This Reference Aid is based on I&A’s review of the radicalization to violence of 39 US homegrown violent extremists (HVEs) who either successfully carried out or were arrested before attempting to carry out attacks in the Homeland between 1 January 2015 and 31 December 2016. It is intended to inform federal, state, local, tribal, and territorial counterterrorism, law enforcement, and countering violent extremism (CVE) officials. For additional information about these HVEs, please see the classified I&A Intelligence Assessment “(U//FOUO) Commonalities in HVEs’ Radicalization to Violence Provide Prevention Opportunities,” published 10 February 2017.
This case study is an examination of behaviors that resulted in a disrupted terrorist attack, revealing a cycle of planning and preparation that could provide indicators for preventing similar attempts. The terrorist attack planning cycle is not a static, linear process but rather could begin in any of the several stages with variances in details, sequence, and timing. An individual’s mobilization to violence often provides observable behavioral indicators such as, pre-attack surveillance, training, and rehearsal. The indicators potentially allow third-party observers and law enforcement to identify individuals moving to violence, circumstances that may allow for disruption of planned attacks. This product is intended to cultivate an awareness of the planning cycle among stakeholders for identification, mitigation, and disruption of attack planning.
DHS-FBI-NCTC Guide: International Partnerships Necessary To Mitigate ISIS’s Organ Harvesting for Terrorist Funding
The Islamic State of Iraq and ash-Sham (ISIS) is attempting to obtain money from organ harvesting, including from its own injured members, captives, and deceased individuals. Identification, prevention, and interdiction of organ harvesting and trafficking is a highly complex issue which may be effectively addressed through international partnerships among governmental, health, law enforcement, legal, and private-sector entities.
We assess with moderate confidence that cyber actors, including those who support violent extremism, are likely to continue targeting first responders on the World Wide Web, including by distributing personally identifiable information (PII) for the purpose of soliciting attacks from willing sympathizers in the homeland, hacking government websites, or attacking 911 phone systems to hinder first responders’ ability to respond to crises.
The EMP protection guidelines presented in this report were initially developed by Dr. George H. Baker, based on his previous work where he led the Department of Defense program to develop EMP protection standards while at the Defense Nuclear Agency (DNA) and the Defense Threat Reduction Agency (DTRA). He is currently serving as a consultant to the Department of Homeland Security (DHS) and is emeritus professor of applied science at James Madison University (JMU). He presently serves on the Board of Directors of the Foundation for Resilient Societies, the Board of Advisors for the Congressional Task Force on National and Homeland Security, the JMU Research and Public Service Advisory Board, the North American Electric Reliability Corporation GMD Task Force, the EMP Coalition, and as a Senior Scientist for the Congressional EMP Commission.
Autonomous vehicles collect and process data from their environments, taking actions that can either help or replace drivers. OCIA assesses that these vehicles will benefit society by improving road safety and reducing deaths, injuries, and costs associated with collisions. Autonomous vehicles will also likely lead to a decrease in traffic congestion, decreasing fuel consumption and emissions per mile, and helping save drivers’ money and time. However, as vehicles become increasingly connected and a part of the Internet of Things, vulnerabilities and potential consequences are likely to increase unless cybersecurity is better integrated into vehicle design and development. Legal and regulatory gaps exist on issues such as collision liability and safety standards; if these gaps are not addressed, cities and states might implement their own laws and regulations, creating inefficiencies for automobile manufacturers, shipping companies, and drivers. Moreover, fully autonomous vehicles will likely have an adverse effect on the professional driver workforce when bus, taxi, and truck drivers are eventually replaced.
Artificial Intelligence (AI) is an emerging risk that will affect critical infrastructure (CI) as it becomes common throughout the United States. The purpose of this research paper is to analyze the narratives about AI to understand the prominence of perceived key benefits and threats from AI adoption and the resulting implications for infrastructure security and resilience. Narratives are strongly held beliefs, and understanding them will help decision makers mitigate potential consequences before they become significant problems.
Terrorist and violent extremist groups have long expressed interest in poisoning and adulterating food and beverage supplies in the West but rarely use this as a tactic. Nonetheless, recent incidents in Europe and Africa underscore the continued interest by some groups in targeting food products at point-of-sale, distribution, and storage. The mere threat of product adulteration in the Homeland almost certainly would cause psychological and economic harm. While we have not seen any specific, credible terrorist threats against Homeland food production and distribution infrastructure, we cannot rule out the possibility of inspired violent extremists or disgruntled insiders attempting to adulterate or poison food and beverages with commonly available toxic industrial chemicals or crude biological toxins due to the relative ease of product manipulation, especially at the last point of sale, which criminal actors have demonstrated consistently in the past.
OCIA assesses that if specific industrial control systems (ICS) were successfully infected with ransomware, it could affect the ability of certain sectors to provide real-time management and control of large networks of geographically scattered equipment. Although security researchers have demonstrated the possibility of ransomware targeting control systems, OCIA assesses that such an attack is highly unlikely given the higher success rate against consumer and business systems, the likelihood that business and process control networks are segmented, and the ability for operators to take a control system out of service and employ manual overrides.
On May 12, 2017, organizations across the world reported ransomware infections impacting their computer systems. The infections, caused by a ransomware strain referred to as WannaCry, restricts users’ access to a computer and demands a ransom to unlock it. The U.S. Department of Justice defines ransomware as, a type of malicious software cyber actors use to deny access to systems or data until the ransom is paid. After the initial infection, ransomware attempts to spread through systems and networks.
Cloud services offer a number of benefits such as scalability, high availability, and decreased ownership cost. As a result, owners and operators in several critical infrastructure sectors such as Communications, Energy, Financial Services, Information Technology, and Transportation Services have migrated in-house computing resources to cloud infrastructures. However, cloud service environments still possess many of the same potential vulnerabilities associated with internally hosted environments, as well as additional exploits to virtual systems or networks. Owners and operators of critical infrastructure need to fully understand the risk environment as they address current cloud services and consider additional migration.
The Department of Homeland Security (DHS) assesses that given the high value of patient information and proprietary data on the black market, the Healthcare and Public Health Sector will continue to be one of the primary targets for malicious cyber actors. Stolen health data sells on the black market for more than 10 to 20 times the price of stolen credit card data. DHS assesses that growth in the medical device market over the next 4 years will result in more devices connected to the Internet, and an increase in the number of cyber-related incidents that target those devices. This is partly because manufacturers do not place enough emphasis on the security of medical devices.
Department of Homeland Security, Federal Bureau of Investigation, Intelligence Fusion Centers, U.S. Secret Service
(U//FOUO) DHS-FBI-USSS Joint Threat Assessment 2017 Presidential Address to a Joint Session of Congress
This Joint Threat Assessment (JTA) addresses threats to the 2017 Presidential Address to a Joint Session of Congress (the Presidential Address) at the US Capitol Building in Washington, DC, on 28 February 2017. This assessment does not consider nonviolent civil disobedience tactics (for example, protests without a permit) that are outside the scope of federal law enforcement jurisdiction; however, civil disobedience tactics designed to cause a hazard to public safety and/or law enforcement fall within the scope of this assessment.
Recent calls over the past year for attacks on hospitals in the West by media outlets sympathetic to the Islamic State of Iraq and ash-Sham (ISIS) highlight terrorists’ perception of hospitals as viable targets for attack. Targeting hospitals and healthcare facilities is consistent with ISIS’s tactics in Iraq and Syria, its previous calls for attacks on hospitals in the West, and the group’s calls for attacks in the West using “all available means.” While we have not seen any specific, credible threat against hospitals and healthcare facilities in the United States, we remain concerned that calls for such attacks may resonate with some violent extremists and lone offenders in the Homeland because of their likely perceived vulnerabilities and value as targets.
(U//FOUO) DHS-FBI Intelligence Assessment: Baseline Comparison of US and Foreign Anarchist Extremist Movements
This joint DHS and FBI Assessment examines the possible reasons why anarchist extremist attacks in certain countries abroad and in the United States differ in the frequency of incidents and degree of lethality employed in order to determine ways US anarchist extremists actions might become more lethal in the future. This Assessment is intended to establish a baseline comparison of the US and foreign anarchist extremist movements and create new lines of research; follow-on assessments will update the findings identified in the paper, to include the breadth of data after the end of the reporting period (as warranted by new information), and identify new areas for DHS and FBI collaboration on the topic. This Assessment is also produced in anticipation of a heightened threat of anarchist extremist violence in 2016 related to the upcoming Democratic and Republican National Conventions—events historically associated with violence from the movement.
(U//FOUO) DHS Intelligence Note: Germany Christmas Market Attack Underscores Threat to Mass Gatherings and Open-Access Venues
A 25-ton commercial truck transporting steel beams from Poland to Germany plowed into crowds at a Christmas market in Berlin at about 2000 local time on 19 December, killing at least 12 people and injuring 48 others, several critically, according to media reporting citing public security officials involved in the investigation. The truck was reportedly traveling at approximately 40 miles per hour when it rammed the Christmas market stands. Police estimate the vehicle traveled 80 yards into the Christmas market before coming to a halt.
This Joint Analysis Report (JAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The U.S. Government is referring to this malicious cyber activity by RIS as GRIZZLY STEPPE.
(U//FOUO) DHS, Fusion Centers Reference Aid: Malicious Terrorism Hoaxes Likely to Endure, Strain State and Local First Responder Resources
This Reference Aid is intended to provide information on malicious terrorism hoaxes that will continue to challenge first responder resources throughout the Homeland and territories. This Reference Aid is provided by I&A, DIAC, NCRIC, NVRIC, and NJ-ROIC to support their respective activities, to provide situational awareness, and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and first responders with recognizing the indicators and implications of malicious terrorism hoaxes. The use of hoax calls may also be used as a technique to lure authorities to a particular location for the purpose of conducting a potential attack, but is not discussed in this article, as luring is viewed as its own distinct tactic.
DHS has no indication that adversaries or criminals are planning cyber operations against US election infrastructure that would change the outcome of the coming US election. Multiple checks and redundancies in US election infrastructure—including diversity of systems, non-Internet connected voting machines, pre-election testing, and processes for media, campaign, and election officials to check, audit, and validate results—make it likely that cyber manipulation of US election systems intended to change the outcome of a national election would be detected.
One of the most significant cyber threats to businesses, local and federal government agencies is the Distributed-Denial-of-Service attack (DDoS). A Distributed Denial of Service attack (DDoS) occurs when an attacker commands a number of computers to send numerous requests to a target computer. The overwhelming flood of requests to the website or computer network can cause it to shut down or fail to handle the requests of legitimate users, much like a rush hour traffic jam on the freeway. This type of attack can completely disrupt an organization’s operations until the network is able to be restored. Understanding the basic concept and methods of a DDoS attack can help operators of both large and small networks mitigate the severity of the attack.
The results of this analysis show a strong earthquake will likely cause significant damage to critical infrastructure in the area affecting 547 dams or water control structures, render approximately 300 roadway segments unusable, and cause damage to 172 water and wastewater treatment systems. The scenario earthquake will likely cause damage to 154 dams in the area. Seven of the dams will likely experience Extensive or Complete damage. The Ward Creek Dam, which is used for flood control, is likely to incur Complete damage. Extensive damage to the James H. Turner Dam poses the greatest risk to downstream population. The earthquake will cause damages to many road segments, bridges, and tunnels in the area. As a result, travel times on these roadways and others will increase significantly. Multiple areas on freeways such as I–680, I–880, and I–580 will have the highest above normal traffic volumes. Several bridges on these freeways will also likely incur Extensive damage. Tunnels in the area will likely have less damage with bores in the Caldecott Tunnel on State Route 24 experiencing only Moderate damage.
A joint intelligence bulletin issued in late August by the Department of Homeland Security, FBI, and National Counterterrorism Center (NCTC) assesses that homegrown violent extremists (HVEs) are “increasingly favoring civilian targets” as opposed to government facilities and personnel. Previous assessments have found that HVEs are most likely to prioritize “law enforcement personnel, military members, and US Government-associated targets.” However, a recent shift towards civilian targets has likely been driven by the accessibility of “soft targets” that are less secure and provide greater opportunities for mass casualty attacks.