CHASING LIGHTNING — WHY CONTEMPORARY DOMESTIC COUNTERTERRORISM EFFORTS AREN’T WORKING
“Unprecedented” attacks and plots are so commonplace now that we see them as precedented…
Disclaimer: The information presented in this writing is derived from professional experience and publicly accessible resources. The opinions and observations expressed within this Practitioner's Blog are intended solely for informational purposes and reflect only the author's individual views and insights.
The United States faces a critical challenge. Despite a labyrinth of preventative measures, mitigation strategies, and bolstered law enforcement operations designed to shield us from the threats of terrorism, domestic violent extremism (DVE), and targeted violence, attacks continue to occur. Threat actors often evade detection until it’s too late, leaving the public grappling with the harrowing question: How could we not have seen this coming?
Those of us on the front lines understand precisely why this keeps happening. Our established counterterrorism and DVE prevention methods are outdated and woefully inadequate. A cornerstone of these efforts, the Nationwide Suspicious Activity Reporting Initiative (NSI), desperately needs reevaluation.
Conceived in the aftermath of 9/11, the NSI was designed to foster enhanced information sharing and coordination among federal, state, and local law enforcement and the public to identify and report potential indicators of terrorism. This collaboration is intended to flow through the 80 fusion centers—state and local intelligence hubs—that operate across the U.S. and its territories.
Despite a well-established information-sharing structure, the NSI-based mechanisms for sharing critical terrorism-related intelligence have not kept pace with what is needed to counter contemporary threats such as homegrown violent extremism, terrorism, domestic violent extremism, and targeted violence. The existing information-sharing platforms, reminiscent of outdated systems like Windows 98 and Vista, contribute to this deficiency.
The primary mechanism for information sharing within the domestic intelligence framework, particularly among fusion centers and the FBI, is flawed. It operates like a black hole: agencies that submit Suspicious Activity Reports (SARs) are often left unaware of which reports will not be acted upon or coordinated by the Joint Terrorism Task Force (JTTF). As a result, prosecutable cases and investigable incidents remain unresolved, even when they could be acted upon by fusion centers and state and local law enforcement agencies. Moreover, access to sensitive databases and the ability to exploit them vary significantly across the fusion center network, hindering critical insights needed to identify credible threats.
However, let’s be clear: The issue isn’t with the coordination and information-sharing infrastructure. Fusion Centers, the Department of Homeland Security (DHS), law enforcement, and the FBI’s Joint Terrorism Task Force (FBI-JTTF) serve as the unsung sentinels of our communities. They work tirelessly to protect us, often without the recognition they deserve. The crux of the problem lies in the detection and reporting structure, which is plagued by two significant shortcomings: (i) a severe undervaluation and lack of training regarding open-source intelligence (OSINT) and (ii) an overwhelming reliance on observable indicators of suspicious activity.
What does this mean in practical terms? According to the NSI, there are 16 vetted and defined indicators of suspicious activity—ranging from expressed threats to physical intrusion attempts to cyberattacks. While this list may seem comprehensive, it disproportionately focuses on physically observable actions. This outdated approach fails to account for the evolving tactics of today’s terrorists and violent extremists, who often operate in the shadows, utilizing technology and anonymity to evade detection.
We have witnessed advancements from threat actors firsthand. On February 3, 2023, Brandon Russell and Sarah Clendaniel were arrested for conspiring to attack the U.S. electrical grid in Maryland. Their accelerationist goal was to destabilize institutional trust, cause civil unrest, and strategically catalyze the downfall of Western society toward their neo-Nazi aim of establishing a white-ethnic state. While their ideology is barbaric and abhorrent, their tactics during preoperative planning for the attack were highly sophisticated.
In particular, both used Telegram, the end-to-end encrypted chat platform of choice, which provided heightened OPSEC during sensitive planning stages by separating First Amendment-protected speech from criminal plotting.
Russell also leveraged a publicly available online tool that maps critical infrastructure globally with shocking precision during planning and preparation. His use of this online resource shows that what, if physically observed, would have been defined as observation/surveillance, eliciting information, and acquisition of expertise could be conducted entirely online.
Russell was very likely under FBI surveillance due to his involvement in the accelerationist, neo-Nazi network Atomwaffen Division. Without that prior monitoring, the public, law enforcement, and intelligence agencies would have been unable to observe and report on the pair's activities. It’s worth noting that ECHO has similarly utilized publicly available resources and mapping to target numerous threat actors following foiled plots. This isn’t the only way the environment has changed.
If you were to ask any fusion center analyst or sworn personnel what the most commonly reported 'suspicious activity' is, they would likely say 'expressed or implied threats.' The public is quite effective at reporting these threats. However, most reported threats emerge on popular social media platforms like X, Instagram, TikTok, Snapchat, and Facebook. In contrast, threats made via darker, more elusive communications platforms and online message boards often go unnoticed. Unfortunately, law enforcement and intelligence communities focused on domestic counterterrorism efforts often lack the resources and training to track, monitor, and actively hunt these hidden threats.
The acquisition of expertise is similarly conducted almost exclusively online and is encouraged among threat actors. Across dark platforms, messaging forums, and archive websites, terrorists and violent extremists share information, guidance, and specific attack tactics, targets, and procedures designed to help those on the path to violence achieve the highest possible efficiency and impact. Whether it comes from accelerationist networks like Terrorgram or foreign terrorist organizations like ISIS, this attack guidance and information transcends ideological boundaries. Whether the subject is manufacturing improvised explosive or incendiary devices, building 3D-printed firearms, constructing novel deployment devices, or evading law enforcement surveillance, guidance on these destructive ideas is merely a few keystrokes away online.
To effectively combat the contemporary threats of domestic terrorism, violent extremism, and targeted violence, the domestic intelligence apparatus must adopt a more holistic approach that integrates Open-Source Intelligence (OSINT) and adapts to the increasingly sophisticated methods employed by malicious actors. We cannot rely solely on visible threats; we must cultivate a culture of vigilance that empowers citizens and practitioners alike to recognize and report suspicious behaviors that may not fit within the narrow definitions of the past.
There is some hope. The Office of the Director of National Intelligence (ODNI) recently released an unclassified "Intelligence Community OSINT Strategy" for 2024-2026. This strategy explicitly acknowledges the importance of OSINT for national security and strategic defense. Additionally, it highlights the significance of the private sector and academia in establishing cutting-edge techniques in OSINT. Recognition, resources, training, and modernization of the National Security Infrastructure (NSI) will be critical in the coming years. I hope that progress is being made at the highest levels of law enforcement and the intelligence community, but hope alone is not a course of action. Until then, the unseen sentinels in the fusion center network, state and local law enforcement, the Department of Homeland Security (DHS), and the FBI's Joint Terrorism Task Forces (JTTFs) will remain vigilant.
To those sentinels: Good hunting.
- Bishop