EMERGING THREATS

TO
NATIONAL SECURITY
JUNE 2018 SPECIAL REPORT
Spies Are Going After US Supply
Chains, Intel Agencies Say
As cyber defenses close
the easier holes, foreign
agents are looking to
penetrate makers of
parts and software.
BY PATRICK TUCKER
COVER: spainter_vfx via istock.com
P
resident Trump astounded many in
Washington on Sunday by vowing to rescue
ZTE, the Chinese manufacturer whose
mobile phones are viewed as a security threat
by the U.S. intelligence community. America’s
own spies have been warning that China and
other potential adversaries might seek to weaken
U.S.security through the electronic goods and
services it buys.
“The most critical CI threats cut across these
threat actors: influence operations, critical
infrastructure, supply chain, and traditional
as well as economic espionage. Regional actors
such as Iran and North Korea, and nonstate
actors such as terrorist groups, transnational
criminal organizations, and hackers/hacktivists
are growing in intent and capability,”
William Evanina, who leads the National
Counterintelligence Security Center, told the
Senate Intelligence Committee on Tuesday. “For
example, a growing set of threat actors are now
capable of using cyber operations to remotely
access traditional intelligence targets, as well
as a broader set of U.S. targets including critical
infrastructure and supply chain, often without
attribution.”
Evanina declined to slam Trump’s decision
on ZTE, but said, “I will say that the intelligence
community is on the record about the threat posed
by Chinese telecom.” Asked whether he would use
a ZTE phone, Evanina answered, “I would not.”
The government’s efforts to better manage
security risks to the government and military
supply chain go back a decade. They include a
2015 best-practices report from the National
Institute of Standards and Technology, and a
requirement in the 2018 defense authorization
act that the Pentagon develop a better process for
supply-chain security.
But the risk is growing and there’s no simple
solution, according to Joyce Corell, the assistant
director for supply chain at the National
Counterintelligence and Security Center, or NCSC.
“The software supply chain is clearly being
used as a threat vector,” Corell said.
She cited reports from cybersecurity company
Emerging Threats to National Security | Page 2

NG HAN GUAN via AP Crowdstrike, whose 2018 Threat Report identified
out two software-based supply chain attacks with
Chinese origins: Netsarang and CCleaner.
“Both of these back-door attacks on legitimate
applications point to China-nexus threat actors,
and used the technique of compiling malware
directly into the compromised software,” the
company notes. “Similarities between these
attacks, such as command-and-control tactics and
code overlaps, suggest they are connected to the
same threat actor.”
One reason such attacks will grow more
common: the government’s renewed emphasis
on more obvious forms of cybersecurity, such as
protection against remote penetration attacks
and phishing attacks, which Corell referred to as
“perimeter” attacks. Now that the low-hanging
fruit is disappearing, adversaries are focusing
their attacks on the supply chain. “How do you
get around a hardened perimeter? You subvert a
supply chain,” she said.
Corell said reducing supply chain risk is
more difficult and complicated than just sending
buggy pieces of hardware or software to the IT
department. Because supply chain management
touches acquisition and other aspects of
management and business, organizations need a
team of people across disciplines to tackle the risk,
she said.
“We’re seeing an evolution in what I call a
need for integrated risk reduction, where you
bring together all the lines of business that need
to be at the table. You can no longer push your
risk decision down to your [chief security officer]
or just leave it in the hands of the [chief technical
officer]. You need to know what your enterprise
risk is. And you need to address all types of risk
from an integrated risk reduction perspective,”
she said. That might include experts in trade law
federal acquisition and government authorities.
“Sometimes you need an expert in every one
of those to help you assemble a risk-strategy
approach.”
Most important, managing the future of supply
chain risk is not something you do once and then
you are you done. Like a good health regimine,
it requires lots of consistent attention and
maintenance.
Emerging Threats to National Security | Page 3
A Criminal Gang Used a Drone Swarm
To Obstruct an FBI Hostage Raid
D
And that’s just one ENVER, Colorado — Last winter, on the
of the ways bad guys outskirts of a large U.S.city, an FBI hostage
are putting drones to rescue team set up an elevated observation
use, law enforcement post to assess an unfolding situation. Soon they
officials say. heard the buzz of small drones — and then the
BY PATRICK TUCKER tiny aircraft were all around them, swooping past
in a series of “high-speed low passes at the agents
in the observation post to flush them,” the head
of the agency’s operational technology law unit
told attendees of the AUVSIXponential conference
here. Result: “We were then blind,” said Joe Mazel,
meaning the group lost situational awareness
of the target. “It definitely presented some
challenges.”
The incident remains “law enforcement-
sensitive,” Mazel said Wednesday, declining to
say just where or when it took place. But it shows
how criminal groups are using small drones for
increasingly elaborate crimes.
Mazel said the suspects had backpacked the
drones to the area in anticipation of the FBI’s
arrival. Not only did they buzz the hostage
rescue team, they also kept a continuous eye on
the agents, feeding video to the group’s other
members via YouTube. “They had people fly their
own drones up and put the footage to YouTube so
that the guys who had cellular access could go to
the YouTube site and pull down the video,” he said.
Mazel said counter surveillance of law
enforcement agents is the fastest-growing way that
organized criminals are using drones.
Some criminal organizations have begun to use
drones as part of witness intimidation schemes:
they continuously surveil police departments and
precincts in order to see “who is going in and out
of the facility and who might be co-operating with
police,” he said.
Drones are also playing a greater role
in robberies and the like. Beyond the well-
documented incidence of house break-ins,
criminal crews are using them to observe bigger
target facilities, spot security gaps, and determine
patterns of life: where the security guards go and
when.
In Australia, criminal groups have begun
have used drones as part of elaborate smuggling
schemes, Mazel said. The gangs will monitor port
authority workers. If the workers get close to a
shipping container that houses illegal substances
or contraband, the gang will call in a fire, theft, or
some other false alarm to draw off security forces.
Andrew Scharnweber, associate chief of U.S.
Customs and Border Protection, described how
criminal networks were using drones to watch
Emerging Threats to National Security | Page 4
 Border Patrol officers,
identify their gaps in
coverage, and exploit
them.
“In the Border
Patrol, we have
struggled with
scouts, human
scouts that come
across the border.
Naypong via iStock
They’re stationed on various mountaintops near
the border and they would scout ... to spot law
enforcement and radio down to their counterparts
to go around us. That activity has effectively been
replaced by drones,” said Scharnweber, who
added that cartels are able to move small amounts
of high-value narcotics across the border via
drones with “little or no fear of arrest.”
Nefarious use of drones is likely to get
worse before it gets better, according to several
government officials who spoke on the panel.
There is no easy or quick technological solution.
While the U.S.military has effectively deployed
drone-jamming equipment to the front lines in
Syria and Iraq, most of these solutions are either
unsuitable or have not been tested for use in
American cities where they may interfere with cell
phone signals and possibly the avionics of other
aircraft, said Ahn Duong, the program executive
officer at DHS’s homeland security, science and
technology directorate.
The most recent version of the FAA
reauthorization bill contains two amendments
that could help the situation, according to
Angela Stubblefield, the FAA’s deputy associate
administrator in the office of security and
hazardous materials safety. One would make it
illegal to “weaponize” consumer drones.
The other — and arguably more important
— amendment would require drones that fly
beyond their operators’ line of sight to broadcast
an identity allowing law enforcement to track and
connect them to a real person.
“Remote identification is a huge piece” of
cutting down on drone crime, Stubblefield said.
“Both from a safety perspective ... enabling both
air traffic control and other UAS [unmanned areal
systems] to know where another is and enabling
beyond line-of-sight operations. It also has an
extensive security benefit to it, which is to enable
threat discrimination. Remote ID connected to
registration would allow you to have information
about each UAS, who owns it, operates it, and
thus have some idea what its intent is,” said
Stubblefield.
But even if both amendments pass as part of
the re-authorization, it will be some time before
they take effect, so it will be the Wild West in
America’s skies a while longer.
Emerging Threats to National Security | Page 5
The Pentagon Is Making a Ray
Gun to Stop Truck Attacks
T
A device that resembles
an old phonograph may
soon be used to jam and
shut down vehicles like
the one that killed 10
people in Toronto
BY PATRICK TUCKER
he van driver who killed 10 Toronto
pedestrians on Monday showed that a
terror technique that ISIS pioneered in Iraq
and Syria in 2015 remains terrifyingly effective
against unsuspecting urban populations. But the
U.S. military is working on a new weapon to stop
vehicle-born terrorist threats, one that could help
police departments as well.
The Defense Department’s Joint Non-Lethal
Weapons Program, or JNLWD, is pushing ahead
with a new direct energy weapon that uses high-
powered microwaves to stop cars in their tracks
without damaging the vehicle, its driver, or
anyone else.
The jammer works by targeting the car’s
engine control unit causing it to reboot over and
over,
stalling
the
engine.
Like
an invisible hand, the microwaves hold the car in
place. “Anything that has electronics on it, these
high-powered microwaves will affect,” David Law,
who leads JNLWD’s technology division, said in
March. “As long as the [radio] is on, it holds the
vehicle stopped.”
Law’s crew has dubbed the device the Radio
Frequency Vehicle Stopper. They’re working on
two versions. A small one, vaguely resembling an
old-time phonograph, can fit in the bed of a truck.
With a range of 50 meters, it is intended for hot
pursuits. To deploy it, the driver would pull out in
front of the attacker and turn it on.
For more random truck attacks, like the one in
Toronto, the directorate is working on a stationary
version about three times the size. Augmented
by an amplification
device and a larger
dish, this one would
have a range of a “few
hundred” meters,

A model of the short-range radio frequency stopper

under development to stop vehicle attacks, developed by
JNLWD. Photo taken March, 2018. / Patrick Tucker

Emerging Threats to National Security | Page 6

 “The concept of the radio-frequency stopper reflects a
breakthrough in shrinking power generators as in ray
gun tech”
Law said. If you could figure out the most likely
locations for a vehicle-borne terrorist attack, you
could pre-position the device. A video of a live
demonstration of the technology is below.
The military is developing the weapon for
“force protection” — as in protecting soldiers and
bases. But it has applications for police as well.
Placed strategically around cities, it could prevent
attacks like the ones in Europe, Canada, the United
States, and elsewhere. There are, however, some
tricky legal issues involved in using electronic and
radio jamming devices in the United States.
The directorate hopes to have a working
prototype by FY 2019.
There’s a reason no one has thought of this
before. The concept of the radio-frequency
stopper reflects a breakthrough in shrinking
power generators as in ray gun tech. Direct-energy
weapons use a lot of power. Electricity to run the
stopper comes from a gasoline-powered turbine
from Indianapolis-based Candent Technologies
that generates 300 kilowatts of power. Says Law.
At 400 pounds, it’s about the size of a large
copy machine. But that’s a fraction of the size
of generators that the military would use for
similarly power-hungry tasks, like massive Mobile
Electric Power 809A, which starts at 6,200 pounds
The directorate will take possession of the
generator in September.
Emerging Threats to National Security | Page 7
To Learn How to Protect America
From Digital Threats, Look to Europe
T
European nations he revelation that Cambridge Analytica, a
are charting the way, data firm hired by the Trump campaign,
adopting whole-of- exploited Facebook data from 50 million
society methods Americans should be a wake-up call. Our
for dealing with this government is failing to protect us online. Foreign
new challenge. intelligence agencies need only check social
BY MAX BERGMANN media user-agreement boxes to harvest our data
& PATRICK BARRY and run influence campaigns. Meanwhile, as
everything from hospitals to nuclear power plants
to Wall Street are connected online, America is
increasingly vulnerable. Yet compared with our
allies, there is little urgency to tackle the problem.
This is a surprising role reversal. European
weakness in the face of national security threats
has been a bipartisan headache since the end of
World War II. Yet, when it comes to the newest
digital threats to the West, like those emanating
from Russia, Europe is charting the way, adopting
whole-of-society methods for dealing with this
new challenge.
While there is no single “European” approach
toward Russia, various European countries —
along with the EU and even NATO— are providing
a variety of smart policy responses that America
should emulate.
Beginning with 2007 attacks on Estonia’s
internet, Europe has been a digital-aggression
petri dish: cyber-attacks, digital propaganda, even
election hacks. Employed effectively, these actions
disrupt or discredit news sources, strain national
dialogue, and even crush democratic legitimacy.
In response, Europe has wisely stopped
treating cyberspace like its own special domain
reserved for tech geeks and certain policy makers.
Just as Russia has integrated various digital
tools – be they for espionage, cyber attacks, or
propaganda – into larger, aggressive political
strategies, more countries must have their own
integrated approaches. This was reflected in
January’s launch of the joine EU-NATO European
Center of Excellence for Hybrid Warfare, which
seeks to enlist diplomats, law enforcement,
intelligence services, even technical experts to
tackle the threat.
Emerging Threats to National Security | Page 8
 “European willingness to write rules reducing vulnerability
or stamping out foreign actors’ malign acts signals a resolve
that so far is lacking in the States.”
Europe is also active in another respect:
regulation. Germany has implemented a hate-
speech law requiring swift action and large
penalties for spreading already-illegal language.
France has promised legislation targeting
fake news. And at the EUlevel, the European
Commission is preparing its General Data
Protection Regulation, which will use the threat
of stiff fines to engender better cybersecurity.
European willingness to write rules reducing
vulnerability or stamping out foreign actors’
malign acts signals a resolve that so far is lacking
in the States.
In no area is Europe more engaged than in
mobilizing society to achieve digital resilience.
As documented in a 2017 Washington Post report,
these efforts have been going on for years. They
exist in countries like Sweden, where schools
are enlisted to detect Russian propaganda, and
at the EU-level, where a task force documents
and analyzes state-sponsored malign influence
campaigns. As German MP Patrick Sensburg said,
“We have to prepare the public.”
Little such urgency is seen in the United States,
where a 2016 study from Stanford showed that
students have a “dismaying” ability to tell fake
news from real, and where tens of millions of
Americans may have unwittingly used platforms
like Twitter or Facebook to view or share Russian
propaganda during the 2016 election season.
These actions continue today, and there are signs
they will be employed in this year’s mid-terms.
One major lesson from Europe is that
responding to Russia and bolstering defenses is
not just about foreign policy. Through fixes to
law, there is much that America can do to shore
up its defenses. Sensible proposals exist, but
they withering on the vine. Disclosing foreign
funding of political ads, as recommended by
Senator Warner, can help inject much needed
transparency. Legislation pressed by Senators
Lankford, Kloubachar, and others, will not only
fund election infrastructure hardening, but put
equipment suppliers on notice that we expect
Emerging Threats to National Security | Page 9
 better security.
matejmo vis istock.com
Regulation is not a silver bullet; America’s
first amendment make some European-style
regulations impossible. Yet Americans can and
should take steps to curb tech abuses.
While Congress must act, the Trump
administration can take steps now to protect
America.
For the military, the Pentagon is taking a good
first step by elevating U.S. Cyber Command. But it
should also ensure the military can conduct hybrid
warfare in an integrated way. For instance, in the
future, it may be that information warfare should
fall in CYBERCOM’s job jar. At the same time the
command should also follow a model closer to US
Special Forces, whose actions are most effective
when tied to strategic objectives set by regional
commanders and diplomats.
The State Department needs to get in the game.
We should be investing in our counter-propaganda
tools, like the Global Engagement Center (though
re-thinking its contract with Cambridge Analytica
would help).
Expanded law enforcement investigations to
expose illicit foreign cyber and influence efforts
is an area where the U.S. is actually surpassing
Europe, as evidenced by the Mueller probe. We
should devote more resources to these efforts, just
as we did to counter terrorism following 9/11.
DOJ, DHS and others should mobilize society
against the threat, not as isolated task forces,
but like the Obama administration’s whole of
government effort to counter violent extremism.
But the strongest signal would be enforcing
laws meant to punish election interference. The
President must signal the clear intent of the United
States to defend itself against adversaries, like
Russia, employing digital means to attack our
democracy.
Emerging Threats to National Security | Page 10
About the Authors

PATRICK TUCKER MAX BERGMANN PATRICK BARRY

Patrick Tucker is Max Bergmann is a Patrick Barry served

technology editor senior fellow at the in the Defense and
for Defense One. He’s Center for American Homeland Security
also the author of The Progress, where he Departments during the
Naked Future: What focuses on European Obama administration,
Happens in a World That
Anticipates Your Every security and U.S.-Russia where he advised
Move? (Current, 2014). policy. Cabinet officials on
Previously, Tucker was counterterrorism,
deputy editor for The cyberspace and
Futurist for nine years. intelligence.

Emerging Threats to National Security | Page 11