Homeland Threat Assessment Finally Released

After a whistleblower filed a complaint, DHS released its assessment of threats to the U.S. and there is a gap between the acting Secretary’s views and the report itself on domestic violence and Russian interference with the election.

The United States Department of Homeland Security (DHS) has released its first Homeland Threat Assessment (HTA) that covers the gamut of groups, individuals, and trends posing risks to the United States (U.S.). As cybersecurity and terrorism are in the DHS portfolio, both figure prominently in the report. However, the HTA has been the object of controversy arising from a DHS whistleblower who claimed about a month ago that DHS leadership, including acting Secretary Chad Wolf, urged the downplaying of Russian election interference and white supremacist violence in order to please the White House. The HTA had been completed in March, and the official in charge of intelligence and analysis refused multiple requests to change the conclusions in these aspects. Consequently, the document released by the agency seems to have been prompted by the filing of the whistleblower complaint and has a foreword ostensibly written by Wolf that emphasizes a narrative aligned with the White House’s while the body of the report draws different conclusions.

In early September, former Principal Deputy Under Secretary in the Office of Intelligence and Analysis Brian Murphy filed a whistleblower reprisal complaint against DHS for providing intelligence analysis the Trump White House and DHS did not want, mainly for political reasons, and then refusing to make alterations to fit the Administration’s chosen narrative on issues, especially on the Russian Federation’s interference in the 2020 Election. Murphy alleges “he was retaliatorily demoted to the role of Assistant to the Deputy Under Secretary for the DHS Management Division” because he refused to comply with orders from Wolf. Specifically, he claims:

  • In mid-May 2020, Mr. Wolf instructed Mr. Murphy to cease providing intelligence assessments on the threat of Russian interference in the United States, and instead start reporting on interference activities by China and Iran. Mr. Wolf stated that these instructions specifically originated from White House National Security Advisor Robert O’Brien. Mr. Murphy informed Mr. Wolf he would not comply with these instructions, as doing so would put the country in substantial and specific danger.

Regarding the HTA, Murphy claimed (and I know it’s a long excerpt but worth your time to read):

  • In March 2020, Mr. Murphy’s team at DHS I&A completed a HTA. Completion of the HTA was a requirement set forth by Acting Secretary Kevin McAleenan prior to his departure from DHS. Mr. Murphy was intimately involved in the editing and crafting of the HTA. Following its completion, the HTA was distributed by Mr. Glawe to Messrs. Wolf, Cuccinelli, and Gountanis. Shortly after the distribution, Mr. Glawe was informed that further distribution of the HTA was prohibited due to concerns raised by Messrs. Wolf and Cuccinelli regarding how the HTA would reflect upon President Trump. Two sections were specifically labeled as concerns: White Supremacy and Russian influence in the United States. Mr. Murphy stated to Mr. Glawe that this constituted an abuse of authority by Messrs. Wolf and Cuccinelli, and Mr. Glawe concurred with that assessment.
  • In May 2020, Mr. Glawe retired, and Mr. Murphy assumed the role of Acting Under Secretary. In May 2020 and June 2020, Mr. Murphy had several meetings with Mr. Cuccinelli regarding the status of the HTA. Mr. Cuccinelli stated that Mr. Murphy needed to specifically modify the section on White Supremacy in a manner that made the threat appear less severe, as well as include information on the prominence of violent “left-wing” groups. Mr. Murphy declined to make the requested modifications, and informed Mr. Cuccinelli that it would constitute censorship of analysis and the improper administration of an intelligence program.
  • On July 8, 2020, Mr. Murphy attended a meeting with Mr. Wolf and his Deputy Chief of Staff, Scott Erickson (“Mr. Erickson”). Mr. Murphy asked Mr. Wolf about the status of the HTA. Mr. Wolf relayed the concerns previously outlined by Mr. Cuccinelli regarding the sections on White Supremacy and Russian influence. Mr. Wolf asked for a copy of the HTA so it could be reviewed by policy officials, and so that information regarding the ongoing unrest in Portland, Oregon, could be added into the HTA. Mr. Wolf asked Mr. Murphy if he would accept his edits. Mr. Murphy responded that he would not concur with any edits that altered the underlying intelligence in the HTA, as any such action would constitute an abuse of authority and improper administration of an intelligence program. 
  • Completion of the HTA was subsequently handled by other DHS officials without consultation with Mr. Murphy. Another draft of the HTA was completed in August 2020:  Mr. Murphy did not work on that version of the HTA. On September 3, 2020, Mr. Murphy learned the new draft was provided to Mr. Wolf, who had ordered the HTA to be redesigned with the policy office completing the revisions. It is Mr. Murphy’s assessment that the final version of the HTA will more closely resemble a policy document with references to ANTIFA and “anarchist” groups than an intelligence document as originally formulated by DHS I&A.

As noted, Wolf’s foreword to the HTA reads more like standard Trump Administration talking points than the report itself. Wolf hints at groups other than white supremacists being responsible for domestic violence and terrorism and takes the approach that it is not Russia alone that threatens the 2020 Election.

However, the scrutiny created by Murphy’s complaint or infighting at DHS resulted in Wolf’s foreword not engaging in too many “both sides” claims with respect to domestic terrorism. For example, he argues DHS designed its “programs to be threat agnostic – ensuring that we can combat a broad range of domestic threats” even though the body of the report makes clear that it is extremists on the right, mostly white supremacists, who are responsible for the spate of domestic terrorism and violence in the U.S. And yet, even in the report, there is no link between the white supremacists and coded language the Republican Party has used since President Richard Nixon’s Southern Strategy was built on wooing racist white Southerners from the Democratic Party that had championed the Civil Rights Act of 1964 among other legislation. In any event, Wolf asserted “I am particularly concerned about white supremacist violent extremists who have been exceptionally lethal in their abhorrent, targeted attacks in recent years.” It bears note Wolf seems only concerned about “white supremacist violent extremists” specifically and not “white supremacists” generally. Perhaps this is explained by Wolf’s nod to the First Amendment right to believe what one wants? Or, in light of Murphy’s whistleblower complaint, this is a softening of claims about white supremacists that dovetails with statements made by President Donald Trump after the white supremacist march and violence in Charlottesville, Virginia or in the first debate against Vice President Joe Biden.

Yet Wolf’s next sentence is phrased weirdly and seemingly disconnected from his concern about white supremacists. He claimed that “I am proud of our work to prevent terrorizing tactics by domestic terrorists and violent extremists who seek to force ideological change in the United States through violence, death, and destruction.” He separates “domestic terrorists” from “violent extremists” and seemingly worries about “violence, death, and destruction.” It is this last word that seems to be a nod towards White House and Republican narratives that portray the ongoing protests against police killing African Americans without justification, which do sometimes involve property destruction, as being an equal threat to white supremacists seeking to kill or intimidate these very protestors. In this same vein, Wolf contended:

During the course of developing the HTA we began to see a new, alarming trend of exploitation of lawful protests causing violence, death, and destruction in American communities. This anti-government, anti-authority and anarchist violent extremism was identified by DHS in September 2019 when we published our Strategic Framework for Countering Terrorism and Targeted Violence. As the date of publication of this HTA, we have seen over 100 days of violence and destruction in our cities. The co-opting of lawful protests led to destruction of government property and have turned deadly.

This seems very much in the vein of “there are fine people on both sides” (i.e., Trump’s remarks about Charlottesville) because it conflates the sources of the violence and equalizes the protestors and counter-protestors. This has been a policy viewpoint the Administration has trafficked in to make it seem as if the largely peaceful protestors around the U.S. are themselves inciting violence when it is often the case that it is white supremacists. Also, there is a conflation here of property damage and looting, which has definitely occurred at the hands of people protesting police killing of African Americans, and violence intended to suppress such protests. And, the reference to “government property” sure seems like a dog whistle about protestors vandalizing and toppling statues and monuments to Confederate figures.

Moreover, there are no mentions of QAnon, a multi-headed conspiracy and movement with significant support from Trump loyalists and voters.

Wolf also references election interference. He asserted “[n]ation-states will continue to try to undermine American elections….like China, Russia, and Iran will try to use cyber capabilities or foreign influence to compromise or disrupt infrastructure related to the 2020 U.S. Presidential election, aggravate social and racial tensions, undermine trust in U.S. authorities, and criticize our elected officials.” Putting the People’s Republic of China (PRC) before the Russian Federation is contrary to the body of the report:

Foreign influence activity will target U.S. foreign and domestic policy, international events such as COVID-19, and democratic processes and institutions, including the 2020 Presidential election. Russia is the likely primary covert influence actor and purveyor of disinformation and misinformation within the Homeland. We assess that Moscow’s primary objective is to increase its global standing and influence by weakening America—domestically and abroad—through efforts to sow discord, distract, shape public sentiment, and undermine trust in Western democratic institutions and processes.

Note that the PRC is not mentioned because apparently DHS staff do not consider them a threat on par with the Russian Federation. Seven paragraphs follow on the capabilities and goals of the Russians before the PRC is mentioned. It is safe to conclude Wolf chose to massage the findings and shoehorn them into a worldview the President and his advisors have been peddling for months if not years. Likewise, in the subsection titled “2020 U.S. Presidential Election,” again, DHS analysts emphasize the considerable threat posed by the Russian Federation, and it is paragraphs into this analysis before the PRC and Iran are mentioned.

From here on out, I’ll include key excerpts of the report itself:

  • Cyber threats to the Homeland from both nation-states and non-state actors will remain acute. U.S. critical infrastructure faces advanced threats of disruptive or destructive cyber-attacks. Federal, state, local, tribal and territorial governments, as well as the private sector, will experience an array of cyber-enabled threats designed to access sensitive information, steal money, and force ransom payments.
  • Russia—which possesses some of the most sophisticated cyber capabilities in the world—can disrupt or damage U.S. critical infrastructure networks via cyber-attacks. Russian state-affiliated actors will continue targeting U.S. industry and all levels of government with intrusive cyber espionage to access economic, policy, and national security information to further the Kremlin’s strategic interests.
    • Russia probably can conduct cyber-attacks that would result in at least localized effects over hours to days and probably is developing capabilities that would cause more debilitating effects.
    • We expect Russian cyber actors to use a range of capabilities including social engineering, publicly known software and hardware vulnerabilities, poorly configured networks, and sophisticated “zero-day” attacks that exploit security weaknesses in software.
    • Under Russian law, the Federal Security Service (FSB) can compel Russian firms doing business in the United States—or Russians working with U.S. firms—to comply with FSB information sharing and operational mandates, presenting additional routes for cyber espionage.
  • China already poses a high cyber espionage threat to the Homeland and Beijing’s cyber-attack capabilities will grow. Chinese cyber actors almost certainly will continue to engage in wide-ranging cyber espionage to steal intellectual property and personally identifiable information (PII) from U.S. businesses and government agencies to bolster their civil-military industrial development, gain an economic advantage, and support intelligence operations. China possesses an increasing ability to threaten and potentially disrupt U.S. critical infrastructure.
    • We expect China’s cyber operations against U.S. companies to focus on the critical manufacturing, defense industrial base, energy, healthcare, and transportation sectors.
    • Beijing has targeted information technology and communications firms whose products and services support government and private-sector networks worldwide, while concurrently advocating globally for Chinese information technology companies that could serve as espionage platforms.
    • Under China’s 2017 National Intelligence Law, Beijing can compel businesses based in China and Chinese citizens living abroad to provide intelligence to the Chinese government.
    • We remain concerned about China’s intent to compromise U.S. critical infrastructure in order to cause disruption or destruction.
    • China’s efforts to dominate the 5G world pose new challenges to U.S. efforts to national security, privacy, resistance to malign influence, and human rights. The exponential increases in speed, connectivity, and productivity could render American systems particularly vulnerable to Chinese cyber threats.
  • While Russia and China are the most capable nation-state cyber adversaries, Iranian and North Korean cyber actors also pose a threat to U.S. systems, networks, and information. Iran continues to present a cyber espionage threat and is developing access in the Homeland that could be repurposed for destructive cyber-attacks. North Korean cyber capabilities, while sophisticated, probably will remain confined to criminal generation of revenue. If Pyongyang’s intent changes, however, it probably could quickly build capabilities to conduct broader espionage activity or threaten infrastructure with disruptive cyber-attacks.
  • Cybercriminals increasingly will target U.S. critical infrastructure to generate profit, whether through ransomware, e-mail impersonation fraud, social engineering, or malware. Underground marketplaces that trade in stolen information and cyber tools will continue to thrive and serve as a resource, even for sophisticated foreign adversaries.
    • Ransomware attacks—which have at least doubled since 2017—often are directed against critical infrastructure entities at the state and local level by exploiting gaps in cybersecurity.
    • Victims of cybercriminal activity in 2018 reported over $2.7 billion in losses—more than twice the amount lost in 2017. This figure does not represent the full scope of loss because some victims do not report incidents.
  • Foreign influence activity will target U.S. foreign and domestic policy, international events such as COVID-19, and democratic processes and institutions, including the 2020 Presidential election. Russia is the likely primary covert influence actor and purveyor of disinformation and misinformation within the Homeland. We assess that Moscow’s primary objective is to increase its global standing and influence by weakening America—domestically and abroad—through efforts to sow discord, distract, shape public sentiment, and undermine trust in Western democratic institutions and processes.
  • Russian influence actors will continue using overt and covert methods to aggravate social and racial tensions, undermine trust in U.S. authorities, stoke political resentment, and criticize politicians who Moscow views as anti-Russia. Although some of this activity might be framed in the context of the U.S. election—seemingly in support of or opposition to political candidates— we assess that Moscow’s overarching objective is to weaken the United States through discord, division, and distraction in hopes that America becomes less able to challenge Russia’s strategic objectives.
  • Russian influence actors will engage in media manipulation—across social media platforms, proxy websites, and traditional media, to include state-controlled outlets—to exacerbate U.S. social, political, racial, and cultural fault lines.
  • Russian actors will attempt to undermine national unity and sow seeds of discord that exploit perceived grievances within minority communities, especially among African Americans. Russian influence actors often mimic target audiences and amplify both sides of divisive issues to maximize discord, tailoring messaging to specific communities to “push and pull” them in different ways.
  • The Russian government promulgates misinformation, threats, and narratives intended to incite panic or animosity among social and political groups. For example, Russian actors amplified narratives such as U.S. law enforcement ignoring ICE detention requests and releasing an illegal immigrant accused of rape; assaults on supporters and opponents of the President; and portrayals of U.S. law enforcement as racially biased. Russian influence actors also have exploited national tragedies, such as the 2017 mass shooting in Las Vegas, and protest movements—sometimes magnifying both a protest and a counter-protest—such as the 2017 protest activity in Charlottesville.
  • Chinese operatives probably are waging disinformation campaigns using overt and covert tactics—including social media trolls—to shift responsibility for the pandemic to other countries, including the United States. China might increase its influence activities in response to what it views as anti-China statements from the U.S. Government over China’s role in the pandemic.
    • Since August 2019, more than 10,000 suspected fake Twitter accounts have been involved in a coordinated influence campaign with suspected ties to the Chinese Government. Among these are hacked accounts from users around the world that post messaging and disinformation about the COVID-19 pandemic and other topics of interest to China.
    • China’s Foreign Ministry, state media, and official Twitter accounts promote overt narratives claiming the coronavirus may have originated in the United States, criticize the U.S. pandemic response, and publicize China’s COVID-19-related medical assistance to U.S. cities and states. China has doubled the number of official government posts disseminating false narratives about COVID-19 and has carried out persistent and large-scale disinformation and influence operations that correlate with diplomatic messaging.
    • China most likely will continue amplifying narratives supportive of its pandemic response while denigrating U.S. official criticism that Beijing views as tarnishing its global image.
  • China and Russia will continue to represent the top threats to U.S. supply chain security, given the sophisticated intelligence and cyber capabilities they can use to infiltrate trusted suppliers and vendors to target equipment and systems. Criminal actors also will engage in efforts to compromise supply chains, with such methods as inserting malicious code in a third party’s software to conduct operations against firms that use the software. Criminal and state actors also attempt to compromise supply chains through protectionist measures and by exploiting rapid procurement procedures at the local, state, and federal level during disasters.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.
