Thursday, February 14, 2008

ODNI Releases Info-Sharing Standards

The Office of the Director of National Intelligence (ODNI) has released standards for sharing information about potential terrorist-related activity among local, state, and federal law enforcement. Federal Computer Week reports:

John Cohen, a spokesman for PM-ISE, said the standards establish functional criteria to provide general categories of behavior that can be seen as suspicious and a map for how information and intelligence should be shared among fusion centers.

“It provides a definition that is communicated and understood across all communities,” he said.

He also added that the hope is that by giving law enforcement more intelligence or information about what they should be looking for they can avoid relying on profiling.
The key concept is "observable behavior." It's not who you are; it's what you do. Looking at the standards themselves, which are downloadable here, provides a clearer picture:
Suspicious activity is defined as “observed behavior that may be indicative of intelligence gathering or pre-operational planning related to terrorism, criminal, or other illicit intention.”
Not surprisingly, the CTISS continues the general trend of emphasizing the importance of fusion centers:
The State or major urban area fusion centers shall act as the key conduit between the State, local, and tribal (SLT) agencies and other ISE participants. It is also important to note the ISE Shared Space implementation concept is focused exclusively on terrorism related information, however many suspicious activity report (SAR) originators and consumers have responsibilities beyond terrorist activities and beyond the scope of the ISE.

Of special note, there is no intention to modify through this ISE-SAR Functional Standard or otherwise affect the currently supported and/or mandated direct interactions between State, local, and tribal law enforcement and investigatory personnel and the Joint Terrorism Task Force (JTTF) or Field Intelligence Groups (FIGs).
Not sure what this last bit means - could mean that the JTTFs and FIGs will remain their own information silos, which would be unfortunate.


In any case, it sounds at first like the new standards for suspicious activity reporting (SAR) will cast a wide net and take advantage of a significant vulnerability of potential terrorist groups - the nexus between "ordinary" crime and potential terrorism:
It is also important to acknowledge that many terrorist activities are now being funded via local or regional crimes organizations. This places law enforcement and homeland security professionals in the unique, yet demanding, position of identifying suspicious activities, behavior, or materials as a byproduct or secondary element to a criminal enforcement or investigation activity. This means that, while some ISE-SARs may document activities or incidents to which local agencies have already responded, they are being shared to facilitate aggregate trending or analysis.
Illicit money-making activities present a lot of opportunities for law enforcement to detect these groups. And yet, when you look at the specific categories of observable behaviors, they're almost entirely operational and target-centric:
Eliciting Information: Questioning facility personnel about facility/infrastructure/personnel: this includes individuals probing employees in person on or off-site, over the phone, or via the Internet about particular structures, functions, and personnel procedures at the facility/infrastructure.
Breach/Attempted Intrusion: Unauthorized personnel attempting to or actually entering a restricted area or protected site. Impersonation of authorized personnel (e.g. police/security, janitor).
Misrepresentation: Presenting false or misusing insignia, documents, and/or identification, to misrepresent one’s affiliation to cover possible illicit activity.
Photography: Taking pictures/video of facility/infrastructure/personnel or surrounding environment.
Observation: Showing unusual interest in facility/infrastructure/personnel; for example, observing it through binoculars, taking notes, drawing maps, or drawing structures of the facility.
Surveillance: Monitoring the activity of people, facilities, processes or systems.
Theft/Loss/Diversion: Stealing or diverting something associated with a facility/infrastructure (e.g., badges, uniforms, identification, emergency vehicles, technology or documents {classified or unclassified}, which are proprietary to the facility).
Sabotage/Tampering/Vandalism: Damaging, manipulating, or defacing part of a facility/infrastructure or protected site.
Testing of Security: Interactions with, or challenges to installations, personnel, or systems that reveal physical, personnel or cyber security capabilities.
Cyber Attack: Compromising, or attempting to compromise or disrupt an organization’s information technology infrastructure.
Expressed or Implied Threat: Communicating a spoken or written threat to damage or compromise a facility/infrastructure.
Flyover: Suspected over flight of a facility/infrastructure; this includes any type of flying vehicle (e.g., airplanes, helicopters, unmanned aerial vehicles, hang gliders).
Materials Acquisition/Storage: Acquisition of unusual quantities of precursor material (e.g., cell phones, pagers, fuel, timers), unauthorized/unlicensed individual/group attempts to obtain precursor chemicals/agents, or toxic materials, and rental of storage units for the purpose of storing chemicals or mixing apparatus.
Acquisition Of Expertise: Attempts to obtain or conduct training in security concepts; military weapons or tactics; or other, unusual, capabilities, such as specialized transport or handling capabilities.
Weapons Discovery: Discovery of weapons or explosives.
Sector-Specific Incident: Actions associated with a characteristic of unique concern to specific sectors (such as the public health sector), with regard to their personnel, facilities, systems or functions.
Recruiting: Building of operations teams and contacts, personnel data, banking data or travel data.
Other: Incidents not fitting any of the above categories.
By the time someone is doing most of these activities, they may have already put an organization together, raised funds, etc. Also, it's possible to put together many elements of an attack without a specific target in mind. In fact, some potential modes of attack, such as a "dirty bomb" attack or some types of biological attacks, wouldn't require access to a particular target. Close enough would do. So the target-centric focus is a bit puzzling. Also, many important activities that would provide good opportunities for detection would fall into just a couple of categories: Acquisition of Expertise and Recruiting.

Everything seems to be there; it just seems odd that the emphasis is on observations that are tied so closely to reconnaissance and/or exploiting the vulnerability of a specific target.


TSA Blogs

The Transportation Security Administration has established a blog, "Evolution of Security." So far the general theme seems to be "what we do and why we do it."


Tuesday, February 12, 2008

Cat and Mouse

It's a few weeks old, but worth noting... this article in the Washington Post discusses some of the ways terrorists have adapted to the attempts by law enforcement to sniff them out. They've become adept at evading some types of electronic surveillance, for example.

In an age of spy satellites, security cameras and an Internet that stores every keystroke, terrorism suspects are using simple, low-tech tricks to cloak their communications, making life difficult for authorities who had hoped technology would give them the upper hand.

Across Europe, al-Qaeda operatives and sympathizers are avoiding places that they assume are bugged or monitored, such as mosques and Islamic bookshops, counterterrorism experts said. In several cases, suspects have gone back to nature -- leaving the cities on camping trips or wilderness expeditions so they can discuss plots without fear of being overheard.
It's age-old stuff, really. Clandestine organizations have always used these tactics. But the rapid advance of technology has provided new options for evading detection:
Overall, terrorist cells around the world have become noticeably more skilled at avoiding detection, European counterterrorism officials and analysts said in interviews. For instance, operatives now commonly use Skype and other Internet telephone services, which are difficult to trace or bug.

At times, they have displayed a flair for creativity. Defendants convicted last April in a plot to blow up targets in London with fertilizer bombs communicated via chat rooms on Internet pornography sites in an effort to throw investigators off their trail, according to testimony.
Techniques run the gamut from advanced to rudimentary:
Often, suspects use simple, homemade codes in their exchanges. In a trial in the German city of Kiel, a Moroccan-German man charged in a separate case with recruiting suicide bombers to go to Iraq revealed in testimony in November some of the rudimentary ciphers that he and other cell members used in Internet chat forums.

"Taxi drivers," Redouane el Habab said, referred to suicide bombers; explosives were "dough." Anybody who had to go to "the hospital," he added, had been taken to jail, while those visiting "China" were really attending training camps in Sudan.
The bottom line is that, although these tactics make detection difficult, it is not impossible - and human intelligence is still critical:
"Unfortunately, the technology changes so quickly that we're always playing a catch-up game," the senior Italian official said. "The bottom line is that we'll have to work more and more with human sources."

Other Italian officials, however, said the trackers would always have one important advantage: Because conspirators must communicate, they will always be vulnerable to eavesdropping in some form.

"Many times I ask myself, how is it still possible to obtain important information if the suspects know we can do this?" said Spataro, the deputy chief public prosecutor in Milan.

The answer, he said, is that "as members of a criminal association, they have to speak, they have to communicate with each other, they have to make plans."
This sort of thing is why I've emphasized the recruiting process. Once a terrorist group - or any other criminal organization - is behind closed doors, its options for practicing deception increase. But when recruiting, they have to be more forthright with their communications. They are very cautious at the outset, of course, but eventually they have to show their hand.

Disrupting recruiting can also have the advantage of exploiting vulnerabilities in a pre-operational stage.

Monday, February 11, 2008

All Politics Is Global?

Here's an interesting paper out of Australia, arguing that terrorism has, in essence, reached the viral stage:

[W]e are not now dealing with some kind of well drilled, structured organisation where people are recruited into a hierarchy and they are trained and given high-level skills that allow them to pull off spectacular acts of terrorism. More and more, terrorists are amateurs. They may be relatively incompetent, but they are also unlikely to be part of a network. Such people are not recruited – they recruit themselves.
Hmm...yes and no.

There certainly are some self-recruited amateurs out there, but it's incorrect to assume that all potential terrorists are amateurs.

The paper's author, Waleed Aly, argues that Osama bin Laden understands the new nature of globalized terrorism. The evidence of his new understanding is his evolving mode of communication in his video and audio addresses:
[Bin Laden] is not dressed in military fatigues. He’s dressed in the golden robes of a statesman. He has carefully cultivated a more youthful, vital appearance. He is not, and for a long time, has not been issuing strategic advice or instructions. He is not identifying targets. He is not addressing somebody he knows personally and with details of the next operation and how it will be conducted. ... bin Laden’s mode of discourse is a motivational one. He is a motivational speaker now. He provides a political narrative for people, a narrative of inspiration, but he issues no direct instructions.
The upshot of this?
[T]errorists scarcely need to recruit anymore because we have entered a phase of self-radicalisation, of DIY terrorism.

We are not dealing with organisational structures. We are most truly dealing with a persuasion around which otherwise disconnected people can coalesce accidentally into a movement. These are people that often have wildly divergent ideologies, and often disagree vehemently with one another. They are not some uniform factory product. This is not some singular evil ideology, despite the now familiar insistence of various pundits and politicians. It is a persuasion that has converged on an expression of political violence at a given point in time.
Again, yes and no. Some plotters, such as the Fort Dix guys, are clearly beginners - DIY types. But it's naive to think that, because we're seeing some of these guys, that's all there is.

Organization is critical to marshaling forces and increasing capabilities. Terrorist organizations understand this as well as anyone, even if, for security reasons, they seek to establish small, self-contained operational groups.
Identity politics is central to forging, and fighting, such a persuasion. It is crucial to grasp this because it leads us to think of counterterrorism in new ways. Presently, the governmental focus is disproportionately on the pointy end of the terrorism process: finding people who are about to kill us and locking them up. And it is precisely because the more formative stages of this process are beyond the conventional gaze that the scope of the threat grows consistently.

A person might begin with deep local grievances, but quickly learn to give them a global meaning. This is the nature of liquid modernity, where space collapses and it is possible to plug into the grievances of antipodean communities, even virtual communities, instantly. With globalised information flows, I can now appropriate the grievances of Muslims from Europe, Asia or the Middle East as my own, and I can therefore construct an artificially unified story. The brilliance of demagogues like bin Laden is in their ability to exploit this; to impart upon people the tools to knit together global narratives of persecution out of their domestic grievances; to convince disconnected audiences that the frustration, exclusion and alienation they feel domestically is not merely a domestic problem, but is precisely the same oppression visited upon their co-religionists in Iraq, Israel, Chechnya or Kashmir, part of the same grand design.
No disagreement here. This is the danger of the metastasization of the terrorist threat - that the old adage "all politics is local" becomes turned on its head. (Or perhaps, more accurately, the newer adage, "Think global; act local" is expressed in malevolent ways.)
The implications for government policy are relatively clear. No longer can we maintain the convenient political fiction that it is possible to quarantine policy decisions, whether foreign or domestic, from issues such as the terror threat. It is clear that whatever actions we take, in whatever sphere we take them, can and do have an increasingly global resonance.
The reverse is also true. On the local level, we ought to understand how events in faraway places can have significant local impacts. In the battle of hearts and minds, we can engage this argument only when we see both the near and the far - how we affect and are affected by events around the corner and around the globe.


Intrastate and Interstate Preparedness in Missouri

Missouri does well in a recent review of its preparedness for a health-related disaster.

[A] recent review from the Centers for Disease Control and Prevention (CDC) revealed that Missouri is well prepared to provide drugs and medical supplies from a federal stockpile in the event of a public health emergency.

Missouri scored 96 of 100 percent for its overall readiness to quickly distribute the necessary medicines and medical supplies received from the Strategic National Stockpile (SNS). These supplies would then be dispersed to local public health agencies, hospitals and other treatment sites for dispensing to Missourians. CDC's report card stated "the state of Missouri continues to demonstrate a well developed Strategic National Stockpile preparedness program with clear evidence of collaboration between state agencies; and should be highly commended for its significant work in improving preparedness through collaboration with all eight bordering states."

Local public health emergency response plans blend with the state-level plan, an achievement that requires a great deal of advance communication and collaboration with local partners. The state and local communities conduct exercises on an ongoing basis to identify gaps in the delivery and dispensing of supplies needed during emergencies, and then work on improvements to those plans.

Some improvements noted from last year's score of 85 percent include increased recruitment and training of Strategic National Stockpile team members; advance preparation of public information messages; cooperative planning with bordering states; and increased emphasis on exercise training and evaluation. The most recent state exercise focused on the use of a Regional Distribution Site; an alternate care treatment site as well as the capability of receiving and staging large shipments of managed inventory.
The good news here is the intrastate and interstate collaboration. As one of only two states that border 8 others (Tennessee being the other), Missouri has an exceptional need to develop relationships with bordering states.

The need for interstate planning is made all the more striking when you consider that the New Madrid fault area lies at the confluence of three states - Missouri, Arkansas, and Tennessee.