Join War on the Rocks and gain access to content trusted by policymakers, military leaders, and strategic thinkers worldwide.
Just before midnight on Nov. 24, 2025, New Castle County police officers conducting a routine property check in Wilmington’s Canby Park spotted a white Toyota Tacoma parked after hours. What initially appeared to be a standard traffic stop uncovered a detailed terror plot. The suspect — a University of Delaware student — was found in possession of a converted machine gun, more than 100 rounds of ammunition, body armor, and a handwritten notebook mapping out a planned attack on the campus police department, including entry points, escape routes, and the name of a specific officer. When FBI agents interviewed him, he stated that achieving martyrdom was “one of the greatest things you can do.” The acting U.S. Attorney called it “a quintessential example” of law enforcement collaboration that stopped a catastrophe.
Public safety professionals have spent two decades training to detect threats like the one in Delaware, yet it was a chance traffic stop that ultimately exposed it. But the threats arriving now are far subtler. State-sponsored reconnaissance, espionage, and pre-operational surveillance do not announce themselves with machine guns and manifestos — picture a graduate student flying a drone over a shipyard, a photographer lingering near a port crane, or a series of probing visits to a water treatment facility. If our patrol officers are catching terrorism by accident, they are almost certainly missing foreign adversary surveillance entirely.
When we think about national security, we consider the military apparatus and the intelligence services, but homeland security is primarily a policing function. Our cops are not trained to think like soldiers or intelligence officers — and the post-9/11 investment in law enforcement, while significant, focused on tactical capability and equipment, not on surveillance detection and counterintelligence skills. Cops think in terms of civil or criminal infractions, not international plots to disrupt American life. Yet, in this age of great-power competition, conflict is already arriving on our shores in the form of espionage, sabotage, cyber intrusions, and pre-operational surveillance by foreign adversaries, and we need to prepare local police to identify and respond to these threats before they become crises.
This is far from a hypothetical threat. In 2024, Fengyun Shi, a Chinese graduate student, was caught flying a drone over Navy warships under construction at Newport News Shipbuilding — one of only two shipyards in the country that builds nuclear aircraft carriers. It was a nearby resident — not a police officer — who grew suspicious and called the authorities. Shi fled across state lines and tried to board a one-way flight to China before federal agents arrested him at the gate. He was ultimately convicted under the Espionage Act — the first person charged under a World War II–era statute prohibiting aircraft photography of sensitive military installations. Nonetheless, the initial detection came from a civilian, not from any trained officer or institutional system designed to catch state-sponsored intelligence collection.
How many more events like this are occurring undetected or misidentified by local police departments across the country?
I write this from a position that straddles the worlds of military intelligence and law enforcement. As a Navy intelligence, surveillance, and reconnaissance mission commander, I spent over 1,000 hours flying combat recon missions, immersing myself in studying the methods and telltale signs of terrorist organizations and adversary state actors. Now serving in the Navy Reserve as a leader in an intelligence unit, I see even more adversarial activity — espionage, sabotage, cyber penetration, and pre-operational surveillance — which increasingly includes industrial and civil infrastructure targets inside U.S. borders. I am also the founder of a public safety technology company. While I have a commercial interest in law enforcement preparedness, my unique perspective on these issues is shaped by direct, firsthand experience.
The infrastructure to fix the surveillance detection deficit already exists. The Suspicious Activity Reporting system, DHS/FBI fusion centers, corporate security networks, and emerging AI-enabled pattern detection tools can all be leveraged — but they need to be reoriented from counterterrorism toward the surveillance detection mission that defines the actual threat. What follows is a blueprint for doing exactly that.
Foreign adversaries are already conducting surveillance and pre-operational reconnaissance against U.S. critical infrastructure — the question is whether local law enforcement can recognize it when they see it.
Police academies train officers in probable cause, reasonable suspicion, use-of-force decision-making, and criminal investigation. What they do not teach is surveillance detection — the ability to recognize when a foreign operative is conducting pre-operational reconnaissance against critical infrastructure. This is a skill that intelligence and counterintelligence professionals spend months developing. Local police receive none of it, and there is almost no institutional mechanism to tell a patrol officer what foreign reconnaissance looks like in their jurisdiction or what to do when they encounter it.
We already have some infrastructure in place. The Nationwide Suspicious Activity Reporting Initiative, established in 2010, connects local police to fusion centers through standardized reporting. The problem is that its reporting criteria filter for a “terrorism nexus” — and activity that does not fit that template gets dismissed, even when it represents state-sponsored surveillance or pre-operational reconnaissance.
A short vignette illustrates the gap: Imagine a Wilmington, Delaware patrol officer encounters someone photographing Port of Wilmington crane operations with unusual rigor. Under the current Suspicious Activity Reporting system, the officer files a report, a supervisor reviews it, and a fusion center analyst then evaluates whether it has a “terrorism nexus.” It probably does not — this is not the Islamic State — so it goes nowhere. The Chinese reconnaissance operative walks away unchallenged. Multiply this by a thousand unreported or dismissed incidents across the country, and it becomes clear how adversary networks like Volt Typhoon penetrated our water systems and other critical infrastructure undetected.
Here is what the system should do to address the threats we actually face.
Expand Suspicious Activity Reporting Criteria Beyond Terrorism
State-sponsored reconnaissance — photographing infrastructure, probing security protocols, coordinated timing near military exercises — needs its own reporting category. The National Suspicious Activity Reporting Initiative’s 16 behavior indicators were built for suicide bombers, not operatives from China’s Ministry of State Security. The criteria should be updated to reflect the espionage and sabotage threats that define today’s competitive landscape.
This expansion will inevitably raise legitimate civil liberty concerns. Broadening suspicious activity categories to include photographing infrastructure and probing security protocols could risk chilling press freedom, academic research, and the rights of ordinary citizens exercising their First Amendment protections. The American Civil Liberties Union has already litigated against the existing Suspicious Activity Reporting program on precisely these grounds in Gill v. DOJ, representing plaintiffs flagged in federal databases for activities like photographing public art on a gas storage tank.
Any expansion should include robust safeguards: clear evidentiary thresholds beyond mere photography; mandatory training to distinguish between constitutionally protected activity and genuine operational indicators; and meaningful oversight mechanisms, such as regular government review of Suspicious Activity Reporting challenged on constitutional grounds. Getting this balance wrong would undermine both the program’s legitimacy and the public trust that local law enforcement depends on. But getting it right means we stop dismissing state-sponsored reconnaissance because it does not fit a terrorism template.
Deploy AI for Pattern Detection
Technology can now flag when officers in different jurisdictions report similar activity near critical infrastructure. The Camp Grayling incident is instructive: It was not five random Chinese students looking at meteors, but a coordinated operation during the Northern Strike exercises. AI could have connected those dots before the FBI issued warrants well after the operatives had already fled the country. When police departments in three different states each file a report or issue a bulletin about someone photographing the same type of facility in the same week, an algorithm should be connecting those reports and escalating them to the relevant intelligence analysts.
Close the Feedback Loop
Cops need to know when their reports contribute to disrupting broader operations. Right now, they file Suspicious Activity Reports into a black hole. Give them the same kind of intelligence briefings we give intelligence, surveillance, and reconnaissance crews — okay, almost. Tell cops: “Your report on suspicious photography at the water treatment plant was one of fifteen similar incidents across the region. Here is what analysis revealed about targeting patterns.” That is how you train street cops to think like intelligence officers.
Integrate Corporate Security
A chemical plant security director knows what adversarial surveillance looks like — a patrol officer sees someone taking pictures. Both need to be talking to each other — and to the FBI fusion centers — to connect the dots before an incident occurs, not after. Local police leadership needs to be directly engaged with private corporate security teams, specifically around companies that produce technologies like semiconductors, nuclear power, hydro power, AI, precursor chemicals, and pharmaceuticals. Corporate security teams have sophisticated physical security protocols and counterintelligence training that most municipal police departments lack. They know what normal reconnaissance looks like versus adversarial surveillance. Get them talking, formalize relationships, and create institutionalized channels where threat intelligence flows down to patrol level and suspicious activity reports flow back up.
National Defense Authorization Act Funding
This coordinated use of technology for threat intelligence may be controversial. Local law enforcement agencies — not the FBI — will ultimately deploy the technology that detects these anomalous patterns. However, these local agencies face tight budgets and often lack the funds to quickly acquire new technology, forcing tradeoffs that prioritize immediate needs — like replacing a police cruiser — over investing in long-term preparedness. This challenge is compounded by the fact that federal funding for local law enforcement technology is decreasing following the expiration of programs like the American Rescue Plan Act. We need to fund this initiative through the National Defense Authorization Act, not just through the Department of Justice and the Department of Homeland Security, because this is a national defense problem, not merely a law enforcement one.
There is recent precedent for this approach. The Fiscal Year 2026 National Defense Authorization Act’s (NDAA) SAFER SKIES Act expanded counter-drone authorities to state and local law enforcement agencies. Additionally, the separately introduced DRONE Act, also included in the FY2026 NDAA, authorized the use of Byrne Justice Assistance Grants and Community Oriented Police Services funding for drone acquisition — both provisions that moved defense-adjacent technology capabilities to local agencies through the defense authorization process.
Notably, the SAFER SKIES Act itself originated from the Senate Homeland Security and Governmental Affairs Committee — the Peters, Johnson, Grassley, and Cortez Masto bill — but rode the NDAA to passage, a precedent that cuts both ways. However, this recommendation implies real jurisdictional sensitivities on Capitol Hill. The NDAA is the province of the Armed Services Committees, and routing local law enforcement technology funding through defense authorization will draw objections from both the Homeland Security Committees and the Judiciary Committees, which have traditionally controlled federal law enforcement assistance programs.
Defense and homeland security appropriators may see this as a turf encroachment, and they will not be wrong. The case for doing it anyway is that the threat itself does not respect committee jurisdictions: Chinese intelligence operatives conducting pre-operational surveillance of naval installations is a defense problem that manifests as a local policing encounter. The funding mechanism should reflect that reality, even if it means a harder legislative fight.
The surveillance detection infrastructure exists. We just need to retool a counterterrorism system for the threat we are actually facing: state-sponsored espionage, sabotage, and cyber operations targeting U.S. critical systems from within.
We need to be prepared at home to win the fight abroad. Right now, we are not. But these recommendations would give our first responders the tools and the mindset to identify and stop threats before they escalate. The cop on the corner is not just keeping the peace. That officer is — or should be — our first and most vital intelligence node in defending the homeland. It is time we started treating law enforcement as the national security mission it has become.
Matt White is the co-founder and CEO of Multitude Insights, a public safety technology company. A former EP-3E Mission Commander with over 1,000 hours of combat reconnaissance missions across the Pacific and the Middle East, he holds a master’s in public administration from the Harvard Kennedy School and an MBA from MIT Sloan. He currently serves as the electronic warfare lead on the 7th Fleet staff in the U.S. Navy Reserve. The views expressed here are his own.
Image: Metropolitan Transportation Authority via Wikimedia Commons
