Coalition Network Defence Common Operational Picture

Josef Kaderka, University of Defence, Brno, The Czech Republic, [email protected]

Brno, The Czech Republic, 2 – 4 May 2007


Page 1: Coalition Network Defence Common Operational Picture

Josef Kaderka

University of Defence, Brno

The Czech Republic

[email protected]

Brno, The Czech Republic, 2 – 4 May 2007

Page 2: Agenda

• Terms
• Computer networks role under coalition conditions
• Some related activities and projects
• Today and near future
• Conclusion

Only non-classified sources were used and non-classified information is published

Page 3: NATO Network Enabled Capability

• Information superiority as a matter of successful future coalition operation
• Widely accepted idea …
• Everybody talks/works on it
• Not only pros, but also cons
• Technically, there are similar issues as in business, but we deal with lives

Page 4: Common Operational Picture and Situational Awareness

• Common Operational Picture (COP): A single identical display of relevant information shared by more than one command. A common operational picture facilitates collaborative planning and assists all echelons to achieve situational awareness.
  − US Joint Force Common Glossary
  − Free Dictionary
  − Wikipedia
• Situational Awareness (SA) as a COP result

Page 5: Computer networks

• Vital importance
• Coalition interconnecting aspects
  − Sensitive information sharing
  − IT asymmetry (USA, …, the rest)
  − De facto partial infrastructure sharing
  − Firewalls, IDSs, Safeguard etc.
• Computer networks as a battlefield
• Need to be defended - on the coalition level

Page 6: Cyberbattle specifics/possibilities

• No line of contact
• No safe distance as a security guarantee
• No relation with unit geographical deployment
• Correct recognition of real attack (false positive/negative)
• Extremely rapid attack expansion even from the depth
• Massive concurrent and selective attack against discovered vulnerabilities
• All this in the coalition environment!

Page 7: Forces and Networks

• Operational Capability Requirements equal to the IT services
• "Force" commander should
  − Understand the new threats
  − Consider proactive measures, ...
• "Network" commander should
  − Understand the force commander intention, ...
  − Many new specific duties
• Both should share the same approach

Page 8: Some related activities and projects

• NATO Multilateral Interoperability Program (MIP)
• The Technical Cooperation Program (TTCP)
  − Aus, Ca, NZ, UK, US (five eyes nations)
• Combined Enterprise Regional Information Exchange System (CENTRIXS)
• Coalition Secure Management and Operations System (COSMOS)
• FGAN/FKIE *
  − Ge
• NATO RTO IST ET

*) Forschungsgesellschaft für Angewandte Naturwissenschaften, Forschungsinstitut für Kommunikation, Informationsverarbeitung und Ergonomie

Page 9: MIP

• Objective to share
  − Situational Awareness
  − Plans and Orders
  − NBC alerts and critical messages
• Common Interface Specification
  − Message Exchange Mechanisms (ADatP-3)
  − Data Exchange automatic push
• Land Command and Control Information Exchange Data Model
• Nations' interface on a secure LAN

Page 10: CENTRIXS

• US-led, multinational information sharing networks
• Core collaboration services
  − E-mail with and without attachments
  − Web-browser-based data access
  − File sharing
  − Secure VoIP
• Next extensions
  − COP (Tactical), CIP (Intelligence)
  − Near-real-time data access etc.

Page 11: COSMOS

• Preliminary steps
• High tactical and operational level coalition information sharing among coalition partners known to each other
• Advantage of a well defined and internationally agreed to "information language se" designed for C2 interoperability
• Enforce the discrete dissemination (Protected Sharing) of released information, "need to know" based
• Focused toward a single Secret High Releasable to coalition network

Page 12: FGAN/FKIE

• Graph clustering-based anomaly detector
• Modified star connected IDS network with central Meta-IDS server
• Modifications to hierarchical IDS
• Information sanitization while exiting local domain
• Data reduction & predefined correlation rules to manage data flow
• MITE - MANET Intrusion Detection for Tactical Environments

Page 13: NATO RTO IST ET 041

• 2005 – 2006 (Ca, Cz, UK, US)
• Coalition Network Defence Common Operational Picture (CNet-D COP) (formerly Coalition Information Assurance – CIA – COP)
• Technical and political approaches to the problem of developing and demonstrating a coordinated IA posture
• Collecting, displaying, fusing, and securely sharing network security-related status data, ...

Page 14: Today and near future of the CNet-D COP

• Models needed (secure information sharing)
  − Conceptual, Data
  − Joint C3 Information Exchange Data Model (JC3IEDM) already exists
  − Advanced national research in Canada
• Standardization (in coalition environment)
  − Computer attack early warning
  − Attack correlations among partners, ...
  − IETF Intrusion Detection Message Exchange Format (IDMEF) draft, ...
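
The "information sanitization while exiting local domain" step from the FGAN/FKIE slide, applied to an IDMEF alert as named on this slide; this is an added example, not part of the presentation or of any project it describes. The policy (keyed pseudonyms for internal hosts and addresses, sensor details replaced by a domain label), the function names and the sample alert are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import xml.etree.ElementTree as ET

NS = {"idmef": "http://iana.org/idmef"}  # IDMEF namespace (RFC 4765)
ET.register_namespace("idmef", NS["idmef"])

# Constructed sample alert; hosts, addresses and sensor names are invented.
SAMPLE_ALERT = """<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
  <idmef:Alert messageid="abc123">
    <idmef:Analyzer analyzerid="hq-dmz-ids-01" model="ExampleIDS">
      <idmef:Node><idmef:name>ids01.hq.example</idmef:name></idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc71f4f5.0xef449129">2000-03-09T10:01:25.93464Z</idmef:CreateTime>
    <idmef:Source><idmef:Node><idmef:Address category="ipv4-addr">
      <idmef:address>198.51.100.7</idmef:address></idmef:Address></idmef:Node></idmef:Source>
    <idmef:Target><idmef:Node><idmef:name>mail.hq.example</idmef:name>
      <idmef:Address category="ipv4-addr">
      <idmef:address>10.20.30.40</idmef:address></idmef:Address></idmef:Node></idmef:Target>
    <idmef:Classification text="SSH brute force"/>
  </idmef:Alert>
</idmef:IDMEF-Message>"""

def pseudonym(value, key):
    """Keyed, stable token: repeats stay correlatable, the value stays hidden."""
    return "anon-" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]

def sanitize_alert(xml_text, key, domain_id,
                   internal_nets=("10.0.0.0/8",), internal_suffix=".hq.example"):
    """Return the alert as it may leave the local domain (assumed policy)."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    root = ET.fromstring(xml_text)
    for alert in root.findall("idmef:Alert", NS):
        analyzer = alert.find("idmef:Analyzer", NS)
        for child in list(analyzer):      # drop sensor Node/Process details
            analyzer.remove(child)
        analyzer.attrib.clear()           # drop sensor id, model, version
        analyzer.set("analyzerid", domain_id)
        for name in alert.findall(".//idmef:Node/idmef:name", NS):
            if name.text.strip().endswith(internal_suffix):
                name.text = pseudonym(name.text.strip(), key)
        for addr in alert.findall(".//idmef:address", NS):
            ip = ipaddress.ip_address(addr.text.strip())
            if any(ip in net for net in nets):
                addr.text = pseudonym(str(ip), key)
    return ET.tostring(root, encoding="unicode")
```

The key stays inside the originating domain, so partners receive stable tokens they can correlate across alerts but cannot reverse; the external source address and the classification pass through unchanged.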

Page 15: Example of CNet-D Security Architecture Model (DRDC Ottawa)

[Figure: security architecture model diagram with numbered markers 1 to 7. Labels: Critical Resources; System Description; Defensive Posture; Exposed Critical Res; Ops Capability Req (IT Services); Risk (Pr<1); IT Svc impact (-delta Service); Threat Pr<1 (Threat Vector); Vulnerabilities; Force Commander; ITI (resource model); Exploits; Threat Pr=1 (Threat Vector); Incidents (Pr=1); IT Svc Impacted (-delta Service); events; alarms; Intel on Threat Pr<1 (Threat Vector); Safeguards; Threat Vectors Pr=0; Impact as -delta on IT Services now & future.]

Page 16: Possible CNet-D COP architecture (DRDC Ottawa)

[Figure: architecture diagram. For each of CA, US, UK and CZ the labels COP, Guard and IA COP appear, together with a central Coalition WAN.]

Page 17: What to discuss/do

• Security architecture
• Single/common view of coalition networks security status ...
• Impact Assessment [tools] ...
• Practical realization, testing ...

Page 18: Some ET 041 results

• The Research Task Group (RTG) proposal agreed
  − Sent to appropriate body
• Items to solve specification
• Basic documents prepared
• Technical Activity Proposal
• Programme of Work (PoW)

Page 19: Future RTG Work Items

• Plan overall activities of the RTG
• Agreeing on an underlying set of definitions to be used for CNet-D SA (Situational Awareness)
• Agreeing on the conceptual model for CNet-D SA
• Defining a detailed data model and data specifications
• Promote the data model and necessary definitions, etc.

Page 21: Thank you