Unlikely bedfellows: Nato and business

What has a military organisation like Nato got to do with private-sector business?

While Nato and business may be unlikely bedfellows, security experts are calling for a closer relationship and Nato strategists may be more willing than expected.

The basis for this unlikely relationship is cyber security, which featured fairly prominently at this week’s Nato Summit in Wales with the adoption of a revised cyber security policy.

But what has a military organisation like Nato got to do with private sector business?

Simply put, it is in a position to influence the 28 Nato member countries in terms of improving their cyber defence capabilities and passing that on to business, according to Jason Hart, vice-president of cloud solutions at data protection firm SafeNet.

“Nato has the opportunity and obligation to ensure that member states are aware of cyber threats, are building a capability to address them and are supporting businesses to do the same,” he said.

Nato is well-placed to bring home the message that legacy systems and infrastructure are extremely vulnerable, and that co-ordinated attacks have the potential to bring down whole countries if individual organisations do not do more to improve their resistance to cyber attack, he added.

Basic security measures

Hart said Nato could use its position to recommend that member countries adopt a set of basic measures that would result in some “quick wins”.


These quick wins include enabling two-factor authentication and encryption for all cloud-based services.

“We have got to start moving the security controls closer to the data, and implementing just these two basic measures would result in a huge increase in data security across Nato countries,” he said.

By mandating that all static passwords for online services are replaced with one-time passwords, he believes Nato countries could eliminate up to 70% of data breaches.

Securing the internet of things

Hart, a former ethical hacker, also sees the internet of things (IoT) as a big and rapidly growing threat to data security, with physical objects such as tractors collecting and transmitting potentially sensitive agricultural data.

In business, he points out that many devices, such as printers, are Wi-Fi and Bluetooth-enabled as part of the IoT trend, providing yet another entry point for attackers into the corporate IT environment.

“Nato has a role to play here in encouraging member countries to recognise the threat and start legislating to ensure all future connected devices meet minimum data security standards,” he said.

Raising awareness of cyber security

Hart said he hoped that the 2014 Nato Summit would help raise the level of awareness about cyber security to make it clear that it is a real issue that affects countries and companies alike.

“Cyber security is still not an issue for many organisations, partly because they do not believe they can be affected and partly because they believe their legacy defences provide enough protection,” he said.

Typically, big organisations say they do not believe cyber threats are an issue for them because they do not have any data that attackers are likely to target.

“They often do not know what type of data they have and they do not consider that attackers not only steal data, but can also alter internal data to cause disruption or manipulate markets,” said Hart.

“Few organisations are able to identify what data is valuable to them and what would have the greatest impact if it were compromised, so they are not even clear on what they need to protect,” he said.

Hart said Nato has a responsibility to tell businesses the threat is real and that countries and organisations have to accept responsibility for cyber security to stop “making it easy for the bad guys”.

Data breaches reveal holes in security

Data breaches continue to increase in number and severity, despite the fact that the global spend on data security in the past year is estimated at around $80bn.

“This indicates that something is fundamentally wrong and, again, Nato has a role to play in encouraging member countries to get the basics right instead of just throwing money at the problem,” said Hart.

Nato also needs to think beyond physical threats of military aggressors to include the cyber threat as well, he said.

Revamped cyber security policy

The good news is that Nato is planning to increase its focus on these issues under a new cyber security policy, said Jamie Shea, Nato deputy assistant secretary general for emerging security challenges.

“We are now thinking beyond taking care of just Nato cyber defences, and although we have a lot of work to do, we now have a policy basis that allows us to get on with that,” he said.

The new policy makes, for the first time, cyber attack a potential trigger for invoking the Nato treaty’s article that requires members to come to the aid of any member under attack, Shea told Computer Weekly.

Another key element of the enhanced cyber policy is to expand Nato’s cyber defence capabilities beyond the organisation itself to provide assistance to individual member countries.

Careful planning of cyber defences

To make this a reality, Nato is using its defence planning process to get each ally to achieve specific cyber defence commitments by a certain date.

These commitments include actions such as putting in place the basics of a coherent cyber defence strategy, establishing a national computer emergency response team (Cert) and building forensics capabilities.

Cyber defence capabilities goals for each member state will be reviewed and updated continually, but Nato will also provide help in reaching each set of goals, said Shea.

“We plan to set up a panel of national cyber defence experts so that if a member has difficulties with a control system for critical infrastructure, for example, there will be an expert on hand to help,” he said.

Multi-national co-operation on internet security

The third key element of the enhanced Nato cyber defence policy is multi-national co-operation in cyber defences, which includes the concept of “smart defence” through pooling and sharing capabilities.

Most important, from a private-sector viewpoint, is that the multi-national co-operation element will include a focus on industry through setting up a Nato cyber industry partnership (Ncip).

This Ncip will attempt to replicate, at a Nato national level, the private-public partnerships in member countries, such as the UK’s cyber security information sharing partnership (Cisp).

The Ncip will enable Nato to work with industry on things such as supply chain management, risk assessment, information assurance and early-warning best practices.

At Nato’s annual information assurance symposium later this month, Shea said the organisation plans to meet industry representatives to discuss the proposed Ncip to gauge their interest.

“We will discuss things like what benefits they would expect from the Ncip, what could be shared, ways of building trust and what level we can work with each other,” he said.

Building security partnerships

In the past, Nato had almost all the necessary expertise it required within the organisation, but Shea said the advent of the cyber world has changed all that.

“Cyber is interesting because never before has the private sector been so crucial to national defence capabilities.


“Industry has now become a partner in managing crises – most cyber attacks are really now managed by governments calling on industry to come in with extra expertise and resources,” he said.

But does Nato have a role to play in helping the private sector in cyber defence?

“It is a two-way street – while we are dependent, to some degree, on the private sector, organisations that are being hit by cyber attacks are also seeking the assistance of governments,” said Shea.

“To some degree it is a relationship of mutual dependency, but such relationships only work if both sides benefit equally from it,” he said.

As a result, as Nato takes forward its relationship with industry, Shea said the key objective is to work out what kind of relationship will be meaningful for all parties.

“What we want in a cyber industry partnership is a very broad dialogue with a range of different companies to exchange ideas in such a way that both sides are getting enough out of it to sustain that relationship,” he said.

Preparing for cyber attacks

Will Nato be instrumental in promoting any “quick wins”, such as mandating two-factor authentication?

“In addition to the long-term co-operation we have outlined in the policy, we could also usefully focus on a few things to kick-start the dialogue, and the authentication idea is an interesting one,” said Shea.

“In discussions with industry, planned for later in September, we will look to set short-term, medium-term and long-term goals, and we will welcome good ideas for an agenda to get things up and running,” he said.

Finally, the enhanced cyber defence policy factors cyber attack scenarios much more heavily into Nato’s military operational planning.

“This means that all future Nato military exercises will involve a cyber component and look at the challenges of running military operations in a degraded cyber operating environment,” said Shea.

Both Hart and Shea were members of a panel discussion on the emerging security challenges in a networked world at the Nato pre-summit debate hosted by Forum Europe.
