[A.White] Out of Iraq and Levant, ISIS Is an Idea, Not a Group; ISIS nodes


ISIS nodes and why we’re failing

Self-organising decentralised terrorist nodes

Outside of Iraq and the Levant, ISIS is an idea rather than a terrorist organisation. Unlike traditional terrorist organisations like the IRA, Haqqani network, ETA, Force 17, the ISIS organisation in Iraq (in-country ISIS) does not dictate attack vectors to out-of-country local nodes (out-of-country ISIS). Distributed and decentralised, local nodes increase the success of the parent global operations but operate with the absence of command and control influence. As such, outside Iraq and Levant, ISIS is an idea, not a group.  This stand-alone model is why security forces are failing to track communications they expect to be delivering instructions and targets. There are no direct communication delivery networks from in-country to out-of-country. While the use of sink nodes does coordinate the formation of basic local nodes, it is far from an intelligent system or organisation for a sustainable terrorist group.

Composition of local nodes

Out-of-country (OoC) local nodes are comprised of a minimum of one agent[1]. The agent’s surroundings comprise the environment and, along with the possibility of other agents in the node, this environment creates a world. OoC agents are goal-based. They determine exploits and attack vectors and take action. With a lack of direct communications to in-country (IC) ISIS, the agents are low level, blind executors of the ISIS idea rather than evolving into a system that would allow cooperation and coordination at a higher level. Whilst Paris may seem like a coordinated attack, it was a series of connected agents, broken into local ISIS nodes, with one attack vector – Paris. Different attack sites does not equal different attack vectors.

Decentralised = scalable, fault tolerant and self-configuring


As more agents become available so they can engage in more complex attacks, cross-linking targets for increased effect. Multi-agent nodes can create multiple nodes which increases redundancy, and, as seen in Paris, become highly scalable with attacks being performed in parallel. ISIS nodes have increased resilience to state security intervention because they operate in silos.


The lack of coordination between nodes equals a lack of attack vectors. ISIS nodes settle in a quasi-random space: they need access to resource networks and an availability of attack vectors: window cleaners tend not to live in a village with an absence of windows.  Nodes have a symbiotic relationship and must often access resources from non-terrorist sectors. Local criminal gangs facilitate assistance so nodes can compute solutions to their goals: facilitation of weapons, documents and safe passage. This creates a siloed, autonomous, in-country terrorist organisation; they follow the idea of ISIS but are not governed by a global command and control centre. There can be hundreds of autonomous organisations operating for the same global entity. The nature of siloed operations makes detecting and shutting down their operations difficult but it also makes it difficult for nodes to coordinate large scale attacks without communicating; with no command structure, it’s common for local nodes to be unaware of others.

Parameter tuning

For decentralised terrorist network support, who trades with who is an important parameter. Control of this supply chain can stop nodes from operating effectively. Parameters can include flow of currency, availability of controlled resources and the availability of the resource giving entity itself. Using Pareto efficiency[2], finding local resource giving entities with controlled goods shortages, could be one sign of an attack vector about to become live by a node: a sudden weapons shortage in local black markets could be used as an indicator. For trading requirements, understanding what information is needed to take appropriate decisions and actions is one part of a solution equation. Discovering resource giving entities or brokers, is another.

Reinforced learning

Nodes aim to deliver quality and quantity and, in turn, receive reward and recognition for their global parent. More complex tasks involve more nodes. Unlike more traditional terrorist organisations, survival of the node is not paramount. Larger attacks receive greater recognition for the parent global organisation ISIS and so will propagate the idea further. This reinforced learning is used in the start-up of future independent nodes.

Possibility of ISIS sink node

A sink node has a unique function in an organisation. It maintains a global view of a network.  While no direct line of communication can be seen from IC ISIS to OoC ISIS local nodes, the possibility of a sink node located out-of-country, connecting agents, is a possibility. An ISIS sink node located in a place where many agents pass (a refugee camp in Turkey, Serbia[3], Croatia, Hungary, etc), could link them into operational nodes. It is doubtful that attack vectors would be provided at this point but access to controlled resources and currency could be possible. An increasing use of sink nodes to link individual agents can be seen in the Paris attacks on 13th November 2015[4], where a number of unconnected individuals seem to have created local nodes.

Defeating decentralised, self-organising ISIS nodes

While the idea is the central power for ISIS nodes, it is extremely difficult to fight an idea. How can we destabilise nodes? Removing a node has no effect on others. Actions against the parent global organisation have no negative effective on out of country nodes; one day after news of successful drone strikes on senior in country ISIS figures[5], the Paris attack took place. In-country actions against the global parent company exacerbate node actions.

But stopping stand-alone terrorist nodes? That seems to be the difficult question that needs an answer.



Note: The creation of nodes is outside of the scope of this article.

[1] Agents are malicious actors. They can be trained or untrained. Often the media will refer to singular agents as lone wolves.

[2] Pareto efficiency, or Pareto optimality, is a state of allocation of resources in which it is impossible to make any one individual better off without making at least one individual worse off.

[3] http://www.theguardian.com/world/2015/oct/19/refugees-stranded-on-serbian-croatian-border

[4] http://www.bbc.co.uk/news/world-europe-34818994

[5] http://www.bbc.co.uk/news/uk-34805924


About Author

A. White

CTO of Direct Action International, A White provides thoughts around most things cyber related.