Interview: CIO for overseas military operations on the rising nation-state cyberthreat facing the MoD
Nicholas Lloyd, who oversees technology across 52 global locations, discusses the changing threat landscape
In what is truly a unique role as Air Commodore in the Royal Air Force and chief information officer (CIO) of the permanent joint headquarters for the Ministry of Defence (MoD), Nicholas Lloyd has his work cut out. He enables global operations for defence across 52 locations in Europe, Africa, the Middle East and Asia. He is essentially responsible for the technological aspect behind every overseas military operation, and is accountable for £46m in annual spend.
“Whether we are operating in Kabul in Afghanistan, Somalia, Estonia or Nigeria, we are there for a purpose, for which the UK government has committed to a project. This might be supporting a nation in that area, or supporting the EU or UN, and it’s my job to enable this in terms of information flows, and delivering technology to people who support the information flow,” Lloyd tells PublicTechnology at the recent Cyber Security Connect event in Monaco.
That might be to help with countering terrorism, or helping a nation stabilise their own country, or assisting a host nation to build their own national capacity in a given area, or even for building a hospital in South Sudan on behalf of the UN, for example.
Lloyd’s role covers the management of “the information generated and consumed to support that activity, how are we going to enable those information flows in that country and backwards and forwards from here.”
The post sits within a standard NATO structure, which is very different to a commercial organisation. The overall boss is the chief of joint operations, who is responsible for global military operations. Below him is the chief of staff, in a role similar to a deputy CEO or COO. Then it’s the board level, which is where Lloyd and other commodores sit.
“It’s geared towards military needs, although it is not too dissimilar in that we have many of the same functions; we don’t have a CFO, but we have someone who is responsible for finance,” he says, adding that the rest of the board members include those responsible for intelligence, operations, planning, and policy.
Collaboration between all of the teams has been key, particularly because Lloyd says that the MoD continually has to evolve to adapt to the different kinds of threats it is facing. In the most recent era, cyberthreats have become more prominent.
“We’ve found that there is a lot more state-based competition. While terrorist networks have degraded, national interest is becoming more evident amongst various nations, particularly across the Middle East, and therefore when you get competing states, the level of threat from a cyber perspective increases significantly,” Lloyd says.
The joint headquarters of the MoD took the decision to not introduce a chief information security officer (CISO) role, and instead gave many of the responsibilities to Lloyd because of the work he and his team were carrying out on risk management.
“Cyber risk features strongly [in our plans], and this risk-based approach and ability to engage in a meaningful conversation and explain in business or operational terms what it might mean and what we can do about it has meant that the role of the CIO on the board has become more important,” Lloyd says.
Procurement and recruitment
While the MoD invests heavily in IT for its UK operations, this is not Lloyd’s remit as Charles Forte covers this as MoD CIO – Lloyd’s role is responsible for technology overseas.
“Defence is a large enterprise and therefore we outsource a lot to large contractors, but we also innovate and work with SMEs when services we have are not meeting our needs,” he says.
In addition to outsourcing agreements, Lloyd can draw on equipment that the ministry has already acquired, such as local area networks for specific purposes, and can draw on technicians and engineers from the army, navy and air force that are able to operate that equipment, install it and maintain it.
“It’s like going into a sweet shop and saying: ‘I want this, this, and this’, and then having to integrate all of it. And then, if there is still a shortfall, we might then consider laying our own services on top of that – that could be exploiting capabilities we’ve already got such as manipulating SharePoint or it may be buying in an additional capability to provide an extra service that’s required,” Lloyd states.
His role is focused less on the contractual and commercial negotiations and more on integrating various capabilities, and delivering this overseas.
Lloyd and his team are also focused on recruitment.
Unlike commercial organisations that hire from external sources at different levels of seniority, the MoD recruits from what Lloyd calls “the ground floor”.
“For us, recruitment and retention are really important because we are bringing them into the ground floor of the organisation and growing them as they go through their careers,” he says. “If retention is poor, we’ll struggle, because if we lose someone at the top end you need someone that has come through the organisation behind them to backfill them – so we’re focusing on this, and incentivising people with rewarding jobs and careers.”
The issue is compounded by a lack of students with STEM skills. However, Lloyd says that it is a challenge that every organisation is facing, and that the MoD is no different.
At Cyber Security Connect, delegates heard from a number of different government departments, including police forces and HM Revenue & Customs, and Lloyd feels that hearing about the progress that departments have made in cybersecurity highlighted the fact that the topic cannot be approached in siloes.
“You can’t assume that it will add up to the sum of the individual parts, you have to work across departments as well,” he says.
Lloyd believes the same approach can be used for the UK as a whole.
“It’s always tempting to think your country is better than anyone else [at cybersecurity] – and it isn’t. However, the UK is lucky in that it is a size where things we do can make a difference – you can join things up across Whitehall to get departments to collaborate and cooperate. This is much more difficult in the US for example, which is huge,” he says.