In defence of the internet
27 January 2020
Cyberdefence is becoming increasingly prioritised at NATO. Grace Allen talks to Ian West, cybersecurity chief at the NATO Communications and Information (NCI) Agency, about its work to counter cyberthreats, the value in collaboration and reducing siloisation, and how to integrate and share sensitive data securely.
In 2016, NATO officially recognised cyberspace as a fourth military domain, adding it to land, sea and air as a sphere which the organisation must commit to defend. In the three years since, further measures have highlighted the close attention NATO is paying to the online world.
Allies committed to the establishment of a Cyberspace Operations Centre in 2018. 2019 has seen the adoption of a NATO guide to tools for dealing with malevolent online attacks, and this year’s edition of the NATO Information Assurance Symposium (more familiarly known as NIAS, thanks to the military affection for acronyms) was the largest yet.
“The number of participants keeps rising,” says Ian West, the NATO Communications and Information Agency’s cyberdefence chief. “When we first started 15 years ago, we had 20 people in the audience. We’re now talking to audiences of in excess of 1,000 people.”
While NATO’s recent response to cyberthreats has attracted headlines, West’s career shows that it’s something the organisation has taken seriously for a long time. After serving in Belgium in the British Royal Air Force, West stayed in the country to join NATO as an international civil servant. “I’ve been here ever since,” he says. “I do like it here – I like it a lot. And I love the NATO environment.”
Between 2004 and 2014, West was technical centre director at the NATO Computer Incident Response Capability – “another long name, which is now known just as the NCIRC” – which provided cyberdefence for NATO sites. He’s now chief of the NATO Communications and Information Agency’s Cyber Security Centre, heading up a team of around 200 experts who design, build and operate cybersecurity solutions to defend NATO’s critical networks against threats.
West is based in Mons, Belgium, along with around three quarters of his team, who work on cyber operations and assessing NATO’s networks, looking for vulnerabilities and maintaining cyber hygiene. The remainder, numbering around 40, work on capability development at The Hague. Their work is entirely defensive, looking after NATO’s networks. “That’s basically who we are and what our mission is,” West says.
West’s team works to support NATO’s new Cyberspace Operations Centre, which is also based in Mons. Due to be fully operational by 2023, the centre was established to provide NATO commanders with situational awareness and synchronise operational activity in cyberspace.
“Our role in the NCI Agency is to defend the enterprise, and part of the enterprise is our operation networks,” West says. “We work very closely indeed with the Cyberspace Operations Centre, providing information on the latest security posture, availability of our networks, technical vulnerabilities that we’ve found that perhaps that might affect the networks. We provide them with a lot of information to help them work at the operational level.”
It becomes evident in our conversation that the sharing of information is fundamental to defence in this new operational domain. “Cybersecurity is very much a team sport,” West says.
This has been something he has been aware of since his early years with NATO, working to stand up the NCIRC. “We quickly learned that even in those days, all of us, whether it’s industry, government or other international organisations, we all share the same type of technology, and that means that we all suffer from the same sort of threats,” he says. “We knew quite quickly that we have a piece of the jigsaw, but we don’t see the whole picture. And we can learn from other people. So we found very quickly the importance of collaboration and sharing information not just about threats, vulnerabilities and exploits but also about how best to defend against these fairly sophisticated attacks.”
An interconnected defence
An allied approach is, after all, what NATO is all about. A memorandum of understanding on cyberdefence, updated in 2015, establishes parameters for the exchange of information between the 29 allied nations. Another example of cooperation between alliance members to facilitate an improved response against cyberattack is NATO Smart Defence, a pooling of resources agreed on by leaders at the 2012 Chicago Summit. Individual allies focus on developing specialisms which play to their strengths and then share these across the organisation.
Creation of NATO Computer Incident Response Capability (NCIRC).
Ian West becomes technical centre director at the NCIRC.
West joins NATO Communications and Information Agency’s Cyber Security Centre.
NATO Industry Cyber Partnership (NICP) launched.
Updated memorandum of understanding on cyberdefence establishes parameters for the exchange of information between the 29 allied nations.
NATO officially recognises cyberspace as a fourth military domain.
Belgium, France, the Netherlands, the UK and the US join the Cyber Collaboration Network.
NATO’s new Cyberspace Operations Centre due to be fully operational.
A key aspect of NATO Smart Defence is the Malware Information Sharing Platform, or MISP. “Many of us are facing pretty sophisticated malware attacks, cyber espionage attacks,” West says. “Up until we fielded this capability called MISP, every single one of our allies was doing exactly the same thing – they were analysing the malware.”
Clearly, each nation undertaking the same analysis is not the most effective use of resources. Now, only one of the allies needs to investigate a malware attack and can then share the results across NATO through MISP. “It’s incredibly efficient.”
A further leveraging of technology allows experts across NATO to work together to cope with the increasing rapidity and sophistication of these assaults. “Our attackers are pretty agile,” West says. “They’re pretty flexible, quite quick and sometimes pretty well organised. Now, when you’re faced with that sort of speed, collaborating at that sort of speed, defending at that sort of speed, becomes a challenge. It’s not something that you can do using a telephone, or emails.”
Instead, the NCI Agency has been working this year on extending a protected network to its technical counterparts in the cyberdefence offices of allied nations. Known as the Cyber Collaboration Network, it creates a secure workspace where experts can communicate using voice, video and chat capabilities, and collaborate in shared spaces.
Belgium, France, the Netherlands, the UK and the US were the first to join the network, in February 2019. “You can imagine that this is quite a game changer, and allows us to speak, see and interact in real time with our colleagues in allied cyberdefence offices,” West explains.
An agreement also exists between NATO and the EU for sharing information on cyberdefence: a technical arrangement with the EU Computer Emergency Response Team (CERT-EU), which was the first formal agreement between the EU and NATO for 23 years, as West points out. “They too suffer exactly the same sort of threats as we do,” he says. “So we have pretty regular meetings with them.”
Alliances with academia and industry
To stay at the cutting edge of cyber developments, NATO also maintains relationships with outside organisations in academia and industry. The NATO Industry Cyber Partnership (NICP) was launched at the Wales Summit in 2014 in recognition of the vital input the private sector can provide; its aims include building trust and relationships and the sharing of information and expertise as well as improving NATO’s cyberdefence supply chain. “We can’t go this alone, and we do need to work very closely with industry not just on a commercial basis, but also on a collaborative basis,” West says.
For this purpose, information sharing agreements exist between NATO and industry: knowledge is exchanged between the organisation and certain companies on a no-cost basis. In addition, threat vector analysis workshops, held a few times a year, encourage open exchange.
“We get together with some of our stronger industry contacts in a room, we close the doors and we talk, frankly, like we’ve never talked before,” West says. “We can’t talk about everything, but we found these meetings to be very successful, because for the first time, we’re actually sharing information… not just about threats, but also sharing best practices, how best to defend against some of these threats.”
This kind of collaboration ensures that the NCI Agency can stay at the forefront of developments which are crucial to rebuffing cyberthreats. At the recent edition of NIAS, a key topic of conversation was cloud computing, with speakers discussing how to operate securely in the cloud and the opportunities this technology offers NATO.
“I think the cloud will play a huge role in every aspect of our lives, including cybersecurity,” West says. While remaining aware of the potential security challenges of this relatively new technology, NATO is making use of both private and public cloud infrastructure to improve its activities, and is also looking to allies and industry for examples of how best to make use of it. Some collaborative spaces for working with academia and industry are already in the public cloud.
While critical and highly secret NATO information won’t be on the public cloud any time soon, “that certainly doesn’t stop us from moving some of our less sensitive activities into the public cloud”, West says. “So, whether it’s a public cloud or private cloud, NATO’s really embracing this new technology.”
This is an ongoing endeavour: in recognising cyber as an operational domain, NATO has committed to maintaining a position at the forefront of the digital world. “NATO is going through the digital transformation to really harness the power of technology and the power of data,” West says. “We’re really doing our best to keep up with modern technology, so that it supports the strategic and political aims of the alliance.”