Governance & Risk Management

Report: US 'Dropping Cyber Bombs' Against ISIS

Systems, Networks, Communications Being Disrupted
Report: US 'Dropping Cyber Bombs' Against ISIS

The U.S. government is actively disrupting - rather than just monitoring - networks and communications technologies used by the jihadi fighters known as ISIS, ISIL or Daesh, The New York Times reports.

See Also: IT Modernization: Orchestration and Automation

"We are dropping cyber bombs," Robert O. Work, the deputy secretary of defense, tells the Times. "We have never done that before."

The Department of Defense has previously said that U.S. Cyber Command, which was established in 2009, has been attempting to monitor and disrupt ISIS's cyber infrastructure. Cyber Command centralizes the control of U.S.-led "cyberspace operations," organizes related resources and coordinates the defense of U.S. military networks.

Adding more details - based on interviews with "a half-dozen senior and midlevel officials" - the Times reports that counter-ISIS operations involve a small group of cyber units dubbed "national mission teams" and loosely based on how Special Operations forces are organized. The operations are using "implants" to target militants' networks, first to study how commanders operate and then to try to spoof their communications, for example, to redirect jihadi forces to a location where they can be ambushed by U.S. drones or military ground forces, the newspaper reports.

"Implant" is government-speak for either physically altering a device to allow for monitoring - for example by intercepting networking equipment after it's been shipped by a manufacturer, and before it arrives to the customer, then altering it - or infecting a device with software, such as malware, to eavesdrop on systems or networks (see Defending Against Government Intrusions).

Officials are releasing some details about these cyber operations in an attempt to psychologically rattle ISIS leaders, as well as deter new recruits, the newspaper reports.

The White House says that President Obama was to discuss the overall campaign - including cyber operations - against ISIS at an April 25 meeting in Hanover, Germany, with the leaders of France, Germany, Italy and the United Kingdom.

The details of related operations follow a February press briefing by U.S. Secretary of Defense Ashton Carter, who provided some details relating to the counter-ISIS campaign, which he said was primarily active in Syria. Carter also revealed that the effort was designed "to interrupt, disrupt ISIL's command and control, to cause them to lose confidence in their networks, to overload their network so that they can't function, and do all of these things that will interrupt their ability to command and control forces there, control the population and the economy."

Carter added that bringing these capabilities to bear is "an important new capability and it is an important use of our Cyber Command and the reason that Cyber Command was established in the first place."

The Disruption Debate

But The New York Times reports that efforts to disrupt ISIS lagged for some time because the civilian employees inside the National Security Agency preferred to monitor adversaries, rather than disrupt them - and by doing so, revealed and likely lost related monitoring capabilities. By contrast, many military officials favored immediately disrupting ISIS's networks and operations.

The NSA didn't immediately respond to a related request for comment.

Britain's Government Communications Headquarters - the country's sister agency to the NSA - has been having a similar debate with other branches of the British government, the Times reports. A press officer for GCHQ declined to comment on that report.

In his February press briefing, Defense Secretary Carter acknowledged that disrupting ISIS's communication channels - or information technology practices - could make it more difficult to monitor their activities. "But it cuts both ways. Sometimes, those other means are easier for us to listen to. So by taking away some of the ways that they are used to operating ... drives them to other, including older technologies," he said. "And so one way or another, it is a very effective tool."

Despite U.S. administration officials trumpeting the cyber fight against ISIS, however, Thomas Rid, professor of security studies at King's College London, notes that the "funny language" being used offers few solid details about what's actually being done.

Threat-intelligence engineer Danny Moore at network infrastructure firm Verisign, meanwhile, says via Twitter that there's probably little strategic benefit - for example, disrupting ISIS ground forces - to be gained via these activities. Nevertheless, he says the activities might be useful for disrupting communications or attempts to move money from overseas, for example, to pay fighters.

Inconsistent Use of Encryption

One seemingly obvious use of installing malware on ISIS leaders' PCs would be to crack their encrypted communications. But what's known about how ISIS has used encryption for terror-related operations reveals little sophistication or consistency, the operational security expert known as the Grugq says in a blog post (see Top 10 Data Breach Influencers).

"The clear takeaway ... is that: 1) ISIS doesn't use very much encryption, 2) ISIS is inconsistent in their tradecraft," he says. "There is no sign of evolutionary progress; rather it seems more slapdash and haphazard. People use what they feel like using and whatever is convenient."

The Grugq says that in ISIS's March attack on Brussels Airport, attackers used burner (disposable) phones, a laptop with "no encryption at rest," as well as unencrypted phone calls and SMS messages. In other words, there was no 'going dark' process - which refers to law enforcement or intelligence agencies being unable to crack criminals' encrypted communications. Rather, the group just discarded equipment as its operation progressed.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.