Gate 15’s David Pounder asked Homeland Security Today Managing Editor Bridget Johnson to help paint a threat assessment for the year ahead for the benefit of critical infrastructure entities and Information Sharing and Analysis Centers and Organizations. We share that Q&A here for the benefit of all HSToday partners and readers.
In 2018, the high-profile attacks of 2017 appeared to give way to smaller, isolated attacks that were more focused on more concealed weapons or low-tech weapons, i.e., knifes or vehicle attacks. Do you see this as an established shift in tactics or something else?
Johnson: The prevailing message in the evolution of terror attacks is “come as you are” – both ISIS and al-Qaeda have fully embraced a homegrown terror modus operandi that’s borderless, nixes the need for a training camp and really doesn’t care all that much about the perpetrators’ religious orthodoxy. Some may be tempted to view these smaller-scale attacks as the Plan B of terrorists who have lost swathes of territory, but seeping terror into every neighborhood nook and cranny by recruiting the people who grew up there has always been terrorists’ Plan A. This means confronting terrorists with potentially limited skillsets who are using low-tech attack methods that are easily obtained. This is the new norm, as it only expands their jihadist pool and geographic reach.
Realistically, ISIS knew what al-Qaeda expressed from the start: that the physical caliphate in Iraq and Syria wouldn’t last and the future was homegrown. And even terrorists claiming allegiance to ISIS use the bomb recipes and guidance that al-Qaeda has been publishing for years – we’re in the era of universal jihad. But messaging has been clear that terror groups just want jihadists to reach for what’s easy and works – they’d rather see a few people stabbed, a city on edge and the next attacker inspired than watch idiot remote recruits struggle to correctly make a bomb.
The Islamic State has not been in the headlines as much in 2018, and al-Qaeda roared back onto the scene after several years reconstituting themselves. What do you see from these groups heading into 2019?
Johnson: Usually when I see an online publication, video or website from ISIS or ISIS-supporting media groups, I have to watch or read it pretty fast before it gets flagged for extremist content and removed by the website company. With al-Qaeda, however, I’ve had a website on one of my tabs for weeks that functions as a women’s al-Qaeda news and advice portal – par for the course, al-Qaeda content, even though usually more developed and damaging than ISIS materials, just doesn’t get attention from the censors. Al-Qaeda has relished this waiting-in-the-wings role, hanging back (but still very much in active operation and development) like the professors while ISIS stormed across Syria and Iraq like fraternity boys. Al-Qaeda combines the wisdom of elders with younger, hungry leaders, like al-Qaeda in the Arabian Peninsula emir Qasim al-Raymi and 30-year-old Hamza bin Laden, groomed by his dad to one day take over the family biz. Al-Qaeda emerges from the ISIS heyday with street cred for being right about the caliphate not working, with a wealth of jihadist training tools in deep circulation online, with their dead legends still recruiting new adherents (see: the lectures of American cleric Anwar al-Awlaki, because there’s an app for that), and with years out of the spotlight that enabled them to build talent, focus and, very importantly, learn from ISIS’ mistakes in their jihad campaigns moving forward.
If the U.S. withdraws from Syria it will fuel ISIS propaganda, but the propaganda bonanza of greater concern would come if the U.S. withdraws from Afghanistan. If a deal with the Taliban – strong al-Qaeda and Haqqani network allies – goes through, it will be very effectively touted throughout the Islamist terrorist community as a long-fought victory against the world’s biggest superpower, and that will be a massive shot in the arm of inspiration to homegrown jihadists.
What other groups should ISAC and ISAO members be aware of as it relates to threats against their people, facilities and locations?
Johnson: The Pittsburgh synagogue shooting underscored the danger of ant-Semitic and neo-Nazi extremism, and it’s critical to understand that the official membership strength of such organizations doesn’t reflect the degree of the threat because “lone wolves” operate in these spheres just like Islamist jihad: receiving online inspiration and guidance to take action. The Anti-Defamation League recently launched an informative heat map outlining extremist activity, and it’s easy to see the upswing in white nationalist groups recruiting with fliers and stickers in ground campaigns across the country. Another network of neo-Nazis called “The Base” – remember that’s what al-Qaeda means – is “networking, creating propaganda, organizing in-person meet-ups, and discussing potential violence or ‘direct action’ against minority groups, especially Jewish and black Americans,” as VICE reported in November. “An extensive online library contains a trove of manuals with instructions on lone wolf terror-tactics, gunsmithing, data mining, interrogation tactics, counter-surveillance techniques, bomb making, chemical weapons creation, and guerrilla warfare.”
Keep in mind the threat of mass casualty attacks that aren’t linked to a particular ideology for motive – the 2017 Sutherland Springs church massacre had a domestic violence link as the shooter’s estranged wife routinely attended with her family (her grandmother was slain), and the 2017 Las Vegas massacre wasn’t linked to religion or ideology but was more akin to Charles Whitman’s 1966 mass shooting from the University of Texas tower in Austin. In this age of extremism made so prominent by social media, we need to recognize that there are still threats posed by those who will kill for the sake of killing and they are hard to stop in the planning stages by not leaving that extremist trail.
There appears to be more terrorist propaganda than in previous years ranging from wildfires, to claims of responsibility, to the holidays. Is there any evidence or correlation to suggest the release of propaganda has coincided with a specific act or target? Is it effective? And what, if anything, should organizations do when they see this publicized?
Johnson: Although much of the incitement propaganda – as simple as a poster with a threatening message – is churned out these days by independent media groups allied with ISIS, they do produce coordinated messages that have jointly supported threat methods or target choices and have even aligned with an editorial calendar of sorts. ISIS and al-Qaeda both jumped on the California wildfires this past year, precisely with the goal of steering lone jihadists toward considering that attack method when humidity is low and winds are high. And before the Dec. 11 attack on the Christmas market in Strasbourg, France, ISIS and its supporters had already begun their holiday incitement campaign. A mid-November threat poster distributed online invoked the 2016 Berlin Christmas market attack and vowed “retribution” to come.
The challenge in responding to these often voluminous threats is trying to determine which is a consciously targeted threat and which is something random that an ISIS fanboy threw together during his fun with Photoshop. For example, I came across an image a few weeks before Christmas depicting a knife-wielding jihadist approaching a decorated tree in a city square. Some researchers outside the U.S. were incorrectly assuming this was a depiction of New York City. I saw in the photo a restaurant that’s only a chain in Canada and, based on the edge of an H&M store also in the photo, began using maps and photos to pinpoint the city and exact location: Toronto’s Yonge-Dundas Square. Now, this wasn’t targeted over the holidays, as far as we know, though we can assume that authorities didn’t ignore the threat after it was circulated. Did ISIS supporters specifically mean to target this shopping and entertainment district, or were they just googling for a nice representative photo of Christmas decorations in a public place? These questions underscore the importance between the ISAC community and law enforcement, as agencies may have seen additional threat information to support the propaganda image, or they may have information to discount the threat – bearing in mind that even if the person who created the image didn’t intend to attack a specific corner in Toronto, a Canadian could still get inspiration from the suggested target and launch an attack.
Maintaining awareness of all the potential threats can be challenging for members, especially those who may not have limited resources or a smaller footprint. What would you recommend for organizations to keep up to date on with regards to threat intelligence? Are there publications they should actively monitor or read?
Johnson: I’m going to be partial to Homeland Security Today, of course, but I’ll break this down further. To get an idea of what’s currently being distributed online, there’s subscriber content at intelligence portals such as SITE or the MEMRI Jihad & Terrorism Threat Monitor, free source material at sites such as Jihadology, and documented incidents and threats from groups with dedicated extremist monitoring such as ADL. They should also sign up for updates from relevant government agencies. Once you skim the surface of the breadth of extremist content out there, though, you fully comprehend the importance of information sharing through an ISAC, as it’s hard for one cog in a vast industry or community to shoulder the burden of threat assessment alone.
A key element for prevention is having an active and alert workforce that identify suspicious activities, potential threats, as well as disrupt potential attack plans. There appear to be a lot of emphasis on commercial facility targets because of the ease of access, vulnerable areas (open areas, public spaces). Having tracked terrorist activities over the past several years, what are some simple steps members can take to help reduce their targeting profile or become a hardened target and be prepared for terrorist attacks?
Johnson: First, members need to evaluate their basic security posture to protect against generally threats both in conjunction with day-to-day operations and special events. I can’t emphasize enough how a simple security measure worked in the October shooting at a grocery store Kentucky: Shortly before killing two store patrons, police say the shooter tried to enter a predominantly African-American Baptist church but found the doors locked. Who would have thought the church would need that sort of security on an ordinary Wednesday – but who also thought Dylann Roof would have joined a Bible study at the Emanuel African Methodist Episcopal Church in Charleston, S.C., in 2015 and then massacred those attending? If there’s an event with large crowds, extra security can be added; if there’s a vulnerable outdoor area, concrete vehicle barriers can be added; if there’s an event check-in, security screening can be employed.
The next step is to “red team” the heck out of facilities, personnel and the local environment: think like a terrorist to harden soft spots. This means assessing the particular vulnerabilities of a facility, from the point of view of an assailant, if an attacker were to undertake a number of different scenarios. (This is also where professional security consultation and expertise will come in handy for facilities that are unexperienced in terrorist threats.) What needs to be considered is how low- and high-tech terrorists might attack and what variables they may use to hike the body count. For example, the 2017 Manchester concert attacker didn’t need to make it past the security checkpoints to inflict harm, but waited until people started leaving the show and detonated his device in this outside area. ISIS instructions on committing arson at factories, churches, nightclubs, hospitals, apartment buildings, schools, etc., include blocking off exits; how would a facility overcome this advance prep? ISIS has proposed stabbing random people, such as a tipsy patron exiting a bar, and making the attacks look like everyday murder – how hardened is a facility’s perimeter in protecting employees and patrons from a range of crimes, such as proper security in parking lots?
Aside from terrorism or extremist groups, do you see trends that may become bigger stories or threats in the next year?
Johnson: Remember these four letters: CBNR. Threat assessments continually warn of a potential “big one” coming in the area of chemical, biological, nuclear or radiological agents. I’d encourage members to follow the work of the bipartisan Blue Ribbon Study Panel on Biodefense, which tries to draw attention to the many facets of this vulnerability and emphasizes our lack of preparedness. The panel also drills down to concerns such as the use of drones to disperse aerosolized agents on soft targets that attract large crowds. Bear in mind these threats aren’t always weaponized: Experts fear another pandemic 100 years after the devastating Spanish Flu, and venues that attract crowds – from the mall to church – will be transmission areas. “We can say with a reasonable certainty that both awful events will occur,” co-chairman former Sen. Joe Lieberman (I-Conn.) said of bioterror and a pandemic at a panel in October. “And the question is how do we determine to the best of our ability when they’re about to occur, how do we prevent them and, if we’re unable to prevent them, how do we organize to respond as quickly as possible to them. The bottom line is we don’t think we’re ready.”
For the Faith-Based Information Sharing and Analysis Organization (ISAO), hate-based extremism has seen an increase over the past four years as documented by the recent FBI hate crime statistics. What factors do you feel contribute to this and are there steps members can take to minimize their risk both within the U.S. and globally, especially considering missionary work?
Johnson: It’s important to underscore how modern-day extremism bleeds from one ideology to the next in terms of terror crowdfunding: learning from and adopting what has worked for one group, particularly utilizing social media and other online avenues. Religious hate-based extremism such as anti-Semitism along with animus against certain ethnicities and races has, unfortunately, always been present in society, but the spreading of hate and incitement to violence is much more intense and moves at lightning speed now. Think back to the 1994 Rwandan genocide when Hutus slaughtered hundreds of thousands of Tutsi in a mere 100 days: a key driver was a trendy radio station that broadcast grotesque lies about the Tutsi then vowed that “slowly, slowly, slowly, we will kill them like rats.” Popular means of online communication and communities easily whip up lies to justify hate, then incite followers to act on that hatred. The formula has worked for Islamic terror groups in both calls to action and recruitment, and it’s working for both organized and lone perpetrators of hate crimes: think of the Gab trail left by the accused Pittsburgh synagogue shooter.
On that note, groups doing work in the U.S. and globally shouldn’t gauge risk just by whether swastikas are being spray-painted on their doors. Corresponding security in response to physical threats is critical, but they need a layer of awareness through a monitoring service – whether an industry intel firm, nonprofit hate crimes researchers, or agreement with law enforcement – that is paying attention to what hatemongers are saying and inciting online.
Finally, your recent article on terrorism identified five areas that terrorist groups may have signaled their direction and intent moving into 2019. Where do you see the most risk for organizations moving forward?
Johnson: Taking the five points in that piece, let me apply them to organizational risk. First, the disinformation ops: we saw this for an extended period of time after the Vegas mass shooting, when ISIS claimed Stephen Paddock was their jihadist. After getting the fake news out there for long enough, in a sustained high-profile campaign, ISIS seamlessly rolled back their claims and lifted the attack up for jihadists to emulate. Expect them to employ this tactic more in the future. Second, terror groups highlighted accessibility issues to lure recruits with disabilities and also urged unusual attack methods including venomous snakes or electrocution; organizations need to think outside of what they believe a terrorist might look like or how he or she might attack. Third, even as web companies say they’re cracking down on jihadist accounts and the spread of propaganda, know that terror groups are adapting to tech roadblocks and still are getting the information out there – and, consequently, luring recruits. Fourth, the proliferation of propaganda through ISIS-supporting media groups instead of ISIS’ media arm means increased, not decreased, PR power – and these independent operators can be anywhere, like the Chicago computer engineer arrested in October and charged with working on behalf of one of these indie ISIS operations. Fifth, terror groups have been showing distinct curiosity in their communications this year about branching out into bio, agricultural or chemical attacks. It’s beyond time to listen to experts about shoring up our CBNR defenses.