ISIS propagates its ideology and promises of a jihadi utopia through slick social media campaigns, seeking to inspire a global audience to take up arms against its enemies and the societies they represent. Perhaps less visible has been ISIS’ operational use of digital communications as a command and control platform to guide fighters through battles on the ground in Iraq and Syria. Both the U.S. and UK have declared that they are seeking to use offensive cyber capabilities, a form of remote electronic warfare, against such digital force multipliers leveraged by the terrorist organization.
The Cipher Brief’s Levi Maxey spoke with Ewan Lawson, a Senior Research Fellow for Military Influence at the Royal United Services Institute in London, about what this means from a practical standpoint, and why such operations are more complicated than they appear at face value.
The Cipher Brief: Sir Michael Fallon, the UK Defence Secretary, has said that Britain is using cyber warfare in the battle to retake Mosul from ISIS. Could you describe what this means in a practical sense?
Ewan Lawson: To a certain extent, the details of these operations have not been revealed, nor are they likely to be in the immediate future. This reflects three factors. First, the ways in which an organization can gain access to an adversary’s IT systems are relatively limited, and once known, can often be blocked. Therefore, it is important to ensure that appropriate operational security is maintained so that the accesses involved are not revealed and therefore compromised.
Second, the organizations involved in generating such accesses are generally national signals intelligence agencies such as the UK’s Government Communications Headquarters (GCHQ) and the U.S. National Security Agency (NSA), who for the very good reasons outlined above, are reluctant to share information on their operations and are culturally secretive by nature.
Third, some of the approaches are likely to be based on disrupting ISIS cognitively, perhaps by disrupting communications or inserting false messages. For these to be a success, operational security is clearly vital.
I would assess that it is most likely that most activity will have been in this cognitive space, which has analogies to electronic warfare activity such as “spoofing” or “jamming.” Given the utility of the networks for intelligence gathering, it is unlikely that there will have been efforts to destroy networks but rather to disrupt their use.
TCB: Have such cyber offensives been tactically, operationally, or strategically useful in the ground fight against ISIS, or is this more of a way of combating recruitment messaging?
Lawson: There is little evidence as yet to confirm the efficacy of such activity, as the operational analysis has yet to be made public and indeed may not yet have been completed. However, efforts at disruption of the information space in order to have a cognitive impact are nothing new in conflict, and whilst often difficult to measure in terms of actual effect, are generally considered an essential part of any use of force. The impact can be significant. For instance, the substitution of commands or location information does not only have the immediate effect of that false data, but can also undermine confidence in command, control, and information systems, impacting decision making and potentially channeling the adversary on to alternate means where they can be more easily targeted.
Broader efforts to counter recruitment through cyberspace will also be taking place, but these will most likely be handled separately from the efforts in support of the ground campaign.
TCB: What are some of the legal challenges to hitting ISIS in cyberspace?
Lawson: Considerable progress has been made in the application of the laws of armed conflict and international humanitarian law to cyberspace in the form of the two volumes of the so-called Tallinn Manual, but this is not recognized as authoritative by key states such as Russia and China. However, whilst state actors are likely to maintain essential data and connectivity on national networks within national means, a non-state group such as ISIS does not have that option, and therefore its data is likely to be stored in third-party countries who may well not be a party to the conflict.
Thus, there is an issue with disrupting data in those third-party countries, but this may not become an issue unless there is accidental spillover due to the activity taking place. As was illustrated in the case of Stuxnet – a disruptive worm leveraged against the Iranian nuclear facility in Natanz – even a highly focused cyber capability can and will escape into the wild where it can be reverse-engineered and perhaps employed against innocent parties. These issues remain contentious.
TCB: How might the use of offensive cyber capabilities against a non-state actor like ISIS be different or similar to cyber espionage used to track terrorist groups?
Lawson: It is likely that some of the access methods and techniques used to conduct espionage will also be used to conduct disruptive activities. Using those accesses for disruption runs the risk of exposing them to an adversary such that the particular access is lost. This is known as the intelligence loss/gain debate, and in a very practical sense, is at the heart of the debate in the U.S. about the “dual hatting” of Commander of U.S. Cyber Command and Director of the NSA. On the one hand, this in theory means that such intelligence loss/gain decisions are in the hands of one individual who has responsibility for both espionage and offensive operations through cyberspace. However, some in the U.S. system have expressed concern that there has been a tendency to focus on the intelligence operations rather than the potential opportunities for disruption.
TCB: Cyber warfare is also being used between nation-states, such as the reported U.S. operations against Iranian nuclear facilities and North Korean missile systems. But how are cyber operations conducted against a non-state group different than against a state?
Lawson: To an extent, this depends upon the nature of the state in question and the extent to which it is networked, and whether that networking is vulnerable. However, in many ways, non-state groups are a greater challenge as they generally have a lower reliance on networked systems, and thus the attack surface available for efforts at disruption is smaller. Whilst a group like ISIS has been innovative in its use of technology, it is not reliant on the sort of networks that are necessary for successful nuclear or missile programs, or more complex weapons systems such as integrated air defense systems. This tends to mean that the possible targets and disruptive activities are more limited and indeed are likely also to be the same networks that are being monitored for intelligence purposes.