By Donald J. Mihalek and Richard Frankel
As the kinetic confrontation with the Iranian regime escalates, concerns are being raised about the possibility of retaliation that could impact the United States. Those implications are relevant not only for national security officials but also for state and local law enforcement.
Terrorism: Iran’s primary weapon
Iranian leaders have publicly vowed retaliation for recent U.S. strikes. “You have crossed our red line and must pay the price,” Iran’s parliamentary speaker Mohammad Bagher Qalibaf warned in remarks reported by international media.
Historically, Iranian retaliation has often taken the form of terrorism carried out directly or through proxy groups. The U.S. State Department designated Iran a state sponsor of terrorism in 1984, noting its role in providing “funding, weapons, and training to organizations like Hezbollah, Hamas and the Houthis, fueling regional instability and targeting American interests.” According to State Department reporting, Iran has spent over $16 billion funding terrorist groups worldwide, including inside the United States.
| RELATED: Rebuilding intelligence and information sharing in a changing threat landscape
What this means for state and local agencies
Security analysts warn that the threat is not purely theoretical. In recent years, multiple plots tied to Iranian actors have been disrupted inside the United States. A Department of Homeland Security (DHS) bulletin has also warned of Iran’s “long-standing commitment to target U.S. government officials.”
With the DHS currently facing a funding impasse and shutdown, local agencies must bridge the gap in intelligence gathering and target hardening. A DHS warning noted that, “the likelihood of violent extremists in the Homeland independently mobilizing to violence in response to the conflict would likely increase if Iranian leadership issued a religious ruling calling for retaliatory violence against targets in the Homeland.”
Since then, Iranian clerics have issued two fatwas against the United States, calling on Muslims worldwide to avenge the death of Ayatollah Ali Khamenei. This brings multiple potential threat vectors into focus for impacted state and local agencies: the “lone actor” attack, a coordinated group attack and a cyber-attack.
The “lone actor” and soft target threat
While jurisdictions with federal facilities, military bases, or critical infrastructure may increase security around those locations, soft targets often remain the most vulnerable. The recent shooting attack in Austin, Texas — where the shooter arrived wearing a “Property of Allah” sweatshirt and an Iranian flag shirt — highlights how attackers often choose locations where security is limited but the potential impact is high.
The recent IED attack in New York City provides another example of this threat environment. During protests outside the mayor’s residence at Gracie Mansion, suspects ignited and threw improvised explosive devices (IEDs) toward the crowd and responding officers. Authorities later confirmed the devices were functioning explosives capable of causing serious injury or death.
Investigators say the attack is being treated as ISIS-inspired terrorism, with suspects allegedly influenced by extremist propaganda and pledging allegiance to the group. This incident underscores the broader concern among law enforcement that online extremist messaging and calls for violence can rapidly translate into real-world attacks targeting gatherings and other soft targets.
Behavioral patterns in these types of attacks often mirror findings from the U.S. Secret Service National Threat Assessment Center’s study on mass attacks in public spaces:
- Grievance: Many attackers exhibit a specific grievance or perceived injustice that drives their planning and target selection.
- Psychological Factors: Some attackers experience significant personal stressors or mental health struggles that contribute to escalation.
- Symbolism: Attackers frequently select locations they believe represent the source of their grievance or provide symbolic value.
Recognizing these behavioral indicators — regardless of motivation — can help officers, investigators and community partners identify and mitigate a threat before violence occurs.
| RELATED: How the NJ ROIC transformed threat management with agile intelligence and real-time collaboration
The cyber threat
Federal officials have also warned that Iran and its affiliated actors could pursue cyber retaliation. While a large-scale physical attack on U.S. soil remains unlikely, analysts note that Iranian cyber operations have historically targeted government networks and critical infrastructure.
Officials have warned that Iran-aligned hacktivists could escalate retaliatory actions against U.S. networks, potentially including website defacements, phishing campaigns or distributed denial-of-service attacks targeting government systems.
The current DHS shutdown also affects the Cybersecurity & Infrastructure Security Agency (CISA), the federal entity that helps state and local governments defend against cyber threats. With some federal support functions limited during the shutdown, local and state agencies may face increased responsibility for identifying and reporting cyber incidents affecting government facilities and critical infrastructure networks.
Taken together, these risks underscore a reality that has shaped homeland security for more than two decades: when global conflicts escalate, the first indicators and responses often occur at the local level.
What agencies should consider now
Review soft-target security: Work with local and private sector partners to review security posture around soft targets such as houses of worship, entertainment venues, transportation hubs and large public gatherings. Increased awareness and coordination with venue operators can help identify vulnerabilities before they are exploited.
Strengthen intelligence sharing: Ensure officers and investigators remain connected to regional fusion centers, Joint Terrorism Task Forces and federal partners. Timely reporting of suspicious activity and intelligence sharing across agencies and the private sector can help detect emerging threats earlier.
Reinforce suspicious activity reporting Remind officers and community partners of the importance of reporting behaviors that may indicate pre-attack planning. Patterns such as surveillance of locations, attempts to access restricted areas or unusual interest in security procedures should be documented and shared.
Assess cyber readiness: Coordinate with municipal IT departments to review cyber incident reporting procedures and ensure contingency plans are in place for potential disruptions affecting government networks or critical infrastructure.
Increase situational awareness during high-profile events: Periods of geopolitical tension can elevate risk during public events or large gatherings. Agencies should consider conducting a site advance with event organizers and add increased security and overlapping security measures during times of heightened threat awareness.
| RELATED: Why special event policing must become intelligence led in 2026
The front line is local
Much like the period following the September 11, 2001 attacks, state and local law enforcement remain a critical layer of homeland security. While federal agencies lead intelligence and counterterrorism efforts, local officers are often the first to identify suspicious activity, respond to threats and coordinate security measures within their communities. Strengthening partnerships with federal agencies, sharing intelligence and working closely with private-sector and community stakeholders remain essential to reducing vulnerabilities.
Iran’s retaliatory strategy has historically relied on asymmetric tactics — including proxy violence, cyber operations, symbolic targeting and incentivizing “lone actor” attacks — rather than direct confrontation with U.S. forces. These threat streams often focus on softer targets such as public venues, transportation systems, critical infrastructure and government networks. For state and local agencies, preparedness, vigilance and coordinated information sharing remain key components of protecting the communities they serve.
| RELATED: How police and corporate security are building a shared intelligence network
About the authors
Donald J. Mihalek is a retired senior Secret Service agent and regional field training instructor who served on the president’s detail and during presidential transitions.
Richard M. Frankel is a former special agent in charge for the FBI with the JJTC and detailee to the Office of the National Director of Intelligence.
