News | Public Intelligence

DEA Data Shows Drug Cartels Continue to “Operate and Profit” From Marijuana Sales in Legalized Markets

Public Intelligence — Fri, 28 Jul 2017 01:16:52 +0000

A legal marijuana grow in Colorado. Photo Brett Levin/Flickr.

A bulletin from the El Paso Intelligence Center (EPIC) released to law enforcement in February 2017 describes how Mexican transnational criminal organizations (TCOs) are continuing to exploit legalized markets in the U.S. for the sale and distribution of marijuana. In January 2016, EPIC produced a bulletin detailing how “data provided by the Drug Enforcement Administration (DEA) and open source reporting” indicated at the time that Mexican TCOs had not been adversely affected by marijuana legalization in numerous markets, noting instead “that the effort of legalization had conversely brought new opportunities for illicit profits from marijuana sales.” The updated February 2017 bulletin, which was obtained by Public Intelligence, indicates that Mexican TCOs continue to exploit the legalization of Marijuana in these areas, operating in three distinct “co-equal marijuana markets in U.S. legalized states: a legal market; an illegal market, and a black market.”

Based on “analytical exchanges” between DEA and Northwest High Intensity Drug Trafficking Area (HIDTA) analysts, the bulletin states that TCOs are selling illegally grown marijuana in legal markets, including to “proscribed customers, such as children.” In black markets, TCOs are selling illegally grown marijuana at lower prices in an attempt to undercut the profit margins on legally cultivated marijuana. In all three markets, the TCOs are “evading state tax laws” and often utilizing public lands to grow the marijuana before transporting it back to non-legalized state markets. The bulletin provides some specific examples of diversion from legalized markets:

(U//DSEN) In November 2015, DEA reporting indicated that representatives of an unknown TCO were cultivating marijuana at indoor-grow houses in Colorado, and transferring marijuana to Florida, a state with strict medical marijuana requirements that ban recreational use.

(U//DSEN) According federal and state law enforcement reporting, since the legalization of marijuana in Washington State in 2012, Washington State marijuana has been illegally diverted to forty-three states throughout the United States.

(U) According to open sources, throughout 2016 federal agents and state law enforcement officers in Colorado have attempted to curtail illegally grown cannabis, and officials indicate that marijuana is being grown in the state for transfer and sale across the nation.

(U//LES) Analysis of CY2015 seizure incidents on U.S. Interstate highways indicates Colorado State marijuana has been illegally diverted to states where marijuana is illegal .

(U) In January 2017, according to press reporting, federal agents and authorities in El Paso County served several warrants and arrested several individuals in connection with an “out-of-state organization” for illegally growing marijuana outside Colorado Springs, Colorado, and illegally transporting and selling it in Texas, where sales are illegal.

The bulletin concludes by assessing that based on the “developing nature of marijuana legalization” Mexican TCOs will likely “continue to profit from marijuana sales in both legalized and still-illegal state markets.” As legalization leads to more decriminalized markets, EPIC assesses that “rising marijuana demand will continue to encourage TCOs to meet that demand.”

The post DEA Data Shows Drug Cartels Continue to “Operate and Profit” From Marijuana Sales in Legalized Markets first appeared on Public Intelligence.

The 2017 Guide to Detecting Homegrown Violent Extremists

Public Intelligence — Mon, 27 Mar 2017 01:35:22 +0000

A graphic from the 2017 National Counterterrorism Center handbook on indicators of mobilization to violence among homegrown violent extremists depicts a man watching a video of Anwar al-Awlaki.

The National Counterterrorism Center (NCTC) has released a 2017 version of their handbook for spotting indicators of mobilization to violence among homegrown violent extremists (HVEs). The guide was originally intended for distribution among public safety personnel and is not intended for public release, but has since appeared on several publicly accessible law enforcement mailing lists and conference websites. In 2014, the NCTC’s Office of National Intelligence Management formed an Interagency Analytic Focus Group with members from the Department of Homeland Security, Department of Energy, FBI, NSA, as well as representatives of state and local law enforcement. The focus group “collaboratively developed the list of behavioral indicators and ranked them into three tiers of diagnosticity,” eventually developing a list to distribute to law enforcement personnel. The 2017 handbook released by NCTC is a version of that list updated with new indicators observed since the handbook was last published.

Intended to provide “a roadmap of observable behaviors that could inform whether individuals or groups are preparing to engage in violent extremist activities,” the handbook is a slick 36-page publication with colorful graphics depicting dozens of behavioral indicators that an HVE is mobilizing to violence. These behaviors are divided into three groups based on their overall diagnostic capacity. Group A includes indicators that are “very diagnostic on their own” and thus require little else to indicate mobilization to violence. These indicators include “preparing or disseminating a last will or martyrdom video/statement” as well as “planning or attempting to travel to a conflict zone to fight with or support an FTO.” Group B includes indicators that are “moderately diagnostic, more so when observed with other indicators.” These include more common activities that may not directly indicate an imminent threat of violence, such as “posting terrorist icons/flags/prominent figures to social media” and “expressing acceptance of violence as a necessary means to achieve ideological goals.” Group C includes indicators that are even more common and thus are “minimally diagnostic on their own,” requiring the “presence of other indicators to gain diagnosticity.” This group includes “unusual purchase of military style tactical equipment” and “blaming external factors for failure in school, career, or relationships.”

A graphic depicting the scale of threat levels assigned to various behavior indicators of mobilization to violence among HVEs.

The guide also introduces a scale for evaluating the overall threat level of indicators by ranking: how diagnostic they are in positively identifying mobilization to violence; how dependent they are on other indicators to positively diagnose mobilization; how easily observable the indicators are; as well as whether the indicators present a long-term, near-term, or imminent concern. For example, someone “disseminating a last will or martyrdom video/statement” is ranked as highly diagnostic, independent of other indicators, and observable, presenting an imminent concern. An indicator like “surveilling potential targets” is moderately diagnostic and observable, but is highly dependent on other indicators and only presents a near-term concern.

While some of the initial indicators in Group A seem plainly apparent as being indicators of mobilization towards violence, many indicators in the Group B and C are broad and at times confusing in their origin. One indicator in Group C is “inappropriate use of what an individual perceives as ‘doctrine’ to manipulate the behavior of parents, co-workers, close friends and family.” The guide offers examples of this indicator including “criticism of parents’ clothing choices, reading material choices, musical preferences, religious practices, interfaith friendships.” Another broad indicator in Group B is “use of encrypted media applications to engage with unknown overseas individuals.” Several indicators in Group C also relate to communications privacy, such as “utilizing communication security techniques” and “discussing operational security.” Many of these indicators are rated as being dependent upon other evidence “pointing to terrorism and intent to take violent action” and the guide makes clear that “many of these signals or indicators—some of which might involve constitutionally protected activities—may be insignificant on their own.” If any public safety personnel receiving the guide “reasonably believes” based on the information contained in the guide “that an individual may be mobilizing to violence “they are encouraged to “inform LE agencies with investigative authorities via mechanisms like E-Guardian or Suspicious Activity Reporting.”

The post The 2017 Guide to Detecting Homegrown Violent Extremists first appeared on Public Intelligence.

Feds Say Homegrown Terrorists Increasingly Prioritizing Civilian Targets

Public Intelligence — Mon, 03 Oct 2016 01:39:05 +0000

A chart from the August 2016 bulletin issued by the Department of Homeland Security, FBI, and National Counterterrorism Center (NCTC) shows the increasing number of plots focusing on civilian targets.

A joint intelligence bulletin issued in late August by the Department of Homeland Security, FBI, and National Counterterrorism Center (NCTC) assesses that homegrown violent extremists (HVEs) are “increasingly favoring civilian targets” as part of a wider “variety of targeting choices.” Previous assessments have found that HVEs are most likely to prioritize attacks on “law enforcement personnel, military members, and US Government-associated targets.” However, a recent shift towards civilian targets has likely been driven by the accessibility of “soft targets” that are often less secure than government facilities and provide greater opportunities for conducting mass casualty attacks.

Over the last year, seventy-seven percent of the “thirteen HVE attacks and disruptions . . . focused on civilian targets, in contrast to eleven percent of the eighteen HVE attacks and disruptions in the first seven months of 2015.” Three separate HVE plots in 2016 targeted religious institutions, the “first such cases since a 2009 plot against a New York-based synagogue” according to the bulletin. Since 2015, HVEs have “plotted against or attacked restaurants, a nightclub, a concert, a public ceremony, a place of employment, and a college classroom, demonstrating the variety of targeting choices.” The bulletin was issued prior to the recent bombings in New York and New Jersey which also targeted civilian locations including a train station, charity race, and numerous public streets.

The bulletin states that a combination of factors ranging from “perceived lower levels of security” as well as “violent extremist messaging glorifying recent attacks on civilians” have motivated this shift in tactics. The bulletin also highlights a newer trend which has led HVEs to select “familiar targets of personal significance to simplify plotting,” often capitalizing on preexisting grievances or a desire for revenge. This is particularly relevant to cases such as the December 2015 attack on the Inland Regional Center in San Bernardino, during which Syed Rizwan Farook and his wife Tashfeen Malik killed fourteen people at a training event and Christmas Party hosted by the San Bernardino County Department of Public Health. Farook, who worked for the county as a health inspector, had been attending the event earlier in the day prior to conducting the attack. In another example cited in the bulletin, an eighteen-year-old freshman at the University of California at Merced named Faisal Mohammad stabbed a classmate and three other individuals at the college before being shot by a campus police officer. The FBI later stated that Mohammad had been viewing extremist material online and they believe the attack was inspired by the Islamic State of Iraq and the Levant (ISIL).

To help prevent HVE attacks, the bulletin recommends that state and local authorities be vigilant and “report suspicious activities related to potential mobilization to violence in the Homeland by US-based individuals inspired by foreign terrorist organizations.”

The post Feds Say Homegrown Terrorists Increasingly Prioritizing Civilian Targets first appeared on Public Intelligence.

DHS Report Finds “Immeasurable Vulnerabilities and Attack Vectors” Against U.S. Critical Infrastructure

Public Intelligence — Wed, 06 Jul 2016 02:35:46 +0000

A screenshot released by the security company Kaspersky shows a malicious Microsoft Word document similar to one used by hackers in an December 2015 attack against the Ukrainian energy sector. The attack disrupted more than 200,000 customers and affected dozens of substations.

A Department of Homeland Security assessment released in April states that critical infrastructure throughout the U.S. faces “immeasurable vulnerabilities and attack vectors” due to the increasingly prominent role of information and communication technology (ICT) in critical infrastructure sectors. The strategic risk assessment, authored by the Office of Cyber and Infrastructure Analysis within DHS, was obtained by Public Intelligence and describes the “convergence of cyber and physical domains” as a strategic threat to the nation’s infrastructure.

As ICT is increasingly depended upon in “all 16 critical infrastructure sectors,” there is an “inherent reliance on a network connection for functionality” that “creates numerous vulnerabilities” and makes “universal security extremely difficult and improbable, allowing cyber attackers to more easily exploit critical infrastructure.” These vulnerabilities are also expected to affect the growth of smart cities and other developments related to the internet of things (IoT). DHS cites a report estimating the smart cities market to be valued at $392 billion by 2019 and estimates that in five years 26-50 billion IoT devices to exist. Warning that the growth of these technologies advantages comes with “inherent vulnerabilities,” DHS states that billions of “interconnected IoT devices creating, transmitting, and storing data will result in ‘data exhaust,’ which allows threat actors to gain significant insights into sensitive information such as telemetry, voice, video, health, and infrastructure component status data.” Moreover, failures of “critical infrastructure IoT devices” could result not just in “economic loss through lost productivity and damage to the national economy,” but also “adversely affect public safety through physical infrastructure damage or catastrophic infrastructure failure.”

Industrial control systems (ICS), such as supervisory control and data acquisition (SCADA) systems, that are connected to cloud infrastructure are also cited as a growing concern as “cloud providers are generally not prepared or equipped” to address many of the specialized security needs of these systems. The report states that the “compromise of critical infrastructure SCADA systems that are connected to cloud infrastructure could have a direct physical effect on human life.” However, the threat to ICS extends far beyond cloud security issues with more than 245 cyber-related incidents in FY2014 according to the Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT). Techniques used in these incidents included “access and exploitation of Internet facing ICS and SCADA devices, exploitation of zero-day vulnerabilities in control system devices and software, malware infections within air-gapped control system networks, Structured Query Language injection and application vulnerability exploitation, network scanning and probing, lateral movement between network zones, targeted spear-phishing campaigns, and strategic Website compromises (a.k.a. watering hole attacks).”

Similar concerns were expressed in a January 2016 intelligence assessment issued by DHS which found that nation-state cyber actors are actively “targeting US energy sector enterprise networks” to maintain “persistent access to facilitate the introduction of malware” in the event of “hostilities with the United States.” While the assessment states that this activity is focused primarily on “data theft” as well as “accessing and maintaining presence on ICS” networks and systems, the report uses unusually blunt language to describe how this kind of access would likely be used as “part of nation-state contingency planning” only to be “implemented to conduct a damaging or disruptive attack in the event of hostilities with the United States.” In December 2015, a coordinated attack on the Ukrainian energy sector demonstrated just how damaging this sort of access to ICS infrastructure can be, resulting in the loss of power for more than 225,000 customers and the disruption of at least fifty regional substations. The attack is described in the DHS assessment as “consistent with our understanding of Moscow’s capability and intent, including observations of cyber operations during regional tensions.”

The post DHS Report Finds “Immeasurable Vulnerabilities and Attack Vectors” Against U.S. Critical Infrastructure first appeared on Public Intelligence.

Nation-State Cyber Actors Focused on “Maintaining Persistent Access” to U.S. Energy Infrastructure

Public Intelligence — Mon, 04 Apr 2016 01:39:05 +0000

Damaging cyber attacks against the U.S. energy infrastructure do not currently pose a significant threat according to an intelligence assessment released by the Department of Homeland Security and Industrial Control Systems Computer Emergency Response Team (ICS-CERT) in January. While cyber actors backed by a number of nation-states are actively “targeting US energy sector enterprise networks,” these activities are focused primarily on supporting cyber espionage activities to acquire and maintain “persistent access to facilitate the introduction of malware” in the event of “hostilities with the United States.”

The restricted DHS assessment titled “Damaging Cyber Attacks Possible but Not Likely Against the US Energy Sector” was obtained by Public Intelligence and reveals that at least seventeen intrusions against the U.S. energy sector were traced back to APT actors in FY 2014. The attacks never resulted in damage or disruption, but were instead focused on “data theft from enterprise networks” and “accessing and maintaining presence on ICS” networks and systems. One example cited in the assessment is a piece of malware called Havex that was “likely developed by Russian state-sponsored cyber actors.” The existence of the malware was first disclosed in a June 2014 blog post by Finnish security firm F-Secure which described how the remote access tool (RAT) was being used as part of an industrial espionage campaign. DHS states that this campaign dates back to 2011 and that while the “main function is to gather information,” Havex can also run “specialized plug-ins for additional capabilities.”

The assessment also mentions an attack on the Ukrainian energy sector in December 2015 that resulted in at least 80,000 customers losing power for up to six hours. At the time the assessment was written, ICS-CERT stated that they were “unable to confirm” the event was triggered by cyber means, but that a sample of the malware provided by the Ukranian Government had the capability to “enable remote access and delete computer content, including system drives.” While DHS does not attribute the attack to any specific cyber actor, the assessment states that the attack is “consistent with our understanding of Moscow’s capability and intent, including observations of cyber operations during regional tensions.”

A month after the DHS assessment was published, ICS-CERT released an alert describing the attack in much greater detail and relaying the findings of a team that included representatives of the U.S. Computer Emergency Readiness Team (US-CERT), Department of Energy, FBI and North American Electric Reliability Corporation. The alert increased the number of those affected by the attack to more than 225,000 customers, noting that the attack was “reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks.” The attackers reportedly “acquired legitimate credentials and leveraged valid remote access pathways” to cause 50 regional substations to experience “malicious remote operation of their breakers conducted by multiple external humans.”

ICS-CERT also released a restricted version of the alert marked For Official Use Only that included non-public details and analysis of the vulnerabilities exposed by the attack. An updated version of the restricted alert from March was also obtained by Public Intelligence and states that “critical infrastructure [industrial control system or ICS] networks, across multiple sectors, are vulnerable to similar attacks.” ICS-CERT argues that the “incident highlights the urgent need for critical infrastructure owners and operators across all sectors to implement enhanced cyber measures that reduce risks” that could result from the use of a number of different techniques that were employed by the attackers, including:

• Theft of legitimate user credentials to enable access masquerading as approved users,
• Leveraging legitimate remote access pathways (VPNs),
• The remote operation of human-machine interface (HMI) via company installed remote access software (such as RDP, TeamViewer or rlogin)
• The use of destructive malware such as KillDisk to disable industrial control systems (ICSs) and corporate network systems
• Firmware overwrites that disable/destroy field equipment
• Unauthorized scheduled disconnects of uninterruptable power supplies (UPS) to devices to deny their availability
• The delivery of malware via spear-phishing emails and the use of malicious Microsoft Office attachments
• Use of Telephone Denial of Service (TDoS) to disrupt operations and restoration.

During the attacks, “remote human operators” accessed the workstations of dispatchers at the facilities using legitimately installed tools for remote access. They used this access to trip the breakers, change the passwords for key systems, corrupt firmware of serial-to-ethernet converters used for substation communication and leverage backup battery systems to trigger shutdowns of connected servers and devices. In one instance, the attackers used an uninterruptible power supply (UPS) to target an internal telecommunications server which cut off “all internal communications with regional offices and distribution substations.”

Despite the risks demonstrated in the Ukrainian attack, the DHS assessment from January tries to downplay the threat posed by state actors, noting that 63 percent of malicious cyber activity in FY 2014 was “unattributed, low-level activity” related to cybercrime using methods such as ransomware and denial-of-service attacks. The assessment’s authors also include a section criticizing the media’s over-hyping of cyber attacks and cyber warfare as leading to “misperceptions about the cyber threat to the US energy sector.” The term “cyber attack” is often used by the media and private sector to refer to incidents and activities that are not necessarily intended to “cause denial, disruption, destruction, or other negative effects” which would better be described as “cyber espionage, and even low-level, untargeted incidents of cybercrime.” The assessment even speculates that overuse of the term could lead to “alarm fatigue” which could lead to less reporting of incidents and longer response times.

The post Nation-State Cyber Actors Focused on “Maintaining Persistent Access” to U.S. Energy Infrastructure first appeared on Public Intelligence.

DHS Report Details “Persistent” Cyber Targeting of Police, Emergency Services

Public Intelligence — Tue, 23 Feb 2016 02:22:34 +0000

A clip from a local television station in Montana shows an emergency alert that was generated by “unknown attackers” in February 2013. The attackers used default credentials to broadcast false emergency messages stating that the “bodies of the dead are rising from their graves and attacking the living.” Similar messages aired in several other states where similar systems were compromised by the attackers.

Cyber attacks against law enforcement, fire departments and other emergency services have become increasingly common and are likely to increase according to a recent intelligence assessment prepared by the Department of Homeland Security and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The assessment, which was distributed to law enforcement in September 2015 and was obtained by Public Intelligence, reviewed a number of “cyber attacks against the [emergency services sector or ESS] between February 2012 and May 2015,” finding that “targeting of the ESS will likely increase as ESS systems and networks become more interconnected and the ESS becomes more dependent on information technology for the conduct of daily operations—creating a wider array of attack vectors for cyber targeting.” Recent incidents involving the use of telephony-denial-of-service (TDoS) attacks, ransomware as well as the exploitation of “critical hardware and software” including call-center communications-management software, closed-circuit TV camera systems, interactive voice response systems, and emergency alert systems are detailed in the assessment.

DHS and MS-ISAC assess that the “most prominent cyber actors targeting the ESS” are “criminal hackers” who have engaged in “numerous attacks against state and local networks, particularly law enforcement, in response to perceived social and legal injustices” and are “prone to announcing attacks to increase visibility and support for their cause.” The assessment defines “criminal hackers” as “individuals or groups that commit a crime by illegally accessing or altering systems, often in furtherance of an ideological goal.” The use of the term “criminal hackers” marks a departure from previous law enforcement bulletins which have used the terms “hacktivists” or “hacker groups” to describe ideologically-motivated cyber actors. The term is also used in an FBI bulletin released in May 2015 titled “Criminal Hackers Target Police to Protest Perceived Injustices.” The assessment distinguishes between these criminal hackers and “cybercriminals” who “carry out illegal activities on computer networks, such as carding schemes, ransom and extortion, theft of personally identifiable information, and account information to facilitate fraud.”

Criminal hackers “gain support for their political agenda—or to exact retribution for perceived social or legal injustices—have shown repeated interest in targeting the ESS” as is “evidenced by the numerous attacks against state and local networks, particularly law enforcement, in response to perceived social and legal injustices.” However, DHS and MS-ISAC assess that their capabilities are not particularly sophisticated, limiting them to “low-level cyber operations, such as [denial of service or DoS] attacks, website defacements, and doxing (publishing of personally identifiable information), often attacking targets of opportunity.” These low-level operations have proliferated in recent years, particularly in response to increased political controversy surrounding police brutality and excessive use of force. The assessment also discusses several examples of these operations, often involving DoS attacks or doxing, including a series of DoS attacks conducted by the hacker collective Anonymous against the City of Madison, Wisconsin in 2014 to protest an officer-involved shooting. The attack reportedly “affected some police, fire, and medical dispatch services; as well as city government Internet and e-mail communications, and online payment services.”

Though so-called “criminal hackers” are the most prominent cyber actors in DHS and MS-ISAC’s assessment, cybercriminals working for financial gain pose a “persistent threat” and have launched attacks significantly impacting ESS operations.

In May 2015, a Nevada county sheriff’s department and a Wisconsin police department were victims of a ransomware attack that encrypted both departments’ shared folders. MS-ISAC later determined that the intrusions occurred as a result of visits to a legitimate website which had been compromised.
A city in Southern California and several local public-safety agencies were hit by ransomware in June 2014. The compromise affected 100 computers and 10 servers.
A fire department in Northern California and a law enforcement agency in Southern California were infected by ransomware resulting in the compromise of one computer and one server in each location, making vital information unavailable.
In 2013, telephony denial of service (TDoS) attacks affected approximately 600 critical government phone systems nationwide, including 200 public-safety answering points (PSAPs). After several days, the attackers reportedly requested $5,000 to cease the attacks.

The post DHS Report Details “Persistent” Cyber Targeting of Police, Emergency Services first appeared on Public Intelligence.

DEA Report Details Philadelphia’s Growing Drug Overdose Problem

Public Intelligence — Mon, 04 Jan 2016 02:38:24 +0000

A nasal spray kit for Narcan, also called Naxolene, a drug that can be used to reverse the symptoms of acute opioid overdose. The photo is taken from a handout produced by the Delaware Valley Intelligence Center.

Since 2009 Philadelphia has seen a 43 percent increase in drug-related overdose deaths, helping to make Pennsylvania the nation’s leading state for drug overdose death among young men. Over the same period, the city has seen a 45 percent increase in overdose deaths where heroin was present in the individual’s system. While heroin is still the primary source of drug overdose deaths, the city is also seeing a significant increase in deaths related to prescription drug abuse, particularly opioids. Deaths related to Fentanyl, an extremely potent prescription painkiller, have increased more than 300 percent between 2013 and 2014.

Using data provided by the Philadelphia Medical Examiner’s Office, the DEA’s Philadelphia Field Division issued a report in July analyzing overdose deaths for the years 2013 and 2014. The report which, was obtained by Public Intelligence, showed a 33 percent increase in drug-related overdose deaths in the city between 2013 and 2014. Nearly two-thirds of those that died were male and the average age was 42 years old. The largest number of deaths occurred in the 46-60 age group. The deaths are also highest among whites, which accounted for approximately 60 percent of overall deaths in 2013 and 2014.

A chart showing the number of deceased individuals in Philadelphia in 2013 and 2014 that tested positive for opioids other than heroin.

The increasing abuse of prescription painkillers has led to a significant increase in heroin-related deaths. The DEA report states that the “widely reported trend of prescription opioids abusers switching to heroin, with deadly results, is supported by the stability in toxicology test results for the opioids oxycodone and hydrocodone, while heroin-positive results increased substantially during the reviewed years.” However, the number of deaths where prescription opioids are a factor has also increased significantly. The presence of oxymorphone, marketed under the name Opana, increased 42 percent from 2013 to 2014 which supports “law enforcement reporting indicating that Opana is increasingly popular and sought after by prescription drug abusers in Philadelphia.” Likewise, the more than 300 percent increase in deaths where fentanyl was present in the decedent’s system demonstrates the highly increased “potential for overdose and death” due to the drug’s increased availability.

The DEA says the data “paints a clear and chilling picture of the impact of drug abuse in Philadelphia, especially related to heroin and fentanyl.” The report also praised the recent passage of legislation in Pennsylvania allowing for law enforcement officers, fire fighters and EMS personnel to administer naloxone, also called Narcan, a drug which can reverse the symptoms of an opioid overdose. A September 2015 report from the Delaware Valley Intelligence Center that was also obtained by Public Intelligence shows the statistics for Narcan administrations in Philadelphia between January and June of last year. Narcan administration numbers can indicate the locations of “abuser populations” and also indicate areas where law enforcement should focus their attention.

A map showing the total number of Narcan administrations in Philadelphia between January and June 2015.

During the period analyzed, Narcan was administered in every zip code in Philadelphia excluding one small area south of the Wells Fargo Center and Lincoln Financial Field. Many of the neighborhoods surrounding North Philadelphia saw the most administrations of Narcan, including one near Port Richmond that had 253 administrations during the period. The second highest zip code only had 92 administrations during the same period. The DEA hopes that this will reduce the number of overdose deaths, however, it notes that “although the number of fatal overdoses will fall, the rate of abuse will not be impacted without continued joint law enforcement and public health efforts to address supply and abuse.”

The post DEA Report Details Philadelphia’s Growing Drug Overdose Problem first appeared on Public Intelligence.

FBI Finds “Minimal Correlation” Between Suicide Vests Used in Middle East and Europe

Public Intelligence — Wed, 16 Dec 2015 03:11:06 +0000

Images of suicide vests and belts from an FBI’s intelligence note released after the November 2013 .

An analysis of recent suicide bombings throughout the Middle East, Europe and Africa by the FBI Terrorism Explosive Device Analytical Center (TEDAC) that was released after the terrorist attacks in Paris, France last month states that “suicide vest and belt improvised explosive devices (IEDs) in the Middle Eastern, African, and European regions likely . . . have minimal correlation” and do not indicate tactical migration.

Following the attacks in Paris, which featured seven separate suicide bombings, media coverage has focused on the prominent use of suicide vests as indicative a tactical shift for the Islamic State of Iraq and the Levant (ISIL). Though there are past examples of suicide attacks inside Europe, such as the 2005 London bombings, the use of suicide vests in the Paris attacks has been said to represent an entirely new type of threat, a tactic once relegated to the battlefields of Iraq and Syria now appearing in European cities. However, an External Intelligence Note issued by TEDAC on November 17 titled “Suicide Vest and Belt Improvised Explosive Device Tactics in the Middle Eastern, African, and European Regions Show Minimal Signs of Tactic Migration” and obtained by Public Intelligence presents a different view, attributing the tactical similarities to factors such as “available materials, training, and local or national counter-IED policies.”

While TEDAC would normally assume that “similarities between suicide vests and belts from different regions likely indicate common training or common IED facilitators,” the intelligence note states that these similarities “may be a product of independent open source research, thus resulting in a false link between devices and subjects.” Moreover, the similarities may “indicate tactic or construction influences” based on the nature of the devices and access to required materials. Similarities can include everything from “overall IED construction, wiring techniques, common explosives, initiators, switches, electronic diagrams, enhancements, and employment.”

When broadly examined, the types of “suicide vests and belt IEDs observed in each region” covered in the intelligence note “differ broadly in many characteristics, resulting in an inconclusive determination that the suicide vest and belt IEDs prevalent in any one area translate to tactic migration.”

A study by the Institute of National Security Studies found that there were approximately 370 suicide bombings in the Middle East region in 2014 claiming the lives of over 2,700 victims. Iraq, Yemen, Lebanon and Libya all saw a significant increase in the use of the tactic over the previous year. Prior to the attacks in Paris, suicide bombings in Europe have been primarily limited to Turkey and Russia.

	Middle East	Europe	Africa
Common explosives used in suicide vests/belts	triacetone triperoxide (TATP), trinitrotoluene (TNT), Semtex, C4, Research Development Formula X (RDX), and pentaerythritol tetranitrate (PETN)	TNT and C4	RDX, Ammonium Nitrate, and Urea Nitrate

The intelligence note takes several quotes from an interview conducted by Der Spiegel with a captured ISIL leader named Abu Abdullah discussing the group’s target selection process and methods for constructing suicide vests. He describes how he used “explosive fill removed from artillery shells for car bombs” and “drilled open the shells of anti-aircraft guns to construct suicide belts because he believed the effect of the powder was more intense.” According to the interview, he would receive a potential bombers’ measurements in “advance from the leadership in order to be able to make a well-fitting belt” and “always had belts in different sizes prepared.”

Explosive vests in Yemen have also included similar design elements. A suicide bomber tied to Al Qaeda in the Arabian Peninsula (AQAP) was killed in July 2015 by Houthi forces prior to detonating his vest, allowing for forensic analysis. The device featured “dual grenade-pin detonators, a main charge wrapped with sheets of ball bearings, and detonation cord that was placed inside a pouch around the bomber’s waist.”

Similar to the Middle East, bombings in Turkey have often used either C4 or trinitrotoluene (TNT) in suicide vests. Vests used in the Middle East often included other high-powered explosives such as Semtex or Research Development Formula X (RDX) or triacetone triperoxide (TATP), the explosive that was reportedly used in the vests detonated during the Paris attacks.

The post FBI Finds “Minimal Correlation” Between Suicide Vests Used in Middle East and Europe first appeared on Public Intelligence.

The Dangers of Traveling Overseas to Fight Against the Islamic State

Public Intelligence — Mon, 05 Oct 2015 01:44:46 +0000

Foreign fighters are pouring into Iraq and Syria from all over the world to take up arms with the Islamic State (ISIL). Recent reports have estimated that as many as 30,000 foreign fighters may be fighting in Iraq and Syria and that they are flowing in at a rate of nearly 1,000 new recruits a month. However, a recently emerging phenomenon of Western individuals, primarily veterans, returning to Iraq and Syria to fight against ISIL forces has only recently begun to receive significant media attention. No one has a precise number on how many Westerners are actually fighting in the conflict against ISIL, though estimates often place the number somewhere around 100-130 foreign fighters.

Seeing this increasing trend, the Department of Homeland Security, National Counterterrorism Center and FBI released a joint intelligence bulletin in late July warning of the dangers in traveling overseas to fight against ISIL forces. The bulletin titled “Risks for US Persons Traveling to Combat the Islamic State of Iraq and the Levant” was obtained by Public Intelligence and discusses the “emerging trend of US persons traveling to combat ISIL.”

The bulletin states that a “number of US persons have traveled to Syria or Iraq of their own volition to combat ISIL over the past year, according to media interviews granted by these individuals” which “underscores a recent broader trend of Westerners mostly joining Kurdish forces and likely motivated by ISIL’s indiscriminate killing of civilians, aid workers, and journalists, as well as a desire to protect civilians, among other reasons.”

The bulletin notes that many of the “identified US persons do not appear to have ethnic or family ties to Syria or Iraq” and that the trend will likely continue “given the group’s ongoing atrocities, the publicity that US anti-ISIL fighters have received, the perception among some US persons that regional groups confronting ISIL need their help, and the prevalence of social media tools to facilitate communication and travel with anti-ISIL groups in the region.”

People’s Protection Units

The majority of U.S. and European individuals that have traveled to Iraq and Syria to fight against ISIL have joined Kurdish forces. Some have elected to fight alongside the Peshmerga, the forces of Iraqi Kurdistan, while many others have joined the YPG, also known as the People’s Protection Units of Syrian Kurdistan. The YPG has a robust online recruitment effort complete with a website providing useful information on what to expect when fighting alongside Kurdish forces and interviews with foreign fighters that have successfully made the journey to Syria. Their Facebook page The Lions of Rojava has more than 30,000 likes and features many pictures of Western fighters along with other promotional items.

A photo from Jordan Matson’s Facebook page. Matson, second from the right, is one of a number of foreign fighters that have joined with Kurdish forces to fight against ISIL.

One fighter who has received significant media attention after joining the YPG is Jordan Matson, a 28-year-old man from Wisconsin who previously served in the U.S. Army. Matson reportedly worked as a delivery driver for several months to save money prior to heading to Turkey in September 2014 to meet with Kurdish forces. He was eventually escorted by a YPG representative into Iraq and posed as a doctor to get into Syria. He has documented his journey on Facebook which contains dozens of photos of Matson with other Kurdish fighters. In an interview with USA Today, Matson said that he is not paid for his efforts but that the Kurds “treat me like family.” They provide little in the way of supplies and are their ranks are often made up of young men and women with minimal training. “Sometimes it’s just kids. That’s the way it is. I have a Kalashnikov and that’s it.”

An image of Keith Broomfield distributed by the YPG.

In June, a 36-year-old from Massachusetts named Keith Broomfield was killed near Kobani, Syria while fighting with the YPG. Broomfield is believed to be the first U.S. citizen killed while fighting with the Kurds against ISIL. According to his father, Broomfield had gotten into trouble in his younger years and straightened his life out after finding religion. He “believed it was God’s will that he go help the suffering Kurds.” Broomfield’s brother said that “He knew the risk. He understood those. He believed in opposing evil, which I believe in, too.” After his death, his sister posted a message on Facebook stating that “My brother died to defend my sisters who are being sold, enslaved, raped and murdered. To defend my brothers who are shot beheaded and dumped into piles off trucks.”

The joint intelligence bulletin issued by DHS, FBI and NCTC describes Broomfield’s death as underscoring the “risks of traveling to join anti-ISIL groups” which include “dying in accidents or being captured in combat.” The bulletin adds that “ISIL almost certainly would seek to use captured US persons in its messaging videos, as it has done with captive Western journalists, aid workers, and coalition military personnel.”

ISIL Social Engineering

Due to the online recruitment efforts of Kurdish forces, one particular concern that is repeated numerous times in the joint intelligence bulletin is that individuals wishing to join the fight against ISIL are vulnerable to social engineering. “Violent extremist hackers have commonly used various forms of social engineering to obtain information about their adversaries” and ISIL supporters in other countries “could use these techniques against US persons who express on social media a desire to travel to join anti-ISIL groups.” The bulletin cites an incident in November 2014 where a Syrian civil rights group received an email claiming to be from Canadian activists and identifying the location of ISIL strongholds. Instead, a link in the email led to “malware intended to collect the victim’s IP address and other system information to determine a victim’s physical location.”

The threat posed by social engineering is heightened due to the fact that “those with former US military affiliations may be more desirable targets for ISIL, particularly in light of ISIL’s September 2014 call for attacks against members of the military, law enforcement, and government personnel; a message the group continues to emphasize.” Moreover, the FBI has received “reporting indicating individuals located overseas are spotting and assessing like-minded individuals in the United States who are willing and capable of conducting attacks against current and former US-based members of the US military.” An FBI alert from early July reported that two Middle-Eastern men approached the wife of US service member in Colorado and asked if she was the “wife of a US interrogator.” The men laughed when she denied this and “left the area in a dark-colored, four-door sedan with two other Middle-Eastern males in the vehicle.” The alert added that similar “incidents in Wyoming have been reported to the FBI throughout June 2015” where “family members of military personnel were confronted by Middle-Eastern males in front of their homes” who attempted to “obtain personal information about the military member and family members through intimidation.”

The joint intelligence bulletin ends with a statement that “FBI, DHS, and NCTC urge vigilance and advise individuals who express anti-ISIL sentiment publicly—current and former military members in particular—to review their online social media accounts for any information that might serve to attract the attention of violent extremists, and to exercise operational security in their interactions online.” It also advises that anyone planning to go to the region “regardless of their intent or motivation, should be aware of the limited consular access in Syria and Iraq, the potential to inadvertently violate US or Iraqi law, and the increased likelihood of being targeted by violent extremist groups, including but not limited to ISIL.”

The post The Dangers of Traveling Overseas to Fight Against the Islamic State first appeared on Public Intelligence.

Transitioning PGP Keys

Public Intelligence — Sun, 20 Sep 2015 02:00:48 +0000

We are transitioning PGP keys in conjunction with the establishment of new security procedures. The following is our key transition statement signed with our new key. You can download a copy of the new key here. You can also download a copy of the transition statement below signed with our new key as well as a copy of the statement signed with our old key.

The post Transitioning PGP Keys first appeared on Public Intelligence.

DHS, CIA Provide Glomar Responses to FOIA Requests on Public Intelligence

Public Intelligence — Mon, 20 Jul 2015 02:13:56 +0000

The USNS Hughes Glomar Explorer (T-AG-193), now known as the GSF Explorer, from which the so-called “Glomar response” derives its name.

The Central Intelligence Agency (CIA) and Department of Homeland Security Office of Intelligence and Analysis (I&A) have both responded to recent requests under the Freedom of Information Act (FOIA) for all records “related to or mentioning the website Public Intelligence” with a Glomar response, refusing to admit the existence or nonexistence of records related to the request.

The response from I&A states that the request is denied specifically pursuant to Title 50 US Code § 3024(i) and 6 U.S.C. § 121(d)(11), two statutes protecting intelligence sources and methods. The denial states that “the fact of the existence or nonexistence of records pertaining to your request would be exempted from disclosure pursuant to the third exemption of the Freedom of Information Act (FOIA)” and though specific statutes are cited “I&A neither confirms nor denies that such records may or may not exist.”

The response from CIA states that the request is denied due to section 102A(i)(1) of the National Security Act of 1947 as well as section 6 of the CIA Act of 1949. Section 102A(i) of the National Security Act of 1947 as amended requires the Director of National Intelligence to protect “intelligence sources and methods from unauthorized disclosure.” Section 6 of the CIA Act of 1949 as amended references section 102A(i)(1) of the National Security Act and further affirms that the Agency is exempt from the “provisions of any other laws which require the publication or disclosure of the organization, functions, names, official titles, salaries, or numbers of personnel employed by the Agency . . .” In 2010, John Young of Cryptome previously requested information on himself and his website and received a nearly identical response citing the same statutes.

A “Glomar response” is generally provided when an agency’s denial of a request would indicate that records pertinent to the request do, in fact, exist and thus expose either classified information or impact an individual’s privacy. For example, the Department of Justice Office of Information Policy states that a “FOIA request seeking records which would indicate that a particular political figure, prominent businessman or even just an ordinary citizen has been the subject of a law enforcement investigation may require an agency to flatly refuse to confirm or deny whether such records exist.” This is also true if the records in question are properly classified as “confirmation or denial of the existence of responsive records would, in and of itself, reveal exempt information.”

The “Glomar response” takes its name from the U.S. Navy Ship Hughes Glomar Explorer, a vessel built by Howard Hughes for his company Global Marine Development Inc. Though the ship was ostensibly a marine research vessel, it was actually built on behalf of the CIA for an operation called Project Azorian that was focused on salvaging a Russian submarine that had sunk in the middle of the Pacific Ocean in 1969. After news stories that exposed the operation appeared in both the Los Angeles Times and New York Times in 1975, journalists for both publications revealed that the CIA had made significant efforts to prevent the stories from being published. A journalist named Harriet Ann Phillippi filed a request for records related to the Agency’s censorship attempts and was provided a response that read “in the interest of national security, involvement by the U.S. Government in the activities which are the subject matter of your request can neither be confirmed nor denied.”

The post DHS, CIA Provide Glomar Responses to FOIA Requests on Public Intelligence first appeared on Public Intelligence.

The Increasing Sophistication and Legitimacy of the Islamic State

Public Intelligence — Tue, 23 Jun 2015 02:47:42 +0000

The Islamic State of Iraq and the Levant (ISIL) has become the preeminent terror group among U.S.-based extremists according to an assessment authored by the Department of Homeland Security and more than a dozen state and local fusion centers. Individuals determined to fight “overseas in a Muslim-majority country” or conduct attacks domestically will be “more likely to derive inspiration from ISIL than [al-Qaeda] or any of its affiliates” as long as ISIL can maintain its “current level of perceived legitimacy and relevancy.” This assessment of ISIL’s increasing popularity among domestic extremists is the focus of a ten page Field Analysis Report obtained by Public Intelligence titled Assessing ISIL’s Influence and Perceived Legitimacy in the Homeland: A State and Local Perspective. Drawing on suspicious activity reports from around the country as well as intelligence reporting from DHS and the Bureau of Prisons, the report finds that ISIL’s military successes in Iraq and Syria along with the group’s self-proclaimed re-establishment of the caliphate have captured the attention of violent extremists likely to buy in to its “violent extremist counterculture.”

While this may mean that more “lone offender” attacks against U.S. targets are on the way, an assessment from the DHS Office of Intelligence and Analysis sees more sophisticated plots on the horizon. Focusing on a plot disrupted in January 2015 by Belgian authorities in which “a large group of terrorists possibly operating under ISIL direction” were found to have stockpiled explosive precursors and sophisticated weaponry, DHS concludes that the group may have “developed the capability to launch more complex operations in the West.” The assessment titled Future ISIL Operations in West Could Resemble Disrupted Belgian Plot was released to law enforcement last month and was also obtained by Public Intelligence.

An Increase in Suspicious Activity

In the second half of 2014, the volume of ISIL-related suspicious activity reports that were received by state, local and federal authorities “increased sharply,” indicating a trend that “signifies a penetration of ISIL’s messaging into the Homeland.” This increase coincides with the group’s recent military successes including “rapid territorial gains” and the “self-declared re-establishment of a caliphate.” ISIL has also rapidly expanded its English-language messaging to include armies of social media accounts, elaborate and gruesome videos as well as an English-language magazine that highlights life inside of the Islamic State, including “government services” such as “banking, health care and education.” Previous assessments from DHS have noted the “savvy” use of media by ISIL, though the Field Analysis Report studying the group’s legitimacy focuses on the activity this messaging has inspired domestically. According to the report, graffiti, symbols, paraphernalia and other ISIL-related imagery has been reported to law enforcement throughout the U.S. Personnel at Marine Corps Base Quantico reportedly discovered leaflets with an ISIL banner discussing “coming from Mexico on a train.” Small ISIL flags were found on the windshields of vehicles in a residential neighborhood in Falls Church, Virginia. ISIL stickers have also been reported on highway signs and other public structures in Arizona, Nevada and Texas.

Though suspicious activity reports related to ISIL have increased significantly, many of the reports are likely not a legitimate indicator of ISIL activity. In preparing their Field Analysis Report, fusion center personnel reviewed a number of incidents that resulted in suspicious activity reports being filed into the national Information Sharing Environment and found that half of those were based on anonymous tips “that were likely not credible.” These reports often described “aspirational threats of violence against family or friends, where ISIL-affiliation appeared to be used only as a means to intimidate the victim(s).” The other incidents reviewed, “most of which . . . were also likely not credible” related to public threats against political targets. These include threats made against the President as well as public calls for the assassination of Twitter employees following the company’s suspension of accounts associated with ISIL in 2014. Over one-third of the reports were related to “social media postings” including the dissemination of “official ISIL messaging.”

ISIL’s Legitimacy Surpasses al-Qaeda

Whether the increase in suspicious activity reporting related to ISIL is an accurate indicator of the group’s increasing operational presence or simply an artifact of the group’s increasing notoriety, the Field Analysis Report argues it is a reflection of the group’s increasing legitimacy. Through its bloody tactics, the group wins converts by asserting their defense of “Muslims against enemy attacks” as well as the defense of the “self-proclaimed re-establishment of the caliphate.” Citing surveillance of inmate communications conducted by the Bureau of Prisons, the Field Analysis Report lists a number of incidents where U.S. involvement in the Middle East was listed as a justification of ISIL’s tactics. In multiple conversations with family members, one inmate reportedly stated his belief that the group needed to “finish Shiites and other disbelievers.” Criminal indictments of U.S. persons inspired by ISIL to either travel overseas or conduct attacks domestically also indicate a “general desire to fight overseas, defend Muslims against aggressors and join like-minded violent extremists.”

ISIL’s attraction among domestic extremists has become so strong that the formal division between the group’s leadership and al-Qaeda has had little effect on their support for both groups. Individuals arrested for trying to join ISIL, as well as individuals who have traveled overseas to fight with the group, have expressed support for Anwar al-Aulaqi, al-Qaeda in the Arabian Peninsula as well as Jabhat al-Nusra. This support indicates that potential “homegrown violent extremists” may “embrace the groups’ similarities more than their distinctions.” However, U.S.-based extremists are “more likely to derive inspiration from ISIL than [al-Qaeda]” or other groups, a judgment which DHS states is “consistent with [the Office of Intelligence and Analysis’] review of all-source reporting on the topic.” In fact, DHS states that it concurs with the Field Analysis Report’s judgment that “ISIL’s 2014 successes on the ground in Iraq and Syria–especially its declaration reestablishing the caliphate–and sophisticated English-language messaging campaign . . . are key drivers contributing to the group’s support among a small subset of US-based individuals.”

Increasingly Sophisticated Attacks

Along with their rising legitimacy and increasing popular appeal, ISIL has also likely “developed the capability to launch more complex operations in the West.” An assessment authored by the DHS Office of Intelligence and Analysis in May concludes that future attacks conducted by ISIL could reflect an increasingly “complex, centrally planned plotting” over the “more-simplistic attacks by ISIL-inspired or directed individuals.” The assessment focuses on a plot disrupted in Belgium earlier this year “involving an Islamic State of Iraq and the Levant (ISIL) group with at least ten operatives—some of whom were returning foreign fighters—possibly targeting police or the public.” The plot may have been directed by members of ISIL and was apparently in an early planning phase as there is no publicly available information about the group’s target. The raid of a safe house in Verviers, Belgium on January 15, 2015 resulted in a firefight between three suspects involved in the plot and police. Two of the suspects were ultimately killed and the third was arrested by Belgian authorities. Items recovered from the safe house as well as other locations in Belgium and several other European countries included “automatic firearms, precursors for the explosive triacetone triperoxide (TATP), a body camera, multiple cell phones, handheld radios, police uniforms, fraudulent identification documents, and a large quantity of cash.”

With more than a dozen individuals associated with the plot spread out throughout Europe, including France, Spain, Greece and the Netherlands, the group sought to exploit the “significant challenges for law enforcement to detect and investigate multi-jurisdictional threats and the necessity of interagency sharing of information about emerging and ongoing threats.” In fact, the group’s leader Abdelhamid Abaaoud reportedly directed other members via a cell phone from a safe house in Athens, Greece and was able to return to Syria even after the raid in Belgium, despite having international warrants for his arrest. The group also employed sophisticated operational security measures and were able to acquire weapons and other supplies without being detected by law enforcement due to knowledge gained during their extensive criminal histories.

The DHS assessment finds that the “countermeasures used by this group underscore how knowledge of law enforcement tactics can help subjects adapt their patterns of behavior and highlight the need for investigators to consider whether subjects may be using countermeasures to deflect scrutiny.” One group member reportedly changed his cell phone five times, instructed other members of the group to frequently switch vehicles and to examine their surroundings for hidden microphones and other surveillance equipment. Communications between group members often occurred in several different languages and used coded language to hinder translation efforts. The group utilized an assortment of fraudulent identification documents and kept a large amount of cash “intended to fund some of the group’s procurement activities and to conceal purchasing patterns.”

These efforts to conceal their activities indicate that the group was “likely aided by members’ criminal background and possible access to criminal groups, underscoring the potential for operatives to bypass traditional tripwires and obscure operational planning efforts.” One group member Souhaib el Abdi reportedly “had previous experience with trafficking forged documents” and much of the equipment held in their Belgian safe house “including Kalashnikov rifles, handguns, ammunition, and materials to make explosives” is believed to have been acquired illegally. Though security measures employed by the group could make it more difficult for law enforcement to discover potential plots, the DHS assessment argues that they may also provide an opportunity to “detect ongoing plotting, as investigations of intercepted illegal activities may present indicators of other nefarious intentions” and “awareness of the tactics and tradecraft used by this group could assist with identifying and disrupting potential complex plots in the United States.”

The post The Increasing Sophistication and Legitimacy of the Islamic State first appeared on Public Intelligence.

U.S. Cyber Command Blocking Public Intelligence and Nearly 2,500 “WikiLeaks-Related” Websites

Public Intelligence — Fri, 22 May 2015 02:42:20 +0000

A block page displayed when users on military networks attempt to access this website.

U.S. Cyber Command (CYBERCOM) has blocked access to the Public Intelligence website (publicintelligence.net) as well as at least 2,484 other “WIKILEAKS-related websites” on their unclassified network.

The block was first reported in June 2012 by a regular contributor to Phibetaiota.net, a website run by former CIA officer and longtime proponent of open-source intelligence Robert David Steele. An anonymous contributor to the blog reported that CYBERCOM had “blocked access to www.publicintelligence.net from DoD computers” for unstated “operational reasons.” The article described the contents of the notice that is displayed when users attempt to access the site and stated that the “block category” was listed as: “USCC_WIKILEAKS_BLOCK.” According to other individuals who have experienced the block, a message is displayed indicating that you have “attempted to access a blocked website” and that access has been denied for unstated “operational reasons by the DOD Enterprise-Level Protection System.” The notice also instructs the user to “contact your local Network Control Center” to gain access to blocked websites that are “mission essential.”

An email from an intelligence analyst with the U.S. Army TRADOC G2 Intelligence Support Activity (TRISA) requesting access to this website.

In March 2013, a U.S. Army intelligence analyst did just that: she requested that an exception be made for her unit to access the site in order to conduct official research. The analyst’s request is contained in a 15-page document from the U.S. Army’s Network Enterprise Technology Command (NETCOM) that was released following a request under the Freedom of Information Act (FOIA). The document contains a chain of emails between members of the U.S. Army TRADOC G2 Intelligence Support Activity (TRISA) and IT Specialists with NETCOM. In an email dated March 7, 2013, an analyst with the Contemporary Operational Environment and Threat Integration Directorate (CTID) within TRISA states that “CTID requests access to this website http://publicintelligence.net/” and adds that “we all use this website for official open source research to support [REDACTED].”

The request was referred to members of the 106th Signal Brigade under NETCOM who requested a memorandum for record stating that access was required for official business and had been approved by the unit’s information assurance manager. The request appeared to be moving along until late April 2013 when the 106th Signal Brigade informed the IT personnel at TRISA that the block was a CYBERCOM block related to WikiLeaks. In an email from April 23, 2013, NETCOM informed all parties involved in the effort to unblock the site that “TRISA has withdrawn their request for access to the site” after being informed by IT personnel at TRISA that “this was considered a wiki leak [sic] type site so this can be closed with no further action and if she needs access to this site she can use [REDACTED].” In another email regarding the retraction of the request, NETCOM personnel discussed how “once the user requesting the unblock realized the site was a wiki leaks block, they decided they would use the [REDACTED].”

A response from the 106th Signal Brigade stated that “info.publicintelligence.net is blocked by the United States Cyber Command under the category of wikileaks” and cites several tasking orders and all army activities (ALARACT) messages distributed in support of the WikiLeaks block. Two of those ALARACTs were previously obtained by Public Intelligence and discuss preventative measures taken to limit the unauthorized dissemination of information and protect “sensitive information in the public domain.” ALARACT 245-2010 explicitly forbids Army personnel from viewing any classified information released by WikiLeaks because it would introduce classified material onto unclassified networks where it may not be properly safeguarded:

ARMY PERSONNEL MUST BE VIGILANT WITH REGARD TO THE INFORMATION POSTED ON THE WIKILEAKS WEBSITE AND ANY OTHER WEBSITE THAT PURPORTS TO PUBLISH CLASSIFIED INFORMATION. VIEWING, DOWNLOADING OR PRINTING INFORMATION FROM THE WEBSITE COULD POTENTIALLY EXPOSE ARMY NETWORKS TO SENSITIVE DATA OR CREATE SITUATIONS IN WHICH DATA IS IMPROPERLY SAFEGUARDED THUS HARMING OUR ABILITY TO CONDUCT MISSIONS VITAL TO OUR NATIONAL DEFENSE. INFORMATION MARKED AS CLASSIFIED BUT IN THE PUBLIC DOMAIN IS NOT CONSIDERED DECLASSIFIED UNTIL ASSESSED BY THE APPROPRIATE ORIGINAL CLASSIFICATION AUTHORITY AND A DETERMINATION ON ITS DISPOSITION AND CONTINUED CLASSIFICATION IS RENDERED.

Similar notices were disseminated by the Air Force, Navy, White House and a number of other government agencies in 2010 following the release of hundreds of thousands of U.S. diplomatic cables by WikiLeaks.

In response to a FOIA request for records related to the WikiLeaks block, CYBERCOM confirmed that in November 2013 there were 2,484 “WIKILEAKS-related websites” blocked on “their unclassified network.” However, the release of a forty-six page document listing these websites was denied on the grounds that the information was properly classified and its release could “risk circumvention of the law.”

A Pattern of Blocking

In June 2013, it was revealed that the DoD has been blocking access to news stories regarding the disclosure of classified NSA documents by Edward Snowden. According to Pentagon spokesman Lt. Col. Damien Pickart, any website that chooses to “post information the department deems classified” will have that content “filtered” rendering it “inaccessible from DoD networks so long as it remains classified.” Public Intelligence has not posted any of the material revealed by Snowden or WikiLeaks and hosts only a small number of previously classified documents that have been publicly revealed in media reports. Lt. Col. Pickart told U.S. News & World Report that the DoD “does not determine what sites its personnel can choose to visit while on a DoD system, but instead relies on automated filters that restrict access based on content concerns or malware threats.”

Pickart also made clear that DoD is not “going to block websites from the American public in general, and to do so would violate our highest-held principle of upholding and defending the Constitution and respecting civil liberties and privacy.” However, Pickart’s statements are contradicted by the experiences of individuals who have encountered the CYBERCOM block. Users report encountering the block on documents that are unclassified and, in some cases, have no control markings at all.

In addition to the CYBERCOM block, the army’s Continental U.S. (CONUS) Network Operations and Security Center (C-TNOSC) has also previously blocked portions of the Public Intelligence website from being accessed on army computers. Visitors report that attempts to access information on the site have been met with the following notice:

“The site you have requested has been blocked by Team CONUS (C-TNOSC/RCERT-CONUS) due to malware being hosted on the site”

The U.S. Army block has apparently been in effect since at least February 2012. A number of forum postings and comments on a variety of websites make reference to the block. There are no independent reports of malware being hosted on the Public Intelligence website and all public security directories list the site as safe. When contacted for comment, U.S. Network Enterprise Technology Command spokesperson Gordon Van Vleet told Public Intelligence that he was unable to provide any information on the block.

The post U.S. Cyber Command Blocking Public Intelligence and Nearly 2,500 “WikiLeaks-Related” Websites first appeared on Public Intelligence.

On Twentieth Anniversary of Oklahoma City Bombing, Feds Warn of Domestic Extremist Threat

Public Intelligence — Sun, 19 Apr 2015 23:01:20 +0000

A photo of the Alfred P. Murrah Federal Building following the Oklahoma City Bombing on April 19, 2015.

A joint intelligence bulletin issued by the Department of Homeland Security and FBI to coincide with the twentieth anniversary of the Oklahoma City Bombing warns that “domestic extremism will remain a persistent threat through the end of 2015 and beyond” with “high confidence that lone offenders and those who pursue leaderless resistance continue to pose the greatest threat of violence.” The bulletin, which is based on “recent patterns of extremist activity” often “taken by those who plan and act alone or in small cells,” states that domestic extremism “remains a persistent threat, and the United States has experienced violent ideologically-motivated criminal acts, both prior to and after the Oklahoma City attack” including “assaults, arsons, shootings, and use, or attempted use, of improvised incendiary and explosive devices, resulting in death, injury, and property damage.” Moreover, the bulletin states that “many of the same motivations used by domestic extremists to justify their criminal acts in the mid-1990s—anti-government and anti-law enforcement sentiment; racial, ethnic, and religious hatred; and advocacy of violent conspiracy theories—continue to influence domestic extremists and their targeting choices in 2015.”

The bulletin, titled “Twenty Years after Oklahoma City Bombing, Domestic Extremism Remains a Persistent Threat,” was originally posted online to a public website associated with the Northwest Warning, Alert and Response Network (NW-WARN), a “collaborative effort between government and private sector partners” throughout the region “with a goal to maximize real-time sharing of situational information without delay and provide immediate distribution of intelligence to those in the field who need to act on it.” The bulletin has since been removed. However, Public Intelligence was able to obtain a copy of the bulletin prior to its removal from the site.

To illustrate the “scale of the current threat” from domestic extremists, the bulletin cites eighteen incidents between January 1, 2014 and April 1, 2015 that were “conducted by individuals inside the United States in furtherance of political or social agendas without foreign direction, are criminal and violent in nature and caused, or could have reasonably caused death, grievous harm, or financial losses of at least $1 million.” The incidents vary both in scope and motivation, from a 52-year-old woman from Austin, Texas who threw a Molotov cocktail at a Planned Parenthood facility in March to a plot by a “Moorish sovereign citizen” to kill the police chief of Ferguson, Missouri following protests over the killing of Michael Brown last year. In addition to attacks perpetrated by Earth Liberation Front members and other left-wing extremists, the bulletin also highlights the events that occurred in April 2014 at the Bundy Ranch in Bunkerville, Nevada in which dozens of “militia extremists converged on a Nevada ranch to prevent [the Bureau of Land Management] from executing a court order to seize cattle in a dispute over unpaid grazing fees.” These “militia extremists” in association with “individuals from across the country . . . who reacted to reports about altercations between BLM personnel and the rancher’s family and supporters that alleged unnecessary excess on the part of the US Government” eventually engaged in an “armed standoff and the ultimate suspension of the BLM operation due to militia extremist threats.”

The bulletin also contains a list of the various types of domestic extremists recognized by the DHS and FBI, including animal rights extremists, black separatist extremists, militia extremists and sovereign citizen extremists:

(U//FOUO) Domestic Extremists: individuals present in the United States who seek to further political or social goals, wholly or in part, through unlawful acts of force or violence. The mere advocacy of political or social positions, political activism, use of strong rhetoric, or generalized philosophic embrace of violent tactics may not constitute extremism, and may be constitutionally protected. This definition does not include or describe homegrown violent extremists, who are defined by the FBI as al-Qa‘ida-inspired individuals based in the United States and radicalized primarily in the United States, and are not directly collaborating with a foreign terrorist organization.

(U//FOUO) Animal Rights Extremists: individuals who seek, wholly or in part, through unlawful acts of force or violence, to further their opposition to people, businesses, or government entities perceived to be exploiting or abusing animals. The mere advocacy of political or social positions, political activism, use of strong rhetoric, or generalized philosophic embrace of violent tactics may not constitute extremism, and may be constitutionally protected.

(U//FOUO) Black Separatist Extremists: individuals who seek, wholly or in part, through unlawful acts of force or violence, to attain separation from the non-black US population. This separation includes, but is not limited to, physical separation, political separation, or social separation as demonstrated by separate communities, political institutions, or social organizations. This desire for separation is typically based on either a religious or political belief system, which is sometimes formed around or includes a belief in racial superiority or supremacy. The mere advocacy of political or social positions, political activism, use of strong rhetoric, or generalized philosophic embrace of violent tactics may not constitute extremism, and may be constitutionally protected.

(U//FOUO) Environmental Extremists: individuals who seek, wholly or in part, through unlawful acts of force or violence, to further their opposition to people, businesses, or government entities perceived to be destroying, degrading, or exploiting the natural environment. The mere advocacy of political or social positions, political activism, use of strong rhetoric, or generalized philosophic embrace of violent tactics may not constitute extremism, and may be constitutionally protected.

(U//FOUO) Lone Offenders: individuals who, operating alone or without the witting support of others, seek to advance, wholly or in part, a particular ideology or social agenda through unlawful acts of force or violence in violation of federal law.

(U//FOUO) Militia Extremists: individuals who seek, wholly or in part, to engage in unlawful acts of force or violence in response to perceived abuses of power or authority by government, perceived threats to Constitutional rights by government, or bureaucratic incompetence in attending to critical tasks. The mere advocacy of political or social positions, political activism, use of strong rhetoric, or generalized philosophic embrace of violent tactics may not constitute extremism, and may be constitutionally protected.

(U//FOUO) Sovereign Citizen Extremists: individuals who openly reject their US citizenship status, believe that most forms of established government, authority, and institutions are illegitimate, and seek, wholly or in part, through unlawful acts of force or violence, to further their claim to be immune from government authority. The mere advocacy of political or social positions, political activism, use of strong rhetoric, or generalized philosophic embrace of violent tactics may not constitute extremism, and may be constitutionally protected.

(U//FOUO) White Supremacist Extremists: individuals who seek, wholly or in part, through unlawful acts of force or violence, to support their belief in the intellectual and moral superiority of the white race over other races. The mere advocacy of political or social positions, political activism, use of strong rhetoric, or generalized philosophic embrace of violent tactics may not constitute extremism, and may be constitutionally protected.

The post On Twentieth Anniversary of Oklahoma City Bombing, Feds Warn of Domestic Extremist Threat first appeared on Public Intelligence.

Feds Issue Bulletin Warning ISIL’s “Savvy” Use of Media is Resonating with Western Youth

Public Intelligence — Thu, 26 Mar 2015 02:34:28 +0000

Three British teenagers Shamima Begum, 15, Kadiza Sultana, 16, and Amira Abase, 15, who traveled last month to Turkey before crossing the border into Syria to join the Islamic State of Iraq and the Levant (ISIL).

The “innovative use of social media and messaging” by the Islamic State of Iraq and the Levant (ISIL) “has played a key role in motivating young Western males and females to travel to the Syrian conflict to join and support the self-declared Islamic State” according to a joint intelligence bulletin released by the Department of Homeland Security and FBI last month. The 5-page bulletin titled “ISIL Social Media Messaging Resonating with Western Youth” was disseminated to law enforcement throughout the country at the end of February to report on the “continuing trend” of Western youth being inspired to travel to Syria and join ISIL forces. According to the bulletin, this trend is aided by the fact that “Western youth are willing to connect over social media with like-minded persons, and have proven adept at obfuscating such social media usage from their parents and guardians.”

ISIL’s “savvy media packaging” has helped it gain “widespread attention” among both male and female youth demographics, particularly those “who are already radicalized to violence.” The group’s “Western-focused messaging frequently features fluent English speakers, including Western youth, with whom audiences probably are able to relate” including “several videos featuring high-tech filming and editing” that likely intensifies the “appeal of these messaging efforts.” Their videos “often include dramatic shots and sound effects to further the viewer’s tension and interest” as well as “graphics and chronological layout” making them “more like documentary films.”

Moreover, ISIL’s resonance with “with female youths is unprecedented and has prompted a number to attempt to travel to Syria.” While “most females appear motivated to travel based on a desire to live in ISIL’s self-declared state” rather than participate in the conflict, the effectiveness of the group’s messaging demonstrates “ISIL’s broad appeal across demographic boundaries.” The joint intelligence bulletin cites a number of instances where Western youth have attempted to travel to Syria to join ISIL and states that “Western teenagers currently in Syria are known to have accessed violent extremist messaging for guidance on means and routes for traveling to Syria.” An article earlier this month in the British newspaper The Independent cited Helen Ball, the London Metropolitan Police Service Senior National Coordinator for Counterterrorism, as saying that at least sixty British women, including girls as young as fifteen, have traveled to Syria in the hopes of joining ISIL.

A significant number of American youths have also attempted to “radicalize others to violence, establish contact with like-minded individuals, and travel to Syria to join the group.” The Wall Street Journal reported earlier this month that at least one-hundred and eighty Americans have traveled or attempted to travel to join ISIL in Syria. The Justice Department has prosecuted nearly thirty cases related to ISIL in the last eighteen months and the FBI claims to have ISIL-related investigations open in all fifty states.

Some of the cases do not involve direct attempts to travel to Syria, but rather efforts to help others join ISIL often using social media. One case cited in the joint intelligence bulletin involves a Virginia teenager who was arrested in February for encouraging others to join ISIL and even facilitating travel arrangements. The DHS-FBI bulletin states that “ISIL messaging likely influenced [the teenager] to create, produce, and disseminate violent extremist messaging via social media to radicalize other youth to violence” as well as “establish connectivity with violent extremists overseas, connect with like-minded aspirants, and distribute ISIL messaging to a network of friends and followers.” One of his associates reportedly was successful in traveling to Syria to join ISIL. An article in the Washington Post about the case states that the boy was viewed by community members who knew him as a quiet, though typical teenager. He was “taking Advanced Placement classes and listed some of his interests as civil rights and social action.”

The post Feds Issue Bulletin Warning ISIL’s “Savvy” Use of Media is Resonating with Western Youth first appeared on Public Intelligence.

Comments on Reddit Led to Virginia Fusion Center Warning on Protesters Attacking Emergency Vehicles

Public Intelligence — Tue, 17 Mar 2015 02:25:40 +0000

A video posted to YouTube in December 2014 by activists associated with Anonymous that appears to show Chicago police officers discussing surveillance of protesters.

A bulletin issued in December 2014 by the Virgina Fusion Center (VFC) warned law enforcement and first responders that emergency vehicles could be targeted by violent protesters seeking to retaliate against the perceived surveillance of their activities. The bulletin, which is titled “Malicious Activists May Promote Harm to Emergency Management Vehicles Observed During Violent Protests,” draws its conclusion that “violent or malicious activity” could be directed toward emergency vehicles “operating near protest areas” based primarily upon comments to a post on Reddit and a protest guide posted anonymously on Pastebin.

Following the decision last year by a Missouri grand jury not to indict police officer Darren Wilson in the killing of unarmed black teenager Michael Brown, protests have taken place throughout the nation. One particular protest held in Chicago on November 28, 2014, just days after the decision, gained attention online after numerous protesters noticed a Chicago Office of Emergency Management and Communications (OEMC) vehicle that followed them as they marched through the city streets. Several posts on Twitter and other social media platforms include pictures of the vehicle with some protesters noting that their phone begins to malfunction and behave strangely when the vehicle is near. After the photos began to spread on social media, there was rampant online speculation that the vehicle may have contained a Stingray IMSI-catcher produced by Harris Corporation and used by law enforcement to intercept cellular communication content including calls, text messages and other data.

The protesters’ speculations were further bolstered when a video was posted on YouTube by activists associated with the group Anonymous that featured recordings of police scanner traffic where an officer appears to discuss the ability of the local police fusion center to intercept cellular phone calls made by the protesters:

Dispatch: “CPIC [Crime Prevention and Information Center] on the air for a mobile”
CPIC Officer: “Go ahead”
Car 41 Officer: “Yeah one of the girls is kind of an organizer here, um, she’s been on her phone a lot. Are you guys picking up any information, uh, where they’re going, possibly?”
CPIC Officer: “Yeah we’ll keep an eye on it, we’ll let you know if we hear anything.”
Car 41 Officer: “10-4. They’re compliant, and they’re, they’re doing ok now but she’s spending a lot of time on the phone.”
CPIC Officer: “10-4”

A post on the excellent PrivacySOS blog authored by Kade Crockford, director of the ACLU of Massachusetts’ Technology for Liberty Project, covered the protesters’ observations as well as video released by Anonymous. The post, which is directly cited in the VFC bulletin, also mentioned that a local news outlet had identified the potential target of the police surveillance mentioned in the Anonymous video as Kristiana Rae Colón, daughter of Chicago alderman Rey Colón and organizer of the #BlackLivesMatter protest that was being held that day. The blog post on PrivacySOS was later linked to in the news section of Reddit, leading to more than five-thousand positive votes and two-thousand comments. The VFC issued its bulletin warning law enforcement that “emergency management vehicles operating near protest areas may be targeted by precipitating violent or malicious activity” primarily because a few comments on Reddit, several of which appear to be facetious, suggest using violent tactics against the Chicago OEMC vehicle or otherwise sabotaging its surveillance capabilities.

One comment highlighted in the bulletin states if “someone were to accidentally operate a device at protests that happened to operate at the frequencies that truck is using” that it would “block their transmissions.” Another commenter says “if you see one of those cars” at a protest, just “make a bunch of calls saying ‘I think I just overheard someone saying there was a bomb'” on the other side of town. More interestingly, a comment is included in the bulletin because it references Virginia, despite the fact that the comment simply notes that a vehicle like this exists in “Chesterfield VA and it’s only supposed to be used with a court order or a search warrant.” These comments are described in the bulletin as commenters expressing “interest in responding to similar vehicles via technical, subversive, or violent means.”

These violent or malicious intentions are further exemplified, according to the bulletin, by an anonymous post on Pastebin from December 6, 2014 titled “Stingback: A Short, Emergency Guide for Activists Being Spied on by Chicago Police Stingrays (and very likely other police departments).” The guide provides a few simple actions protesters can take to help protect themselves from police surveillance while organizing, including using separate phones for personal and protest activities, using encrypted communication apps such as the products of Open Whisper Systems including TextSecure, RedPhone and Signal, as well as turning off a phone’s location tracking features. One of the last suggestions in the guide, which mentions physically inhibiting the movements of the vehicle, is what led to it being cited in the VFC bulletin. VFC warns law enforcement that “emergency management vehicles deployed to potential protest areas, particularly areas which may have a propensity for violence, should exercise caution” and “be aware that they may be targeted by non-violent methods in order to inhibit their vehicle movements in the area.”

At no point in the VFC bulletin is the fundamental claim of the protesters addressed: that surveillance of the protesters’ communications based solely on the fact that they are engaging in free speech activities is a violation of their Constitutional rights. In fact, this point is made explicitly clear in the Department of Homeland Security and Department of Justice’s guidelines on policing First Amendment-protected events which states that “collecting, maintaining, using, or sharing information regarding persons or groups solely because they are involved in constitutionally protected activity” is prohibited, as is “collecting, maintaining, using, or sharing information regarding persons or groups solely because of the content of their speech.”

The post Comments on Reddit Led to Virginia Fusion Center Warning on Protesters Attacking Emergency Vehicles first appeared on Public Intelligence.

FBI Warns Law Enforcement of Copy Cat Attacks Following Murders of Two NYPD Officers

Public Intelligence — Thu, 01 Jan 2015 03:09:29 +0000

Photos of NYPD officers Rafael Ramos and Wenjian Liu who were murdered on December 20, 2014 by Ismaaiyl Brinsley in apparent retaliation for the deaths of Michael Brown and Eric Garner.

The FBI has issued a National Situational Information Report (NSIR) to law enforcement around the country warning of “copy cat assassinations” following the murder of two New York Police Department (NYPD) officers in December. The report, which was issued days before Christmas and posted online by a lodge of the Chicago Fraternal Order of Police, states that the “recent murders of New York City Police Officers Wenjian Liu and Rafael Ramos have spawned numerous threats” against law enforcement personnel. The report states that Ismaaiyl Brinsley, the man who reportedly shot the two NYPD officers, claimed to be part of a nationwide group planning to kill police officers:

“As of November 2014, USPER Ismaaiyl Brinsley, responsible for the shooting of two New York City Police officers on 20 December 2014, claimed to be a member of an unidentified group that was “going to get a lot of cops in Florida, Las Vegas, and California for New Year’s.” Ismaaiyl Brinsley also discussed travel plans via Amtrak with two other individuals known as “Larry” and FNU LNU (NFI) [First Name Unknown Last Name Unknown (No Further Information)].”

Brinsley, who was initially identified in the media as a member of the national prison gang the Black Guerrilla Family, was later said to have no connection to the gang. However, the day before the murders were committed, the Baltimore FBI office issued a bulletin stating that they had received “reliable information” that members of the gang were planning to target white law enforcement officers to “send a message.” The FBI NSIR mentions this as well as information that indicates the “Heartless Felons Gang, an Ohio street gang, gave its members orders to kill white police officers in the Cleveland area to avenge black lives taken by white police officers.”

Several online threats against law enforcement are also documented in the FBI NSIR including statements made by a man on the East Orange New Jersey Police Department’s Google plus page that he wanted to kill law enforcement officers. The Department of Homeland Security questioned another man at his home in Memphis, Tennessee after he posted online that he was “heading to New York City to kill two more police officers.” The man allegedly wrote “Good Job #F-K12 Kill em all i’m on my way to NY now #shootthepolice 2 more going down tomorrow.” No charges were ultimately filed as the man stated he was intoxicated when he wrote the post.

The FBI NSIR also includes a YouTube comment made by a man later identified as Jeremiah Perez of Colorado Springs:

“SINCE DARREN WILSON our group has killed 6 retired sheriffs and cops……because of this event we will hunt two more in colorado this week…..for every innocent citizen that cops kill WE, VETERANS WILL KILL RETIRED HELPLESS COPS……..we already started and MORE TO COME NOW…….join us and kill any cop or any retired cop !!!!!!! MORE PEOPLE HAVE BEEN KILLED SINCE THE PROTEST !!! THEY DONT CARE, SO NOW REAL HEROS WILL HUNT THEM ALL !!! fuck ISIS, COPS ARE THE REAL ENEMIES OF FREEDOM LOVING AMERICANS and TIME TO STRIKE BACK IN ALL OUT WAR IS NOW !!”

The comment ultimately led to the man’s arrest on federal charges under 18 USC §875, using interstate communications to convey threats of injury against an individual. A criminal complaint written against Perez and posted on the Department of Justice’s website states that the FBI was alerted to Perez’s comment after Google voluntarily notified law enforcement because of the comment’s threatening content. The complaint includes the entire notice provided to the FBI by Google, which states that “based on the content of a post/comment to a YouTube video on Google Plus Social Media, Google Inc. believes that there presently exists an emergency involving imminent death or serious bodily injury to a person or persons, and that immediate disclosure to you of certain information is required to avert the emergency.” After obtaining a search warrant based on the IP address provided by Google, the FBI seized Perez’s computer and interviewed him. He admitted posting the comments and stated that his comments “were the result of misplaced frustration and a way of experimenting with words.”

Forensic examination conducted by the FBI of Perez’s computer revealed a number of other posts to YouTube and other websites using the screen name “Vets Hunting Cops,” including searches that were conducted for the following terms:

“Kill Sara Palin, Kill Barack Obama, Kill Cory Gardner, Kill Darren Wilson, Find and Kill Darren Wilson, Kill Fox Pundints, Fox News Headquarters, Kill Fox News Racist, Kill Bill O’Reilly, Fox News Headquarters gets bombed, Someone Kill Fox News, Kill the Cops, Beaver Creek City Police Department, How to Find Somebody on YouTube, How to Find Somebody’s IP Address Through YouTube, Kill Ted Cruz, Kill M itch McConnell, Calls to Assassinate GOP Leaders, Google Maps for Fox News Headquarters, Hunt Darren Wilson’s Family, St. Louis Police Officer’s Association, Darren Wilson Prosecutor, Locate Bill O’Reilly’s house.”

Perez reportedly admitted to FBI agents that he had conducted the searches, but said that he had no intention of following through with the actions he was researching. Perez now faces up to five years in prison.

The post FBI Warns Law Enforcement of Copy Cat Attacks Following Murders of Two NYPD Officers first appeared on Public Intelligence.

DHS Analysis Finds ISIL Most Likely to Conduct IED, Small Arms Attacks in Western Countries

Public Intelligence — Fri, 05 Dec 2014 03:56:00 +0000

A photo of Michael Zehaf-Bibeau who shot a Canadian solider on October 22, 2014 in an attack on Parliament Hill that was reportedly inspired by Islamic State of Iraq and the Levant (ISIL). The photo was taken by a tourist at the beginning of Zehaf-Bibeau’s attack.

An intelligence assessment released last month by the Department of Homeland Security’s Office of Intelligence and Analysis found that a domestic terrorist attack conducted by individuals affiliated with or inspired by the Islamic State of Iraq and the Levant (ISIL) would most likely “employ tactics involving edged weapons, small arms, or improvised explosive devices (IEDs).” The assessment, which was obtained by Public Intelligence, was released in October following several recent attacks conducted in Europe and Australia by individuals sympathetic to ISIL. Based on a review of these and other planned attacks, analysts at DHS evaluated the tactics and targets, as well as operational security measures employed in order to determine “tactics, targets, and tradecraft that potentially could be used in the Homeland by individuals associated with or inspired” by ISIL.

The assessment concludes that the “most likely perpetrators of a potential ISIL-directed or inspired Homeland attack include individuals acting under the direction of foreign-based terrorists, returning foreign fighters, and those who are inspired by the ongoing conflict in Syria and Iraq but who cannot or will not travel overseas.” These individuals would likely use “edged weapons, small arms, or improvised explosive devices (IEDs)” to attack targets that provide an “opportunity to successfully execute an attack that would garner media attention.” For example, recent plots in Europe and Australia have targeted public gatherings, government employees and Jewish facilities.

Several attacks in Europe over the last year have shown the willingness of former ISIL fighters to conduct attacks once they return to their home countries. In February, a man named Ibrahim Boudina was arrested in France after returning from Syria where he reportedly fought with ISIL. During a search in Greece, where Boudina had been entering into Europe, authorities discovered a USB drive with instructions on making explosives. A French-Tunisian friend of Boudina was also arrested in Italy after returning from Syria. A week after the arrest, members of the French security service reportedly discovered “a handgun, bomb-making instructions, and three soda cans filled with the high-explosive compound TATP” in an apartment complex owned by Boudina’s father.

In May, a French citizen that is believed to have fought with ISIL in Syria shot and killed four people at a Jewish museum in Brussels, Belgium. When the man was arrested several weeks after the attack, he was found to be in possession of an ISIL flag as well as an automatic rifle that was believed to have been used in the attack.

An image from the DHS intelligence assessment released in October highlights various plots in Europe and Australia, providing examples of their tactics and targets as well as operational security measures employed by the attackers.

In September, Australian authorities arrested fifteen individuals suspected of planning to kidnap and behead members of the public on behalf of ISIL. The plot was allegedly foiled after communications were intercepted between a “Syria-based Australian senior ISIL member and a Sydney-based group member discussing a plot reportedly centered on filming the murders of randomly selected individuals in Sydney, which would then be sent to ISIL’s media wing to disseminate via social media.” According to the DHS assessment, the plot is an example of the “potential threat posed by individuals who have not traveled to Syria or Iraq, but who maintain contact and take some level of direction from overseas-based ISIL leaders.”

A similar incident mentioned in the assessment also occurred in September when an eighteen-year-old Australian who had publicly expressed his support for ISIL stabbed two police officers after volunteering to meet with counterterrorism task force members as part of an ongoing investigation. Less than a week after the assessment’s publication by DHS, a Canadian citizen named Michael Zehaf-Bibeau shot a soldier at the Canadian War Memorial in an attack that was reportedly inspired by ISIL and entered a building on Parliament Hill before being shot by police.

The post DHS Analysis Finds ISIL Most Likely to Conduct IED, Small Arms Attacks in Western Countries first appeared on Public Intelligence.

FBI Warns of Hacktivist Threats Following U.S. Airstrikes in Iraq and Syria

Public Intelligence — Mon, 29 Sep 2014 01:56:19 +0000

A Twitter account purporting to be operated by Junaid Hussain, also known as Abu Hussain Al Britani, who was sentenced to six months in prison in 2012 for hacking an email account associated with former Prime Minister Tony Blair and flooding the U.K. national anti-terror hotline with automated calls.

The FBI Cyber Division has issued a notification to private industry and law enforcement to be aware of the potential for retaliatory cyber attacks following recent U.S. military actions in the Middle East. While the FBI has “no information at this time to indicate specific cyber threats to US networks or infrastructure in response to ongoing US military air strikes against the terrorist group known as the Islamic State of Iraq and the Levant (ISIL)” the bulletin states that the FBI believes that “extremist hackers and hacktivist groups, including but not limited to those aligned with the ISIL ideology, will continue to threaten and may attempt offensive cyber actions against the United States in response to perceived or actual US military operations in Iraq or Syria.”

The bulletin titled “Threat of Cyberterrorist and Hacktivist Activity in Response to US Military Actions in the Middle East” was released last Wednesday and is based on “recent, nonspecific, and probably aspirational threats made on social media platforms to carry out cyber as well as physical attacks in response to the US military presence in the Middle East.” The bulletin, which was obtained by Public Intelligence, states that “Middle East-based hacktivist groups and extremist cyber actors have previously targeted US commercial and government Web sites in response to a range of US military actions and foreign policy positions” using tactics such as “Cross Site Scripting (XSS), Structured Query Language (SQL) Injection, and TCP/UDP Flooding for defacement and DDoS attacks.” According to the FBI, web site defacements “conducted by these actors will likely contain messages expressing support for ISIL, and/or contain imagery such as the black ISIL flag or graphic imagery, e.g., pictures or videos of ISIL executions.”

Previous examples of hacktivist attacks motivated by U.S. military actions are included in the bulletin including an incident in May 2014 in which the “Tunisian Hackers Team threatened Distributed Denial of Service (DDoS) attacks against the US financial sector unless US military forces were withdrawn from presumed-Islamic lands.” The bulletin also cites numerous threatening posts on Twitter and identifies several accounts that have expressed support for ISIL, some of which have even provided guidance on tools that could potentially be used in a cyber attack. One particularly interesting example cited in the bulletin is the case of Junaid Hussain, a British man who pleaded guilty in 2012 to charges related to the hacking of an email account connected with former Prime Minister Tony Blair. Hussain, who was just sixteen at the time the hacking occurred, was involved in the compromise of a Gmail account used by Blair’s adviser Katie Kay and later posted private contact information obtained from the account. As part of the hacking group TeaMp0isoN, Hussain also participated in an attack that flooded the the U.K.’s national anti-terror hotline with automated calls, including some prank calls that are still available on YouTube. After serving six months in a youth detention facility, Hussain was arrested on suspicion of “violent disorder” in late 2013 and while on bail fled to Syria with a 24-year-old rapper named Abdel-Majed Abdel Bary. He is now reportedly fighting with ISIL and goes by the name Abu Hussain Al Britani. A Twitter account reportedly operated by Hussain features a profile photo depicting him pointing an AK-47 at the camera and a bio that reads “random British mujahid somewhere in the Islamic State.”

A recent tweet from Junaid Hussain featuring a photo of a RPG and AK-47.

Several recent law enforcement bulletins issued by the Department of Homeland Security and local fusion centers have warned about online threats made by supporters of ISIL. A joint DHS-FBI intelligence bulletin from August 22, 2014 obtained by Fox News warned that following the “start of US military air strikes on 8 August against the ISIL in Iraq, ISIL supporters launched a Twitter campaign threatening retaliatory violence against the Homeland and US interests overseas.” The bulletin went on to say that social media is increasingly being used by ISIL supporters to encourage violent attacks on U.S. interests. Another fusion center bulletin from early July, also obtained by Fox News, cited specific tweets threatening the lives of U.S. military personnel. One tweet from a British jihadist cited in the bulletin reportedly instructed supporters to use LinkedIn and Facebook to look up information on U.S. service members prior to staging attacks: “You could literally search for soldiers, find their town, photos of them, look for address in Yellowbook or something. Then show up and slaughter them.”

While no specific plots have been identified, online threats against U.S. service members are evidently credible enough to warrant a response from the U.S. Army. The Army Threat Integration Center (ARTIC) issued a special assessment on Thursday warning soldiers about the threat posed by the “Islamic State of Iraq and the Levant (ISIL), its supporters, those swayed by radical Islam, and lone offenders with the intent or inclination to act on ISIL’s behalf.” Given the “continued rhetoric being issued by ISIL’s media services and supporters through various social media platforms,” the assessment states that ARTIC is concerned of the possibility of attacks conducted against U.S. military personnel and their families:

Over the past year, ISIL has threatened violence against the United States and US interests overseas in response to ongoing counterterrorism pressure. Following the start of US air strikes in Iraq in early August 2014, and then Syria in late September 2014, ISIL supporters launched a Twitter campaign threatening retaliatory violence against the United States. Additionally, a recent audio message from an ISIL spokesman called, for the first time, for lone offender attacks in the Homeland in retaliation for US military operations in Iraq and Syria.

The assessment includes tips on basic home security precautions that service members should take to protect against an individual “conducting an attack while you or your family members are home.” These tips include using the “peephole before opening the door to anyone” and not opening the door to “solicitors or strangers.”

The post FBI Warns of Hacktivist Threats Following U.S. Airstrikes in Iraq and Syria first appeared on Public Intelligence.

Joint Chiefs of Staff Guide Offers Blunt Assessment of Afghan National Police

Public Intelligence — Mon, 08 Sep 2014 01:40:19 +0000

An Afghan National Police patrolmen poses for a photo at a Police Sub-station under construction and under guard in Kandahar City. (U.S. Navy photo by Petty Officer 2nd Class Ernesto Hernandez Fonte)

“First time I ever saw an Afghan Police Station I thought it was something straight out of the dark ages, complete with zero electricity, mud structure, and no sewage drainage. Immediately I knew this mission would be challenging and wondered what the heck I got myself into?”

This quote from a U.S. Army Captain is just one example of the unusually blunt assessments contained in the Joint Center for International Security Force Assistance (JCISFA) guide for advising the Afghan National Police (ANP). The 2010 version of the JCISFA ANP Mentor Guide, which was obtained by Public Intelligence along with a guide for troops assisting the Afghan National Army (ANA), contains a number of revealing observations on the often poor condition of Afghan National Security Forces, in particular the ANP.

The JCISFA guide explains to would-be advisers that an ANP station will not “resemble anything close to what an American police station would look like” and are often constructed from mud and straw. Though the Combined Security Transition Command–Afghanistan (CSTC-A) is reportedly funding numerous station rebuilds and renovations throughout the country, the guide warns that advisers could encounter the following conditions:

Electricity (1 to 2 kerosene lanterns for light) in rural areas up to 2 to 4 hours of power each day.
Lack of heat and air conditioning.
Generators that work poorly (if at all).
Latrines that are almost all “Eastern style” and have plumbing problems.
Limited water and an unworkable sewage system.

The introduction to the mentor guide states that “public perception of the ANP is poor” and that police officers “have been known to establish Vehicle Control Points (VCP’s) or Traffic Control Points (TCP’s) for the purpose of exacting tolls” or “stealing from the population.” They will often ask to see the vehicle’s registration papers and then require a bribe, referred to as a “baksheesh” which literally means gift, before they return the registration to the vehicle’s owner. Local or tribal leaders will even utilize the ANP at times to “oppress their rivals in inter-family squabbles” which leads to a low public opinion of the national police force. While the ANA is often well regarded by the population, the ANP has a negative reputation among the Afghan people which is used to the advantage of insurgents. According to the guide, ANP are killed at three times the rate of ANA soldiers.

Here are some other revealing observations found in the JCISFA guide:

Police Stations are Often Not Staffed Properly: “In order for a district station to function properly, the ANP need to fill key staff and leadership roles. Unfortunately, in many stations, some of the positions are unfilled, while in other stations the chief is the only key position filled.”
Centralized Leadership Can Cause Inaction: “Control in the ANP is very centralized. As a result, subordinate officers rarely have the latitude to make decisions without first consulting with the chief. In some ways, this centralized control makes the advisor’s job easier since once he convinces the chief of the need to do something, he has convinced the whole station. On the down side, however, subordinate leaders will rarely take the initiative to solve problems without direction, and if the chief is not present they will often defer a decision, even a critical one, until his return.”
Many Police Chiefs are Appointed Due to Patronage: “Many ANP chiefs owe their position not to leadership ability or police experience, but to the patronage of a local leader. As a result, advisors must often guide them very closely to help them do the right things.”
Police Chiefs Often Feel They Can Fleece the Population: “Many chiefs also feel that their position grants them the right to certain ‘benefits’ including skimming pay or demanding additional compensation from the community.”
Afghan Police Lack Muzzle Awareness: “Muzzle awareness is a major problem with many ANP, especially those who have never had an advisor team before. Developing muzzle awareness takes patience and constant spot corrections. Over time, these efforts will have an impact. ANP will also have a tendency to carry loaded weapons with the safety disengaged. A Kalashnikov-type weapon with a selector switch in a position other than ‘safe’ is easy to spot. Advisors need to maintain vigilance regarding the condition and position of ANP weapons.”
Afghan Police Lack Fire Discipline: “Accountability of weapons and ammunition remains problematic due to poor record keeping, theft, maintenance issues, and, in the case of ammunition, operational use. Since the ANP are not known for their fire discipline, keeping stations stocked with sufficient ammunition in areas with a lot of enemy activity will become a constant challenge for the advisor teams.”
There is “Rarely” a Formal Work Schedule: “ANP normally work a ‘fire house’ schedule where they will live and work at the station for a number of days followed by some time off. Unfortunately, the work schedule of the ANP is rarely formalized. Therefore neither the chief nor the advisors can accurately predict how many ANP will be at the station from day to day. This lack of predictability is exacerbated when the ANP conduct a major operation. It is not unusual on the day after an operation for the ANP to have almost no one on duty due to poor schedule management. Typically, advisors can expect to find 50-70% of a station’s assigned strength on duty at any given time. While some of the absences are authorized (time off, sick, injured, leave) some of the absences may be “ghost” police who either do not exist or exist only to collect a pay check.”
Police Can Often Have Ties to Illegal Militias or the Taliban: “That many ANP owe their jobs to the influence of these local leaders has led to the perception that many of them have ties to insurgents or the Taliban, work with illegal militias, or have questionable loyalty to the ANP over their tribal benefactors. Unfortunately, in many cases, these perceptions are reality. The lack of a comprehensive national criminal database also makes weeding out the bad very difficult. In a country where mid to upper level Taliban leaders can freely travel the streets because no one is able or willing to identify them makes infiltration of the ANP by criminals and insurgents a foregone conclusion.”
New Recruits Often Skip Their Training: “A new ANP hire is expected to attend basic police training at either the Central Training Center (CTC) in Kabul or one of the seven Regional Training Centers (RTC) in Kandahar, Gardez, Herat, Kunduz, Jalabad, Mazar-i-Sharif, and Bamian. New hires are expected to attend training within 1-3 months of hire, since they are paid full ANP from the date of hire, often there is no impetus for them to go. Poor record keeping further exacerbates the problem resulting in a large number of untrained ANP.”
Police Stations Often Use Hand Drawn Maps: “Districts often lack maps or may have hand-drawn maps. Maps in Dari can be requested, but land navigation training must be provided in order for the map to be read accurately. Dividing an area of responsibility into sectors based on recognizable terrain features and given simple code names based on colors or numbers, along with specific check points based on easily recognizable points will assist in intelligence gathering, operational planning, and communications.”
Police Corruption is Rampant: “Corruption can be found at all levels, and may be justified by reasoning that the ANP risk much and are underpaid. One favorite tactic is to ‘shake down’ travelers at [traffic control points]. Another is to steal various items while conducting the search of a home. Leaders must be encouraged to follow up on reported acts such as these and to resolve them. Unresolved issues such as these can and will lead to more violence against the ANP and more support for insurgents.”

The post Joint Chiefs of Staff Guide Offers Blunt Assessment of Afghan National Police first appeared on Public Intelligence.

Feds Issue Bulletin on Google Dorking

Public Intelligence — Mon, 25 Aug 2014 00:25:46 +0000

An example of a “Google dork” query with accompanying responses.

A bulletin issued by the Department of Homeland Security, the FBI and the National Counterterrorism Center earlier this month warns law enforcement and private security personnel that malicious cyber actors can use “advanced search techniques” to discover sensitive information and other vulnerabilities in websites. The bulletin, titled “Malicious Cyber Actors Use Advanced Search Techniques,” describes a set of techniques collectively referred to as “Google dorking” or “Google hacking” that use “advanced operators” to refine search queries to provide more specific results. Lists of these operators are provided by Google and include the following examples:

allintext: / intext:	Restricts results to those containing all the query terms you specify in the text of the page
allintitle: / intitle:	Restricts results to those containing all the query terms you specify in the title
allinurl: / inurl:	Restricts results to those containing all the query terms you specify in the URL
filetype:suffix	Limits results to pages whose names end in suffix
site:	Using the *site:* operator restricts your search results to the site or domain you specify
Minus sign ( – ) to exclude	Placing a minus sign immediately before a word indicates that you do not want pages that contain this word to appear in your results
Phrase search (using double quotes, “…” )	By putting double quotes around a set of words, you are telling Google to consider the exact words in that exact order without any change

Here is an example of a query constructed from these operators:

“sensitive but unclassified” filetype:pdf site:publicintelligence.net

The bulletin warns that malicious cyber actors can use these techniques to “locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks.” Hackers searching for “specific file types and keywords . . . can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities.” Moreover, “freely available online tools can run automated scans using multiple dork queries” to discover vulnerabilities. In fact, the bulletin recommends that security professionals use these tools “such as the Google Hacking Database, found at http://www.exploit-db.com/google-dorks, to run pre-made dork queries to find discoverable proprietary information and website vulnerabilities.”

Several security breaches related to the use of “advanced search techniques” are also referenced in the bulletin. One incident in August 2011 resulted in the compromise of the personally identifiable information of approximately 43,000 faculty, staff, students and alumni of Yale University. The information was located in a spreadsheet placed on a publicly accessible File Transfer Protocol (FTP) server and was listed in Google search results for more than ten months prior to being discovered. Another incident in October 2013 involved attackers using Google dorking to discover websites running vulnerable versions of vBulletin message board software prior to running automated tools that created administrator accounts on the compromised sites. As many as 35,000 websites were believed to have been compromised in the incident.

The post Feds Issue Bulletin on Google Dorking first appeared on Public Intelligence.

DHS Warns of “Domestic Violent Extremists” Targeting Government Officials, Law Enforcement

Public Intelligence — Thu, 14 Aug 2014 16:19:26 +0000

An intelligence assessment from the Department of Homeland Security demonstrates law enforcement’s growing fear of violence from “anti-government” extremists emboldened by the recent standoff at the Bundy Ranch in Nevada.

An intelligence assessment released July 22 by the Department of Homeland Security Office of Intelligence and Analysis warns of an increasing trend of “anti-government violence” from what are described as “domestic violent extremists” inspired by the recent standoff at the Bundy Ranch in Bunkerville, Nevada. The report, titled “Domestic Violent Extremists Pose Increased Threat to Government Officials an Law Enforcement,” was originally obtained and published by Public Employees for Environmental Responsibility, a non-profit alliance of local state and federal resource professionals that has been advocating for criminal charges against Cliven Bundy and “militia snipers” involved in the April standoff with the Bureau of Land Management. In recent months, the report suggests that there has been a notable increase in violence from domestic extremists motivated by “anti-government ideologies.” Compared to the previous four years, DHS assesses that the “perceived victory by militia extremists in a show of force against the Department of Interior’s Bureau of Land Management (BLM) will likely inspire additional anti-government violence over the next year.” The report reflects a current trend in the national law enforcement community that views the rise of domestic extremist groups, variously referred to as militia or anti-government extremists as well as sovereign citizens, as a significant threat to the safety of government officials, law enforcement and first responders. In fact, a recent survey conducted by the National Consortium for the Study of Terrorism and Responses to Terrorism (START) at the University of Maryland found that law enforcement throughout the country identifies sovereign citizens as the top terrorist threat, greater even than the threat posed by Islamic extremists.

Domestic Violent Extremists and The Victory at Bunkerville

Though law enforcement agencies have been warning for years of the potential for violence perpetrated by members of the so-called sovereign citizen movement, who believe that the U.S. government is “operating outside of its jurisdiction and generally do not recognize federal, state, or local laws, policies, or governmental regulations,” the DHS’ recent assessment does not focus on members of this group. Instead, the assessment focuses on domestic violent extremists motivated by “anti-government ideologies” and a common perception of “government overreach and oppression.” Unlike sovereign citizens, these groups and individuals “recognize government authority,” however they may engage in acts of violence due to “their perception that the United States Government is tyrannical and oppressive” and “needs to be violently resisted or overthrown.” The assessment also refers repeatedly to “militia extremists” who are defined as facilitating or engaging in acts of violence “directed at federal, state, or local government officials or infrastructure in response to their belief that the government deliberately is stripping Americans of their freedoms and is attempting to establish a totalitarian regime.” These individuals often “oppose many federal and state authorities’ laws and regulations (particularly those related to firearms ownership), and often belong to paramilitary groups.”

The DHS assessment finds that a “recent spike in anti-government attacks and plots since November 2013” is a departure from the previously sporadic occurrence of “domestic extremist violence.” The increase is believed to be motivated by “perception of government actions (or lack of action) addressing political issues such as gun control, land-use, property, and other activities as interfering with their individual rights and as oppressive measures that warrant violent reprisal against US Government entities and law enforcement.” Historically, spikes in violence have followed “high-profile confrontations” involving the U.S. government including Ruby Ridge and Waco. DHS identifies the recent standoff with BLM agents in Bunkerville, Nevada as an example of such an event that could “inspire further violence”:

(U//LES) I&A assesses that the belief among militia extremists that their threats and show of force against the BLM during the April Bunkerville standoff was a defining victory over government oppression is galvanizing some individuals-particularly militia extremists and violent lone offenders-to actively confront law enforcement officials, increasing the likelihood of violence. Additionally, this perceived success likely will embolden other militia extremists and like-minded lone offenders to attempt to replicate these confrontational tactics and force future armed standoffs with law enforcement and government officials during 2014.

Several incidents in 2014 are identified as having a “connection to the events in Bunkerville” based on news reports and information provided by law enforcement. The most significant incident discussed in the assessment is the recent murder of two Las Vegas police officers and another civilian committed by Jerad and Amanda Miller. The pair, who had attended the Bunkerville standoff, “expressed that violence was necessary to fight a perceived tyrannical US government apparatus intent on stripping Americans of their rights” according to the Southern Nevada Counterterrorism Center. The couple also left a note on the murdered police officers that “exclaimed the attack was the start of a ‘revolution,’ and a ‘new day,’ suggesting they anticipated further violence, and made statements on their social media profiles indicating their willingness to ‘shed blood,’ and ‘die fighting,’ to stop government oppression.”

A timeline included in the DHS intelligence assessment documenting a “surge” in violent plotting from domestic extremists.

In all, DHS found that there had been eight incidents of “anti-government” violence since March 2011, either in the form of an actual attack or an arrest stemming from a plot that was interrupted prior to to an attack taking place, including:

March 2011 – Four members of the militia extremist group The Alaska Peacemakers Militia (APM) – including its leader – were arrested in March 2011 for conspiracy to kill judges and law enforcement. APM’s leader was sentenced in January 2013 to 26 years in prison. Three other members received sentences of 26, 12 and 5 years, respectively.
November 2011 – Four militia extremists were arrested in November 2011 for planning to obtain explosives, guns and a biological toxins for attacks against government personnel, including employees of the Internal Revenue Service, the Bureau of Alcohol Tobacco Firearms and Explosives and local law enforcement. Two were convicted in 2012 for plotting to obtain explosives and two were convicted in 2014 for plotting to obtain the toxins.
December 2011 – Georgia-based US Army soldiers – arrested in December 2011 – were convicted in 2012, 2013 and 2014 for involvement in a homicide to cover up the plans of their militia extremist group called F.E.A.R. (Forever Enduring Always Ready) that plotted to attack government and critical infrastructure targets including a hydroelectric dam and Ft. Stewart military base. According to court documents, the individuals allegedly stockpiled over $87,000 in firearms and bomb-making components.
November 2013 – An armed lone offender extremist with an anti-government ideology entered Terminal 3 of LAX on November 1, 2013 and proceeded to the security screening area where he opened fire with an AR-15 style assault rifle. The gunman subsequently shot and killed one TSA Transportation Security Officer (TSO) and wounded two other TSOs, plus a civilian. Another individual was injured fleeing the scene. The suspected gunmen was wounded and is awaiting trial.
February 2014 – Three militia extremists in February 2014 were arrested by federal law enforcement attempting to buy explosives in furtherance of a plot to allegedly attack the electrical grid and government targets, including DHS personnel and facilities. They are awaiting trial.
March 2014 – A militia extremist in March 2014 was arrested by federal law enforcement for a series of plots culminating in a plan to allegedly acquire weapons and travel to Washington, D.C. to kill law enforcement and government officials. He is awaiting trial.
April 2014 – Militia Extremists – many of whom traveled from around the country – joined peaceful protesters at a ranch in Bunkerville, NV and additionally surrounded officers with firearms during an armed standoff over grazing rights.
June 2014 – Two violent lone offender extremists motivated by anti-government ideology ambushed and killed two Las Vegas Metropolitan Police Department officers and a civilian, wounding one more officer before dying in a shootout.

According to DHS analysis, the common link between these incidents is the targeting of “government facilities and personnel, followed by law enforcement personnel and critical infrastructure and key resources (CIKR).” Law enforcement is targeted “because these individuals perceive it as an extension of state control over individuals and CIKR is targeted to undermine the government’s perceived economic and societal power and control.”

Government and Law Enforcement are Primary Targets

Over the last few months, fusion centers around the country have issued a number of bulletins on the potential threat to law enforcement by sovereign citizens and other “domestic extremists.” In May, the Pennsylvania Criminal Intelligence Center released a bulletin to law enforcement on “Targeting First Responders” describing a number of recent incidents where individuals have sought to bring firefighters, paramedics and law enforcement to a location for the purposes of conducting a subsequent attack. In early June, the New York State Intelligence Center issued a bulletin stating that suspects “motivated by elements of a far right anti-government ideology with a particular fixation on law enforcement” had conducted attacks on government targets, including a recent incident in which Dennis Marx attempted to enter the courthouse in Forsyth County, Georgia with an an assault rifle, an assortment of grenades, body armor, and a gas mask. Marx wounded a sheriff’s deputy who returned fire, preventing him from entering the courthouse where he was scheduled to have a hearing on eleven felony drug and weapons charges. According to the bulletin, Marx had “long running issues with law enforcement and was a self-identified sovereign citizen.”

In July, the New Jersey Office of Homeland Security and Preparedness issued a bulletin to firefighters warning about the threat posed by the “anti-government sovereign citizen movement” which has been “catapulted into the forefront of public attention due to an increase in criminal activity by sovereign citizens nationwide.” The bulletin notes that while there “have been no reported incidents of fire service personnel being targeted or coming in contact with confirmed or suspected sovereign citizens” it is nonetheless important to know the indicators that one is dealing with a sovereign citizen, such as the use of “unusual language regarding self-identity, such as ‘freemen,’ state citizens, non-resident aliens, sovereign citizens, or common law citizens.”

Last August, the FBI’s San Antonio Division issued a bulletin stating that a Sovereign Citizen group was organizing youth groups to participate in door-to-door fundraising campaign with the actual intent of identifying the homes of law enforcement and first responders. The youth traveled in “small teams of at least two, traveled throughout neighborhoods knocking on doors” telling the homeowners that “they worked for a fund raising organization designed to help young individuals with public speaking.” The groups were “instructed that the information they collected counted as ‘points'” and that the “team with the most points would win a college scholarship and a large sum of money.” A yellow reference card was provided to each of the groups listing approximately fifteen professions that corresponded to a point value ranging from 500 to 2000 points. Professions listed on the card included firefighters, nurses, doctors as well as members of the military. However, the profession with the highest point value of 2000 was “police officer.” Following the release of the FBI bulletin, the New Jersey Regional Operations Intelligence Center later issued a request for information describing incidents where government officials had been threatened and instructing law enforcement to be careful when providing their personal information to unknown parties.

The post DHS Warns of “Domestic Violent Extremists” Targeting Government Officials, Law Enforcement first appeared on Public Intelligence.

DHS Tells Firefighters, Paramedics Medical Treatment Provides an Opportunity to Identify Extremists

Public Intelligence — Tue, 22 Jul 2014 02:01:35 +0000

A report from WJLA on the arrest of Todd Dwight Wheeler in January 2014.

A joint bulletin released in March by the Department of Homeland Security, FBI and National Counterterrorism Center instructs firefighters and paramedics to use emergency medical treatment as an opportunity to identify violent extremists. The March 2014 bulletin obtained by Public Intelligence titled “Emergency Medical Treatment Presents Opportunity for Discovery of Violent Extremist Activities” is part of the Fire Line series distributed to firefighters, emergency medical service personnel and other first responders around the country.

The bulletin states that efforts to “gain expertise with explosive, incendiary, and chemical/biological devices may lead to injuries and emergency treatment, which may provide potential indicators of violent extremist activities to responding emergency medical service (EMS) personnel.” An initial “size-up” of the scene and “patient assessment” provide first responders with the ability to “evaluate whether an injury is a genuine accident or related to violent extremist activity.” For example, “hastily or expediently treated injuries” observed by first responders “may be an indicator of illicit activity as actors injured in nefarious activity are often not inclined to seek legitimate medical attention, or use efforts that are designed to mislead or obscure the genuine nature of the injury.” Other indicators include “shock or infection accompanying healing wounds, or corrective treatment for healed wounds” often without plausable explanation “may be signs of suspicious activity.”

To support its claims, the bulletin cites the January 2014 arrest of a Maryland man named Todd Dwight Wheeler Jr. for making and possessing explosive materials. According to the Baltimore Sun, Wheeler was arrested after one of his relatives called 911 and reported that he may be suicidal. Paramedics reportedly found Wheeler “suffering from injuries caused by ‘chemical or mechanical reactions'” including “burns to one of his limbs that paramedics determined could have come from a blast.” After speaking with Wheeler, first responders “became suspicious of his story, suspicious of his injuries and suspicious of his distinct chemical odor.” Police later searched the home with help from Bureau of Alcohol, Tobacco, Firearms and Explosives agents finding several “completed bombs”, “more than 100 pounds of chemicals, including acids, fuels, oxidizers and explosives precursors”, “components of destructive devices, including igniters and detonators”, “an automatic Ruger Mini-14 rifle, other guns and knives” as well as “manuals and books detailing explosive manufacturing and booby traps, with titles like The Poor Man’s James Bond, Booby Traps, Deadly Brew and Highly Explosive Pyrotechnic Compositions.” Under a plea agreement entered in May, Wheeler pled guilty to one count of “being a prohibited person in possession of firearms.” He faces up to ten years in prison.

The post DHS Tells Firefighters, Paramedics Medical Treatment Provides an Opportunity to Identify Extremists first appeared on Public Intelligence.

The Vocabulary of Cyber War

Public Intelligence — Thu, 10 Jul 2014 16:17:41 +0000

A restricted document from U.S. Strategic Command provides insight into the underlying philosophy of military efforts to wage cyber warfare.

At the 39th Joint Doctrine Planning Conference, a semiannual meeting on topics related to military doctrine and planning held in May 2007, a contractor for Booz Allan Hamilton named Paul Schuh gave a short presentation discussing doctrinal issues related to “cyberspace” and the military’s increasing effort to define its operations involving computer networks. Schuh, who would later become chief of the Doctrine Branch at U.S. Cyber Command, argued that military terminology related to cyberspace operations was inadequate and failed to address the expansive nature of cyberspace. According to Schuh, the existing definition of cyberspace as “the notional environment in which digitized information is communicated over computer networks” was imprecise. Instead, he proposed that cyberspace be defined as “a domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures.”

Amid the disagreements about “notional environments” and “operational domains,” Schuh informed the conference that “experience gleaned from recent cyberspace operations” had revealed “the necessity for development of a lexicon to accommodate cyberspace operations, cyber warfare and various related terms” such as “weapons consequence” or “target vulnerability.” The lexicon needed to explain how the “‘four D’s (deny, degrade, disrupt, destroy)” and other core terms in military terminology could be applied to cyber weapons. The document that would later be produced to fill this void is The Cyber Warfare Lexicon, a relatively short compendium designed to “consolidate the core terminology of cyberspace operations.” Produced by the U.S. Strategic Command’s Joint Functional Command Component – Network Warfare, a predecessor to the current U.S. Cyber Command, the lexicon documents early attempts by the U.S. military to define its own cyber operations and place them within the larger context of traditional warfighting. A version of the lexicon from January 2009 obtained by Public Intelligence includes a complete listing of terms related to the process of creating, classifying and analyzing the effects of cyber weapons. An attachment to the lexicon includes a series of discussions on the evolution of military commanders’ conceptual understanding of cyber warfare and its accompanying terminology, attempting to align the actions of software with the outcomes of traditional weaponry.

Defining Cyber Warfare

One of the primary reasons for creating a lexicon devoted to cyber warfare is that there are “significant underlying differences” between traditional military operations and so-called “non-traditional weapons” such as those employed in cyber warfare. The lexicon was intended to reduce these differences by integrating and standardizing the “use of these non-traditional weapons” while providing “developers, testers, planners, targeteers, decision-makers, and battlefield operators . . . a comprehensive but flexible cyber lexicon that accounts for the unique aspects of cyber warfare while minimizing the requirement to learn new terms for each new technology of the future.” Described as a Language to Support the Development, Testing, Planning, and Employment of Cyber Weapons and Other Modern Warfare Capabilities, the lexicon is designed to facilitate the construction and employment of cyber weapons:

The cyber warfare community needs a precise language that both meets their unique requirements and allows them to interoperate in a world historically dominated by kinetic warfare. Mission planners must be able to discuss cyber weapons with their commanders, the intelligence analysts, the targeteers, and the operators, using terms that will be understood not just because they have been defined somewhere in doctrine, but also because they make sense. Giving the weapons planners a well-founded lexicon enables them to have far-reaching discussions about all manner of weapons and make important decisions with a significantly reduced likelihood of misunderstanding and operational error.

To understand what exactly constitutes a cyber weapon and what makes it so different from the kind of weapons employed in traditional warfare, it is important to understand the objectives of cyber warfare. Cyber warfare is defined in the lexicon as the creation of “effects in and through cyberspace in support of a combatant commander’s military objectives, to ensure friendly forces freedom of action in cyberspace while denying adversaries these same freedoms.” This can be accomplished through cyber attacks, cyber defense as well as cyber exploitation, with each option providing its own unique set of associated capabilities and potential outcomes. Cyber attacks bare the greatest resemblance to popular notions of cyber war, incorporating actions to “deny or manipulate information and/or infrastructure in cyberspace” through methods like a computer network attack (CNA) that are intended to “disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.” Cyber defense is primarily focused on defending U.S. military networks from similar attacks conducted by other nations or non-state actors and protecting the integrity of the Department of Defense’s Global Information Grid (GIG) which carries military communications worldwide. Cyber exploitation is focused primarily on the collection of intelligence and other useful data from targeted computer systems to enable improved “threat recognition” that can contribute to future operations in cyberspace.

These components of cyber warfare rely on capabilities that are used to construct cyber weapon systems. A cyber warfare capability is a “device, computer program or technique” that includes any combination of “software, firmware, and hardware” that is “designed to create an effect in cyberspace, but has not been weaponized.” Weaponization is a process that takes these capabilities and implements “control methods, test and evaluation, safeguards, security classification guidance, interface/delivery method” and other tactical considerations to ensure that the capability can be properly employed to produce the intended effect. A completed cyber weapon system is a combination of one or more of these capabilities that have been weaponized and are ready for deployment. These weapons can then be categorized based upon specific uses and issues related to their employment, such as who is authorized to use them. One suggested schema in the lexicon provides three categories: the first for weapons that require approval from the combatant commander, a second for weapons that are pre-approved for specific uses and a third that requires the approval of the President or Secretary of Defense before the weapon can be utilized.

Brig. Gen. Robert Brooks, director of the Massachusetts Air National Guard gets a eyes-on 3D tutorial of how to analyze data in the Virtual Reality Center at the University of Arkansas at Little Rock, during the 2014 Cyber Shield Exercise held in May.

One of the “Discussions on Cyberspace Operations” contained in the lexicon follows the military’s historical apprehension toward describing software programs and other cyber capabilities as weapons. Throughout the early 1990s, the term “tool” was widely favored in the initial phases of the military’s cyber warfare mission. One reason for this reluctance was military commanders’ concerns about the lack of authority under Title 10 for conducting cyber operations. However, given that there are six “Joint functions” recognized in military doctrine “C2 [command and control], Intel, Fires, Maneuver, Protection and Sustainment,” the use of any offensive cyber capabilities “unquestionably” is a form of fires, making the cyber capability itself a kind of weapon. The idea that software and computer hardware could be considered a weapon is further complicated by the fact that many offensive cyber capabilities consist of nothing more than “cyber techniques” that involve “keystrokes, but where no hardware or software is introduced into the target system.” When “last minute changes in the target render the approved weapon inert, an operator might need to use cyber techniques to complete an assigned mission, particularly one that has been approved for effect or objective,” making the certification process and training of the “operator” critical to considering cyber capabilities as a “weapon system.” There must be control methods, testing and evaluation, safeguards, certified personnel, mission logs, a concept of operations as well as tactics, techniques and procedures on how to employ the weapon system. This is similar to the situation with conventional weapons as “the very first M-16 rifle ever made, while a ‘weapon’ in the dictionary sense of the word, was not deployed until it was operationally tested, had a training program, spare parts inventory, etc.” It was only after this process that “each new M-16 was part of a ‘weapon system’ and could be crated and shipped to the front lines directly from the assembly line.”

Cyber Weapons and Their Effects

A fundamental distinction discussed in the lexicon, one which separates cyber weapons from those used in conventional warfare, is the distinction between kinetic and non-kinetic weaponry. Kinetic weapons are those that “use forces of dynamic motion and/or energy upon material bodies” whereas non-kinetic weapons are those that “create their effects based upon the laws of logic or principles other than the laws of physics.” Within each of these broad categories, there are further distinctions based upon the lethality of the weapon being described. For example, a Mark-84 bomb is an example of a lethal kinetic weapon capable of inflicting physical damage to material entities based upon the use of motion and force. The Active Denial System, a directed-energy weapon which uses millimeter waves to create a sensation of heat on the skin of human targets, is an example of a non-lethal kinetic weapon. As a non-kinetic weapon creates its effect through the use of logic or other principles, the category necessarily encompasses a much wider array of weapon systems from diverse fields like information warfare and psychological operations. Biological and chemical weapons are examples of lethal non-kinetic weapons that rely upon biological factors rather than physical force to create their effect. Computer network attack (CNA) software, on the other hand, is an example of a non-lethal non-kinetic weapon, creating an effect based solely on the logical operations it performs on a targeted computer system.

While cyber weapons are considered to be non-lethal in their effects, this doesn’t mean that non-lethal weapons are “required to have zero probability of causing fatalities, permanent injuries, or destruction.” To better understand the effects that non-lethal non-kinetic weapons can have, the lexicon attempts to align cyber weapons with the traditional terminology of the “Four D’s” used throughout the information operations community: deny, destroy, degrade and disrupt. One discussion in the lexicon introduces a construct to understand these effects in terms of a scope, level and time of “denial” in a targeted system, causing “reduction, restriction, or refusal of target operations.” Using this framework, “degrade, disrupt, and destroy” would all be considered different forms of denial that have varying scopes. Disrupt introduces a “time aspect of denial” and degrade adds an “amount or level of denial.” The final term “destroy” is saved for the “special case that includes the maximum time and maximum amount of denial.” The lexicon even proposes a function for calculating denial:

Quantitatively, denial (D) can be expressed as a function of scope (s), level (l), and time (t), i.e. D(s,l,t). Defining effects in this manner makes it clear to the planning staff that each of the parameters of the function must be considered and specified as necessary as indicated by, or derived from, commander’s objective. As the level (l) or amount approaches 100% and time (t) approaches infinity, destruction is achieved.

The true effects of a cyber weapon often differ significantly from simply denying or even destroying an enemy system. Every weapon “takes an action” when it is triggered and this action is “intended to have an effect.” For a traditional bomb, that action is a “kinetic explosion and the effect is normally target damage,” whereas a cyber weapon may result in “the execution of some software and the effects, some form of denial or manipulation.” However, weapons also have “outcomes that are not expected and are not required to achieve the objective.” The lexicon describes these as indirect effects that can result in consequences for unintended targets. When these consequences affect unlawful targets or cause “damage to persons or objects that would not be lawful military targets,” they are considered “collateral effects” that are similar to the traditional notion of collateral damage.

Vulnerabilities and Target States

Past worries about collateral damage from cyber weapons have proven to be well founded. In the summer of 2010, copies of an unknown computer worm began replicating throughout the internet using a vulnerability in Microsoft Windows to find its way into the control systems of major corporations like Chevron. However, the malicious program was not the work of Chinese hackers or sophisticated cyber criminals, it was a cyber weapon called Stuxnet created as part of a joint U.S. and Israeli intelligence operation targeting Iran’s nuclear program that was codenamed “Olympic Games.” Stuxnet would later claim other unintended targets, including a Russian nuclear power plant. Unintended effects associated with cyber weapons are dangerous for a number of reasons, including the risk that an adversary might be able to use the weapon, once discovered, against the originator of the attack. According to the lexicon, these vulnerabilities of cyber weapons can be separated into six distinct categories:

(U//FOUO) Detectability risk – The risk that a weapon will be unable to elude discovery or suspicion of its existence. This includes the adverse illumination risk of hardware weapons.

(U//FOUO) Attribution risk – The risk that the discoverer of a weapon or weapon data will be able to identify the source and/or originator of the attack or the source of the weapon used in the attack.

(U//FOUO) Co-optability risk – The risk that, once discovered, the weapon or its fires will be able to be recruited, used, or reused without authorization.

(U//FOUO) Security Vulnerability risk – The risk that, once discovered, an unauthorized user could uncover a security vulnerability in the weapon that allows access to resources of the weapon or its launch platform. This includes the risk of an adversary establishing covert channels over a weapon’s C2 link.

(U//FOUO) Misuse risk – The risk that the weapon can be configured such that an authorized user could unintentionally use it improperly, insecurely, unsafely, etc.

(U//FOUO) Policy, Law, & Regulation (PLR) risk – The risk that the weapon can be configured such that an authorized user could intentionally use it in violation of existing policy, laws, and regulations.

These vulnerabilities are “mostly unfamiliar to the kinetic weapons community, and are due to the complexity of the weapons, the dynamic nature of the ‘atmosphere’ of cyberspace, and the difficulty of gathering detailed intelligence about cyber targets.” A discussion on cyber weapon vulnerabilities in the lexicon argues that “the crowded nature of cyberspace and the proliferation of anonymizing technologies can work to both our advantage and disadvantage, in that attribution can be very difficult for both our adversaries and ourselves.” Once a network target has been “accessed and subverted,” the implanted cyber weapon should be “considered like a mine or an improvised explosive device (lED) where there are no longer any delivery considerations for the weapon, but only survivability and transferring of commands and updates.”

In several portions of the lexicon, attacking unaffiliated infrastructure that happens to be used by an adversary is discussed as a viable means of creating a “second order” effect on the target. For example, if “privileged access in not possible, we may still be able to create our desired effect in the first order by using public access to the target” such as “a distributed denial of service (DDOS) that floods a port on the target.” When the intended target “cannot be directly accessed via either public or privileged means, the desired effect can still be achieved by targeting an intermediating link or node so that the desired effect cascades from the first order effect.” An example of this is “conducting a DDOS attack on a critical link” leading to the target or “degradation through packet flooding” by assuming the “maximum data bus speed and a maximum input/output processor throughput on the target.” A ping flood attack can be “directed at a single IP address or broadcast to a whole Class B IP domain with thousands of recipients.”

The effectiveness of a cyber weapon corresponds to its ability to place a target into a particular state of operation. The target state “corresponds to the condition of the target with respect to a military objective” such as creating a root shell for privileged access. A typical cyberspace target state can typically be considered to operate in one of the following “five states relative to achieving a commander’s primary objective”:

Unconfirmed: Unknown if there is an access path to target.

Confirmed/Nominal: Access path to target established.

Unprivileged access: Unprivileged access to target established.

Privileged access/At risk: Privileged access to target established.

Goal/Other condition: Target has been placed in the desired or other intermediate condition.

Using a real world example, the lexicon asks us to “consider the use of a ‘buffer overflow’ capability to achieve ‘root’ level (privileged) access on a computer operating system in order to disable an adversary’s computer program.” The use of a “buffer overflow creates an initial effect (access to unauthorized portion of memory) and, by including in the buffer overflow capability other carefully crafted code, it can also enable another effect (e.g. gaining root access) and place the target in a different state.” Whereas the previous state of the target was “nominal,” the new state of the target is “compromised.” If the system administrator has implemented “a mechanism to log and report all creations of a root shell,” the outcome can still create unintended consequences because the cyber weapon could be detected and then be susceptible to attribution or manipulation. With certain types of cyber weapons this sort of discovery or attribution could present serious problems, though with others it may prove to be of little use to the weapon’s discoverer. As cyber weapons only “deliver information or some other information-related effect to the target and not high explosive or high energy,” they can be used “as long as we have electrical power.”

U.S. Strategic Command Cyber Warfare Lexicon

Select a term from the following list to read the full definition. All definitions are taken from U.S. Strategic Command (USSTRATCOM) Cyber Warfare Lexicon Version 1.7.6.

cyberspace

cyberspace operations (CO)

cyber warfare (CW)

cyber attack (CA)
cyber defense (CD)
cyber exploitation (CE)

cyber warfare capability

cyber weapon system

cyber weaponization

cyber weapon characterization

cyber weapon categorization

cyber weapon delivery mode

cyber weapon flexibility

cyber weapon identification

cyber weapon vulnerability

detectability risk
attribution risk
co-optability risk
security vulnerability risk
misuse risk
policy, law, & regulation (PLR) risk

access

collateral effect

deny

degrade
disrupt
destroy

dud

effects assessment (EA)

intended cyber effect

kinetic

probability of effect (PE)

target state

targeted vulnerability

objective vulnerability
access vulnerability

weapon action

weapon effect

direct effect
indirect effect

cyberspace

(U//FOUO) cyberspace: a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. (from 12 May 2008 SECDEF memo)

[(U//FOUO) Previous version – cyberspace: A domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures. (from NMS-CO)]

Alabama	1,420,223	Maine	12,497	Pennsylvania	513,349
Alaska		Maryland	226,110	Rhode Island
Arizona	126,165	Massachusetts		South Carolina
Arkansas	24,153,042	Michigan	2,393,851	South Dakota	133,794
California	20,393,280	Minnesota	18	Tennessee	10,971,501
Colorado	184,338	Mississippi	44,830	Texas	68,793,268
Connecticut		Missouri	141,658	Utah	16,654
D.C.	962,356	Montana		Vermont
Delaware	1,085,708	Nebraska	173,877	Virginia	10,342,356
Florida		Nevada	276	Washington	8,520,754
Georgia	1,020,907	New Hampshire		West Virginia	34,578
Hawaii		New Jersey		Wisconsin	154,401
Idaho	578,174	New Mexico	35,076	Wyoming
Illinois	4,515,553	New York	1,189,118
Indiana	108,715	North Carolina		State	168,569,227
Iowa		North Dakota		Federal	23,005,381
Kansas	2,108,188	Ohio	5,564,883
Kentucky	1,637,232	Oklahoma
Louisiana		Oregon	1,012,497	Total	191,574,608

Old Version February 13, 2009	New Version October 12, 2012	Changes
The source and method for defining a person, place, or thing as a No-Strike entity is derived primarily from the body of international law collectively known as LOW. The LOW incorporates international treaties and agreements adhered to by the U.S. government, as well as customary international law, into a comprehensive set of guidance and requirements governing the conduct of modern warfare.	The basis for defining a person, place, or thing as a No-Strike entity is derived primarily from the body of international law collectively known as LOW. LOW comprises the international law related to the conduct of hostilities binding on the United States or its individual citizens, including treaties to which the United States is a party and applicable customary international law that regulates the conduct of armed hostilities.	Law of war is now the “basis” for defining no-strike entities rather than the source. The law of war is defined as international law “binding” rather than “adhered to” by the U.S. This includes treaties and “customary international law” that “regulates” rather than “requires” certain actions when conducting military activity.
No-Strike entities are those designated by the appropriate authority upon which kinetic or non-kinetic operations are prohibited to avoid violating international law, conventions, or agreements, or damaging relations with coalition partners and indigenous populations. The infliction of unnecessary suffering or damage to civilian persons or property that is excessive in relation to the concrete and direct military advantage anticipated is inconsistent with international law and is contrary to DOD policy outlined in this document and in references a and b.	No-Strike entities are those designated by the appropriate authority upon which kinetic or non-kinetic operations are prohibited to avoid violating international law, or agreements, or damaging relations with coalition partners and indigenous populations.	The new version removes “conventions” from a list of things to avoid violating. An entire sentence prohibiting the infliction of “unnecessary suffering or damage to civilian persons or property” is removed, as well as the statement that this is “inconsistent with international law” and “contrary to DOD policy.”
The LOW requires all military personnel to take reasonable precautions to ensure that only military objectives are targeted and to ensure that civilian or noncombatant objects are not made the object of attack.	The LOW requires all military personnel to take reasonable precautions to ensure that only military objectives are targeted and to avoid targeting (i.e., attacking) civilian or noncombatant persons or objects.	A requirement to “ensure” that civilians are not the subject of attacks is changed to an admonishment to “avoid targeting” civilians.
However, in these circumstances the commander must weigh the anticipated loss of life, damage to property, or other negative effects incidental to the attack versus the military advantage expected to be gained by the attack. In making the decision, commanders must consider the military necessity for attacking the target, proportionality of the means planned for target engagement, and reasonableness within the framework of operational objectives.	However, in these circumstances the commander must weigh the anticipated loss of life, damage to property, or other negative effects incidental to the attack versus the military advantage expected to be gained by the attack. The anticipated injury or loss of civilian or noncombatant life, damage to civilian or noncombatant property, or any combination thereof, incidental to attacks must not be excessive in relation to the concrete and direct military advantage expected to be gained.	When making the decision to attack a location where collateral damage is likely, the commander is no longer told to consider “proportionality” and “reasonableness within the framework of objectives”, but is instead required to ensure that loss of civilian or noncombatant life or property is “not excessive” in relation to the “concrete and direct military advantage expected to be gained” by the attack.
By limiting unnecessary suffering and disproportionate damage, the No-Strike process will accelerate recovery in post-conflict operations and minimize operational limitations routinely imposed as a result of international sensitivities over the humanitarian impacts of military operations.	By mitigating human suffering and property damage, the No-Strike process will accelerate recovery in post-conflict operations and minimize operational limitations routinely imposed as a result of international sensitivities over the humanitarian impacts of military operations.	A commander’s “limiting” of “unnecessary” suffering is now only a requirement to “mitigate human suffering” and property damage.
Failure to observe these obligations could result in disproportionate negative effects on civilians and noncombatants and be considered a LOW violation. Furthermore, U.S. leadership and military could be subject to global criticism, which could adversely impact military objectives, alliances, partnerships, or national goals.	Failure to observe these obligations would be considered a LOW violation. Furthermore, the United States could be subject to global criticism, which could adversely impact military objectives, alliances, partnerships, or national goals.	A statement that collateral damage could “result in disproportionate negative effects on civilians and noncombatants” is now no longer included. Global criticism in such a circumstance would also be leveled at the U.S. generally rather than the “U.S. leadership and military.”
The CDM is a balance of science and art that produces the best judgment of potential damage to collateral concerns.	The CDM is a balance of science and art that produces a conservative characterization of the risk of collateral damage for commanders and decision makers.	The collateral damage estimation (CDE) methodology (CDM) has changed from a “best judgment of potential damage” to a “conservative characterization of the risk of collateral damage”.
However, the science is inherently limited by the quantity and reliability of collected and analyzed weapons effects data and target information.	However, the science is inherently limited by the quantity and reliability of collected and analyzed weapons effects data, weapon delivery uncertainties, and target information.	The new version inserts “weapon delivery uncertainties” into a list of factors affecting collateral damage estimation.
All of these sources contain some degree of inherent error and uncertainty.	All of these sources contain some degree of inherent variability.	Sources of information that feed into the collateral damage estimation process are no longer subject to some degree of “error and uncertainty”, but are instead subject to “variability.”
CDM is merely an estimate to assist a commander in the decision making process relying on informed data and sound judgment.	Ultimately CDE is an estimative process to help inform a commander’s decision making.	An entire sentence is changed to reflect that attempting to predict collateral damage is an “estimative process” rather than an “estimate” to “help inform the commander’s decision making.” A description of this process as “relying on informed data and sound judgment” is also removed.
	The CDM does not account for secondary explosions. Collateral damage due to secondary explosions (i.e., weapons cache or fuel tanks for military equipment) cannot be consistently measured or predicted. Commanders should remain cognizant of any additional risk due to secondary explosions.	A passage is inserted indicating the collateral damage estimation methodology (CDM) does not apply to secondary explosions from gas and fuel tanks on the ground.