MONS, BELGIUM — NATO’s Communications and Information Agency will recruit six cyberdefense experts in the coming months to help deal with cyberattacks on NATO systems. This action is part of NATO’s effort to move toward what it calls full operational capability by the end of October, meaning improved protection of 55 NATO sites across the world.
A NATO official said he regretted the term “full operational capability,” arguing that NATO’s cyberdefense policy has been modernized but that further improvements are still needed.
A big part of this effort is the Mons-based NATO Computer Incident Response Capability (NCIRC), which has come with a price tag of €58 million (US $74.5 million).
The NCIRC is housed in the NATO Information Assurance Operations Centre, whose task is to look after NATO-owned systems and not systems in NATO countries.
In comments to journalists during a visit to the NCIRC, Ian West, director of the NCIRC Technical Centre, said “the number and sophistication of attacks is growing. In a worst-case scenario, it [an attack] could lead to loss of life, e.g., if intelligence information regarding an ambush does not get through as a result of the attack.”
As many as nine out of 10 inbound emails to NATO are stopped because they are suspicious. Many are probes against NATO systems that are generally harmless but could be precursors to an attack.
In total, there are estimated to be around 147 million “suspicious events” per day against NATO systems. Technology systems whittle that down to a more manageable number of serious cases, which are then dealt with by the cyber experts.
In 2012, there were 2,500 confirmed serious cases (around 200-300 cases per month). Many attacks are automated.
The NCIRC operates on a 24/7 basis, which is important because an attack coming from the Far East, for example, might hit the NATO networks in Europe at 2 a.m. European time.
“The most important thing is to stop the attack,” said West. In addition, NATO may carry out forensic analysis of the malicious code but does not go after the attackers. If it needs law enforcement assistance, it calls on the host nation of the attacker.
A forensic analyst within the cyberdefense team can link a malicious software (malware) attack to a specific known group through the signature the attackers leave in their code and tooling. Specific attribution, however, i.e. establishing where an attack was actually launched from and by whom, is very hard. The results of this forensic analysis are shared with NATO allies so that they can update their defenses.
Not only computer systems at NATO sites are protected, but also those used to direct artillery fire or found in vehicles on NATO missions. However, for equipment provided by a NATO country, ultimate responsibility lies with that country, as it owns the equipment.
In addition to monitoring and protecting NATO networks, staff in Mons can be called on to form rapid reaction teams. A team is drawn from the 130 staff as needed, since it must have the flexibility to respond to a wide range of attacks. These cyber experts may act remotely or visit NATO sites, depending on the type of support needed.
Asked if NATO carried out offensive cyber activities, West said that “cyberdefense is purely defensive. NATO is not doing anything offensive or active defense. It is completely passive defense.”
Organized crime, cyber espionage and hacktivism are the three main motivations behind the attacks.