A View from the CT Foxhole: Lisa Monaco, Former Assistant to President Barack Obama for Homeland Security and Counterterrorism
October 16, 2017
Lisa Monaco served as Assistant to the President for Homeland Security and Counterterrorism from March 2013 to the end of the Obama administration. Prior to the White House, Monaco spent 15 years at the Department of Justice, the majority of that time serving as a career federal prosecutor, and in senior management positions in the Justice Department and the FBI. During this period, she served for three years as counsel to and then Chief of Staff at the FBI, helping then Director Robert Mueller transform the FBI after 9/11 into a national security organization focused on preventing terrorist attacks on the United States. From 2011 to 2013, she served as Assistant Attorney General for National Security, the first woman to serve in that position. Monaco is currently a distinguished senior fellow at the Center on Law and Security at the New York University School of Law and a senior national security analyst for CNN.
CTC: How do you see the threat from global terrorism evolving?
Monaco: We have, for some time now, rightly focused on ISIS and its various manifestations. I have, in the past, described it as taking multiple forms. They have, in one respect, been an insurgent army, and they’re clearly on their back foot in that manifestation. They’ve also been a semi-classic terror group in terms of planning and dispatching attackers for attacks like we saw in Paris, Brussels, etc. And then of course there has been what I call the social phenomenon of ISIS manifested in their use of and abuse of social media platforms to recruit, radicalize and mobilize individuals to violence.
At the same time, we cannot lose sight of the potential still for a catastrophic 9/11-style attack given what we’re seeing, particularly from al-Qa`ida in Syria. We, in the Obama administration, were very focused on that even while we were focusing on ISIS. A group of al-Qa`ida veterans who had decamped from Afghanistan to Syria seeking safe haven, known as the Khorasan Group, were among the first set of targets in Syria in the summer of 2014 at the same time that the United States began the anti-ISIS campaign in Iraq. And I think that threat, particularly of aviation-style attacks—whether it’s from al-Qa`ida in Syria or AQAP, which remains very persistent, or indeed from ISIS—is something we can’t take our eye off.
We’re also going to have to continue to pay very close attention to the threat from foreign fighters—particularly those from Europe and other western passport holders dispatched as operatives both to Europe and to other Western countries.
CTC: The enduring threat from al-Qa`ida is, of course, very concerning, especially because there are now up to 20,000 fighters1 affiliated with al-Qa`ida-aligned groups in Syria. In 2015, however, we had al-Qa`ida’s leader in Syria Abu Muhammad al-Julani claiming in an Al Jazeera interview2 that Ayman al-Zawahiri had put a moratorium on launching attacks against the West from Syrian territory. How does that complicate the threat picture?
Monaco: The exhortations from Zawahiri in general and to Julani specifically was something we watched quite closely when I was in government. It is true, Jabhat al-Nusra—al-Qa`ida in Syria, however you wanted to call them—have long been focused on the fight against Assad. I think they’re obviously now the biggest force, most capable force fighting the Assad regime. That said, I think the more they contain or grab hold of a safe haven in Syria, the greater potential threat they become.
Based on what we saw with regard to their whole purpose in going to Syria two, three years ago they were decamping from Afghanistan to Syria precisely so they’d have this more hospitable environment, which they continue to enjoy. I just think we can’t discount that some element of the focus remains on plotting against the far enemy—notwithstanding Zawahiri’s exhortations, whether that’s for public consumption or not—and that the more they feel safe in the area that they do occupy—whether it’s Idlib or otherwise—the more threat they will pose. We can’t lose track of their potential to plot attacks from there on the U.S. homeland.
CTC: With regard to the so-called Khorasan Group plotting against the West in 2014, as the intelligence picture matured on that, was it more of a case of a group putting itself in a position to launch attacks against the West, or were there actual preparations for a specific plot?
Monaco: I’d say both. And in fact, those 2014 strikes were against bomb-making factories in Syria. That’s why—we said this publicly at the time—we included those targets in addition to the ISIS targets at the start of that campaign.
CTC: Bomb-making facilities specifically tailored to launching attacks on Western aviation?
Monaco: Western targets and Western aviation.
CTC: Then after that came the al-Zawahiri moratorium. But from a counterterrorism practitioner point of view, you can’t take any chances given the history of the group.
Monaco: Correct. The one thing I think CT professionals certainly agree on is having physical space that either has periodic pressure or not sufficient pressure placed on it is a quintessential element of a threat picture that we’re going to be worried about. So their capability of continuing to have that territory in Syria, growing it, is something that you’re always going to be worried about as a main ingredient to attacks on the West.
CTC: When it comes to the threat from al-Qa`ida in Yemen, they appear to have grown in terms of their manpower, resources, and territorial footprint since attempting to blow up a U.S. passenger jet over Detroit on Christmas Day 2009. Ibrahim al-Asiri released a statement last month threatening more attacks against the United States.3 How concerning is AQAP, as part of the threat matrix?
Monaco: It was always at the top of our list of concerns when I was in government. They continue to grow their manpower. They have benefited from the chaos in Yemen. The Houthi rebellion has done nothing but, I think, feed their ranks. And we’ve seen them be the most persistent terrorist group when it comes to aviation plotting. That’s just by the numbers. It’s quite clear going back certainly to the so-called Christmas Day bomber and then the printer cartridge plot of 2010 and on and on. And as you rightly point out, Asiri remained, at least by the time I left government, still at large and somebody we were quite concerned about, because of concern he was continuing to hone his craft and training up apprentices or sharing the benefit of his knowledge with other terrorist groups, whether it’s al-Qa`ida in Syria elements, whether it’s ISIS elements. The proliferation of his knowledge is something we were quite concerned about.
CTC: In July, Australian police arrested two brothers in Sydney who allegedly plotted to blow up a passenger jet and were in the very early stages of trying to build a poison gas dispersal device.4 The plot got a lot of attention because the Islamic State allegedly air-mailed a partially constructed device, including high-grade explosive, for final assembly in Australia, which I’ve called an IKEA-model of terrorism. How much of a wake-up call was this plot?
Monaco: Like you, I worry this is a sign they’re innovating. We’ve seen that with attempts to build non-metallic devices and ever smaller devices in order to evade detection, but that can still be deadly if placed in a particular place on an airliner. I’m very worried that they’re “going to school” on the aviation measures we’ve taken to date and that we’re in a race about who’s going to innovate more, in terms of us on the detection end and them on the explosives end. We’ve seen them continuously adapting, whether it’s trying to get an explosive on an airliner or reacting to the steps the West has taken to harden the whole air travel supply chain. We saw that in the Brussels airport bombing in the departures area of the airport. They know we can’t push out our secure areas further and further, so they’re looking to strike just beyond that last point of defense.
So whether it’s in trying to attack the soft target areas of the airline industry, whether it’s in, as you say, using the logistics supply chain to their advantage with this IKEA-style of terrorism, all signs point to terrorist actors trying to innovate but still seeing the airline industry and airline services as a very attractive target because of economic repercussions and the quintessential effect of terror—to make people afraid of going about their daily lives and doing routine things.
CTC: With the Islamic State having launched a significant number of sulfur mustard attacks in Syria, what level of concern did you have while in the White House, and do you have now, on the chemical terror threat posed by the group?
Monaco: I think you rightly point to access to facilities, material, and expertise due to the amount of time and free reign ISIS has had in places like Mosul, which is the academic seat in Iraq—the Mosul university, Mosul hospital—and all that time spent there is something we were very, very concerned about. We can’t discount that they’ve learned a fair bit and have gotten some of that expertise [into] their ranks. As is well documented they’ve carried out a spate of the sulfur mustard attacks in Syria and Iraq. Actually carrying out an attack involving operatives dispatched to Europe or the United States with this material would add another layer of difficulty for them because you’re talking about getting material, people, know-how into the West. One of the biggest concerns in this regard is the 7,000 European passport holders who traveled into the region as part of the overall 40,000 travelers into the conflict. The worry is some will have significant know-how and skills that have been burnished in places like Mosul.
CTC: The numbers of foreign fighters are staggering. As Lieutenant General Michael Nagata of the National Counterterrorism Center stated in April,5 the 40,000 figure refers to the approximate number who have been identified so far.
Monaco: Yes, that 40,000 represents identities known. We’ve amassed a lot of information with our partners. But the most worrying thing is that number that hasn’t been identified. And while I think we’ve gotten better and there’s been a growing amount of information sharing and coupling that with other intelligence from security and law enforcement services across the West as well as in our broader partnerships, we can only have so much confidence in that 40,000 number. It’s very hard to tell you what that unknown number is. I don’t think we have a good sense of even just the scale of what we’re not seeing.
CTC: So far, we have not seen a single terrorist plot on U.S. soil involving Islamic State recruits dispatched to this country. Rather, the threat has come from Islamic State sympathizers, some of whom were virtually directed by Islamic State operatives in Syria. In examining those charged in terrorism-related cases, as well as the small number of terrorists killed during attacks, a study published last month by the Center on National Security at Fordham Law found there were 15 individuals involved in “ISIS cases”a in 2014, 73 in 2015, 39 in 2016, and 17 in the first seven months of 2017. What do those figures tell you about the evolution of the threat?
Monaco: The 2015 uptick may be due, to a significant degree, to the real focus by the FBI on investigations and arrests and prosecutions for material support in the form of travel to join ISIS. The large number in 2015 may also be a function of a very aggressive use of online undercover operatives to make sure law enforcement can identify radicalization and mobilization to violence that is going on online. The other factor at play here is that these 2015 numbers should be seen against the backdrop of the [September 2014] Adnani direction for supporters to act wherever they are. That produced a significant challenge for law enforcement because the individual deciding in his own mind to follow Adnani’s direction is a lot harder to detect than somebody talking to somebody else in a chat room who turns out to be a member of law enforcement.
CTC: The number of Islamic State-related cases has declined since its 2015 peak. Does that suggest the Islamic State message is losing its resonance in the United States? Is the threat picture ameliorating?
Monaco: I don’t ever recall feeling content that a threat had crested. I’m loathe to put all that together and say the ISIS messaging—whether it’s to join the fight in Iraq and Syria, whether it’s to act where you are—has lost its resonance to a point where I’d be comfortable. In the run-up to the election in 2016, we were very, very concerned about what we were seeing coming out of some of the main ISIS messaging platforms about attacking the election or polling places as gatherings of potential soft targets. Now, what I think you can say with more certainty is that it’s probably getting harder to carry out attacks, given the very forward-leaning stance the FBI has taken in its ISIS investigations. But the fact remains, this new phenomenon of individuals inspired to act because of what they are seeing online is a real challenge for law enforcement to detect and disrupt.
CTC: There’s been a significant reliance on sting operations here in the United States.b One could argue these sorts of investigative tactics, while they have no doubt thwarted dangerous plots, have inflated the number of terrorism cases in the United States because individuals are more likely to move forward with plans if they believe others are part of the conspiracy. Given the unease in the Muslim community over sting-operations and how important information from the community is in alerting authorities to potential terrorist activity, is there a danger in overrelying on sting operations?
Monaco: I’ve seen this debate evolve over time, and when I was the head of the national security division at the Justice Department, it was, and continues to be, a very important tool. I would defend the use of that tool overseen as it is, by definition, by our court system. In those cases in which plotters are operating in what I call a “closed system,” this approach is key. The Boston bombers are a perfect example. They were talking to each other and viewing, passively, Awlaki videos. Unless you were somewhere in that conversation stream between the two brothers or watching them watching those al-Qa`ida videos, which we didn’t have a basis to do at the time, how else are you going to detect when something goes wrong in their mind and turns them to action?
Now, I do think we need to have a discussion about what form getting into that conversation can take. It can be an undercover agent or it can be a member of the community, maybe a relative or friend or teacher who says, “I realize that you’re starting to talk in a way that is making me very concerned about what your intentions might be. Let’s sit down and figure out what’s going on here. Let’s bring in some other trusted community member, whether it’s law enforcement, whether it’s a parent, whether it’s somebody else.”
We absolutely need to find ways to empower the community to help. I also think we have to honestly have a discussion about what potential off-ramps there could be for some of these individuals—whether it’s through a community organization, a community group, a community member, whether it’s through some type of diversion program as we’ve used in the past for gang members and the like. There are all sorts of complications for that in the terrorism scenario, but we need to be having that conversation.
So yes, there has been a significant use of sting operations by law enforcement as a way of disrupting something that is on its way to going bad because there is a zero tolerance for any missed threat. But at the same time, sting operations are one tool in a very limited tool box for this type of threat. So we need to be having a conversation about developing more tools, including potentially off-ramps working with members of the community.
CTC: In June, the new administration granted $10 million to 26 organizations working on CVE [countering violent extremism], but it also rescinded funding for a number of organizations, including the Muslim Public Affairs Council and Life After Hate, an organization that works to counter far-right extremism.6 What would your advice be to the new administration in how best to empower the Muslim community to take on jihadi ideology?
Monaco: One of the things I heard most often from Muslim community members and from others when the subject turned to CVE was “why do you, Obama administration, only see this radicalization and terrorism as a Muslim problem?” I think we went to great lengths to make very clear that terrorism, extremism, violence in all its forms from all sorts of ideologies is unacceptable. But it’s very hard to get that message through, and you really undercut your ability to build trust and relationships with the Muslim community, if you’re not very clearly showing that you’re concerned about all forms of extremism and terrorism, including far-right extremism, neo-Nazis, white supremacists, sovereign citizen movements. So the move to rescind the grant to Life after Hate, for example, just sends both the wrong message and substantively undercuts the approach to get after all forms of extremism.
So my advice would be firstly, put your money where your mouth is and make clear that you are defining extremism broadly. And then secondly, we’ve seen a diminution for the focus and support for the counter-messaging efforts that we worked very hard in the Obama administration to revamp. Nobody who worked on these efforts in the Obama administration would tell you that we were perfect in this. In fact, we arguably had a few false starts. But by the last several years of the Obama administration, we had really taken on the expertise and guidance from experts in counter-messaging and branding and the technology industry to really revamp the efforts coming out of the State Department. In creating the State Department’s Global Engagement Center, we decided to have the federal government not act as the messenger. Instead we acted as a convener to encourage collaboration between tech industry companies and legitimate voices in the NGO sector and beyond to amplify the impact of those best placed to counter ISIS messaging. This involved getting on board the likes of YouTube, as well as the Sawab Center in the UAE, which has become a regional node for confronting extremist messaging.
I am concerned that in the last nine months there has been a real diminution in those efforts. The Global Engagement Center still doesn’t have a director. And the talent that we spent a long time trying to recruit into government from Silicon Valley and the like is leaving because they don’t see a lot of uptake for these efforts.
CTC: In late September, citing national security threats, the Trump administration banned most travel to the United States from seven countries, all of which have Muslim majorities except North Korea.7 It was the third iteration of an order that has caused significant controversy. What are the national security rationales for such measures?
Monaco: It remains to be seen just how this third iteration is going to be operationalized, but certainly with respect to the first two versions, they do not operate from a threat-based, intelligence-based, targeted approach to vetting, which I think is how you should approach it. James Clapper8 and I and a bipartisan group of national security officials have signed onto briefs that have said there are no national security grounds for blanket bans and that there ought to be rigorous vetting and it ought to be threat-based, intelligence-based.
It is not that any one of the national security experts I’ve talked to about these issues doesn’t think that there can’t or shouldn’t be more done in terms of vetting. In fact, the vetting process ought to be constantly evaluated in relation to the threat picture and to the intelligence picture. But a blanket, country-based, wide-swath approach is not only ineffective, but it’s also counterproductive because it’s going to hurt the very relationships we need counter the terrorist threat and feed into a recruiting narrative that the United States is at war with an entire religion. Not only can this be exploited by groups like al-Qa`ida and the Islamic State to push their worldview, but it can really undermine the partnerships that we need to get after a whole host of threats. You saw that with the Iraqi reaction to the very first iteration of the travel ban.
CTC: There have been a number of calls from politicians for platforms such as WhatsApp to create backdoors to address the issue of terrorists “going dark” because of encryption. But Aaron Brantly argued in the August issue of this publication that such measures would be futile because terrorists users would migrate to other platforms and because the code behind end-to-end encryption is already available on the internet making it possible for terrorists to build their own platforms and “worse than futile” because such backdoors would damage the ability of millions of Americans to communicate securely.9 We seem to be in a situation in which terrorists are increasingly using encryption in plotting attacks, but it has become very difficult, perhaps impossible, to do much about it. Is that a fair assessment?
Monaco: I think that it certainly describes the landscape as had been developed by the time I left government. It’s important that we break this problem down a little bit. It’s something we tried to do in talking with the tech firms and experts when I was in government, because for a long time we were talking past each other with law enforcement saying: “It’s not impossible for you to give us this information. You’ve been doing it for years in responding to lawful process. And the tech industry would say, “No, it’s impossible. We can’t give that to you,” because of course the technology had been constructed such as to make it impossible.
We need to break this into two streams. The first stream are the password-protected phones in the hands of investigators, like we saw with the San Bernardino attacker’s iPhone. The second stream is the end-to-end encryption concerns for communications in transit. I continue to think that our innovation and entrepreneurial culture is such that we ought to be able to find a solution if not to both streams, then at least to the first stream—the mountains and mountains of devices that are coming into lawful possession of law enforcement without them being able to access their contents pursuant to lawful process from a court.
CTC: The San Bernardino attackers’ iPhone was eventually cracked10 suggesting, as you say, that there may be technological solutions in extracting data in those cases, but when it comes to the second stream of terrorists using end-to-end-encryption, short of shutting down their access to the internet, this seems very hard to stop.
Monaco: That’s right because as you point out, users could migrate to other platforms, which may be even more difficult for intelligence services to monitor, and the code is out there for end-to-end encryption. My worry is, given what I see right now, I don’t see dialogue between government and the tech industry improving under the current administration.
CTC: The cell dispatched by the Islamic State which carried out the Paris and Brussels attacks were communicating via encrypted apps with senior Islamic State operatives in Syria. Belgian investigators found audio briefings recorded by the Brussels cell for their superiors in Syria on a laptop used by the cell in which they were discussing attack planning. The last briefing was recorded a day before the attacks and made clear an attack was about to be launched.11 None of this was picked up in real time by signals intelligence agencies. How much more difficult is end-to-end encryption making it for the NSA or GCHQ to thwart plots?
Monaco: There’s no doubt that it has made identifying and disrupting plots more difficult because you need a starting point to then develop the intelligence further, and you won’t get that starting point, so as to flesh out that network, if all the communication is being done on encrypted platforms. It’s going to be harder and harder—and sometimes impossible—to get that critical insight which is going to allow you to develop the intelligence picture.
CTC: Turning to the nature of the terrorist threat from Iran and Iranian proxies, in 2011 as Assistant Attorney General for National Security, you helped oversee the investigation that thwarted a plot by Mansour Arbabsiar directed by elements of the IRGCc to assassinate the Saudi Ambassador to the United States.12 How has the threat from Iran-sponsored terrorism evolved?
Monaco: Arbabsiar was in communication with handlers from the IRGC. We alleged and he pled guilty to a plot against the then Saudi ambassador [now foreign minister] Adel al-Jubeir to take place by bombing the Cafe Milano restaurant in Georgetown while he was there. The plot itself was extremely worrying both because of the violence of trying to assassinate an ambassador, but also it evinced to us a new threshold that the IRGC seemingly was willing to cross. That’s why you saw a whole-of-government response to that plot. And so on the day that we announced the indictment, myself, FBI Director Bob Mueller, the U.S. Attorney in Manhattan Preet Bharara, and the Attorney General Eric Holder made a joint public statement to make very clear that we saw this as the Quds forced basically crossing this threshold. At the same time, we sanctioned a number of members of the Revolutionary Guard under the Treasury’s authorities. We were kind of pulling out all elements of national power to say this type of purported escalation in the form of this plot was not going to be tolerated.
I think the case blew the lid a little bit off the notion that there might be some sort of restraint being imposed on the Quds force. At the very least, it was clear that whatever restraint was being imposed was not being heeded by the elements who were perpetrating this plot and who we named in the indictment.
CTC: What are the continuities and changes you’ve seen in the counterterrorism strategy of the Obama and Trump administrations?
Monaco: I think we’ve seen a fair bit of continuity in terms of the counter-ISIS campaign. Contrary to there being some new secret plan to counter ISIS, what we’ve seen is basically a continuation of the playbook that the Obama administration was executing to greater and greater effect and in a more, more aggressive way, particularly over the course of 2016. I think a change that you’ve seen between the last administration and the current one—at least that’s been reported, although not necessarily explained by the new administration—is this idea of delegation of certain operational decisions down further and further to commanders in the field, so as to increase the tempo of operations in the counter-ISIS campaign. So continuity with some change in this respect, but largely a continuation of the strategy and the campaign that the Obama administration had been putting into effect, vis-à-vis countering ISIS in Iraq and Syria.
CTC: Last month, The New York Times reported the Trump administration13 is considering relaxing two rules in targeting terrorists. “First, the targets of kill missions by the military and the CIA, now generally limited to high-level militants deemed to pose a ‘continuing and imminent threat’ to Americans, would be expanded to include foot-soldier jihadists with no special skills or leadership roles. And second, proposed drone attacks and raids would no longer undergo high-level vetting.” According to the article, “the changes would lay the groundwork for possible counterterrorism missions in countries where Islamic militants are active but the United States has not previously tried to kill or capture them.” How do you view these proposals?
Monaco: It remains to be seen what actually is going to be approved. If the reporting is correct, what is being proposed would have some pretty significant continuity in terms of the maintenance of the near-certainty standard—near certainly of no civilian casualties—and a continued distinction between areas of active hostilities, i.e., traditional battlefields, versus areas outside of active hostilities, which was of course a framework that the Obama administration used. The departure from the continuing imminent threat standard is significant and maybe more significant in terms of how our partners react and how they will, or will not, chose to work with us in areas outside of active hostilities in going after threats to the United States and to our allies and partners, if they do not believe that the framework that we are operating under is consistent with international humanitarian law.
Although having a continuing imminent threat standard does not end debate about these operations, having that threat standard was valuable as both a discipline for our operations and as a way to bring our partners on board. So we’ll see how our partners react to these reported proposed changes. But by and large, if the reporting is correct, we’ve seen some significant continuity in the framework that President Obama announced in 2013. Seeing that institutionalized in our counterterrorism operations would be a good thing.
CTC: What worries you most when it comes to the challenges ahead for U.S. counterterrorism agencies?
Monaco: One of the greatest benefits since 9/11 and one of the greatest continuing challenges I think is to build and maintain robust partnerships to detect, deter, and disrupt terrorism threats. Will we have and are we fostering partnerships—whether it’s with our European and NATO allies or whether it’s across the board—to keep the type of pressure on safe havens and emerging safe havens that we need to do to keep the lid on the kind of catastrophic attack that we started our conversation with? That remains to be seen, for example, when it comes to information-sharing with the Europeans for those who are traveling out of Iraq and Syria and whether they feel confident that this administration is one with which they can work. Working at those partnerships is a continuing challenge, particularly on the European front where I think they need to do more with and amongst themselves when it comes to information-sharing between the intelligence and criminal sides of their respective houses. Are we, in the United States, postured to help them and foster good relationships? We’ll see.
The other challenge, even as we talk about physical safe havens, is the virtual safe havens that ISIS and other terrorist actors are amassing. Are we poised to address the continued proliferation of virtual safe havens? We’re going to need to do a lot more work with the private sector and the tech industry, and that gets to the question of the relationship and trust. I haven’t seen a lot from this administration about trying to do the necessary outreach to do that.
We also need to keep on paying attention to the cyber capabilities of terrorist groups. The Ardit Ferizie case shows that ISIS is using criminal actors and hackers to amass information for kill lists. In that case, the names of former and current military were fed to ISIS for a kill-list exploitation. What that shows you is a hybrid approach of sorts—in which ISIS was outsourcing the hacking effort and then exhorting its followers to go after these named individuals.
CTC: The Islamic State, of course, has nothing like the capability of hackers allegedly sponsored by states like Russia, but the worry presumably is that terrorist groups may develop the capability in the future to disrupt critical infrastructure by getting into computer systems.
Monaco: Indeed. What the Ferizi example shows you is they don’t have to build that capability in-house. They can outsource that. We see state actors doing that, for example, in creating cutouts by using criminal hacking capability to attempt to create deniability. Non-state actors can do the same. CTC
[a] The study categorized “ISIS cases” as individuals charged in federal court with Islamic State-related offenses; individuals accused of violating other statutes that are not inherently associated with terrorism, where the investigation alleges some kind of a link to the Islamic State; and individuals who were killed by law enforcement while attempting an Islamic State-related attack inside the United States. See Karen J. Greenberg (ed.), “The American Exception: Terrorism Prosecutions in the United States: The ISIS Cases March 2014 – August 2017,” Center on National Security at Fordham University Law School, September 2017, p. 5.
[b] In 2014, 33 percent of the Islamic State-related cases involved government informants or undercover agents, with the share increasing to 65 percent in the years since, and 83 percent of the 2017 cases. See Greenberg.
[c] Iran’s Islamic Revolutionary Guard Corps
[d] The Quds Force is the paramilitary arm of the IRGC.
[e] Editor’s note: Ardit Ferizi, a Kosovo citizen arrested in Malaysia, admitted that in June 2015 “he gained system administrator-level access to a server that hosted the website of a U.S. victim company,” which contained “databases with personally identifiable information (PII) belonging to tens of thousands of the victim company’s customers … Ferizi provided the PII belonging to the 1,300 U.S. military members and government personnel to Junaid Hussain, a now-deceased Islamic State recruiter and attack facilitator … on August 11, 2015, in the name of the Islamic State Hacking Division (ISHD), Hussain posted a tweet that contained a document with the PII of the approximately 1,300 U.S. military and other government personnel.” “This case represents the first time we have seen the very real and dangerous national security cyber threat that results from the combination of terrorism and hacking,” Assistant Attorney General John Carlin stated after Ferizi was sentenced to 20 years in prison. “ISIL-Linked Kosovo Hacker Sentenced to 20 Years in Prison,” United States Department of Justice, September 23, 2016.
 Ali Soufan, “Hamza bin Ladin: From Steadfast Son to al-Qa`ida’s Leader in Waiting,” CTC Sentinel 10:8 (2017).
 “Nusra leader: Our mission is to defeat Syrian regime,” Al Jazeera, May 28, 2015; James Novogrod, “Al-Qaeda in Syria: Our Focus Is Assad, Not West,” NBC News, May 27, 2015.
 Ibrahim al Asiri, “The March of Victory and the Defeat of America,” Al-Malahem Media, September 12, 2017.
 Andrew Zammit, “New Developments in the Islamic State’s External Operations: The 2017 Sydney Plane Plot,” CTC Sentinel 10:9 (2017).
 “Foreign Fighter Fallout: A Conversation with Lt. Gen. Michael K. Nagata,” CSIS, April 5, 2017.
 Jennifer Hansler, “DHS shifts focus of funding to counter violent extremism,” CNN, July 4, 2017.
 Michael D. Shear, “New Order Indefinitely Bars Almost All Travel From Seven Countries,” New York Times, September 24, 2017.
 Jamie Crawford, “Former spy chief calls Trump’s travel ban ‘recruiting tool for extremists’,” CNN, February 9, 2017.
 Aaron Brantly, “Banning Encryption to Stop Terrorists: A Worse Than Futile Exercise,” CTC Sentinel 10:7 (2017).
 Ellen Nakashima, “FBI paid professional hackers one-time fee to crack San Bernardino iPhone,” Washington Post, April 12, 2016.
 Paul Cruickshank, “Discarded laptop yields revelations on network behind Brussels, Paris attacks,” CNN, January 25, 2017.
 “Two Men Charged in Alleged Plot to Assassinate Saudi Arabian Ambassador to the United States,” U.S. Department of Justice, October 11, 2011.
 Charlie Savage and Eric Schmitt, “Trump Poised to Drop Some Limits on Drone Strikes and Commando Raids,” New York Times, September 21, 2017.