Ministry of Defence CIO - defending the data assets of the nation

Profile picture for user mbanks By Martin Banks October 9, 2016
Talking with the CIO of the UK’s Ministry of Defence shows quite an open view of how they now go about defending its valuable data assets, with lessons that could help businesses re-adjust their mindsets on security and how to do it.

MOD Sign

One expects that Mike Stone, CIO to the UK Ministry of Defence (MoD) will answer nearly every question with the classic response: `I could tell you, but I'd have to kill you’.

Surprisingly, however, that proved not to be the case. The MoD is a Splunk user, using it to, as he says, 'hoover up what might be called the digital exhaust of the networks’.  That means all the logs and some telemetry data, with a view to looking at it through various different lenses and come up with intelligence from that: 

I think of it as being my environmental duty, so rather than having all these particles of exhaust flying around and not being captured, we take that exhaust and see if there is any value in it, and actually, there is. But I’m afraid I can’t tell you what that value is.

Safe inside your fortress?

One of Splunk’s key roles is security, especially the security that can come from real-time, detailed analysis of those logs. Stone compares it the old, medieval ways of living within fortress walls and assuming they can never be sacked. He is much more in favour of defence in-depth, and across the board.  So he still sees a role for antivirus tools but they are not the be al and end all, either. There will always be the need to find and detonate anything that gets past that:

We need to be on top of end point security, we need to be looking at the insider threat and behaviour analysis around that. We absolutely need to have visibility of all of the assets, because you can’t assure what you don’t know the state of. You absolutely need to understand all of the network paths that are there. And you need to be thinking about honey traps and things like that.

This is particularly relevant as the MoD moves into the cloud, and Stone acknowledges that the Ministry cannot afford not to exploit that, that this is an area where it cannot be left behind. It has to address those security concerns, otherwise it risks losing the information advantage. Step One here is having to accept that those walls can be sacked and the MoD systems breached. The issue is what the response is:

Just to clarify, I’m not saying that we have been breached at that level. What I’m saying is that we have to prepare ourselves that it’s quite feasible that we could have been or could be breached at those levels and therefore have the defence in-depth to be able to deal with it. So if the perimeter is breached, how do we know that it’s been breached? What do we do about it, particularly if we want to exploit the power of mobility?

We don’t want to be saying that people can’t access data, but we may be wanting to ensure that if they’re doing it from a coffee shop they can only gain access to certain types of data whereas if they’re on a more secure Wi-Fi connection then it’s a very different matter, so we need to be able to understand what capabilities we’re prepared to allow and under what circumstances. And yes, I think it’s perfectly reasonable to assume that we have red-teaming capability, and that we do exercise that capability.

Being a team player

One factor about the MoD is important here as an example of how a user, a customer, manages the relationships with it vendors. The Ministry’s defence in depth approach means working with several vendors and Stone works hard to get them all to act as integral parts of 'his team’ rather than a group of independent technology suppliers:

I have regular calls with all the suppliers together and if anyone talks about `sides’ - be it them or us - there is only one side, and that is the side that we are all about. I am focussed entirely on outcome. What are the outputs that will deliver that, what are the goals for those outputs? Let’s contract for that, not for the atomised requirements.

He acknowledges that this round counter to typical public sector practice, which tends to focus more on inputs and process and often fat user requirement and system requirement documents. This tends to end up producing lots of measures of performance that can show a full set of green lights on a dashboard, yet still won’t deliver the required outcome.

One of those contractors, of course, is Microsoft, which recently set up an Azure datacentre in the UK. Indeed, according to Stone, the MoD is an anchor tenant for the service in the UK because he wanted to make use of Office 365. A UK base for Azure was therefore going to be important for, while he knew he could legally put data anywhere in the European Union, doing so would probably fail what he terms the red face test, or the red top test of public opinion.

Part of this detail has Microsoft providing facilities for the Ministry to save everything in open document format. This allows them to share across government more easily, as well as supporting the National Archives in a better way:

It can be a bit of a challenge for me in that the NATO standard is Word, for instance, so I won't be able to do it in both directions.  Essentially what we’re doing is taking a private instance of Azure and adopting a hybrid cloud strategy so I will be using Azure, the HP cloud and also AWS in some instances. So some elements of it will be public cloud, and some elements of it will be private cloud. It will be effectively as though it was an on premise solution in some regards except for the fact that we will get the latest and greatest that is released into Azure.

One of those is Azure rights management, Which allows him to specify that a document can only be opened by the addressee or that specific paragraphs and can only be seen in particular ways. In addition, the Enterprise Mobility Suite has your active directory working in conjunction with active directory within the exchange suite.

One of his big challenges is that, back in 1995 when the defence information infrastructure was first set, home computer systems had far less capability than those at work.  Today it is quite the reverse, mainly through the power of the cloud, mobility and social media: 

By adopting evergreen services via the cloud and by fully embracing mobility at the lower levels of classification we have to be clear about what our risk appetite is and work within that risk appetite. but that allows us to be able to offer capabilities to our users that will be at least as good as that which they have at home and in some cases better.

That prompts the obvious question about `Bring Your Own Device’, which is somewhere Stone won’t be going. There will, however, be the opportunity for what he calls `choose your own device’ from a number of tablets, laptops and phone types that will be available.

Stone sees this as helping the MoD lead on behalf of the whole of the Five Eyes nations in providing a risk reduction program.  This is an Intelligence alliance between the US, Canada, Australia, New Zealand, and the UK:

Terry Halvorsen, the CIO of the US department of Defence, is looking on with great interest as to what we doing in the space because they recognise that they've got to do something very similar.  If we don't do this we will never be able to provide people with capabilities that the general populous have so we have to find a way of making them secure and its imagination that's the important thing.

I just recently had my symposium and the thing that I really struck home to people was the fact that technology is not the big constraint now - it's coming towards us at a pace that we can hardly cope with. The constraint is our own imagination. If we can imagine what we want to do, then we can harness the technology that's coming towards us to deliver it and I genuinely believe that that's the case and increasingly the Five Eyes are going to work together to achieve these common aims.

Is it just my imagination?

The interesting side issue here is that this increasing level of granularity in the MoD’s data and systems security strategy carries with it some serious learning and guidance that can readily be applied across the wider scope of business, commerce and industry. This is a sub-text of Stone’s job that he is aware of, particularly as one of the key requirements is actually a change in mindset amongst those working within that security framework:

In all organisations there are received wisdoms that become `the way we do business around here’. What I seek to do is to challenge those received wisdoms. So if somebody says to me 'no', then I want to know the reason why, and in most instances I find the reason is because it's inconvenient to them rather than because it's a real `no’. You have to get to what is the thing that is really the problem and address that. Once you address that you can move on to the next issue. So by taking this approach of where we want to go and what needs to be true in order to get there, with the way that technology is moving and the use of some imagination then you can get there. Secondly, they all realise the power of the ecosystem, and that actually having something that's entirely closed destroys value not increases value.

He has his eye on following the iPhone app store and ecosystem model and make it work on both national and international level with NATO and the Five Eyes partners. There is also the need to exploit other platforms and the ecosystem’s other platforms. This maps well onto modern, fast moving business, where a new company can be operating in one country and tomorrow can be operating in 100. 

But perhaps the key learning is about their data and its value beyond its primary content" 

The data that comes from all their transactions is gold dust. Take every single bit of that data - the exhaust - and then analyse the hell out of it and try to get the best insights in the most-timely way to get them ahead and get competitive advantage.

On top of that those companies also realise that it's imagination that’s important. They don't wait for the technology, they think about what they want to do next and they drive that innovation themselves.’They are actually responsible for this almost perpendicular curve of innovation coming towards us and what I would like to do for Defence is to ensure that we are benefiting from those platform economics as a whole.

My take

An interesting example of knowing what is actually important, such as being 'secure’ does not mean pulling up drawbridges and never talking. It does seem possible that the MoD has lesson it can teach industry in building security defences in depth, using a wide range of tools, that then map onto the future world of mobile and cloud infrastructures.