Other issues include questions of information security—self-defense of NATO's networks—that are complicated by the alliance's multinational membership.
“First and foremost, we have to protect our own systems,” Shea says. “We have over 100,000 computers in the NATO command structure; we have 36 vital networks, military and civilian; and although we started early, and have arguably one of the best CIRCs (Computer Incident Response Capability) in the business, as far as the international organization is concerned, the majority of NATO's networks are not under 24/7 protection. The military ones are,” he adds, but “the civilian ones less so. So we still have a lot of work to do to get up to the level where all of our systems are under 24/7 centralized-management cyberprotection.”
In February 2012, NATO signed a €58 million ($75 million) contract with a consortium led by Italy's Finmeccanica to upgrade its CIRC. The contract was the culmination of a process that began in 2004, during which the alliance spent four years assessing the capability it required.
“[The upgraded CIRC] involves enhanced sensors, better intrusion-detection methodologies, better data-package freezing, better malware analysis, forensics and the like, plus the technology to allow rapid-reaction CIRCs to be deployed to assist allies who are facing cyberattack,” remarks Shea.
Since the contract award, Finmeccanica has conducted proof-of-concept tests that revealed areas of the initial system design requiring change. By the end of this month the consortium will have delivered the capability at sites designated as Tier One and Tier Two in the command structure—the Tier One site is in Brussels and Tier Two is the NATO CIRC technical center in Mons, Belgium. The remaining sites—the exact number is classified, but in excess of 50—will follow, and full operational capability (FOC) is slated for late October.
NATO CIRC combines commercial off-the-shelf (COTS) hardware and software with proprietary elements. Besides the main system, there is a test and reference system already installed at Mons.
The reliance on COTS elements is deliberate. Systems in wide service commercially benefit from industry's ongoing efforts to combat changing threats, so optimal capability can be ensured without eating into the CIRC budget.
Even so, the NATO CIRC requirement is being revised: Aviation Week understands that, since the contract award, the consortium has handled an average of 250 technical questions per week, some of which mandated significant amendments to the original system design.
“FOC is not only technically the thing that gives us the instruments to play a greater role in cyberdefense, but more importantly, politically it suggests that we can now walk,” says Shea. “[If] we've started to be able to protect our own systems, we're in a better position to go to [different governments] and suggest other things NATO could potentially do to improve cyberdefense, not just of NATO headquarters and the command structure, but of its member states and allies.