One of the most crucial missions entrusted to intelligence services in the fight against jihadist terrorism is carried out on the Internet. The way in which this mission has been undertaken is one of the least-known facets of the war on terrorism. In stark contrast to the intense public scrutiny received by covert programmes such as leadership decapitation operations by armed drones and other interventions using paramilitary forces, anti-terrorist operations in cyberspace continue to be a little-known dimension. Actions have been conducted covertly for much of the time and the lack of transparency can be explained by concern over the need to protect the procedures used. The operations draw on the same resources and knowledge that facilitate cyber-intelligence operations against state actors. Those involved have taken the view that providing information on such interventions poses a risk that sensitive procedures would be revealed. Moreover, the information could be used by state adversaries to thwart active intelligence operations. However, the rise of the Islamic State and its territorial expansion in Syria and Iraq resulted in a noticeable opening up of information of this nature. By way of example, the need to convince public opinion that all available means were being used led the United States Cyber Command to acknowledge publicly for the first time that it was conducting offensive operations in cyberspace to combat Islamic State.
In this Insight, I will show that despite the heterogeneous nature of the intelligence operations devised and executed by intelligence community actors, a common factor of all the actions is the attempt to foster mistrust in radical communities on the Internet with the aim of diminishing the benefit of terrorists’ use of the Internet. The combination of cyberattacks and psychological operations by state actors has achieved considerable success in reducing terrorist activities on the Internet and undermining the effectiveness of propaganda initiatives by jihadist groups.
Gathering vs. Elimination
One of the main difficulties faced when attempting to systematise the logic underlying intelligence operations against terrorists’ presence on the Internet is the contradictory approaches of different intelligence bodies. On one side are actors who have identified terrorist actions in cyberspace as a clear opportunity to obtain information to guide repressive actions in physical space. Under this view, even if the virtual presence does have pernicious effects in assisting violent radicalisation, monitoring can offer an irreplaceable opportunity not just to identify terrorist actors who would otherwise be difficult to locate but also to inform the analysis of the tactical and strategic evolution of the phenomenon.
There is, however, another perspective which views the costs associated with terrorist activities on the Internet as outweighing the benefits of monitoring for intelligence purposes. The uninterrupted operation of websites, forums and social media profiles enhances the threat, leading to more frequent – and more lethal – terrorist attacks. The primary approach should be to harness existing cyber-resources to dismantle this infrastructure and thus contribute to the objective of hampering terrorists’ use of information technologies as a force multiplier.
The debates on the appropriateness, or not, of acting against such websites triggered some of the most heated and prolonged inter-agency clashes in the United States’ intelligence community since 9/11. Given that it proved impossible to resolve the debate, a third approach was devised that largely satisfied supporters of each view: the implementation of intelligence operations to sabotage terrorist activity on the Internet. These actions were not designed to eliminate the virtual spaces used for terrorist actions (thus ensuring that the means used to gather intelligence were not put at risk) but rather to erode terrorists’ trust in these spaces and therefore reduce the utility of cyberspace for terrorists.
Honeypots and Sabotage
One of the first actions undertaken by intelligence services to infiltrate jihadist networks operating on the Internet was to extend to cyberspace a classic espionage tradecraft practice: honeypots. These helped entice the target to a space whose external characteristics and manner of operation suggested it was part of the jihadist sub-culture when it was in fact controlled covertly by an intelligence service or an external collaborator of a service.
Such ‘deceptive mimicry’ is far from easy: generating an external appearance and content that replicates the visual and discursive characteristics of the radical sub-culture is insufficient. Some form of guarantee of authenticity, such as original content, is also required. Despite facing serious difficulties, some of these operations successfully fool targeted users for considerable periods.
This ploy is not just designed to gather data generated by users who visit and interact with the sites; it also offers the possibility to subtly influence the relations of trust that underpin such virtual communities. Website and forum administrator privileges allow administrators to exploit the content of such spaces, opening up a wide range of possibilities for manipulation of user discourses and relationships.
In addition to the immediate benefit derived from initiatives of this kind, mere suspicion of the existence of such traps has detrimental effects on online jihadist communities. Honeypots raise the level of suspicion among cyber-activists to such a degree that paralysis can set in; the disruptive effect of such actions led some influential jihadist ideologues to acknowledge that forums had not developed their full potential. Honeypots have contaminated the activity of legitimate forums, forcing them to limit their content to registered users and introduce much stricter monitoring and permanent censorship to avoid the ‘provocations’ of intelligence services. All these self-protection measures undermined the dynamism of the interchange on these platforms and caused user numbers to fall.
The portfolio of actions designed to sow mistrust includes interventions aimed at causing technical disruption to the infrastructures that support the virtual community. The ultimate aim is not so much to deny jihadists access to certain services but to fuel user suspicion through specific incidents. To do so, selective acts of sabotage are carried out to cause disruption, which is interpreted by users as a sign that the services are no longer secure due to enemy infiltration.
One senior British military figure has admitted, for example, that operations of this kind, which caused the laptops and mobile phones used by jihadists for coordination purposes to malfunction, made the fighters feel so cut off and isolated that they simply dumped their weapons and left the battlefield.
A similar motive lay behind Operation Glowing Symphony, the cyber-sabotage campaign launched in 2016 by the US Army Cyber-Command in cooperation with the National Security Agency (NSA). According to the heads of the operation, the aim was to add a “psychological component” to the cyber-harassment operations conducted in the past. Actions to degrade communications infrastructures, such as the erasure of content from servers used by terrorists, or the deletion of accounts used to manage and coordinate their propaganda apparatus, were supplemented by a more ‘creative’ phase. The operation heads reported that following months of suffering such effects, Islamic State propagandists began to grow frustrated and view each other with mistrust, resulting in some IS media operations not being reinstated following sabotage.
Evaluating the results of more than two decades of operations is far from easy due to the very limited information available. The little information that does exist tends to originate from deliberate leaks to the media, resulting in a bias towards details that the intelligence services were actively seeking to divulge. With rare exceptions, the accounts provided by those responsible are usually triumphalist, and overstate the impact of the operations on terrorist networks. Information tends not to be forthcoming from the victims of the interventions either. As a means of deflecting responsibility for their own mistakes, cyber-jihadists often magnify the scope and capabilities of the enemy. Enemy actions become the primary reason used to explain almost any phenomenon causing confusion.
Despite the aforementioned paucity of information, it can be said that intelligence operations have considerably diminished the benefits of the Internet for terrorists. Firstly, it is apparent that external interference has gradually eroded the utility of certain propaganda initiatives. An example of this is online discussion forums: these points of contact and socialisation were once instrumental in creating a global community comprising thousands of activists but have now become marginal spaces with negligible influence. Due to their users’ belief that they were operating in unsafe and spy-ridden spaces, forums lost part of their potential as tools for radicalisation and communication among strangers. A key role in triggering this perception has been played by intelligence operations such as those outlined here, many of which were deliberately intended to be provocative.
Secondly, the harmful effects of intelligence operations also extend to the supply side. Private conversations between those operating within such spaces clearly evidence the impacts of sabotage on morale, with some confessing to being “tired” or “psychologically depressed.”
Although the definitive history of intelligence operations against the presence of jihadist terrorism on the Internet can only be written when the records of the organisations concerned are declassified, it is possible to state tentatively that the cumulative effect of such actions has played a key role in reducing the benefit derived by these groups and individuals from their use of the Internet.