WikiLeaks logo
The Global Intelligence Files,
files released so far...

The Global Intelligence Files

The Global Intelligence Files

On Monday February 27th, 2012, WikiLeaks began publishing The Global Intelligence Files, over five million e-mails from the Texas headquartered "global intelligence" company Stratfor. The e-mails date between July 2004 and late December 2011. They reveal the inner workings of a company that fronts as an intelligence publisher, but provides confidential intelligence services to large corporations, such as Bhopal's Dow Chemical Co., Lockheed Martin, Northrop Grumman, Raytheon and government agencies, including the US Department of Homeland Security, the US Marines and the US Defence Intelligence Agency. The emails show Stratfor's web of informers, pay-off structure, payment laundering techniques and psychological methods.

Re: Counterterrorism: Shifting from the Who to the How

Released on 2012-08-09 18:00 GMT

Email-ID 1038864
Date 2009-11-03 22:38:14
one overall thought:

you're talking about anything from a coffee shop to a line at the DMV
being a potential target. While you suggest broader and more extensive
countersurveillance and ied training and awareness, that's really only
great in an ideal world. One of the most important things al-Wuhayshi does
here is expand the target set dramatically. You can't defend everything,
especially in this sort of scenario. While it may not be a strategic
threat, any police department can only really expand its
counter-surveillance capabilities and awareness so far. It can give some
basic classes to most of its officers, perhaps, but it cannot provide
extensive operational experience and training to many more officers than
it already does.

So you still have to make choices about what you defend, and what
al-Wuhayshi has done is run around that problem and attempted to make
everything at risk. One point is that you can't actually defend everything
-- and you can't attempt to dramatically expand protection without
altering how society functions.

So in the other sense, al-Wuhayshi just reminds us that we're all
vulnerable all the time, but a little individual situational awareness can
sometimes go a long way.

comments within.

Counterterrorism: Shifting from the Who to the How

In the eleventh edition of the online magazine [link ] Sada
al-Malahim (The Echo of Battle) which was released to jihadist Web sites
last week, the leader of al Qaeda in the Arabian Peninsula (AQAP) [ link
] Nasir al-Wuhayshi, wrote an article in which he called for jihadists
to conduct simple attacks against a variety of targets. The targets he
mentioned included "any tyrant, intelligence den, prince," or "minister"
(referring to the governments in the Muslim world like Egypt, Saudi
Arabia and Yemen), and "any crusaders whenever you find one of them,
like at the airports of the crusader western countries that participate
in the wars against Muslim, or their living compounds, trains etc."
(obviously referring to the U.S. and Europe. plenty of infidel housing
compounds in the ME -- especially KSA, yes?)

Al-Wuhayshi, an ethnic Yemeni who spent time in Afghanistan serving as a
lieutenant under Osama Bin Laden, noted these simple attacks could be
conducted using readily available weapons, such as knives, clubs or
small improvised explosive devices (IEDs). According to al-Wuhayshi,
jihadists "don't need to conduct a big effort or spend a lot of money to
manufacture 10 grams of explosive material more or less" and that they
should not "waste a long time finding the materials, because you can
find all these in your mother's kitchen, or at your hand or in any city
you are in."

The fact that these instructions were given by al-Wuhayshi in an
internet magazine distributed via jihadist chat rooms and not some
secret meeting with his operational staff demonstrates that they are
clearly intended to reach [link ]
grassroots jihadists - and are not intended just as internal guidance
for AQAP members. Al- Wuhayshi was encouraging grassroots jihadists to
"do what Abu al-Khair did" referring to [link
] AQAP member Abdullah Hassan Taleh al-Asiri, the Saudi suicide bomber
who attempted to kill Saudi Deputy Interior Minister Prince Mohammed bin
Nayef with a small IED on August 28, 2009.

The most concerning aspect of al-Wuhayshi's statement is that it is
largely true. Improvised explosive mixtures are relatively easy to make
from readily available chemicals -- if a person has the proper training
-- and attacks using small IEDs or other readily attainable weapons such
as knives or clubs [link ] (or firearms
in the U.S.) are indeed quite simple to conduct.

even by amateurs (and indeed, targeting diffuse and non-descript soft
targets with little pre-operational surveillance leaves little room for

As STRATFOR has [link ] noted for
several years now, with al Qaeda's structure under continual attack and
no regional al Qaeda franchise groups in the Western Hemisphere, the
most pressing jihadist threat to the U.S. homeland at present stems from
grassroots jihadists and not the al Qaeda core. This trend has been
borne out by the large number of plots and arrests over the past several
years, to include several so far in 2009. The grassroots have likewise
proven to pose a critical threat to Europe.

From a counterterrorism perspective, the problem posed by grassroots
operatives is that unless they somehow self-identify [link
] by contacting a government informant or other person who reports them
to authorities, or they [link ]
conduct electronic correspondence with a person or organization under
government scrutiny, they are very difficult to detect.

The threat posed by grassroots operatives, and the difficulty
identifying them, highlight the need for counterterrorism programs to
adopt a proactive, protective intelligence approach to the problem -- an
approach that focuses on "the how" of militant attacks instead of just
"the who".

the saving grace of these grassroots operatives is that their capability
and resources are far more limited. though they may aspire to more
advanced attacks like coordinated highjackings of airliners and can
certainly get lucky and cause damage, they are far more likely than
trained, experienced and hardened operatives to get caught, blunder or
otherwise fail when attempting to reach beyond their training (which
they have none) and capability. Maybe cite richard reade's shoe bombing

The How

In the traditional, reactive, approach to counterterrorism, where
authorities respond to a crime scene after a terrorist attack in order
to find and arrest the militants responsible for the attack, it is
customary to focus on "the who" behind the attack. Indeed, in this
traditional approach, the only time much emphasis is placed on "the how"
is either in an effort to identify a suspect when the attack was
conducted by an unknown actor, or to prove that a particular suspect was
responsible for the attack during a trial. Beyond these limited
purposes, not much attention is paid to "the how."

Now, catching and prosecuting those who commit terrorist attacks is a
good thing, but from our perspective what is even more important is
preventing the attack in the first place, and prevention requires a
proactive approach. In order to pursue such a proactive approach to
counterterrorism, "the how" becomes the critical question. By studying
and understanding how attacks are conducted, authorities can then
establish systems to proactively identify early indicators that attack
planning is occurring. People involved in that attack planning can then
be focused on, identified, and action can be taken prevent them from
conducting the attack(s) they are plotting. This means that focusing on
"the how" can lead to previously unidentified suspects - those who do
not self-identify.

How is the primary question addressed by [link

] protective intelligence, which is, at its core, a process for
proactively identifying and assessing potential threats. Focusing on
"the how" then, requires protective intelligence practitioners to
carefully study the tactics, tradecraft and behavior associated with
militant actors involved in terrorist attacks in order to search for and
identify those behaviors before an attack takes place. Many of these
behaviors are not by themselves criminal in nature, visiting a public
building and observing the security measures or standing on the street
to watch the arrival of a VIP at her office are not illegal, but they
can be indicators that an attack is being plotted, and in the grand
scheme of things those legal activities could turn out to be overt
actions in furtherance of an illegal conspiracy to conduct the attack -
but even in a case where a conspiracy cannot be proves, steps can be
still taken to prevent a potential attack and to mitigate the risk posed
by the people involved.

Protective intelligence is based on the fact that attacks don't just
happen out of the blue. well, some illconceived ones happen with almost
no pre-op surveillance. need to mention that they do happen. Pre-op
surveillance/intel and general sit. awareness doesn't get you
everything, but done well it can significantly reduce attacks that
actually are carried out and their success, right? Rather, every
terrorist attack follows a [link ] discernable
attack cycle, and there are critical points in that cycle where a plot
is most likely to be detected by an outside observer and the critical
activity that happens at these points can then be looked for. Among the
most vulnerable times of in the attack cycle are while surveillance is
being conducted and weapons are being acquired, but there are other,
less obvious points where such activity can be spotted by someone who is
looking for it.

In order to really understand "the how", protective intelligence
practitioners cannot just simply acknowledge that something like
surveillance occurs. Rather they must turn a powerful lens on topics
like pre-operational surveillance in order to study them at a granular
level so that it can be studied and fully understood. Dissecting an
activity like [link ]
preoperational surveillance requires not only examining subjects such as
the demeanor demonstrated by those conducting surveillance prior to an
attack and the specific methods [link ] and cover
for action and cover for status utilized, but identifying certain times
where surveillance is most likely to happen and certain optimal vantage
points (called perches in surveillance jargon) where a surveillant is
most likely to operate from, if he is seeking to surveil a specific
facility or event. This type of complex understanding of the topic of
surveillance can then be used to help focus human or technological
countersurveillance efforts to where they can be most effective.

Unfortunately, many counterterrorism investigators are so focused on
"the who" that they do not focus on collecting this type of granular
"how" information. We have talked to law enforcement officers
responsible for investigating some recent grassroots plots, and when
asked to describe specifically how the suspects had conducted
surveillance on the intended targets, we were met with blank stares.
They simply had not paid attention to this type of detail. But this is
not really the fault of these investigators. Nobody had ever explained
to them why paying attention to and recording this type of detail was
important. Additionally, it takes specific training and a practiced eye
to pick out these details without glossing over them. For example, one
must first conduct a lot of surveillance in order to become a first-rate
countersurveillance officer. The experience of conducting surveillance
allows you to understand what a surveillant must do and where he must be
in order to conduct surveillance of a specific person or place.

Similarly, in order to truly understand the tradecraft required to build
an IED and the specific steps that a militant needs to complete in order
to do so, it helps to go to an IED school where the investigator learns
the tradecraft firsthand. Militant actors can and do change over time.
New groups, causes and ideologies emerge, and specific militants can be
killed, captured or retire. But the tactical steps that a militant must
complete in order to conduct an attack are constant. It doesn't matter
if the person planning an attack is a radical environmentalist, a
grassroots jihadist or a member of the al Qaeda core, while these
diverse actors will exhibit different levels of professionalism in
regard to terrorist tradecraft, they still must follow essentially the
same steps, accomplish the same tasks and operate in the same areas.
Knowing this allows protective intelligence to guard against different
levels of threats.

Of course tactics can be change and be perfected and new tactics can be
developed -- and technology can emerge (like cell phones and Google
earth) -- which can alter the way in which some of these activities are
conducted, or the time it takes to do so. However possessing a profound
knowledge of the tradecraft and behaviors needed to execute the tactics
allows protective intelligence practitioners to respond to such changes
and even alter how they operate. Technology can also help the protective
intelligence forces in their mission. There are tools such as Trapwire
that can be focused on critical areas and that can help law enforcement
and security forces cut through the fog of noise and activity to help
identify things like hostile surveillance occurring in those critical
areas identified by protective intelligence. These technological tools
can help turn the tables on the unknown "who" by focusing on "the how".
They will likely never replace human observation and experience, but
they are valuable aids to human perception.

Of course protective intelligence does not have to be the sole
providence of the authorities. Corporate security managers and private
security contractors can also apply the principles to protecting the
people and facilities in their charge.

Keeping it Simple?

Al-Wuhayshi is right that it is not difficult to construct improvised
explosives from a wide range of household chemicals such as peroxide and
acetone or chlorine and brake fluid. He is also correct that some of
those explosive mixtures can be concealed in objects ranging from
electronic items to picture frames or can be employed in forms ranging
from hand grenades to suicide vests. Likewise, low-level attacks can
also be conducted using knives, clubs and guns.

However -- and this is an important however -- if a militant is going to
conduct such an attack against some of the targets al-Wuhayshi suggests,
such as an airports, a train, or a specific leader or media personality,
complexity creeps into the picture, and the attack planning cycle must
be followed. The prospective attacker must observe and quantify the
target, construct a plan to attack it and then execute that plan. It is
the demands of conducting this process that will cause even an attacker
previously unknown to the authorities to place himself in a position
where he is vulnerable to being identified. If the attacker does this
while there are people watching for him, he will likely be seen. If he
does this while there are no watchers, there is little chance that he
will become a "who" until after the attack has been completed.

Scott Stewart
Office: 814 967 4046
Cell: 814 573 8297