NATO's fight against cyber terrorists

"It's not the most difficult threat that we face, but the fact remains that there can be so many," says Koen Gisjbers, general manager of the NATO Communication and Information Agency (NCI). As he talks down the line from the agency's headquarters in Brussels, his voice sounds disappointed, even weary. "Sometimes, our job is complicated by even a simple mistake in communications."

This is an oblique reference to an event in June 2011, when 'hacktivist' group Anonymous claimed that they had stolen a gigabyte of classified information from the alliance's databases.

The hacking was in response to the publication of a report, authored by a NATO parliamentary reporter, on the danger that the group, among others, posed to the integrity of its systems and networks. As it turned out, Anonymous published only a handful of documents marked restricted (NATO's lowest security grading) and containing little sensitive information, before going dark again. Nevertheless, the episode was an embarrassing reminder of the basic dangers that accompany an online presence.

"I think it is clear that we face the normal hackers, people that try to see if they can beat NATO," says Gisjbers, eager to emphasise that they're not the most dangerous when it comes to defending the alliance's networks. "Most likely it's state-sponsored attacks, or even activities that are related to getting financial benefits."

"Activities" is an understatement. Speaking to the Guardian last year, the NCI's chief of cybersecurity admitted that in 2013 the agency had detected up to 200 million suspicious cyber-events each day. Only 0.0018% of these were serious threats. Nevertheless, that meant the NCI was tasked with fending off at least five major cyberattacks a week.

Broadly speaking, these can be divided into either attempts to undermine NATO networks themselves, or steal information. Most fall into the latter category. In October 2014, it was revealed that hacking group Pawn Storm, based in Russia, had been mounting phishing attacks against the NATO liaison to Ukraine and the armed forces of at least two member states.

In the same month, cybersecurity firm iSight Partners announced that it had discovered that Operation Sandworm - a group so-named for its references to science fiction novel Dune inside its code - had exploited a zero-day vulnerability in Windows to spy on NATO computers and telecommunications firms. More recently, cybersecurity researchers F-Secure published a report claiming that a group called The Dukes had repeatedly tried to hack into NATO's branch office in Georgia and into systems related to the organisation of alliance-organised military exercises.

This isn't the nightmare most cybersecurity analysts fear, though. For that, ask Estonia. In April 2007, after a national debate on the fate of the country's most prominent Soviet war memorial, its banking system was crippled by a wave of distributed denial of service (DDoS) attacks. The public content of news and government websites was systematically altered to convey pro-Russian viewpoints. The government's email system was brought down for hours at a time. The crisis was only resolved after Estonia cut its networks off from the outside world.

The scale of the onslaught prompted the alliance to reevaluate to what extent a cyberattack could constitute an outright provocation against member states, with the council eventually agreeing last year to designate it worthy of invoking the mutual defence clause of the NATO treaty. At the time, Gisjbers was serving as assistant chief of staff for command and control at NATO's Allied Command Transformation (ACT) section in Norfolk, Virginia in the US. The attack on Estonia, as well as a similar onslaught on Georgia's networks during its 2008 war with Russia, had a profound impact on his thinking.

"I've been to both locations and looked closely at what happened there," says Gisjbers. "After that, we started quite happily translating what it all meant for an organisation like NATO. I started implementing similar changes for the Dutch Government and the Ministry of Defence in particular. It's clear that if you're very dependent on IT and C4ISR for your daily work, and your operations especially, it becomes an integral part of your military operations. You need it running to be able to survive and remain effective in those periods of time."

A former Olympic athlete, Gisjbers began his military career as a combat engineer in the Royal Netherlands Army in 1980. He went on to serve with distinction in Kosovo, preparing units for deployment to the Congo and Afghanistan and running the RNA's air assault brigade. His transition into cybersecurity began with his appointment to the ACT in 2006. After serving with distinction in Norfolk, Gisjbers returned to the Netherlands to rationalise the government's IT services and oversee its cybersecurity policies, before being recalled by NATO in 2012 to run the newly minted NCI.

An amalgam of competing logistics and communications agencies within NATO, the agency was intended to become the guardian and guarantor of the alliance's basic nervous system. "We deliver all the C4ISR and IT support to the NATO organisation," he says. "We also influence the military C4ISR architectures and standards for the member states."

Gisjbers' term as general manager has been defined by two major shifts in NATO's cybersecurity posture. The first is the transformation of what the agency considers to be the operational template for future campaigns abroad. The FMN, or Federated Mission Network, promises to become the platform wherein much of the raw intelligence on an enemy troop's movements and disposition acquired by individual member states will be pooled and then interpreted.

Approved by the NATO Council in January this year, it was intentionally built to resemble ISAF's Afghan Mission Network (AMN). "During that mission, NATO was responsible for their own unique networks stretching from Brussels to Kabul and the regional commands, while the nations operated their own military networks," recalls Gisjbers. "One of the biggest lessons we learned from Afghanistan was that isolating your own networks in this way is not going to make you an efficient force in an operation."

Established in 2010, within a year, the AMN allowed junior commanders to easily access, visualise and act upon intelligence accrued by 48 NATO and partner nations. The FMN will function in a similar way. For now, the NCI is focused on delivering the technical innovations necessary in building a combat intranet that can easily facilitate intelligence sharing, while at the same time remaining invulnerable to outside interference. The implementation process is ongoing, although elements of the FMN system were demonstrated successfully during NATO's recent communications exercise dubbed 'Steadfast Cobalt'.

Private dealings
However, the technology honed and implemented by the NCI would arguably not exist were it not drawing upon the creativity of the private sector. As the leader of an agency that describes "80% of its work [as] done through contracts with national industries", it is a relationship valued by Gisjbers and his colleagues. "We want to use the knowledge and the thinking power of industry, but on the other hand not forget our own thinking power because we know better than anyone else what interoperability means," he says.

This conception of cybersecurity at its strongest, when the best and the brightest minds of the public and private sectors collaborated, dates back to Gisjbers' time tending to Dutch Government networks. In an article published in the Georgetown Journal of International Affairs in 2010, he argued forcefully for such consultation, "given the central role of the private sector in the management of networks and the provision of digital services". Moreover, assistance can go in both directions. "As an agency, we can also help in transferring knowledge to industry that they do not have," says Gisjbers. "We can play a role in strengthening our own suppliers with corporate and threat awareness, so they can defend themselves.

"This was made possible by an agreement reached at the highest political level among the member states," adds Gisjbers, which was embodied in the NATO industry-cyber partnership endorsed at the alliance's summit in Wales in September 2014 in front of 1,500 associated industry leaders and policymakers. "We work in two main streams in that development. The first is the comprehensive sharing of threat data. We make sure we understand what's going on on the internet, how that affects our networks and what we can learn from one another in real time."

In this respect, a strong relationship with private industry is intended to marshal resources in ways that portray the older model of state innovation as obsolete. "When it comes to innovation, we need solutions we can deploy within weeks and months as opposed to years," he explains. "In this regard, we have stood up as an agency. We've founded a cyber-incubator in The Hague, where we've invited figures from industry and academia to help us in areas that we felt could be improved."

In August, the incubator convened its first international summer school in cooperation with Europol and The Hague Security Delta. Students include staff from NATO and related defence industry partners from over ten member states and Japan. According to the relevant NCI press release, "legal and policy elements relevant to cybersecurity in international environments" as well as "projects directly linked to questions the NCI Agency's customers are asking" were just some of the topics under discussion.

Naturally, this raises additional questions about how the NCI goes about safeguarding its supply chain from cyberattacks. This is partly achieved by anonymising the data, but also through the limited spectrum of advice and liaison with the private sector. "We're not interested in a relationship with industry based on generic solutions," says Gisjbers. "We are looking at those which aid in securing a federation of networks that we can apply in the NATO environment. That brings some very specific challenges."

This, however, requires appropriate levels of funding. Despite the advantages accrued by outsourcing contracts to private industry and building more robust military-grade networks, the NCI has arguably had to make do in this respect. During a public interview at the NIAS cybersecurity symposium, Gisjbers related as a point of pride his success in enhancing the NCI's service delivery with staff numbers reduced by over 25%. "I always compare this with the fact that we are changing the engine of a plane while flying," he said. "And we still fly."

Does the NCI require more resources? Perhaps not, at least not at the present time. Its achievements in the creation of the FMN concept and cybersecurity alone are indicative of an agency confidently punching above its weight. Yet the scale of recent attacks against NATO infrastructure and between nation states across the globe demands that this situation be monitored closely. With member states simultaneously pouring resources into their own cyberdefences and having signed on to closer cooperation in this area through NATO, it is only logical that the NCI's stature will increase. Perhaps it has to. After all, a chain - much less a network - is only as strong as its weakest link.