Ministry of Defence cyber veteran shares war stories and battle tactics
"Bureaucracy and legacy infrastructure create unnecessary roadblocks - almost for the sake of it."
After three decades of public service, former Ministry of Defence cyber leader Dan Jones is finally ready to talk about his very British battle against the twin challenges facing all organisations.
Just over a year ago, he stepped down from public service after a 29-year career that culminated in a senior “service leader” role in defensive cyber operations.
Although much of his work remains top-secret, we can credibly speculate that he was involved in battling attacks, thwarting digital espionage and defending against attempts to compromise the UK’s military infrastructure.
Now he’s joined endpoint security firm Tanium as a senior security advisor covering the EMEA region. Although he’s finding that both governments and businesses suffer from the same pair of essential problems, working in industry carries one very clear benefit.
"The technology is really cool," he tells Machine. "I get really excited by little green lights flashing on racks in a data centre."
For our eyes only: Defending the defenders
After spending so long at the Ministry, Jones still finds it hard to snap out of long-standing routines.
“I keep referring to the MoD as ‘we’,” he admits. “I can't get out of that habit…”
After leaving Whitehall, he's drawing on the scars and bruises from 30 years spent deep in the trenches of government to help clients mitigate their own cybersecurity challenges.
“I’m very much an over-promoted geek," he says. “Having done this for a long time, I think I'm entitled to have one or two opinions."
What Jones' recipe for success does not involve is a DOGE-style scorched earth approach.
He adds: "Bringing in Elon Musk with an axe isn’t the answer. Government roles are tough enough as it is and anything that makes them easier should be welcomed."
The shared problems of public and private sectors
All organisations face two major challenges (among many others, of course). The first is bureaucracy, which is endemic in Whitehall and pretty much every blob-infested public sector institution around the world. The second is legacy tech, a lingering affliction for almost every organisation with a history, from government departments to global enterprises.
"Bureaucracy and legacy infrastructure create unnecessary roadblocks - almost for the sake of it," Jones says.
So, after a life of public service and subsequent break into the market-led world of the security industry, which of these problems would he say has the biggest impact?
"The reason I'm laughing, Jasper, is that it depends on when you ask me," he chuckles. "Five years ago, I definitely would have said bureaucracy."
To illustrate the challenge of over-management and organisational friction, Jones tells the story of a big project that involved renewing or renegotiating large numbers of contracts with platform and service providers for defensive cyber operations.
“We needed to do something different,” he recalls.
The inspiration came from articles about the American approach to “weaponising” cyber procurement.
"Yes, it’s a sensational title," he admits. "But the principle behind it was devolving responsibility down to a much more junior level, giving them the accountability and effectiveness to make decisions, keep up to date and gain a chance of keeping pace with the evolving cyber threat."
Essentially, weaponising procurement means that a wider range of people throughout the hierarchy can get involved, pulling down unnecessary chains of command and enabling decisions to be made more quickly.
"You can take advantage of things faster," Jones explains. "I don't think it's it's fixed all the problems. It's just significantly better. The bureaucracy is in there, and it took a massive amount of effort to get the government machine to change. But it could. It does show there is a different way of solving the problem."
Charge of the IT brigade: Securing the MoD
At the MoD, Jones was responsible for service development delivery for the UK armed forces' defensive cyber operations divisions.
He reveals: "My job was to give the best support I could, as quickly as possible, to frontline troops to make sure they could do their day job, whether it's in a hot and dusty place or somewhere cold, or it's in a very luxurious sort of overseas environment that I'll never get to.
"It was my job to provide that capability at all three security classifications."
Jones also worked to support frontline operations in theatres including Afghanistan in 2010 and Libya in 2011.
"It's not for the faint-hearted," Jones says. “You’re in it for a different reason. And from a defence point of view, we were able to attract talent and bring people in because they could go and do things in an environment no other private sector organisation goes anywhere near.
"Eventually, we would lose people, just as natural churn takes place, because they realise: 'Hey, I've got a load of knowledge and experience I could go and earn twice what I'm earning in the public sector. Sign me up.'"
When he first started working in the mid-90s, Jones was managing 60 machines. “I went on to oversee a digital estate on a scale I couldn’t have imagined 20 years ago,” he adds.
The perils of ancient technology
After once believing that bureaucracy was the biggest challenge facing organisations, joining the private sector has changed Jones' mind for good.
"I haven't found an organisation yet, whether that’s in the private sector or my new job, that doesn’t have a legacy tech challenge,” Jones says. "Basically, the less you have of it, the less of a headache you're going to have.”
Like many, if not most, organisations, the MoD adopted cloud technology but still relies on legacy systems due to budget constraints and, yes, the friction caused by resistance to change. As a result, it operates a mix of cloud and outdated infrastructure, leaving older systems vulnerable due to a lack of maintenance and patching. A large estate with more tools creates a bigger attack surface.
“Organisations are adding new technologies without retiring outdated ones," Jones warns. "AI is being layered on top of old systems instead of replacing them, compounding the problem.
“Reducing the variety of tools and technologies makes management easier. A smaller, more consolidated set of tools means a smaller attack surface. Conversely, a broader estate with a wide range of technologies increases the attack surface. That’s simple maths. But it creates issues.
“Meanwhile, bureaucracy is still a major obstacle, especially in government. I used to think the MoD’s approach was chaotic, but after working with the NHS, I have to say its takes the prize for the most complex setup.”
With more than 200 trusts in England, the cybersecurity expertise is found within the national NHS body, but responsibility for security is left to individual trusts.
“This structure, while historically justified, creates major vulnerabilities like those involved in the four NHS cyber-attacks last year,” Jones adds. “Without a national-level approach, keeping pace with evolving threats is nearly impossible."
"These attacks weren’t the result of sophisticated, months-long, socially engineered nation-state attacks. They were exploits taking advantage of basic cyber hygiene failures. That’s not the fault of NHS staff - it’s just a reflection of how the NHS is resourced."
Jones tells us that local hospitals might have just one or two junior cybersecurity personnel, who spend more time on bureaucratic exercises than on actually improving security.
"They’re required to report up the chain on basic cyber hygiene such as patch management, vulnerability management and other routine tasks," Jones reveals. "The problem is, they’re spending more time reporting the situation every quarter than actually fixing it."
Enacting cultural change
So what to do? Jones primarily sees security as “a people problem dressed up in technology.”
"It's culture," he explains. "That means giving your colleagues the education and knowledge to use those tools, techniques and technology safely and in an ethical capacity, but also helping them develop the brain power to understand these things [security solutions] are not infallible.
“At the core of it all, cybersecurity is a people problem. Whether it’s changing mindsets, improving culture, adjusting procedures, or making decisions, people are the challenge - not the technology itself. The tech is just a tool."
This also means paying more attention to the basics: finding vulnerabilities before the bad guys and fixing them fast. It also involves taking on legacy tech and removing the bureaucratic friction that further slows down organisations.
The other piece involves encouraging defenders to let computers shoulder some of the work.
“I recently upgraded from an old, dying car to a new one packed with technology,” Jones says. “Being old-school, the first thing I did was turn it all off.
“Human nature means frontline security teams - whether in security operations centres or other organisational entities - tend to turn off automated systems. If you don’t let the computers do their job, there’s no time to properly understand, react, and respond.
“One of the advances we need to push is a shift in mindset. Look at Tesla or any other newer vehicle. They update themselves automatically. You don’t need to think about it - the system takes care of itself.
“So why don’t our office computers or work laptops do the same? Why is there still a need for manual management? Why don’t we trust service providers to handle updates automatically?
“Whenever you insert people, things slow down. Every organisation has limited capacity, and that resource should be focused on higher-value decision-making, where human experience and judgment really matter. Instead, we waste that intellect on tasks computers could handle themselves."
Mitigating the security risk of AI
The other challenge all defenders must face is AI. Jones argues that AI is not yet creating new and novel threats but is lowering the barrier of entry and increasing the blast radius of non-novel attacks.
“I’ve been around a long time - there’s a reason I have no hair,” he jokes. “I’ve done software development, data warehousing, and network design at both national and international levels. I understand these technologies, though I wouldn’t want to roll up my sleeves and start coding again. That kind of experience is usually required at an operator or analyst level to be an effective frontline cybersecurity defender.
"AI tools like Microsoft Copilot are a great example of how this is changing. There’s a reason it’s called 'Copilot' and not a replacement - it allows users to interact with their networks in plain English without needing to learn a dozen different products. It does the heavy lifting, which is a huge benefit for the cybersecurity community because it lowers the entry barrier and helps attract talent.
“Of course, there are nuances like costs and accessibilities, but AI also puts these same capabilities into the hands of attackers. Looking back at NHS vulnerabilities, the exploits were basic. AI isn’t necessarily creating new threats yet, but it enables attacks to be executed at scale, overwhelming security teams.
" That’s why companies, both private and public, need to invest now in automation and orchestration - those first key steps."
However, despite being aware of its threats, Jones is not necessarily a huge AI evangelist nor a “massive subscriber” to the idea that today’s technology even deserves its grand name.
"Most people picture AI as Terminator-style robots, but in reality, it follows four basic steps: automation, orchestration (stitching together systems that don’t work out of the box), machine learning, and finally, artificial intelligence,” he says.
“What we have today - ChatGPT, generative AI, copilots - are very clever, very capable services, but they’re really just processing enormous amounts of data very quickly with powerful algorithms. They’re not thinking for themselves, which is the differentiator.”
This means that humans will always have a role to play in security, he argues.
"I think people are going to take an even greater centre stage and are still going to be the linchpin," Jones says. "Over time, there may be less and less requirement for those people in the current roles. But I don't think there are enough people in the roles anyway in this space.
"So the limited capacity we do have, or can afford, depending on whether you're public or private, is going to need to shift in its knowledge, skills and experience to be whatever the next challenge turns out to be."
Have you got a story or insights to share? Get in touch and let us know.
