Washington D.C., January 21, 2020 - Today the National Security Archive is releasing 6 USCYBERCOM documents obtained through FOIA which shed new light on the campaign to counter ISIS in cyberspace. These documents, ranging from a discussion of assessment frameworks to the 120-day assessment of Operation GLOWING SYMPHONY, reveal the unprecedented complexity of the operation, resulting challenges in coordination and deconfliction, and assessments of effectiveness.

Background

In August of 2018 the National Security Archive combined FOIA released documents we had received with those from Motherboard to produce an in-depth timeline of the formation of JTF-ARES and the planning behind Operation GLOWING SYMPHONY. These documents represent the first time the US Government has officially acknowledged offensive cyber operations. The mission assigned to JTF-ARES was to counter ISIS actions in cyberspace while Operation GLOWING SYMPHONY specifically targeted ISIS use of social media and internet propaganda. JTF-ARES functions also encompass support to kinetic battlefield operations, a role which remains almost entirely classified.

While the documents used in the 2018 timeline went into great depth on the planning process, questions remained as to how the experience impacted broader USCYBERCOM operations. Some clues were released in the following years.

In an August 2019 interview with NPR’s Dina Temple-Raston, General Paul Nakasone (Director of the NSA, Commander of USCYBERCOM, and original commander of JTF-ARES) revealed that the counter-ISIS campaign was informing how the US approached conflict in cyberspace. As Nakasone’s commands formulated their response to Russian activity during the 2016 US election, they looked at JTF-ARES and, rather than work through the Joint Force Headquarters-Cyber assigned to support US European Command, elected to form another task force called the Russia Small Group. “So this concept of a task force lives on. A lot of that thinking came from what we were doing in 2016. It's powerful to bring a number of different elements of a team together and be able to form something very rapidly to address a threat.”

The counter-ISIS mission also informed how USCYBERCOM operated on a more tactical level. A September 2019 National Security Archive posting revealed internal discussions from late November 2018 spearheaded by the command’s Joint Intelligence Operations Center – Combat Targets Division regarding the applicability of the US Military’s Joint Targeting Doctrine to offensive cyber operations. The briefing slides concluded with a note to “Incorporate C-ISIL [counter-ISIL] lessons learned into doctrine”. General Nakasone’s comments linking JTF-ARES and the Russia Small Group as well as briefing slides connecting the counter-ISIS mission to internal discussions of targeting procedures speak to the significance of JTF-ARES and Operation GLOWING SYMPHONY within the United States’ cyber-warfighting community.

This significance is underlined by the decision to authorize a series of interviews with personnel involved with Operation GLOWING SYMPHONY. First, NPR published a feature as a part of its “I’ll Be Seeing You” series titled “How the US Hacked ISIS”, once again by Dina Temple-Raston. The piece relied heavily on a Marine, “Neil”, who came up with the concept for Operation GLOWING SYMPHONY. The popular cyber-security podcast Darknet Diaries then released an episode which also featured a Marine with a nearly identical account of planning the operation, presumably “Neil” this time going by “The Commander”. The NPR feature and Darknet Diaries episode provided details from the American side of the operation, and a subsequent Australian Broadcasting Corporation interview provided further information from the perspective of an operator from a Five Eyes partner. These interviews provide personal, anecdotal evaluations of the operation’s impact, but there had not yet been any public documentation of official assessments or after-action reviews.

Today the National Security Archive is releasing 6 USCYBERCOM documents obtained through FOIA which shed new light on Operation GLOWING SYMPHONY. These documents range from a discussion of assessment frameworks on the operation’s date of authorization, November 10, 2016, to the 120-day assessment of Operation GLOWING SYMPHONY on April 12, 2017. These documents reveal the unprecedented complexity of the operation, resulting challenges in coordination and deconfliction, and assessments of effectiveness.

“The Most Complex Offensive Cyberspace Operation USCYBERCOM Has Conducted to Date”

Figure 1: Document 5, USCYBERCOM 30-Day Assessment of Operation GLOWING SYMPHONY, Page 2

Operation GLOWING SYMPHONY was a watershed moment for USCYBERCOM due to an operational scope and complexity which forced evolutions in how the command conducted operations. This fact, which had been alluded to in previously secured documents on targeting, is repeatedly underlined in the USCYBERCOM 30-Day Assessment of Operation GLOWING SYMPHONY [document 5]. The Operation forced the maturation of processes related to target validation, operational deconfliction, and inter-agency coordination. It also revealed shortcoming’s in data exploitation capabilities.

The 120-Day Assessment [document 6] goes into further detail on challenges in exploiting data collected through Operation GLOWING SYMPHONY computer network exploitation. The assessment reveals that a key challenge to exploitation was storage of the data itself, an indication of the operation’s scope relative to USCYBERCOM’s capacity at the time.

Figure 2: Document 6, USCYBERCOM 120-Day Assessment of Operation GLOWING SYMPHONY, Page 20

The scope of the operation also challenged existing capabilities for performing Political Military Assessments on time-sensitive targets. This point made in the 30-Day Assessment [document 5] goes on to note that the challenge would need to be addressed in a permanent manner “given the likelihood that USCYBERCOM will be conducting more frequent and widely-scoped operations throughout the global internet infrastructure in the future”.

Figure 3: Document 5, USCYBERCOM 30-Day Assessment of Operation GLOWING SYMPHONY, Page 23

Playing with Others

Perhaps most importantly to the evolution of USCYBERCOM, Operation GLOWING SYMPHONY exercised the command’s ability to operate at scale while coordinating with combatant commanders, other US agencies, and coalition partners. One challenge reported in the 120-Day Review [document 6] was an extension of problems arising from targeting procedures, particularly in how targets are cleared for engagement.

Figure 4: Document 6, USCYBERCOM 120-Day Assessment of Operation GLOWING SYMPHONY, Page 20

When planning a kinetic strike, a commander must complete a formal process before nominating a target for attack, at which point the target is cleared for engagement. JTF-ARES operators, however, had to then complete their own vetting and deconfliction process once the Combatant Command formally designated a target for cyber-attack, presumably making it difficult to engage time-sensitive targets. This challenge was particularly salient due to concurrent combat operations in Mosul, which USCYBERCOM was supporting as well according to the 30-Day Review [document 5].

Figure 5: Document 5, USCYBERCOM 30-Day Assessment of Operation GLOWING SYMPHONY, Page 5

To facilitate rapid action and coalition deconfliction the J3 (Operations Officer) for Operation GLOWING SYMPHONY recommended in a November 22 After Action Review briefing [document 4] adopting procedures to pass “aim points” to coalition partners for engagement. The J3 noted questions as to whether partner deconfliction processes were up to the standards required by USCYBERCOM and how partner nations would then manage deconfliction with other US agencies.

Figure 6: Document 4, Operation GLOWING SYMPHONY J3 AAR Observations, Page 3

Coordinating with other US agencies had already been a challenge for USCYBERCOM. The 30-Day Review [document 5] reveals that when Operation GLOWING SYMPHONY went through the Joint Interagency Coordination process it was met several “non-concurs”. This resulted in a series of NSC Deputies Committee and Principles Committee meetings to adjust the plan for the operation before initiation. This delay and change to the operation design had an impact on effectiveness, though the exact impact is redacted from the release. May 2017 reporting by The Washington Post’s Ellen Nakashima revealed that GLOWING SYMPHONY triggered objections by the CIA, State Department, and FBI regarding operating in foreign countries without prior notification, and that these objections required weeks of NSC meeting to iron out.

Figure 7: Document 5, USCYBERCOM 30-Day Assessment of Operation GLOWING SYMPHONY, Page 17

Measuring Success

Success in Operation GLOWING SYMPHONY was assessed according to task accomplishment (whether elements of the operation are completed) and operational effectiveness (whether the operation has the impact desired). Almost immediately, nearly all indicators of task accomplishment were evaluated as “green”, or successful, leaving the question of operational effectiveness [document 1, page 2].

The 30-Day Assessment [document 5] provides the first indications of impact on ISIS media operations. The operation is assessed to have “imposed time and resource costs” by disrupting activities, leading USCYBERCOM to assess “that OGS successfully contested ISIL in the information domain”.

Figure 8: Document 5, USCYBERCOM 30-Day Assessment of Operation GLOWING SYMPHONY, Page 2

Making this evaluation presented challenges, however. Coordination was required before the start of the operation to allow intelligence agencies to prepare collection assets for gathering indicators of success for Operation GLOWING SYMPHONY [document 5, page 20]. Despite the high-priority placed on answering questions of effectiveness, the 30-Day Assessment reported difficulties in comprehensively assessing the overall impact to ISIS media.

Figure 9: Document 5, USCYBERCOM 30-Day Assessment of Operation GLOWING SYMPHONY, Page 7

Adversary Exploit

These new documents raise new questions for research, none more ominous than an observation made in this heavily-redacted section of the 120-Day Assessment.

Figure 10: Document 6, USCYBERCOM 120-Day Assessment of Operation GLOWING SYMPHONY, Page 15

The declassified fragments of this section allude to an “opportunity” exploited to an unknown degree by an “adversary”, possibly but not necessarily ISIS, that could require “more invasive tactics and/or utilize sophisticated capabilities” with the potential to “risk critical infrastructure and/or capabilities”. Given mention of a “plan and agreement”, it is conceivable that a coalition member or a non-coalition member party to an information sharing agreement leaked operational intelligence to a US “adversary”, but possibilities range from a minor difficulty in prosecuting certain targets to something as major as leakage of USCYBERCOM tools used during Operation GLOWING SYMPHONY.

Carrying Forward

Operation GLOWING SYMPHONY was originally approved for a 30-day window, but the a July 2017 General Administrative Message reported the operation’s extension to an unknown date. Whether the operation is currently ongoing or not, it is public knowledge that JTF-ARES continues to operate. It is also increasingly apparent that the counter-ISIS mission, JTF-ARES, and Operation GLOWING SYMPHONY are viewed within the US military’s cyber-warfighting community as not just a chapter in counter-terrorism and ‘low-intensity conflict’, but as demonstrations of the nation’s offensive cyber capability and a model for conducting an “American way” of cyber warfare.

The documents