When the WannaCry ransomware attack hit the headlines this year, it highlighted the threat cyberattacks pose to corporations and national infrastructure. This virus became newsworthy because it infected so many computers – around 230,000 in 150 countries – and affected major institutions, including the UK’s National Health Service, as well as large companies such as FedEx. Serious as it was, WannaCry was just one example of a growing problem.
“Cyberattacks are indeed becoming more common and more sophisticated, and NATO, like many other international organisations, has been targeted increasingly over the past decade,” remarks Kevin Scheid, NATO Communications and Information (NCI) Agency general manager. “In 2016, for example, the number of processed daily cyber events amounted to 550 million – with figures for 2017 being similar – a figure that is higher compared with the 80 million registered six years before.”
The NATO NCI Agency is the organisation’s tech and cyber arm, which formed in 2012 following the merger of the NATO Consultation, Command and Control Agency (NC3A), the NATO ACCS Management Agency (NACMA), the NATO Communication and Information Systems Services Agency (NCSA), the ALTBMD Programme Office and elements of NATO HQ ICTM. Its role is to connect the alliance and defend its networks, as well as to provide support for operations and missions.
As its head, Scheid has unrivalled experience in the field, having served in the US Federal Government for more than 30 years, including senior positions at the White House, intelligence community and the Department of Defence (DoD). Prior to taking up the role of general manager in July, he had spent two years on assignment from the DoD to strategic and technical support provider MITRE Corporation as special adviser to the CEO and the president, leading a company-wide project to expand MITRE’s international engagements with US allies and partner nations.
In this position, Scheid has gained a detailed understanding of the many different types of attack that NATO and other organisations face, and from this he knows that part of the challenge in dealing with cyberattacks is the diversity of sources from which they emanate.
“NATO faces a wide range of attacks – from hackers looking for fame to hacktivists and digital espionage,” he explains. “That is one of the challenges – we must be vigilant 24/7 against a broad range of threats.
“While cyberattacks are hard to trace, attackers leave digital fingerprints. We see more cases where states are behind cyberattacks. The majority of attacks on NATO networks also originate from state actors. Hence, our cyberdefence is not directed against any particular source. We are developing our cyberdefence to respond to attacks from any direction.”
Know your enemy
It should come as no surprise that cyberattacks are becoming more prevalent, living as we do in a time when technology is increasingly at the heart of everything we do, not only in our personal lives, but also in the worlds of business and government.
“There are certainly more attacks, and the level of sophistication and organisation behind them eclipses what we would have seen five or ten years ago,” remarks Piers Wilson, director of the Institute of Information Security Professionals (IISP). “Our increasing reliance on technology is part of the reason. Before, an attack on a bank would have disrupted ATMs or branches, but now the effects are much more serious. If you think about the healthcare sector, X-rays used to be stored on film but now they are digital. Today, we have the dark web, organised crime and the marshalling of botnet resources, as well as malware factories.”
“The nature of cyberattacks is rapidly evolving,” adds Scheid. “They are increasingly used not only for covert information gathering, but also for sabotage and manipulation. This makes them a tool in the arsenal of hybrid warfare.”
While the use of cyberspace for criminal or terrorist activity was once the preserve of skilled hackers, it is now generally accepted that it is a weapon of war between nation states. Furthermore, it is not only rogue states that have assets on the battlefield in the cyberwar; this is a domain into which those threatened must put the same time and resources as those who would use it for nefarious ends.
“Potential attacks span a broad range of people, processes and technologies,” notes Wilson. “They can include social engineering, phishing scams, malware that can appear in suspicious emails or attachments – or, increasingly, in those that seem genuine – and which give rise to the idea of the ‘weaponised user’ because they get people to do things that they should not. We are seeing more activity by foreign intelligence services; for example, through the manipulation of the media, as well as activity by organised crime gangs.”
“The WannaCry virus, for instance, exploited a vulnerability in Microsoft Windows that was, in fact, already known to the US National Security Agency (NSA). This shows that all sides are aware of the cybertheatre in war, so most governments have R&D activity ongoing in this area, not just Russia, China and Israel, which are known to be players. In many ways, cyberwarfare is the new norm. Criminal gangs are just as adept, so the cybertheatre is very sophisticated. It is not just script kiddies. Single hackers are not really the adversary now, it is governments and gangs,” he adds.
The potential implications of cyberattacks are as many and varied as the systems they target. They can impact businesses, which hold valuable personal and corporate data. They can disrupt key elements of infrastructure. They can threaten national security if they penetrate systems operated by government, defence agencies or intelligence services.
“In 2017, it became clear that cyberattacks cannot just have an economic impact on our citizens – by stealing their money – but we saw operations cancelled and c-sections postponed,” says Scheid. “I think it is hard to envisage a more profound impact than that.”
The key issue, therefore, is how nation states, corporations and individuals can respond to the threat of a cyberattack. All three levels are key to an effective response because it may well be that the careless actions of an individual give rise to the opportunity to infect a critical system.
For NATO, which relies on the collaboration between nation states for all of its operations, the emphasis is on collective action and cooperation.
“Information sharing is critical,” Scheid explains. “NATO initiatives, such as Threat Vector Analysis workshops and information sharing agreements with industry, have marked a change in the cooperation climate. We have tangible experience that information sharing has a real benefit: in addition to classified national intelligence sources, some of the earlier information feeds used by NATO during the WannaCry ransomware attacks came from commercial partners. Also, training a variety of communities – users, system owners, cyber operators, system integrators and planners – is an essential part of cybersecurity.
“We do not comment publicly on specifics, but – as most actors – we engage in constant monitoring of the cyber landscape,” he adds. “Cyberattacks can be like tsunamis, so early warning is critical, and actually this is one of NATO’s strengths – we have a tradition of more than 70 years of intelligencesharing among allies.”
That spirit of collaboration must not only exist between nation states, but also between the business world and the governments that form part of international organisations, such as NATO. The corporate world is a rich target in itself, but it is also the door through which a threat can enter a much wider landscape.
“Cyberattacks ignore borders, and defending against them requires cooperation between international organisations, governments, law enforcement agencies, industry, academia,” says Scheid. “No one wins alone in cyber and we need to be bolder in broadening the ecosystem. In this sense, the expertise of the private sector is crucial. This is why NATO is strengthening its relationship with industry via the NATO Industry Cyber Partnership through information sharing, training and exercises. My agency is a hub for this information-sharing with 12 information-sharing agreements with key industrial partners.”
Wilson, who focuses primarily on cybersecurity for the business community, concurs. For him, the response to cyberattacks must span people, processes and technology in the same way that the threat does. First and foremost, he believes that there is an urgent need to build skills within the information security community.
“The security space lacks people,” he says. “It is important for companies to have a good, knowledgeable and experienced team with the right skills. We need education programmes and government policies to bring a larger and more diverse group of people into this industry. We need certified skills and the right framework around the industry.”
He also proposes that those skills, along with increasingly sophisticated technology, be deployed in a different way. Instead of trying to detect the kinds of threat that are currently the flavour of the month – the known exploits that simply add to the burden the information security team has to carry – those resources should use more intelligent and highly automated systems to direct skilled professionals towards the problems that really matter.
“We need to focus skills and resources on the right areas, rather than focusing on all problems at once,” he notes. “Detection is, of course, key but the response must come from skilled people working in the right areas,” Wilson adds.
Taking the next step into a safer world
The process of targeted responses that Wilson describes mirrors the approach that is in place at NATO, which works continuously to help allies build resilience and protect their networks.
“We promote best practices on cyberincident prevention and response,” states Scheid. “We share real-time information about threats through the dedicated Malware Information Sharing Platform.We invest in cyber education, training and exercises. And we have rapid reaction cyberdefence teams – with highly skilled experts and cutting-edge technology – that can aid allies in coping with a cyberattack. These experts can help with intrusion detection, forensic analysis, vulnerability checks and so on.
“At the Warsaw Summit in 2016, NATO Allies made a Cyber Defence Pledge to strengthen their cyberdefences as a matter of priority. Members now report on their progress against it every year – as a way of ensuring that the alliance keeps pace with the fast-evolving cyberthreat landscape, and that allies are capable of defending themselves in cyberspace,” he adds.
At the highest levels, cybersecurity is given the high priority it deserves in an age when battles will increasingly be fought as much in cyberspace as on the ground. For Wilson, however, this can only work if individuals give just as much thought to the basics of cybersecurity.
“Cyberattacks are like raindrops on the windshield,” Wilson says. “They are brushed to one side and you don’t see the real volume of water that is hitting the car. We must do all we can to prevent attacks. That means having a good security team of professional people, but it also means getting people to understand the basics of passwords and patches that contribute to good cyberhygiene.”
The views represented in this article are those of the individuals and their organisations, and therefore neither is endorsing the other in any way.