Ideology-based Threats in Response to Civil Unrest

January 13, 2021

This past week the nation witnessed an escalation in both political rhetoric and physical action with the unfortunate events at the U.S. Capitol. The response by government officials, coverage by news media and deplatforming by Big Tech have raised the possibility of both digital and physical threats against individuals and organizations in the coming week, as we move toward the transition of power between the current and incoming administrations.

Organizations have the tools at their disposal to identify, prepare for and respond to any potential threats posed by the unrest. Leaders need to coordinate and prepare their decision makers for any potential attack, either digital or physical. As we move toward the inauguration (and beyond), it's important to focus on potential digital and physical threats to organizations and identify areas of opportunity for preparation and response.

Identifying the Potential Threat

In the aftermath of the storming of the U.S. Capitol, news reports are suggesting the potential for armed protests in Washington, D.C. and in all 50 states leading up to President-elect Biden's inauguration on January 20th. Based on credible threats in the National Capital Region (NCR), President Trump has declared a State of Emergency to allow for enhanced security, including local and federal law enforcement and the National Guard. Even though physical threats remain a high possibility, we will concentrate on the digital realm and identify some recommendations. There are several different cyber threat scenarios that organizations and elected or public officials should consider.
In response to broadcast and online news coverage of the incident at the Capitol and continuing coverage leading up to the inauguration, major media outlets and their local affiliates, as well as elected and public officials of both political parties, are probable targets for ideologically motivated attacks.

[Figure: the most-likely attack scenarios]

The deplatforming of President Trump, private citizens and competing social media companies (e.g., Parler) has increased the potential for ideologically motivated actors to target Big Tech directly, beyond the current calls for boycotts. While these organizations have robust security in place to prevent attacks, they should still be prepared. Additionally, more advanced adversaries, potentially sponsored by nation-states, are likely to use these tactics as diversions for more sophisticated attacks, especially while many organizations continue remediation efforts stemming from the SolarWinds compromise.

Preparing for and Responding to Potential Threats Using Threat Intelligence

When approaching a "known threat" scenario in which information is flowing from credible sources, organizations should begin conducting estimative intelligence analysis to prepare decision makers across lines of business with the most-likely and most-dangerous threat courses of action. (Estimative intelligence is predictive; it is used to prepare decision makers for future threats and events.)

News media organizations can and should prepare for the most-likely threats: ideologically motivated actors conducting low-risk activities such as social media account hijacking, doxxing of news media personalities and/or website defacement. A most-dangerous course of action should also be assessed: the most-likely course of action, carried out by ideologically motivated adversaries or insider threats, combined with a simultaneous Distributed Denial of Service (DDoS) attack and a physical assault on field reporters and staff or a physical incursion onto company property.
The likelihood of these scenarios should be analyzed by both information security and physical security staff for each geographic location. Communication and cooperation between news agencies and local law enforcement is essential. A report with associated policies should be distributed to key decision makers within the organization to promote awareness and support incident response (IR).

Enacting Incident Response

Given the immediacy of these potential threats, it's unlikely that other best practices can be put in place between now and the inauguration. However, future events may require organizations to expand their IR playbooks to include planning for similar scenarios. Additionally, organizations are encouraged to conduct internal exercises (such as tabletop exercises or readiness assessments) to account for and document best-practice responses in case of a real-world incident.

In the event of a major incident involving both physical and cyber-based attacks, organizations should rely on the Incident Command System (ICS) to conduct their response. ICS is a standardized structure that coordinates managers and leaders across multiple organizations or lines of business in responding to a major incident. Government organizations rely on ICS for incidents ranging from natural disasters to pandemic response (for instance, Hurricane Harvey or the onset of COVID-19).

[Figure: Incident Command System sections]

Each section in ICS plays a specific role in the event of a major incident. Using ICS provides designated roles and responsibilities, integrated communications, common language and terminology, and quick coordination of resources and planning. For further information and a tutorial on ICS, readers should visit the National Service Knowledge Network Online Learning Center.

Conclusion

While the ongoing events are concerning, organizations have the tools at their disposal to identify, prepare for and respond to any potential threats posed by the unrest. Leaders need to coordinate and prepare their decision makers for any potential attack, either digital or physical. A prepared leader is an equipped leader and will significantly enhance protection of the organization's most important assets.

Organizations that have offices and personnel near the NCR or in the vicinity of U.S. state capitals should enact policies allowing further remote work, if this isn't already in place due to COVID-19 safeguards. In addition, to deter potential physical damage to office space in these regions, these organizations should ensure their physical security team(s) have access to threat information and publicly available bulletins produced by local and federal law enforcement, and should plan for scenarios of escalated public presence and the potential for violence, theft and property damage. Organizations that face the potential for physical threats should contact experts in that space.

By: Danny Pickens, Practice Director, Enterprise Incident Management | Optiv

Danny Pickens has two decades of experience in the fields of military intelligence, counterterrorism and cyber security. Throughout his career, he has spent time at the tactical, operational and strategic levels of intelligence and cyber operations within the United States military, various divisions of the Department of Defense and other U.S. Government organizations, as well as private enterprise. As the practice director of Optiv's Enterprise Incident Management professional services team, Pickens is responsible for the direction and engagements of Optiv's incident management services, encompassing both proactive and reactive incident management operations.