An unprecedented Pentagon cyber-offensive against the Islamic State has gotten off to a slow start, officials said, frustrating Pentagon leaders and threatening to undermine efforts to counter the militant group’s sophisticated use of technology for recruiting, operations and propaganda.
The U.S. military’s new cyberwar, which strikes across networks at its communications systems and other infrastructure, is the first major, publicly declared use by any nation’s military of digital weapons that are more commonly associated with covert actions by intelligence services.
The debut effort is testing the ability of the military’s seven-year-old U.S. Cyber Command’s to conduct offensive operations against an enemy that has proved to be an adept user of technology to organize operations, recruit fighters and move money.
But defense officials said the command is still working to put the right staff in place and has not yet developed a full suite of malware and other tools tailored to attack an adversary dramatically different than the nation-states Cybercom was created to fight.
In an effort to accelerate the pace of digital operations against the Islamic State, the Cybercom commander, Adm. Michael S. Rogers, created a unit in May headed by Lt. Gen. Edward Cardon that is tasked with developing digital weapons — fashioned from malware and other cyber-tools — that can intensify efforts to damage and destroy the Islamic State’s networks, computers and cellphones.
The group, called Joint Task Force Ares, is coordinating operations more closely with U.S. Central Command, which is leading the military fight, and working to sharpen offensive operations.
Defense Secretary Ashton B. Carter has pressed Rogers repeatedly to pick up the pace of the nascent cyber-offensive, ensuring it plays a more active role in the overall campaign against the Islamic State.
“Cybercom has not been as effective as the Department would expect them to be, and they’re not as effective as they need to be,” said a senior defense official who, like other officials, spoke on the condition of anonymity to discuss internal conversations. “They need to deliver results.”
Although officials declined to detail current operations, they said that cyberattacks occurring under the new task force might, for instance, disrupt a payment system, identify a communications platform used by Islamic State members and knock it out, or bring down Dabiq, the Islamic State’s online magazine.
It is not, however, part of the group’s mission to identify individuals to be targeted by American airstrikes, officials said.
“We want to take cyber out of the shadows, where people think we’re doing something malicious or spooky, and treat it like we do our operations in other domains,” said Aaron Hughes, a senior Pentagon official for cyber-policy.
And officials hope the campaign is a significant step toward normalizing cyber as a tool of warfare, just like the use of airstrikes and artillery barrages.
The very nature of the Islamic State — not a country or a government that would have vast institutions or infrastructure vulnerable to attack — makes it a challenging target for cyberattacks. It is unlike more traditional foes such as Iran — a country whose nuclear infrastructure was attacked in a joint U.S.-Israeli operation by a sophisticated piece of malware designed to infiltrate and damage the computers running an enrichment facility.
“The more dependent you are on technology, the more you are a target for cyberattack. And ISIS is less dependent,” said James Lewis, a cyber-policy expert at the Center for Strategic and International Studies, said, using an acronym for the Islamic State. “It doesn’t mean you get no military advantage out of it. But scruffy insurgents aren’t the best target for high-tech weapons.”
The simple fact that the Pentagon has ordered its first major cyber-offensive campaign, and has acknowledged it publicly, is a milestone.
“Here you’ve got a real first time where you have a state saying, ‘We did this — we’re using cyber on the battlefield,’ ” said Jason Healey, a senior research scholar in cyber-conflict at Columbia University and a former military cyber-operator. “Without a doubt, this is the first time we’re seeing this in history.”
Military cyber-specialists conducted tactical operations in Iraq and, to a lesser extent, in Afghanistan toward the end of the George W. Bush administration, but the communications environment has changed significantly, officials said. The techniques used then were simpler than those being planned today, they said. “Terrorist organizations use the most modern comms,” the senior defense official said. “They know that people are after them, and so they spend a lot of time protecting themselves” through the use of encryption, for example.
Carter announced a cyber-strategy last year that for the first time addressed the use of cyber-weapons in combat and the need to be transparent about their use. But he was unhappy with the effectiveness of the early efforts against the Islamic State, leading to the creation of the dedicated unit led by Cardon.
Cardon’s task force is headquartered at Fort Meade, Md., which is also the headquarters for Cybercom and the National Security Agency. The unit comprises about 100 people, including intelligence personnel and staff from across the military.
One key aim of the group is to be more closely integrated with the overall military campaign against the Islamic State, officials said.
This would allow Lt. Gen Sean MacFarland, who oversees operations in Iraq and Syria, to work cyberattacks into his battle plan, just as he uses airstrikes. At times, officials said, commanders may choose to use a cyberattack when it will reduce the odds of civilian casualties; an example of this is disabling a communications network by digital means rather than bombing it.
Cardon said the fledgling unit is having some effect but that the militants were also resisting its efforts, switching servers and other hardware to stay ahead of the attacks.
“We’re definitely having an impact on them, but it’s a dynamic space,” the general said in an interview.
The Obama administration said that the overall military campaign against the Islamic State has weakened the self-anointed caliphate. A senior administration official told Congress last month that the group had lost almost half the territory it once controlled in Iraq. In Syria, U.S.-backed fighters are battling for control of areas along the Turkish and Iraqi borders.
The cyberwarfare campaign against the Islamic State has presented some challenges for the Pentagon. Whenever the military undertakes a cyber-operation to disrupt a network, the intelligence community may risk losing an opportunity to monitor communications on that network. So military cybersecurity officials have worked to better coordinate their target selection and operations with intelligence officials.
The military is also grappling with the need to avoid harming civilian or noncombatant networks. Militants use the communications systems of commercial services, which the general population relies on.
“Think about any war zone,” Cardon said. “You don’t have just the enemy side and the friendly side. You have all this gray. It’s the same thing in cyberspace.”
Cybercom’s new offensive is limited primarily to Iraq and Syria and does not include Islamic State affiliates from North Africa to East Asia. But Pentagon officials said that future cyber operations could extend outside the two countries.
“As we move through additional phases of this operation, that fight will absolutely go global,” Hughes said.
But Cardon cautioned that cyber is just one element of the larger struggle against the Islamic State. “We’ll be a contributor,” he said. “This war here is not going to be won in cyberspace.”