RIZWAN ALI, Colonel, US Air Force Team Leader, Task Force Cyber Supreme Headquarters Allied Powers Europe (NATO) @CyberRiz [email protected] https://www.linkedin.com/in/CyberRiz Case Study: Incorporating Cyber into NATO Military Structure

Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

Page 1: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

RIZWAN ALI, Colonel, US Air Force

Team Leader, Task Force Cyber

Supreme Headquarters Allied Powers Europe (NATO)

@CyberRiz, [email protected]

https://www.linkedin.com/in/CyberRiz

Case Study: Incorporating Cyber into NATO Military Structure

Page 2: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

Numerous undeterred actors

Motivation of threat actors remains strong

Actors test adversaries’ technical and political resolve

Muted response may create permissive environment

Adapted from Office of the US Director of National Intelligence’s unclassified assessment

Threat Landscape

Page 3: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

International organization

Consensus decision making

North Atlantic Council

NATO 101

Page 4: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

• Purely cyber defense

• Cyber attacks can reach Article 5

• Robust assistance to Allies

NATO’s Cyber Policy

Page 5: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

Technical aspects of cyber defense handled by NATO C&I Agency

NATO’s Cyber Structure

Page 6: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

If cyber defense not controlled by the military, what role is there for NATO’s Military Authorities?

NATO Military Authorities’ Dilemma

Page 7: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

Determine military need

Develop a plan

Implementation

Course correction

Page 8: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

• Incorporate cyber into operational processes

• Build cyber into plans

• Develop cyber injects for exercises

• Ensure continuity of operations

• Develop cyber situational awareness

• Define and refine cyber capabilities

Military Need / Develop Plan

Page 9: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

• Incorporate cyber into operational processes

• Build cyber into plans

• Develop cyber injects for exercises

• Ensure continuity of operations

• Develop cyber situational awareness

• Define and refine cyber capabilities

Implementation

Bureaucratic momentum is non-trivial

Page 10: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

Overcoming the non-trivial bureaucratic momentum:

• Embedded cyber into SHAPE’s OpsCenter

• “Forced” ourselves into meetings and conferences

• Insisted on approval authority for cyber inject development

• Established Task Force for Cyber – key matrix management success

• Provided daily/weekly reports to SACEUR & staff

• Became “info-central” for cyber in NATO

Implementation

We made ourselves indispensable to SACEUR and Ops

Page 11: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

• Incorporate cyber into operational processes

• Build cyber into plans

• Develop cyber injects for exercises

• Ensure continuity of operations

• Develop cyber situational awareness

• Define and refine cyber capabilities

Military Need / Develop Plan

Page 12: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

Ensure continuity of operations

Not a pure CIS (J6) issue

Continuity of Ops not continuity of CIS

Experts are Ops (J3) and Plans (J5)

Operations must continue in degraded and denied cyber environments

Implementation

Page 13: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

Difficult to define

No standard industry or military framework

Consulted experts around the globe

Required SHAPE to develop our own concept

Cyber Situational Awareness

Implementation

Page 14: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

Cyber SA: Aggregation of data is non-trivial

[Figure. Labels: NIFC Threat Reports (repeated); Network Threat Reports; Cyber Security Sensor Network; Allies Cyber Intel; Cyber Reports; Commercial Cyber SA; Open Source Collection; Military Commands; National Intel Analysis and Briefings; Network Ops Ctr]

Source: Unclassified SHAPE product

Page 15: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

Cyber SA: The Framework

[Figure. Labels: Mission Awareness; Threat; Network Awareness; Cyber SA]

Page 16: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

[Figure. Labels: Threat; Mission; Network; Cyber SA; Allies; Cyber Sensors; Event correlation; TF Cyber; Network Ops; Subordinate Commands; Vendors; Commercial Cyber SA Feeds; NATO Intel; Open Sources; Academia; Other On-Demand Analysis; Trend Analysis; Threat Analysis; Unusual Insider Activity Analysis; NATO Network CD Key Indicators; Strategic Website Status; Strategic-Level Data Analysis; Data Fusion]

Page 17: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

Develop coherent vision for future

Don’t be dependent on existing frameworks

Form a matrix team to implement vision

Ensure executive-level approval

Key Lessons

Involve Operators (J3 & Ops Center) from Day 1

Stress that Cyber is not same as CIS

Page 18: Col Rizwan Ali - US Air Force - Cyber Defence in NATO’s Military Structure

RIZWAN ALI, Colonel, US Air Force

Team Leader, Task Force Cyber

Supreme Headquarters Allied Powers Europe (NATO)

@CyberRiz, [email protected]

https://www.linkedin.com/in/CyberRiz