Assessment | Homeland Hemisphere | High Confidence | Dated

U.S. Law Enforcement Threat Source Assessment

Classification: UNCLASSIFIED//OPEN SOURCE

Handling: Public open-source research. This product is for strategic source assessment and corpus organization only.

Product ID: WI-ASMT-HOMELAND-2026-0003

Prepared UTC: 2026-06-18T00:43:38Z

Information cutoff UTC: 2026-06-18T00:43:38Z

Scope: Assessment of public U.S. law-enforcement source lanes across terrorism, counterintelligence, cybercrime, WMD, transnational criminal organizations, narcotics, firearms, border, maritime, illicit finance, and national-security legal records.

Exclusions: This assessment excludes recommendations, targeting, collection tasking, investigative direction, enforcement guidance, operational planning, surveillance guidance, tactical instructions, exploit steps, route selection, evasion guidance, trafficking methods, procurement advice, domestic political profiling, private-person dossiers, and protected-speech analysis.

Source base: U.S. law-enforcement threat source capture packet; official U.S. intelligence and law-enforcement source register; FBI terrorism, counterintelligence, cyber, and WMD public pages; IC3 2024 Internet Crime Report; DHS, DOJ, DEA, ATF, CBP, Coast Guard, Treasury, State, and NCTC public source families; official threat source tracker; and existing homeland operating picture.

Analytic confidence: High for FBI and IC3 source identity, mission-lane routing, and source-treatment boundaries. Moderate for DHS, DOJ, DEA, ATF, CBP, Coast Guard, Treasury, State, and NCTC page-level currency pending later dated refreshes of each source family.

Bottom Line

The U.S. law-enforcement source lane is now mature enough to support a distinct homeland threat-source assessment. The main corpus change is not a new threat claim; it is the separation of evidence families that are often collapsed in open-source work. Mission pages, complaint statistics, designation records, legal cases, sanctions, border statistics, maritime source streams, and annual assessments each answer different questions and must not be treated as interchangeable proof.

The strongest immediate use is source routing: FBI pages anchor public definitions and mission boundaries for terrorism, counterintelligence, cybercrime, and WMD; IC3 provides a high-value cybercrime complaint data lane; DOJ, Treasury, State, DHS, DEA, ATF, CBP, and Coast Guard sources provide legal, sanctions, designation, border, narcotics, firearms, maritime, and homeland-security layers that require their own dated packets before the archive makes stronger trend judgments.

Key Judgments

  1. FBI public mission pages provide a reliable official frame for terrorism, counterintelligence, cybercrime, and WMD source routing, but they are not by themselves trend reports. Their strongest analytic value is definition, jurisdictional framing, and source-family separation.
  2. IC3 reporting is a core cybercrime evidence lane because it captures public complaint and loss data. It must be labeled as complaint-based reporting, not a full measure of cybercrime prevalence, capability, or attribution.
  3. Domestic threat coverage must remain tied to violence, criminal conduct, and official public definitions. WARLOCK-INDEX should not convert ideology, identity, protest activity, religion, party affiliation, or protected speech into threat categories.
  4. DOJ cases, State designations, Treasury sanctions, and agency assessments are different source classes. Allegations, indictments, convictions, designations, sanctions, complaints, and statistics carry different levels of proof and should not be blended without explicit labels.
  5. Transnational criminal organization, narcotics, firearms, border, and maritime source streams are homeland-coupled strategic lanes. They should be assessed at the level of actors, pressures, source provenance, and public statistics, while excluding route, concealment, enforcement-evasion, patrol, interdiction, and trafficking-method detail.
  6. Law-enforcement sources connect foreign and domestic effects through cybercrime, foreign intelligence activity, terrorism, illicit finance, WMD prevention, narcotics, and organized crime. The connection should be represented as a source architecture and strategic-risk model, not as operational instruction.

Evidence Architecture

| Evidence family | Primary source lane | Best use | Handling rule |
|---|---|---|---|
| Terrorism mission framing | FBI terrorism, NCTC, State CT, DHS, DOJ | Definition, source routing, official public framing | Separate international terrorism, domestic terrorism, FTO status, case records, and assessment language |
| Counterintelligence framing | FBI counterintelligence, DOJ NSD, ODNI, State, Treasury | Foreign intelligence activity, economic espionage, state-linked activity | Avoid classified inference, target development, or private-person dossiers |
| Cybercrime and cyber actors | FBI cyber, IC3, CISA, NSA, DOJ, Treasury, State/RFJ | Complaint statistics, defensive context, legal actions, sanctions, rewards | No exploit steps, malware guidance, scanning guidance, provider vulnerability mapping, or live operational detail |
| WMD and proliferation | FBI WMD, State, Treasury, DTRA, DHS, FSAP, UN/IAEA lanes | Source routing for prevention, nonproliferation, and legal status | No methods, controlled lists, facility tables, synthesis, procurement, or vulnerability detail |
| TCOs and narcotics | DEA, FBI, DHS/HSI, CBP, Coast Guard, Treasury, DOJ | Strategic actor/source-family mapping and public statistics | No trafficking methods, route selection, concealment, or enforcement-evasion detail |
| Firearms and explosives | ATF, DOJ, FBI, Treasury where applicable | Legal/regulatory source routing and public statistics | No procurement, conversion, assembly, evasion, or tactical detail |
| Border and maritime pressure | DHS, CBP, Coast Guard, DEA, Treasury, DOJ | Strategic border/maritime source-family treatment | No live movement, patrol, interdiction, route, or facility-vulnerability detail |
| Legal and status records | DOJ, Treasury, State, Federal Register, courts | Official allegations, convictions, sanctions, designations, and status | Label procedural posture and do not treat legal status as full threat analysis |

Assessment By Lane

Terrorism And Domestic Violence

The FBI terrorism lane remains the safest public anchor for separating international terrorism from domestic terrorism. Its value for the archive is terminological discipline: official public language ties terrorism to violent criminal acts and distinguishes foreign-directed or foreign-inspired activity from domestic influences. WARLOCK-INDEX should keep DVE/DVEs, FTOs, and foreign terrorist networks in separate source lanes and should avoid political-enemy or protected-speech framing.

Counterintelligence And Economic Espionage

The FBI counterintelligence lane supports a strategic category for foreign intelligence activity and economic espionage. The page-level source family is useful for identifying official public concern areas, including cyber-enabled intelligence activity and theft of advanced technologies. It does not support classified inference, targeting, or attribution claims beyond what official public sources state.

Cybercrime And Critical Infrastructure

FBI cyber and IC3 sources should be treated as separate but related lanes. FBI cyber pages establish mission scope and source routing; IC3 reporting provides complaint-based public data. CISA/NSA/FBI advisories, DOJ cases, Treasury sanctions, State reward notices, and allied advisories should be cross-checked in later products, with technical detail summarized defensively and without steps that enable misuse.

TCOs, Border, Narcotics, Firearms, And Maritime Security

The new law-enforcement capture packet places DEA, ATF, CBP, Coast Guard, DHS/HSI, DOJ, Treasury, and State in a common routing frame. This improves the homeland source map, but most of these lanes still need dated page-level or report-level packets before the archive makes stronger judgments about current trends. Until then, the proper use is evidence-family separation and safe cross-linking to TCO, border, maritime, illicit-finance, and legal-status products.

Source Treatment Rules

  1. Use mission pages for definitions and source-family routing, not trend certainty unless the page itself gives dated trend evidence.
  2. Label IC3 and similar statistics as reported complaints or public administrative data, not total prevalence.
  3. Label DOJ records by procedural posture: complaint, indictment, plea, conviction, sentencing, civil forfeiture, or other public legal status.
  4. Label Treasury and State records as sanctions, rewards, designations, or foreign-policy status records, not standalone proof of total threat scope.
  5. Keep domestic threat references tied to violence or criminal conduct in official public sources.
  6. Summarize cyber advisories at defensive strategic level and omit exploit, evasion, malware, scanning, or provider-specific vulnerability detail.
  7. Summarize border, narcotics, firearms, and maritime lanes without routes, concealment techniques, procurement detail, patrol patterns, interdiction detail, or enforcement-evasion guidance.

Follow-On Collection Priorities

| Priority | Product | Reason |
|---|---|---|
| 1 | FBI terrorism, counterintelligence, cyber, and WMD dated refresh packet | Converts mission-page source routing into a dated reference baseline |
| 2 | IC3 cybercrime complaint-data extraction map | Separates complaint volume, reported losses, victim categories, and reporting-bias caveats |
| 3 | DEA, ATF, CBP, Coast Guard, and DHS/HSI TCO source packet | Builds the transnational crime, narcotics, firearms, border, and maritime evidence spine |
| 4 | DOJ national-security and transnational-crime legal-record source packet | Separates case posture from threat assessment and sanctions/designation records |
| 5 | Treasury/State sanctions, designations, and rewards source packet | Connects illicit finance, terrorism, cyber, narcotics, and state-linked networks without blending legal/status categories |

Cross References