Thursday, February 14, 2008

ODNI Releases Info-Sharing Standards

The Office of the Director of National Intelligence (ODNI) has released standards for sharing information about potential terrorist-related activity among local, state, and federal law enforcement. Federal Computer Week reports:

John Cohen, a spokesman for PM-ISE, said the standards establish functional criteria to provide general categories of behavior that can be seen as suspicious and a map for how information and intelligence should be shared among fusion centers.

“It provides a definition that is communicated and understood across all communities,” he said.

He also added that the hope is that by giving law enforcement more intelligence or information about what they should be looking for they can avoid relying on profiling.
The key concept is "observable behavior." It's not who you are; it's what you do. Looking at the standards themselves, which are downloadable here, provides a clearer picture:
Suspicious activity is defined as “observed behavior that may be indicative of intelligence gathering or pre-operational planning related to terrorism, criminal, or other illicit intention.”
Not surprisingly, the CTISS continues the general trend of emphasizing the importance of fusion centers:
The State or major urban area fusion centers shall act as the key conduit between the State, local, and tribal (SLT) agencies and other ISE participants. It is also important to note the ISE Shared Space implementation concept is focused exclusively on terrorism related information; however, many suspicious activity report (SAR) originators and consumers have responsibilities beyond terrorist activities and beyond the scope of the ISE.

Of special note, there is no intention to modify through this ISE-SAR Functional Standard or otherwise affect the currently supported and/or mandated direct interactions between State, local, and tribal law enforcement and investigatory personnel and the Joint Terrorism Task Force (JTTF) or Field Intelligence Groups (FIGs).
It's not clear what this last bit means. It could mean that the JTTFs and FIGs will remain their own information silos, which would be unfortunate.

In any case, it sounds at first like the new standards for suspicious activity reporting (SAR) will cast a wide net and take advantage of a significant vulnerability of potential terrorist groups - the nexus between "ordinary" crime and potential terrorism:
It is also important to acknowledge that many terrorist activities are now being funded via local or regional crimes organizations. This places law enforcement and homeland security professionals in the unique, yet demanding, position of identifying suspicious activities, behavior, or materials as a byproduct or secondary element to a criminal enforcement or investigation activity. This means that, while some ISE-SARs may document activities or incidents to which local agencies have already responded, they are being shared to facilitate aggregate trending or analysis.
Illicit money-making activities present a lot of opportunities for law enforcement to detect these groups. And yet, when you look at the specific categories of observable behaviors, they're almost entirely operational and target-centric:
Eliciting Information: Questioning facility personnel about facility/infrastructure/ personnel: this includes individuals probing employees in person on or off-site, over the phone, or via the Internet about particular structures, functions, and personnel procedures at the facility/infrastructure.
Breach/Attempted Intrusion: Unauthorized personnel attempting to or actually entering a restricted area or protected site. Impersonation of authorized personnel (e.g. police/security, janitor).
Misrepresentation: Presenting false or misusing insignia, documents, and/or identification, to misrepresent one’s affiliation to cover possible illicit activity.
Photography: Taking pictures/video of facility/infrastructure/personnel or surrounding environment.
Observation: Showing unusual interest in facility/infrastructure/personnel; for example, observing it through binoculars, taking notes, drawing maps, or drawing structures of the facility.
Surveillance: Monitoring the activity of people, facilities, processes or systems.
Theft/Loss/Diversion: Stealing or diverting something associated with a facility/infrastructure (e.g., badges, uniforms, identification, emergency vehicles, technology or documents {classified or unclassified}, which are proprietary to the facility).
Sabotage/Tampering/Vandalism: Damaging, manipulating, or defacing part of a facility/infrastructure or protected site.
Testing of Security: Interactions with, or challenges to installations, personnel, or systems that reveal physical, personnel or cyber security capabilities.
Cyber Attack: Compromising, or attempting to compromise or disrupt an organization’s information technology infrastructure.
Expressed or Implied Threat: Communicating a spoken or written threat to damage or compromise a facility/infrastructure.
Flyover: Suspected over flight of a facility/infrastructure; this includes any type of flying vehicle (e.g., airplanes, helicopters, unmanned aerial vehicles, hang gliders).
Materials Acquisition/Storage: Acquisition of unusual quantities of precursor material (e.g., cell phones, pagers, fuel, timers), unauthorized/unlicensed individual/group attempts to obtain precursor chemicals/agents, or toxic materials, and rental of storage units for the purpose of storing chemicals or mixing apparatus.
Acquisition Of Expertise: Attempts to obtain or conduct training in security concepts; military weapons or tactics; or other, unusual, capabilities, such as specialized transport or handling capabilities.
Weapons Discovery: Discovery of weapons or explosives.
Sector-Specific Incident: Actions associated with a characteristic of unique concern to specific sectors (such as the public health sector), with regard to their personnel, facilities, systems or functions.
Recruiting: Building of operations teams and contacts, personnel data, banking data or travel data.
Other: Incidents not fitting any of the above categories.
By the time someone is doing most of these activities, they may have already put an organization together, raised funds, etc. Also, it's possible to put together many elements of an attack without a specific target in mind. In fact, some potential modes of attack, such as a "dirty bomb" attack or some types of biological attacks, wouldn't require access to a particular target. Close enough would do. So the target-centric focus is a bit puzzling. Also, many important activities that would provide good opportunities for detection would fall into just a couple of categories: Acquisition of Expertise and Recruiting.

Everything seems to be there; it just seems odd that the emphasis is on observations that are tied so closely to reconnaissance and/or exploiting the vulnerability of a specific target.
