CLC #002: Cyber Letters of Marque for Counter-ISIL Cyber Operations
The Cyber Lunarium Commission was established to propose novel approaches to United States cyber strategy grounded in technical and operational realities. The commissioners of the CLC “moonlight” in cyber policy, drawing upon their experiences in government, military, industry, and academia.
The Cyber Lunarium Commission can be reached at email@example.com and followed at @CyberLunarium. We welcome questions and feedback about our work.
The United States has conducted successful cyber operations against ISIL with US Cyber Command’s Operation GLOWING SYMPHONY. It’s time to take this mission into ready private sector hands, so that United States Cyber Command (USCC) can focus on more sophisticated operations. Building upon the concept of cyber letters of marque (CLoM) discussed in the Cyber Lunarium’s first report CLC#001 The Case for Cyber Letters of Marque and subsequent FAQ, this report explores how CLoMs could be used in counter-ISIL cyber operations.
ISIL's Cyber Operations
The Islamic State of Iraq and the Levant (ISIL, a.k.a. ISIS) has taken advantage of cyberspace more than any previous terrorist organization. It has done so in three primary ways: online messaging, development of communication infrastructure, and participation in minor cyber attacks. ISIL frequently uses social media to spread propaganda (including infamous beheading videos) and operate recruitment programs. The group’s communication infrastructure consists of networks of decentralized nodes, allowing recruits to participate in operations and share anti-surveillance advice with each other. ISIL’s actual operations in cyberspace, while not nearly as damaging as many state-sponsored attacks, can still threaten US national security. The group has taken credit for multiple defacements and the takeover of USCENTCOM’s social media account in 2015. Members of the ISIL-affiliated “United Cyber Caliphate” have been arrested for publishing “kill lists” that doxed US service members.
ISIL’s use of cyberspace can also be its downfall. Through Operation GLOWING SYMPHONY, USCC demonstrated that ISIL’s primary media dissemination arms could be shut down effectively through offensive cyber operations. After the success of GLOWING SYMPHONY, it is clear that ISIL can be disrupted in cyberspace, and can be attacked with fairly limited risk of retaliation.
Why Counter-ISIL Operations?
Counter-ISIL cyber operations are an ideal first target for experimenting with cyber letters of marque holders for four primary reasons:
1) CLoM operations against ISIS can free up USCC resources
As geopolitical trends shift, and great power conflict becomes a more pressing issue than counter-terrorism, USCC will need to engage more challenging adversaries than the relatively primitive ISIL.
Operation GLOWING SYMPHONY took on ISIL’s internet and media operations in the “most complex offensive cyberspace operation USCYBERCOM has conducted to date.” While this was undoubtedly an important mission, continuing to have USCC fight a relatively unsophisticated cyber adversary in the future will in many ways be overkill - reminiscent of President George W. Bush’s remarks early in the Global War on Terror about not wanting to “fire a $2m missile at a $10 empty tent and hit a camel in the butt.”
Following the success of GLOWING SYMPHONY, private sector operators could continue to provide intelligence support to counter-ISIL operations as well as carry out limited offensive operations. Externalizing operations to CLoM holders can allow USCC to focus on much-needed training and equipping activities. Just as taking on ISIL allowed USCC to experiment with its capabilities, allowing CLoM operators to take over this mission could serve as a test of the CLoM concept.
2) ISIL is a relatively uncontroversial and low risk target
The United States is already engaged in armed conflict against ISIL, and members of ISIL have violated US law and threatened US national security. In terms of authorities, the use of CLoMs more closely matches proportional retaliatory action than the use of military force.
Based on previous ISIL-attributed cyber attacks, the group currently does not have the ability to retaliate effectively in cyberspace. While ISIL can retaliate in other ways (i.e. through kinetic acts of terrorism), it already does so frequently as part of normal operations - the very point of offensive cyber operations against the group would be to disrupt this capability.
ISIL also likely does not have the counterintelligence capabilities of advanced adversary states that make cyber operations risky - e.g., the ability to detect operations and remediate them, identify specific actors conducting operations, or retaliate on-or-off net. The group’s status on designated terrorist organization lists further cements its inability to procure defensive technology or training that could be used to develop these capabilities.
Politically, counter-ISIL cyber operations are likely to be relatively non-controversial - the group is not recognized internationally as an actual “state” and is almost universally condemned on the global stage. Further, targeting ISIL, as a non-state terrorist group, sidesteps the legal complexity that other types of non-state targeting could present - e.g., cyber actions against foreign corporations which benefit from cyber-enabled economic espionage, etc.
3) The private sector can target ISIL using innovative operating concepts unlikely to be developed in traditional government contexts
In the counter-ISIL context, CLoMs could be employed to extend authorities for operations to private operators acting as force multipliers. A variety of concepts of operations are possible - including many not explicitly laid out here which the innovation of the private sector could develop.
The US government could allow already-existing non-government employees to place “hands-on-keyboard” during military cyber operations while otherwise operating in government spaces and with government tools. Alternatively, allowing contractors to conduct cyber operations semi-autonomously with targets and tools developed in-house is also a possibility. In both of these cases, CLoM operators would not “own” the counter-ISIL cyber mission, but instead carry out operations under the supervision of both Congress and pertinent agencies.
In even simpler operations, “access-as-a-service” (as explored in CLC#001) could be offered to target ISIL devices - CLoM holders would simply gain initial footholds on ISIL machines (e.g., through 0day/nday exploitation, phishing, or other concepts) before handing compromised devices off to government operators. In these operations, payment would be based on simply obtaining access.
CLoM holders could also be commissioned to conduct less forward-leaning operations, such as simply providing government operators with network topology information, intelligence about attack surface (open ports, applications, etc), or validated selectors for targeting (both at a network level and in terms of digital identities on forums, social media, etc).
4) CLoMs that target ISIL can give the private sector a way to hack ISIL legally, and allow the US government to leverage talent
Due to the inherently clandestine nature of cyberspace operations, multiple government-sponsored actors (or even non-state actors) can sometimes target the same devices or individuals. This occasionally culminates in two distinct cyber actors (even from the same country) unknowingly sabotaging each other’s operations. During Operation GLOWING SYMPHONY, members of hacktivist organization Anonymous accidentally did just that. Anonymous’ operation “#OpISIS” resulted in the doxing and shutdown of hundreds of ISIL social media accounts and websites. This activist activity allegedly impeded US government intelligence collection efforts for Operation GLOWING SYMPHONY.
Publicly designating ISIL as a target for CLoM operations would signal to the public that the US is targeting ISIL organizations, and that CLoM holding organizations would also be able to participate. Ideally, this would incentivize individuals interested in targeting ISIL to join a CLoM holding organization or start their own, increasing the number of possible anti-ISIL operations coordinated by the US government. Companies holding CLoMs could tap into unique talent pools not accessible to the US government as well, bringing additional skilled individuals to the US mission.
Concepts of Operations
On the technical front, ISIL targets should be fairly easy to track and compromise - i.e., a mix of outdated Android phones, legacy Windows computers, web apps, and mainstream security applications (browsers, VPNs, messaging apps, etc). Operations would likely not be challenged by modern technology security features, complex large-scale network devices, or difficult-to-navigate cloud architectures. Operations could be conducted with a mix of publicly available tools and low-cost bespoke tools developed by CLoM holders.
In order to assure adherence to legal targeting against adversary combatants, Executive Branch agencies of the US government (e.g. DoD, CIA, NSA, etc) could issue targeting legality determinations. Other targeting information could also be conveyed to CLoM holders through these relationships - e.g., designating certain devices which should not be targeted in order to not disrupt ongoing USG-administered operations.
Though defeating ISIL is a core part of US national strategy, the group is not a “hard target” for cyber operations. Such a target can provide a demonstrable testing ground for unleashing the power of the US industrial base against an opponent, while building the governance necessary to scale operations to other niche targets.
Following this report, CLC#003 will expand upon the access-as-a-service concept discussed in this piece and CLC#001, with a focus on IoT access-as-a-service offerings.