Publication originally posted on Jane’s Defence Weekly
The result of NATO’s first ‘smart defence’ multi-nation project in cyber defence – a new incident reporting-and-sharing system – was tested during the Alliance’s recent large-scale cyber exercise in November. The system’s three sponsoring nations will roll out the product in spring 2015 and intend to make it available to all other allies, said NATO and industry officials.
The new Cyber Information and Incident Coordination System (CIICS) is a big step forward for alerting and spreading information about cyber incidents, and thus keeping up NATO’s defences, according to Doug Weimer, Director of security and crisis management at Rhea Systems SA: the Belgian subsidiary of Canada’s ADGA Group, which focuses on space and defence engineering.
« Cyber adversaries are sharing information to attack these systems. Thus, if we don’t step up the same for the allies’ defence and counter-attack, they’ll always be behind the curve, » Weimer said on 19 December.
Rhea is developing the new web-based incident ‘ticketing’ system for the defence ministries of Canada, the Netherlands, and Romania.
The three nations launched their smart defence project’s work package in March 2013, funnelling their requirements and funding through the NATO Communications and Information Agency (NCI Agency), which oversees Rhea’s work on their behalf.
« In Afghanistan the Alliance was lucky: the enemy did not have much cyber-attack capability, so we didn’t have to work on that very much, » NCI Agency cyber technician Luc Dandurand told IHS Jane’s on 12 December, « but for future missions our interconnected systems are going to be attacked by our adversaries and we’ll have to react far more quickly – all the more so because weapon systems will be increasingly be connected to each other, meaning the risks to [command and control] C2 will rise. »
Rhea’s remit from the NCI Agency was to restructure traditional ticket procedures in a new way to accelerate the sharing of incident information without compromising the sensitive national information that tickets often carry. It came up with software that offers a three-tiered architecture of information. The first consists of basic building blocks of single information elements, or attributes. These are grouped by a military’s cyber defence team into facets, which describe more fully a particular cyber issue such as identifying malware or a denial-of-service attack. A facet can be stand-alone or mixed with other descriptive facets to form wider templates, which structure all the information. The templates’ various information fields can be left visible or masked, according to a military’s secrecy rules.
Each military cyber defence team chooses among CIICS’ standardized attributes to construct its own templates. When a given event’s characteristics populate a template, it is then pushed out by the cyber team as a joint ticket to the other trusted cyber teams who have pre-identified the threat characteristics for which they want information. Thus, immediate cross-alerting and situational awareness take place between defence teams according to their threat priorities. The system then uses a shared directory of contacts to automatically alert the relevant personnel in each nation.
This has distinct advantages over traditional means used to generate alerts between cyber teams. « Incidents have always been handled by phone or individual email, which is labour intensive and slow, » said Dandurand. « Also, if you’re talking about CERT [computer emergency response team] operations rolling across eight-hour shifts, the risk is that the awareness of the email or phone history is lost. With the joint ticket system there is continuity – and you can add new developments, which are immediately updated. »
A basic version of the CIICS product was tested at NATO’s massive ‘Cyber Coalition 2014′ exercise, which took place from 18-20 November centred on Estonia’s military base in Tartu and involved more than 670 cyber experts operating from dozens of locations from across the alliance and partner nations.
Some 200 tickets were created during the three-day exercise, according to Dandurand. « Your typical CERT generates only a few large-incident tickets a day under real-life conditions, so that was a good opportunity to test the software under load, » he said, adding that, although there were some performance issues, Rhea’s on-the-spot developers « fixed things on the fly, sometimes even before the glitch was identified by the users ».
However, only a part of CIICS’ intended functionality – namely, its single-incident handling capability – was tested in Tartu.
The NCI Agency and Rhea have until mid-March 2015 to develop multi-incident handling plus CIICS’ information-sharing capability for a full, Version 2 production-grade system. The latter then goes to the three nations’ defence ministries, whose cyber-defence teams will connect to each other in April, followed by full operational capability in May. Eventually, a Version 3 will enable the parsing of information fields with different security labels.
The production-grade software will be licensed by Canada, the Netherlands, and Romania at a « reasonable » cost, according to Dandurand. « They will recapture their costs and that’s all, making it affordable for other nations that want to use it, » he said.
According to Weimer, the three nations will make maximum use of CIICS beyond their own military needs as well. « The data field in a template only becomes sensitive once it’s populated with information, so by tailoring or masking the fields, then military and civil authorities can swap joint tickets on cyber threats. They have every intention of using this beyond their defence ministries, » he said.
Written by Brooks Tigner