SECURITY WITHIN NATO - NLD-A by Adjudant Gerard Jansen IT Sy NCOIC in the CJ-2 Division NATO School
SECURITY WITHIN NATO by Adjudant Gerard Jansen NLD-A IT Sy NCOIC in the CJ-2 Division NATO School UNCLASSIFIED
Personal Background
1956
1974: Basic training, NCO Academy
10 years Engineer
6 years Counter Intelligence and Security Units in NLD
8 years Military Intelligence Unit in DEU
Missions: Engineer in UNIFIL (Lebanon); HUMINT Operator in IFOR/SFOR (Bosnia)
Retire in November 2012
UNCLASSIFIED
Key FP Components AIR DEFENCE INTELLIGENCE BATTLESPACE MANAGEMENT LOGISTICS CIS MEDICAL COMBAT - JOINT ENGINEERING METOC ELECTRONIC WARFARE NBC DEFENCE EOR - EOD SECURITY FIRE FIGHTING SPACE GROUND DEFENCE TERRORISM DEFENCE INFO & PSY OPS THEATRE MISSILE DEFENCE UNDERWATER WARFARE NATO UNCLASSIFIED
Definition of Protective Security Protective Security is defined as: “The organized system of defensive measures instituted and maintained at all levels of command with the aim of achieving and maintaining security” AAP-6 UNCLASSIFIED
Information Assurance – description “Information Assurance. Information shall be protected by applying the principle of Information Assurance, which is described as the set of measures to achieve a given level of confidence in the protection of communication, information and other electronic systems, non-electronic systems, and the information that is stored, processed or transmitted in these systems with respect to confidentiality, integrity, availability, non-repudiation and authentication.” NATO UNCLASSIFIED
REFERENCES
C-M (2000) 49 (SECURITY WITHIN NATO) (NU)
C-M (2000) 50 (Protections against Terrorist Threats) (NU)
Supported by:
AC/35-D/2000 Directive on Personnel Security (NU)
AC/35-D/2001 Directive on Physical Security (NU)
AC/35-D/2002 Directive on Security of Information (NU)
AC/35-D/2003 Directive on Industrial Security (NU)
AC/35-D/2004 Primary Directive on INFOSEC (NR)
AC/35-D/2005 INFOSEC Management Directive for CIS (NU)
AD 70-1 (NR)
and many others
• RECORDING DEVICES
• The INTERNET
• SECURITY CLEARANCES
• PASSWORDS
• RELEASE POLICY DOCUMENTS
• WIPING STORAGE MEDIA
• USB Sticks
UNCLASSIFIED
HANDIES/SMARTPHONES/IPADs/ PORTABLES/CELLPHONES/MOBILES In fact all are Recording Devices UNCLASSIFIED
How secure is your handy? UNCLASSIFIED
Warning!! Don't forget the European law: in many countries it is no longer allowed to use the handy in your car without a hands-free car kit!!!!!! Punishment in GE is € 40, in NL € 130 UNCLASSIFIED
Hands free Car Kit suitable for all kinds of mobile phones! UNCLASSIFIED
The police modified the software to activate the hands-free use without informing the user (in this case a criminal), and then the mobile is just a listening device! GAP Monday 16 July 2007 UNCLASSIFIED
The Taliban forces the companies to shut down the network during the night.
Operations Security (OPSEC): this can be the reason not to allow the use of mobiles in theatre. UNCLASSIFIED
NOT ALLOWED IN A TECHNICAL SECURITY AREA OR ROOMS WHERE COSMIC TOP SECRET INFORMATION WILL BE DISCUSSED!
NOT ALLOWED IN A CLASS I SY AREA
PRIVATELY OWNED ARE ALLOWED IN A CLASS II SY AREA BUT SWITCHED OFF????? Ha, Ha! SHOULD BE "BATTERY TAKEN OUT!!"
BASE STATIONS NOT WITHIN 2 METRES OF CLASSIFIED CIS
SWITCHED OFF WHEN ATTENDING NON CLASSIFIED MEETINGS. AGAIN, SHOULD BE "BATTERY TAKEN OUT!!"
DON'T DISCUSS CLASSIFIED INFORMATION OVER THE PHONE BECAUSE NORMAL PHONES ARE NOT SECURE
Ref: AD 70-1 Part II-I-12 NATO UNCLASSIFIED
HEADQUARTERS CAN HAVE ADDITIONAL RULES TO AVOID PROBLEMS! DON’T TAKE IT WITH YOU Ref: AD 70-1 Part II-I-12 UNCLASSIFIED
How secure is your mobile?
Sand Storm, 26 April 2005. Al Asad, IRAQ It's a wall of sand and wind traveling at 60 mph. I stood here as long as I could to photograph this for you. I missed the last two storms that came through but glad I got these. Share them with people in Canada.
CLASSIFICATION?
The real challenge is “The Internet”
Webpages / Web logs / Chatting / Facebook / Hyves / You Tube / Twitter / LINKEDIN / WIKILEAKS!!!!
What will be the content?
Who is allowed to put info into ….?
What may be mentioned in chat?
From a security point of view it is not smart to put maps in .. (Google Earth)
What are your soldiers talking about?
EMAIL: Content? With or without classification? How to control the content? Classify and/or content scanners.
1.000.000.000.000$
Home - Personal Computers (PCs) AWARENESS, not a TEST
Do you share your computer with others?
Do they all have individual accounts with user-id and password?
Do you know if they are downloading / sharing (peer to peer)?
Are they using the same "My Documents"?
Home - Personal Computers (PCs) AWARENESS, not a TEST
Do you make backups of your vital information?
Where are the backups stored?
Do you update your antivirus program daily?
Do you have a firewall, and is it configured?
Do you have a wireless network for home use / connecting to the Internet?
Is this wireless network password protected?
Which clearances are there? NATO SECURITY CLEARANCE CERTIFICATE CERTIFICATE OF A SECURITY CLEARANCE Ref: AC/35-D/2000 NATO UNCLASSIFIED
Which clearances are there? NATO SECURITY CLEARANCE CERTIFICATE FOR A POSITION WITHIN NATO, SIGNED BY THE NATIONAL SECURITY AUTHORITY, and the CERTIFICATE OF A SECURITY CLEARANCE FOR VISITS AND CONFERENCES, SIGNED BY A SECURITY AUTHORITY (E.G. HQ SECURITY OFFICER). Ref: AC/35-D/2000 NATO UNCLASSIFIED
UNLESS SPECIFICALLY REQUIRED BY NATIONAL SECURITY RULES AND REGULATIONS A SECURITY CLEARANCE IS NOT REQUIRED FOR ACCESS TO INFORMATION CLASSIFIED NATO RESTRICTED NATO UNCLASSIFIED Ref: AC/35-D/2000
C-M (2002)49 AD 70-1 NATO UNCLASSIFIED
MEMBER NATION WILL PROVIDE THE CLEARANCE BASED ON A NATIONAL INVESTIGATION. VALIDITY: FIVE YEARS FOR CTS, AND 10 YEARS FOR NS, AS OF THE DATE OF THE INVESTIGATION NATO UNCLASSIFIED Ref: AC/35-D/2000
REQUEST A RENEWAL ON TIME. THE OVERLAP IS NOW 12 (was 6) MONTHS. NO RENEWAL MEANS TEMPORARILY NO CLASSIFIED WORK!!! NATO UNCLASSIFIED Ref: AC/35-D/2000
Do Not UNCLASSIFIED
CIS - INFOSEC Identification & Authentication
Passwords: minimum length / maximum validity
LANs – NC and above – 8 characters / 180 days
LANs – NU/NR – 6 characters / 1 year
portable computers – NC and above – 8 characters / 90 days
portable computers – NU/NR – 6 characters / 180 days
privileged users (e.g., administrators) – changed more regularly
number of unsuccessful attempts – 3
structure – mixture of alphanumeric and special characters
NATO UNCLASSIFIED
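The password rules on this slide, turned into a checker as an added example (not code from the briefing or from NATO): it encodes the length/validity table for LANs and portable computers at NU/NR versus NC and above, the alphanumeric-plus-special-character structure rule, and the three-attempt lockout. The system and classification labels used as keys, and the ISO date strings, are assumptions for the example.

```python
"""Check a password against the NATO CIS password policy quoted on the slide."""
from datetime import date, timedelta

# (system type, classification band) -> (minimum length, maximum validity in days).
# Key names are assumptions for this example; the numbers come from the slide.
POLICY = {
    ("lan", "NU/NR"): (6, 365),
    ("lan", "NC+"): (8, 180),
    ("portable", "NU/NR"): (6, 180),
    ("portable", "NC+"): (8, 90),
}
MAX_FAILED_ATTEMPTS = 3  # slide: "number of unsuccessful attempts - 3"


def password_problems(password, system, band, last_changed, today=None):
    """Return a list of policy violations; an empty list means compliant.

    last_changed and today are ISO date strings (e.g. "2024-01-01");
    today defaults to the current date.
    """
    min_len, max_days = POLICY[(system, band)]
    changed = date.fromisoformat(last_changed)
    now = date.fromisoformat(today) if today else date.today()
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Structure rule: a mixture of alphanumeric and special characters.
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(not c.isalnum() for c in password):
        problems.append("no special characters")
    if now - changed > timedelta(days=max_days):
        problems.append(f"older than {max_days} days")
    return problems


class LoginCounter:
    """Track consecutive failed logins; locked after MAX_FAILED_ATTEMPTS."""

    def __init__(self):
        self.failed = 0

    def record(self, success):
        """Record one attempt and return True when the account is now locked."""
        self.failed = 0 if success else self.failed + 1
        return self.failed >= MAX_FAILED_ATTEMPTS
```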
Coffee?
CLASSIFICATIONS ON DOCUMENTS, COVERS AND BRIEFINGS. Labels shown on the slide: EUFor, IRAQ, IC, PSE, KFor, DPA, EU or OSCE, MD, Afghanistan. NATO UNCLASSIFIED Ref: AC/35-D/2002
Reference: C-M (2007) 0118: NATO Information Management Policy C-M(2002) 49 : NATO Security Policy C-M(2002) 60 : Management of Non-Classified information. AC/35-D/2002 M Rev 3: Directive on the Security of Information. NATO UNCLASSIFIED
TYPES OF DOCUMENTS: NATO SECRET paper documents, DVD, CD. ALSO THINK ABOUT: VIDEO TAPES / CASSETTES, NOT USED COPIES, MICROFICHE / MICROFILM, INK RIBBONS, CARBON PAPERS, BACKING SHEETS NATO UNCLASSIFIED Ref: AC/35-D/2002
Handling of NATO Information
Classified? YES (i.e. NR and higher): C-M(2002)49 applies, with details in the AC/35 and AC/322 Security Directives.
Classified? NO: C-M(2002)60 applies. Is it for the public? YES: no NATO marking (NATO Public Disclosure Policy). NO (i.e. for official purpose only): mark as NATO UNCLASSIFIED.
NATO UNCLASSIFIED
The classification of this briefing is NATO UNCLASSIFIED Releasable PfP, EU, Council of Europe, MD, Contact Countries, KFOR, etc.
What is NATO UNCLASSIFIED?
It is unclassified information, but because it originated within NATO you put NATO in front of it;
If you send it to the normal public you need to remove the classification;
If you send it to an organization within NATO or outside NATO, for example PfP, the classification stays on it!
NATO UNCLASSIFIED
Release of Information to NON-NATO
The NAMILCOM decides for information classified up to and including NATO SECRET. The NAC decides for COSMIC TOP SECRET.
Release Request from Course Director to CJ2. The request contains the following information:
A. The material / information involved
B. To whom the information will be released
C. Justification for release (in this case to follow a course)
NATO UNCLASSIFIED
Release of Information to NON-NATO Mission Commander decides for MISSION SECRET. NATO UNCLASSIFIED
Supporting Document on Information and Intelligence Sharing with non-NATO Entities
"Need to Know" versus "Responsibility to Share"
Categories of NNEs addressed:
- non-NATO nations – addressed in the current version of the Supporting Document (including more flexible arrangements for the "seven": Australia, Austria, Finland, Ireland, New Zealand, Sweden, Switzerland)
- next to be addressed – host nations, NGOs, GOs, contractors on operations, exercises and transformational activities, multinational forces
NATO Roadmap! NATO UNCLASSIFIED
NATO’s relations with Contact Countries In addition to its formal partnerships, NATO cooperates with a range of countries that are not part of these structures. Referred to as Contact Countries, they typically share similar strategic concerns and key Alliance values. Australia, Japan, South Korea and New Zealand are all examples of Contact Countries. These countries have expressed an interest in deepening relations with NATO, or simply wish to be informed of NATO’s agenda. Some are troop contributors to NATO-led operations or contribute to these operations in another way. Others simply seek to cooperate with NATO in areas of common interest. This was from the NATO Riga Summit in November 2006
DOCUMENT SECURITY NATO UNCLASSIFIED Ref: AC/35-D/2002
Memory Drives/USB Sticks
MAGNETIC MEDIA (REUSABLE MEDIA)
According to NATO you can re-use storage media NATO SECRET and lower, but it has to stay inside the unit and you need to label it with the former level.
How to re-use? Simply using "Delete" is not enough!
DECLASSIFY USING THE PROPER TOOLS: BLANCCO for complete hard drives, and NORTON WIPE INFO for files.
AC/35-D-2005 (INFOSEC) Page 1-28 NATO UNCLASSIFIED
USB Storage Media
Advantage: small, cheap, easy, capacity and no problems with dust
Disadvantage: small (escape detection), valuable (classified content), capacity (a lot of info)
LOSS = COMPROMISE, THEFT
Ref: AD 70-1 Part V chapter 14 plus AC/322-D/0048 NATO UNCLASSIFIED
USB Storage Media NATO Policy: Disable, Minimize, only where operationally necessary, and not for CTS. Furthermore: as of NATO RESTRICTED the USB must have encryption; NS or MS only in a controlled area (manned / guarded 24/7). Ref: AD 70-1 Part V NATO UNCLASSIFIED
CLEAN DESK? UNCLASSIFIED
How far do you want to go with security? UNCLASSIFIED
SECURITY AREAS ADMINISTRATIVE ZONE CLASS - II CLASS - I TECHNICAL SECURE AREA NATO UNCLASSIFIED Ref: AC/35-D/2001
Example OPS ROOM UNCLASSIFIED
Ref: AC/35-D/2001
ADMINISTRATIVE ZONE (NR): Defined zone. Possibility to control traffic. Normal keys / normal cabinets.
CLASS - II SECURITY AREA (NC / NS / CTS): A clearly defined and protected area in which all entry and exit is controlled. A control of entry system in which only those cleared and specially authorized can enter the area. Provision is to be made for escorts. Possibility to realize "need to know". Security keys / tumbler locks / card readers / bars in front of windows / strong doors and walls etc.
CLASS - I SECURITY AREA (NC / NS / CTS): Always supervision (two man rule). To realize "need to know" is difficult!
TECHNICALLY SECURE AREA (CTS): Physical inspections. Unescorted only permanent staff. Always locked when not in use. Items / furniture checked for bugs. Telephones / mobiles not allowed. Extra: camera / guards etc.
Ref: AC/35-D/2001 NATO UNCLASSIFIED
NOTE BOOKS, LAPTOPS, CALCULATOR, PALMTOPS, PCDs, PDAs, ETC. Ref: AD 70-1 Part III and Part V chap 14 UNCLASSIFIED
LAPTOPS OR NOTEBOOKS ARE CALLED IN NATO DIRECTIVES: PORTABLE COMPUTING DEVICES (PCD) and PERSONAL DIGITAL ASSISTANT (PDA). Ref: AD 70-1 Part V chap 14 UNCLASSIFIED
THIS IS NOT A PCD! UNCLASSIFIED
Examples of PDAs: PALM-TOPS, PALM PILOTS, HAND HELD ELECTRONIC CALCULATORS, ELECTRONIC DIARIES! Examples of PCDs. Ref: AD 70-1 Part V chapter 14 plus AC/322-D(2007)0046 NATO UNCLASSIFIED
THESE TYPES CAN BE USED UP TO AND INCLUDING NATO SECRET INFORMATION WHEN THEY ARE OFFICIALLY PROVIDED AND AUTHORISED. IF THEY ARE PRIVATE? THE MAXIMUM IS NATO RESTRICTED, WITH NO CONNECTION TO THE NATO CIS NETWORK. Ref: AD 70-1 Part V chapter 14 plus AC/322-D(2007)0046 NATO UNCLASSIFIED
PCDs and PDAs, NEGATIVE: SMALL (escape detection), VALUABLE (expensive or content), CAPACITY (a lot of info). LOSS = COMPROMISE, THEFT. Ref: AD 70-1 Part V chapter 14 plus AC/322-D/0048 NATO UNCLASSIFIED
PCD: MAXIMUM IS NATO SECRET; WITHOUT HARD DRIVE, UNCLASSIFIED. NO CONNECTION TO A PRINTER OUTSIDE A CLASS-II SECURITY AREA. MARKED WITH CLASSIFICATION. More information concerning communication devices, crypto, removable hard drives, wireless systems etc. can be found in AC/322-D(2007)0046 dated Oct 5th, 2007, silence procedure. Ref: AD 70-1 Part V chapter 14 plus AC/322-D/0048 NATO UNCLASSIFIED
TRANSPORTATION OF A PCD
IT CONFORMS TO DOCUMENT SECURITY: MAXIMUM IS NATO SECRET; WITHOUT HARD DRIVE, UNCLASSIFIED.
OTHER POSSIBILITY: SEND THE FILES THROUGH THE NATO SECRET WAN, OR TAKE THE FILES WITH YOU IN A SMALLER PACKAGE WITH A COURIER CERTIFICATE.
TAKE A WIPING PROGRAM WITH YOU AND WIPE THE LAPTOP; DESTROY THE FILES IN THE CLASSIFIED REGISTRY.
NOT ALLOWED TO TRAVEL OVER AND THROUGH NON-NATO COUNTRIES UNLESS SPECIALLY APPROVED BY THE NSA.
Ref: AD 70-1 Part V chapter 14 NATO UNCLASSIFIED
Security requirements for palms
1. The best PDA is an officially supplied one. Why? See the rules below!
2. It should have a label on it with a classification.
3. The PDA should have identification and authentication mechanisms. The password should be changed every 6 months.
4. The PDA should lock itself after a specific period of inactivity by clearing or overwriting display devices.
5. Authorization shall be asked before connection to the network.
6. A privately owned Palm shall not be connected to systems handling NC or higher.
7. Virus protection software shall be installed and regularly updated.
8. Local synchronization is authorized, which means directly connected to the computer and not through a network.
9. A PDA that was synchronized to an Internet-connected computer shall not be synchronized to any NATO system.
10. Classified information in mails and documents (e.g. Word or Excel) shall not be downloaded onto the PDA (classified is NATO RESTRICTED and higher).
11. Synchronization is only authorized for agenda, to-do list, memo and address list.
12. Users shall deactivate any Infrared (IR) means on the PDA unless the need for IR is acknowledged by the SAA.
13. The highest classification processed on the PDA should be NATO RESTRICTED, and cryptographic mechanisms are preferable.
14. Users should not download software from an unsafe or unknown source and should not install software.
15. PDAs are generally not allowed to be used for NATO CONFIDENTIAL and above.
16. Privately owned PDAs are only allowed when all the above rules are obeyed and a registration and check is done by CJ6 and CJ2.
17. The best is to use only officially provided PDAs.
Ref: AC/322-D/0048 or AD 70-1 Part V Chapter 14 NATO UNCLASSIFIED
END OF BRIEFING Questions?