Lt. Gen. Edward Cardon goes about his work as head of Army Cyber Command with the subdued intensity of someone who knows he will be at it awhile. The soft-spoken Californian is trying to build a cyber workforce, and he is clear about where that effort is falling short.
Some private-sector IT specialists want to “come work for us for a year or two, but they don’t want to…be there for 20, and we don’t have a mechanism to really do that,” Cardon said in a recent interview at the command’s offices in Fort Belvoir, Va.
Cardon is part of a generation of military officers whose job is to draw clearer lines around the Defense Department’s role in cyberspace. Those commanders typically have a blend of battlefield and systems management experience, but rarely are they IT experts. They help shape doctrine and give orders, while the “cyber warriors” in control rooms around the country and the world conduct network defense and potential hacking of adversaries.
Since the American military declared cyberspace an operational domain in 2011, it has not been a question of if but how the Pentagon will organize its capabilities.
There has been no shortage of ideas inside and outside the Pentagon for how to better use people in the nation’s cyber defense. Cardon in particular has been outspoken on the subject.
At a February cybersecurity conference in Washington, he said that, given the diffuse nature of digital networks, “command” might not be the right word for organizing cyberspace. Instead, “maybe it’s the way that we organize against very specific missions,” he said. Those missions then become opportunities for leadership, and recruiters find the “skills and attributes that we need to be able to do that.”
In other words, Cardon is interested in creating teams that, contrary to centuries-old notions of chain of command, are driven by specialized skillsets rather than hierarchy.
Although “command” is still the operative word for his perch, Cardon’s thinking on the issue points to a less hierarchical approach to cyberspace. He was a brigadier general in Iraq during the 2007 surge that pushed the number of U.S. troops there to about 170,000, and he wants to apply that experience to cyberspace.
“When you have a hierarchy that works against a network, it doesn’t work as fast as the network. And so in Iraq, what happened is Gen. [Stanley] McChrystal recognized that there was a lot of information coming in,” he said, referring to one of the now-retired architects of the surge and to the military’s broader efforts to counter the decentralized insurgencies in Iraq and Afghanistan. “But the information was organized geographically and not against the network. And so by creating a place where everyone could come together, he in effect created a network to work against the network. You can instantly see this application to cyber because the threat isn’t geographically constrained.”
In the same vein, Cardon has floated the idea of applying the concept of “fusion cells” — small teams of Special Forces and intelligence officers dispatched to Iraq in 2008 — to cyberspace. Whereas the fusion cells’ targets were Iraqi insurgents, Cardon’s cyber cells would target intruders lurking on DOD networks. The ability to pinpoint those hackers would rest on better information sharing.
“We may or may not see [the hackers], but somebody sees them, and if we could share that information better, we’d have a much more robust defense than we have today where we all sort of operate in our lanes,” he said.
A growing force against growing threats
On the one hand, the military brass portrays the buildup of Cyber Command as a steady march toward 6,200 employees. But seen in another light, the Pentagon’s cyber posture has been a reactive response to a threat that has been steadily growing.
In the past several years, multiple intrusions into Pentagon networks have sounded alarm bells for military leaders. William Lynn III, a former deputy Defense secretary, called a 2008 hack of classified military computer networks “the most significant breach of U.S. military computers ever” and “an important wake-up call.” Another flash point came in 2013, when Iranian hackers embedded themselves in the unclassified portion of the Navy Marine Corps Intranet.
The most recent shot across the Pentagon’s cyber bow was a Russian intrusion that Defense Secretary Ashton Carter disclosed on a recent trip to Silicon Valley. The hackers had breached an unclassified DOD network via “an old vulnerability in one of our legacy networks that hadn’t been patched,” he said.
Carter added that DOD network defenders were able to drive the Russians off the unclassified network. But whether such a cleanup operation can continue to limit the damage done to some of the largest, richest networks in terms of intellectual property is another question altogether.
“We’re getting faster and faster with our operations,” Cardon said. “The challenge we still have is the disparate nature of the networks.”
Barriers to private-sector collaboration
Despite Cyber Command’s focus on offensive and defensive operations, cybersecurity analyst Richard Stiennon likes to think of the command as a “centralized IT security department” for the Pentagon, albeit one that is stifled by acquisition regulations.
Cyber Command “can only buy things that the big contractors have figured out how to sell,” said Stiennon, who is founder and chief analyst at IT-Harvest. “So they can’t go to Silicon Valley and talk to the startup that’s got the solution for Windows XP. They can’t get the latest breach-detection solution because no startup in their right mind would take a year and a half out to go through the [federal] qualification process.”
Cardon acknowledged that barriers to entry are a sticking point in his outreach to the private sector. A lot of technology firms don’t want to deal with the government because they find the process cumbersome, he said.
“We have to figure that out because we’re going to need them because the money that they’re investing in science and technology and research and development dwarfs the Department of Defense,” he added.
The federal acquisition process is one impediment to the greater interaction between Cyber Command and private-sector IT experts sought by Cardon and his boss, U.S. Cyber Command and National Security Agency leader Adm. Michael Rogers. Another hurdle is the cultural differences between IT experts who have spent their careers in the private sector and Pentagon officials who view cyberspace as a warfighting domain.
“Cyber, to us, is a form of a maneuver,” Cardon said. “So to me…the danger is the IT world views things through [what] I call the role of the help desk. Just make my computers, phones, everything work, [and] I’m happy, as opposed to thinking, ‘Hey, this space is contested and you have to protect it.’“
Regardless of how Pentagon officials view cyberspace, many of them are looking at it through nontechnical eyes, said Carl Herberger, a former electronic warfare officer in the Air Force.
“Computer warfare is being thrust upon most of the senior [military] leadership, and I don’t think most of them have a foundational knowledge of how packets get routed, how applications get crafted” and other technical activities, said Herberger, who is now vice president of security solutions at data security firm Radware.
Yet military leaders generally won’t be the ones defending DOD networks. That is the work of the cyber forces that Cardon and his counterparts in the other military services are developing. The Army cyber force will consist of 41 protection teams that will defend Army networks from intrusions, and Cardon said the service is making progress in recruiting.
“We had a lot of failure rates in the beginning,” he said, adding that some of the early recruits for the cyber force lacked the technical aptitude for the job. But now candidates take an exam that gauges their technical skills and their likelihood of passing the training process.
Those cyber soldiers will enter a contested space that Cardon and other Pentagon leaders believe they have no choice but to enter.
“Sometimes you hear the term, ‘We’re militarized in cyberspace.’ No, that’s not it at all,” he said. “In fact, the struggle is already ongoing between criminal groups, nation-states, etc. The question is, in the construct of military operations, how do we use cyber?”