Pentagon officials have publicly said, in recent weeks, that they’re hitting ISIS not only with bullets and bombs but also with cyberoffensive operations. “We are dropping cyberbombs,” Robert Work, deputy secretary of defense, is quoted as proclaiming in Monday’s New York Times. Similar, if less colorful, statements have been made by Secretary of Defense Ash Carter and,a week ago, President Obama.
What does it mean? And what effects are these new weapons having on the overall war? After dropping his “cyberbombs” bombshell, Work said, “We have never done that before.” But in fact, the United States has done it before, against Iraqi insurgents, including al-Qaida fighters, back in 2007. And, as I discovered while researching my book Dark Territory: The Secret History of Cyber War, the effects were devastating.
Standard accounts have credited President George W. Bush’s troop surge and Gen. David Petraeus’ counterinsurgency strategy for turning the Iraq conflict in the coalition’s favor in 2007. These accounts aren’t wrong, as far as they go, but they leave out another crucial factor—cyberoffensive warfare, as conducted by the Joint Special Operations Command and the National Security Agency.
A few years earlier, JSOC started capturing insurgents’ computers and sending them to Fort Meade, Maryland, where NSA analysts hacked into the machines and unearthed passwords, email lists, cellphone numbers—the stuff of a modern spymaster’s dream. (Eventually, the NSA set up a center inside Iraq: Over the next few years, 6,000 analysts were rotated through; of them, 22 were killed by roadside bombs while out on computer-capturing missions.) Once skilled hackers burrow into a network, not only can they intercept what’s being heard, seen, or read—they can also distort, disrupt, or destroy it.
In 2006, a plan was put together: NSA linguists, using an insurgent commander’s username, would send phony emails to his fighters, suggesting that they all meet at a certain place, date, and time. Lying in wait would be a team of JSOC soldiers, who would kill the assembled insurgents.
President Bush approved the plan on May 16, 2007. (All cyberoffensive operations required—and still do require—presidential approval.) Through the remainder of the year, these operations killed nearly 4,000 Iraqi insurgents.
Not only did the operation wipe out whole cadres of jihadi fighters, it also messed with the minds of their surviving comrades and commanders. They could no longer be sure whether messages they’d sent were getting where they should go—or whether messages they received were genuine or traps. They could no longer trust anything they saw, heard, or read; they could no longer trust one another. Command and control fell apart.
The concept was nothing new. As far back as Roman times, armies intercepted enemy communications. In the American Civil War, Union and Confederate generals used the new telegraph machines to send false orders to the enemy. Most famously, during World War II, British and American cryptologists broke German and Japanese codes, a crucial ingredient (kept secret for many years after) in the Allied victory.
The NSA got deeply into this game—not just monitoring but messing with enemy communications—in the late 1970s, when William Perry, then the Pentagon’s chief scientist (and later a secretary of defense), called the strategy “counter command-control warfare.” In the 1990s, the NSA director, Adm. Mike McConnell, watched the movie Sneakers (in which an evil genius, played by Ben Kingsley, says, “There’s a war out there … and it’s not about who’s got the most bullets, it’s about who controls the information: what we see and hear, how we work, what we think”) and renamed the strategy “information warfare.” A few years later, a fan of William Gibson’s Neuromancer (in which the term cyberspace first appeared) called it cyberwar—which, at least so far, has stuck.
I don’t know exactly what cyberoffensive operations President Obama has approved in the fight against ISIS, and I don’t want to know. But it’s worth noting that there is a branch of the military called U.S. Cyber Command. It’s the fastest growing command, with an annual budget of $7 billion and rising. It attracts the smartest cadets from the service academies. It’s based in Fort Meade and, by statute, is commanded by the same four-star general or admiral who directs the NSA. It has personnel stationed in all the other combatant commands, including U.S. Central Command, which covers military operations in the Middle East, South Asia, and North Africa.
If Cyber Command isn’t doing to ISIS something like what NSA and JSOC did to Iraqi insurgents in 2007, it wouldn’t merely be a surprise; it would be a national-security scandal.