U.S. Ratchets Up Cyber Attacks on ISIS

Military hackers are disrupting ISIS’s encrypted chats, implanting viruses in terrorists’ computers, and mining the machines to launch real-world strikes.



President Obama confirmed for the first time last week that the U.S. is conducting “cyber operations” against ISIS, in order to disrupt the group’s “command-and-control and communications.”

But the American military’s campaign of cyber attacks against ISIS is far more serious than what the president laid out in his bland description. Three U.S. officials told The Daily Beast that those operations have moved beyond mere disruption and are entering a new, more aggressive phase that is targeted at individuals and is gleaning intelligence that could help capture and kill more ISIS fighters.

As the U.S. ratchets up its online offensive against the terror group, U.S. military hackers are now breaking into the computers of individual ISIS fighters. Once inside the machines, these hackers are implanting viruses and malicious software that allow them to mine their devices for intelligence, such as names of members and their contacts, as well as insights into the group’s plans, the officials said, speaking on condition of anonymity to describe sensitive operations.

One U.S. official told The Daily Beast that intelligence gleaned from hacking ISIS members was an important source for identifying key figures in the organization. In remarks at CIA headquarters in Langley, Virginia, this week, Obama confirmed that cyber operations were underway and noted that recently the U.S. has either captured or killed several key ISIS figures, including Sulayman Dawud al-Bakkar, a leader of its chemical weapons program, and “Haji Iman,” the man purported to be ISIS’s second in command.

The military has also used cyber operations to block ISIS’s use of encrypted communications, in order to force members to use less secure channels where they can be more easily monitored, officials said. That tactic appears to be a response to ISIS’s effective use of encrypted text applications in particular, which officials had said previously made it harder for the military and intelligence community to track individual fighters.

Three former intelligence officers, who spoke on condition of anonymity to discuss sensitive operations, told The Daily Beast that U.S. Cyber Command, which conducts online attacks for the military, has the capability to identify when someone is using an encrypted application and then target the communications infrastructure to make it harder, if not impossible, to use that application.

“Encrypted communications definitely make things more difficult,” one former officer said. “But any military adversary worth its salt is going to be using them, whether commercially available or otherwise. You take that as a given, and you just find ways to go after it.”

The new cyber campaign against ISIS isn’t the first time the U.S. has used offensive techniques to penetrate the computers of an adversary. But it’s a new feature in the war against the self-proclaimed Islamic State and represents an escalation from a few months ago.

In February, U.S. military hackers began to interfere with ISIS’s online communications, the computer equivalent of jamming radio signals, making it harder for members to communicate with each other and for commanders to give orders, the officials said. Those operations helped to hamstring ISIS in the Syrian town of Shaddadi, one of its training and logistics sites, while rebel forces on the ground took back the city.

But those operations were broader and less precise than what’s being conducted today. Defense officials wouldn’t comment on the exact methods being employed to compromise ISIS computers, except that individuals were being tricked into loading malicious software onto their devices, thereby giving U.S. hackers access.

This could be achieved through “spear phishing”—sending emails with infected attachments that appear to come from a trusted source—or through so-called watering hole attacks, in which websites that a group is known to visit are surreptitiously loaded with malicious software.

President Obama’s confirmation of cyber operations followed comments by Secretary of Defense Ash Carter and his deputy, Robert Work, who told reporters last week that the U.S. was “dropping cyber bombs” on ISIS. It was an arguably mixed metaphor, since there’s no indication that the U.S. has launched cyber attacks that have caused physical damage to infrastructure connected to the Internet, such as power grids or oil facilities. But Work’s remarks and Obama and Carter’s statements signaled a marked shift both in rhetoric and policy.

Never have so many top officials spoken openly about cyber attacks, which historically have been guarded with the utmost secrecy because of the sensitive and often perishable techniques that are used to penetrate computers, monitor them, and sometimes control them remotely.

Work said that Carter’s orders to launch cyber attacks on ISIS were unprecedented. “It is the first time he has given Cyber Command guidance [that] we’re going to go after ISIL. Just like we have an air campaign, I want to have a cyber campaign,” Work said.

But within the government, there is debate over how exactly to wage a cyber war, who should be in charge of it, and what limits should be imposed on hackers who have the capability to do far more damage than just spy on jihadist computers. One official acknowledged that the U.S. is still figuring out its rules for cyber warfare even as it engages in it.

Carter is pushing for U.S. Cyber Command to have greater freedom to launch attacks, a defense official told The Daily Beast. Barely seven years old, Cyber Command has never been given a full-fledged attack mission, and its leaders have been reluctant to go on the offensive in part because the rules of engagement in the cyber fight against ISIS haven’t been precisely defined. Also, offensive operations that involve entering computers or disabling pieces of the telecommunications infrastructure have been seen as hostile acts that require approval from high up the military chain of command, and in some cases the president himself.

Carter wants to give Cyber Command more freedom to make decisions on when to strike. He’s essentially asking how can “we address tactical cyber threats against ISIL,” a defense official explained, using an alternate acronym for the group. “It comes down to defining the battlespace and who is responsible in it.”

Those freer strikes, officials stressed, would be limited only to ISIS. There is no proposal on the table to give Cyber Command a freer hand to attack other U.S. adversaries or countries such as North Korea and Iran that have launched their own cyber attacks on American institutions.

But while Carter is pushing for a more aggressive mission, there’s also been disagreement within the military and the intelligence community over whether it’s better to continue monitoring a compromised ISIS computer, gleaning potentially useful insights, or whether the smarter move is to disable those systems and make it harder for the group to operate online.

Carter has generally come down on the side of taking out ISIS’s computers and networks, which is the job of Cyber Command, and has been urging the national security community to “eliminate the threat,” one defense official said. The Pentagon, as well as the FBI, has also been leaning on social media companies such as Facebook and Twitter to step up their efforts to shut down accounts used by ISIS fighters and their sympathizers to spread the group’s propaganda. In February, Twitter shut down 125,000 such accounts in one fell swoop—a move that had a substantive impact on ISIS’s online recruitment, according to a recent study.

The conflict between gathering intelligence and going on the offensive is not unique to this cyber campaign against ISIS, or cyber operations in general. In fact, it’s been a hallmark of armed conflict for generations.

But the lack of clarity around the rules and laws that govern cyber operations has aggravated that tension between intelligence and attack, officials said. Carter’s push to give more power to Cyber Command is seen as an effort to clarify matters.

The command is based at Fort Meade, Maryland, the headquarters of the National Security Agency, which is charged with entering computer systems in order to gather intelligence. Some of the NSA’s hackers, however, also work for Cyber Command. When it comes time to launch offensive operations, such as shutting down a computer or a network, they simply “switch hats.”

“It’s as if one moment, I’m NSA, and now, I put on the other hat, and I’m Cyber Command,” a former intelligence officer explained. Both NSA and Cyber Command are run by the same person, Adm. Michael Rogers.

The new, more aggressive posture in cyber operations against ISIS was spurred by the ISIS attacks on Paris last November, officials said. The administration pushed the military to develop new ways to mitigate the ISIS threat online. Two months later, Rogers crafted a U.S. cyber offensive strategy, one defense official said. That’s when the U.S. began actively disrupting ISIS communications in Syria.

So far, there’s not enough evidence to say whether the operations are fundamentally changing the course of the war. But the former intelligence officers were skeptical.

“There are methods to basically deny their ability to communicate,” one former officer said. “If there’s a forum on the Web where they talk and send orders, you could shut it down. You could target specific individuals and their communications devices or their social media accounts.”

But unlike when the military and intelligence community deployed cyber operations against ISIS’s predecessor, al Qaeda in Iraq, in 2007 and 2008, the U.S. doesn’t have hundreds of thousands of troops on the ground, nor has it deployed teams of hackers and analysts. When cyber operations were at their peak in the Iraq war, soldiers and spies worked around the clock in shifts to kill or capture fighters, mine their computers and phones, and use the information to launch subsequent cyber operations that led to more raids and more intelligence.

It was a full-throttle cyber operation combined with military strikes. By comparison, this new effort against ISIS looks relatively modest, the former officers said.

And in Obama and other top officials’ willingness to talk openly about cyber attacks, the former officers sensed a public relations effort.

“Cyber Command has been around seven years now,” one former officer said, “and I think they’re under pressure to do something.”