Counterterrorism: Shifting from ‘Who’ to ‘How’
November 4, 2009
By Scott Stewart and Fred Burton
In the 11th edition of the online magazine Sada al-Malahim (The Echo of Battle), which was released to jihadist Web sites last week, al Qaeda in the Arabian Peninsula (AQAP) leader Nasir al-Wahayshi wrote an article that called for jihadists to conduct simple attacks against a variety of targets. The targets included “any tyrant, intelligence den, prince” or “minister” (referring to the governments in the Muslim world like Egypt, Saudi Arabia and Yemen), and “any crusaders whenever you find one of them, like at the airports of the crusader Western countries that participate in the wars against Islam, or their living compounds, trains etc.,” (an obvious reference to the United States and Europe and Westerners living in Muslim countries).
Al-Wahayshi, an ethnic Yemeni who spent time in Afghanistan serving as a lieutenant under Osama bin Laden, noted these simple attacks could be conducted with readily available weapons such as knives, clubs or small improvised explosive devices (IEDs). According to al-Wahayshi, jihadists “don’t need to conduct a big effort or spend a lot of money to manufacture 10 grams of explosive material” and that they should not “waste a long time finding the materials, because you can find all these in your mother’s kitchen, or readily at hand or in any city you are in.”
That al-Wahayshi gave these instructions in an Internet magazine distributed via jihadist chat rooms, not in some secret meeting with his operational staff, demonstrates that they are clearly intended to reach grassroots jihadists — and are not intended as some sort of internal guidance for AQAP members. In fact, al-Wahayshi was encouraging grassroots jihadists to “do what Abu al-Khair did” referring to AQAP member Abdullah Hassan Taleh al-Asiri, the Saudi suicide bomber who attempted to kill Saudi Deputy Interior Minister Prince Mohammed bin Nayef with a small IED on Aug. 28.
The most concerning aspect of al-Wahayshi’s statement is that it is largely true. Improvised explosive mixtures are in fact relatively easy to make from readily available chemicals — if a person has the proper training — and attacks using small IEDs or other readily attainable weapons such as knives or clubs (or firearms in the United States) are indeed quite simple to conduct.
As STRATFOR has noted for several years now, with al Qaeda’s structure under continual attack and no regional al Qaeda franchise groups in the Western Hemisphere, the most pressing jihadist threat to the U.S. homeland at present stems from grassroots jihadists, not the al Qaeda core. This trend has been borne out by the large number of plots and arrests over the past several years, to include several so far in 2009. The grassroots have likewise proven to pose a critical threat to Europe (although it is important to note that the threat posed by grassroots operatives is more widespread, but normally involves smaller, less strategic attacks than those conducted by the al Qaeda core).
From a counterterrorism perspective, the problem posed by grassroots operatives is that unless they somehow self-identify by contacting a government informant or another person who reports them to authorities, attend a militant training camp, or conduct electronic correspondence with a person or organization under government scrutiny, they are very difficult to detect.
The threat posed by grassroots operatives, and the difficulty identifying them, highlight the need for counterterrorism programs to adopt a proactive, protective intelligence approach to the problem — an approach that focuses on “the how” of militant attacks instead of just “the who.”
In the traditional, reactive approach to counterterrorism, where authorities respond to a crime scene after a terrorist attack to find and arrest the militants responsible for the attack, it is customary to focus on the who, or on the individual or group behind the attack. Indeed, in this approach, the only time much emphasis is placed on the how is either in an effort to identify a suspect when an unknown actor carried out the attack, or to prove that a particular suspect was responsible for the attack during a trial. Beyond these limited purposes, not much attention is paid to the how.
In large part, this focus on the who is a legacy of the fact that for many years, the primary philosophy of the U.S. government was to treat counterterrorism as a law-enforcement program, with a focus on prosecution rather than on disrupting plots.
Certainly, catching and prosecuting those who commit terrorist attacks is necessary, but from our perspective, preventing attacks is more important, and prevention requires a proactive approach. To pursue such a proactive approach to counterterrorism, the how becomes a critical question. By studying and understanding how attacks are conducted — i.e., the exact steps and actions required for a successful attack — authorities can establish systems to proactively identify early indicators that planning for an attack is under way. People involved in planning the attack can then be focused on, identified, and action can be taken prevent them from conducting the attack or attacks they are plotting. This means that focusing on the how can lead to previously unidentified suspects, e.g., those who do not self-identify.
“How was the attack conducted?” is the primary question addressed by protective intelligence, which is, at its core, a process for proactively identifying and assessing potential threats. Focusing on the how, then, requires protective intelligence practitioners to carefully study the tactics, tradecraft and behavior associated with militant actors involved in terrorist attacks. This allows them to search for and identify those behaviors before an attack takes place. Many of these behaviors are not by themselves criminal in nature; visiting a public building and observing security measures or standing on the street to watch the arrival of a VIP at their office are not illegal, but they can be indicators that an attack is being plotted. Such legal activities ultimately could be overt actions in furtherance of an illegal conspiracy to conduct the attack, but even where conspiracy cannot be proved, steps can still be taken to identify possible assailants and prevent a potential attack — or at the very least, to mitigate the risk posed by the people involved.
Protective intelligence is based on the fact that successful attacks don’t just happen out of the blue. Rather, terrorist attacks follow a discernable attack cycle. There are critical points during that cycle where a plot is most likely to be detected by an outside observer. Some of the points during the attack cycle when potential attackers are most vulnerable to detection are while surveillance is being conducted and weapons are being acquired. However, there are other, less obvious points where people on the lookout can spot preparations for an attack.
It is true that sometimes individuals do conduct ill-conceived, poorly executed attacks that involve shortcuts in the planning process. But this type of spur-of-the-moment attack is usually associated with mentally disturbed individuals and it is extremely rare for a militant actor to conduct a spontaneous terrorist attack without first following the steps of the attack cycle.
To really understand the how, protective intelligence practitioners cannot simply acknowledge that something like surveillance occurs. Rather, they must turn a powerful lens on steps like preoperational surveillance to gain an in-depth understanding of them. Dissecting an activity like preoperational surveillance requires not only examining subjects such as the demeanor demonstrated by those conducting surveillance prior to an attack and the specific methods and cover for action and status used. It also requires identifying particular times where surveillance is most likely and certain optimal vantage points (called perches in surveillance jargon) from where a surveillant is most likely to operate when seeking to surveil a specific facility or event. This type of complex understanding of surveillance can then be used to help focus human or technological countersurveillance efforts where they can be most effective.
Unfortunately, many counterterrorism investigators are so focused on the who that they do not focus on collecting this type of granular how information. When we have spoken with law enforcement officers responsible for investigating recent grassroots plots, they gave us blank stares in response to questions about how the suspects had conducted surveillance on the intended targets. They simply had not paid attention to this type of detail — but this oversight is not really the investigators’ fault. No one had ever explained to them why paying attention to, and recording, this type of detail was important. Moreover, it takes specific training and a practiced eye to observe and record these details without glossing over them. For example, it is quite useful if a protective intelligence officer has first conducted a lot of surveillance, because conducting surveillance allows one to understand what a surveillant must do and where he must be in order to effectively observe surveillance of a specific person or place.
Similarly, to truly understand the tradecraft required to build an IED and the specific steps a militant needs to complete to do so, it helps to go to an IED school where the investigator learns the tradecraft firsthand. Militant actors can and do change over time. New groups, causes and ideologies emerge, and specific militants can be killed, captured or retire. But the tactical steps a militant must complete to conduct a successful attack are constant. It doesn’t matter if the person planning an attack is a radical environmentalist, a grassroots jihadist or a member of the al Qaeda core, for while these diverse actors will exhibit different levels of professionalism in regard to terrorist tradecraft, they still must follow essentially the same steps, accomplish the same tasks and operate in the same areas. Knowing this allows protective intelligence to guard against different levels of threats.
Of course, tactics can be changed and perfected and new tactics can be developed (often in response to changes in security and law enforcement operations). Additionally, new technologies can emerge (like cell phones and Google Earth) — which can alter the way some of these activities are conducted, or reduce the time it takes to complete them. Studying the tradecraft and behaviors needed to execute evolving tactics, however, allows protective intelligence practitioners to respond to such changes and even alter how they operate in order to more effectively search for potential hostile activity.
Technology does not only aid those seeking to conduct attacks. There are a variety of new tools, such as Trapwire, a software system designed to work with camera systems to help detect patterns of preoperational surveillance, that can be focused on critical areas to help cut through the fog of noise and activity and draw attention to potential threats. These technological tools can help turn the tables on unknown plotters because they are designed to focus on the how. They will likely never replace human observation and experience, but they can serve as valuable aids to human perception.
Of course, protective intelligence does not have to be the sole responsibility of federal authorities specifically charged with counterterrorism. Corporate security managers and private security contractors should also apply these principles to protecting the people and facilities in their charge, as should local and state police agencies. In a world full of soft targets — and limited resources to protect those targets from attack — the more eyes looking for such activity the better. Even the general public has an important role to play in practicing situational awareness and spotting potential terrorist activity.
Keeping it Simple?
Al-Wahayshi is right that it is not difficult to construct improvised explosives from a wide range of household chemicals like peroxide and acetone or chlorine and brake fluid. He is also correct that some of those explosive mixtures can be concealed in objects ranging from electronic items to picture frames, or can be employed in forms ranging from hand grenades to suicide vests. Likewise, low-level attacks can also be conducted using knives, clubs and guns.
Furthermore, when grassroots jihadists plan and carry out attacks acting as lone wolves or in small compartmentalized cells without inadvertently betraying their mission by conspiring with people known to the authorities, they are not able to be detected by the who-focused systems, and it becomes far more difficult to discover and thwart these plots. This focus on the how absolutely does not mean that who-centered programs must be abandoned. Surveillance on known militants, their associates and communications should continue, efforts to identify people attending militant training camps or fighting in places like Afghanistan or Somalia must be increased, and people who conduct terrorist attacks should be identified and prosecuted.
However — and this is an important however — if an unknown militant is going to conduct even a simple attack against some of the targets al-Wahayshi suggests, such as an airport, train, or specific leader or media personality, complexity creeps into the picture, and the planning cycle must be followed if an attack is going to be successful. The prospective attacker must observe and quantify the target, construct a plan for the attack and then execute that plan. The demands of this process will force even an attacker previously unknown to the authorities into a position where he is vulnerable to discovery. If the attacker does this while there are people watching for such activity, he will likely be seen. But if he does this while there are no watchers, there is little chance that he will become a who until after the attack has been completed.