Washington, D.C., August 13, 2018 – U.S. Cyber Command’s strategy for curtailing ISIL’s ability to exploit the internet may at least partially be paying off, according to an analysis of recently declassified documents posted today by the nongovernmental National Security Archive.

The new documents, obtained under the Freedom of Information Act (FOIA) by Motherboard and the Archive, center around Operation GLOWING SYMPHONY, a USCYBERCOM activity authorized in late 2016 to deny the Islamic State use of the internet.

Correlating new information in the records with the results of public academic research allows for at least a partial, preliminary judgment about the operation’s success. Notably, research from the George Washington University Program on Extremism shows a sizable downtick in ISIL’s use of social media that tracks with the timing of GLOWING SYMPHONY’s launch.

While substantially redacted, the records offer other research benefits. For instance, they make it possible to trace the evolution of the mission from broad concept to a complete plan of operations and authorization. One overarching conclusion from this is that cyber may not be revolutionizing operational planning as much as is often assumed.

At the same time, the execution and impact of counter-terror operations in cyberspace, as evidenced in these documents, speak to the ways cyber is changing both how terrorist groups conduct global operations and how sophisticated responses are becoming more lethal by integrating cyber with precision-strike tactics.



Joint Task Force ARES and Operation GLOWING SYMPHONY: Cyber Command’s Internet War Against ISIL

By Michael Martelle

In April 2017 USSTRATCOM released partially redacted versions of Task Order 16-0063 and Fragmentary Orders 01 and 02, dating from May through June 2016, which ordered the establishment of a task force to counter ISIL in cyberspace. The declassifications were in response to a Freedom of Information Act (FOIA) request by the National Security Archive’s Cyber Vault prompted by a July 15, 2016 Washington Post report by Ellen Nakashima and Missy Ryan. The references in this TASKORD informed follow-on FOIA requests, which produced a Mission Analysis Brief. These documents provide a small look into how the United States Military organizes capabilities for offensive cyber missions.

Our earlier analysis of the TASKORD in particular highlights the following insights:

The mission guiding the formation of JTF-Ares aligns with the fourth strategic goal in the Department of Defense’s Cyber Strategy to “build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages. […] If directed, DoD should be able to use cyber operations to disrupt an adversary’s command and control networks, military-related critical infrastructure, and weapons capabilities.”

Cyberspace operators were tasked with coordinating not only with each other, but also with units acting in other domains (including locating targets for “lethal fires”) as well as intelligence agencies.

Command and control of JTF-Ares was given to the commander of Cyber Command instead of Central Command or even Operation Inherent Resolve. This suggests that JTF-Ares has the capacity to operate globally against ISIL.

Further reporting by Nakashima in May 2017 shed light on the operation assigned to JTF-Ares, named Operation GLOWING SYMPHONY, which confirmed our analysis that JTF-Ares was operating globally both in and beyond the Iraq/Syria area of operations (AO). Nakashima’s report revealed that the global nature of Operation GLOWING SYMPHONY had presented political issues for policymakers in cases where ISIL content and capabilities resided or depended on infrastructure in a number of countries including US allies.

The definitional distinction between a task force and an operation is key to understanding the continuity of these documents. A Task Force is a component, or collection of units, within a force organized for a specific task or tasks. A Joint Task Force is a task force drawn from multiple military branches. While it is usually purpose-built, it does not in and of itself include authorization for action.

An Operation is a series of actions organized around a unified purpose or mission.

The revelation of Operation GLOWING SYMPHONY led to a series of FOIA campaigns, the first success of which was released by Joseph Cox of Motherboard. These documents have been added to the Cyber Vault, and together with the previous releases on JTF-Ares they paint a more complete picture of the US Military planning process as it relates to cyber operations.

Today’s posting will use these documents to guide readers through the Joint Planning Process from broad mission concept to the formation of the joint task force to an actionable operation plan and order.

The following section presents a Timeline of the documents that have recently been made public through FOIA. (The first two items on the list have been identified from footnotes in other records, and requests have been filed for their release.) Within the Timeline are descriptions of each document as well as excerpts of selected items. Clicking on the title of each record will access the entire document.

Timeline

Evaluating Operation GLOWING SYMPHONY

While there is very little data publicly available by which to judge Operation GLOWING SYMPHONY’s overall success or failure, a study of ISIL use of Twitter provides an intriguing correlation. Audrey Alexander, a researcher at the George Washington University Program on Extremism, tracks terrorist use of digital communications technologies. In 2017 Alexander published Digital Decay, an analysis of trends in English-language extremist activity on Twitter.

Her research showed a downward trend in activity from February 2016 through April 2017 that featured a boom-bust cycle up until November 2016 – when Operation GLOWING SYMPHONY was authorized. At this point activity dropped markedly and did not cycle back up.

Public understanding of the effectiveness of US cyber operations is hindered by secrecy; however, the public nature of social media allows researchers like Alexander to trace trends in ISIL activities online and gives us an idea of the efficacy of cyber warfare.

More difficult to observe is the impact of cyber operations focused on Iraq and Syria; however, isolated episodes have given a glimpse into the possibilities of cyber combined with kinetic counter-terror operations. Conflicting reports suggest ISIL hacker Junaid Hussain’s position was pinpointed when he either clicked on a malicious hyperlink or had his messages compromised before he was killed by a US drone as he left an internet café. More recently, US General Stephen Townsend described to military.com how cyber capabilities were used to interfere with communications from an ISIL headquarters in Iraq, forcing ISIL leadership to move to and reveal their backup command posts before kinetic strikes were ordered.

The planning process for Operation GLOWING SYMPHONY should look familiar to anyone acquainted with the military planning process, suggesting that cyber may not be revolutionizing the way the US military plans to fight wars as much as people may think. The execution and impact of counter-terror operations in cyberspace, however, speak to the ways cyber is changing both how terrorist groups conduct global operations and how developed, sophisticated military forces are increasing lethality by integrating cyber with precision-strike tactics.