Obama’s Underwhelming Cyber Offensive Against the Islamic State
The Obama administration has dragged its feet on waging cyber war on the Islamic State.
In February, the Pentagon revealed that it has begun an aggressive cyber campaign against the Islamic State. The Associated Press reported that U.S. offensive cyber attacks are targeting the group's ability to use social media and the internet to recruit fighters and inspire followers, including preventing the group from distributing propaganda, videos, or other types of recruiting and messaging on social media sites like Twitter. Three days later, Secretary of Defense Ash Carter told reporters that cyber operations are underway to interrupt the Islamic State's "command and control, to cause them to lose confidence in their networks, to overload their networks so that they can’t function,” particularly in Syria.
In February, the Pentagon revealed that it has begun an aggressive cyber campaign against the Islamic State. The Associated Press reported that U.S. offensive cyber attacks are targeting the group’s ability to use social media and the internet to recruit fighters and inspire followers, including preventing the group from distributing propaganda, videos, or other types of recruiting and messaging on social media sites like Twitter. Three days later, Secretary of Defense Ash Carter told reporters that cyber operations are underway to interrupt the Islamic State’s “command and control, to cause them to lose confidence in their networks, to overload their networks so that they can’t function,” particularly in Syria.
The Obama administration should be commended for any measure that disrupts IS’ ability to recruit foreign fighters, inspire “lone wolves,” conduct operations in Syria, or coordinate attacks abroad. Yet while there are numerous unanswered questions regarding this new cyber offensive — Secretary Carter, understandably, declined to provide specifics — the first one may be: “What took them so long”?
In his September 2014 address to the American people justifying military operations against IS, President Obama declared: “I have made it clear that we will hunt down terrorists who threaten our country, wherever they are. That means I will not hesitate to take action against [the Islamic State] in Syria, as well as Iraq.” Yet the history of the anti-IS campaign, dubbed Operation Inherent Resolve, is rife with examples of the Obama administration’s hesitance to take actions later deemed necessary to disrupt and degrade the terrorist network:
- Despite declaring “Stopping [IS’] financing and funding,” one of the five mutually reinforcing lines of effort to degrade and defeat the group in September 2014, the administration chose not to target the massive convoys of fuel trucks smuggling its oil — generating up to $2 million in revenue per day for the terrorist proto-state — until last November, a full 15 months into the anti-IS air campaign;
- The CIA and Joint Special Operations Command reportedly only began a drone campaign to hunt IS leaders in Syria last summer;
- It was not until last October — 14 months into Operation Inherent Resolve — that President Obama ordered less than 50 special operations troops into Syria to advise local forces fighting IS.
This hesitance is especially puzzling in the case of cyber operations. The idea of conducting cyber operations against terror networks or in Syria is not exactly new. In 2013, U.S. intelligence operatives covertly sabotaged al Qaeda in the Arabian Peninsula’s propaganda efforts by hacking its online magazine Inspire. When airstrikes against the Assad regime in response to its use of chemical weapons against civilians appeared imminent in 2013, speculation was rampant that offensive cyber attacks would be a component of any military operation. Moreover, the administration clearly recognizes the threat posed by the Islamic State’s activity in cyberspace. Countering its propaganda and recruitment efforts was one of the original five lines of operation. Given that in November 2014 there were estimated to be roughly 46,000 IS-linked Twitter accounts, this line of operation would inevitably require a significant cyber component. Last August, after IS hackers posted the names, addresses, and photos of U.S. troops on Twitter, U.S. forces conducted a targeted drone strike in Raqaa, Syria, killing Junaid Hussain, a British citizen in his early 20s believed to be a leader of the Islamic State’s hacking division. Thus, the option of offensive cyber operations in Syria had been available for almost three years — and IS propaganda and cyber activity had been deemed a threat for 16 months — before the administration authorized their deployment.
There are three possible explanations for this delay:
The administration wanted to avoid establishing a precedent: P.W. Singer of the New America Foundation noted that Carter’s admission “is the first public acknowledgment” the U.S. military is carrying out offensive cyber operations, and argued that this is “a big line to cross.” Given the conventional wisdom in some quarters that the alleged U.S.-Israeli cyber attack on Iran’s Natanz nuclear reprocessing facility triggered a cyber arms race, it is possible the administration wanted to avoid creating a new norm regarding offensive cyber operations.
Yet there are several precedents of states conducting cyber attacks in coordination with military operations. Israel used a cyber attack to disable Syrian air defenses in 2007’s Operation Orchard, destroying the nuclear reactor under construction at Kibar. In 2008, Russian “patriotic hackers” crippled key portions of Georgia’s communications systems to facilitate their invasion of the country. In fact, this is not even the American use of offensive cyber operations as a force multiplier in a broader military campaign, as in 2007 U.S. forces hacked into al Qaeda in Iraq’s cellphone network to send fake texts directing insurgents to locations where they were subsequently targeted.
Thus, although acknowledging such cyber operations may be unprecedented, there was certainly no precedent sufficient to deter the administration from actually deploying this capability against IS.
The potential costs of cyber operations against IS outweighed the potential gains. Even as IS has perfected the use of social media for propaganda and recruitment purposes, the U.S. intelligence community has used extremists’ Twitter feeds to monitor their messaging for strategies, tactics, and policies. As one former National Security Agency official noted: “Twitter is an incredible source to learn what these groups are doing. The FBI, CIA, and NSA not only get a lot of intelligence from Twitter, but there is also a lot of manipulation going on.” Thus, the administration may have foregone attacking IS in cyberspace over concerns that blocking its internet access could hurt intelligence gathering. Alternatively, cyber attacks frequently have unintended consequences. In 2008, for example, the U.S. military’s dismantling of a Saudi website that U.S. officials suspected of facilitating suicide bombers in Iraq also inadvertently disrupted more than 300 servers in Saudi Arabia, Germany, and Texas. Fear of similar negative second-order effects may have inhibited the administration.
While such concerns are legitimate, they are also manageable. Secretary Carter reportedly ordered that cyber operations be conducted without diminishing the indications or warning U.S. intelligence officers can glean about IS activities, suggesting this risk can be assessed and mitigated. In fact, Carter went a step further and suggested the hacking campaign could force IS to communicate via more easily interceptable methods. Moreover, although the risk of blowback is endemic to cyber warfare, it may be outweighed by the operational value of the targeted network. In discrete operations such as the jamming of IS online communications networks during the four-day battle for Shaddada in mid-February, which helped U.S.-backed Syrian rebels retake the town and nearby oil fields, the operational objective attained was worth the risk of spillover to untargeted networks.
Either way, the Pentagon clearly believes these risks can be evaluated on a case-by-case basis, and should not have precluded the use of all cyber operations against IS.
The administration is not actually trying to defeat IS. According to the Los Angeles Times, the cyber offensive against IS was not launched until last December after the IS-inspired attack in San Bernardino, California, that killed 14 Americans. Consequently, in a White House meeting, administration officials directed senior Pentagon officials to prepare options for more aggressive cyber operations. If true, this merely represented the latest in a series of entirely reactive escalations by the Obama administration in Syria and Iraq. President Obama initially dismissed IS as the jayvee team of terrorism, and only signed off on military operations against the group in response to its conquest of Mosul in June 2014 and the subsequent threat of genocide against Iraq’s Yazidi population. The announcement of a drone campaign against IS leadership followed the fall of Ramadi last summer. The deployment of U.S. special operations advisers to aid Syrian rebels only came after Russia began combat operations in Syria last October. Similarly, the decision to accept a greater risk of civilian casualties while bombing IS fuel convoys was only taken after November’s IS-sponsored attack in Paris that killed 130 people.
None of these assets were committed to the anti-IS campaign as part of a comprehensive strategy for defeating the group, but rather as defensive measures in response to successful Islamic State operations or expansion. In a sense, the administration’s incremental deployments are reminiscent of Leslie Gelb and Richard Betts’ famous conclusion in The Irony of Vietnam regarding the Kennedy and Johnson administration’s decision-making: “Each time they turned the ratchet of escalation up another notch they did not believe that the increase would provide victory [in Vietnam].” Similarly, the Obama administration’s incrementalism projects the appearance of fighting not to lose in Syria and Iraq.
Why does the administration appear to have eschewed victory against IS as a strategic objective? Some analysts speculate that President Obama does not want to risk empowering anti-IS groups that also oppose Bashar al-Assad — or even provide Syrian civilians with a modicum of protection from his forces — in order to avoid jeopardizing its pursuit of detente with Iran. Alternatively, it is possible that President Obama does not perceive IS to be a significant threat to U.S. national security. He told Jeffrey Goldberg that the Islamic State “is not an existential threat to the United States,” especially when compared to climate change, and reiterated this sentiment in his remarks from Argentina on the Brussels suicide bombings that killed at least 31 people and wounded 270. Alternatively, President Obama may view the struggle against IS as unwinnable. When asked “Why don’t you just go get the bastards [ISIL]?” the President’s reponse is that “we just don’t have the tools in our toolkit to have a huge impact.”
Although it can plausibly be argued that the costs of an intervention capable of defeating IS — or at least eliminating its manifestation as a proto-state in Syria and Iraq — outweigh the threat it represents, the president certainly seems to find these “tools” effective enough each time his policy appears broken.
Whatever the cause, there are significant dangers to the Obama administration’s incrementalism. First, by deploying new assets solely as a reactionary measure, the White House is ceding the initiative in Syria and Iraq to a web of actors — IS, Iran, and Russia — who are pursuing goals in direct opposition to U.S. interests and will shape conditions in the region accordingly. Second, by failing to make clear that it has settled for a policy of containing IS, the Obama administration has created a disconnect between its rhetoric and the resources deployed by its ad hoc escalations. This exacerbates the appearance of American inconstancy evidenced by President Obama’s refusal to enforce the 2013 “red lines” over Assad’s use of chemical weapons, further undermines U.S. credibility in the region, and may lead regional allies to seek help from other great powers. Finally, by repeatedly deploying the minimum resources necessary to prevent the Islamic State’s expansion rather than committing them in a decisive and deliberate fashion, the administration risks prolonging the conflict. Beyond the devastating humanitarian toll in terms of civilian deaths and refugees, this has enabled the self-declared caliphate to serve as an inspiration to “lone wolves” and homegrown jihadists, as well as plan terrorist attacks abroad.
By failing to deploy all relevant assets to the anti-IS campaign at the outset in a deliberate and decisive fashion, the administration has increased the probability that the horrors of Paris, Brussels, and San Bernardino will be repeated. President Obama may be right that such attacks do not threaten the “existence of our nation”, but they certainly pose an existential threat to the lives of U.S. citizens and those of our allies.
Photo credit: JOHN MOORE/Getty Images
More from Foreign Policy
Saudi-Iranian Détente Is a Wake-Up Call for America
The peace plan is a big deal—and it’s no accident that China brokered it.
The U.S.-Israel Relationship No Longer Makes Sense
If Israel and its supporters want the country to continue receiving U.S. largesse, they will need to come up with a new narrative.
Putin Is Trapped in the Sunk-Cost Fallacy of War
Moscow is grasping for meaning in a meaningless invasion.
How China’s Saudi-Iran Deal Can Serve U.S. Interests
And why there’s less to Beijing’s diplomatic breakthrough than meets the eye.