What a big Navy breach taught the Army

A Navy operation that began in August 2013 to drive Iranian hackers from the unclassified portion of the service's intranet has had a lasting impact on the Navy's approach to network security. And it turns out the Army was paying close attention to how its seafaring brethren handled the intrusion.

The most important lesson that Lt. Gen. Edward Cardon, head of Army Cyber Command, took from the Navy's eviction of hackers from its network is that cybersecurity is "an operational mission" and not just an IT issue, he said.

"If you come at things from an IT focus, you're going to lose," Cardon said during a Nov. 10 media briefing. "I'm not saying that the J-6s, CIOs of the world do not have a critically important role," but their focus is on making communications work rather than making them trusted and defensible.

When asked to name a revelatory moment that shaped the Army's approach to cybersecurity, Cardon said it was Operation Rolling Tide, the Navy's first defensive cybersecurity operation to be given a name. It lasted three to four months and involved the Navy Fleet Cyber Command, the National Security Agency and the Defense Information Systems Agency.

Cardon and his fellow cybersecurity experts in the Army closely followed the operation.

"Everything they're doing, we're looking at our network the same way," which leads to the discovery of vulnerabilities, said Cardon, who took over Army Cyber Command when Operation Rolling Tide was underway.

The Naval Network Warfare Command took the lead in conducting operations to evict the hackers, while teams at the Navy Information Operations Command in Norfolk, Va., were dispatched to "hunt on the networks" for the intruders, a defense official previously told FCW.

Cardon has his own stable of network hunters -- the 41 cyber teams that his command is creating, totaling 1,899 people. Today, 30 of the teams are at initial operational capability (IOC) or better, with all teams slated to be there by the end of the fiscal year, Cardon said.

Two of the teams are currently at full operational capability (FOC), which Cardon said means an ability to do multiple missions or one mission around the clock. He said he hopes to accelerate that number to 25 teams by the end of the fiscal year.

Cardon mused about the usefulness of distinguishing between those capabilities. "Right now we talk in terms of IOC and FOC," he said. "But, for example, when I was a brigade combat team commander, nobody every asked me, 'Are you IOC or FOC?' What they asked me was, 'What's your readiness?’ And so what's happening [is] the Department of Defense is moving the cyber mission force into the traditional readiness models."

With prodding by Congress, DOD officials are fleshing out the department's cyber deterrence doctrine. How that shakes out could affect how Cardon allocates his cyber teams, he said.

The Army hasn't bared all about a sophisticated intrusion like the Navy did with the Iranian hack of the Navy Marine Corps Intranet. Whether that is because Army networks haven't been hit by that kind of breach or because the service hasn't disclosed it is an open question. Hackers linked to Syrian President Bashar al-Assad claimed responsibility for knocking Army.mil off-line, but that was an act of disruption, not espionage.