counter them could ever be final or full. The project will, however, significantly boost NATO’s capability to face the evolving threat.
Coordination between NATO and National Cyber Authorities
To reap the full benefit of the common interests in achieving cyber defence capabilities, a greater effort is required to align national activities in addition to coordination. This requires a dedicated structure to continually monitor national requirements and efforts and to coordinate and strategize on the way forward, so as to ensure that there is no dispersion of efforts and that the tempo of research and development activities is in line with the assessment of the risks against NATO and national CIS. Establishing this structure and facilitating the coordinated development of cyber defence capabilities is the purpose of the MNCD programme (Multinational Cyber Defence Capability Development) initiated by NC3A.
Through an informal analysis of existing capabilities and needs, the following three areas have been identified as possible initial targets for MNCD: 1) cyber defence information sharing, 2) cyber situational awareness, and 3) a distributed multi-sensor collection and correlation capability.
The development of an initial cyber-defence information sharing capability would enable efficient exchange of cyber defence information such as incident information, attack signatures, and threat assessments between national Computer Emergency Response Teams (CERTs), including the NATO Computer Incident Response Capability (NCIRC).
Concerning cyber situational awareness, for most NATO Nations operational cyber defence is performed using a variety of tools and products including Intrusion Detection Systems (IDS) and other sensors, Security Incident and Event Managers (SIEM), vulnerability databases, and network monitoring software. These tools typically operate individually and there is no overall view. Cyber defence situational awareness is, therefore, achieved by experts manually consulting and consolidating a variety of feeds. Significant competency and a lot of manual effort are required. The joint development of this capability would simplify and enable quick decision making in the cyber domain, especially in a coalition environment, by providing a flexible set of visual interfaces (e.g. dashboards, dynamic views, and reporting features).
Distributed Multi-sensor Collection and Correlation Infrastructure capability would provide the means to coherently collect and correlate data from multiple sensors in an efficient and distributed manner so as to enable flexible management of sensor data storage and run a variety of correlation algorithms against the collected data.
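To make the two preceding points concrete (experts manually consolidating IDS, SIEM, vulnerability-database and network-monitoring feeds, and a shared store over which several correlation algorithms can run), here is an added illustration, not NC3A or NATO code and not part of the speech. It assumes a minimal common event schema and three constructed feeds with hypothetical hosts, signatures and a placeholder vulnerability identifier; the correlation rules are my own choices of the kind such an infrastructure would host.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Event:          # common schema that every sensor feed is normalised into
    sensor: str       # "ids", "netflow" or "vulndb"
    ts: int           # epoch seconds; 0 for static records such as vulnerability data
    host: str         # the CIS host the record concerns
    detail: str       # signature name, flow summary or vulnerability identifier

# Constructed sample feeds: hypothetical hosts, signatures and vulnerability ids.
IDS_ALERTS = [{"time": 1000, "dst": "10.0.0.5", "sig": "EXPLOIT smb-remote-code"},
              {"time": 1010, "dst": "10.0.0.7", "sig": "SCAN port-sweep"}]
NETFLOWS = [{"time": 1005, "src": "10.0.0.5", "bytes_out": 90_000_000},
            {"time": 1400, "src": "10.0.0.7", "bytes_out": 50_000_000}]
VULNDB = [{"host": "10.0.0.5", "vuln": "VULN-ID-PLACEHOLDER"}]

def normalise(ids_alerts, flows, vulns):
    """Map each feed's native fields onto the shared Event schema."""
    events = [Event("ids", a["time"], a["dst"], a["sig"]) for a in ids_alerts]
    events += [Event("netflow", f["time"], f["src"], f"egress={f['bytes_out']}")
               for f in flows if f["bytes_out"] > 10_000_000]  # keep only large egress
    events += [Event("vulndb", 0, v["host"], v["vuln"]) for v in vulns]
    return events

def alert_on_vulnerable_host(events):
    """IDS alerts whose target host carries a known vulnerability: (host, signature, vuln)."""
    vulns = defaultdict(list)
    for e in events:
        if e.sensor == "vulndb":
            vulns[e.host].append(e.detail)
    return sorted((e.host, e.detail, v) for e in events if e.sensor == "ids"
                  for v in vulns.get(e.host, []))

def multi_sensor_hosts(events, window=300):
    """Hosts reported by two different live sensors within `window` seconds of each other."""
    seen = defaultdict(list)
    for e in events:
        if e.ts > 0:                      # static vulnerability records carry no timestamp
            seen[e.host].append((e.ts, e.sensor))
    return sorted(host for host, obs in seen.items()
                  if any(s1 != s2 and abs(t1 - t2) <= window
                         for (t1, s1), (t2, s2) in combinations(obs, 2)))

def run_correlations(events, algorithms):
    """Run a pluggable set of correlation algorithms over one consolidated event store."""
    return {fn.__name__: fn(events) for fn in algorithms}
```

Each rule sees the whole consolidated store rather than one tool's feed, which is the step that otherwise falls to an analyst cross-checking dashboards by hand.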