WikiLeaks logo
The Global Intelligence Files,
files released so far...

The Global Intelligence Files

The Global Intelligence Files

On Monday February 27th, 2012, WikiLeaks began publishing The Global Intelligence Files, over five million e-mails from the Texas headquartered "global intelligence" company Stratfor. The e-mails date between July 2004 and late December 2011. They reveal the inner workings of a company that fronts as an intelligence publisher, but provides confidential intelligence services to large corporations, such as Bhopal's Dow Chemical Co., Lockheed Martin, Northrop Grumman, Raytheon and government agencies, including the US Department of Homeland Security, the US Marines and the US Defence Intelligence Agency. The emails show Stratfor's web of informers, pay-off structure, payment laundering techniques and psychological methods.

Re: Counterterrorism: Shifting from the Who to the How

Released on 2012-08-09 18:00 GMT

Email-ID 1038271
Date 2009-11-03 23:05:17
Great piece, one small question.
On Nov 3, 2009, at 2:06 PM, scott stewart wrote:

A joint Stick/Fred production.

We know what we are talking about, and this makes sense to us - but
please make sure that we have explained this in terms that can be
understood by someone other than Fred and me.

The Who

The How

Counterterrorism: Shifting from the Who to the How

In the eleventh edition of the online magazine [link ] Sada
al-Malahim (The Echo of Battle) which was released to jihadist Web sites
last week, the leader of al Qaeda in the Arabian Peninsula (AQAP) [ link
] Nasir al-Wuhayshi, wrote an article in which he called for jihadists
to conduct simple attacks against a variety of targets. The targets he
mentioned included *any tyrant, intelligence den, prince,* or *minister*
(referring to the governments in the Muslim world like Egypt, Saudi
Arabia and Yemen), and *any crusaders whenever you find one of them,
like at the airports of the crusader western countries that participate
in the wars against Muslim, or their living compounds, trains etc.*
(obviously referring to the U.S. and Europe.)

Al-Wuhayshi, an ethnic Yemeni who spent time in Afghanistan serving as a
lieutenant under Osama Bin Laden, noted these simple attacks could be
conducted using readily available weapons, such as knives, clubs or
small improvised explosive devices (IEDs). According to al-Wuhayshi,
jihadists *don*t need to conduct a big effort or spend a lot of money to
manufacture 10 grams of explosive material more or less* and that they
should not *waste a long time finding the materials, because you can
find all these in your mother*s kitchen, or at your hand or in any city
you are in.*

The fact that these instructions were given by al-Wuhayshi in an
internet magazine distributed via jihadist chat rooms and not some
secret meeting with his operational staff demonstrates that they are
clearly intended to reach [link ]
grassroots jihadists * and are not intended just as internal guidance
for AQAP members. Al- Wuhayshi was encouraging grassroots jihadists to
*do what Abu al-Khair did* referring to [link
] AQAP member Abdullah Hassan Taleh al-Asiri, the Saudi suicide bomber
who attempted to kill Saudi Deputy Interior Minister Prince Mohammed bin
Nayef with a small IED on August 28, 2009.

The most concerning aspect of al-Wuhayshi*s statement is that it is
largely true. Improvised explosive mixtures are relatively easy to make
from readily available chemicals -- if a person has the proper training
-- and attacks using small IEDs or other readily attainable weapons such
as knives or clubs [link ] (or firearms
in the U.S.) are indeed quite simple to conduct.

As STRATFOR has [link ] noted for
several years now, with al Qaeda's structure under continual attack and
no regional al Qaeda franchise groups in the Western Hemisphere, the
most pressing jihadist threat to the U.S. homeland at present stems from
grassroots jihadists and not the al Qaeda core. This trend has been
borne out by the large number of plots and arrests over the past several
years, to include several so far in 2009. The grassroots have likewise
proven to pose a critical threat to Europe.

From a counterterrorism perspective, the problem posed by grassroots
operatives is that unless they somehow self-identify [link
] by contacting a government informant or other person who reports them
to authorities, or they [link ]
conduct electronic correspondence with a person or organization under
government scrutiny, they are very difficult to detect.

The threat posed by grassroots operatives, and the difficulty
identifying them, highlight the need for counterterrorism programs to
adopt a proactive, protective intelligence approach to the problem -- an
approach that focuses on *the how* of militant attacks instead of just
*the who*.

The How

In the traditional, reactive, approach to counterterrorism, where
authorities respond to a crime scene after a terrorist attack in order
to find and arrest the militants responsible for the attack, it is
customary to focus on *the who* behind the attack. Indeed, in this
traditional approach, the only time much emphasis is placed on *the how*
is either in an effort to identify a suspect when the attack was
conducted by an unknown actor, or to prove that a particular suspect was
responsible for the attack during a trial. Beyond these limited
purposes, not much attention is paid to *the how.*

Now, catching and prosecuting those who commit terrorist attacks is a
good thing, but from our perspective what is even more important is
preventing the attack in the first place, and prevention requires a
proactive approach. In order to pursue such a proactive approach to
counterterrorism, *the how* becomes the critical question. By studying
and understanding how attacks are conducted, authorities can then
establish systems to proactively identify early indicators that attack
planning is occurring. People involved in that attack planning can then
be focused on, identified, and action can be taken prevent them from
conducting the attack(s) they are plotting. This means that focusing on
*the how* can lead to previously unidentified suspects * those who do
not self-identify.

How is the primary question addressed by [link
] protective intelligence, which is, at its core, a process for
proactively identifying and assessing potential threats. Focusing on
*the how* then, requires protective intelligence practitioners to
carefully study the tactics, tradecraft and behavior associated with
militant actors involved in terrorist attacks in order to search for and
identify those behaviors before an attack takes place. Many of these
behaviors are not by themselves criminal in nature, visiting a public
building and observing the security measures or standing on the street
to watch the arrival of a VIP at her office are not illegal, but they
can be indicators that an attack is being plotted, and in the grand
scheme of things those legal activities could turn out to be overt
actions in furtherance of an illegal conspiracy to conduct the attack *
but even in a case where a conspiracy cannot be proves, steps can be
still taken to prevent a potential attack and to mitigate the risk posed
by the people involved.

Protective intelligence is based on the fact that attacks don*t just
happen out of the blue. Rather, every terrorist attack follows a [link ] discernable
attack cycle, and there are critical points in that cycle where a plot
is most likely to be detected by an outside observer and the critical
activity that happens at these points can then be looked for. Among the
most vulnerable times of in the attack cycle are while surveillance is
being conducted and weapons are being acquired, but there are other,
less obvious points where such activity can be spotted by someone who is
looking for it.

In order to really understand *the how*, protective intelligence
practitioners cannot just simply acknowledge that something like
surveillance occurs. Rather they must turn a powerful lens on topics
like pre-operational surveillance in order to study them at a granular
level so that it can be studied and fully understood. Dissecting an
activity like [link ]
preoperational surveillance requires not only examining subjects such as
the demeanor demonstrated by those conducting surveillance prior to an
attack and the specific methods [link ] and cover
for action and cover for status utilized, but identifying certain times
where surveillance is most likely to happen and certain optimal vantage
points (called perches in surveillance jargon) where a surveillant is
most likely to operate from, if he is seeking to surveil a specific
facility or event. This type of complex understanding of the topic of
surveillance can then be used to help focus human or technological
countersurveillance efforts to where they can be most effective.

Unfortunately, many counterterrorism investigators are so focused on
*the who* that they do not focus on collecting this type of granular
*how* information. We have talked to law enforcement officers
responsible for investigating some recent grassroots plots, and when
asked to describe specifically how the suspects had conducted
surveillance on the intended targets, we were met with blank stares.
They simply had not paid attention to this type of detail. But this is
not really the fault of these investigators. Nobody had ever explained
to them why paying attention to and recording this type of detail was
important. Additionally, it takes specific training and a practiced eye
to pick out these details without glossing over them. For example, one
must first conduct a lot of surveillance in order to become a first-rate
countersurveillance officer. The experience of conducting surveillance
allows you to understand what a surveillant must do and where he must be
in order to conduct surveillance of a specific person or place.

Similarly, in order to truly understand the tradecraft required to build
an IED and the specific steps that a militant needs to complete in order
to do so, it helps to go to an IED school where the investigator learns
the tradecraft firsthand. Militant actors can and do change over time.
New groups, causes and ideologies emerge, and specific militants can be
killed, captured or retire. But the tactical steps that a militant must
complete in order to conduct an attack are constant. It doesn*t matter
if the person planning an attack is a radical environmentalist, a
grassroots jihadist or a member of the al Qaeda core, while these
diverse actors will exhibit different levels of professionalism in
regard to terrorist tradecraft, they still must follow essentially the
same steps, accomplish the same tasks and operate in the same areas.
Knowing this allows protective intelligence to guard against different
levels of threats.

Of course tactics can be change and be perfected and new tactics can be
developed -- and technology can emerge (like cell phones and Google
earth) -- which can alter the way in which some of these activities are
conducted, or the time it takes to do so. However possessing a profound
knowledge of the tradecraft and behaviors needed to execute the tactics
allows protective intelligence practitioners to respond to such changes
and even alter how they operate. Technology can also help the protective
intelligence forces in their mission. There are tools such as Trapwire
(what is trapwire? a quick phrase would help a reader who's not in the
know) that can be focused on critical areas and that can help law
enforcement and security forces cut through the fog of noise and
activity to help identify things like hostile surveillance occurring in
those critical areas identified by protective intelligence. These
technological tools can help turn the tables on the unknown *who* by
focusing on *the how*. They will likely never replace human observation
and experience, but they are valuable aids to human perception.

Of course protective intelligence does not have to be the sole
providence of the authorities. Corporate security managers and private
security contractors can also apply the principles to protecting the
people and facilities in their charge.

Keeping it Simple?

Al-Wuhayshi is right that it is not difficult to construct improvised
explosives from a wide range of household chemicals such as peroxide and
acetone or chlorine and brake fluid. He is also correct that some of
those explosive mixtures can be concealed in objects ranging from
electronic items to picture frames or can be employed in forms ranging
from hand grenades to suicide vests. Likewise, low-level attacks can
also be conducted using knives, clubs and guns.

However -- and this is an important however -- if a militant is going to
conduct such an attack against some of the targets al-Wuhayshi suggests,
such as an airports, a train, or a specific leader or media personality,
complexity creeps into the picture, and the attack planning cycle must
be followed. The prospective attacker must observe and quantify the
target, construct a plan to attack it and then execute that plan. It is
the demands of conducting this process that will cause even an attacker
previously unknown to the authorities to place himself in a position
where he is vulnerable to being identified. If the attacker does this
while there are people watching for him, he will likely be seen. If he
does this while there are no watchers, there is little chance that he
will become a *who* until after the attack has been completed.

Scott Stewart
Office: 814 967 4046
Cell: 814 573 8297

Mike Jeffers
Austin, Texas
Tel: 1-512-744-4077
Mobile: 1-512-934-0636