Counterstrike: The Untold Story of America's Secret Campaign Against Al Qaeda (19 page)

*   *   *

It may seem surprising, but the cyberwar era began with America playing offense, not defense. In advance of the presidential order in March 2003 that sent American forces into Iraq to topple Saddam Hussein, American war planners proposed an opening salvo that would have given the invasion a true twenty-first-century capability. Before any bombs were dropped or artillery rounds fired, the military and its intelligence partners wanted to inject electronic poison pills into the Iraqi banking system. The plan was for massive computer network sabotage, a cyberattack to bring down Iraq’s financial infrastructure, freezing billions of dollars in Saddam Hussein’s official bank accounts and rendering him incapable of purchasing war supplies or paying his soldiers. “We knew we could pull it off,” said one senior official serving in the Pentagon at the time. “We had the tools.”

What would have been the most far-reaching cyberoffensive in history was questioned by Bush administration officials, who were unconvinced that the ripple effects—measured in economic collateral damage—could be contained inside Iraq. Given the linkages of the global economy, they feared that this cyberoffensive might spark worldwide financial havoc, starting in the Middle East and quickly spreading to Europe and even the United States. The plan was vetoed and never executed.

America’s enemies are free from such discipline and self-restraint, and do not worry about a risk-versus-revenge calculus in waging their war of violent religious extremism on the Internet. Terrorists have proven far more agile and effective than the United States in turning the global computer network into a powerful tool, and it is their medium of choice for fund-raising, recruiting, propaganda, tactical planning, and mission execution. “The Internet forum is the connective tissue of the global Jihad,” said one high-ranking intelligence officer. And American national security officials are poised for the day when terrorists use the Internet not just for communications, command, and control but for attack.

*   *   *

On Dolley Madison Boulevard in Langley, Virginia, a tree-lined throughway named for the First Lady who rescued presidential art, silver, and china along this evacuation route before the British burned the White House in 1814, the Central Intelligence Agency has surrendered its anonymity. A large sign points traffic toward the spy headquarters. A few miles farther up the road, in McLean, Virginia, sits the intelligence community’s newest addition, the National Counterterrorism Center. It remains under cover, blending successfully with dozens of high-rise office parks hosting defense contractors, insurance conglomerates, and accounting firms surrounding the Tysons Corner shopping complex. When officials talk about the NCTC site, they refer cryptically to “LX1,” in part for the letters and numeral shaped by the design of the office park when viewed via satellite image on Google Earth.

It was on September 30, 2005, a crisp autumn day, when General John Abizaid, the top officer of Central Command, showed up along with two other generals who ran Centcom’s directorates for operations and for intelligence and special operations. They were there to meet with Vice Admiral Scott Redd, the NCTC director, to make their case for what became known as “countering adversary use of the Internet,” a phrase used so often that it got its own alien-sounding cyberacronym: CAUI.

For more than two hours, the generals made their presentation to the admiral. It went beyond the usual discussions about terrorist fund-raising, recruiting, propaganda, and ideology over the Internet. The generals showed Admiral Redd that Al Qaeda’s own and affiliated Web sites were using coded messages woven into apparently innocuous transmissions, messages that could instruct operatives what to do and when. Militants could learn how American military convoys were organized and how they were vulnerable to IEDs. How to shoot a rocket-propelled grenade at just the right spot to take out a Humvee. How close you had to be, and at what angle, for a projectile to penetrate a soldier’s bulletproof vest. And then there were the beheadings and other torture porn, some even showing gruesome executions of Americans. Some Web sites offered recipes for poison and guidelines for handling toxic chemicals. Others had explosives manuals on offer—a few of them stolen straight from the American military’s training library. A quartet of Web sites had to be taken down, Abizaid argued, and immediately. These online offenders were known as “The Centcom Four.”

The problem was that the Internet service providers hosting the sites were not in Iraq or Afghanistan, war zones where the Americans had free rein to fight. The servers hosting some of the worst terrorist home pages were in Western Europe and Southeast Asia. Up to 80 percent of the militant sites had huge amounts of digital data and communications flowing through legitimate servers in the United States, many of which hosted millions of pages—too many for the operators of those servers to monitor. The question was how to deal with this problem. Military necessity had gotten out ahead of government policy. What authorities did the U.S. military have? What could be done?

“General Abizaid was the Centcom commander and he essentially felt like we were losing daily, not just the broader battle of ideas, but we were losing the information war in Iraq and Afghanistan because the way the terrorists dominate in either putting out beheadings or you just name it,” said a counterterrorism official involved in the discussions. “He essentially wanted to shut down some of the Internet sites, and in a sense we did not have the proper authorities to do that. So we had to work a plan to establish the authorities, have them granted, and then to devise a means that would get them past the attorney general and the Department of Justice that people could live with as far as our own freedoms as citizens.”

Looking back on his quandary, Abizaid observed in a 2010 interview that “this country, over its two-hundred-plus years of history, has been conditioned to fight wars against nation-states and to have a bureaucracy that’s designed to attack it from a nation-state perspective. In the Napoleonic period, you had two realms of war and they were land and sea; in World War I and World War II it becomes land, sea, and air; in the Cold War it becomes land, sea, air, space—and in this war it becomes land, sea, air, space, and cyberspace. In this war there is a reluctance to admit, even within the services, that cyberspace is a domain of war where you have to conduct defensive and offensive operations. Yet when you looked at the enemy, the enemy was moving in the cyberspace world in a way that allowed them to recruit, train, organize, equip, proselytize, educate—you name it!—conduct intelligence operations.… We tried to get authority to operate in the Internet space aggressively, because we believed that the Internet space, the cyberworld, was an area that Al Qaeda was excelling in. It took years and very, very tough discussions—even at the presidential level.”

Even to participants who struggled through the creation of the new counterterrorism cyberpolicy, the weeks following the NCTC conference were a blur of working-group meetings with participants ranging from the military and intelligence staff level all the way up to the deputies of the National Security Council. What emerged was an ad hoc, clumsy policy, with authority granted to a new panel, named the Strategic Operational Planning Interagency Group for Terrorist Use of the Internet. If that title was not sufficiently bureaucratic, the acronym was a howler: SOPIG-TUI. Meeting via secure video teleconference, the sessions sometimes drew three dozen participants from all across the government. “We invited everybody and their brother who has a lawyer to participate in these SOPIG-TUIs, almost to the point where we get new folks coming in over and over again,” said one participant. Another official involved in the effort to counter adversary use of the Internet, reviewing his notes from those early meetings, noted a page with only one entry: PAINFUL, written in big block letters.

Even so, these meetings led to the creation of a powerful board of governors assigned to oversee counterstrikes on the Internet. Proposals to disrupt or take down terrorist Web sites were submitted to the SOPIG-TUI, which approved and forwarded them up the chain for a decision by the deputies at the National Security Council. But Abizaid and others were not completely satisfied. The process could take weeks, and it robbed the military of the essential capability to eliminate threats on the Web almost instantaneously. In response, SOPIG-TUI’s advocates argued that it balanced the requirements of the intelligence and law enforcement communities with those of the armed forces. The rules of the SOPIG-TUI remain classified and have never been released, but it has since been superseded by a more formal process—a three-way agreement among the Pentagon, the intelligence community, and the Department of Justice—for considering timely attacks on terrorist Web sites, with the president making the final decision on whether to proceed.

*   *   *

Among the most closely guarded secrets of the military and the intelligence community are the tools that are used to defend against computer network attack and to carry out digital offensives on the Internet. But just as Iraq became a proving ground for the nation’s counterterrorism forces, it also served as a real-world laboratory for computer network warfare. In 2007 President Bush gave official but secret authorization that in effect declared Iraq an official battle space for America’s cyberwarriors.

With the surge’s success that year in knocking back Al Qaeda in Mesopotamia, the military command in Baghdad came to believe that one of the greatest long-term risks to stability in Iraq was a shadowy organization called Jaysh Rijal al-Tariqa al-Naqshbandia (JRTN)—the Men of the Army of al-Naqshbandia Order—based in the north-central part of the country. Its adherents were drawn from a large number of Iraqis who had not participated in the Sunni-led rebellion against the American invasion but who still opposed the government in Baghdad. “It is a Sufi sect—historically mystical, whirling-dervish kind of stuff,” said one military intelligence officer. “It was not a mainstream movement of Islam, but it has organizational capacity far beyond most of the terror groups.” It boasted that it had leadership and financial support from the Baathist elite hiding in their safe haven of Syria, among them Izzat Ibraham al-Douri, a top aide to Saddam Hussein who was a member of the Iraqi leader’s clan. JRTN established operational cells across Iraq, not just in its northern base, growing in its combat strength and becoming more sophisticated in waging information warfare. JRTN operated a pirate television station, bouncing images off an Egyptian-managed satellite from a primitive but effective broadcast studio inside a cargo truck that kept to the roads inside Syria to avoid detection and attack. Its programming specialty was video of snipers picking off American troops.

More ominous than the TV transmissions was JRTN’s presence on the World Wide Web. Its Internet home page was a triptych—a map of the Arab world, the Iraqi flag, a rifle—with the name of the organization written along the bottom in Arabic. The site posted videos that were advertisements for the group itself, along with operational and how-to videos. JRTN members engaged in online training, demonstrating how to assemble bombs and prepare Katyusha rockets for use against American forces. The videos were accompanied by melodic recitations from the Koran. And then there were the videos of these attacks themselves. Like an MTV of hatred, these videos featured high-energy Arabic music with rhythmic beats and singing to celebrate successful attacks. One showed the downing of an American helicopter, the images captured by a video camera prepositioned beneath the anticipated flight path.

JRTN remained a strong presence on the Internet even as the United States drew down its troops and the Iraqi government prepared for national elections in March 2010. During this time, JRTN’s inspirational and inciting propaganda videos were troubling enough, but in the run-up to the elections the JRTN Web site and other terror home pages took on a new operational edge. The government had kept secret the location of thousands of polling places, for obvious security reasons, but terror operatives began posting the information on these sites. It was a targeting list. And then a military raid turned up a trove of videos prepared by Al Qaeda in Mesopotamia, ready for posting on the Internet, meant to inspire preelection violence by showing successful attacks on American positions and the deaths of American troops. “When you’re working against terrorists, you could win the battle but you could lose the war because you lost the information campaign,” said one high-ranking military officer in Baghdad. “If you don’t challenge that, you allow them to recruit and get money and keep growing. Cyber is their safe haven.”

Deciding how to respond to this threat was not easy; it involved turf wars and competition within the different parts of the U.S. government. One agency’s goals sometimes opposed another’s. If the military made a strong case for taking a site down, it might still run up against equally powerful arguments from the intelligence agencies to keep the site alive in order to observe the terrorists’ activities and plans. The debate was all about risk and benefits.

“Now, if there is a honey pot like that and you are Ray Odierno fighting Islamists in Iraq, your view is that anything that permits the Islamists to communicate with one another is killing my troops, shut it down,” said a former senior official on the National Security Council. “And the counter argument is: Actually there are going to be Web sites around where they will communicate—you can’t prevent them from communicating. The Internet is the Internet. If we get them communicating here, we can learn about them and we can give you intelligence that will allow you to go after these people and in the long run, it will keep the troops safer. These are difficult arguments to make.

“The other dilemma is, you think about shutting Web sites down. But of course servers are located in physical space and physical space falls within nation states and nation states have concerns about what happens on their territory. We don’t have rules for any of this. You take down a Web site and, yes, it may be hosting Jihadis, but it also may be hosting things at home.” The debate is paralleled by discussions over how the American national security bureaucracy should act against jihadist Web sites that are password encoded. While the software and passwords may allow militants to feel secure for meeting in these cyber back rooms, a decision to not attack the sites and let them operate allows America’s cyberwarriors the opportunity to monitor and track who comes and goes. You can allow these sites to operate uninterrupted and follow those individuals who turn up on them in hopes of gathering intelligence and links to higher leaders.