An interview with Philip Mudd of the New America Foundation.
Philip Mudd is a senior global advisor at Oxford Analytica, where he advises on the issues of global politics, counterterrorism, intelligence, and homeland security, as well as a senior research fellow with the New America Foundation’s Counterterrorism Strategy Initiative. In 2005, FBI Director Robert Mueller appointed Mudd to serve as the newly established National Security Branch’s first-ever deputy director. He received a Presidential nomination to become Undersecretary of Intelligence and Analysis (I&A) at the Department of Homeland Security (DHS) in early 2009 but later withdrew his nomination, returning to the FBI as its senior intelligence advisor. Before arriving at the FBI, Mudd served as deputy director of the CIA’s Counterterrorist Center from 2003-2005. He started his career at the CIA in 1985 as an analyst, specializing in South Asia and then the Middle East. He has received many CIA awards and commendations during his service, including the Director’s Award.
Drawing on your experiences and contacts at the FBI and the CIA, what, in your opinion, are the most credible threats to homeland security today?
People think we still face an al Qaeda threat and we do, but what we face more is the ripple effect of ideology among people who typically don’t even know much about what al Qaeda is. They hear about the message from friends, and they read about it on the Internet. In my experience, the Internet serves more as an accelerant in radicalization than an actual initiator.
We face more threats from individuals who may appear in the newspapers as al Qaeda affiliated people, but they’re just sort of fuzzy radicals. They think they have absorbed al Qaeda’s ideology, but they are usually angry or frustrated without having a serious ideological understanding of the al Qaeda message. They might be emotionally driven as a result of, for example, photographs they saw. Or they saw American forces doing things that they don’t approve of, such as searching women or operating in mosques. Over time, these individuals may begin to overtake the threat from al Qaeda core and affiliated groups in places like Yemen and Algeria.
We also face a threat from other types of groups, such as gangs, that are more damaging but make fewer headlines. It’s interesting, though, because we struggle to accept the occasional act of violence from a low level al Qaeda affiliated individual, but we seem to have accepted a threat from gangs. We still have well over 10,000 murders in this country every year. Almost none of them are terrorism-related.
And, finally, we’re starting to understand the implications of the cyberthreat. We start with the national security threat and then, obviously, the personal threat of people intruding on our cyberspace to steal things like Visa cards. I think we’re just now seeing the tip of the iceberg of this. The cyberthreat should easily overtake terrorism as a national problem in years to come, and probably soon.
Looking over the horizon, what other ideological threats aside from jihadism could metastasize into violent extremism?
There are a couple of broad areas. White supremacist and sovereign citizen groups, while not a significant threat, are still a problem.
The second threat, which I mentioned earlier, is gangs. They are more entrenched and their territories are broader.
When the FBI was set up in 1908, it was set up partly as a result of the Model-T. If you were a local sheriff before the Model-T and someone committed a bank robbery, it was unlikely they’d get too far. The Model-T meant that no local sheriff could handle regional or national crime. If you keep going a century beyond, what we have now is cybergangs from Eastern Europe, human trafficking from Southeast Asia, narcotics from Central America, and drug cartels from Mexico. Increasingly, crime is international and the kinds of gangs that we’re seeing are not only national or regional; they’re international and virtual.
The Aspen Institute Homeland Security Group, of which you’re a member, just released a report describing intelligence reforms for the DHS. Can you explain the recommendations outlined in the report?
When you look at the constellation of intelligence services in the United States, there is some overlap, but many of them have unique capabilities. For example, the CIA’s capabilities are obviously focused overseas in places like South Asia or the Horn of Africa. The National Counterterrorism Center’s capabilities are focused on infusing intelligence from all services. The FBI’s focus is largely domestic. So you look at a couple of pieces that help define what DHS’s specific mandate and responsibilities are. There are unique areas—such as the border, customs, and national infrastructure—that other intelligence community members don’t focus on. These are areas where DHS has a mandate by statute and by responsibility. They have unique pools of data in areas like travel or immigration. So Aspen’s recommendation is to build on these unique areas and try to avoid areas that are the responsibility of other agencies.
How would DHS make the private sector a factor in the domestic intelligence apparatus? What responsibilities would they each have?
There are a couple of responsibilities. The first is when you’re looking at broad industries: How do we prevent breaches of digital information by a foreign power? What are the common threats across the United States? Maybe an industry on the West Coast hasn’t been attacked yet, but an industry on the East Coast has been. Maybe there are lessons.
While you’re trying to help people understand what the common threat is and maybe how to respond to it, you’re also, hopefully, building trust, so they report a breach, and the federal government can sound the alarm and give stakeholders advice on protecting themselves. It has to be a partnership though, because a lot of information that resides out there is not going to be in federal databases. It’s going to be in the hands of a security manager who needs to build trust with DHS because he’s concerned about proprietary information reaching the general public.
So what the Aspen Institute wants is for DHS to focus more on protection at the local level than determining who’s going to attack us and why?
I think what we’re saying is “How can we sharpen and focus what we do over time so it aligns with our areas of expertise?” That includes the areas where we have unique talent and data pools and the areas where we have a customer base that isn’t being served by other agencies. We spent a lot of time with DHS Secretary Janet Napolitano and other DHS officials.
I’m afraid that someone is going to perceive this as a critique of DHS. It’s only saying we have more experience than we did a decade ago, so let’s apply it and see if there are ways to evolve. Any entity that I’ve ever been involved with—whether it’s public or private—has to sit back at some point and say, “Look, the world changes.” I don’t care if you’re selling widgets or you’re doing homeland security. Let’s keep evolving or we’ll die.
The report talks about creating a new type of analytical report for states and locals. What would it look like, and how would it benefit state and local first preventers?
The first question would be not “What do we produce for them?” My question to them would be, “What do you need that can help you make decisions better on security issues?” And a second question would be, “How do we deliver it that’s most efficient for you?”
I suspect the answer is going to be that it has to be useful, it has to be tactical, but it can’t be classified so they don’t need to go to a SCIF (sensitive compartmented information facility) to read it. It should come on their iPad or via e-mail.
It’s going to be a redefinition of the way we think about intelligence for customers who are outside the Beltway, who aren’t optimized to handle classified information and who need it delivered electronically by things like iPhones.
Say you’re looking at attacks against tourist targets overseas. We’ve seen attacks in Indonesia. We’ve seen them in the Horn of Africa. We’ve seen them in the Philippines. We’ve seen them in India. What does that tell us about the vulnerabilities of hotels or resorts? What does it tell us about how people operated, how they breached security, how security failed to prevent them from operating inside a hotel in Mumbai, for example? Are there things that we’re learning that somebody in the hotel industry in Las Vegas or Los Angeles or New York should know?
I don’t think any of that’s particularly sensitive. But my point is that the question starts with “You’re the security director of a major hospitality company: What do you need? Can we fill that gap?” If so, let’s ensure that we deliver your needs in a way that helps you answer the question fast, instead of a classic Washington approach, which is that we’re going to take the information we have; package it up in traditional paper-based intelligence reports that are classified; and give it to you via mechanisms that aren’t that convenient. That’s been the proclivity of the intelligence community for the past 70 years, and it needs to change.