
Leaderless Activism – Blending the NIST Pillars with Threat Intelligence

Written by Jim B - Physical Security Consultant | Jan 30, 2025 9:56:08 AM

Rupert Soames OBE, speaking on ‘Any Questions’, referred to the Southport attack as “not what I recognise as terrorism, where you get bands of people – like you had under the 2007 bombings, 3 or 4 people working together with an ideology”.[1] 

Modern terrorist tactics have evolved from “bands of people” conducting coordinated attacks as part of planned resistance, such as those that took place in South Africa and Northern Ireland, to the uncoordinated actions of lone perpetrators, often acting after self-indoctrination, which Marc Sageman so accurately described as “leaderless jihad”.[2] The explosion in internet use and communication media in the late 1990s, followed swiftly by the development of the smartphone and publicly available messaging software using encryption standards previously reserved for governments, afforded those wishing to conduct direct action additional anonymity.

The use of direct, and even violent, action by British protest groups has always been a major concern for the British government but, by the mid to late 1960s, the threat was considered so severe that the Metropolitan Police had formed the Special Demonstration Squad to combat the threat of so-called “left-wing action groups”.[3] To counter infiltration by the Police and Security Services, these groups began to use the tactics honed by terrorist organisations.[4]

It is in this environment, previously only inhabited by governments, that the security industry finds itself operating. Worst of all, the cell structure under which groups previously operated has devolved into individual action which is both unpredictable and virtually undetectable.

We are operating in the age of “Leaderless Resistance”.

Particularly popular within climate change groups owing to the operational security it affords, these individual acts of resistance are becoming more commonplace: the distributed effect of unpredictability lessens the opportunity for detection and increases the chance of success.

On 25 January 2025, City of London Police arrested a ‘Shut The System’ activist for attacking cabling[5] providing connectivity to 52 Lime Street, The Scalpel[6], significantly impacting the operations of a variety of large businesses in the area. What is concerning is that imagery shown on the Instagram page[7] of the group claiming responsibility appears to show how easily the activist gained access to subterranean cabling.

Attacks on internet infrastructure have been a theme of hybrid warfare[8], as seen recently as cables in the Baltics are repeatedly severed by anchor-dragging vessels[9]; this form of hybrid attack requires a multi-faceted defence. 

The National Institute of Standards and Technology (NIST) core functions[10] of Identify, Protect, Detect, Respond and Recover are as well suited to physical and people security as they are to cyber security, and provide a perfect framework for a converged solution. The ‘Identify’ function involves conducting the ‘converged security risk assessment’, jointly performed by all stakeholders to identify all interconnected risks.

Identify
  All dimensions (Physical, Cyber / Intelligence, People):
    • Converged risk assessment identifying vulnerabilities, risks, and activities to be undertaken

Protect
  Physical:
    • Armoured cable
    • Physical barriers
    • Protective security
    • Diverse physical routing of cables
  Cyber / Intelligence:
    • Threat intelligence platform
    • Cloud-based networking, storage, and backup
    • Diverse physical routing of cables
  People:
    • Insider threat programme
    • Robust diligence / recruitment processes

Detect
  Physical:
    • Integrity inspections
    • Protective surveillance
    • Behavioural detection
  Cyber / Intelligence:
    • Optical Time-Domain Reflectometer
    • Optical Spectrum Analyzer
    • Visual Fault Locator
  People:
    • Insider threat programme
    • Suspicious activity reporting programme

Respond
  Physical:
    • Reactive security capacity
    • Communication with first responders
    • Crowd management
  Cyber / Intelligence:
    • Redundant network connection
    • UPS / Backup power
    • Alternative communication systems
    • Implement disaster recovery
  People:
    • Robust HR procedures
    • Good incident management
    • Strong PR and media

Recover
  Physical:
    • Reassess protective physical security practices
    • Adapt protective measures
  Cyber / Intelligence:
    • Contact power supplier and/or ISP and return to primary connections
    • Test all services
    • Review disaster recovery procedures and adapt
  People:
    • Full after-action review
    • Debrief to all involved
    • Press conference and incident close

Only by taking each aspect of the NIST core functions and applying them to the physical, cyber, and people security dimensions – and adding an intelligence gathering function – can we be sure to have anticipated the potential activities required for full 360-degree protection of our organisation’s critical assets and infrastructure.


[1] Any Questions, BBC Radio 4 (24 Jan 2025) - https://www.bbc.co.uk/sounds/play/m002752l

[2] Sageman, M (2008), Leaderless Jihad 

[3] Harrison, Brian (2009). Seeking a Role: The United Kingdom 1951–1970 

[4] https://www.csis.org/blogs/examining-extremism/examining-extremism-violent-animal-rights-extremists 

[5] https://www.theguardian.com/uk-news/2025/jan/24/man-arrested-after-climate-activists-cut-uk-insurance-firms-fibre-optic-cables 

[6] https://www.arup.com/projects/52-lime-street/ 

[7] https://www.instagram.com/p/DFDEI0mNNbI/ 

[8] https://www.wilsoncenter.org/article/risky-game-hybrid-attack-baltic-undersea-cables 

[9] https://www.voanews.com/a/finland-discovers-anchor-dragging-track-amid-suspicions-of-russian-subsea-sabotage/7919073.html 

[10] https://www.nist.gov/cyberframework/getting-started/online-learning/five-functions