Applying R&D in the field: the Commander’s case

NITECH ››› TEN YEARS OF SUPPORTING NATO AND THE NATIONS

David Hayhurst asks NCI Agency Principal Scientist, Ramon Segura, how the NCI Agency developed the Theatre Liaison Kit for secure communications in the field

In the early 2000s, a group of equipment users in NATO presented the Agency’s engineers with a very substantial technical challenge. They wanted a suitcase-sized, fully-secure field communications kit. Moreover, the kits should be deployable to almost any location on Earth, be responsive and versatile enough to assure connectivity for users before or during crisis situations, and work with whatever standard, commercial satellite communications systems were readily available. A tall order, indeed.

From 2004 to 2006, the first so-called “Commander’s Case” concept was developed in-house by the NCI Agency’s predecessor, NC3A. Initially labelled the Compact Commander Office (CCO), the first CCO field usage was by NATO teams, deployed at great speed to Pakistan after a devastating earthquake in 2005.

The CCO concept soon proved its mettle during the humanitarian relief operations in Pakistan and in other applications, generating a great deal of interest throughout the Alliance. But the vital security need for such kits to contain military-grade encryption and network appliances in a reduced form factor proved a major challenge, adding to the very severe limitations posed by the limited satellite data rates available back then. In response, NATO was forced to think creatively to help develop a system capable of overcoming the technological constraints of that time. One response, as NCI Agency Principal Scientist Ramon Segura explains, was for the Alliance to “become one of the government/military Beta testers” of an emerging mobile satellite IP service developed by INMARSAT. This evolved into the Broadband Global Area Network (BGAN) service, which has since been used with military-grade cryptographic devices for more than 15 years.

Another major step in advancing the original Commander’s Case concept began in 2006, when NATO first looked to industry to take its original kit design and, following its specifications, deliver more portable and user-friendly kits to the Operations Liaison and Reconnaissance Teams (OLRTs). Two Netherlands-based companies, Gannexion and Surcom, soon delivered the first three Theatre Liaison Kits (TLKs). Utilizing the experience gained with these first TLKs, the later TLK versions became less bulky and fully IP-enabled. “Some of these units were in operation for nearly 15 years,” says Segura.

MISSION-SPECIFIC TLKS

Later, more mission-specific versions of the early TLK, such as the ISAF Liaison Kit (ILK), delivered to forces serving in Afghanistan in 2013, and the ISAF Man-Portable Afghan Mission Network Capability (IMPAC) kit, which was provided the following year, “became smaller and easier to use by dropping legacy technology such as Integrated Services Digital Network (ISDN) and serial circuits, by using newer, smaller components, by taking lessons learned from previous versions, and with the benefit of inspired creativity from the vendors who made these kits,” says an NCI Agency senior engineer who has been working in close collaboration with industry since the earliest CCO prototypes.

This IMPAC, perhaps the most innovative TLK iteration to date, provides an all-in-one, single-user, single-case kit that includes power backup that, if needed, can be recharged from a vehicle battery.

While the original Commander’s Case principle remains largely unchanged, “industry has developed a market for governments and military users. You can find these kits in different forms, for different purposes, from multiple suppliers,” based in the United States and Europe, explains Segura. Now that this demand exists, sophisticated commercial off-the-shelf kits that can be adapted to fit NATO requirements are readily available, where two decades ago there were none.

The NCI Agency helped deliver the first TLKs to the NATO-led International Security Assistance Force (ISAF) mission in Afghanistan (PHOTO: NATO)

In a development of the concept, mission-specific Theatre Liaison Kits were created (PHOTO: NATO)

NEW GENERATION OF STKS

NATO has recently agreed a sizable contract with Thales, which includes the development of a new generation of what will be known as Small Team Kits (STKs), following on from and expanding upon the TLK model, in support of OLRTs.

“A lesson learned from CCO was that developing these things yourself is quite a lot of work. Still, the CCO case was useful for determining requirement specifications, for finding out what is, and isn’t, possible, and how easy people find it to use,” says Segura. “It is not just about buying some kit, there is a lot more to it than that – such as network design, integration with existing NATO networks, security accreditation, lots of testing, creating and providing documentation and training. A whole raft of things.”

All such critical considerations aside, however, Segura feels that, despite the remarkable advancements since it was originally designed, the fundamental Commander’s Case concept is still part of NATO’s concept of operations for liaison and reconnaissance. It’s set to continue because the requirement for small kits to communicate securely, over any bearer of opportunity, and using the highest-grade of military encryption, will always remain.

INDUSTRY PERSPECTIVE

Heightened urgency for cybersecurity

Jim Richberg, Public Sector Field CISO at Fortinet, considers federated security operations and integrating cybersecurity across organizations and nations

Why is this topic being discussed now?

Integrating cybersecurity across organizations and jurisdictions is of growing interest, both within the Alliance and worldwide. Ransomware has demonstrated that criminal cyber activity can paralyze the operations of critical infrastructure in even well-resourced industries, and the current geopolitical crisis is leading organizations around the world to worry that they may find themselves in the crosshairs – or at least caught in the crossfire – of destructive state-sponsored cyber action. Although the need is urgent because both the threat landscape and an organization’s attack surface are expanding, the effort should be approached mindfully to ensure the project is realistic based on the available resources – especially people.

Feeling a sense of heightened urgency, many are looking at approaches that include creating information-sharing and analysis centres, federating security operations centres (SOCs), setting up centres focused on critical infrastructure or government agency missions, or creating a single ‘super SOC’. Each of these options can be problematic to execute due to complexity, effectiveness, cost – or all three of these factors.

Why is effective cybersecurity so difficult to accomplish?

The security operations landscape is challenging even within a single enterprise. The difficulties organizations face fall into several different areas, including:

• a fragmented network perimeter: because of work from anywhere, cloud, supply chain and other initiatives, the attack surface that needs to be secured has grown dramatically,

• evasive attacks: sophisticated multi-stage campaigns by malicious actors can evade traditional prevention security and mimic legitimate activity,

• data volume: the volume of security events creates too much ‘noise’ for organizations to be able to rapidly and reliably identify, prioritize and investigate security incidents,

• siloed security: point security products provide stove-piped and incomplete pictures, prevent automation and slow response times,

• overwhelmed teams: the scarcity of skilled security professionals makes it difficult to hire and retain adequate cybersecurity staff.

The threat landscape is also evolving with an increase in destructive ransomware, state-sponsored attacks, targeted attacks on Operational Technology (OT) environments and advanced persistent cybercrime. Due, in part, to the steady revenues generated by ransomware, cybercrime groups are becoming increasingly cohesive and well-organized, generating more sophisticated threats and increased reconnaissance capabilities. Compared to a year ago, some attacks are also moving with much greater speed thanks to offensive automation through Artificial Intelligence (AI).

What are the building blocks for success?

While integrating security operations across multiple and often disparate organizations has different characteristics from integrating cybersecurity for a single organization, the underlying tools and trends that enable success still apply.

AI and Machine Learning (ML) are a critical ingredient. AI has fundamentally transformed the effectiveness of the cybersecurity industry over the past decade, and is now responsible for virtually all malware analysis and for finding anomalies and threats on an automated basis in near-real-time. A second technology trend is the rise of cybersecurity mesh architectures – platforms of products and services from different vendors that can share data and operations.

The intersection between increasingly mature and powerful AI/ML and the consolidation of security solutions into interoperable platforms or families of capabilities is a potential game changer. This AI-powered platform approach turns the size and complexity of the attack surface from a liability into a potential advantage – making it a composite collection platform that can see adversaries in motion, with the AI/ML to make sense of this data, and the controls to respond both at the point of attack and globally.

What is the goal of federated cybersecurity?

Integrating cybersecurity in a multi-organization environment consists of both establishing situational awareness by creating a common operating picture (COP) and driving response. These functions are related but can be prioritized and developed separately.

Establishing shared situational awareness is a human problem. Machines don’t need a ‘threat dashboard’ or heat map of activity. They can share data (‘tip’ and ‘cue’ action) depending on rules and automation. But, even when it is fed by automated data feeds, producing situational awareness for analysts, cyber defenders and decision makers is time and labour-intensive. Problems of information overload and operator fatigue can impede performance and are most likely to occur during a cyber incident or crisis.

There are two distinct approaches to federating awareness:

1. Generating a single shared view, which can produce a user-friendly world view, but which likely requires a bespoke solution built from scratch,

2. Sharing separate perspectives (e.g., each SOC has a ‘repeater’ of the views from other SOCs). This is easier to implement but requires ongoing manual integration by the human analyst/operator, and integration becomes harder as the number/diversity of perspectives to be included grows.

If most of the minutes of every hour are spent making sense of what is going on, the time devoted to action needs to be highly efficient. There are at least three options for enabling such integrated/joint response, with the approach being:

1. Data-driven, working from cyber threat intelligence in common formats (e.g., STIX, TAXII),

2. Function-driven, leveraging key capabilities and commercial products in Security Incident and Event Management (SIEM) and Security Orchestration and Response (SOAR),

3. Architecture-driven, working from architecture-level interoperability.

Option 1 gets ‘back to basics’ by focusing on data interoperability and leveraging existing and widely adopted models and standards. Option 2 leverages cybersecurity components such as SIEM and SOAR tools that typically are designed to work in multi-vendor environments. This approach to integration offloads much of the work to industry partners. Option 3 offloads even more of the burden of integration to the platform and architecture manufacturers. Importantly, these options are not mutually exclusive, especially in a federated and complex ecosystem of networks and capabilities.

How should organizations get started?

Many organizations want their integrated/federated security posture to include a COP. In this case, because the bulk of the defenders’ time will be spent on generating situational awareness, it will place a premium on automation of response, often within parameters or playbooks set in advance.

Alternatively, organizations may place a lower priority on establishing shared situational awareness and settle for something coarser that indicates the presence or absence of ongoing threats. Essentially, they will emphasize the provision of shared services and integrated responses; in other words, choosing to focus on maximizing the impact of defensive action at the expense of a more complete understanding of threat.

There is no ‘right’ answer, but the decision about which goal and what capabilities to develop should be made through a conscious choice that reflects the needs and priorities of the organizations being integrated and of key mission stakeholders, rather than by happenstance or expediency.
