Day two of NIAS 2016, the NATO cyber conference, again focused on NATO's industry partnerships, hence a lot of references to the activities of the NCIP (NATO Industry Cyber Partnership), a formal grouping set up to facilitate information exchange between NATO's cyber-operations and private sector cyber-security companies.
During the show, SCMagazineUK.com spoke to Dr Gregory Edwards, director of infrastructure services, NATO Communications & Information Agency, to understand the rationale behind setting up NCIP and how it works. “We all agreed – industry and NATO – that it was a good idea that we communicate and share lessons, but we struggled with how to do it, who would start. It was more difficult for industry, and easier for NATO with a defined 28 members, so NATO decided to lead and industry agreed. We set up quarterly executive meetings, and NATO provided the subject for discussion, to which industry would follow up and contribute.”
One of the first subject questions from NATO was to get an industry view on what its priorities ought to be, and how industry could support those. “We got validation that our priorities were pretty good – we were focused on the right areas. What was more difficult was when we asked industry, what do we do? We took threat vectors as one of the top priorities and asked, how can we agree on how to protect ourselves, both in terms of information and tech? The group produced a five or six page report telling us what to do in terms of technology, processes and procedures. One of the first things we needed to do was to agree a standard taxonomy, then how we identify, report and respond to attackers.”
It was certainly not all a one-way street, and as well as NATO providing the framework into which other parties could report, it also found it had different tools to those which the industry used.
Another finding from the cooperation was the need to de-risk the acquisition process for introducing new technologies to combat emerging threats, which was particularly important given that Edwards told SC that the biggest challenge for NATO in relation to cyber-threats is, “The ability to respond to emerging threats – staffing, organisation, training, and ordering up a capability and having it deployed fast.” This flagged up the need to look at how urgent threats can be responded to, with options including working outside the normal processes. “We need to create an avenue whereby if we agree it's an emerging event, we find a way of meeting urgent requirements, say getting two weeks to deliver (a new capability).”
Previously, before having the relationship that it now has with the industry, a new threat would result in someone saying, ‘you should talk to industry’, but now NATO will already know what solutions the industry is working on.
Part of the identification of this supply problem came up when NATO set up a cyber-security incubator and promoted development of particular solutions from start-ups, but then found that these small companies were not geared up to be able to cope with the lengthy and arduous NATO procurement process. In addition, NATO was faced with competition laws in various countries where a tailored solution could not simply be purchased without an open tender, slowing adoption.
Edwards explained to SC, “the response was that they would have to partner with a bigger organisation, which would have to see the advantage offered by the smaller operation. For the smaller company that couldn't bring their product to market, we created an environment where it could grow. We are still assessing whether we continue the innovation cycle again if we are not getting a concrete outcome. Several capabilities are now ready but we need to find a way to put them in.”
SC also asked whether this cooperation with industry got in the way of pricing and negotiations. Was industry saying you're not spending enough?
Edwards responded: “No, industry is not saying what the right sum should be. But they do want to know what scale and scope our projects are so now we provide an estimate of effort for each project. Today we are not at that level (where companies criticise expenditure levels), but maybe soon someone will say, you need to raise more investment to get that done. [Revealing actual budget] would present challenges with negotiations. Also, some companies will bid later, as they need to protect themselves. We have been held back by competition law, but it's a delicate area and needs to be managed well [to avoid perceptions or actually giving one company an unfair advantage] so we try to use open forums where everyone has the opportunity to be part of the discussion.”
Ian West, head of cyber at NCIA, provided a bit more information on the planned €70 million (£59 million) spend on refreshing and enhancing cyber-capabilities, saying that the initial document would be ready in the next two months after which it would need to get approval by the 28 allies, then get started on implementing. The biggest problem was knowing what capabilities would be needed in the future, but in general terms, there was an expectation of more automation to handle skills shortages, and more use of big data to identify indicators of compromise.
West also cited the NCIP as critical in developing innovation and speed of response to counter threats in cyber-space. In particular he cited the development of a Malware information sharing platform as providing operational advantages over acting separately. “We share our analysis of malware, whereas two to three years ago all 28 nations hit by the same APT would do their own analysis. Now we are pooling analysts and adding to our knowledge and it's had a huge take-up. And now it's extended to industry. We used to classify [everything] and we still classify some of the context, but not the malware. It's a real feeling of collective defence; nations are opening their doors and we have been releasing information useful to our partners.”
While the classification process is better, with information shared where it doesn't compromise sources, the length of the procurement process still needs work to allow faster working for exceptions. Work is underway to improve this process, seeking to learn from entrepreneurial development models.
Industry representatives signed up to the NCIP agreed there were benefits from information sharing on both sides. In a press briefing, Kah-Kin Ho, senior director, Public Sector, at FireEye Inc, told reporters, “No single company has all the answers – cyber-security is a team sport.”
Greg Day, VP and chief security officer, Palo Alto Networks, agreed, adding, “criminals collaborate effectively and the good guys have not. We want to change the model, and not sell our threat intelligence for financial gain, but exchange information to create better and quicker solutions to our customer base.”
He later elaborated that this was made possible because the sale of threat intelligence was not a major revenue stream for most organisations, as well as sharing being ethically the right thing to do, and explained that while sometimes it was not possible to share details, benefits could be shared.
The vendors felt that sharing intel had not put them at a commercial disadvantage, but said that trust had been established first to enable the sharing. He concurred, saying, “It increases customer satisfaction, and sharing intel means all our products get better. While we do overlap in some ways, we get an advantage over those that don't take part in this.”