30 May 2017

Breaking the Mirror: South China Sea Policy Revisited

Series Introduction

The current administration has a unique opportunity to reorient the United States’ strategic approach toward China and the South China Sea conflict, placing the U.S. and its allies on a path to an ideal resolution. To achieve this end, the US should replace the recent reactive, myopic, and compartmentalized approach with a proactive, long-term, and comprehensive strategy oriented towards achieving the best possible outcome for US national security interests. The U.S. has failed to take action to preserve and advance its interests during this ongoing conflict despite the unprecedented knowledge and analytic capability available to U.S. leadership through subject expertise within government agencies and think tank organizations. A troubling misunderstanding of China continues to plague the U.S. government, resulting in errors in policy and action towards China’s recent actions. This analysis aims to place potential U.S. foreign policy responses to Beijing’s aggressive expansion in the South China Sea area into the context of the Chinese frame of reference and U.S. objectives. Ultimately, appropriate policies and actions in East Asia should flow from the bottom line objective of US security and economic interests. Relevant policies, alliances, relationships, and all means of influence projections must be developed to reach and maintain these objectives. This discussion will first describe the situation in the South China Sea, and seek to re-evaluate implicit assumptions in recent US government actions. Through a careful revision and examination of assumptions, the U.S. government will be able to craft policies that will help achieve its desired end states. Simultaneously, however, the People’s Republic of China (PRC) is pursuing ends contrary to U.S. objectives within the same space. As with any policy of this nature, therefore, the U.S. must contend with the subject country, the PRC, to achieve its goals. With this in mind, advances in U.S. objectives must be achieved within the context of the least amount of conflict with China. Only by understanding the PRC’s nature and assumptions can the U.S. gain insight into why and how Beijing makes decisions and discover the strengths and weaknesses of its framework to maximize its success. Understanding the Chinese perspective and its resulting decision-making calculus will allow the U.S. to effectively align its actions towards the best outcome to the dispute given its regional objectives. After this, the second part of this series will posit recommendations regarding what U.S. end states in the region might look like, and a path for pursuing these end states with the nature of the adversary in view. Outside of government-level policy making, the discussion is also relevant to private-sector decision makers. If properly understood and implemented, this formula may help put the U.S. in a more advantageous position in East Asia over the course of the next decade. The order of the aforementioned schema is vital, for only by reassessing and correcting where we have been and currently are can an ideal way forward be determined.

Part I: Breaking the Mirror

The first part of the approach towards China is encapsulated in the phrase “breaking the mirror.” This is a reference to “mirror imaging” in decision-making processes, a common analytic concept. The primary idea is that you and your adversary likely hold differing presuppositions and worldviews. Each point of reference inevitably affects decision making and makes itself felt at lower levels of abstraction and in physical events. Students and analysts working in international relations or political science study the history, culture, and language of other nations. This is done based on the assumption, likely well-held, that knowledge gained in these studies will give insight into the map of understanding through which

30 Mar 2017

Iranian Presidential Elections: Suppressing Dissension through Cyber

Introduction

During the next months leading up to Iran’s Presidential elections on 17 May, Iranians will see an increase in cyber espionage leveraged against their systems and accounts. This increase will especially target politically active citizens as well as prolific and politically vocal Iranian-Americans abroad. These attempts by Iran’s intelligence and security services will be designed to collect intelligence on perceived threats to the current ruling structures and political elites. Tactically, these operations will give Iran’s intelligence network the information and access they seek to disrupt the proliferation of views and actions it deems harmful to the outcome of the election results desired by Iran’s theocratic elites. The regime has already shown signs that it will attempt to gain access to social networking sites to both monitor and limit political speech. These attempts involve personal webmail accounts including Gmail and other email services as well as social networking platforms. Among these, Telegram, allegedly the most widely used in Iran, is the most notable.

Who is at risk?

Iran’s cyber espionage programs, like other programs it sponsors, fit into a broader, strategic pathway to achieve its desired end goals. Geopolitically, this translates into regional dominance, as Iran sees itself as the natural dominating force, politically, economically, and culturally, over the Gulf region. Internally, the regime wants to maintain internal stability to allow the current religious and political Shi’a structures to persist in their dominance over the internal political conversation and economic decisions. The motivation for the cyber activity discussed in this analysis is closely linked with Iran’s internal concerns and desired end state. Iran’s targeted intrusion operations ahead of the elections will primarily affect Iranian citizens, dissidents, political opponents of the regime and activists. 
Iran’s Cyber Police (FATA) has already faced pressure from elites within the Supreme Leader’s circle over the past six months to maintain an adequate hold on internet communications leading up to the election. FATA monitors Iran’s social media space for hints of political criticism and unrest, and their monitoring has led to arrests and prosecutions of Iranians on the grounds of treason and inciting social unrest. The Iranian National Guard Corps will play a significant role in monitoring, exploiting, and exerting force over perceived threats to the theocratic establishment originating from the elections and related events. Looking outside its borders, Iran’s ruling elite and its corresponding intelligence service, the IRGC, believe that Washington works tirelessly to undermine or bend Iran’s internal political affairs to its will. Iran views foreign non-governmental organizations, dissidents, and Iranian-American groups as outlets for U.S. influence and covert operations. Tehran suspects these organizations to be fronts owned or controlled by the U.S. government. They suspect that they will work to electoral outcomes or processes. Due to the Trump Administration’s position on Iran following the Obama-brokered nuclear deal, Tehran is especially wary of political dissension and internal conflict. The new U.S. administration has not yet provided details of its foreign policy vis-a-vis Iran and the region. The few impressions and statements made thus far may prompt attempts to penetrate related U.S. information networks in order to gain insights into Washington’s views on and potential plans regarding the upcoming elections. The Iranian government may be even more sensitive to this due to the claims that Russian intelligence services attempted to influence the recent U.S. presidential election. What will targeting look like? 
Security researchers observed the first well-coordinated and widespread cyber espionage targeting against targets both within Iran and abroad following the 2009 Iranian elections in which Mahmoud Ahmadinejad took the Office of the Iranian President. In the wake of this election, Iran’s Green movement emerged. Central to the

09 Feb 2017

DHS report on how terrorists will target sporting events

The U.S. Department of Homeland Security (DHS) has issued an intelligence assessment (dated 2 February 2017) on the potential techniques and tactics that terrorists could use to target sporting events. The report is based upon detailed analysis of sporting event attacks overseas. The report’s key judgements note that: “Five separate plots and attacks against soccer matches or associated venues overseas between June and December 2016 demonstrate the continued interest by foreign terrorist organizations (FTOs) and other violent extremists in targeting sporting events. Violent extremist messaging by FTOs, such as al-Qa‘ida and the self-proclaimed Islamic State of Iraq and the Levant (ISIL), shows that the prospects for media attention and the potential for mass casualties in such attacks likely enhance the attractiveness of targeting high-profile sporting events. Recent plotting underscores terrorist actors aspirations to target both individuals and venues affiliated with sporting events—including spectators, team members, security personnel both at the stadiums themselves or at associated venues—and suggests that security and response planning should consider the implications of attacks against potential secondary targets, in addition to attacks against the primary venue. We also assess that while security measures, such as the presence of metal detectors or armed security, at entrance checkpoints likely deterred some potential operatives from attempting to gain access to stadiums and arenas, plotting likely shifted to locations that were perceived to be less secure. Although terrorists’ interest in attacking sporting events is not new, the number of ISIL-linked plots in the last six months—two of which were directed by Syria-based ISIL operational planners—probably indicates a greater focus on these events by the group in the near future. 
Nevertheless, we assess that complex and coordinated attacks employing multiple tactics and teams of operatives, as seen in at least one recently disrupted ISIL plot, are more likely to occur in locations overseas, such as Europe and the Middle East, than in the United States, based on presence of potential operatives, ease of travel across borders, and proximity to the conflict zones, such as Syria and Iraq. The small number of examples of aspirational or disrupted plotting in the United States targeting stadiums suggests that sporting events are only one of many targets US-based homegrown violent extremists (HVEs) consider for attacks.* We further assess that the most likely scenario for such plotting in the Homeland would involve an HVE or small cell targeting attendees or uniformed security at such an event, likely outside the security perimeter, using simple tactics.” Recent Plots and Attacks Targeting Major Sporting Events Overseas Provide Insight on Potential Tactics and Targets (PDF Report)

09 Feb 2017

US government warns that terrorists want to target hospitals

In a joint intelligence alert issued on 8 February 2017, the Department of Homeland Security, the FBI, and the National Counterterrorism Center (NCTC) warned that ISIS and other terrorists are encouraging attacks on hospitals and other healthcare facilities. According to the alert: “Recent calls over the past year for attacks on hospitals in the West by media outlets sympathetic to the Islamic State (ISIS) highlight terrorists’ perception of hospitals as viable targets for attack. Targeting hospitals and healthcare facilities is consistent with ISIS’s tactics in Iraq and Syria, its previous calls for attacks on hospitals in the West, and the group’s calls for attacks in the West using “all available means”. The pro-ISIS Nashir Media Foundation released a series of messages on 29 December 2016 encouraging lone offenders in the West to conduct attacks on hospitals, cinemas, and malls. In early June 2016, ISIS called for a “month of calamity”, encouraging followers in Europe and the United States to attack schools and hospitals in an audio message released via Twitter. Additionally, in its January 2016 issue of Rumiyah magazine, ISIS provided tactical guidance and encouraged lone offenders to conduct arson attacks on hospitals.”

06 Dec 2016

US Foreign Policy: A Strategic Approach towards China Concerning the DPRK

Last week, a task force assembled by the Council on Foreign Affairs released a report on the current North Korea situation facing the U.S. and its regional allies. The report was conducted following the regime’s unprecedented number of ballistic and nuclear grade missile tests within a single year and its leader’s increasingly belligerent posturing. The report asserts that the previous two U.S. Administrations’ overarching approach towards the DPRK has failed to slow the regime’s path towards weaponized nuclear material. It also argues that due to the danger the volatile regime poses towards its neighbors and eventually the U.S. mainland, halting any further progress of the regime’s nuclear program must become a “front-burner” issue. Also, while the task force presented no original ideas in terms of paths to success, its value lies in the hierarchy in which it places known ideas, as well as in iterating the need for urgent action. There are multiple dangers to U.S. interests from DPRK miniaturization of nuclear materials, including, but not limited to, the following:

- An existential threat to the U.S. when the regime’s nuclear weapons are able to reach the U.S. mainland
- The regime’s ability to use nuclear arms as a means of increasing influence on regional and international politics
- The option for the desperate and reckless regime to sell the weapons to the U.S.’s many adversaries for profit, including Iran or international terrorist organizations

The task force also accurately judged that, regardless of action taken, the People’s Republic of China’s (PRC) involvement will define any policy’s ultimate success or failure. While official sanctions implemented by UN partners have done little to change the regime’s position on advancing with its nuclear weapons program and committing human rights abuses against its own populace, they have made China Pyongyang’s primary benefactor. 
While the PRC has agreed to the UN resolution on sanctions towards the DPRK regime on paper, it has continued to provide “food & fuel” and economic channels for capital to flow in and out of the country. This state of affairs has put the PRC in a unique position; if it so chooses, it has the power to deal a devastating economic blow to the regime. The PRC has the most leverage in terms of cutting off essential resources, given its geographic position on North Korea’s sea-lanes and land border. This position enables the PRC to restrict and permit trade in and out of North Korea. Beijing’s foreign policy priorities, however, are oriented toward its own critical priorities: internal stability and sustained economic growth. Beijing has opted to save face with the international community regarding complaints on how it treats its own citizens and its aggressive expansion in the South China Sea. It expects, quite rightly, that its economic power will save it from any repercussions besides international political virtue signaling, while helping the adjacent regime in Pyongyang remain relatively stable. While the PRC would prefer a less troublesome regime on the Korean peninsula, it does not have the same geostrategic or defense concerns as the U.S. This difference is the essential source of friction between the U.S. and the PRC in cooperating on this issue. A higher priority on Beijing’s list is ensuring the regime remains intact so that any negative effects do not spill over into China. This position contrasts heavily with the US ideal of replacing the totalitarian Communist state with a pro-Western, democratic government. The task force also suggested that a united Korean peninsula (under a U.S. friendly government) would be unfavorable to Beijing. The task

11 Oct 2016

Inside ISIS’s English-Language Magazine

With the slow but steady recovery of ISIS-held lands across Iraq and Syria, analysts are warning of a surge in ISIS-inspired attacks across Europe and the US as the terrorist group changes tactics. The latest magazine from Al Hayat Media Center, the ISIS media wing, confirms this shift in emphasis with an explicit charge to target “businessman riding to work in a taxicab, the young adults (post-pubescent “children”) engaged in sports activities in the park, and the old man waiting in line to buy a sandwich…Indeed, even the blood of the kafir street vendor selling flowers to those passing by is halal to shed – and striking terror into the hearts of all disbelievers is a Muslim’s duty.” Rumiyah (Rome) Magazine published its first issue in September and, unlike most ISIS propaganda, was published in English, French, German, Indonesian, Turkish, and Russian in addition to Arabic. The magazine’s foreword begins with a eulogy for a fallen ISIS commander and a reminder to the “faithful” that the death of any one man is irrelevant to the preservation of the muwahidden. 
“…Those fools do not realize that Allah preserves His religion however He wills, and this religion will remain established and will not be damaged by the death of any person…” After the foreword, the 38-page publication is divided into 7 articles and a summary of recent ISIS operations, including those of affiliates in Somalia, the Philippines, and Russia (“As the soldiers of the Khilafah continue waging war on the forces of kufr, we take a glimpse at a number of recent operations conducted by the mujahidin of the Islamic State that have succeeded in expanding the territory of the Khilafah, or terrorizing, massacring, and humiliating the enemies of Allah.”)

Articles:

- The Religion of Islam and the Jama’ah [“body” or “worldwide community”] of the Muslims – a summary of various core ISIS doctrines with heavy exegesis from the Quran
- Interview with the Amir of the Central Office for Investigating Grievances
- Among the Believers are Men: Abu Mansur al-Muhajir – a eulogy for recently killed ISIS militant and recruiter from Australia who spent four-and-a-half years in prison for a plot to detonate a bomb in a stadium during an Australian Football match. He died outside of Aleppo when “a piece of shrapnel struck him and tore his chest open, bringing him what he had long awaited – shahadah in the path of Allah.”
- O Women, Give Charity – a charge to women, who are “excused” from fighting, to do their part by waging jihad with their “wealth, souls, and tongues.”
- The Wicked Scholars are Cursed – an explanation of the necessity of violent jihad within ISIS theology and a repudiation of all other Muslim scholars who reject it
- The Virtue of the 10 Days of Dhul-Hijjah and the Acts of Worship Therein – an explanation on the observances for Dhul-Hijjah, the “best ten days of the year according to Allah.”
- The Kafir’s Blood is Halal for You: So Shed It – the final article in the publication and subject of concentrated western attention.
“The Kafir’s Blood is Halal for You: So Shed It” The most immediately relevant for Western readers, this article declares “anyone who is neither a Muslim nor a dhimmi kafir [a non-Muslim who pays a special tax, subjects themselves to special laws, and deserves regular “humiliation”] is a hostile tyrant deserving aggression.” It continues its internal line of reasoning with additional interpretations of Hadith and other

06 Oct 2016

DHS Warns of Regional Power Outages Associated with Hurricane Matthew

The Department of Homeland Security has issued a FOUO warning regarding expected widespread regional power outages as a result of Hurricane Matthew coming ashore in Florida. According to DHS, there is a 51 to 100 percent electric power outage zone that contains 34 electric generating stations, 279 substations, and 1 nuclear power plant. Hurricane Matthew Electric Grid Impact

04 Oct 2016

DHS Issues Alert on U.S. Election Hacking

The United States Department of Homeland Security has issued an Intelligence Assessment on the Cyber Threats and Vulnerabilities to U.S. Election Infrastructure. The report, which primarily downplays the risk of hacking election systems, appears to conflict with recent FBI Director testimony stating that at least 20 states have been electronically probed with four suffering hacking related intrusions. The report does note that “multiple elements of US election infrastructure are potentially vulnerable to cyber intrusions. The risk to US computer-enabled election systems varies from county to county, between types of devices used, and among processes used by polling stations.” The key judgements also include:

- DHS has no indication that adversaries or criminals are planning cyber operations against US election infrastructure that would change the outcome of the coming US election. Multiple checks and redundancies in US election infrastructure—including diversity of systems, non-Internet connected voting machines, pre-election testing, and processes for media, campaign, and election officials to check, audit, and validate results—make it likely that cyber manipulation of US election systems intended to change the outcome of a national election would be detected.
- We judge cybercriminals and criminal hackers are likely to continue to target personally identifiable information (PII), such as that available in voter registration databases. We have no indication, however, that criminals are planning theft of voter information to disrupt or alter US computer-enabled election infrastructure.

Other elements of the report note the resiliency of the voting infrastructure, but also the potential for nation-state disruption.

No Indication of Cyber Operations to Change Vote Outcome

DHS has no indication that adversaries or criminals are planning cyber operations against US election infrastructure that would change the outcome of the coming US election. 
Multiple checks and redundancies in US election infrastructure—including diversity of systems, non-Internet connected voting machines, pre-election testing, and processes for media, campaigns and election officials to check, audit, and validate results—make it likely that cyber manipulation of US election systems intended to change the outcome of a national election would be detected. We assess that successfully mounting widespread cyber operations against US voting machines, enough to affect a national election, would require a multiyear effort with significant human and information technology resources available only to a nation-state. The level of effort and scale required to change the outcome of a national election, however, would make it nearly impossible to avoid detection. This assessment is based on the diversity of systems, the need for physical access to compromise voting machines, and the security and pre-election testing employed by state and local officials.* In addition, the vast majority of localities engage in logic and accuracy testing, which work to ensure voting machines operate and tabulate as expected—before, during, and after the election. We judge, as a whole, voter registration databases are resilient to systemic, nationwide cyber manipulation because of the diverse systems and security measures surrounding them. Targeted intrusions against individual voter registration databases, however, are possible. Additionally, with illicit access, manipulation of voter data, or disruptions to their availability, may impact a voter’s ability to vote on Election Day. Most jurisdictions, however, still rely on paper voter rolls or electronic poll books that are not connected in real-time to voter registration databases, limiting the possible impacts in 2016. Voting precincts in more than 3,100 counties across the United States use nearly 50 different types of voting machines produced by 14 different manufacturers. 
The diversity in voting systems and versions of voting software provides significant security by complicating attack planning. Most voting machines do not have active connections to the Internet. We assess the impact of an intrusion into vote tabulation systems

19 Sep 2016

FBI Seeking Info in NYC/NJ Bombings

The FBI is asking for assistance in locating Ahmad Khan Rahami. Rahami is wanted for questioning in connection with an explosion that occurred on September 17, 2016, at approximately 8:30 p.m. in the vicinity of 135 West 23rd Street, New York, New York. Rahami is a 28-year-old United States citizen of Afghan descent born on January 23, 1988, in Afghanistan. His last known address was in Elizabeth, New Jersey. He is about 5’ 6” tall and weighs approximately 200 pounds. Rahami has brown hair, brown eyes, and brown facial hair. SHOULD BE CONSIDERED ARMED AND DANGEROUS If you have any information concerning this case, please contact the FBI’s Toll-Free Tipline at 1-800-CALL-FBI (1-800-225-5324), your local FBI office, or the nearest American Embassy or Consulate.

30 Aug 2016

Increasing Use of Ransomware May Threaten US Civilian Government and Critical Infrastructure Networks

The U.S. Department of Homeland Security’s Office of Intelligence and Analysis has released a new Intelligence Report detailing the risk ransomware poses to U.S. civilian and critical infrastructure networks. According to the report: I&A assesses ransomware campaigns are spreading rapidly as a result of widely available access to ransomware or its source code in underground markets and media reports on ransomware profits, increasingly threatening US government and civilian systems, especially those that enable critical services and key resources, by denying legitimate users access to their data. New ransomware variants display increasingly advanced functions and capabilities, such as targeted delivery techniques, obfuscation mechanisms, persistence capabilities, and backup system deletion tools that constitute a high threat to US networks. Cybercriminals since at least the spring of 2016 have been using a variety of increasingly sophisticated mechanisms to distribute ransomware more effectively than they had in the past, such as advanced phishing campaigns using spoofed e-mail addresses and content, water-holing techniques, system vulnerability exploitation, and well-established botnet infrastructures. Non-traditional ransomware users, such as criminal hackers or state-sponsored cyber actors, may use ransomware variants as a means to obtain and maintain persistent illicit access to targeted networks not only to facilitate denial and destruction of data, but also as a distraction to obfuscate other types of fraudulent activity and cyber espionage. Ransomware Growth and Maturity Brings New Threats The overall use of ransomware campaigns is spreading rapidly as a result of widely available access to ransomware in underground markets and media reports on ransomware profits, increasingly threatening US government and civilian systems, especially those that enable critical services and key resources, by denying legitimate users access to their data. 
Cyber actors since at least 2013 have deployed data-encrypting ransomware indiscriminately against US businesses, universities, maritime vessels, healthcare providers, emergency services providers, and SLTT governments to deny access to data until ransom demands have been met. These schemes in 2015 generated more than $24 million in illicit revenue, typically in bitcoin, according to a news article citing the FBI. Ransomware campaigns experienced significant growth and increasing maturity in the past year as a result of the release of multiple ransomware variants in underground cyber markets, increased media coverage of ransomware campaign profits, and strong supply and demand in underground cyber markets. The number of ransomware variants released on underground markets nearly doubled in mid-2015, according to open source reports and other data received by the National Computer Emergency Response Team in the United Kingdom, also known as CERT-UK. The surge in ransomware variants coincided with increased media coverage of ransomware profits, according to a CERT-UK assessment. Additionally, ransomware source code was released in the underground cyber market between late 2015 and early 2016, enabling the development of customization features and allowing cyber actors to modify and make improvements to the malware. For example, a cyber actor using the nickname “RADAMANT” in January 2016 advertised the sale of RADAMANT ransomware malware source code in the Russian underground criminal forum exploit.in, according to a collaborative FBI source with excellent access, some of whose reporting has been corroborated in the past year. The same actor initially advertised the RADAMANT kit for rent in December 2015 in the same forum, offered technical support, and secured hosting services, according to the same source. 
New Variants Display Increasingly Advanced Functions and Capabilities New ransomware variants display increasingly advanced functions and capabilities—such as targeted delivery techniques, obfuscation mechanisms, persistence capabilities, and backup system deletion tools—that constitute a high threat to US networks. For example, the ransomware Locky is deployed in a multi-stage, targeted fashion against vulnerable systems and can locate and
