Ideology-based Threats in Response to Civil Unrest

January 13, 2021

  • This past week the nation witnessed an escalation in both political rhetoric and physical action with the unfortunate events at the U.S. Capitol.
  • The response by government officials, coverage by news media and Big Tech deplatforming have raised the possibility of both digital and physical threats against individuals and organizations in the coming week, as we move towards a transition of power between the current and incoming administrations.
  • Organizations have the tools at their disposal to identify, prepare for and respond to any potential threats posed by the unrest.
  • Leaders need to coordinate and prepare their decision makers for any potential attack, either digital or physical.


As we move toward the inauguration (and beyond), it’s important to focus on potential digital and physical threats to organizations and identify areas of opportunity for preparation and response.



Identifying the Potential Threat

In the aftermath of the storming of the U.S. Capitol, news reports are suggesting the potential for armed protests in Washington D.C. and all 50 states leading up to President-elect Biden’s inauguration on January 20th. Based on credible threats in the National Capital Region (NCR), President Trump has declared a State of Emergency to allow for enhanced security including local and federal law enforcement and the National Guard. Even though physical threats remain highly possible, this post concentrates on the digital realm and identifies some recommendations.


There are several different cyber threat scenarios organizations and elected or public officials should consider. In response to broadcast and online news coverage of the incident at the Capitol and continuing coverage leading up to the inauguration, major media and local affiliates, as well as elected and public officials of both political parties, are probable targets for ideologically motivated attacks. The most-likely attack scenarios:


[Image: most-likely attack scenarios]


The deplatforming of President Trump, private citizens and competing social media companies (i.e., Parler) has increased the potential for ideologically motivated actors to target Big Tech (beyond the current calls for boycotts). While these organizations have robust security in place to prevent attacks, they should still be prepared. Additionally, it’s likely that more advanced adversaries – potentially sponsored by nation-states – may seek to use these tactics as diversions for more sophisticated attacks, especially while many organizations continue remediation efforts stemming from the SolarWinds compromise.



Preparing for and Responding to Potential Threats


Using Threat Intelligence


When approaching a potential “known threat” scenario where information is flowing from credible sources, organizations should begin conducting estimative intelligence analysis to prepare decision makers across lines of business with most-likely and most-dangerous threat courses of action. (Estimative intelligence is predictive, and is used to prepare decision makers for future threats and events.) News media organizations also can and should prepare for the most-likely threats: ideologically motivated actors conducting low-risk social media account hijacking, doxxing of news media personalities and/or website defacement. A most-dangerous course of action should also be assessed: the most-likely course of action by either ideologically motivated adversaries or insider threats, combined with a simultaneous Distributed Denial of Service (DDoS) attack and a physical assault on field reporters and staff or a physical incursion onto company property.


The potential for these scenarios should be analyzed by both information and physical security staff for their likelihood in each geographic location. Communication and cooperation between news agencies and local law enforcement is essential. A report with associated policies should be distributed to key decision makers within the organization to promote awareness and support incident response (IR).


Enacting Incident Response


Given the immediacy of these potential threats, it’s unlikely that other best practices can be enacted between now and the inauguration. However, future events may require organizations to expand their IR playbooks to include the planning for similar scenarios. Additionally, organizations are encouraged to conduct internal exercises (such as tabletop exercises or readiness assessments) to account for and document best-practice responses in case of a real-world incident.


In the event of a major incident involving both physical and cyber-based attacks, organizations should rely on the Incident Command System (ICS) to conduct their response. The ICS is a standardized structure that coordinates managers and leaders across multiple organizations or lines of business in responding to a major incident. Government organizations rely on ICS for incidents ranging from national disasters to pandemic response (for instance, Hurricane Harvey or the onset of COVID-19).


[Image: Incident Command System (ICS) structure]


Each section in the ICS plays a specific role in the event of a major incident. Using ICS provides designated roles and responsibilities, integrated communications, common language and terminology, and quick coordination of resources and planning.


For further information and a tutorial on ICS, readers should visit the National Service Knowledge Network Online Learning Center.




While the ongoing events are concerning, organizations have the tools at their disposal to identify, prepare for and respond to any potential threats posed by the unrest. Leaders need to coordinate and prepare their decision makers for any potential attack, either digital or physical. A prepared leader is an equipped leader and will significantly enhance protection of the organization’s most important assets.


Organizations that have offices and personnel near the NCR or in the vicinity of U.S. state capitals should enact policies to allow further remote work, if this isn’t already in place due to COVID-19 safeguards. In addition, to deter potential physical damage of office space in these regions, these organizations should ensure their physical security team(s) have access to threat information and publicly available bulletins produced by local and federal law enforcement and plan for scenarios of escalated public presence and the potential for violence, theft, and property damage. Organizations that face the potential for physical threats should contact experts in that space.

Danny Pickens
Practice Director, Enterprise Incident Management | Optiv
Danny Pickens has two decades of experience in the fields of military intelligence, counterterrorism and cyber security. Throughout his career, he has spent time at the tactical, operational and strategic level of intelligence and cyber operations within the United States military and various divisions of the Department of Defense and other U.S. Government organizations, as well as private enterprise. As the practice director of Optiv’s Enterprise Incident Management professional services team, Pickens is responsible for the direction and engagements of Optiv’s incident management services, encompassing both proactive and reactive incident management operations.