Mobilization Indicators for the Homegrown Violent Extremist

A new doc for the intel library from the National Counter-terrorism Center.

This handbook lists what to look for (indicators) that may foreshadow a violent terrorist action.

An Excerpt:

The indicators of violent extremist mobilization described herein are intended to
provide federal, state, local, territorial and tribal law enforcement a roadmap of observable
behaviors that could inform whether individuals or groups are preparing to engage in
violent extremist activities including potential travel overseas to join a Foreign Terrorist
Organization (FTO). The indicators are grouped by their assessed levels of diagnosticity—
meaning how clearly we judge the behavior demonstrates an individual’s trajectory towards
terrorist activity. The list also includes additional information concerning what the behavior
could indicate, identifies likely observers, and provides a probable timeframe between
behavior and an ultimate violent act. Some of these activities might be constitutionally
protected and may be insignificant on their own, but, when observed in combination
with other suspicious behaviors, may constitute a basis for reporting. Law enforcement
(LE) action should not be taken based solely on the exercise of constitutionally protected
activities or on the apparent race, ethnicity, national origin, or religion of the subject.

New HF Direction finding methods from Isreal

The new ELK 7065 from IAI:

From the link:

The ELK-7065 is a state-of-the-art HF COMINT system suitable for the harsh electromagnetic environment characterizing the HF band. The system tags and identifies signals characteristics in a multi-dimensional domain, composed of signal identifiers such as power, center frequency, modulation, geo-location, polarization and more. These techniques enable swift labeling of the received signals, identification and reliable Electronic Order of Battle (EOB) generation. The unique front-end technology allows installation on board compact airborne platforms, such as mission aircraft of all sizes and UAVs.

More info HERE!

And HERE!

And last but not least, a Youtube video:

VIDEO

The Role of Intelligence in Small Tactical Teams

mi_corps_insignia-svg

What is Intelligence

Intelligence, in the context of this discussion, is the act of reducing uncertainty. For militias, neighborhood protection teams, mutual assistance groups and other small groups, intelligence is crucial in economy of effort.

“Economy of effort” is essentially “getting the most bang for your buck.”
Imagine the mission of: “Protect your home from looters after the storm”. Without any information, you don’t know where to focus observation, what to plan for, etc…. As we develop intelligence, we can reduce uncertainty, and better defend your home. If you know that the most likely looters will be young disenfranchised Swedish immigrants from the housing projects north of your neighborhood, you can be aware of what to look for. If you know the terrain of your area, then you can determine that the Swedish looters will come from one or two avenues of approach. This allows you to focus your observation there. Etc…

Pre-planning

While in “peacetime” or “DEFCON 4”, or “condition blue”, or whatever the operative term for “No immediate operations or threats,” there are a number of intelligence functions that should be carried out to be prepared for operations.

Intelligence Preparation of the Battlefield

One of the first tasks an intelligence section should carry out is Intelligence Preparation of the Battlefield (or IPB)
In IPB, you determine the area of operations (AO), area of interest (AI), Map terrain features and determine lanes of movement, and avenues of approach. Where are obstacles, etc…

Sam Culper has an Amazon ebook (more like a pamphlet) on Amazon, called “intelligence preparation of the battlefield”, as well as his book “SHTF Intelligence” and website https://readfomag.com/ that goes into much more depth.

There is also the army field manual 34-130 Intelligence Preparation of the Battlefield.

Other tasks that go with the IPB phase include defining the human terrain(Demographics, and where are people based on culture, economics, politics, etc), mapping infrastructure such as rail lines, power lines, gas lines, substations, pumping stations, water treatment, etc, and if your group has a capable signals section, mapping radio users, towers, frequencies, modes, etc.

Intelligence Database

In addition to IPB, your intelligence section should be developing an intelligence database.

In times past, filing cabinets, folders and index cards were the tool of choice. These days the most popular setup is a “wiki” type database. (Wikipedia is the most well known wiki) In fact, the U.S. Department of Homeland Security uses a “wiki” database called “Intelliwiki” as their national set-up. Regardless of what format you use, you should be collecting information on influences in your AO.

Categories of influences are people, groups, gangs, organizations, companies, etc… Gaining thorough information on these influences helps to reduce uncertainty.

For example, knowing that Ludvig Karlsson is the leader of the local Swedish criminal gang, means that an intelligence section can keep tabs on him, to get an idea of gang activities, instead of trying to watch the whole gang. (An example of “economy of effort”)

Operational Planning

Peacetime has ended, or you have gone to” DEFCON 3”, or “Condition Orange”, or whatever your group determines to be a heightened state of readiness. This elevation of readiness does not happen in a vacuum, it happens in response to something, and that “something” should help to define your intelligence requirements. Your group is going operational. At this point the intelligence section will start doing analysis, and in conjunction with leadership, determine priority intelligence requirements, (PIR’s), data gaps that need to be filled, developing human intelligence resources (aka spies and moles) within groups that you may have interest in, etc…

The who and what of this planning it this stage will be very dependent on your groups function and goals. A neighborhood protection team will be more interested in criminal gangs, and food supply, while a guerrilla/insurgent group will be more concerned with political groups and influences.

Analysis

Analysis is the process of taking known information about situations and entities of strategic, operational, or tactical importance, characterizing the known, and, with appropriate statements of probability, the future actions in those situations and by those entities.

An excellent book to get started in understanding analysis is: Intelligence Analysis, a Target-Centric Approach

Whole college courses are taught on analysis, and this discussion can not possibly cover all the information needed just to get started.

To briefly encapsulate the analysis process, what is known, and what is reported is evaluated to rate the reliability of the data, then that information is modeled, with the different possible outcomes of actions. Most likely course of action and most dangerous course of action are considered. “Wargaming” and “Red Teaming” may be used to play out COA’s,

Operational

Once your group is actually conducting a mission, or operational, the duties of the intelligence section get added to. The most common responsibilities include tracking friendly forces, enemy forces, other groups, weather, looking for trigger events, and any changes in the assumptions that were made in the analysis and planning phase, and advising leadership on any changes in expected COA’s. Just because you are operational does not mean the planning, and pre-planning stop. In fact it is when things are most fluid that keeping IPB’s, Intel DB’s, and models up to date can be the biggest help.

Putting it all together

Example 1: Neighborhood Protection Team

Background. Due to some un-named catastrophe, there is a break down in the rule of law. Government is non-functional, and your group is tasked with protecting the neighborhood from looters. You have done IPB, and built an intelligence database.

Defense of your location is the mission, so you develop some of the following PIR’s

Who are the most likely threats, and what are their capabilities and methods?

What is an indicator that a threat is imminent?

Because you have developed your intelligence database, you know that there are two criminal gangs that were functional during peacetime in your area.
The Swedish gang is the biggest, and their leader, Ludvig Karlsson drives a tricked out red Volvo SUV.
There is also a latino gang ran by someone called “El Hefe”. Many gang members have low-rider cars and compact pickups.

Because you have done a proper IPB, you know that there is only vehicle access to your neighborhood via 2 roads from the north. Travel on foot from the west is unlikely due to the swampy marsh on that side, and thick woods followed by another neighborhood to the south means that threat to you from that direction is unlikely without the southern neighborhood being attacked first. This knowledge allows to more economically marshal your resources to guard the two roads, and the exposed fields on the east. (This economy of effort, and you don’t totally discount the south and west, but you can devote significantly fewer resources to guarding them.)

A week into the catastrophe, you get a reliable report that a neighborhood 12 miles to the north of you was wiped out. The attackers are reported to have been Caucasian, and many were blond. A red tricked out Volvo SUV was seen. There were about 30 attackers. And they attacked around noon. They raped and looted, and killed everyone that was in the neighborhood, and then set it on fire.

A few days later a reliable report indicates that another neighborhood was attacked at night by about a dozen Hispanic looking men. They only looted, but did not hesitate to kill any who resisted. A low-rider pickup truck was cruising the area that afternoon.

A few days later, there is another report of a daylight raid and red Volvo SUV on one neighborhood that was burnt to the ground, and a night time raid by a Latino gang that happened after a low-rider pickup was seen in the area.

At this point we can “model” the behavior of the two gangs, and say that the most likely course of action by the Latino gang will involve a scout in a low rider pickup, and attack at night, while an attack by the Swedish gang will include a red Volvo SUV during the day.

We then determine that the most dangerous course of action (for us) is to be attacked by the Swedish gang, since they spare none, and burn everything to the ground. Being attacked by the Latino gang is also a dangerous course of action.

Knowing this we have a number of courses of action to consider, in order to make our plans.

Since you know that El Hefe is the leader of the Latino gang, you could specifically target him at his home (If you know where that is), but what will the gang do then? Will they escalate their violence? Is there a second in command that will step up and carry out the same raids? Or will they fall apart?
It is okay to say “I don’t know.” In fact it is preferred. Guessing or making stuff up is a recipe for disaster. A proper analysis needs the facts and data weighted correctly to be useful.

Not knowing what will happen to the Latino gang if El Hefe is taken out leads leadership to conclude it is not worth the risk of sending people out of the protection of the neighborhood to make the hit. Instead, they conclude that an advanced observation post (OP) to watch for low-riders, and red Volvos is a better risk/reward.

Several weeks in, your OP radios in that a tricked out red Volvo SUV, followed by about nine other cars just passed the OP en route to your neighborhood, about six miles away. You sound the alarm, and your neighborhood protection team moves to a prepared ambush site one mile north of the neighborhood. When the Volvo convoy gets into the killzone, the ambush is executed.

After most of the convoy is wiped out, you find Ludvig Karlsson and some other Swedish gang members among the dead and injured, along with a number of weapons, molotov cocktails, and forced entry tools. Mission success (for now)

Even with the one threat eliminated, the Intel team cannot stand down. Will the Latino gang attack? Will another group move in, or fill the void left by the Swedish gang? Will any survivors of the Swedish gang try to retaliate? (Will they even know who wiped them out, since the ambush was away from the neighborhood?) These are all issues the intelligence section must continue to work on.

Now imagine if the neighborhood protection team did not have an intelligence section or person?
The first hint of a raid would be when the raid happens. Most likely the neighborhood would have more casualties. They would not have the advantage of a well planned ambush, or early warning. Vehicles and houses would be damaged by the firefight. If molotovs are thrown, some houses may burn. If the defenders do not completely wipe out the Swedish gang, and they are driven back, they may come back for retribution. All a much more dangerous course of action.

Example 2: Intel in political action

Background: Your group is a state gun rights group trying to influence social and political action to remove current state firearms restrictions.

Your IPB will not focus on physical terrain, lanes of movement and avenues of approach, but instead focus on the human terrain. Where are the conservative and liberal neighborhoods? What areas of employment tend to have one political stripe work there? (For instance more liberals will work in the trendy hipster coffee shop section of town, while more conservative minded folks will be working in the industrial business park. ) Why does this matter? If you spend money on political advertising such as a billboard, putting one that resonates with conservatives in a conservative part of town is more effective than putting a conservative billboard in a liberal part of town.

Your database will have the politicians, their donors, businesses, and donor businesses. Other political activist groups (Both for and against), etc… This is used to leverage campaigns against the opponents donors and sponsors. A boycott of a gun grabbers major donor, may hurt their bottom line, and reduce their effectiveness.

Your analysis will focus on which groups to pressure, or what areas to market to will yield the biggest effect for political action. (Economy of effort again)

Example 3: Guerrilla / Insurgency

Background: You live in Dirka Dirka-stan, and due to the fact that the political establishment is so entrenched and in bed with big business, your attempts to peacefully effect the political process have failed, so your group decides to go kinetic.

Understanding the human terrain is essential!

There is a senator from Dirkafornia that is notoriously anti-rights and anti-gun. A lot of insurgents, if given the chance, would jump at the opportunity to kinetically remove the senator. However, if your intelligence section has done its homework, they may conclude that since the senator is from the city of Dirkfrancisco, that their likely successor will be just as bad as a gun grabber as the target. Additionally, we can model that after many political assassinations, there is a groundswell of sympathetic support for the deceased’s pet causes… so a kinetic action against the senator may actually produce the opposite of the desired effect, and get sympathy votes of “We should ban more guns, because that is what the senator would have wanted, in honor of them.”

Individual guerrilla actions may require an IPB for a specific action, such as an ambush or assasination.
Analysis is needed to look at the courses of action for success and failures of the mission so that the risks can be weighed. What are the third and fourth order effects? Will there be blowback? By whom? What will the public reaction be?

Conclusion

Intelligence is an important task for small tactical teams. It can mean the difference between success or failure. It can prevent the waste of life and resources. It drives the missions!

In an Army Infantry Brigade there is an intelligence company of about 60 people devoted to the task, which include network and computer technicians, Human Intelligence collectors, Signals Intelligence collectors, exploitation teams, analysts, synchronization and collection management sections, linguists, cryptanalysts, imagery analysts, database technicians, and more.
Additionally this company supports intelligence sections at brigade and battalion level.

This is a huge role to fill by one or couple of people that will make a small teams intelligence section. While you can not do everything a brigade intel company does, starting with the basics gets you a huge advantage over the unprepared.

For more links check the S2 section here:

Citizenmilitem.com S2 library

DasBlinkenlight

OPSEC and RF Security

Modern radios are made to be used by people with little training or experience. Usually if two radios are set to the same frequency, two people can start using them effectively in very little time. Radios are used in warehouses, department stores, hotels, film sets, and a myriad of other locations. The information in this blog may seem to be overkill, but these procedures are intended to work in a high threat environment where bad radio procedures put lives at risks. Here, we will look at some of the security implications that come about from radio use.

A) OPSEC

Operational Security, (OPSEC) is the process of keeping information that could be used against you from your adversaries. There are several broad categories of information that we will focus on. We want to deny our enemies information that can reveal the following information:

1) Capabilities. By knowing what your group is capable of, an enemy can act so as to negate your strengths, or deny you employing your capabilities to their fullest effect. If an enemy knows you are capable of shooting down helicopters, they will limit their use of helicopters in your area of operations to deny your group those kills.

2) Limitations. By knowing what your group is not capable of, an opponent can exploit those limits for their own gain. If your opponent knows you can not shoot down helicopters, they may use more helicopters to move about, so as to avoid ground based IED’s, and ambushes.

3) Identification. Personal and functional identification can both help an adversary against you. a)Functional identification is identifying the purpose of a group or unit. Observing a bunch of men in uniform is some information, but being able to determine if they are a logistics company, vs a medical treatment team, vs special forces unit all dictate different reactions.
b) Personal identification is identifying individual people within a group. Knowing that the commander of a unit is Captain John Doe, of 1234 main street, Anytown, would allow an adversary to possibly pressure or otherwise compromise Captain Doe’s family, and thus gain an advantage.

4) Location. Knowing where a unit is allows an opposition force (OPFOR) to maneuver to intercept, block, avoid, attack, or follow that group. If OPFOR knows you are based on north ridge of Candy Mountain they can plan an appropriate attack.

5) Intentions. Knowing what a group plans to do allows for the enemy to take actions to reduce the effectiveness of those actions. If your enemy knows you plan to attack an outpost tomorrow at dawn, they can move in reinforcements, or set a trap, or move to intercept before you arrive, ect…

6) Activities. Knowing what you are doing at the current time allows your adversary to adjust their plans accordingly. If your adversary knows you are currently setting up a camp, then they can probably assume you are not about to attack them, and operations they carry out at that time are safer to execute.

7) Effects of enemy action. Knowing what effect their own actions have had on your group will allow an enemy to adjust their planning and operations to better effect. If an enemy knows that their last attack was very effective, then they will continue to carry out the same kind of attacks, where as if an attack had little or no effect, they may change their methods.

Information from any of the above categories may also give the enemy information in other categories. Knowing your intent to go to a certain position at some time in the future, reveals a future location. Identifying a units function hints at some capabilities and limitations. That is why it is crucial for OPSEC to protect this information.

Imagine the following radio exchange between an infantry platoon, B1, and their command, B6:

B6: “Team 1, Team 1, this is command, do you copy? Over.

B1: “Command, this is Team 1, go ahead. Over.

B6: “Hey Bob, we took a licking from OPFOR yesterday out by Candy Mountain. They destroyed our HF radio, so we do not have any long range commo at the moment. Well, anyway, we are going to attack their outpost on the north side of Happy Valley tomorrow morning. Rendezvous at Grid 1213141589 at 0500. We will place the mortars just east of that location, and attack at 0600. Over.

B1: “Roger, We copy all that, Frank. We will head out tonight, and layup about an hour south of the rendezvous, until 0400, and then head in. see ya there, and stay safe. Over

B6: “Roger that Bob. Team 1, this is command. Over and out

The above exchange is full of OPSEC violations. Personal ID of Frank, and Bob; functional ID. of command and team; capabilities of having mortars, limitations of command not having a HF radio; locations of the rendezvous, layup, and mortar positions, intent of their plan and the effect of the previous attack. It is a goldmine of information for the OPFOR. Based on this information, the OPFOR can ambush Team 1 in route to their layup, or rendezvous, or sabotage the mortar position, or attack the rendezvous before Team 1 links up, or reinforce their outpost, or vacate it and lay traps, ect…

We can mitigate these OPSEC violations by following the standard operating procedures (SOP’s) found in Volume 1 of the Signals Handbook.    By only transmitting what is necessary, and by following the proper format, The above exchange becomes the following:

B6: “Bravo 1, Bravo 1, This is Bravo 6, Over.

B1: “Bravo 6, This is Bravo 1, go ahead, Over

B6: “Rally at Grid 121314589, at 0500. Over.

B1: “Wilco, Out.

We can see with this new exchange, we have eliminated a lot of the OPSEC compromises. There is still a location, and some intent, but it is a lot less actionable than the first exchange. Any additional information about the attack, or mortar positions can be exchanged by B1 and B6 in person at the rendezvous.

By following good SOP’s we can reduce, but not entirely eliminate OPSEC compromises. We can further reduce our OPSEC compromises by employing good COMSEC.

B) COMSEC

Communications Security (COMSEC) is the process of protecting the content of our communications. There are a number of approaches that can be used to implement COMSEC, from technological to procedural. Technological methods include encrypted radios, frequency hopping radios, steganography (hiding communications within other messages), and certain bands or modes of radio communication. Procedural methods include using codewords, codebooks, and manual encryption.
Good COMSEC lets us achieve better OPSEC.

Looking at the exchange above, we see that the OPSEC compromises still there are the grid location, and time to be there. Since “Bravo 1” and “Bravo 6” are following army convention then it also hints that B6 is command, compromising functional identification, so just by adding code names and DRYAD based encryption (As discussed in Volume 1 ) we can remove the rest of the OPSEC compromises:

B6: “Whirlwind, Whirlwind, This is Thunderhead. Over.

B1: “Thunderhead, this is Whirlwind. Go ahead. Over.

B6: “Rally at grid I set Charlie, November, Quebec, Yankee, Alpha, Foxtrot, Juliett, X-Ray, Bravo, Hotel, at time, I set: Lima, India, November, Foxtrot, Victor. Over.

B1: “Wilco. Out.

Now our transmission only tells them that we will be going somewhere, sometime. By using the DRYAD encryption we are denying them information about location and time. If we deem that even that little bit of information is too much of a compromise of OPSEC, we can either encrypt the whole message via a one time pad, or use the a codebook and the DRYAD sheet to also encrypt the “rally” and “time” parts of the message.

C) TRANSEC

Another part of the OPSEC plan should include transmission security (TRANSEC.) Because an opponent may be using signals intelligence, (SIGINT) we need to take measures to minimize the radio signals they can detect. The longer a radio is transmitting, the greater chance the opponent’s SIGINT element will detect it, and possibly radio locate, or radio direction find the transmitting radio.

The simple fact that a radio transmission is being received at all, may give a rough idea of the location of the transmitter, and radiolocation can pinpoint it, compromising the location. This is a breach of OPSEC. Even if everything is encrypted, link analysis (keeping track of who talks to who) can allow an analyst to get some general functional identification of units, such as defining what element is the command and control element. This breach of OPSEC would allow a small enemy force to determine which unit to attack yields the biggest reward.

There are a number of methods that help improve TRANSEC. The most important method is to only transmit when absolutely necessary for the mission, or the security of other friendly or allied units.

When transmissions must be made, keeping them short helps TRANSEC, as well as changing frequencies at regular intervals. Use the lowest transmit power needed to make the communication. Use directional antennas. Use unusual bands or modes.

D) Threat SIGINT Capabilities

The United States armed forces employ high levels of TRANSEC and COMSEC technology, and procedures when operating in a hostile environment. Those technologies and procedures are supported by thousands of personnel at every echelon of the force. Unfortunately, a small team does not have the resources to execute every COMSEC and TRANSEC measure. For the purpose of this handbook, we will divide threat forces SIGINT capability into 5 categories.

1) None. When there is no adversary or opponent, there is no one to offer any SIGINT threat. We operate in this condition for some administration and camp duties. It is also appropriate for training that is not focused on communications. For example, range safety officers communicating with each other over a large rifle range.
We do not need to take any special precautions in a no SIGINT threat environment.

2) Low. We consider it a low SIGINT threat when we do not have a defined opponent, or our opponent is not likely to have any active SIGINT capability. A looting gang in the aftermath of a natural disaster would be an example of a low SIGINT threat. In this environment, our biggest danger is “inadvertant SIGINT” If some people in the threat group are using some commonly available radios such as FRS/GMRS or CB radios, and our group also uses those same types of radios, then there is a chance that we accidentally end up on the same channel as the threat group, and they may hear our transmissions.
Precautions to take in a low SIGINT threat environment include using radio SOP’s to keep transmissions short and to the point. Code words and code names generally provides enough COMSEC to foil any OPFOR listening to our transmissions. If available, use radios that are not as common as CB, and FRS/GMRS.

3) Medium. We define a medium SIGINT threat as a group that has nascent SIGINT capabilities. This may include professional criminal organizations, or other small tactical teams/groups. The equipment used would most likely be one or several handheld radio scanners. Most commercially available radio scanners these days can scan or search the VHF and UHF radio bands, and can listen to FM analog voice transmissions. Some of the newer (and more expensive) scanners can also decode the APCO/P25 digital voice transmissions that many public safety agencies are switching to. If the public safety agency is using encryption on their radios, however, the scanner cannot decode it. Medium SIGINT threat groups may also have persistance, and record radio intercepts, and perform intelligence analysis on radio activity. Basic link analysis may be employed.
Precautions that should be taken against medium SIGINT threats include using radios that do not use analog FM voice, or P25 digital. Using unusual frequencies, and of course keeping transmissions to a minimum will help with TRANSEC. If you are able to use non-P25 digital modes, then code words and code names should suffice for COMSEC. If you must use analog or P25, then you should employ full COMSEC measures including one time pads, and DRYAD/code book encryption.

4) Advanced. Advanced SIGINT threats are groups that contain as members: radio experts, avid scanner hobbyist, or communications professionals with access to professional level equipment. They will have more capabilities than can be offered by just having scanners. They may have surveillance receivers, spectrum analyzers, frequency counters, wideband receivers, or computer based “software defined radio” (SDR) receivers. An advanced SIGINT capability may be able to decode any non-encrypted digital communications, and may have radio direction finding and radiolocation systems. They will also perform intelligence analysis on all radio activity.
Precautions against advanced capabilities include all “medium” precautions, but only employing full COMSEC. Nothing should be sent un-encrypted.

5) High/professional. High SIGINT threat opponents include professional military, and large government law enforcement agencies. They will have well funded SIGINT capabilities with multiple professional staff. They will be able to call on experts around the world and devote tremendous resources to breaking your OPSEC. They may have computer hackers, and technologists that can derive OPSEC information from other electronic sources.
Precautions against professional SIGINT threats: do not use computers or radios. If you absolutely must, then keep use to a minimum, and be crafty. Expect being crafty to fail.

The list of U.S. government cell monitoring equipment

https://theintercept.com/2015/12/17/a-secret-catalogue-of-government-gear-for-spying-on-your-cellphone/

THE INTERCEPT HAS OBTAINED a secret, internal U.S. government catalogue of dozens of cellphone surveillance devices used by the military and by intelligence agencies. The document, thick with previously undisclosed information, also offers rare insight into the spying capabilities of federal law enforcement and local police inside the United States.

More at the link at top.