What a big Navy breach taught the Army

Lt. Gen. Edward Cardon

Lt. Gen. Edward Cardon learned some important lessons when the Navy booted Iranian hackers off its network.

A Navy operation that began in August 2013 to drive Iranian hackers from the unclassified portion of the service's intranet has had a lasting impact on the Navy's approach to network security. And it turns out the Army was paying close attention to how its seafaring brethren handled the intrusion.

The most important lesson that Lt. Gen. Edward Cardon, head of Army Cyber Command, took from the Navy's eviction of hackers from its network is that cybersecurity is "an operational mission" and not just an IT issue, he said.

"If you come at things from an IT focus, you're going to lose," Cardon said during a Nov. 10 media briefing. "I'm not saying that the J-6s, CIOs of the world do not have a critically important role," but their focus is on making communications work rather than making them trusted and defensible.

When asked to name a revelatory moment that shaped the Army's approach to cybersecurity, Cardon said it was Operation Rolling Tide, the Navy's first defensive cybersecurity operation to be given a name. It lasted three to four months and involved the Navy Fleet Cyber Command, the National Security Agency and the Defense Information Systems Agency.

Cardon and his fellow cybersecurity experts in the Army closely followed the operation.

"Everything they're doing, we're looking at our network the same way," which leads to the discovery of vulnerabilities, said Cardon, who took over Army Cyber Command when Operation Rolling Tide was underway.

The Naval Network Warfare Command took the lead in conducting operations to evict the hackers, while teams at the Navy Information Operations Command in Norfolk, Va., were dispatched to "hunt on the networks" for the intruders, a defense official previously told FCW.

Cardon has his own stable of network hunters -- the 41 cyber teams that his command is creating, totaling 1,899 people. Today, 30 of the teams are at initial operational capability (IOC) or better, with all teams slated to be there by the end of the fiscal year, Cardon said.

Two of the teams are currently at full operational capability (FOC), which Cardon said means an ability to do multiple missions or one mission around the clock. He said he hopes to accelerate that number to 25 teams by the end of the fiscal year.

Cardon mused about the usefulness of distinguishing between those capabilities. "Right now we talk in terms of IOC and FOC," he said. "But, for example, when I was a brigade combat team commander, nobody every asked me, 'Are you IOC or FOC?' What they asked me was, 'What's your readiness?’ And so what's happening [is] the Department of Defense is moving the cyber mission force into the traditional readiness models."

With prodding by Congress, DOD officials are fleshing out the department's cyber deterrence doctrine. How that shakes out could affect how Cardon allocates his cyber teams, he said.

The Army hasn't bared all about a sophisticated intrusion like the Navy did with the Iranian hack of the Navy Marine Corps Intranet. Whether that is because Army networks haven't been hit by that kind of breach or because the service hasn't disclosed it is an open question. Hackers linked to Syrian President Bashar al-Assad claimed responsibility for knocking off-line, but that was an act of disruption, not espionage.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.