Ian West, Chief, Cyber Security for the NCI Agency
Ian West, Chief, Cyber Security for the NCI Agency

Near the Belgian city of Mons, site of World War I's first major battle, not far from the battlefields of Waterloo, is one of today's ongoing international cyber-battlefields, NATO's Supreme Headquarters Allied Powers Europe (SHAPE).

There NATO Communications and Information Agency (NCI Agency) provides a single 200-person cyber-security  operation led by Ian West, Chief, Cyber Security for the NCI Agency, previously Director of the NATO Computer Incident Response Capability Technical Centre, NATO's CERT (Computer Emergency Response Team) and a Royal Air Officer in information security policy.  

The unit's role is to protect NATO's networks from cyber-attack, providing cyber-security solutions throughout the lifecycle: from design of defences, through the procurement and implementation process and into operation.  Its jurisdiction includes an innovation hub in The Hague, people in Brussels and control over cyber-security in some 30 sites – plus NATO networks in operations from Afghanistan to maritime operations and exercise locations.  Work ranges from an incident handling service, monitoring several hundred intrusion detection/prevention sensors, 110 NATO websites for defacement, monitoring emails to and from the internet for classified content, to vulnerability testing and measurement as part of a compliance role, and being subject matter experts for security training and awareness.

Complexity is increased through the use of some ten different security levels ranging from compartmentalised top secret systems down to unclassified systems and everything in between.

200 million suspicious events
West confirmed to SC Magazine that NATO's networks are regularly under APT attack by Nation States, as well as from crime organisations and hacktivists who use DDoS and malware: “We face both global threats of viruses and malware, and specific threats targeted against NATO including organised crime, cyber-espionage, hacktivism and website defacement. Then come user errors (and malicious insiders).”

When we ask about the scale of cyber-attacks West told SC: “Every day NATO's sensors encounter something like 200 million suspicious events. It's a big number. Certainly some of those are false positives. But the internet is a hostile place, and you have automated tools that are constantly looking for vulnerabilities which make up a lot of those suspicious events. With the combination of technology that we have deployed, and the people, we can get that number down to around 10 incidents per day that need some sort of intervention.”

 “Your defences may defeat an attack, but that attack may be interesting. It may the precursor to a new malware campaign or cyber-espionage campaign, so it's very difficult to say what exactly constitutes something that needs to be escalated,” with human intelligence the decider.

Insider threat is treated it as seriously as an external threat – whether accidental or deliberate.  “It's a combination of not allowing users to do certain things, and training and awareness is hugely important.  We consider the user to be part of our defence in depth. We do use all methods available to raise the awareness of our staff.”

Crown jewels
SC asked whether NATO considered a ‘crown jewels' approach to security as appropriate. West told SC: “It is impossible to protect everything to the same standard. From a risk perspective, it's not necessary. You really need to identify what is important, so that you can then focus your attention on the items that are critical to your business. And with that comes an acceptance that you will suffer successful attacks in other areas.  There is no guarantee of 100 percent security, no matter how many Euros, pounds or dollars you spend. We put our most sensitive information in areas that are more isolated from, say the internet.”

"Focus your attention on the things that are critical to your business"

Looking ahead, West adds: “We need the ability to do some horizon scanning. To get early notice of the type of attack we should be expecting, who is perhaps behind that attack and when they are likely to attack, to anticipate these threats better.”

Specifically on attribution of attacks, West says:  “We are trying to find out who is behind it, why are they trying to attack you and what are they after. We determine attribution, to the best of our ability, by looking at the facts – it's an investigation. Looking at the malware perhaps that's been used. Has it been used in any other campaigns? Looking at any information, pieces of the jigsaw and putting them together to see who may have been behind this attack. Everything. 100 percent certain attribution is almost impossible because attackers can spoof the identity of another group or nation, so we have to keep an open mind and be very cautious.”

And an existing intrusion on the network is also a possibility. West comments: “Every organisation needs to, at least, consider that they may have already been breached. It would be irresponsible, given the sophistication of some of these threats, to think otherwise.”  

So it's looking for abnormal activity – and yes, NATO has audited normal activity. West adds: “We do operate whitelisting on some of our devices and for some of our activity, we also operate blacklisting – it's not one or the other as far as we are concerned. We operate all the time with defence in depth.“

When asked about learning from offensive capabilities, West acknowledged: “A lot of cyber-defenders have at least the knowledge of what to expect in cyber-attack. That's part of their training,” then added, with what sounded like real regret, “But I need to emphasise at this stage that all of NATO's activities in the cyber-realm, particularly our organisation, are defensive. Our mission is to defend NATO, nothing more.”