Five Country Ministerial 2024 – Declaration Bridging Government Efforts and Elevating Survivors’ Voices

Source: US Department of Homeland Security

Preamble 

We, the Home Affairs, Interior, Security and Immigration Ministers of Australia, Canada, New Zealand, the United Kingdom, and the United States (the ‘Five Countries’), recognize the importance of drawing in the voices and experiences of victims and survivors of child sexual exploitation and abuse, and in particular, their ongoing advocacy efforts petitioning for increased responses from government and industry to eliminate child sexual abuse and resulting material.

We want to acknowledge the important work and advocacy of survivors’ coalitions, such as the Phoenix 11, a consortium of brave victims and survivors from the United States and Canada who have engaged with the Five Countries. Other victims and survivors coalitions are supported by non-governmental organizations. All of these brave victims and survivors continue to engage and call on government, lawmakers and industry to champion the rights of children to be safe online. 

We acknowledge that more work needs to be done to ensure all levers are used to combat this crime, and to that end, the expertise of victims and survivors is key to enabling meaningful, trauma-informed change.  

Commitment 

We, the Ministers of the Five Countries, commit to work more proactively and collaboratively with victims and survivors of child sexual exploitation and abuse and the organisations working to support them, to ensure Five Country efforts to combat this crime type are informed by their lived experiences and expertise. 

The Five Countries will continue to adopt, both individually and collectively, an approach to policy and engagement that is victim-centric and trauma-informed. Our commitment to victims and survivors of child sexual exploitation and abuse rests on the understanding that respect, care and protection, ongoing dialogue, and empowerment are central to this process and will enable victims and survivors to report their abuse and access the support they need to heal from their experiences.

Next Step 

The Five Country Ministerial Tackling Child Sexual Abuse Working Group will engage organizations and advocates in their respective regions in late 2024 to determine the best path forward and identify concrete actions to undertake. 

Five Country Ministerial 2024 – Joint statement on Irregular Migration

Source: US Department of Homeland Security

The Five Countries have a long and proud tradition of welcoming migrants and providing protection to the most vulnerable people across the world. We remain committed to promoting and protecting the human rights of all migrants, including refugees, and will continue to offer protection in line with our international obligations. We will strive to ensure the successful integration into our respective countries and communities of migrants and refugees who have a lawful right to remain. It is our responsibility to ensure that we have the necessary national, regional and international architecture in place to maximise the positive aspects of safe, orderly and regular migration, whilst also addressing global irregular migration. 

Globally, irregular migration and forced displacement have increased in scale. This presents complex challenges that need to be addressed through a well-managed, coordinated, flexible and whole-of-route strategy. We recognise the value of a comprehensive approach which takes into account the diverse and multi-dimensional drivers of irregular movement and forced displacement. These drivers can include conflict and violence, poverty, political instability, crime and corruption, environmental degradation and climate change, or the seeking of family reunification or economic opportunities. 

The Five Countries aim to work together to identify and implement consistent, equitable, and mutually beneficial partnerships that develop and stabilise source countries, improve the capacity of transit countries, and deter individuals from embarking on dangerous or irregular journeys or attempting to misuse our migration systems. 

Further, the Five Countries remain committed to disrupting the activities of bad actors, and taking swift action against those who exploit the vulnerable and who violate, or facilitate the violation of, our respective immigration laws. This includes working to combat attempts to misuse our migration systems, including through visa fraud. We will endeavour to prevent and disrupt people smuggling activities and prosecute the people smuggling groups and facilitators responsible. We will also seek to return, in a fair, safe and orderly manner, those individuals who have no legal basis to remain in our countries, consistent with our domestic and international obligations. 

As partners, the Five Countries acknowledge the existing international migration and protection frameworks and value the activities and partnerships with international organisations across the migration space, including the United Nations High Commissioner for Refugees (UNHCR), the International Organisation for Migration (IOM) and the International Criminal Police Organisation (INTERPOL). We will continue to collaborate with these institutions and leverage existing national, regional and international frameworks to bolster our responses through strengthened institutions, systems and processes. 

The Five Countries encourage pragmatic approaches to establishing migration policies and managing their sovereign borders in defence of national security, and in accordance with our obligations under national and international law. To this end, we affirm our collective responsibility to identify and better understand the evolving challenges of irregular migration. We commit to working together, learning from best practice based on robust evidence and analysis to identify and implement effective and sustainable solutions. Our efforts will include taking bold, flexible approaches and action, where needed. 

The Five Countries agree that it is through committed and focused partnerships that we will deliver results on providing protection to the most vulnerable whilst protecting our borders and maintaining public confidence in our migration and protection systems, in line with our international obligations and commitments. 

Five Country Ministerial 2024 – Joint Communique

Source: US Department of Homeland Security

We, the Home Affairs, Interior, Security and Immigration Ministers of Australia, Canada, New Zealand, the United Kingdom, and the United States (the ‘Five Countries’) remain steadfast in our commitment to uphold and promote shared liberal democratic values, and in working collaboratively to protect our citizens, communities, and governments from evolving national security threats in an increasingly contested world. Throughout 2024, the Five Countries have collaborated and advanced efforts on a range of issues relevant to our collective national security thematic areas of interest, specifically in consideration of the following issues: 

National Security Risks of Artificial Intelligence (AI) 

The Five Countries recognise the enormous opportunities presented by critical and emerging technologies – such as Artificial Intelligence (AI) – in creating new jobs, improving productivity, and aiding in cyber defence. However, the rapid development and deployment of AI risks creating novel security vulnerabilities (including both to and from AI systems) and providing a platform for malign actors to increase the speed and scale of malicious activities. We are particularly concerned by the use of AI to facilitate the creation and distribution of mis/disinformation, malware, terrorist and violent extremist content, non-consensual deep fake pornography, and child sexual abuse material (CSAM). We continue to share information on how our governments are establishing frameworks to best manage the risks associated with AI, while still taking advantage of the benefits, and remain committed to working together to ensure our shared values shape international standards and governance for AI. 

We acknowledge that deeper cooperation among the Five Countries will support the safe, secure, and trustworthy deployment and use of these technologies in a way that minimises the risks and maximises opportunities in a national security context. The Five Countries remain committed to continuing to align our work in achieving this goal. 

Countering Foreign Interference 

With more people than ever voting in elections around the world in 2024, the Five Countries recognise the need for resilient and transparent democratic institutions to mitigate evolving threats to democratic processes. Such threats, including the proliferation of state-sponsored disinformation through increased use of emerging technologies, pose a significant challenge to upholding our democratic values. 

We are resolute in our commitment to ensuring that communities are free from transnational repression, and recognise the continued need for collaboration, information sharing and taking action to protect our communities, businesses, and citizens. It is unacceptable for any foreign government to target members of our communities to prevent individuals from exercising their fundamental rights and freedoms in the Five Countries. 

Finally, the Five Countries recognise the need to mitigate the threat posed by foreign interference and espionage within our research ecosystems. The Five Countries remain committed to exchanging best practices and threat information on research security, including how foreign entities of concern may be attempting to adapt to and bypass safeguards, to improve the resilience of those ecosystems. 

Cyber Security 

The increase in malicious and sophisticated cyber security threats is impacting the daily lives of citizens, businesses and governments across the Five Countries. We emphasise the need to target the enablers that make up the cybercrime business model, who are providing the illicit products, goods and services that make it easier to commit cybercrime. Malicious cyber activity against critical infrastructure by both state and non-state malicious cyber actors poses some of the greatest threats to our Five Countries and we are committed to jointly disrupting these operations and securing our most important networks.

We note the importance of fraud in the cyber security context and are particularly concerned about online scam centres that target vulnerable individuals globally; are involved in human trafficking for forced criminality to support their operations; or feed into a highly profitable criminal enterprise that undermines our cyber security. We reaffirm our support to the commitments made at the Global Fraud Summit. A key outcome from the Summit was to maintain strong engagement with industry, and the Five Countries agree to progress further efforts in this space to tackle the fraud threat and better protect our citizens. 

We recognise the broader role of continued public-private collaboration in mitigating cyber security and data threats for our citizens, businesses and nations. To further deepen our relationship with industry, the Five Countries commit to share lessons learned from respective domestic efforts in securing data to ensure trusted and secure cross-border data flows and enhance the resilience of our data. 

We recognise the value of coming together as the Five Countries to enhance strategic engagement on priority cybercrime threats, particularly through the international Counter Ransomware Initiative (CRI). The Five Countries will actively support the CRI and will engage in wider fora to advance our shared aims through international cooperation and build cross-border resilience to collectively disrupt malicious cyber actors. 

Domestic Security 

In response to recent events in the Middle East, the Five Countries have regularly drawn on the FCM to discuss the conflict and broader security situation, as well as associated domestic security challenges. This includes recognising the effects of this conflict on impacted communities, exploring the associated impacts in polarising and radicalising community attitudes, and understanding the threats posed by the spread of extremist content and disinformation. 

We remain very concerned about the rise of terrorist and violent extremist content online and its impact, particularly on young people, and we recognise the importance of continued engagement with industry to mitigate this issue. 

As members of the Global Internet Forum to Counter Terrorism (GIFCT) Independent Advisory Committee, we call on the organisation to strengthen its efforts to address terrorist and violent extremist content, including when it arises in the context of a prolonged conflict. We stress the importance of expanding GIFCT membership to include a broader range of technology companies, as well as in helping smaller platforms to identify and address terrorist and violent extremist content. In parallel, we continue to support the implementation of the Christchurch Call commitments and welcome the launch of the Christchurch Call Foundation. 

We commit to addressing the complexity of youth radicalisation, as well as the need to better understand the risks of personalised ideological motivations. We acknowledge that unique pathways and factors can make at-risk individuals susceptible to radicalisation, including violent extremism. We will continue to share information on effective approaches to prevention, such as intervention approaches to support diversion efforts; and are committed to working together to conduct a diagnosis of how violent extremist actors leverage technology to encourage at-risk individuals to violence. 

Lawful Access 

The Five Countries will continue working together to maintain tightly-controlled lawful access to communications content that is vital to the investigation and prosecution of serious crimes including terrorism and child abuse. We will work in partnership with technology companies to do this, protecting the safety of our citizens. 

Child Sexual Exploitation and Abuse (CSEA) 

The Five Countries note the significant role of emerging technologies, including AI, in the proliferation of child sexual exploitation and abuse material. We reiterate our collective commitment to exercising all levers available to tackle this crime type and keep children safe in all settings. 

We recognise the need to work collaboratively across the whole sector, noting the specific knowledge and role of industry and academia, and the expertise of victims, survivors and their families to ensure our efforts to combat child sexual exploitation and abuse are holistic, evidence-based, and promote technological innovation. In this spirit, we jointly endorsed the “Bridging Government Efforts and Elevating Survivors’ Voices” statement (Annex I). 

We also recognise the continued importance of the Voluntary Principles to Counter Online Sexual Exploitation and Abuse and – noting that the landscape has changed significantly since their launch five years ago – commit to further engagement with signatories to seek updates on efforts to uphold the principles as outlined. 

While there has been progress through voluntary action to date, the Five Countries urgently call on tech companies to continue to drive innovation to keep children safe online on their platforms and to adhere to legal requirements in each of our jurisdictions. We remain committed to working with industry to explore holistic efforts and supporting innovation in tackling child sexual exploitation and abuse, including responding to the proliferation of AI-generated child sexual exploitation and abuse content. 

Migration  

The Five Countries recognise the extensive pressures on our border management, migration and protection systems that are being exacerbated by significant volumes of global migration and displacement seen across the world. 

We acknowledge that there are a multitude of drivers for irregular migration and forced displacement, and we recognise the importance of taking a whole-of-route approach in response to mixed migrant flows. The Five Countries will continue to explore opportunities to work together to combat organised crime groups that are facilitating and profiting from human smuggling. 

The Five Countries also recognise the opportunities presented by the rise in global migration and mobility, and note the benefits of safe and regular migration pathways. At the same time, we remain committed to enforcing our immigration laws and delivering consequences for those individuals who have no right to remain in our respective countries. We encourage the use of innovative policy levers to maintain well-managed regular pathways in light of increasing demand on our migration systems. We are committed to deepening our collaboration to enhance the integrity of our migration and border systems by leveraging emerging technology and examining additional efforts to address fraud and stop bad actors from exploiting our regular pathways. 

The Five Countries remain steadfast in our commitment to promoting and protecting the human rights of all migrants, refugees, and asylum-seekers in accordance with our international obligations, whilst endorsing pragmatic approaches of countries to establish policies in their own national interest and national security. 

Closing 

The FCM remains the preeminent Ministerial-level forum for the Five Countries to engage and exchange information on shared national security issues and implement new initiatives to respond to various areas of concern. Our efforts to collaborate and exchange best practice in responding to evolving threats continue to grow and we look forward to further deepening these efforts in the coming year ahead.

DHS Conducts Removal Flight to the People’s Republic of China

Source: US Department of Homeland Security

WASHINGTON – On October 15, the U.S. Department of Homeland Security (DHS), through U.S. Immigration and Customs Enforcement (ICE), conducted its second charter removal flight to the People’s Republic of China (PRC) of Chinese nationals this year.  The first large charter removal flight since 2018 was conducted in June in close coordination with the PRC’s National Immigration Administration. This week’s flight demonstrates the Department’s continued commitment to pursuing sustained cooperation with the PRC and other international partners to reduce and deter irregular migration.  

DHS continues to enforce U.S. immigration laws and deliver tough consequences for those who enter unlawfully. This includes swiftly returning those without a legal basis to remain in the United States, while encouraging the use of lawful pathways. On June 4, President Biden issued a Proclamation to temporarily suspend the entry of certain noncitizens across the southern border. As a result, since June 4 the Border Patrol’s encounters have decreased more than 55%, and DHS has operated more than 398 international repatriation flights through the end of August to more than 140 countries—including the PRC. 

“Intending migrants should not believe the lies of smugglers – Chinese nationals without a legal basis to remain in the United States are subject to swift removal,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The Department of Homeland Security will continue to strengthen consequences for individuals unlawfully entering our country and enforce our nation’s laws.”

DHS regularly engages counterparts throughout the hemisphere and around the world to accept repatriations of nationals without a legal basis to remain in the United States and takes other steps to reduce irregular migration; promote safe, lawful, and orderly pathways; and hold transnational criminal networks accountable for abusing our lawful trade and travel systems, and the smuggling and exploitation of vulnerable people. Over the last year, DHS has removed individuals to a range of countries around the world, including Colombia, Ecuador, Peru, Egypt, Mauritania, Senegal, Uzbekistan, India, and the PRC. As a result of these efforts, DHS removed or returned more individuals in FY2024 than any year since FY2010. Efforts to expand removal flights continue.

DHS Offers Protections for Lebanese Nationals Currently in the United States

Source: US Department of Homeland Security

Certain Lebanese nationals will be eligible for DED and TPS, allowing them to work and temporarily remain in the United States

WASHINGTON – The U.S. Department of Homeland Security (DHS) is announcing new actions to provide temporary immigration reprieve to eligible Lebanese nationals currently in the United States and allowing them the opportunity to request work authorization. Included in today’s announcement are details related to the Deferred Enforced Departure (DED) for Lebanese nationals as previously announced in July, and a planned new Temporary Protected Status (TPS) designation for Lebanon.

After consultation with interagency partners, Secretary Mayorkas is announcing a new TPS designation for Lebanon for 18 months due to ongoing armed conflict and extraordinary and temporary conditions in Lebanon that prevent nationals of Lebanon from returning in safety. Those approved for TPS will be able to remain in the country while the United States is in discussions to achieve a diplomatic resolution for lasting stability and security across the Israel-Lebanon border. The designation of Lebanon for TPS will allow Lebanese nationals (and individuals having no nationality who last habitually resided in Lebanon) who have been continuously residing in the United States since October 16, 2024 to file initial applications for TPS, if they are otherwise eligible. Lebanese nationals who entered the United States after October 16, 2024 will not be eligible for TPS. More information about TPS, including how to apply for employment authorization, will be included in a forthcoming Federal Register Notice which DHS intends to publish in the next few weeks. Individuals should not apply for TPS under this designation until this Federal Register Notice publishes.

Today, U.S. Citizenship and Immigration Services (USCIS) also posted a Federal Register Notice establishing procedures for those Lebanese nationals covered by President Biden’s July 26, 2024 grant of Deferred Enforced Departure to apply for Employment Authorization Documents (EADs) that will be valid through January 25, 2026. As described in the Federal Register Notice, eligible Lebanese nationals can apply for an EAD by filing Form I-765, Application for Employment Authorization. USCIS adjudicates each EAD application on a case-by-case basis to determine if an applicant meets all standards and eligibility criteria. More information about DED-based EADs is available on the USCIS website.

DHS is also publishing a Special Student Relief Notice for F-1 nonimmigrant students whose country of citizenship is Lebanon, or individuals having no nationality who last habitually resided in Lebanon, so that eligible students may request employment authorization, work an increased number of hours while school is in session, and reduce their course load while continuing to maintain F-1 status through the DED designation period.

In total, approximately 11,000 Lebanese nationals will likely be eligible for DED and TPS pursuant to these actions. There are also approximately 1,740 F-1 nonimmigrant students from Lebanon in the United States who may be eligible for Special Student Relief. 

Statement from Secretary Alejandro N. Mayorkas on the Independent Review Panel Report of the July 13, 2024 Assassination Attempt in Butler, Pennsylvania

Source: US Department of Homeland Security

WASHINGTON – Secretary of Homeland Security Alejandro N. Mayorkas issued the following statement on the Independent Review Panel report released today regarding the July 13, 2024 assassination attempt against former President Trump in Butler, Pennsylvania.

“We are grateful to the members of the bipartisan Independent Review Panel and their staff for their in-depth examination of the security failures that led to the July 13, 2024 assassination attempt on the former President and the loss of life and casualties suffered.  The members of the Independent Review Panel are highly accomplished individuals with extensive security and law enforcement backgrounds, and the U.S. Secret Service’s protection mission will benefit greatly from their recommendations.

“I have reviewed the Independent Review Panel’s report and have met with the Panel members. We will fully consider the Panel’s recommendations and are taking the actions needed to advance the Secret Service’s protection mission.  These actions will be responsive not only to the security failures that led to the July 13, 2024 assassination attempt, but, importantly, to what the Independent Review Panel describes as systemic and foundational issues that underlie those failures.  I commend Acting Director Rowe for his leadership and for proactively undertaking security enhancements, including those informed by the Secret Service’s internal Mission Assurance Review.

“I have the utmost confidence in the men and women of the United States Secret Service.  We are operating in a heightened and dynamic threat environment, and it is their talent, unwavering dedication, and tireless service that ensures the safety and security of their protectees and our nation.”

Following the events of July 13 President Joe Biden directed DHS to conduct an independent security review. On July 21, 2024 Secretary Mayorkas named a bipartisan panel with extensive law enforcement and security experience to conduct a 45-day independent review. The independent review panel of experts from outside of government was comprised of former DHS Secretary Janet Napolitano; the Hon. Mark Filip, a former federal judge and Deputy Attorney General to President George W. Bush; Ms. Frances Townsend, former Homeland Security Advisor to President George W. Bush; and Chief David Mitchell, the former superintendent of Maryland State Police and former Secretary of the Department of Public Safety and Homeland Security for the State of Delaware.

CISA and FBI Release Product Security Bad Practices for Public Comment

Source: US Department of Homeland Security

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released the Product Security Bad Practices for public comment today. This catalog outlines practices that are deemed exceptionally risky and provides recommendations for software manufacturers to mitigate these risks. It urges software manufacturers to avoid these bad practices, especially those who produce software used in service of critical infrastructure or national critical functions (NCFs). Members of the public may submit public comment on this guidance starting today.

The National Cybersecurity Strategy calls for a fundamental shift to rebalance the responsibility to defend cyber space onto those best positioned to bear it; namely, the software manufacturers who build products underpinning our collective digital infrastructure. Fully realizing this shift requires an understanding of the most egregious software development practices that software manufacturers must avoid. This catalog enumerates such practices.

“It’s 2024, and basic, preventable software defects continue to enable crippling attacks against hospitals, schools, and other critical infrastructure. This has to stop. These product security bad practices pose unacceptable risks in this day and age, and yet are all too common,” said CISA Director Jen Easterly. “We hope that by following this clear-cut, voluntary guidance, software manufacturers can lead by example in taking ownership of their customers’ security outcomes and fostering a secure by design future. Please provide input and let us know how we can improve this list of bad practices.”

“Our National Cybersecurity Strategy highlights the importance of securing our nation’s critical infrastructure and shoring up our cyber defenses,” said White House National Cyber Director Harry Coker Jr. “The impact of product security bad practices has wide-ranging consequences across our nation and is often felt by the American people. Our private sector partners must shoulder their responsibility and build secure products and I’m glad to see this document as another tool to help software manufacturers do just that. We need to work together to prioritize best practices to better protect our nation.”

“Bad practices in software development, especially when that software will be used by critical infrastructure, put both customers and our national security at risk,” said Assistant Director of the FBI’s Cyber Division Bryan Vorndran. “The FBI urges software manufacturers to avoid the risky practices described in this guidance, which lead to vulnerabilities that malicious actors routinely exploit.”

These product security bad practices represent the next major step in CISA and partners’ global Secure by Design initiative, which has joined forces with 18 U.S. and international agencies to publish guidance and catalyzed commitments from over 220 software manufacturers to CISA’s Secure by Design Pledge. The bad practices build on practices laid out in the pledge and other guidance including NIST’s Secure Software Development Framework. This catalog will be a central guiding document in CISA’s Secure by Design initiative going forward, playing a key role informing future guidance and actions.

This joint guidance lists the bad practices in three categories:

  • Product properties, which describe observable, security-related qualities of a software product.
  • Security features, which describe the security functionalities that a product supports.
  • Organizational processes and policies, which describe the actions taken by a software manufacturer to ensure strong transparency in its approach to security.

CISA selected the bad practices based on the threat landscape as representing the most dangerous and pressing items that software manufacturers should avoid.

The public comment period concludes on Monday, December 2, 2024. During the comment period, members of the public can provide comments and feedback via the Federal Register at Request for Comment on Product Security Bad Practices Guidance. Following the public comment period, CISA will issue a revised version of the bad practices.

To learn more about the Secure by Design initiative, visit Secure by Design on CISA.gov.

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations

Source: US Department of Homeland Security

Summary

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint Cybersecurity Advisory to warn network defenders of Iranian cyber actors’ use of brute force and other techniques to compromise organizations across multiple critical infrastructure sectors, including the healthcare and public health (HPH), government, information technology, engineering, and energy sectors. The actors likely aim to obtain credentials and information describing the victim’s network that can then be sold to enable access to cybercriminals.

Since October 2023, Iranian actors have used brute force, such as password spraying, and multifactor authentication (MFA) ‘push bombing’ to compromise user accounts and obtain access to organizations. The actors frequently modified MFA registrations, enabling persistent access. The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access. The authoring agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity.

This advisory provides the actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). The information is derived from FBI engagements with entities impacted by this malicious activity.

The authoring agencies recommend critical infrastructure organizations follow the guidance provided in the Mitigations section. At a minimum, organizations should ensure all accounts use strong passwords and register a second form of authentication.

Technical Details

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section in Appendix A for a table of the actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Overview of Activity

The actors likely conduct reconnaissance operations to gather victim identity [T1589] information. Once obtained, the actors gain persistent access to victim networks frequently via brute force [T1110]. After gaining access, the actors use a variety of techniques to further gather credentials, escalate privileges, and gain information about the entity’s systems and network. The actors also move laterally and download information that could assist other actors with access and exploitation.

Initial Access and Persistence

The actors use valid user and group email accounts [T1078], frequently obtained via brute force such as password spraying [T1110.003], although other times via unknown methods, to obtain initial access to Microsoft 365, Azure [T1078.004], and Citrix systems [T1133]. In some cases where push notification-based MFA was enabled, the actors send MFA requests to legitimate users seeking acceptance of the request. This technique, bombarding users with mobile phone push notifications until the user either approves the request by accident or stops the notifications, is known as “MFA fatigue” or “push bombing” [T1621].

Once the threat actors gain access to an account, they frequently register their devices with MFA to protect their access to the environment via the valid account:

  • In two confirmed compromises, the actors leveraged a compromised user’s open registration for MFA [T1556.006] to register the actor’s own device [T1098.005] to access the environment.
  • In another confirmed compromise, the actors used a self-service password reset (SSPR) tool associated with a public facing Active Directory Federation Service (ADFS) to reset the accounts with expired passwords [T1484.002] and then registered MFA through Okta for compromised accounts without MFA already enabled [T1556] [T1556.006].
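
The sequence described above (a burst of push prompts, an approval, then a new MFA device) can be correlated in identity-provider logs. The following is an added example, not code from the advisory; the event names, field layout, thresholds and sample records are assumptions made for illustration and do not follow any vendor's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider events: (UTC time, user, event kind, device).
# Event kinds and layout are assumptions for this example, not a vendor schema.
LOG = [
    ("2024-01-10T02:00:00", "dana", "push_sent", None),
    ("2024-01-10T02:01:00", "dana", "push_sent", None),
    ("2024-01-10T02:01:10", "dana", "push_denied", None),
    ("2024-01-10T02:02:00", "dana", "push_sent", None),
    ("2024-01-10T02:03:00", "dana", "push_sent", None),
    ("2024-01-10T02:04:00", "dana", "push_sent", None),
    ("2024-01-10T02:05:00", "dana", "push_sent", None),
    ("2024-01-10T02:05:30", "dana", "push_approved", None),
    ("2024-01-10T02:20:00", "dana", "mfa_device_registered", "android-unknown-1"),
    ("2024-01-10T08:00:00", "eli", "push_sent", None),
    ("2024-01-10T08:00:10", "eli", "push_approved", None),
    ("2024-01-10T08:05:00", "eli", "mfa_device_registered", "eli-phone"),
    ("2024-01-10T11:00:00", "fay", "mfa_device_registered", "android-unknown-2"),
    ("2024-01-10T09:00:00", "gus", "push_sent", None),
    ("2024-01-10T10:00:00", "gus", "push_sent", None),
    ("2024-01-10T11:00:00", "gus", "push_sent", None),
    ("2024-01-10T12:00:00", "gus", "push_sent", None),
    ("2024-01-10T13:00:00", "gus", "push_sent", None),
    ("2024-01-10T13:00:20", "gus", "push_approved", None),
    ("2024-01-10T13:30:00", "gus", "mfa_device_registered", "android-unknown-3"),
]

# Devices already enrolled per user (constructed inventory).
KNOWN_DEVICES = {"dana": {"dana-phone"}, "eli": {"eli-phone"},
                 "fay": {"fay-phone"}, "gus": {"gus-phone"}}


def mfa_registration_findings(log, known_devices, min_prompts=5,
                              burst=timedelta(minutes=15),
                              follow=timedelta(hours=24)):
    """Report registrations of unfamiliar MFA devices.

    severity "high":   the registration follows an approval that ended a burst
                       of at least `min_prompts` prompts within `burst`.
    severity "review": unfamiliar device with no preceding prompt burst.
    """
    by_user = defaultdict(list)
    for ts, user, kind, device in log:
        by_user[user].append((datetime.fromisoformat(ts), kind, device))

    findings = []
    for user in sorted(by_user):
        prompts, fatigue_at, fatigue_size = [], None, 0
        for ts, kind, device in sorted(by_user[user], key=lambda e: e[0]):
            if kind == "push_sent":
                prompts.append(ts)
            elif kind == "push_approved":
                # Count only the prompts that fall inside the burst window.
                recent = [t for t in prompts if ts - t <= burst]
                if len(recent) >= min_prompts:
                    fatigue_at, fatigue_size = ts, len(recent)
                prompts = []
            elif kind == "mfa_device_registered":
                if device in known_devices.get(user, set()):
                    continue  # re-enrolment of a device already on record
                after_burst = (fatigue_at is not None
                               and ts - fatigue_at <= follow)
                findings.append({
                    "user": user,
                    "device": device,
                    "severity": "high" if after_burst else "review",
                    "prompts_before_approval": fatigue_size if after_burst else 0,
                })
    return findings


if __name__ == "__main__":
    for finding in mfa_registration_findings(LOG, KNOWN_DEVICES):
        print(finding)
```
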

The actors frequently conduct their activity using a virtual private network (VPN) service [T1572]. Several of the IP addresses in the actors’ malicious activity originate from exit nodes tied to the Private Internet Access VPN service.

Lateral Movement

The actors use Remote Desktop Protocol (RDP) for lateral movement [T1021.001]. In one instance, the actors used Microsoft Word to open PowerShell to launch the RDP binary mstsc.exe [T1202].

Credential Access

The actors likely use open-source tools and methodologies to gather more credentials. The actors performed Kerberos Service Principal Name (SPN) enumeration of several service accounts and received Kerberos tickets [T1558.003]. In one instance, the actors used the Active Directory (AD) Microsoft Graph Application Program Interface (API) PowerShell application likely to perform a directory dump of all AD accounts. Also, the actors imported the tool [T1105] DomainPasswordSpray.ps1, which is openly available on GitHub [T1588.002], likely to conduct password spraying. The actors also used the command Cmdkey /list, likely to display usernames and credentials [T1555].

Privilege Escalation

In one instance, the actors attempted impersonation of the domain controller, likely by exploiting Microsoft’s Netlogon (also known as “Zerologon”) privilege escalation vulnerability (CVE-2020-1472) [T1068].

Discovery

The actors leverage living off the land (LOTL) to gain knowledge about the target systems and internal networks. The actors used the following Windows command-line tools to gather information about domain controllers [T1018], trusted domains [T1482], lists of domain administrators, and enterprise administrators [T1087.002] [T1069.002] [T1069.003]:

  • Nltest /dclist
  • Nltest /domain_trusts
  • Nltest /domain_trusts/all_trusts
  • Net group “Enterprise admins” /domain
  • Net group “Domain admins” /domain

Next, the actors used the following Lightweight Directory Access Protocol (LDAP) query in PowerShell [T1059.001] to search the AD for computer display names, operating systems, descriptions, and distinguished names [T1082].

    $i=0
    $D= [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $L='LDAP://' . $D
    $D = [ADSI]$L
    $Date = $((Get-Date).AddDays(-90).ToFileTime())
    $str = '(&(objectcategory=computer)(operatingSystem=*serv*)(|(lastlogon>='+$Date+')(lastlogontimestamp>='+$Date+')))'
    $s = [adsisearcher]$str
    $s.searchRoot = $L.$D.distinguishedName
    $s.PropertiesToLoad.Add('cn') > $Null
    $s.PropertiesToLoad.Add('operatingsystem') > $Null
    $s.PropertiesToLoad.Add('description') > $Null
    $s.PropertiesToLoad.Add('distinguishedName') > $Null
    Foreach ($CA in $s.FindAll()) {
        Write-Host $CA.Properties.Item('cn')
        $CA.Properties.Item('operatingsystem')
        $CA. Properties.Item('description')
        $CA.Properties.Item('distinguishedName')
        $i++
    }
    Write-host Total servers: $i
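
Each of the discovery and credential commands named in this advisory is also used by administrators, so a defender gets more signal from their combination than from any single one. The following added example (not code from the advisory) scans process-creation events for several of those command types run by one user on one host within a short window, and for the Word to PowerShell to mstsc.exe chain described under Lateral Movement. The event layout, host and user names, thresholds and sample records are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

# Command types taken from the advisory text; the regexes are this example's own.
PATTERNS = {
    "dc_list": re.compile(r'\bnltest(\.exe)?\b.*?/dclist', re.I),
    "domain_trusts": re.compile(r'\bnltest(\.exe)?\b.*?/domain_trusts', re.I),
    "admin_groups": re.compile(
        r'\bnet1?(\.exe)?\s+group\s+"?(enterprise|domain) admins"?\s+/domain', re.I),
    "stored_creds": re.compile(r'\bcmdkey(\.exe)?\s+/list', re.I),
}

# Constructed events: (UTC time, host, user, pid, parent pid, image, command line).
W = r"C:\Windows\System32"
EVENTS = [
    ("2024-01-10T10:00:00", "WS-014", "jdoe", 4100, 1200,
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE"),
    ("2024-01-10T10:00:30", "WS-014", "jdoe", 4200, 4100,
     W + r"\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ("2024-01-10T10:01:00", "WS-014", "jdoe", 4300, 4200,
     W + r"\nltest.exe", "nltest /dclist:corp.example"),
    ("2024-01-10T10:02:00", "WS-014", "jdoe", 4400, 4200,
     W + r"\nltest.exe", "nltest /domain_trusts /all_trusts"),
    ("2024-01-10T10:03:00", "WS-014", "jdoe", 4500, 4200,
     W + r"\net.exe", "net group “Domain admins” /domain"),
    ("2024-01-10T10:04:00", "WS-014", "jdoe", 4600, 4200,
     W + r"\cmdkey.exe", "cmdkey /list"),
    ("2024-01-10T10:06:00", "WS-014", "jdoe", 4700, 4200,
     W + r"\mstsc.exe", "mstsc.exe /v:srv-db01"),
    # Routine administration: one matching command, RDP started from the shell.
    ("2024-01-10T09:00:00", "ADMIN-01", "itadmin", 900, 800,
     W + r"\nltest.exe", "nltest /dclist:corp.example"),
    ("2024-01-10T09:10:00", "ADMIN-01", "itadmin", 910, 700,
     W + r"\mstsc.exe", "mstsc.exe /v:srv-app02"),
]


def classify(cmd):
    """Return the set of discovery command types a command line matches."""
    cmd = cmd.replace("“", '"').replace("”", '"')  # normalise curly quotes
    return {name for name, rx in PATTERNS.items() if rx.search(cmd)}


def discovery_bursts(events, window=timedelta(minutes=10), min_kinds=3):
    """Map (host, user) to the command types seen together inside `window`."""
    tagged = defaultdict(list)
    for ts, host, user, _pid, _ppid, _image, cmd in events:
        for kind in classify(cmd):
            tagged[(host, user)].append((datetime.fromisoformat(ts), kind))
    findings = {}
    for key, hits in tagged.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            kinds = {k for t, k in hits[i:] if t - start <= window}
            if len(kinds) >= min_kinds:
                findings[key] = sorted(kinds)
                break
    return findings


def office_to_rdp(events):
    """Find mstsc.exe whose parent is PowerShell and grandparent is Word.

    PIDs are assumed unique per host within the sample; real telemetry should
    link processes by a stable process identifier instead.
    """
    procs = {(host, pid): (basename(image).lower(), ppid)
             for _ts, host, _user, pid, ppid, image, _cmd in events}
    chains = []
    for _ts, host, user, _pid, ppid, image, cmd in events:
        if basename(image).lower() != "mstsc.exe":
            continue
        parent = procs.get((host, ppid), ("", None))
        grandparent = procs.get((host, parent[1]), ("", None))
        if parent[0] in ("powershell.exe", "pwsh.exe") and grandparent[0] == "winword.exe":
            chains.append((host, user, cmd))
    return chains


if __name__ == "__main__":
    print(discovery_bursts(EVENTS))
    print(office_to_rdp(EVENTS))
```
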

Command and Control

On one occasion, using msedge.exe, the actors likely made outbound connections to Cobalt Strike Beacon command and control (C2) infrastructure [T1071.001].

Exfiltration and Collection

In a couple instances, while logged in to victim accounts, the actors downloaded files related to gaining remote access to the organization and to the organization’s inventory [T1005], likely exfiltrating the files to further persist in the victim network or to sell the information online.

Detection

To detect brute force activity, the authoring agencies recommend reviewing authentication logs for system and application login failures of valid accounts and looking for multiple, failed authentication attempts across all accounts.

To detect the use of compromised credentials in combination with virtual infrastructure, the authoring agencies recommend the following steps:

  • Look for “impossible logins,” such as suspicious logins with changing usernames, user agent strings, and IP address combinations or logins where IP addresses do not align to the user’s expected geographic location.
  • Look for one IP used for multiple accounts, excluding expected logins.
  • Look for “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses with significant geographic distance (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the period between the logins). Note: Implementing this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting into networks.
  • Look for MFA registrations in unexpected locales or from unfamiliar devices.
  • Look for processes and program execution command-line arguments that may indicate credential dumping, especially attempts to access or copy the ntds.dit file from a domain controller.
  • Look for suspicious privileged account use after resetting passwords or applying user account mitigations.
  • Look for unusual activity in typically dormant accounts.
  • Look for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity.
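
Three of the checks above (failed authentications spread across many accounts, one IP used for multiple accounts, and impossible travel) are shown here as an added example run over sign-in records; it is not code from the advisory. The record layout, thresholds, account names and sample data are constructed assumptions, the IP addresses are documentation ranges, and the coordinates stand in for a GeoIP lookup.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

Event = namedtuple("Event", "ts user ip ok lat lon")

# Constructed sign-in records: (UTC time, user, source IP, success, lat, lon).
SIGNINS = [
    ("2024-01-10T07:30:00", "frank", "198.51.100.20", True, 40.71, -74.01),
    ("2024-01-10T07:55:00", "bob", "198.51.100.20", False, 40.71, -74.01),
    ("2024-01-10T07:55:20", "bob", "198.51.100.20", False, 40.71, -74.01),
    ("2024-01-10T07:55:40", "bob", "198.51.100.20", True, 40.71, -74.01),
    ("2024-01-10T08:00:05", "alice", "203.0.113.7", False, 52.37, 4.90),
    ("2024-01-10T08:01:10", "bob", "203.0.113.7", False, 52.37, 4.90),
    ("2024-01-10T08:02:15", "carol", "203.0.113.7", False, 52.37, 4.90),
    ("2024-01-10T08:03:20", "dave", "203.0.113.7", False, 52.37, 4.90),
    ("2024-01-10T08:04:25", "erin", "203.0.113.7", False, 52.37, 4.90),
    ("2024-01-10T08:05:30", "frank", "203.0.113.7", False, 52.37, 4.90),
    ("2024-01-10T08:09:00", "frank", "203.0.113.7", True, 52.37, 4.90),
    ("2024-01-10T09:00:00", "carol", "198.51.100.20", True, 40.71, -74.01),
    ("2024-01-10T10:00:00", "carol", "198.51.100.33", True, 40.73, -73.99),
]
EVENTS = [Event(datetime.fromisoformat(t), u, ip, ok, lat, lon)
          for t, u, ip, ok, lat, lon in SIGNINS]


def spray_sources(events, window=timedelta(minutes=30), min_accounts=5,
                  max_per_account=3, expected_ips=frozenset()):
    """Source IPs that failed against many accounts with few tries per account.

    `expected_ips` excludes addresses where many users legitimately share one
    IP, such as an office egress address.
    """
    by_ip = defaultdict(list)
    for e in events:
        if not e.ok and e.ip not in expected_ips:
            by_ip[e.ip].append(e)
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e.user] += 1
            spray_like = (len(per_user) >= min_accounts
                          and max(per_user.values()) <= max_per_account)
            if spray_like and len(per_user) > len(hits.get(ip, [])):
                hits[ip] = sorted(per_user)
    return hits


def successes_from(events, ips):
    """Accounts that later authenticated successfully from the given IPs."""
    return sorted({e.user for e in events if e.ok and e.ip in ips})


def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def impossible_travel(events, max_kmh=900, min_km=500, trusted_ips=frozenset()):
    """Consecutive successful logins too far apart for the elapsed time.

    `trusted_ips` lists sanctioned VPN egress addresses, the false-positive
    source the advisory notes for this check.
    """
    by_user = defaultdict(list)
    for e in events:
        if e.ok and e.ip not in trusted_ips:
            by_user[e.user].append(e)
    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e.ts)
        for prev, cur in zip(logins, logins[1:]):
            km = km_between(prev, cur)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            too_fast = hours == 0 or km / hours > max_kmh
            if prev.ip != cur.ip and km >= min_km and too_fast:
                findings.append((user, prev.ip, cur.ip, round(km)))
    return findings


if __name__ == "__main__":
    sources = spray_sources(EVENTS)
    print("spray sources:", sources)
    print("accounts then accessed:", successes_from(EVENTS, sources))
    print("impossible travel:", impossible_travel(EVENTS))
```
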

Mitigations

The authoring agencies recommend organizations implement the mitigations below to improve organizations’ cybersecurity posture based on the actors’ TTPs described in this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA. The CPGs, which are organized to align to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, are a subset of cybersecurity practices, aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. These voluntary CPGs strive to help small- and medium-sized organizations kick-start their cybersecurity efforts by prioritizing investment in a limited number of essential actions with high-impact security outcomes. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

  • Review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT helpdesk password procedures may not align to company policy for user verification or password strength, creating a security gap. Avoid common passwords (e.g. “Spring2024” or “Password123!”).
  • Disable user accounts and access to organizational resources for departing staff [CPG 2.D]. Disabling accounts can minimize system exposure, removing options actors can leverage for entry into the system. Similarly, create new user accounts as close as possible to an employee’s start date.
  • Implement phishing-resistant MFA [CPG 2.H]. See CISA’s resources Phishing-Resistant Multifactor Authentication and More than a Password for additional information on strengthening user credentials.
  • Continuously review MFA settings to ensure coverage over all active, internet-facing protocols to ensure no exploitable services are exposed [CPG 2.W].
  • Provide basic cybersecurity training to users [CPG 2.I] covering concepts such as:
    • Detecting unsuccessful login attempts [CPG 2.G].
    • Having users deny MFA requests they have not generated.
    • Ensuring users with MFA-enabled accounts have MFA set up appropriately.
  • Ensure password policies align with the latest NIST Digital Identity Guidelines.
    • Meeting the minimum password strength [CPG 2.B] by creating a password using 8-64 nonstandard characters and long passphrases, when possible.
  • Disable the use of RC4 for Kerberos authentication.

These mitigations apply to critical infrastructure entities across sectors.

The authoring agencies also recommend software manufacturers incorporate secure by design principles and tactics into their software development practices to protect their customers against actors using compromised credentials, thereby strengthening the security posture of their customers. For more information on secure by design, see CISA’s Secure by Design webpage and joint guide.

Validate Security Controls

In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating organization security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 1 to Table 12).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Contact Information

Organizations are encouraged to report suspicious or criminal activity related to information in this advisory to:

  • CISA via CISA’s 24/7 Operations Center [report@cisa.gov or 1-844-Say-CISA (1-844-729-2472)] or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
  • For NSA cybersecurity guidance inquiries, contact CybersecurityReports@nsa.gov.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.

Intrusion events connected to this Iranian group may also include a different set of cyber actors–likely the third-party actors who purchased access from the Iranian group via cybercriminal forums or other channels. As a result, some TTPs and IOCs noted in this advisory may be tied to these third-party actors, not the Iranian actors. The TTPs and IOCs are in the advisory to provide recipients the most complete picture of malicious activity that may be observed on compromised networks. However, exercise caution if formulating attribution assessments based solely on matching TTPs and IOCs.

Version History

October 2, 2024: Initial version.

Appendix A: MITRE ATT&CK Tactics and Techniques

See Tables 1–12 for all referenced actors’ tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 1: Reconnaissance
Technique Title | ID | Use
Gather Victim Identity Information | T1589 | The actors likely gathered victim information.

Table 2: Resource Development
Technique Title | ID | Use
Obtain Capabilities: Tool | T1588.002 | The actors obtained a password spray tool through an open-source repository.

Table 3: Initial Access
Technique Title | ID | Use
Valid Accounts | T1078 | The actors used password spraying to obtain valid user and group email account credentials, allowing them access to the network.
Valid Accounts: Cloud Accounts | T1078.004 | The actors used accounts hosted on Microsoft 365, Azure, and Okta cloud environments as additional methods for initial access.
External Remote Services | T1133 | The actors exploited Citrix systems’ external-facing remote services as another method for gaining initial access to the system.

Table 4: Execution
Technique Title | ID | Use
Command and Scripting Interpreter: PowerShell | T1059.001 | The actors used PowerShell commands to maintain and expand access.

Table 5: Persistence
Technique Title | ID | Use
Account Manipulation: Device Registration | T1098.005 | The actors used PowerShell commands to maintain and expand access.
Modify Authentication Process | T1556 | The actors used a public facing Active Directory Federation Service (ADFS) domain to reset the passwords of expired accounts.
Modify Authentication Process: Multi-Factor Authentication | T1556.006 | The actors used an MFA bypass method, such as Multi-Factor Authentication Request Generation, providing the ability to modify or completely disable MFA defenses.

Table 6: Privilege Escalation
Technique Title | ID | Use
Exploitation for Privilege Escalation | T1068 | The actors attempted impersonation of the domain controller likely by exploiting CVE-2020-1472, Microsoft’s Netlogon Privilege Escalation vulnerability.
Domain or Tenant Policy Modification: Trust Modification | T1484.002 | The actors leveraged a public-facing ADFS password reset tool to reactivate inactive accounts, allowing the actor to authenticate and enroll their devices as any user in the AD managed by the victim tenant.

Table 7: Defense Evasion
Technique Title | ID | Use
Indirect Command Execution | T1202 | The actors attempted impersonation of the Domain Controller likely by exploiting CVE-2020-1472, Microsoft’s Netlogon Privilege Escalation vulnerability.

Table 8: Credential Access
Technique Title | ID | Use
Brute Force: Password Spraying | T1110.003 | The actors targeted applications, including Single Sign-on (SSO) Microsoft Office 365, using brute force password sprays and imported the tool DomainPasswordSpray.ps1.
Credentials from Password Stores | T1555 | The actors used the command Cmdkey /list likely to display usernames and credentials.
Steal or Forge Kerberos Tickets: Kerberoasting | T1558.003 | The actors performed Kerberos Service Principal Name (SPN) enumeration of several service accounts and received Rivest Cipher 4 (RC4) tickets.
Multi-Factor Authentication Request Generation | T1621 | The actors sent MFA requests to legitimate users.

Table 9: Discovery
Technique Title | ID | Use
Remote System Discovery | T1018 | The actors used LOTL to return information about domain controllers.
Permission Groups Discovery: Domain Groups | T1069.002 | The actors used LOTL to return lists of domain administrators and enterprise administrators.
Permission Groups Discovery: Cloud Groups | T1069.003 | The actors used LOTL to return lists of domain administrators and enterprise administrators.
System Information Discovery | T1082 | The actors were able to query the AD to discover display names, operating systems, descriptions, and distinguished names from the computer.
Account Discovery: Domain Account | T1087.002 | The actors used LOTL to return lists of domain administrators and enterprise administrators.
Domain Trust Discovery | T1482 | The actors used LOTL to return information about trusted domains.

Table 10: Lateral Movement
Technique Title | ID | Use
Remote Services: Remote Desktop Protocol | T1021.001 | The actors used Microsoft Word to open PowerShell to launch RDP binary mstsc.exe.

Table 11: Collection
Technique Title | ID | Use
Data from Local System | T1005 | The actors downloaded files related to remote access methods and the organization’s inventory.

Table 12: Command and Control
Technique Title | ID | Use
Application Layer Protocol: Web Protocols | T1071.001 | The actors used msedge.exe to make outbound connections likely to Cobalt Strike Beacon C2 infrastructure.
Ingress Tool Transfer | T1105 | The actors imported a tool from GitHub and used it to conduct password spraying.
Protocol Tunneling | T1572 | The actors frequently conduct targeting using a virtual private network (VPN).

Appendix B: Indicators of Compromise

See Tables 13 to 15 for IOCs obtained from FBI investigations.

Table 13: Malicious Files Associated with Iranian Cyber Actors
Hash | Description
1F96D15B26416B2C7043EE7172357AF3AFBB002A | Associated with malicious activity.
3D3CDF7CFC881678FEBCAFB26AE423FE5AA4EFEC | Associated with malicious activity.

Disclaimer: The authoring organizations recommend network defenders investigate or vet IP addresses prior to taking action, such as blocking, as many cyber actors are known to change IP addresses, sometimes daily, and some IP addresses may host valid domains. Many of the IP addresses provided below are assessed VPN nodes and as such are not exclusive to the Iranian actors’ use. The authoring organizations do not recommend blocking these IP addresses based solely on their inclusion in this JCSA. The authoring organizations recommend using the below IP addresses to search for previous activity the actors may have conducted against networks. If positive hits for these IP addresses are identified, the authoring organizations recommend making an independent determination if the observed activity aligns with the TTPs outlined in the JCSA. The timeframes included in the table reflect the timeframe the actors likely used the IPs.

Table 14: Network Indicators

Table 15: Devices
Device Type | Description
Samsung Galaxy A71 (SM-A715F) | Registered with MFA
Samsung SM-G998B | Registered with MFA
Samsung SM-M205F | Registered with MFA

U.S. Department of Homeland Security Recognizes 320 Employees at Secretary’s Award Ceremony in Washington D.C.

Source: US Department of Homeland Security

WASHINGTON – On October 15, the U.S. Department of Homeland Security (DHS) held an awards ceremony hosted at DHS headquarters located at St. Elizabeths campus in Southeast Washington, D.C. where 350 employees received a Secretary’s Award in recognition of their outstanding contributions to the Department’s mission.  

“Every single day, with great determination, integrity, and skill, the 268,000 men and women of the Department of Homeland Security ensure the safety and security of the American people,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Thanks to these extraordinary public servants, our shores, harbors, skies, cyberspace, and borders are protected; fentanyl and other deadly drugs are prevented from entering our country; communities are able to recover and rebuild after a natural disaster; the scourges of human trafficking, forced labor, and online exploitation are mitigated; and so much more. The individuals we recognize today with our Department’s highest honor, the Secretary’s Award, reflect the very best of DHS – and in their selfless dedication to mission, the very best of public service.” 

The DHS Secretary’s Awards are an annual program that recognizes the extraordinary individual and collective achievements of the workforce. The 320 awardees recognized in today’s ceremony represent the Countering Weapons of Mass Destruction Office (CWMD), the Office of Intelligence and Analysis (I&A), the Management Directorate (MGMT), the Office of Health Affairs (OHA), the Office of the Inspector General (OIG), the Office of Legislative Affairs (OLA), Office of Homeland Security Situational Awareness (OSA), the Science and Technology Directorate (S&T), and the Transportation Security Administration (TSA). 

“In recognizing these outstanding DHS personnel with a Secretary’s Award, we recognize all our talented personnel; the achievements of one are not possible without the contributions of others,” added Secretary Mayorkas. “We also express our appreciation to their families and loved ones; when one serves, the family serves too.”

This year’s award recipients developed and issued policy and procedures associated with a whole-scale transition to a new pay system for TSA; launched a series of coordinated and collaborative initiatives, operations and investigations targeting Transnational Criminal Organizations (TCOs) and national security threats operating and transiting through the Darien Gap region; arrested over 8,000 human smugglers, produced over 5,000 intelligence reports, and seized over $38M USD in real property; ensured over 2,300 vital alerts and warnings were provided to owners and operators of critical infrastructure to protect against cyberattacks; among many other achievements.  

This year, DHS is holding nine Secretary’s Awards ceremonies across the country, honoring over 1,700 employees, the most annual awardees ever.  

Last year, Secretary Mayorkas unveiled 12 priorities for the Department, including a commitment to champion the workforce and transform the employee experience. DHS has the third largest workforce of any federal department, behind the Department of Defense and Department of Veterans Affairs. The Department is home to more than 92,000 sworn law enforcement officers, the greatest number of law enforcement officers of any department in the federal government. DHS has committed to increasing the representation of women in law enforcement or related occupations at DHS to 30% by 2030. Over 54,000 veterans, or nearly 21% of the workforce, continue serving their country by working at DHS.  

DHS operational components interact more frequently on a daily basis with the American public than any other federal department, from travelers moving through air, land, and sea ports of entry, to businesses importing goods into the country, to immigrants applying for services. To learn more about the impact DHS makes every day, visit: DHS.gov/TodayDHSWill

Last year, DHS improved the efficiency of processing noncitizens at the Southwest Border, deployed across the country to respond to natural disasters, investigated cybercrimes, created a new streamlined process for adjudicating asylum applications, safely and securely resettled nearly 90,000 evacuated Afghans in the United States, provided resources for organizations to enhance their cybersecurity resilience, established a process for Ukrainian nationals seeking refuge, secured the 2022 midterm elections, and demonstrated heroism by acting quickly and courageously to save lives in harrowing circumstances.    

Call for a G7 Action Plan to Prevent and Counter the Smuggling of Migrants

Source: US Department of Homeland Security

Preamble

We, the Interior and Security Ministers of the G7, in the context of the G7 Coalition to Prevent and Counter the Smuggling of Migrants launched by our Governments at the G7 Apulia summit as part of an approach ‘to enhance border management and enforcement and curb transnational organized crime involved in migrant smuggling and trafficking in persons’, reiterate and confirm our determination to intensify our efforts to prevent, counter and eradicate organized crime groups engaged in migrant smuggling, also in its connection with trafficking in persons, and strip them of the proceeds generated by these heinous crimes while always providing protection and assistance to migrants and victims of trafficking in persons, particularly women and girls.

While the smuggling of migrants and trafficking in persons are different phenomena, they often interact and both endanger the lives of the most vulnerable, exposing them to dangerous journeys and to an increased risk of serious violence and exploitation, including, but not limited to, sexual and labour exploitation, forced begging, and forced criminality.

Although difficult to quantify in statistical terms due to its unlawful and hidden nature, the United Nations Office on Drugs and Crime (UNODC) estimates that the migrant smuggling trade generates about US$ 6.75 billion a year for criminal organizations in two of the principal migrant smuggling routes leading from East, North and West Africa to Europe and from South America to North America. The global figure is likely to be much higher. Migrant smuggling is a form of irregular migration which undermines the sovereign right of states to regulate and manage the entry of foreign nationals and control their borders, which impacts security and damages public confidence in our systems.

While migrant smuggling affects G7 countries in different ways, it is a global phenomenon and we affirm our collective commitment and shared responsibility to a whole-of-route, whole-of-society, integrated, comprehensive, inclusive, sustainable and balanced approach. We will, in partnership with one another and with civil society organisations, tackle the challenges irregular migration presents and seize the opportunities created by regular, controlled migration, in line with the Global Alliance to counter migrant smuggling launched by the EU, including its call to action.

Recalling our G7 Leaders’ Communique, in our shared efforts to counter organised crime involved in migrant smuggling, we reaffirm our commitment to protecting human rights and fundamental freedoms, regardless of their migratory status, and, in this regard, we also recall the right of everyone to seek asylum from persecution as set forth in the Universal Declaration of Human Rights, and the obligations of states parties related to international protection under the 1951 Refugees Convention and its 1967 Protocol. In this sense we also acknowledge the important action carried out by the UNHCR in protecting victims of trafficking in persons. Furthermore, we will seek to ensure compliance with our international obligations, including those under the United Nations Convention against Transnational Organised Crime.

Priorities of the Action Plan

Within this framework and shared approach, we have been instructed by our Leaders to develop the following “G7 Action Plan to Prevent and Counter the Smuggling of Migrants”, pursuing the following priorities:

  • promote enhanced cooperation on investigative capacities, involving the relevant authorities in the countries of origin, transit and destination of irregular migratory flows as well as relevant international organisations;

  • strengthen border management processes, while respecting the sovereign right of States to control their borders and their prerogatives to govern migration within their jurisdiction. This should be conducted in accordance with international law, in particular as regards the applicable rights of migrants, and in compliance with the applicable non-refoulement obligations and the prohibition of torture and cruel, inhuman or degrading treatment;

  • develop concrete collaborative actions to be taken in the global fight against transnational criminal organizations engaged in migrant smuggling and trafficking in persons;

  • promote a productive and reliable exchange of information as well as effective cooperation activities between our law enforcement, immigration and border control agencies and those of Coalition partner countries, which are essential for joint law enforcement actions based on established evidence against migrant smuggling and human trafficking networks;

  • engage with all facets of the international transportation system. Transportation companies – whether transport operators or supporting industries – play a critical role in preventing abuse of their service by migrant smugglers and traffickers in persons and in identifying potential victims of trafficking in persons. Engagement with aviation transport stakeholders – be it airlines or aviation authorities – is key to addressing the use of commercial means of transport to facilitate irregular migration, in line with the measures outlined in the EU’s ‘Toolbox addressing the use of commercial means of transport to facilitate irregular migration to the EU’;

  • discourage migrants from embarking on irregular and potentially perilous journeys by informing them about the heightened risks associated with migrant smuggling, including the risk of trafficking in persons and of return from the destination country if there is no lawful right to remain, as well as on the availability of legal migration pathway opportunities and alternative economic opportunities in their regions.

The Action Plan is divided into five pillars: (i) strengthening the operational and investigative capacities of law enforcement agencies; (ii) strengthening international, judicial and police cooperation; (iii) intensified cooperation with third countries of origin and transit of irregular migration flows; (iv) prevention and awareness raising; and (v) knowledge and monitoring of the phenomenon.

Development of the Action Plan

  1. Strengthening the operational and investigative capacities of law enforcement agencies in the fight against organized criminal groups engaged in migrant smuggling and trafficking in persons by:

  • creating in the G7 countries considering themselves affected by migrant smuggling, where not already existing, law enforcement units specialized in crimes and investigations in the field of migrant smuggling and trafficking in persons;

  • creating or reinforcing, in the G7 countries considering themselves affected by migrant smuggling, a network of liaison officers from the relevant G7 countries (Police Liaison Officers, Internal Affairs and Justice Experts, etc.) in the countries of origin and transit of irregular migration flows;

  • enhancing intelligence and information exchange as a crucial element for possible subsequent joint law enforcement actions, including in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT) and by using established channels (e.g. Interpol’s I-24/7, Europol’s SIENA) for this purpose;

  • establishing and launching joint investigative actions by law enforcement officers from G7 countries considering themselves affected by the phenomenon, and also from third countries, where appropriate. These actions should be aimed at conducting investigations on targets of common interest and identifying “High Value Targets,” (i.e., organized transnational criminal groups, migrant smugglers and traffickers in persons) to be located for the purpose of capture, on which to focus the investigative attention and using INTERPOL and Europol capacities for centralised analysis;

  • Working collaboratively with social media companies to monitor internet and social network platforms, as appropriate, to prevent their use in enabling migrant smuggling and trafficking in persons, including through collectively calling on social media companies to do more to respond to online content that advertises migrant smuggling services, taking into account the duty to comply with existing domestic and international legislation and to cooperate intra-industry, especially supporting smaller companies, and make effective use of new technology, such as Artificial Intelligence tools, to promptly remove online activity of smugglers promoting irregular migration and offering illicit transportation services to migrants.

  • Encourage, where appropriate, trauma-informed approaches to law enforcement interacting with survivors of migrant smuggling and victims of trafficking in persons.

 

  2. Strengthening international cooperation between police, judicial and border officials to combat organized crime groups engaged in migrant smuggling and trafficking in persons:

  • supporting key source and transit countries to fully implement their obligations under the UN Convention against Transnational Organised Crime (UNTOC) and its Protocols on the Smuggling of Migrants and Trafficking in Persons, working with the United Nations Office on Drugs and Crime (UNODC) as appropriate to assist those countries in the criminalization of smuggling of migrants;

  • utilising existing multilateral forums and multilateral relations with international initiatives and stakeholders including the Roma-Lyon Group, the Venice Justice Group, the Financial Action Task Force, EU’s Global Alliance to Counter Migrant Smuggling, the International Criminal Police Organization (INTERPOL), the United Nations Office on Drugs and Crime (UNODC) and other United Nations bodies, and the European Union Agency for Law Enforcement Cooperation (Europol), through the European Multidisciplinary Platform Against Criminal Threats (EMPACT), and the European Border and Coast Guard Agency (Frontex) within their respective mandates, and regional initiatives such as Niamey, Rabat, Khartoum and Budapest Process – in order to improve the effectiveness of the implementation of this plan and avoid duplication considering available resources;

  • using national-level and regional resources, Europol, and INTERPOL’s capabilities to support police, immigration and criminal intelligence cooperation and maximize the use of both national-level and multilateral databases and information exchange channels;

  • develop and share good practice on disrupting the enablers of smuggling of migrants including work to degrade the supply and value chains. This should include sharing expertise on the seizure and confiscation of criminal proceeds or instrumentalities to maximise law enforcement efforts by taking a ‘follow the money’ approach. This would target the proceeds of organised crime groups engaged in migrant smuggling and trafficking in persons and would also strengthen cooperation to identify, trace, freeze, manage and potentially confiscate illegal profits from migrant smuggling. To this purpose, the G7 members should take full advantage of the potential of the Financial Investigation Units’ network.

 

  3. Stronger cooperation with countries of origin and transit of irregular migration flows, where appropriate through:

  • the development and implementation of cooperation initiatives for the support of transit and origin countries in managing the challenges associated with, and providing alternatives to, irregular migration;

  • exploring equitable and mutually beneficial partnerships and bilateral or multilateral instruments with countries of origin, transit, and destination, aimed at cooperation in the field of combating smuggling of migrants, trafficking in persons and border security;

  • collaborating, where appropriate, with international organizations to enhance multifunctional centres along key migration routes offering information and assistance to migrants and the facilitation of the safe and orderly repatriation of those not entitled to remain in G7 countries;

  • supporting host and transit countries along key migration routes in strengthening their capacities in the field of asylum and refugee protection;

  • facilitating voluntary returns of migrants from transit and destination countries, fostering cooperation on enforced returns of persons with no right to stay, in full respect of human rights and the principle of non-refoulement, allowing for increased options for migrants and more effective management of migration flows;

  • strengthening the management capacity of land and sea borders of the main countries of transit of irregular migration flows, identifying target countries and providing naval and land surveillance resources and assets or training;

  • consideration of visa requirements for certain individuals with a nexus to migrant smuggling, where appropriate, and consistent with domestic and international obligations;

  • working with the transportation industry and law enforcement of countries of transit to better identify potential migrant smuggling and cases of trafficking in persons and adjust responses based on emerging threats and known risks;

  • promoting the cooperation on international obligations to readmit own citizens who have no right to stay including under the Convention on International Civil Aviation of 7 December 1944, known as the Chicago Convention;

 

  4. Prevention and awareness raising by:

  • developing and promoting effective information and awareness raising campaigns in key countries of origin and transit, on the risks of irregular migration, smuggling of migrants and trafficking in persons. Campaigns may also signpost on available legal pathways, the effectiveness of migration policies and measures to repatriate migrants without authorization to remain in country, in cooperation with local authorities and international bodies (such as UNHCR, IOM and European External Action Service) present both in countries of origin and transit. This may be in collaboration with international organisations and civil society where appropriate.

  • facilitate legal and safe migration alternatives, as set out in the G7 Apulia Leaders’ Communique which highlights regular pathways as a key part of comprehensive migration management strategies.

  • Cooperation with social media companies, including through a roundtable event organised by G7 partners, for the active engagement to identify and counter online content which promotes and offers intermediation and irregular migration services.

 

  5. Increasing knowledge and monitoring of migrant smuggling

  • Encourage the conducting of field studies, including in collaboration with international organizations, civil society organizations and academia, to monitor and anticipate developments and trends in irregular migration flows, at global level and with regional focus;

  • sharing among the relevant authorities of the G7 countries of good practices in the fight against migrant smuggling and trafficking in persons and all related offences and exploitation, in the protection of smuggled migrants and victims of trafficking in persons, as well as in maintaining border management;

  • supporting and further developing collective mechanisms for the exchange and analysis of statistical data on irregular migration flows and related phenomena, in order for G7 countries to improve their ability to monitor, identify and respond to identified trends;

  • encourage, in a manner consistent with applicable law, collection of gender and age disaggregated data, and dissemination of data on labor exploitation connected to trafficking in persons;

  • monitoring and review of the state of implementation of this Action Plan, to be conducted within the Roma-Lyon Group with progress reporting to the RLG Heads of Delegation to take place at the bi-annual meetings.