The Washington PostDemocracy Dies in Darkness

U.S. military cyber operation to attack ISIS last year sparked heated debate over alerting allies

May 9, 2017 at 6:00 a.m. EDT
Cyber Command and National Security Agency chief Adm. Michael S. Rogers testifies on Capitol Hill in early January. (Evan Vucci/Associated Press)

A secret global operation by the Pentagon late last year to sabotage the Islamic State’s online videos and propaganda sparked fierce debate inside the government over whether it was necessary to notify countries that are home to computer hosting services used by the extremist group, including U.S. allies in Europe.

While U.S. Cyber Command claimed success in carrying out what was called Operation Glowing Symphony, the issue remained unresolved and now confronts the Trump administration, which is conducting a broad review of what powers to give the military in countering the Islamic State, including in the cyber realm.

As part of the operation, Cyber Command obtained the passwords to a number of Islamic State administrator accounts and then used them to access the accounts, change the passwords and delete content such as battlefield video. It also shut the group’s propaganda specialists out of their accounts, former officials said.

Cybercom developed the campaign under pressure from then-Defense Secretary Ashton B. Carter, who wanted the command to raise its game against the Islamic State. But when the CIA, State Department and FBI got wind of the plan to conduct operations inside the borders of other countries without telling them, officials at the agencies immediately became concerned that the campaign could undermine cooperation with those countries on law enforcement, intelligence and counterterrorism.

Cyber Command has launched a new digital war against the Islamic State

The issue took the Obama National Security Council weeks to address and still looms large for the Trump administration as the military seeks greater latitude to wage offensive cyber operations around the world.

“It’s a tricky thing to navigate,” said aformer U.S. official, who like a dozen other current and former officials interviewed, declined to be named because the operation remains classified. “Think how we would react if one of our allies undertook a cyber operation that affected servers here in the United States without giving us a heads-up.”

The operation was supposed to be launched at the end of September last year. Pentagon officials argued that under an existing authority they had to counter terrorists’ use of the Internet they did not need to request the permission of countries in which they were zapping propaganda.

“At a very basic level, what they were trying to do was remove content that the adversary was putting out there,” said a former defense official. “It didn’t require exquisite tools.”

The Pentagon drew up a list of about 35 countries outside of the war zones of Iraq and Syria that might have hosting services with videos and other Islamic State content to remove.

In a series of Obama Situation Room meetings, CIA Director John Brennan, Secretary of State John F. Kerry, FBI Director James B. Comey and Director of National Intelligence James R. Clapper Jr. argued that notice was necessary — especially to allied countries — to preserve relationships. Carter, Cybercom commander Adm. Michael S. Rogers and Gen. Joseph F. Dunford Jr., the chairman of the Joint Chiefs of Staff, countered that existing authority did not require it, particularly as the Pentagon insisted there would be no harmful collateral effects.

Dismantling of Saudi-CIA website points to holes in cyberwar policies

At a Senate Armed Services Committee hearing May 9, Cyber Command and National Security Agency chief Adm. Michael S. Rogers responded to Sen. John McCain's question about the worst and best case scenarios for the future of cyber. (Video: AP)

They also argued that if notice is given, word of the operation could leak. That could tip off the target and enable other adversaries to discover the command’s cyber capabilities.

A major flash point was Germany, a strategic ally and a country with which the United States had a dust-up several years ago in the wake of disclosures by former National Security Agency contractor Edward Snowden that the NSA had intercepted the phone calls of Chancellor Angela Merkel.

In the end,about 15 countries were notified, but action was taken in only about five or six.

Beginning in November, personnel at Cybercom’s headquarters in Fort Meade, Md., began a rolling series of propaganda takedowns and account lockouts in a campaign that stretched into the new year.

The Pentagon and Cyber Command officials maintain the operation was a success. It showed that Cybercom could integrate computer attack capabilities into traditional battle plans as U.S. Central Command sought to help local allies push the Islamic State out of strongholds in Iraq and Syria.

Intercepts of Islamic State militants revealed that in some cases they “didn’t know what the hell was going on” with their platforms, one former official said.

A senior defense official said: “It took a little while, but they learned so much in the first few months of doing it that it set the stage for things that are happening now, and I would say for operations in the future.”

U.S. intelligence officers, in contrast, concluded about a month into the campaign that the impact on the Islamic State was short-lived at best as the group either restored the content or moved it to new servers, current and former officials said.

The conflicting assessments stem from different definitions of success, said a second former defense official. “Cyber Command and DOD tend to define success as temporary disruptions or distraction of the adversary,” he said, while “the intelligence analysts say, ‘Prove to me what effect you had. Was it or wasn’t it enduring?’”

Private sector researchers who track militant websites also expressed skepticism about the operation’s value. Evan Kohlmann, chief innovation officer of Flashpoint, a research firm, said there was a dip in Islamic State propaganda releases beginning in mid-October that lasted through January, but it was impossible to know whether it was the result of cyber operations or physical operations in Syria.

“In the last year, ISIS has suffered heavy casualties among its media emirs, video narrators, cameramen, and others associated with propaganda production,” Kohlmann said, using an acronym for the Islamic State. “Even absent any specific cyber campaign targeting them, one would naturally expect them to be producing and releasing less content.”

Rita Katz, director of SITE Intelligence Group, said the group’s primary means to release propaganda is on the encrypted messaging app, Telegram, through a channel called Nashir, which has suffered no significant disruptions in the past six months. “ISIS media isn’t something you can just shut off or directly disrupt,” she said. “The group and its network of supporters are too adaptive and persistent, and they’ll adjust to any attempts to do so.”

The operation was carried out by Cybercom’s Joint Task Force Ares, created by Rogers last year to develop digital weapons and strategies to go after the Islamic State’s networks.

Adam Entous, Greg Miller and Missy Ryan contributed to this report.