Top Secret documents show Cyber Command’s growing pains in its mission against ISIS

U.S. government documents made public Tuesday show that while a U.S. Cyber Command operation that disrupted ISIS computer networks was largely successful, there were significant shortcomings, including operators having trouble collecting data, interagency deconfliction issues, difficulty vetting targets, and, in at least one case, a close call with the operation being discovered by the adversary.

The documents, shared with CyberScoop via George Washington University’s National Security Archive, show how the command has faced significant internal hurdles as Pentagon leadership has pushed Cyber Command to grow into a well-respected force since its creation in 2009. They include briefings on how Cyber Command measured the effectiveness of Operation Glowing Symphony, a mission carried out in 2016 that was meant to isolate and destroy ISIS networks used to spread the terrorist group’s propaganda.

The documents show the gaps needed for the U.S. government to scale and expand its offensive cyber missions beyond ISIS to countering other adversaries like Russia, Iran, China, and North Korea.

Some of those projects have already begun. U.S. officials, including National Security Agency Director Gen. Paul Nakasone, who previously stood at the helm of Glowing Symphony, have said the operation provided a road map for other task forces that have been created to counter other adversaries, including the Internet Research Agency (IRA), the Russian troll farm that has interfered in U.S. elections.

However, the documents show that simple technical issues such as data storage, or the speed by which other agencies weighed in on the mission, hindered Glowing Symphony as it was being carried out.

Cyber Command did not return a request for comment.

Unexpected data and adversaries

According to the documents, Cyber Command was simply not prepared to handle the amount of data it had collected in conjunction with Glowing Symphony. The command did not have the capability to handle the terabytes of data that it collected, despite the fact that operation had planned to pull data once it had infiltrated ISIS-used servers and use it to further the mission.

“OGS plans factored the possibility of adversary data recovery and acknowledged the need for exploiting that data,” the documents said. “[P]olicies are needed for handling procedures for captured data,” adding that the Command’s Capabilities Development Group should work on “developing USCYBERCOM data storage solutions.”

Additionally, a Cyber Command briefer notes an “opportunity” that ISIS may have taken advantage of while the operation was being carried out. The section is heavily redacted, but the briefing indicates operators may have run the risk of impacting critical infrastructure or using a hacking capability that could have been discovered by ISIS members.

The interaction gave Cyber Command some trepidation in exploiting critical networks, according to the documents.

“USCYBERCOM continues to analyze reporting to codify the degree to which the adversary exploited this opportunity,” the memo notes. “Should follow-on operations propose more invasive tactics and/or utilize more sophisticated capabilities, it would be ill-advised to risk critical infrastructure and/or capabilities unnecessarily.”

Interagency process poses problems

The documents reveal broader issues Cyber Command has had with other portions of the U.S. government, slowing down the processes by which the command could carry out its orders.

“Interagency policies and processes are not established to meet the demand for speed, scale, and scope required for effective cyberspace operations,” the documents say.

Beyond working with coalition partners, the Department of Justice, FBI, CIA, NSA, and other members of the U.S. government were involved in coordinating Glowing Symphony, according to the documents.

One briefing said the process for vetting the operation’s targets was too “lengthy and difficult.” One briefer bluntly noted that the deconfliction processes — which allows other government agencies or councils check to make sure Cyber Command’s campaigns didn’t negate other government operations — “were too immature to execute.”

In one case, deliberations in the National Security Council Principals Committee, or Cabinet-level meetings, took so long that they delayed some Glowing Symphony missions, possibly to the detriment of the operation’s goals.

“The time required to elevate and negotiate the Interagency non-concurs prevented USCYBERCOM from [redacted] as originally designed,” one briefing document says.

Throughout Glowing Symphony, Cyber Command frequently butted heads with the intelligence community given that Cyber Command’s task — disrupt or destroy ISIS infrastructure — ran contrary with the intelligence community’s mission of gathering information, according to former Secretary of Defense Ash Carter.

Carter has previously alluded to issues within Cyber Command’s efforts against ISIS.

“I was largely disappointed in Cyber Command’s effectiveness against ISIS. It never really produced any effective cyber weapons or techniques,” Carter wrote in a 2017 blog for Harvard Kennedy School’s Belfer Center for Science and International Affairs. “When CYBERCOM did produce something useful, the intelligence community tended to delay or try to prevent its use, claiming cyber operations would hinder intelligence collection.”

Since the height of the operation, U.S. Cyber Command has changed its interagency processes. The biggest changed occurred in 2018 when the National Security Council rescinded Presidential Policy Directive 20, an important policy memorandum that guided the approval process for government-backed cyberattacks. The Trump administration replaced PPD-20 with National Security Presidential Memorandum 13, a revamped policy framework that officials have said is much quicker than its predecessor and has yielded “operational success.”