NEC Distributed Information
9.12. Active Cyber Security
NECCS is a set of defensive security measures. Offensive activities, in particular penetration actions against the NII, can be performed to test the efficiency of the security measures and the preparedness of the NECCS organization personnel. But offensive actions against objectives outside the NII are not considered.
DOTMLPF is an acronym originally coined by the US DoD to guide planners on the aspects that they should undertake when developing a program according to the JCIDS procedure (Joint Capabilities Integration and Development System). It refers to Doctrine, Organization, Training, Materiel, Leadership, Personnel, and Facilities.
Later, NATO adopted the acronym, adding the interoperability component, DOTMLPFI, because interoperability is a vital issue for the success of the development of any CIS. Furthermore, NATO considers interoperability a transversal component that has to be undertaken along with the rest of the components (DOTMLPF). In this way, NATO ensures that this critical element is included from the beginning. This avoids the recurring problem of requiring additional work to address interoperability issues after developing a system.
Likewise, practice has shown that security is a cornerstone in most programs, especially those related to information systems and telecommunications. Any change or occurrence subsequent to the implementation requires more expense and effort than if it had been incorporated from the beginning. Moreover, in some cases it is not possible to implement it after the fact.
NECCS is the “S” of the DOTMLPFIS acronym in NEC plans and, in turn, a DOTMLPFI study is a convenient way to tackle NECCS itself.
The DOTMLPFI study of NECCS is composed of smaller studies embracing just one element or aspect of NECCS. However, all of them have in common the same goal, “Information Superiority.”
The DOTMLPFI features for NECCS study are:
Doctrine. Study focuses on the development of a legal and procedural framework that guides users in how to proceed securely in an NEC environment. It is related to the development of doctrine, policy, regulations, guides and best practices.
Organization. Study focuses on the development of the best way to organize and link all the NECCS components (DOTMLPFI). It is related to the development of the NECCS organization and structure, roles and responsibilities.
Chapter 10
NECCS way ahead
[Figure: NECCS Planning: Doctrine, Organization, Training, Materiel, Leadership, Personnel, Facilities, Interoperability]
Training. Study focuses on the development of an educational activity that prepares users to interact securely with the information systems. It is related to the development of cyber security training, awareness, and exercises, mainly through online activities.
Materiel. Study focuses on all the computer materiel needed to carry out all the security services. It is related to computer equipment, software applications, both ancillary and spare.
Leadership. Study focuses on preparing NEC leaders in cyber security issues and NECCS leaders. It is related to the assumption by users of their respective responsibilities as well as to the study of trends that help prepare now for the future.
Personnel. Study focuses on the need for human resources. It is related to qualifications, job descriptions, training, awareness, leadership, change management, and motivation.
Facilities. Study focuses on the need for permanent and deployable installations to host the CIS securely.
Interoperability. Study focuses on the development of standards that help the secure interconnection between information systems with different security requirements.
Below are detailed general recommendations to develop a DOTMLPFI study for NECCS.
10.1. Doctrine
Doctrine is a term generally used in the military, legal, or religious fields and is understood in different ways: as a strict set of rules, a collection of general principles, or a list of recommendations.
Traditional military doctrine is a concise expression aimed at providing guidance in how military forces conduct operations. It is a guide to action, rather than a strict set of rules.
Another important objective of a doctrine is to provide a common lexicon. This objective is particularly important in the cyber security field, where the current situation regarding uniformity and consistency of terminology is a bit chaotic.
The NECCS doctrine concept is closer to the military understanding of a “guide to action” than to a “set of strict rules.”
So far, doctrines are based on theory, history, case studies, lessons, and experimentation. They offer guidance about how to act when some type of standard attack or other situation occurs.
The problem in an NEC environment is that this approach to developing a doctrine is not enough, given the characteristics of the particular NEC battle location, i.e., cyber space, where cyber threats are uncertain and dynamic in nature.
Below are some recommendations to develop an NECCS doctrine:
a. Due to the uncertain nature of cyber space, NECCS doctrine should add to the traditional study sources (theory, history, case studies, lessons learned, and experimentation) a study of trends and analysis of perspectives and prospects in cyber space.
b. Due to the changing nature of cyber space, NECCS doctrine should be flexible and allow a degree of freedom or non-observance to the users based on objective criteria.
c. Due to the rapid evolution of cyber space, NECCS doctrine should foresee a mechanism that reliably allows constant updates to itself.
d. Due to the lack of uniformity and consistency of the terminology related to the cyber field and, in particular, to security matters, NECCS doctrine should be permanently involved in the study and implementation of a cyber security glossary and taxonomy as well as explanations of new concepts.
e. NECCS doctrine should be composed of a comprehensive body of knowledge, including cyber security principles, policy, technical, and operational guidance, and international legal framework, all aimed at fostering initiative and creative thinking in the cyber security field.
Security policies and procedures evolve and adapt with time. A period of time is necessary to achieve a level of maturity and integration in order to be truly effective. After that, the policies can be considered doctrine.
10.2. Organization
NECCS organization is understood according to two aspects:
a. The organized group of people working together in the development, implementation, application, management, control, monitoring, and supervision of security measures and policies within an NEC