© iStock/guvendemir
© iStock/guvendemir

Air Commodore Nicholas Lloyd has a high-stakes job even by the perilous standards of the cyber security profession.

The Royal Air Force officer is the CIO for the Permanent Joint Headquarters of the Ministry of Defence, which makes him responsible for the IT behind every overseas military operation.

Lloyd oversees the defences against cyber threats from both terrorist groups and nation-states in 52 locations across Europe, Africa, the Middle East and Asia.

"The threat is not a static thing," Lloyd told CIO UK at Cyber Security Connect in Monaco. "It's related to where you are, who else is operating in that area and what your role is at that time."

He illustrates his point by comparing the military's work in South Sudan and Estonia. In the former, his team is helping the UN build a hospital and their biggest cyber threat is criminal exploitation of user devices and local networks.

The latter operation comes with a far greater risk. As part of the NATO enhanced forward presence in the Baltic state, the UK has a battalion deployed in Estonia, which shares a border with a truculent cyberwarfare superpower in Russia.

"There is a competition between states, particularly between the USA and Russia, but also China, Iran, North Korea, so you can expect where NATO, the US, and the west is operating in close proximity to those other states that there is going to be friction," Lloyd said.

"Those other states are obviously going to take a clear interest in what you're doing and from our perspective, you need to be very aware of things like cyber espionage, whether that's denial of service attacks or other acts.

"But generally speaking, states don't do things without a purpose, so that kind of activity would normally be part of a broader kind of messaging that a state's starting to become uncomfortable and is trying to signal the fact that it's not comfortable. Although obviously, we need to be prepared to make sure that we can continue to operate through those periods of tension."

Changing threats

Lloyd's route into cyber security began when the Air Force sponsored him to study an electronic and electrical engineering degree at Loughborough University. He then began his military career as an electronics engineer in the Royal Air Force covering every aspect of communications technology, from local area networks to radar systems.

"Cyber is simply the latest manifestation in that environment," Lloyd said. "In some respects, there are elements to it that are clearly brand new. In other aspects, things like electronic warfare have been around for a long time. Change is the only constant but a lot of the manifestations of that are in some ways familiar."

The biggest change of late has been the transitioned to a multi-polar world of constant competition between states. The fiercest rivalries are between the USA and China, Russia, Iran and North Korea.

Some are more willing than others to resort to crime to get ahead in the competition. All are capable of creating insider threats through clandestine social engineering, persuasion, bribery and blackmail.

Terrorist organisations can be used as a proxy to provide plausible deniability over cyber attacks. The resources that they have can increase both the damage done to the target and the protection provided to the perpetrator.

"You also find that some of these groups are actually quite motivated by a national strategic narrative anyway," Lloyd said. "It may well be that they're not directly being told to act on behalf of a state but they are motivated by the narrative of that state and therefore act as proxies on its behalf even without any direct instruction."

State actors

The cyber risks from overseas have changed as global power dynamics have evolved. China is playing a long-term game as it prepares to surpass the US to become the world's largest economy and is regularly accused of stealing intellectual property to accelerating its growth.

Russia is more concerned with the decline caused by demographic changes and is trying to retain influence through deliberately disruptive behaviour.

Iran is motivated by its battle with Saudi Arabia for regional hegemony in the Persian Gulf. The USA has nailed its flag to the Saudi mast and Iran views cyber as a way to level the playing field and reduce the impact of sanctions.

North Korea faces enormous economic stress that sanctions bolster. Cyber crime provides an opportunity to create revenue, and actors from the state were unsurprisingly linked to the WannaCry ransomware attack.

"It's not unreasonable to think that people who might see the west as an opponent would wish to find some kind of asymmetrical advantage against them and cyber offers an obvious potential asymmetric opportunity," Lloyd said. "Therefore you expect the likes of Iran and North Korea to be trying to develop that capability to level the playing field, but it's also an opportunity for them to monitor what the west is doing.

"If the west is present in what they consider to be their region - say the Gulf for argument's sake - you would expect cyber to be one way of maintaining a monitoring watch on what the players in that part of the world are up to. So cyber espionage is another thing that they would be motivated to do.

"Then when you come to economic sanctions - which is obviously very topical when it comes to Iran - cyber espionage is not necessarily against states operating in that region, but further afield is maybe a way to avoid sanctions, whether that's because you can generate revenue to mitigate the effects of sanctions on your economy in terms of foreign currency or indeed simply to gain access to intellectual property that would otherwise be denied you."

Attack and defence

Nation states aim to save their best cyber exploits for when they need them, but the weapons need to be continually refreshed to keep pace with developments in technology. Domestically, the threat of a cyber attack on national infrastructure grows.

The lower level disruptive activity typically uses the same weapons wielded by organised crime.

"You're not going to necessarily see zero-day exploits being used directly by states unless there's a specific high reward for what they're going to use those for, because once they've used it, the awareness of it means you lose that first move advantage. And then of course it's out there and might well be used against you as well," Lloyd said.

"Typically speaking I think on a day-to-day we will see the same range of tools, techniques and procedures used against us as you would find in say the financial industry. But we have to obviously be prepared for threats beyond those as well."

Lloyd is reluctant to share specific detail about the government's defences, but explains that two core principles are collaboration with other departments and allies, and creating a strong security culture and strategy around the use of information.

The thorough classification of any information from the moment that it's created that details the potential impact of that information falling into the wrong hands and how to respond boosts defences and guides preparations for any potential breach.

"There's an element here that's a little bit like swimming with sharks," Lloyd said. "If you swim with sharks you might well get bitten but probably your first priority is to be a better swimmer than the person next to you.

"So there's an element of the UK as a whole making sure that it's raising its game and being a harder target, and therefore to a degree you would hope that some of those threats will look for weaker victims elsewhere, whether that's organised crime or other states or anyone else acting in a fairly hostile manner."

Business risks in hostile territories

Lloyd advises companies operating in the regions of these nations not to panic, as states won't use their best cyber exploits against businesses as they want to save them for other nations, but businesses should prepare for the possibility of some collateral damage, particularly when a state in the region feels threatens or wants to send a message.

Organisations whose proprietary knowledge is the backbone of their profitability are the most at-risk. Lloyd warns them to ensure they are monitoring the insider threats, behavioural analytics and the third-party suppliers around the most valuable aspects of the business.

Cyber crime aimed at raising revenue depends on clear ways of accessing funds, which makes ransomware, social engineering and spear phishing popular methods of attack. Organisations also need to think about the dangers beyond their office walls as many employees will be using the same passwords and systems when travelling. VPNs for business trips can help reduce the risk.

The unique skills and experiences that armed forces personnel possess has led a number of companies to launch initiatives that retrain veterans for second careers in technology. Lloyd supports the schemes but believes that benefits can also come from movement in the opposite direction.

"Because we recruit people at the bottom end of the organisation and develop them all the way through their career, we probably need to get a little bit cleverer at honing people with the skill sets laterally into the organisation," Lloyd said.

"We're trying to do that through the use of reserves. For example, we've got cyber reserves that we can draw upon and I've personally found them incredibly useful because they come with a skill set that can be difficult to grow and retain organically within the organisation.

"The ability to reach out to people who are doing cyber-related jobs in industry from a different angle and to use them as reservists in the military tasks is a great opportunity. I think there's a good opportunity for a two-way flow here in terms of transferrable skills."

There are several Ministry of Defence CIOs all with specialist skills and focus areas. You can reach the main CIO Office by contacting the switchboard 020 7218 9000.