At the end of February, Secretary of Defense Ashton Carter told a House subcommittee that U.S. Cyber Command (CYBERCOM) is conducting offensive operations against the Islamic State. This statement went viral. “Make no mistake,” Peter Singer of New America said, “this is a very big deal.” It signals a shift in the fight against the Islamic State and marks the first time the United States has acknowledged undertaking cyberattacks during armed conflict. CYBERCOM’s campaign makes real what was anticipated—the integration of offensive cyber capabilities in strategies and tactics for waging war.
Using cyberattacks against the Islamic State
CYBERCOM’s attacks have two targets: the Islamic State’s use of social media and its use of cyber means to engage in command, control, and communications in military operations. In terms of social media, the White House instructed the Department of Defense to use CYBERCOM’s capabilities against the Islamic State after the terrorist attacks in Paris and San Bernardino again highlighted how the Islamic State exploits social media to radicalize and recruit. Government and private-sector efforts to combat these activities, such as the Department of State’s counter-messaging campaigns, were not working—and foreign fighters continued to join the Islamic State.
With mobilization of the .gov and .com domains ineffective, the White House ordered CYBERCOM to degrade the Islamic State’s online presence. This move connects with other post-9/11 decisions that elevated the military’s and intelligence community’s roles in counterterrorism when law enforcement and diplomatic efforts proved inadequate. The conclusion that military cyberattacks are needed to address terrorist use of social media is unprecedented and unanticipated—degrading Twitter-enabled terrorism was not on CYBERCOM’s agenda when it was established.
The second target involves missions CYBERCOM was built to accomplish—disrupting an adversary’s capabilities during armed conflict. CYBERCOM is attacking the Islamic State’s ability to command its forces in the field, control their tactical movements, and communicate with fighters during military operations. Such disruption is coordinated with air strikes, special forces operations, and ground attacks to isolate and defeat Islamic State forces. CYBERCOM attacks reportedly contributed to the recapture of Shaddadi by Syrian rebels in February. The campaign to re-take Mosul also involves CYBERCOM attacks. These activities mark the first time the United States has integrated offensive attacks by CYBERCOM in fighting an armed conflict.
Using cyberspace to wage war
Reactions to CYBERCOM’s offensive often emphasized this development is seminal for reasons beyond the conflict with the Islamic State. For starters, it demonstrates that CYBERCOM has transitioned from a predominantly defensive focus to “full spectrum” capabilities, which makes CYBERCOM more potent for military operations. CYBERCOM was designed to have these capabilities, but, with CYBERCOM’s offensive mission now operational, the United States has crossed into uncharted territory in the history of war.
Crossing this line means the United States has resolved issues that informed earlier decisions not to use cyberattacks in armed conflict. During the Libyan air campaign in 2011, the Obama administration considered cyberattacks on Libyan air defense systems, but decided against them for various reasons, including legal concerns. The Obama administration now believes the domestic and international legal authority it claims to wage war on the Islamic State permits the cyber offensive.
Similarly, the law of armed conflict guides the United States in fighting the Islamic State, meaning the U.S. government believes CYBERCOM’s attacks comply with it. Although the United States has long held the law of armed conflict applies to military cyber operations, CYBERCOM’s attacks represent the first large-scale cyber campaign the United States has vetted and conducted under the laws of war. By generating supportive state practice in an actual conflict, this precedent strengthens the U.S. position that the law of armed conflict applies in cyberspace and makes China’s reluctance to agree with this position harder to sustain.
The disclosure also suggests the Obama administration is signalling to foreign actors beyond the Islamic State. This transparency contrasts with its reluctance to acknowledge drone attacks against terrorists. The administration has been more transparent in the cyber context to achieve certain ends, such as developing cyber deterrence. Deterrence requires credible military capabilities and the willingness to use them. Letting the world know about CYBERCOM’s campaign provides evidence of both.
CYBERCOM’s attacks confirm what many expected—governments would develop cyber weapons, incorporate them into military power, and use them with other weapons in war. Discussion of cyber elements of "hybrid warfare" pointed in the same direction. This trajectory now accelerates and, among other things, reinforces the need to address weaknesses in public- and private-sector cyber defenses.
In reflecting on the CYBERCOM disclosure, Alan Paller of the SANS Institute observed, “No military campaign in the future will be fought without a cyber component.” We knew this moment would arrive and that when it did we would thereafter encounter the digital fog of war.