Immediately following September 11, 2001, our country was largely unified in the fight against terrorism. As the years have passed and political polarization has spread, that national unity has given way to a more fractured domestic landscape, a rise in domestic attacks and the proliferation of grievance-driven violence.
In addition to Charlie Kirk’s murder yesterday, in just over a year, we’ve seen the ideologically motivated murder of a sitting CEO; Minnesota state lawmakers attacked (one killed) in their homes; Israeli Embassy staff members killed in Washington, D.C.; two assassination attempts against a Presidential candidate; and the tragic murder of office workers in New York City.
What makes these attacks particularly challenging to disrupt, is that they are largely perpetrated by subjects with little to no criminal background and limited online telegraphing (recognizing we still do not know the identity, motive, or online footprint of Kirk’s killer).
This paradigm, whereby aggrieved individuals seek symbolic or ideological targets, isn’t new, it’s the very attack planning cycle we aimed to disrupt during the height of the Global War on Terrorism. But the difficulty of detecting and defeating a single individual, intent on harm, cannot be overstated.
Post 9/11 international terror threats had enormous potential for large scale loss of life, but terrorist organizations also had a comparatively high profile with established infrastructure, helping the intelligence community to penetrate them and disrupt their plans.
Individuals set on violence, on the other hand, are often much less visible and their motives and targets difficult to anticipate. That said, there are lessons from combatting terrorism that now, unfortunately, can all too readily be applied to companies seeking to protect their employees, customers and operations from lone wolf attackers.
Risk can never be fully eliminated, only managed, particularly in a free society, where we are intent to preserve our way of life. Effective risk management, however, entails considering some sobering scenarios, and fighting against optimism bias, the natural tendency to ignore worst case outcomes— or to unconsciously assume they will happen to “someone else.”
Despite a steady increase in grievance-motivated violence, it’s surprising just how many organizations still fail to fully consider an active assailant in their security planning. After developing a realistic list of threats and tactics that may be used, the next step is to consider vulnerabilities. For example, are there measures in place to limit physical access? Detect weapons? Surface credible online threats?
Once threats and vulnerabilities are considered, the last task is to evaluate the impacts and consequences should an adversary successfully exploit a vulnerability Companies are generally adept at measuring and addressing financial risk, but less so when it comes to assessing dynamic security risk. Security risk is a business risk, and it requires the same level of attention, expert advice and planning — particularly ahead of significant or controversial business decisions.
The threat landscape today is complex. Leaders must contend with unpredictable risks, a tense domestic political environment, and a steady drum beat of coded threats in the darker corners of the internet calling for executives to be “Luigi’d.” These converging risks are set against the backdrop of uncertainty around how quickly AI will transform the labor market and disrupt people’s livelihoods and identity.
After 9/11, we were right to build defenses against international terrorism, but the landscape has changed. Now we must fight against grievance motivated attacks with some of the same tenets we used to disrupt organized terrorism: a commitment to vigilance, a focus on public-private collaboration and innovation, and, above all, finding ways to effectively manage risk while living meaningful, engaged lives.
Ben Joelson is a former U.S. Air Force Security Forces & Antiterrorism officer, and the Principal and Head of The Chertoff Group’s Security Risk & Resilience practice.
