WikiLeaks logo
The Global Intelligence Files,
files released so far...

The Global Intelligence Files

The Global Intelligence Files

On Monday February 27th, 2012, WikiLeaks began publishing The Global Intelligence Files, over five million e-mails from the Texas headquartered "global intelligence" company Stratfor. The e-mails date between July 2004 and late December 2011. They reveal the inner workings of a company that fronts as an intelligence publisher, but provides confidential intelligence services to large corporations, such as Bhopal's Dow Chemical Co., Lockheed Martin, Northrop Grumman, Raytheon and government agencies, including the US Department of Homeland Security, the US Marines and the US Defence Intelligence Agency. The emails show Stratfor's web of informers, pay-off structure, payment laundering techniques and psychological methods.

Re: Counterterrorism: Shifting from the Who to the How

Released on 2012-08-09 18:00 GMT

Email-ID 1049005
Date 2009-11-03 23:02:32
i sort of see that. but by the time you're talking about journalists and
'like at airports' it sort of seems like he's talking about killing
westerners whenever whereever and however you can...

scott stewart wrote:

Um, well he kept the target set fairly confined. Tyrants, ministers,
princes, spooks, crusaders, journalists.....

It was the attackers and types of attacks he attempts to expand.


[] On Behalf Of Nate Hughes
Sent: Tuesday, November 03, 2009 4:38 PM
To: Analyst List
Subject: Re: Counterterrorism: Shifting from the Who to the How
one overall thought:

you're talking about anything from a coffee shop to a line at the DMV
being a potential target. While you suggest broader and more extensive
countersurveillance and ied training and awareness, that's really only
great in an ideal world. One of the most important things al-Wuhayshi
does here is expand the target set dramatically. You can't defend
everything, especially in this sort of scenario. While it may not be a
strategic threat, any police department can only really expand its
counter-surveillance capabilities and awareness so far. It can give some
basic classes to most of its officers, perhaps, but it cannot provide
extensive operational experience and training to many more officers than
it already does.

So you still have to make choices about what you defend, and what
al-Wuhayshi has done is run around that problem and attempted to make
everything at risk. One point is that you can't actually defend
everything -- and you can't attempt to dramatically expand protection
without altering how society functions.

So in the other sense, al-Wuhayshi just reminds us that we're all
vulnerable all the time, but a little individual situational awareness
can sometimes go a long way.

comments within.

Counterterrorism: Shifting from the Who to the How

In the eleventh edition of the online magazine [link ] Sada
al-Malahim (The Echo of Battle) which was released to jihadist Web
sites last week, the leader of al Qaeda in the Arabian Peninsula
(AQAP) [ link
] Nasir al-Wuhayshi, wrote an article in which he called for jihadists
to conduct simple attacks against a variety of targets. The targets he
mentioned included "any tyrant, intelligence den, prince," or
"minister" (referring to the governments in the Muslim world like
Egypt, Saudi Arabia and Yemen), and "any crusaders whenever you find
one of them, like at the airports of the crusader western countries
that participate in the wars against Muslim, or their living
compounds, trains etc." (obviously referring to the U.S. and Europe.
plenty of infidel housing compounds in the ME -- especially KSA, yes?)

Al-Wuhayshi, an ethnic Yemeni who spent time in Afghanistan serving as
a lieutenant under Osama Bin Laden, noted these simple attacks could
be conducted using readily available weapons, such as knives, clubs or
small improvised explosive devices (IEDs). According to al-Wuhayshi,
jihadists "don't need to conduct a big effort or spend a lot of money
to manufacture 10 grams of explosive material more or less" and that
they should not "waste a long time finding the materials, because you
can find all these in your mother's kitchen, or at your hand or in any
city you are in."

The fact that these instructions were given by al-Wuhayshi in an
internet magazine distributed via jihadist chat rooms and not some
secret meeting with his operational staff demonstrates that they are
clearly intended to reach [link ]
grassroots jihadists - and are not intended just as internal guidance
for AQAP members. Al- Wuhayshi was encouraging grassroots jihadists to
"do what Abu al-Khair did" referring to [link
] AQAP member Abdullah Hassan Taleh al-Asiri, the Saudi suicide bomber
who attempted to kill Saudi Deputy Interior Minister Prince Mohammed
bin Nayef with a small IED on August 28, 2009.

The most concerning aspect of al-Wuhayshi's statement is that it is
largely true. Improvised explosive mixtures are relatively easy to
make from readily available chemicals -- if a person has the proper
training -- and attacks using small IEDs or other readily attainable
weapons such as knives or clubs [link ] (or
firearms in the U.S.) are indeed quite simple to conduct.

even by amateurs (and indeed, targeting diffuse and non-descript soft
targets with little pre-operational surveillance leaves little room
for detection)

As STRATFOR has [link ] noted
for several years now, with al Qaeda's structure under continual
attack and no regional al Qaeda franchise groups in the Western
Hemisphere, the most pressing jihadist threat to the U.S. homeland at
present stems from grassroots jihadists and not the al Qaeda core.
This trend has been borne out by the large number of plots and arrests
over the past several years, to include several so far in 2009. The
grassroots have likewise proven to pose a critical threat to Europe.

From a counterterrorism perspective, the problem posed by grassroots
operatives is that unless they somehow self-identify [link
] by contacting a government informant or other person who reports
them to authorities, or they [link ]
conduct electronic correspondence with a person or organization under
government scrutiny, they are very difficult to detect.

The threat posed by grassroots operatives, and the difficulty
identifying them, highlight the need for counterterrorism programs to
adopt a proactive, protective intelligence approach to the problem --
an approach that focuses on "the how" of militant attacks instead of
just "the who".

the saving grace of these grassroots operatives is that their
capability and resources are far more limited. though they may aspire
to more advanced attacks like coordinated highjackings of airliners
and can certainly get lucky and cause damage, they are far more likely
than trained, experienced and hardened operatives to get caught,
blunder or otherwise fail when attempting to reach beyond their
training (which they have none) and capability. Maybe cite richard
reade's shoe bombing fiasco?

The How

In the traditional, reactive, approach to counterterrorism, where
authorities respond to a crime scene after a terrorist attack in order
to find and arrest the militants responsible for the attack, it is
customary to focus on "the who" behind the attack. Indeed, in this
traditional approach, the only time much emphasis is placed on "the
how" is either in an effort to identify a suspect when the attack was
conducted by an unknown actor, or to prove that a particular suspect
was responsible for the attack during a trial. Beyond these limited
purposes, not much attention is paid to "the how."

Now, catching and prosecuting those who commit terrorist attacks is a
good thing, but from our perspective what is even more important is
preventing the attack in the first place, and prevention requires a
proactive approach. In order to pursue such a proactive approach to
counterterrorism, "the how" becomes the critical question. By studying
and understanding how attacks are conducted, authorities can then
establish systems to proactively identify early indicators that attack
planning is occurring. People involved in that attack planning can
then be focused on, identified, and action can be taken prevent them
from conducting the attack(s) they are plotting. This means that
focusing on "the how" can lead to previously unidentified suspects -
those who do not self-identify.

How is the primary question addressed by [link

] protective intelligence, which is, at its core, a process for
proactively identifying and assessing potential threats. Focusing on
"the how" then, requires protective intelligence practitioners to
carefully study the tactics, tradecraft and behavior associated with
militant actors involved in terrorist attacks in order to search for
and identify those behaviors before an attack takes place. Many of
these behaviors are not by themselves criminal in nature, visiting a
public building and observing the security measures or standing on the
street to watch the arrival of a VIP at her office are not illegal,
but they can be indicators that an attack is being plotted, and in the
grand scheme of things those legal activities could turn out to be
overt actions in furtherance of an illegal conspiracy to conduct the
attack - but even in a case where a conspiracy cannot be proves, steps
can be still taken to prevent a potential attack and to mitigate the
risk posed by the people involved.

Protective intelligence is based on the fact that attacks don't just
happen out of the blue. well, some illconceived ones happen with
almost no pre-op surveillance. need to mention that they do happen.
Pre-op surveillance/intel and general sit. awareness doesn't get you
everything, but done well it can significantly reduce attacks that
actually are carried out and their success, right? Rather, every
terrorist attack follows a [link ] discernable
attack cycle, and there are critical points in that cycle where a plot
is most likely to be detected by an outside observer and the critical
activity that happens at these points can then be looked for. Among
the most vulnerable times of in the attack cycle are while
surveillance is being conducted and weapons are being acquired, but
there are other, less obvious points where such activity can be
spotted by someone who is looking for it.

In order to really understand "the how", protective intelligence
practitioners cannot just simply acknowledge that something like
surveillance occurs. Rather they must turn a powerful lens on topics
like pre-operational surveillance in order to study them at a granular
level so that it can be studied and fully understood. Dissecting an
activity like [link ]
preoperational surveillance requires not only examining subjects such
as the demeanor demonstrated by those conducting surveillance prior to
an attack and the specific methods [link ] and cover
for action and cover for status utilized, but identifying certain
times where surveillance is most likely to happen and certain optimal
vantage points (called perches in surveillance jargon) where a
surveillant is most likely to operate from, if he is seeking to
surveil a specific facility or event. This type of complex
understanding of the topic of surveillance can then be used to help
focus human or technological countersurveillance efforts to where they
can be most effective.

Unfortunately, many counterterrorism investigators are so focused on
"the who" that they do not focus on collecting this type of granular
"how" information. We have talked to law enforcement officers
responsible for investigating some recent grassroots plots, and when
asked to describe specifically how the suspects had conducted
surveillance on the intended targets, we were met with blank stares.
They simply had not paid attention to this type of detail. But this is
not really the fault of these investigators. Nobody had ever explained
to them why paying attention to and recording this type of detail was
important. Additionally, it takes specific training and a practiced
eye to pick out these details without glossing over them. For example,
one must first conduct a lot of surveillance in order to become a
first-rate countersurveillance officer. The experience of conducting
surveillance allows you to understand what a surveillant must do and
where he must be in order to conduct surveillance of a specific person
or place.

Similarly, in order to truly understand the tradecraft required to
build an IED and the specific steps that a militant needs to complete
in order to do so, it helps to go to an IED school where the
investigator learns the tradecraft firsthand. Militant actors can and
do change over time. New groups, causes and ideologies emerge, and
specific militants can be killed, captured or retire. But the tactical
steps that a militant must complete in order to conduct an attack are
constant. It doesn't matter if the person planning an attack is a
radical environmentalist, a grassroots jihadist or a member of the al
Qaeda core, while these diverse actors will exhibit different levels
of professionalism in regard to terrorist tradecraft, they still must
follow essentially the same steps, accomplish the same tasks and
operate in the same areas. Knowing this allows protective
intelligence to guard against different levels of threats.

Of course tactics can be change and be perfected and new tactics can
be developed -- and technology can emerge (like cell phones and Google
earth) -- which can alter the way in which some of these activities
are conducted, or the time it takes to do so. However possessing a
profound knowledge of the tradecraft and behaviors needed to execute
the tactics allows protective intelligence practitioners to respond to
such changes and even alter how they operate. Technology can also help
the protective intelligence forces in their mission. There are tools
such as Trapwire that can be focused on critical areas and that can
help law enforcement and security forces cut through the fog of noise
and activity to help identify things like hostile surveillance
occurring in those critical areas identified by protective
intelligence. These technological tools can help turn the tables on
the unknown "who" by focusing on "the how". They will likely never
replace human observation and experience, but they are valuable aids
to human perception.

Of course protective intelligence does not have to be the sole
providence of the authorities. Corporate security managers and private
security contractors can also apply the principles to protecting the
people and facilities in their charge.

Keeping it Simple?

Al-Wuhayshi is right that it is not difficult to construct improvised
explosives from a wide range of household chemicals such as peroxide
and acetone or chlorine and brake fluid. He is also correct that some
of those explosive mixtures can be concealed in objects ranging from
electronic items to picture frames or can be employed in forms ranging
from hand grenades to suicide vests. Likewise, low-level attacks can
also be conducted using knives, clubs and guns.

However -- and this is an important however -- if a militant is going
to conduct such an attack against some of the targets al-Wuhayshi
suggests, such as an airports, a train, or a specific leader or media
personality, complexity creeps into the picture, and the attack
planning cycle must be followed. The prospective attacker must observe
and quantify the target, construct a plan to attack it and then
execute that plan. It is the demands of conducting this process that
will cause even an attacker previously unknown to the authorities to
place himself in a position where he is vulnerable to being
identified. If the attacker does this while there are people watching
for him, he will likely be seen. If he does this while there are no
watchers, there is little chance that he will become a "who" until
after the attack has been completed.

Scott Stewart
Office: 814 967 4046
Cell: 814 573 8297