“Get this done final as soon as we can so...”
“Sir, there is something really strange going on, you have to take a look at this…”
“Sir, 10 minutes ago we noticed a worm moving through our network… hundreds and hundreds of
machines … using MS-RPC exploits, with multiple evasion techniques. Anti-virus does not detect
this. Luckily, we do!”
“Which site is that?”
“This is site one!”
“Chris, what do you think?”
“I think we need to respond immediately.”
“OK, Jacks, declare this as an incident, Chris let’s get the management team together
as soon as we can.”
This is NATO's Computer Incident Response Capability Technical Centre, the heart of
the Alliance's fight against cyber crime.
“We believe that it is exploiting the recent “dot-lnk” vulnerability. It actually tries
to propagate itself using the network-shares in the removable drives.”
NATO's member nations report five or six important cyber incidents every day. This time it is
only an exercise. Following any attack, the centre's director, Ian West, calls together
experts from the departments concerned. Everyone knows what they have to do. Things can get
out of hand in a matter of seconds.
"NATO's computer incident response capability provides cyber defence services for all NATO
sites, whether they're static headquarters or deployed in our operations or exercises.
And we do this by trying wherever possible to prevent incidents and attacks from happening.
But when we can't prevent them, we need the ability to be able to detect them and respond
quickly to them. And when those attacks are successful, which unfortunately sometimes
they are, we need to be able to recover the systems so we can get back to our normal operations
as soon as possible."
Cyber attacks are growing in number and in scale. From individuals seeking notoriety,
to gangs trying to cripple states. Recently, Hacktivists from the group Anonymous called
on their members to target NATO. Before that, the Wikileaks affair made headlines world-wide,
exposing, among other things, diplomatic cables allegedly stolen by a disgruntled soldier.
In seconds computers across several borders can come under fire. European nations and
institutions have also been hit. NATO's priorities now are to help allies prevent attacks, to
provide services like education and training, and to lend a hand in times of crisis.
"Cyber attacks are increasing every day, against NATO systems, against important systems in
our member states. And NATO therefore has to go beyond purely providing protection for
its own systems, which was a little bit where we were a little bit before the attacks in
2007 against Estonia, to being able to offer cyber services, cyber protection, to our member
states so that we can help them to prevent attacks, detect attacks, and, if attacks take
place, to quickly respond to limit the damage."
The attacks on NATO member Estonia brought its ministries, parliament, banks and media
to a grinding halt. They were a turning point in the way aggression via computers is perceived.
NATO set up a Cyber Defence Centre of Excellence in the capital Tallinn dedicated to research,
development and the training of experts, as well as to sharing information and lessons
learned. But the Stuxnet virus, which appeared in 2010
and seriously set back Iran’s nuclear program, made the leap from the virtual to the real
world. Critical infrastructure like power stations, transport networks and hospitals
had never seemed so vulnerable.
Adrian Valciu is in charge of security at Transelectrica, the operator of Romania's
electrical network. He is permanently in the frontline, defending a critical piece of national
infrastructure. Because, as Adrian says, security is always too much until it's not enough.
"This place is the most important key asset of the critical infrastructure for electricity.
From this point all the commands are given for a smooth operation of the whole electricity
sector in Romania, and also in the Southern part of Europe. Due to the importance of this
facility, we have here a high level of security, not only for physical security, but also for
cyber-security. If something goes wrong here, the whole country will be affected, and a
lot of people and a lot of activities of the State will be put in a bad position.
"The risk is very high to have a black out, not only Romania, but also for the neighbouring
countries, because of the interconnections in the European grid.
“We rely on very well trained people, trained also in security, but also in cyber-security,
and the fight against terrorism. We were trained also in some seminars, with NATO."
Transelectrica's IT department is managed by Teletrans, a telecommunications operator
that controls, among other things, the network's secured computer system known as SCADA.
"After the attack by the Stuxnet virus, we understood for the first time that the SCADA
system is not invulnerable to attack, as we thought before. After that we carried out
some audits. At this very moment we are conducting an audit to check all the security points
in the EMS SCADA system to be sure there are no problems. It's impossible to get into the
system by accident."
Back at NATO, the experts are trying to counter the attack as the exercise unfolds.
“We have noticed some suspicious events coming from your site. Can you please check
your EPO server, and verify as well whether your systems are receiving patches correctly
or whether they are not patched.”
The goal is to detect weaknesses and supply patches. But this is not a job NATO can do
alone. Without the help of private industry, companies specialised in protecting computers
and systems, its defence network would be compromised.
“Hi Arthur, actually ... signatures are available from the vendor. Could you please
publish a report immediately... Yes, thank you.”
One company which provides software and expertise to the allies is Symantec. The head of its
government affairs in Europe department, Ilias Chantzos, is only too aware of the size of
the problem. Over the last eight years, the number of new viruses appearing annually has
risen from around 25,000 to 286 million.
"The more our daily life is dependent on critical infrastructure and on ICT to run it -- like
the distribution of energy, or the telecommunications, or even transport systems -- the more we're
dependent on computers to run all these facilities, the more by the moment these systems are being
attacked, it becomes a threat to our national security and to our economy and to the way
we live our daily life."
At the moment, it is the cyber criminals, operating in networks, who have the advantage.
To stand a chance, NATO and its partners must pool their resources.
"Industry, government and critical infrastructure operators need to find ways to cooperate better
and exchange information better in order to also better understand what the threat is
and how they can collectively defend themselves."
One of NATO's key partners is the European Union. In Brussels, the EU's efforts to prevent
and fight cyber crime are being coordinated by Home Affairs Commissioner Cecilia Malmstroem.
Clearly there is no sense in doubling up.
"Sometimes you don't know where an attack comes from and sometimes it can affect the
critical infrastructure. That's critical for us, but also for NATO. And to build up competencies,
exercises, analyses, intelligence and preparedness, awareness raising, it seems a bit unnecessary
to do that in parallel when we can really join forces. Because only the criminals would
benefit from us doing parallel things."
Sometimes it's too late for prevention. At NATO, the decision has been taken to despatch
a team of Rapid Response experts to help on the ground.
The team has grown out of NATO's cyber defence policy, which was revised by defence ministers
in June 2011. Efforts now focus on preventing threats and building resilience.
The United States has even urged its allies to consider that a major cyber attack on any
member should be deemed an attack on all, and warrant a collective response, including
the use of military force.
"I think is a powerful sort of political signal that we do not consider cyber attacks as somehow
the acceptable form of conflict, in a way that launching a nuclear weapon against somebody
is an unacceptable form of conflict. It's an attack. An attack by electrons is just
as unacceptable as an attack by tanks or aircraft."
At Transelectrica, Adrian Valciu's work day has come to an end and he's heading home.
Of course, his family computer is shielded from viruses. Like his nation's security authorities,
Adrian is particularly conscious of the need to protect and back up his sensitive data.
Romania must remain vigilant and work closely with its international partners and industry
to ensure that the people of Bucharest can sleep easy.