STRENGTH ANALYSIS
MULTI-JURISDICTIONAL
INTELLIGENCE SHARING:
HOMELAND SECURITY
INFORMATION NETWORK
(HSIN)

Additional Information provided in Download

 By Michael Prasad, CEM
Emergency Management Intelligence
Analyst

EXTREMIST VS . TERRORIST : SHOULD IT MATTER TO EMERGENCY MANAGEMENT
PRACTITIONERS ?

There are obstacles to information sharing between the U.S. Intelligence community and
state/local law enforcement agencies, most emanating from the USA Patriot Act. Designation as terrorism may or may not bring additional benefits to threat Protection and Prevention (two elements of Disaster Readiness, for which Emergency Management practitioners are responsible for – outweighing the impacts to U.S. civil liberties.

As part of a standard “SWOT” Analysis – one strength that law enforcement agencies within the United States is the Homeland Security Information Network (HSIN). Emergency Managers, not just law enforcement, need to keep in mind their organization’s disaster readiness (resiliency) along the normal standard disaster phases of Protect/Prevent/Prepare, Respond, Recover and Mitigate – including the adverse impacts that can be generated by these threats. Tools and techniques – along with collaboration, coordination,
cooperation, and communication – to and from the military and civilian intelligence agencies can assist emergency management practitioners at all levels of government.

DURING AN INCIDENT IS NOT THE TIME TO BE EXCHANGING BUSINESS CARDS

More information about HSIN can be found at https://www.dhs.gov/emergency-services. While designed as a law-enforcement collaboration and communication tool, the expansion to include emergency management should be included. There are a number of incident types which start out as law- enforcement only, yet quickly expand into fire, rescue, public health, transportation, critical infrastructure impacts, and more. There are also international intelligence concerns which transport themselves into U.S. Domestic threats and hazards, as well. The more that an Emergency Manager understands “left of boom”: in the Preparedness/Protection/Prevention phases, the better they are prepared – and ready – for the Response and Recovery work needed. These relationships and connections need to be working and in place, all the time – not just when something bad happens.

The concept of Emergency Management Intelligence is the curation and dissemination of these various intelligence aspects to Emergency Management officials before, during and after incidents happen. It takes what was designed by DHS through FEMA and applies it to an all-hazards approach, not just one that Prevents/Protects against Terrorism. The case for information-sharing beyond local law-enforcement into Emergency Management will be shown here through human-threat examples, but what is key to Emergency Management is the consistent use of tools and systems on an all- hazards approach. This is vital knowledge to have, for both complex coordinated attacks as well as attacks by adversaries during natural or other disasters, when our nation is perceived as being crippled or under duress already.

Under a Response/Recovery incident command structure by governmental and non-governmental partners, this is applicable to the Incident Action Planning, through Unified Command and the use of the Intelligence branch.

HSIN, as one of the tools in the toolbox for Emergency Responders, has a role in this curation and dissemination of Emergency Management Intelligence. Federal Intelligence Community members –both military and non-military – can make determinations on threats/hazards which should be shared with local law enforcement and other emergency management officials. The movement of classified status to sensitive but unclassified, can be performed – including with redaction and protection of civil rights of US persons. Emergency Management has a very specific – and important – use case need for this intelligence.

EXAMPLES OF EMERGENCY MANAGEMENT INTELLIGENCE NEEDS , HELPED BY HSIN

The FBI notes that terrorism threats impacting the United States (and therefore U.S. Emergency Management) has two key factors of recent impact:

  • Lone offenders: Terrorist threats have evolved from large-group conspiracies toward lone-offender attacks. These individuals often radicalize online and mobilize to violence quickly. Without a clear group affiliation or guidance, lone offenders are challenging to identify, investigate, and disrupt. The FBI relies on partnerships and tips from the public to identify and thwart these attacks.

  • The Internet and social media: International and domestic violent extremists have
    developed an extensive presence on the Internet through messaging platforms and online images, videos, and publications. 4 These facilitate the groups’ ability to radicalize and recruit individuals who are receptive to extremist messaging. Social media has also allowed both international and domestic terrorists to gain unprecedented, virtual access to people living in the United States in an effort to enable homeland attacks. The Islamic State of Iraq and ash-Sham (ISIS), in particular, encourages sympathizers to carry out simple attacks wherever they are located—or to travel to ISIS-held territory in Iraq and Syria and join its ranks as foreign fighters. This message has resonated with supporters in the United States and abroad (FBI, 2021).

Artificial Intelligence and Machine Learning are technological advances maliciously being used by FTOs and DVEs to increase their reach and distribution of social media disinformation.  These same tools can be utilized by “good actors” (government and the private sector, especially social media corporate giants) to prevent disinformation campaigns and protect the public, as noted previously.

CONNECTING WHAT HAPPENS ON THE INTERNET TO REAL -WORLD THREATS

The Q-Anon network, designated as a domestic violent extremist threat in 2019, had a “PizzaGate” disinformation campaign that resulted in actual violent incidents.  West Point’s Combating Terrorism Center has a detailed analysis of how their disinformation campaigns have generated lone offender participation in real world criminal activity.  The analysis and investigations into the January 6, 2021 attack on the U.S. Capitol – and its nexus to social media disinformation campaigns – is still in progress. At the very least, the FTOs have been amplifying and capitalizing on these events to further spread their own disinformation.

An October 2020 U.S. Department of Homeland Security Homeland Threat Assessment Report noted that “Russian influence actors also posed [online] as U.S. persons and discouraged African Americans, Native Americans, and other minority voters from participating in the 2016 election” (DHS, 2020, pp. 12-13).

That same report noted that foreign disinformation is not limited to national level impacts:

 

  • China views a state or locality’s economic challenges—including healthcare challenges due to COVID-19—as a key opportunity to create a dependency, thereby gaining influence. Beijing uses Chinese think tanks to research which U.S. states and counties might be most receptive to China’s overtures.

  • During the beginning of the COVID-19 outbreak, Beijing leveraged sister city relationships with U.S. localities to acquire public health resources. In February [2020], Pittsburgh shipped its sister city, Wuhan, 450,000 surgical masks and 1,350 coverall protective suits. Pittsburgh also established a GoFundMe account that raised over $58,000 to support Wuhan response efforts by providing medical supplies.

  • In Chicago, Chinese officials leveraged local and state official relationships to push pro-Chinese narratives. Also, a Chinese official emailed a Midwestern state legislator to ask that the legislative body of which he was a member pass a resolution recognizing that China has taken heroic steps to China has taken heroic steps to fight the virus. (DHS, 2020, p. 13)

 

WHAT CAN EMERGENCY MANAGERS DO TO INCREASE THEIR READINESS TO SOCIAL MEDIA DISINFORMATION ?

Actions may speak louder than words, but those words can incite violence and generate threats and risks. Emergency managers already know the power of social media as it relates to public information alerts and warnings. They themselves (and through their governmental leaders) must be the trusted source for accurate and timely information needed to maintain life safety, incident stabilization, and property/asset protection before, during and after a disaster. Many times, the communications (both to and from the public) are expedited and amplified by social media.  In some cases, social media may be the preferred (or only) way for members of the public to communicate with emergency management during a disaster. Disinformation campaigns can hinder or even threaten this method of communication – and can impact operations, finance/administration, planning, and logistics.

Emergency Managers should be connected to the Federal resources for Intelligence on FTO and DVE disinformation campaigns on a steady-state basis. This information should not be siloed within Law Enforcement only.

  • If possible, connect with the CISA and other resources directly. Utilize governmental
    collaboration systems such as HSIN and maintain a constant connection between law enforcement and emergency management. At the state level, utilize Fusion Centers for this type of threat, in addition to the others.

  • Maintain your own cyber-monitoring capabilities. Connect with academic researchers and other private sector partners who also monitor for cyber threats.

  • Do both of the above – one example of this is the State of New Jersey. Their Fusion Center is populated by both their State Police (who also operate that state’s Office of Emergency Management – one of only two states in the Nation, Michigan being the other – to operate this way) and their Office of Homeland Security and Preparedness (OHS&P) which reports directly to the Governor’s Office. In addition to generating its own threat analysis, the NJ OHS&P also has a robust Cybersecurity and Communications Integration Cell, which also provides public/private information alerts and sharing.  In many ways, there is too much data out there for social media monitoring (especially open-source data), including what is available on disinformation campaigns. Organizations may need to utilize aggregator and filtration software to help focus the view to the areas important to them specifically. One example of this is Swan Island Technologies TX360 product, which is used by Allied Universal Security amongst others, to help “Mitigate Risk and Improve Response and Recovery.”

  • Countering disinformation campaigns requires the coordination of the organizations impacted with local, state, tribal and territorial governments. Emergency management can utilize their own public information capabilities, through their crisis communications team. This is true for private sector organizations as well as public ones.

  • Consider building communications templates in advance for disinformation campaigns, along the same lines as for fictitious disasters.

  • Exercise these templates (and the team which will implement/activate them) on a regular, continual basis. Consider current examples in the media impacting other organizations (or even other countries) and exercise the “what if this had happened to us?” aspects. Evaluate those exercises and make needed improvements to the Planning, Organization, Equipment and Training of the Crisis Communications Team.

  • Countering disinformation campaigns should not be limited to only “fighting back” via social media. The public may learn about the disinformation campaign from other sources and they themselves may not get their information via social media. And do not forget all the various languages that your constituents may use (including American Sign Language); as well as making sure your counter-messaging is accessible to people with disabilities and access/functional needs.

  • Finally, Emergency Managers are consequence management planners. The view that a
    Disinformation Campaign may be connected to another threat or hazard – or even that groups may be working in concert to promote complex coordinated attacks, is one which needs to be part of the Planning for both steady-state and disaster Operations.

OUR ADVERSARIES COORDINATE , COLLABORATE , COOPERATE , AND COMMUNICATE AS WELL

Reducing the “Pink Slice” 20 – what one does not know they do not know – about a threat or hazard to any operations is part of the continuous vigilance needed for Intelligence and Situational Awareness. The graphic at the end of this report illustrates how these clashes can occur – and sometimes even ad hoc collaborations and coordination between disconnected groups can make a bad situation worse:

  • 2017 Protest Events in Charlottesville, Virginia. 21 Multiple alt-right wing groups, white
    supremacy groups, anti-government groups had hand-to-hand combat events with
    Antifa, Black Lives Matter and other alt-left wings groups, even after propaganda
    campaigns indicated these would be “peaceful” free-speech protests.

  • A January 6, 2021, political rally moves towards U.S. Capitol and becomes a massive
    civil unrest incident and a possible insurrection against the United States Government.
    Multiple alt-right wing groups, white supremacy groups, anti-government groups had
    hand-to-hand combat events with U.S. Capitol Police and other law enforcement
    agencies. Some have described the shortfalls that day in the Protection and Prevention
    efforts, as a failure of intelligence sharing amongst local, state and federal entities.

  • While Emergency Managers do not necessarily need to consider whether the COVID-19
    pandemic was itself a terrorist act (the causality – or why – of incidents, disasters, etc. is
    not as critical as the adverse impacts generated), COVID-19 certainly had an impact on
    DVEs and FTOs. Pandemics – especially worldwide ones – may be considered a “global natural experiment that offers insight into causal processes” 23 by terrorists and
    extremists, for their own nefarious purposes.