Copyright: Foreign Policy, March 3, 2015.
“We are Muslims, Christians, Jews,” the wire-frame Guy Fawkes mask announces in an eerie robot voice. “We are hackers, crackers, hacktivists, phishers, agents, spies, or just the guy from next door…. ISIS, we will hunt you, take down your sites, accounts, emails, and expose you…. You will be treated like a virus and we are the cure. We own the Internet.”
The “we” here is Anonymous, the vaunted global hacking collective that launched a furious online offensive against the Islamic State in early February, and which declared war on the group shortly after the fall of Mosul last June. As the alternative Counter Current News reported (and as Anonymous #OpISIS YouTube videos proudly trumpeted), these attacks exposed more than 6,600 Islamic State-linked Twitter accounts, along with 2,000 email addresses and about 100 IP/VPN channels. Several of the group’s major recruiting sites were also knocked offline.
But Fawkes’s wire-frame visage sounded about as frustrated as a robot voice can in a subsequent video released on Feb. 11, announcing a third attack. “With our last Operation ISIS, we showed the world and especially governments it’s not that hard to fight back ISIS online. So why’s no government doing it?”
Great question. How is it that the U.S. government, capable of coordinating a complex air campaign from nearly 6,000 miles away, remains virtually powerless against the Islamic State’s online messaging and distribution network? For months, the militant group’s horrifying, crisply edited videos of death marches, beheadings, and immolations have churned their waythrough the social media landscape, commanding near-instantaneous global attention. Add to this the group’s use of more intimate web platforms for international recruiting (20,000 foreign fighters from 90 countries at last count), and the scope of the problem only widens.
These online mouthpieces carry immense strategic value. The Islamic State’s June 2014 offensive into Mosul, for instance, was accompanied by a well-choreographed social media campaign, sowing terror and confusion far in advance of its fighters. Tellingly, when the Iraqi government finally acted, it did so by banning its own citizens’ access to Facebook and Twitter. Within the last month, videos of the Islamic State’s atrocities have resonated so strongly with citizens of Jordan and Egypt that they’ve provoked armed escalation and retaliation by these Arab governments. This is arguably exactly what the Islamic State wants.
If the United States is struggling to counter the Islamic State’s dispersed, rapidly regenerative online presence, why not turn to groups native to this digital habitat? Why not embrace the efforts of third-party hackers like Anonymous to dismantle the Islamic State — and even give them the resources to do so?
To date, the State Department’s tiny Center for Strategic Counterterrorism Communications — with its 21,000-follower “Think Again Turn Away” Twitter account — has been the tip of the spear in the U.S. effort to short-circuit the Islamic State’s propaganda machine. At best, its efforts are like spitting in the wind. At worst, it has been an embarrassment, as when the account confused al Qaeda and the Islamic State in a much-maligned tweet that baffled jihadis around the globe.
Although the Obama administration has announced a significant expansionof the office and put forth an encouraging plan to empower networks of university students to counter violent extremism online, these initiatives only address half the problem. As anyone who’s ever gotten in a political debate on Twitter can tell you, the availability of a viable counter-narrative in no way guarantees that somebody will actually listen to it. A remarkable number of people seek out information online with their minds firmly made up. Just as the United States must push back against Islamic State messaging, it must also take steps to tear out its voice box.
Those best suited to this task are not necessarily the thousands of professional hackers at U.S. Cyber Command and related agencies, who are trained and equipped to counter cyberattacks by rogue states and sophisticated non-state actors. Instead, the U.S. government should look to those unaffiliated, socially minded hackers (“hacktivists”) who have their own reasons to despise the Islamic State. This includes self-declared,underutilized “white hat” hackers, who use their expertise to test and improve the cyber-defenses of companies. It also includes those individuals and hacktivist collectives like Anonymous who have had a traditionally antagonistic relationship with the U.S. government.
Although a quick stroll through the 4chan image board, Anonymous’s early nesting ground, makes a terrible first impression, the fact is that hacktivists do have a moral compass. The targets selected by Anonymous and other groups — the recording industry and movie studios following the forced shutdown of a popular file-sharing website, accused rapists in Steubenville, Ohio, and even the United States government (following the federal indictment and suicide of hacker Aaron Schwartz) — suggest a loose set of guiding principles. Indeed, Anonymous even briefly joined the Syrian civil war when it hacked the email account of Syrian president Bashar al-Assad in 2012. As a rule, hacktivists despise bullying, hypocrisy, and fundamentalism. The Islamic State couldn’t present a clearer target.
What might a U.S. “partnership” with dispersed, largely unaccountable — if not uncontrollable — groups of shadowy individuals often at odds with U.S. laws look like?
It’s a radical idea: a nonprofit foundation, sponsored by the anti-Islamic State coalition and funded through a mix of U.S. public support and private contributions. (Think NPR doing bounty-hunting.) This small institution could issue bite-sized rewards (or tote bags?) for proof of the identification or elimination of Islamic State-linked social media accounts, VPN/IP channels, recruiting websites, or any other sort of online refuge. Defining “proof” here would be a significant engineering challenge — but certainly not as hard as flying unmanned space planes or deploying Star Wars lasers.
Such bounties could be paid in Bitcoin, an anonymized, volatile cryptocurrency that’s understandably “suspect” to the U.S. government, but that remains popular among secretive online communities. By authorizing the use of Bitcoin, officials would be extending a fig leaf to the world’s hacktivists, respecting those critical hacker values of freedom and anonymity. Any other system — involving traceable payments or even potential registration as federal contractors — would almost certainly combust in a storm of paranoia and lightning accusations of government surveillance.
So long as the initiative attracted attention and payment proved quick, reliable, and tamper-proof — critical when dealing with hackers — it could open a new front in the digital war against the Islamic State. Already, social media administrators are struggling to shut down jihadi accounts at a pace that’s not even close to that with which they are being opened. A crowdsourced hacktivist army could supplement those efforts, identifying and flagging new nodes in the Islamic State’s network the moment they began attracting followers. These paid volunteers could also harass the Islamic State with phishing and distributed denial of service (DDoS) attacks — the bread and butter of today’s online vigilantes. Strong verification mechanisms could incentivize a more surgical approach to identifications and attacks, limiting collateral damage.
The effect would be to exert a constant pressure on the Islamic State’s digital operations. Social media companies like Twitter, which have been fighting a long-running game of whack-a-mole against the Islamic State, could get a huge boost in their never-ending effort to track down targets. Long lists of jihadi accounts, compiled by hacktivists and verified by government proxies, could be sent to the immediate attention of social media monitors. Likewise, brute-force DDoS assaults (which overwhelm servers’ nonstop connection requests) against Islamic State websites and forum boards could stymie its global coordination and recruiting drives. Other, stealthier attacks could sow confusion among Islamic State supporters, as with Anonymous’s recent hack that compromised more than 2,000 emails.
The goal would be to push the Islamic State into deeper and deeper parts of the web. No longer would grisly execution videos trend so quickly worldwide; no longer could the Islamic State so easily pull the strings of public attention. As prospective jihadis (particularly in the West) found it harder to establish contact with recruiters in Iraq and Syria, governments would find it easier to identify and stop them. In time, the Islamic State’s global reach and influence would wane.
This sort of partnership wouldn’t require any deeper mending of the rifts between hacktivists and the U.S. government. Those attacking the Islamic State and seeking anonymized payment could be greeted with a simple message: “You don’t like us and we often don’t like you. Performing this service will in no way immunize you from applicable domestic laws, now or in the future. But we share a common enemy and will defeat it best by working together.”
If individuals and groups like Anonymous are performing this service for free today, why pay them? It’s a question that speaks to the dynamics of these decentralized groups. The fact is that, while loose hacktivist collectives are excellent at mounting one-time “operations” to disrupt or disable target networks, they’re much less effective at sustaining that pressure over the long run. Those involved can get bored or distracted. The effort can fizzle.
This poses a problem. After all, there will never be a single decisive moment — an online Battle of the Bulge — that drives the Islamic State off the Internet for good. So long as the group exists, its fighters will always gravitate toward online services to achieve their goals of international terrorism and recruitment. Accordingly, rolling back the Islamic State’s virtual operations will be a continual task, akin to spraying for pests or mowing a really big lawn. This is the kind of job you pay for.
“Enlisting trolls to fight trolls” sounds like a surreal, distinctly 21st-century idea. It’s not. The United States has often embraced unlikely collaborators to realize strategic goals. In the early 1940s, tens of thousands of American Jeeps rumbled into Nazi Germany — driven by Soviet soldiers. In the 1980s, Afghan mujahideen shot down Soviet helicopters with U.S.-supplied Stinger missiles. In the war-torn Iraq of 2007, the United States showered money on previously hostile Sunni tribes to finally quash al Qaeda’s influence. Even today, Washington navigates tenuous partnerships with Iranian-backed Shiite militias and the terrorist-designated Kurdistan Workers’ Party. By comparison, offering micropayments to socially minded hackers comes across as fairly benign. U.S. soldiers are less likely to one day find themselves on the wrong end of a U.S.-supplied piece of crypto-currency.
There are plenty of fair objections and points of criticism to a plan like this. For one, it’s truly a stretch to imagine the U.S. government buying up Bitcoin with public money — something that the Internal Revenue Service classifies a highly speculative form of property. Likewise, in an arrangement where hacktivists’ real identities would never be compromised, there could be no guarantee that these hackers would not be using U.S. government money to attack websites under U.S. legal protection (the kind of absurd perpetual-motion machine only federal policy could devise). Finally, the sanctioned employment of hacktivists would push against international norms that have long banned hacking and piracy. This model, harnessed by another government at a later date, could potentially imperil the same U.S. interests it now stands to aid.
Nonetheless, rallying a cybermilitia via a smart system of micropayments — therefore expanding the war against the Islamic State without compromising hacktivists’ fringe credentials — is still preferable to ham-fisted alternatives. Too much direct U.S. legal pressure on companies like Twitter, for instance, would run the risk of nationalizing what have become global platforms for conversation and debate. Trying to legislate the Islamic State off the web will do more harm than good. A real, lasting solution requires unorthodox thinking and respect for what the Internet has become.
In Iraq and Syria, kinetic operations against the Islamic State are proceeding, limiting the reach and power of the insurgent group. Yet on the Internet — on web services and servers largely based in the United States — the Islamic State still operates with impunity. For a war effort that hinges on the marginalization and rejection of its propaganda, this represents a gaping vulnerability. It’s long been a maxim of U.S. military operations that no safe haven should be left to the enemy. This thinking must now extend to the Islamic State’s terrible, pioneering use of the cyber-domain.
Loosely affiliated hacktivists have spent years honing their ability to harass and disrupt in this same domain. They also hate the Islamic State and all it stands for. Why not work with them?