Download presentation
Presentation is loading. Please wait.
Published byAshlyn Nuth Modified over 9 years ago
1
Mr. Mark S. Loepker Colonel Enrico Bologna SC/4 Co-Chairmen
NATO Consultation, Command & Control Board INFOSEC Subcommittee “Protection of Information” SC/4 Perspectives 4 May 2005 On behalf of Col Bologna and myself, I wish to thank Jarslov Smid and Jarslov xxx for the great support provided to me as I prepared for this wonderful conference. I am honored to be here and look forward to speaking with many of your as the conference proceeds. When Jarslov told me the theme of your conference, Protecting Information, and asked me to speak I was very excited to do so. Clearly, this is THE topic of the day. Not only do we rely on Computer Information Systems to handle our daily lives, but it is the centerpiece of how NATO conducts its mission. There is no augment over the importance of this topic. But there is plenty of debate over how to successfully achieve the protection of information. Many factors must be considered when weighing protection options. We are all familiar with the process. Many call it risk management. Some call it risk acceptance, and others call it risk avoidance. No matter what label you place on the decision process it still must analyze the fundamental elements of risk – namely, the vulnerability inherent in systems, the adversary who wishes to exploit those vulnerabilities (some call this threat), the impact on the mission given a successful attack and the countermeasures to plug up the most lucrative vulnerabilities. How does NATO go about agreeing on how to approach these INFOSEC challenges – that is what I’d like to share with you over the next few minutes. Mr. Mark S. Loepker Colonel Enrico Bologna SC/4 Co-Chairmen NATO UNCLASSIFIED
2
Protecting Information Policy Directives Guidance Oversight NOS
INFOSEC Subcommittee SC/4 Multiple Bodies Protecting Information is not easy. On one hand, users what easy access to information from any location at any time. On the other hand, users what to be assured the information they access is there when they need it (availability), the right information (integrity), from the right people (authenticity), and they don’t want the bad guy to know what they know (confidentiality). A tough problem for the Information Technology and Information Security professional. A good way to address this challenge is through three fundamental techniques. The first is policy. Good policy will have a long life and not address specific technologies or conditions. It sets forth fundamental principles that are easy to understand. From these principles, come Directives and Guidance documents that implement the policy for specific situations. These documents address technologies and the conditions for their use. Finally, oversight is critical to ensure the directives and guidance that implement policy are used to protect our information. The NATO Security Counsel, NATO Office of Security, is responsible for NATO INFOSEC Policy. More about them later in this briefing. The INFOSEC Subcommittee, or SC/4, is responsible for directives and guidance that implement policy. And many bodies are responsible for oversight Today, I will concentrate my remarks on the INFOSEC Subcommittee. Directives Guidance Oversight NATO UNCLASSIFIED
3
Overview INFOSEC Subcommittee - SC/4 Role of SC/4
Achievements & Activities Areas of Interest First, I will provide a very brief overview of who the INFOSEC Subcommittee is and its structure. Many of you already know this but it will serve as a refresher to make sure we all understand the same information. Next we will focus on the role of the SC/4. The tasks before the Subcommittee are varied and create a workload that demands much from the nations, strategic commands and agencies that support the SC/4. It is important to look at the work just completed. As I mentioned in my opening comments, Technical and Implementation Directives and Guidance help implement Policy. By its very nature, Policy is broad and difficult to follow without the implementing documents. The quantity of documents produced sometimes seems overwhelming, but each is designed to help NATO and NATO Nations follow the Policy all agreed to. Lastly, we will look at what is on our plate for 2005 and beyond. These areas of interest span multiple years. The represent the focus of the SC/4 based on the NATO Consultation, Command, and Control Board (NC3B) direction. TX: Lets start with the SC/4 organization. NATO UNCLASSIFIED
4
Mission Statement The primary mission of the INFOSEC SC is to support the NATO C3 Board (NC3B) in achieving the fundamental security objectives of confidentiality, integrity and availability in relation to NATO information stored, processed or transmitted in C3 systems and, as appropriate, in relation to the supporting C3 systems infrastructure. The INFOSEC SC also supports the Military Committee (MC) and the NATO Security Committee (NSC) by responding on urgent matters of an operational or a security policy nature. You see here the INFOSEC Sub-Committee’s mission statement. Again, the subcommittee’s mission is to support the NATO C3 Board in the fundamental security objectives of Confidentiality, Integrity and Availability. This includes all information stored, processed or transmitted in C3 systems as well as the supporting infrastructure. Please note the reference to the NATO Security Committee and the Military Committee. You will see the relationship more clearly in a later slide. NATO UNCLASSIFIED 2
5
SC/4 Composition 26 Member National Representatives
Strategic Commands & Agencies: Supreme Headquarters Allied Powers Europe (SHAPE) / ACO Supreme Allied Command Transformation (SACT) NATO Office of Security (NOS) NATO CIS Support Agency (NCSA) NATO C3 Agency (NC3A) NATO ACCS Management Agency (NACMA) SECAN, DACAN, EUSEC, EUDAC Secretariat: Co-Chairmen (Staff and Nationally Elected) Secretary There are 26 National Representatives to the Subcommittee. These members bring to our Plenary Meetings the official national position on any matter before the Subcommittee. Unanimous decision many times requires the members to meet outside of Plenary session to achieve consensus. You see that the subcommittee has representatives from both Strategic Commands, the NOS, NCSA, the NC3A, NACMA, and finally four Military Committee agencies, SECAN, DACAN, EUSEC and EUDAC. These members provide the requirements (Strategic Commands) and the guidance (Agencies) necessary for the nations to conduct business. The INFOSEC Secretariat is drawn from the NATO Headquarters C3 Staff INFOSEC branch. The staff Co-Chairman of the subcommittee also serves as the branch chief of the INFOSEC Branch. This is Col Enrico Bologna, while I (Mr. Mark S. Loepker) fill the nationally elected co-chairman position. Ms. Sonia Faraguna is the SC Secretary. NATO UNCLASSIFIED
6
The Agencies SECAN EUSEC DACAN EUDAC
Military Committee Communications and Information Systems Security and Evaluation Agency - US Staffed and Operated EUSEC Military Committee European Communications Security and Evaluation Agency - UK Staffed and Operated DACAN Military Committee Distribution and Accounting Agency US Staffed and Operated EUDAC Military Committee European Distribution and Accounting Agency UK Staffed and Operated SECAN is the short title for the Military Committee Communications and Information Systems Security and Evaluation Agency. SECAN is organised and staffed by the United States and it is the NATO Agency which evaluates crypto systems and communications security equipment proposed for use in passing NATO traffic, and recommends their approval or disapproval to the Military Committee. When requested, SECAN certifies the security of NATO funded CIS and Computer Controlled Systems and when requested by accreditation authority and mutually agreed, they will also evaluate the security of NATO or nationally funded CIS and Computer Controlled Systems. Finally, they assess the vulnerability of communications and CIS to technical exploitation and recommend technical COMSEC and COMPUSEC policy, standards and procedures. EUSEC, the European Communications Security and Evaluation Agency is organised and staffed by the United Kingdom and it evaluates violations of crypto security, and the physical security crypto material, where the material is used in Europe. DACAN is the Military Committee Distribution and Accounting Agency. It is organised and staffed by the United States and is responsible for coordinating the production, distribution and accounting of crypto material for use in NATO. EUDAC, the European Distribution and Accounting Agency, is organised and staffed by the United kingdom and performs a role similar to DACAN, but within Europe. EUDAC also supports DACAN in their work. NATO UNCLASSIFIED 5
7
Relationships NAC SC/4 INFOSEC NATO UNCLASSIFIED NATO SECURITY
COMMITTEE NATO C3 BOARD MILITARY SC/8 Naviga-tion PROVIDES INFOSEC TECHNICAL AND IMPLEMENTATION DIRECTIVES AND GUIDANCE SC/4 INFOSEC SC/2 Inter- operability SC/3 Frequency Management SC/5 Information Systems SC/6 Communications Network SC/7 Identi- fication WG/1 ADP SECURITY SC/1 Joint Requirements and Concepts Let me now provide you with an overview of the relationships between the SC, the Military Committee and the NATO Security Committee. This slide depicts the relationship between the NATO C3 Board and the MC and the NSC. SC/4, as indicated in its mission statement, has the task to provide support to the MC in CIS Security matters of an operational nature, and also shares a special relationship with the MC because of the SC’s relationship with the four nationally manned Military Committee agencies. SC/4 also has the task, stated in its mission statement, to provide technical and implementation directives and guidance to the NSC on matters of CIS Security policy. Under the NSC, WG/1 also has a special relationship with the INFOSEC SC, which is also depicted here. For efficient co-ordination,SC/4 is represented in WG/1 by the staff co-chairman of the INFOSEC SC. The NATO Office of Security (NOS) coordinates, monitors and implements NATO security policy. The Director of Security is the Secretary General’s principal adviser on security issues and is Chairman of the NATO Security Committee. He directs the NATO Headquarters Security Service and is responsible for the overall coordination of security within NATO. NATO UNCLASSIFIED
8
Relationships NC3A NCSA NACMA NATO C3 BOARD SC/4 INFOSEC MILITARY
COMMITTEE NATO C3 BOARD SC/4 INFOSEC Requirements SHAPE / ACO NC3A SACT NCSA SECAN Let me now move to the detailed relationships found within the Sub-Committee. You see here that the NC3A, NCSA, and NACMA are part of the NATO C3 Organisation providing technical support, as needed to SC/4. Requirement statements come from the Strategic Commands to SC/4, highlighting their special role in the SC. You will notice that the four nationally manned Military Committee agencies, while answering directly to the Military Committee are also providing technical support to the INFOSEC SC. These relationships and the necessary co-ordination are vital to the on-going work within the INFOSEC SC. DACAN NACMA EUSEC EUDAC Provides technical support, as needed NATO UNCLASSIFIED
9
Ad Hoc Working Groups INFOSEC SC AC/322 (SC/4) NATO UNCLASSIFIED
Staff co-Chairman Col. Enrico BOLOGNA National co-Chairman Mr. Mark Loepker LTC Mike Richardson Secretary: ISDN AHWG/3 Dormant Chairman: VACANT COMMON CRITERIA AHWG/10 Chairman: Mr. David MARTIN Sec: LTC Mike RICHARDSON CRYPTOGRAPHIC DOCUMENTATION AHWG/14 Chairman: Mrs. Debby WALLNER Sec: Maj. Giordano EUSEPI INTERCONNECTION OF NETWORKS(ICN)AHWG/4 Chairman: Mr. Jim OBAL Sec: Cdr. Bernd FÜSER NATO/NON-NATO CO-OPERATION AHWG/11 Chairman: Cdr. Bernd FÜSER TECHNICAL INFOSEC DOCUMENTATION AHWG/15 Chairman: Mr. Kjell W. BERGAN Sec: LTC Mike Richardson Here is the present sub-structure of our INFOSEC Sub-committee. As you can see, we have eight active AHWGs and we intend to reactive the ISDN AHWG later this year in order to develop the Technical Characteristics for Primary Rate Interface (PRI) to identify and select eligible crypto equipment for NATO procurement. Let me review this work quickly with you. The ISDN AHWG is working to develop the MC of crypto equipment for ISDN within NATO. The Interconnection of Networks AHWG is addressing the technical and implementation aspects for the interconnection of NATO networks between NATO networks and non-NATO and public networks. The Application Security AHWG identifies security issues addressable in the application layer of the OSI (Open Systems Interconnect (OSI) Reference Model ). The INFOSEC Architecture AHWG review and updates the INFOSEC Framework Document. A revised version of this document is now being drafted. The mission of the Common Criteria AHWG is to develop a NATO Transition Plan from the current NATO criteria for evaluation of IT security to the new Common Criteria, addressing all aspects that impact NATO. The mission of the NATO-Non-NATO Co-operation AHWG is to establish direct liaison and common level of knowledge amon INFOSEC orgnaisation and staffs in NATO and PfP nations. Further interaction with the INFOSEC SC and the PfP nations will be co-ordianted and organised through this AHWG. The Cryptographic Documentation and Technical Implementation Documentation AHWGs are working on the latest Technical & Implementation Directives and Guidance. In 2004, we established two new AHWGs: first, the Secure Communications Interoperability Protocol AHWG also known as “SCIP” under the chairmanship of Mr. Antony Martin of the UK - this has replaced the old Application Security AHWG and second, the Cryptographic Modernisation AHWG under the chairmanship of LTC Bob Logsdon, USAR. SCIP AHWG/6 Chairman: Antony MARTIN Sec: Maj. Fred JORDAN INFOSEC ARCHITECTURES AHWG/13 Chairman: CDR Wolfgang KÖHLER Sec: Maj. Giordano EUSEPI CRYPTOGRAPHIC MODERNISATION AHWG/16 Chairman: LTC Robert LOGSDON Sec: Col Enrico BOLOGNA NATO UNCLASSIFIED
10
Role of SC/4 Develop Technical and Implementation Directives and Guidance Based on Security Policy Assist in Identification and Formulation of INFOSEC Requirements Promote Interoperability Between NATO and NATO Nations, Non-NATO Nations and International Organizations Over the next three slides, we will discuss the role of the SC/4. As I mentioned earlier, these functions demand a large amount of work. This work is captured as tasks in our Program of Work agreed by all the nations, reported to the NC3 Board and reviewed and updated annually. I would say that our most important function is our first role – developing technical and implementation directives and guidance. This consumes the majority of our Program of Work and the time of nations, strategic commands and agencies. These documents are based on and implement policy developed by the NSC. Next, we consult with the Strategic Commands to identify and formulate the INFOSEC requirements necessary to protect NATO’s information. This process is clearly an ongoing mutual exchange of information as the nations share their national architecture and INFOSEC plans and the Strategic Commands share their military requirements. Key to NATO’s success is interoperability not only within and between NATO and NATO Nations but also with NATO’s partners. Interoperability saves the lives of our warfighters through seamless secure communication. We don’t always achieve it. Our goal must be to eliminate areas of non-interoperability. I talk more on this issue later. NATO UNCLASSIFIED
11
Role of SC/4 (Continued)
Recommend Improvements to Operations, Materials, and Facilities Contribute to the Identification of Vulnerabilities Provide a Forum for Exchange of Information and Ideas SC/4 provides an excellent opportunity to bring each nation’s best INFOSEC practices together for the betterment of NATO. During each Plenary, a section is set aside for nations to present their capabilities and future plans. For instance in the last Plenary, Norway, who won the NATO competition for IP Encryptors, described the improvements planed taking the original 10 Mega bits per second up to 1 giga bit per second. The improvements are interoperable the the higher speed equipment will allow for enhanced collaborative planning tools. Finding vulnerabilities is job that never ends. Information technology is not perfect. In fact, each capability has an inherent vulnerability. The key is to find the right combination of countermeasures that provide enough defense in depth or layered security to stop the bad guys from exploiting the vulnerabilities. To help find network vulnerabilities, NATO often turns to its own evaluation agency SECAN, with over 50 years of experience. A very important function of SC/4 is the exchange of ideas. Today’s rapidly changing information technology environment demands a forum to debate the best ways to protect NATO’s information. The SC/4 uses various means to accomplish this goal. Our Ad Hoc Working Groups debate the technical issues and develop the documents. Our Plenary Meetings debate the political issues, formally agree on documents, and share best practices. And lastly, our social activities promote the friendships necessary to work the tough issues and achieve consensus. I remember with great memories our 2002 summer Plenary in your beautiful city – Prague. NATO UNCLASSIFIED .
12
Role of SC/4 (Continued)
Maintain Technological Awareness of Developments That May Affect Security Advise the NATO Security Council on Implications for NATO Security Policy Monitor and Assess the INFOSEC Projects Within the NC3A Hand in hand with our goal of keeping pace with national developments, the SC/4 works with other NATO subcommittees and agencies to stay aware of all technological developments that effect the protection of information. For example, NATO’s efforts in Network Enable Capabilities or NNEC. This is the future of NATO’s evolving Information Technology architecture. SC/4 is working closely with the NC3A to assess the INFOSEC aspects of NNEC. An initial study is due for release this fall. If you remember my first slide that spoke of policy, directives and guidance, and oversight. Key to good policy is frequent exchange between the policy developers, the NATO Security Council, and the ones task to write implementation documents, SC/4. The NSC’s active organization for leading policy development, te NATO Office of Security (NOS), attends our Plenary meetings and Ad Hoc Working Groups. SC/4 likewise attends NOS Working Group One who writes INFOSEC Policy. Together, we work to make sure NATO has the best policy and implementing documents to protect NATO’s information. The NC3A plays an important role in the SC/4. They provide the engineering and technical support to assess projects under consideration. SC/4 turns to the NC3A for help with ad hoc working groups, NATO Public Key Infrastructure, NATO Security Accreditation Board, vulnerability assessments, architecture assessment and product interoperability testing to name a few. SC/4 provides oversight for tasks that support our Program of Work. NATO UNCLASSIFIED
13
2004 Achievements Requirement for, Selection, Approval and Implementation of, Security Tools Electronic Labelling of NATO Information Consistent Marking of NATO Information in C3 Systems Intrusion Detection Support of PKI Cryptographic Aspects Now, I’d like to highlight some of the progress we made in 2004. 1. INFOSEC T&I Directive on the Requirement for, the Selection, Approval and Implementation of, Security Tools – AC/322-D(2004)0030, 17 Jun 04 2. INFOSEC T&I Guidance for Electronic Labelling of NATO Information – AC/322-D(2004)0021 (INV), 5 Mar 04 3. NC3B T&I Guidance for Consistent Marking of NATO Information in C3 Systems – AC/322-D(2004)0022 (INV), 12 Mar 04 4. INFOSEC T&I Guidance on Intrusion Detection – AC/322-D(2004)0033, 22 Jun 04 5. INFOSEC T&I Guidance in Support of Public Key Infrastructure Cryptographic Aspects – AC/322-D(2004)0035, 16 Jul 04 NATO UNCLASSIFIED
14
2004 Achievements (Continued)
Education and Training Requirements for INFOSEC Personnel Criteria for NNN Structures, Rules and Procedures Strategy on Non-NATO Cryptographic Confidentiality Issues – Implementation Plan INFOSEC Course for NNN and IO NATO Public Key Infrastructure Reference Architecture 6. Additional Education and Training Requirements for Invited Nations’ INFOSEC Personnel – AC/322-D(2004)0009 (INV), 22 Jan 04 7. Criteria for Non-NATO Nations’ Structures, Rules and Procedures – AC/322-D(2004)0031, 24 Jun 04 8. Strategy on Non-NATO Cryptographic Confidentiality Issues – Implementation Plan – AC/322-D(2004)0032, 22 Jun 04 9. INFOSEC Course for Non-NATO Nations and International Organizations – AC/322-D(2004)0023, 12 Nov 04 And under the NATO PKI Management Authority the: 10. NATO Public Key Infrastructure Reference Architecture – AC/322-D(2004)0018 (INV), 5 Mar 04 NATO UNCLASSIFIED
15
2005 Planned Activities Cryptographic Security and Cryptographic Mechanisms Protecting NATO Information Over the Internet Network Centric Environment Guidance on Common Criteria Technical Characteristics for Primary Rate Interface This year’s plate is very full. Some of our tasks include: Finalizing the revision of AC/322-D/0047 (Technical and Implementation Directive on Cryptographic Security and Cryptographic Mechanisms). This is our cornerstone document for cryptography. An initial revision was just approved by the NATO C3 Board but more work is needed. We are getting closer to providing agreed directives and guidance for the protection of NATO Information over the Internet. Working with SC/5, a policy and directive document are in development. Use of NATO’s Public Key Infrastructure and interconnecting network directives will provide the foundation for this effort. The TIDAHWG and CDAHWG continue to make progress on an additional three Directives and eight Guidance documents currently under development. The bulk of these documents takes into consideration the rapidly evolving technology that will ultimately be incorporated into the future Network Centric environment. The Common Criteria within NATO encountered a political challenge last year. We were unable to agree on a directive but did agree to provide guidance. It is difficult to hold all NATO Nations to the CC when not all NATO nations participate in the Common Criteria Recognition Agreement (CCRA). Therefore, a guidance document will provide the System Approval Authorities a means to accept CC or nationally evaluated products based on the evaluation evidence provided. If additional evaluation is required, the SAAs may seek that extra evaluation prior to approving a system. In 2001, the Integrated Service Digital Network AHWG was made dormant after the Technical Characteristics for the Basic Rate Interface (BRI) crypto equipment were defined. Now based on a clear Operational Statement of Requirement presented by ACO, the ISDN AHWG will reconvene to develop the Technical Characteristics for Primary Rate Interface (PRI) to identify and select eligible crypto equipment for NATO procurement. NATO UNCLASSIFIED
16
2005 Planned Activities (Continued)
Secure Communications Interoperability Protocol Comprehensive Cryptographic Modernisation Roadmap INFOSEC Training and Awareness Programme Plenary Session in EAPC Format INFOSEC Day with Industry Standards will help define and ensure future interoperability. This is why SC/4 considers Secure Communications Interoperability Protocol (SCIP) an important issue. To help coordinate SCIP activity, a NATO single point was established. Multiple subcommittees and international groups are working hard to define the standard. Some key documents are expected by the end of this year. The Cryptographic Modernization is a must task if we are to ensure the protection of NATO’s information in the future. Ageing cryptographic equipment must be replaced. We are working on the development of a comprehensive Cryptographic Modernization Roadmap over the next two years. The Roadmap is a transition strategy from the existing inventory to future generations of interoperable cryptographic products and mechanisms. Since 2001, the visibility and recognition of the importance of INFOSEC has increased dramatically. It is time to “sell our product” and in order to achieve this, we need to make products, and additional informational material, available to a wide audience and spread the word of where people (from user level through to managerial level) can go to access information to protect NATO information and to increase the visibility and understanding of INFOSEC. This effort will use web technology and other means to accomplish this task. As part of this goal, the SC/4 will begin to hold a portion of our Plenary Meetings in EAPC format. Many items are unclassifed and appropriate to share with our non-NATO partners. Those items for NATO only will be held in reserve for Plenary sessions. INFOSEC Day with Industry is built on the success of the first SC/4 “Day with Industry” held in Oct 04. The Sub-Committee agreed to continue these forum on an annual basis. These sessions bring industry experts together with policy makers to target the tough issues facing the Sub-Committee and further the efforts in moving towards a Network Centric Environment. The best way to protect our NATO information is to engage industry in a partnership where NATO develops the standards industry builds to. NATO UNCLASSIFIED
17
Areas of Interest NATO UNCLASSIFIED
The final part of my presentation will briefly address some long term areas of interest. NATO UNCLASSIFIED
18
INFOSEC Capability Package
Reference Architectures Strategic Commands Input Statement of Requirements Provides Nations Insight for INFOSEC Product Development The INFOSEC CP is an agreed document between multiple NATO bodies. The document provides the basis for identifying resources for agreed operational requirements. The Strategic Commands play a major role in formulating these requirements. The INFOSEC CP is now adequately supported by various approved architectures. It is consistent with NATO’s efforts to modernize and adapt to changing environments. Additional architectural details, including target architectures, will be developed as the INFOSEC CP projects mature. One of the many benefits of this package is the insight gained by nations on what INFOSEC products are needed to protect NATO’s information. From this insight, nations can develop the interoperable products in a timely fashion. NATO UNCLASSIFIED
19
Crypto Selection and Procurement
CSP Task Force IS, IMS, Nations, SC, Agencies Agreed That Synchronisation Will Reduce Procurement Delay NICE & NSIE Initial Review Separate Serial Processes - Caused Delays Change to Integrated Parallel Approach The Cryptographic Selection and Procurement Task Force was formed to identify and assess the sources of delays in selection and procurement of NATO cryptographic solutions procedures and to recommend an improved, more timely, selection and procurement. The first Cryptographic Selection Procurement Task Force meeting was held in February The meeting was attended by 20 nations, NATO bodies and agencies and proved to be very fruitful. There was overall agreement that synchronisation would significantly reduce any delay in procurement. The first CSPTF Syndicate meeting was just held to draft recommendations for improvement of the selection and procurement process. The results will be presented to the CSPTF this fall. The NATO Internet Protocol (IP) Cryptographic Equipment (NICE) and the NATO Secure Integrated Service Digital Network (ISDN) Equipment (NSIE) competitions provided the back drop for this effort. Initial review of the NICE and NSIE revealed much of the delay was due to separate serial processes. One of the CSPTF’s recommendations will be to adopt an integrated parallel approach. NATO UNCLASSIFIED
20
Cyber Defence and NCIRC
Central Capability Incident Handling and Reporting Establish Links With National CIRCs NATO Computer Incident Response Capability (NCIRC) IOC Declared on 16 Dec 04 IDS 17 Sites/2 Sensors Each by End 05 2004 has been a key year for the implementation of NATO Cyber Defence The NCIRC Main Capability, provided by British Telecom, was implemented in The System was handed over to NITC (NCIRC Tier 2) on 23 November 04 with Initial Operating Capability (IOC) declared on 16 Dec 04. Full Operational Capability (FOC) is planned under the INFOSEC CP. The NCIRC Handbook was published in December Comments are being received and will be taken into consideration for further versions. The Handbook is also available for downloading at Intrusion Detection System (IDS) provide an excellent proactive capability in the fight to protect NATO’s information. The reception of offers for IDS was closed on 27 Sep 04, after extensions requested by some nations. Admin & Financial Evaluations were performed at the end of Final offers are now under consideration. We expect to have initial IDS sites up by the end of 2005. NATO UNCLASSIFIED
21
NATO Public Key Infrastructure
Governed by NATO PKI Management Authority (NPMA) Ensure Interoperability Across NATO, NATO Nations and its Partners Provides Identification, Authenticity and Integrity Provides Protection of NATO Information up to NATO Restricted Must have Public Key Enabled Applications Public Key Infrastructure (PKI) provides the means by which we can identify, authenticate and ensure our information is the information we sent. Critical to a successful PKI is a common structure to implement its features. The NATO PKI Management Authority (NPMA) provides the organization for the development of those standards. The NPMA ensures these standards are agreed and followed which in turn will ensure interoperability within NATO and its partners. Agreeing to standards is one thing. Having the public key enabled applications is another. While there are some applications that use PKI, many more are needed before NATO can expect a robust use of PKI to protect NATO information. If implemented correctly and evaluated properly, PKI technology can provide the confidentially services necessary to protect up to NATO Restricted information over the INTERNet. NATO UNCLASSIFIED
22
NATO Network Enabled Capability (NNEC)
Support to Political and Military Strategic Framework Late 2005 INFOSEC Aspects Operational Requirements Security Policy Network Interconnections Risk Management NNEC is the future of NATO’s networks. With heavy support from both political and military organizations, the SC/4 stands ready to assess the INFOSEC aspects of this effort. We anticipate receiving the strategic framework this fall. Once received, we will begin the work to identify the many challenges ahead. We are sure new operational requirements will be developed. New security policy may be needed to support those requirements. To fulfill these requirements, we may need to interconnect our networks in a risk managed way. One thing is for sure, new opportunities await us around the corner and it will require the collective technical expertise of all NATO nations to develop the techniques needed to protect the future of NATO information. NATO UNCLASSIFIED
23
Road Map NOS Developed Support NSC and NC3B Web based collection of NATO Security Policies, Directives, and Guidance for the protection of NATO Information on Communication and Information Systems (CIS) In Final Development The last area of interest is a project led for the NOS. They have developed a web based tool to access NATO security related documents. It is a one stop shop for all the reference material one may need. The SC/4 is working with NOS to include all SC/4 documents making this tool a powerful means for accessing information relative to the protection of NATO’s information. NOS plans to complete this project soon. Nations will receive a copy of this tool during a future SC/4 Plenary as soon as it is finalized. NATO UNCLASSIFIED
24
Summary Protecting Information is Complex
Policy, Directives, Guidance and Oversight Provide Common Agreed Methods for Protection Collaborative Process Between NATO Bodies and NATO Nations Requires Constance Vigilance Protecting information is a complex task especially when 26 nations must agree to common policies, directives and guidance. Each nation has their own methods that meet their national requirements. Combining these methods into one that can take time. The SC/4 provides an environment to conduct the collaborative process necessary to reach consensus. It takes hard work and many months to achieve. But in the end, the collective NATO body benefits. The common goal is the protection of NATO’s information and in turn the information of every contributing nation. This requires continued vigilance as new vulnerabilities are discovered, new and old adversaries attempt to take advantage of those vulnerabilities and attack our networks, and new countermeasures are developed and deployed to stop them from damaging NATO’s mission. The challenges never end and therefore the work to solve them continues. The SC/4 is the focal point for NATO Nations to come together and tackle those challenges head on. It is a privilege and honor to Co-Chair this distinguished body with Col Bologna. I thank you for the opportunity to share our approach to protecting NATO’s information. NATO UNCLASSIFIED
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.