U.S. cyberweapons, used against Iran and North Korea, are a disappointment against ISIS
By David E. Sanger and Eric Schmitt
America’s fast-growing ranks of secret cyberwarriors have in recent years blown up nuclear centrifuges in Iran and turned to computer code and electronic warfare to sabotage North Korea’s missile launches, with mixed results.
But since they began training their arsenal of cyberweapons on a more elusive target, internet use by the Islamic State, the results have been a consistent disappointment, American officials say. The effectiveness of the nation’s arsenal of cyberweapons hit its limits, they have discovered, against an enemy that exploits the internet largely to recruit, spread propaganda and use encrypted communications, all of which can be quickly reconstituted after American “mission teams” freeze their computers or manipulate their data.
It has been more than a year since the Pentagon announced that it was opening a new line of combat against the Islamic State, directing Cyber Command, then six years old, to mount computer-network attacks. The mission was clear: Disrupt the ability of the Islamic State to spread its message, attract new adherents, pay fighters and circulate orders from commanders.
But in the aftermath of the recent attacks in Britain and Iran claimed by the Islamic State, it has become clear that recruitment efforts and communications hubs reappear almost as quickly as they are torn down. This is prompting officials to rethink how cyberwarfare techniques, first designed for fixed targets like nuclear facilities, must be refashioned to fight terrorist groups that are becoming more adept at turning the web into a weapon.
“In general, there was some sense of disappointment in the overall ability for cyberoperations to land a major blow against ISIS,” or the Islamic State, said Joshua Geltzer, who was the senior director for counterterrorism at the National Security Council until March. “This is just much harder in practice than people think. It’s almost never as cool as getting into a system and thinking you’ll see things disappear for good.”
Even one of the rare successes against the Islamic State belongs at least in part to Israel, which was America’s partner in the attacks against Iran’s nuclear facilities. Top Israeli cyberoperators penetrated a small cell of extremist bombmakers in Syria months ago, the officials said. That was how the United States learned that the terrorist group was working to make explosives that fooled airport X-ray machines and other screening by looking exactly like batteries for laptop computers.
The intelligence was so exquisite that it enabled the United States to understand how the weapons could be detonated, according to two American officials familiar with the operation. The information helped prompt a ban in March on large electronic devices in carry-on luggage on flights from 10 airports in eight Muslim-majority countries to the United States and Britain.
It was also part of the classified intelligence that President Trump is accused of revealing when he met in the Oval Office last month with the Russian foreign minister, Sergey V. Lavrov, and the ambassador to the United States, Sergey I. Kislyak. His disclosure infuriated Israeli officials.
The Islamic State’s agenda and tactics make it a particularly tough foe for cyberwarfare. The jihadists use computers and social media not to develop or launch weapons systems but to recruit, raise money and coordinate future attacks.
Such activity is not tied to a single place, as Iran’s centrifuges were, and the militants can take advantage of remarkably advanced, low-cost encryption technologies. The Islamic State, officials said, has made tremendous use of Telegram, an encrypted messaging system developed largely in Germany.
The most sophisticated offensive cyberoperation the United States has conducted against the Islamic State sought to sabotage the group’s online videos and propaganda beginning in November, according to American officials.
In the endeavor, called Operation Glowing Symphony, the National Security Agency and its military cousin, United States Cyber Command, obtained the passwords of several Islamic State administrator accounts and used them to block out fighters and delete content. It was initially deemed a success because battlefield videos disappeared.
But the results were only temporary. American officials later discovered that the material had been either restored or moved to other servers. That setback was first reported by The Washington Post.
The experience did not surprise veteran cyberoperators, who have learned, through hard experience, that cyberweapons buy time but rarely are a permanent solution. The attacks on Iran’s Natanz nuclear facility, begun in the George W. Bush administration and code-named Olympic Games, destroyed roughly 1,000 centrifuges and set back the Iranians by a year or so — the amount of time is still hotly disputed. But it created some room for a diplomatic negotiation.
The attacks on North Korea’s missile program, which President Barack Obama accelerated in 2014, were followed by a remarkable series of missile failures that Mr. Trump noted in a conversation, which leaked recently, with the president of the Philippines. But recent evidence suggests that the North, using a different kind of missile, has overcome at least some of the problems.
The shortcomings of Glowing Symphony illustrated the challenges confronting the government as it seeks to cripple the Islamic State in cyberspace.
The disruptions often require fighters to move to less secure communications, making them more vulnerable. Yet because the Islamic State fighters are so mobile, and their equipment relatively commonplace, reconstituting communications and putting material up on new servers are not difficult. Some of it has been encrypted and stored in the cloud, according to intelligence officials, meaning it can be downloaded in a new place.
“There were folks working hard on this stuff, and there were some accomplishments that had an impact, but there was no steady stream of jaw-dropping stuff coming forward as some expected,” said Mr. Geltzer, who now teaches law at Georgetown University Law Center. “There was no sort of shining cybertool.”
The Obama administration’s frustration with the lack of success against the Islamic State was one factor in its effort to oust Adm. Michael S. Rogers, the director of the N.S.A. and the commander of Cyber Command, according to several former administration officials. They complained that the organizations were too focused on traditional espionage and highly sophisticated efforts to use networks to blow up or incapacitate adversary facilities, like those in Iran and North Korea.
The former defense secretary Ashton B. Carter traveled to Admiral Rogers’s headquarters in Fort Meade, Md., on several occasions, the officials said, to voice his displeasure at the slow pace of the effort and to stoke new initiatives, like Glowing Symphony.
Obama administration officials backed off around the time that President-elect Trump appeared to be considering Admiral Rogers, who had run the Navy’s Fleet Cyber Command operations, as director of national intelligence — and the Trump administration appears to have embraced him.
But the fundamental problem of how to use cybertechniques effectively against the Islamic State remains.
That was evident in the frustration voiced by Prime Minister Theresa May of Britain after the recent attack on London Bridge and in nearby restaurants. She focused on how the internet creates “a safe space” for radical ideology, and said that “the big companies that provide internet-based services” would have to join the fight more fully.
They already police for gruesome videos and overt recruitment, and a former N.S.A. official noted recently that Cyber Command was also highly attuned to taking down anything that seemed to celebrate the deaths of Americans or other Westerners.
But in the United States, any crackdown is likely to run headlong into First Amendment issues, where the advocacy of an ideology, short of direct incitement to violence, is protected speech.
American officials say that even with the loss of territory in Syria and Iraq, and a broad military effort to disrupt the Islamic State’s activities, the militants have proved remarkably resilient.
“The global reach of ISIS right now is largely intact,” Nicholas Rasmussen, the director of the National Counterterrorism Center, said in a speech in Washington last month. “The group also continues to publish thousands of pieces of official propaganda and to use online apps to organize its supporters and inspire attacks.”
Mr. Rasmussen’s assessment came a year after some of the best of the newly created cyber mission teams joined more traditional military units in the fight. The teams are the cyber equivalent of Special Forces teams, dispatched around the world to work on defending Pentagon networks or launching cyberattacks in coordination with more traditional operations.
Cyberoperations are also closely integrated with Iraqi ground combat and allied air missions to maximize the impact on Islamic State fighters hunkered down in the extremist group’s two major strongholds: Mosul, Iraq, and Raqqa, Syria.
“We’re able to either blind them so they can’t see or make sure they can’t hear us,” Lt. Gen. Jeffrey L. Harrigian, the allied air commander, said in an interview at his headquarters in Qatar in December. “There are things we are doing both with space and cyber that are being effectively synchronized to achieve important effects even in Mosul and Raqqa.”
Lt. Gen. Sean MacFarland, who was the top American military commander in Iraq until August, said specialists at Cyber Command had assisted his troops in “disrupting enemy command and control during our offensive operations, and that support improved over the time I was in command.”
Other senior military officials said the number and quality of tools in the United States’ cyberarsenal against the Islamic State had expanded over the past year. Some of the effects are employed repeatedly over days. Locking Islamic State propaganda specialists out of their accounts — or using the coordinates of their phones and computers to target them for a drone attack — is now standard operating procedure.
General Harrigian said allied countries were also employing cyberweapons and techniques against the Islamic State that the United States did not. Without identifying specific countries or skills, he said the allies “can do things we can’t do — some cyberactivities that they have authorities to execute that we do not.”