The war against Islamic State will be won — or lost — on the cyber battlefield
President Trump and Secretary of Defense James N. Mattis should be congratulated for contributing to the steady decline of Islamic State’s territorial claims.
Several years ago, in October 2014, Islamic State controlled land from central Syria to the fringe of Baghdad — territory that included large key cities such as Mosul, Fallujah and Tikrit in Iraq and Raqqah in Syria. Today, it controls only a sparsely populated chunk of desert on both sides of the Iraq-Syria border.
Its shrinking territory notwithstanding, Islamic State continues to fly a black flag of aggression rather than a white flag of surrender. It flies this flag most effectively online, using the internet to promote warped religious views, recruit fighters, inspire deadly acts of terrorism and encourage disruption and chaos.
The battle against Islamic State will not be won until it is defeated in the cyber arena. The acting director of intelligence at the National Counterterrorism Center, Lora Shiao, acknowledged this in early December when she testified before the Senate: “We don’t see ISIS’ loss of territory translating into a corresponding reduction in its ability to inspire attacks.”
Building the capacity to inflict cyber destruction requires tools that are far easier to obtain than other forms of WMD.
To beat back Islamic State’s virtual caliphate, the U.S. and its allies must develop two separate but interlinked strategies.
The first must focus on defeating Islamic State’s online propaganda and recruitment operations, including its use of the internet to instigate attacks in the physical world.
As Andrew Byers and Tara Mooney wrote recently in Foreign Affairs, this will require close coordination and information-sharing across U.S. governmental agencies, including the National Security Agency, Cyber Command, the National Counterterrorism Center, the CIA and other components of the Department of Defense. Countering Islamic State’s propaganda will require particular creativity — and experts with language and dialect fluency, sophisticated cultural awareness and social media savvy.
It will also require cooperation from the private sector. In some respects, such cooperation has already begun, with Facebook and Twitter removing Islamic State material and deleting related accounts. But tech companies will need to go further and share information about accounts that disseminate Islamic State propaganda. In return, the government needs to make educational resources and training available to tech companies, allowing them to better police hateful and dangerous messages.
The second strategy must focus on Islamic State’s ability to carry out actual cyberattacks on network infrastructures.
Last June, an Islamic State sympathizer group called Team System Dz hacked Ohio Gov. John Kasich’s website to display the message, “I love the Islamic State . . . . You will be held accountable Trump, you and all your people for every drop of blood flowing in Muslim countries.”
In November, Swedish radio stations were reportedly hacked to play a song, “For the Sake of Allah,” that encourages people to join Islamic State.
Some analysts describe these events as a form of cyber graffiti and dismiss the notion that Islamic State has the capacity to wreak real havoc online. The problem with this view is that it risks assuming past performance is an indicator of future capability.
Islamic State wants to see our destruction, and the world has paid a deadly price for assuming it was the terrorist equivalent of a junior varsity team.
While Islamic State and its adherents may not possess the cyber sophistication of North Korea or Russia, building the capacity to inflict cyber destruction requires tools that are far easier to obtain — and more difficult for intelligence agencies to trace — than other forms of WMD.
When an enemy wants your defeat, you have to assume they will find the means to achieve it. The U.S. needs to actively monitor, identify and prevent attempts by Islamic State to use cyber tools to cause harm.
While the two strategies address different risks, they reinforce each other. Disrupting Islamic State’s recruiting and propaganda efforts will work to block its access to human expertise, capital and cyber tools. Preventing cyberattacks by Islamic State limits its attractiveness to would-be followers. The failure to carry out either strategy could be devastating.
Matthew R. A. Heiman is a visiting fellow with the National Security Institute at George Mason University’s Antonin Scalia Law School. He served as an attorney with the national security division of the Department of Justice and as a legal adviser to the Coalition Provisional Authority in Iraq.
to continue reading