WikiLeaks logo
The Global Intelligence Files,
files released so far...

The Global Intelligence Files

The Global Intelligence Files

On Monday February 27th, 2012, WikiLeaks began publishing The Global Intelligence Files, over five million e-mails from the Texas headquartered "global intelligence" company Stratfor. The e-mails date between July 2004 and late December 2011. They reveal the inner workings of a company that fronts as an intelligence publisher, but provides confidential intelligence services to large corporations, such as Bhopal's Dow Chemical Co., Lockheed Martin, Northrop Grumman, Raytheon and government agencies, including the US Department of Homeland Security, the US Marines and the US Defence Intelligence Agency. The emails show Stratfor's web of informers, pay-off structure, payment laundering techniques and psychological methods.

Security Weekly : Counterterrorism: Shifting from 'Who' to 'How'

Released on 2012-08-09 18:00 GMT

Email-ID 1350587
Date 2009-11-04 21:50:38
Stratfor logo
Counterterrorism: Shifting from 'Who' to 'How'

November 4, 2009

Global Security and Intelligence Report

By Scott Stewart and Fred Burton

In the 11th edition of the online magazine Sada al-Malahim (The Echo of
Battle), which was released to jihadist Web sites last week, al Qaeda in
the Arabian Peninsula (AQAP) leader Nasir al-Wahayshi wrote an article
that called for jihadists to conduct simple attacks against a variety of
targets. The targets included "any tyrant, intelligence den, prince" or
"minister" (referring to the governments in the Muslim world like Egypt,
Saudi Arabia and Yemen), and "any crusaders whenever you find one of
them, like at the airports of the crusader Western countries that
participate in the wars against Islam, or their living compounds, trains
etc.," (an obvious reference to the United States and Europe and
Westerners living in Muslim countries).

Related Special Topic Pages
* Surveillance and Countersurveillance
* Terrorist Attack Cycle

Al-Wahayshi, an ethnic Yemeni who spent time in Afghanistan serving as a
lieutenant under Osama bin Laden, noted these simple attacks could be
conducted with readily available weapons such as knives, clubs or small
improvised explosive devices (IEDs). According to al-Wahayshi, jihadists
"don't need to conduct a big effort or spend a lot of money to
manufacture 10 grams of explosive material" and that they should not
"waste a long time finding the materials, because you can find all these
in your mother's kitchen, or readily at hand or in any city you are in."

That al-Wahayshi gave these instructions in an Internet magazine
distributed via jihadist chat rooms, not in some secret meeting with his
operational staff, demonstrates that they are clearly intended to reach
grassroots jihadists -- and are not intended as some sort of internal
guidance for AQAP members. In fact, al-Wahayshi was encouraging
grassroots jihadists to "do what Abu al-Khair did" referring to AQAP
member Abdullah Hassan Taleh al-Asiri, the Saudi suicide bomber who
attempted to kill Saudi Deputy Interior Minister Prince Mohammed bin
Nayef with a small IED on Aug. 28.

The most concerning aspect of al-Wahayshi's statement is that it is
largely true. Improvised explosive mixtures are in fact relatively easy
to make from readily available chemicals -- if a person has the proper
training -- and attacks using small IEDs or other readily attainable
weapons such as knives or clubs (or firearms in the United States) are
indeed quite simple to conduct.

As STRATFOR has noted for several years now, with al Qaeda's structure
under continual attack and no regional al Qaeda franchise groups in the
Western Hemisphere, the most pressing jihadist threat to the U.S.
homeland at present stems from grassroots jihadists, not the al Qaeda
core. This trend has been borne out by the large number of plots and
arrests over the past several years, to include several so far in 2009.
The grassroots have likewise proven to pose a critical threat to Europe
(although it is important to note that the threat posed by grassroots
operatives is more widespread, but normally involves smaller, less
strategic attacks than those conducted by the al Qaeda core).

From a counterterrorism perspective, the problem posed by grassroots
operatives is that unless they somehow self-identify by contacting a
government informant or another person who reports them to authorities,
attend a militant training camp, or conduct electronic correspondence
with a person or organization under government scrutiny, they are very
difficult to detect.

The threat posed by grassroots operatives, and the difficulty
identifying them, highlight the need for counterterrorism programs to
adopt a proactive, protective intelligence approach to the problem -- an
approach that focuses on "the how" of militant attacks instead of just
"the who."

The How

In the traditional, reactive approach to counterterrorism, where
authorities respond to a crime scene after a terrorist attack to find
and arrest the militants responsible for the attack, it is customary to
focus on the who, or on the individual or group behind the attack.
Indeed, in this approach, the only time much emphasis is placed on the
how is either in an effort to identify a suspect when an unknown actor
carried out the attack, or to prove that a particular suspect was
responsible for the attack during a trial. Beyond these limited
purposes, not much attention is paid to the how.

In large part, this focus on the who is a legacy of the fact that for
many years, the primary philosophy of the U.S. government was to treat
counterterrorism as a law-enforcement program, with a focus on
prosecution rather than on disrupting plots.

Certainly, catching and prosecuting those who commit terrorist attacks
is necessary, but from our perspective, preventing attacks is more
important, and prevention requires a proactive approach. To pursue such
a proactive approach to counterterrorism, the how becomes a critical
question. By studying and understanding how attacks are conducted --
i.e., the exact steps and actions required for a successful attack --
authorities can establish systems to proactively identify early
indicators that planning for an attack is under way. People involved in
planning the attack can then be focused on, identified, and action can
be taken prevent them from conducting the attack or attacks they are
plotting. This means that focusing on the how can lead to previously
unidentified suspects, e.g., those who do not self-identify.

"How was the attack conducted?" is the primary question addressed by
protective intelligence, which is, at its core, a process for
proactively identifying and assessing potential threats. Focusing on the
how, then, requires protective intelligence practitioners to carefully
study the tactics, tradecraft and behavior associated with militant
actors involved in terrorist attacks. This allows them to search for and
identify those behaviors before an attack takes place. Many of these
behaviors are not by themselves criminal in nature; visiting a public
building and observing security measures or standing on the street to
watch the arrival of a VIP at their office are not illegal, but they can
be indicators that an attack is being plotted. Such legal activities
ultimately could be overt actions in furtherance of an illegal
conspiracy to conduct the attack, but even where conspiracy cannot be
proved, steps can still be taken to identify possible assailants and
prevent a potential attack -- or at the very least, to mitigate the risk
posed by the people involved.

Protective intelligence is based on the fact that successful attacks
don't just happen out of the blue. Rather, terrorist attacks follow a
discernable attack cycle. There are critical points during that cycle
where a plot is most likely to be detected by an outside observer. Some
of the points during the attack cycle when potential attackers are most
vulnerable to detection are while surveillance is being conducted and
weapons are being acquired. However, there are other, less obvious
points where people on the lookout can spot preparations for an attack.

It is true that sometimes individuals do conduct ill-conceived, poorly
executed attacks that involve shortcuts in the planning process. But
this type of spur-of-the-moment attack is usually associated with
mentally disturbed individuals and it is extremely rare for a militant
actor to conduct a spontaneous terrorist attack without first following
the steps of the attack cycle.

To really understand the how, protective intelligence practitioners
cannot simply acknowledge that something like surveillance occurs.
Rather, they must turn a powerful lens on steps like preoperational
surveillance to gain an in-depth understanding of them. Dissecting an
activity like preoperational surveillance requires not only examining
subjects such as the demeanor demonstrated by those conducting
surveillance prior to an attack and the specific methods and cover for
action and status used. It also requires identifying particular times
where surveillance is most likely and certain optimal vantage points
(called perches in surveillance jargon) from where a surveillant is most
likely to operate when seeking to surveil a specific facility or event.
This type of complex understanding of surveillance can then be used to
help focus human or technological countersurveillance efforts where they
can be most effective.

Unfortunately, many counterterrorism investigators are so focused on the
who that they do not focus on collecting this type of granular how
information. When we have spoken with law enforcement officers
responsible for investigating recent grassroots plots, they gave us
blank stares in response to questions about how the suspects had
conducted surveillance on the intended targets. They simply had not paid
attention to this type of detail -- but this oversight is not really the
investigators' fault. No one had ever explained to them why paying
attention to, and recording, this type of detail was important.
Moreover, it takes specific training and a practiced eye to observe and
record these details without glossing over them. For example, it is
quite useful if a protective intelligence officer has first conducted a
lot of surveillance, because conducting surveillance allows one to
understand what a surveillant must do and where he must be in order to
effectively observe surveillance of a specific person or place.

Similarly, to truly understand the tradecraft required to build an IED
and the specific steps a militant needs to complete to do so, it helps
to go to an IED school where the investigator learns the tradecraft
firsthand. Militant actors can and do change over time. New groups,
causes and ideologies emerge, and specific militants can be killed,
captured or retire. But the tactical steps a militant must complete to
conduct a successful attack are constant. It doesn't matter if the
person planning an attack is a radical environmentalist, a grassroots
jihadist or a member of the al Qaeda core, for while these diverse
actors will exhibit different levels of professionalism in regard to
terrorist tradecraft, they still must follow essentially the same steps,
accomplish the same tasks and operate in the same areas. Knowing this
allows protective intelligence to guard against different levels of

Of course, tactics can be changed and perfected and new tactics can be
developed (often in response to changes in security and law enforcement
operations). Additionally, new technologies can emerge (like cell phones
and Google Earth) -- which can alter the way some of these activities
are conducted, or reduce the time it takes to complete them. Studying
the tradecraft and behaviors needed to execute evolving tactics,
however, allows protective intelligence practitioners to respond to such
changes and even alter how they operate in order to more effectively
search for potential hostile activity.

Technology does not only aid those seeking to conduct attacks. There are
a variety of new tools, such as Trapwire, a software system designed to
work with camera systems to help detect patterns of preoperational
surveillance, that can be focused on critical areas to help cut through
the fog of noise and activity and draw attention to potential threats.
These technological tools can help turn the tables on unknown plotters
because they are designed to focus on the how. They will likely never
replace human observation and experience, but they can serve as valuable
aids to human perception.

Of course, protective intelligence does not have to be the sole
responsibility of federal authorities specifically charged with
counterterrorism. Corporate security managers and private security
contractors should also apply these principles to protecting the people
and facilities in their charge, as should local and state police
agencies. In a world full of soft targets -- and limited resources to
protect those targets from attack -- the more eyes looking for such
activity the better. Even the general public has an important role to
play in practicing situational awareness and spotting potential
terrorist activity.

Keeping it Simple?

Al-Wahayshi is right that it is not difficult to construct improvised
explosives from a wide range of household chemicals like peroxide and
acetone or chlorine and brake fluid. He is also correct that some of
those explosive mixtures can be concealed in objects ranging from
electronic items to picture frames, or can be employed in forms ranging
from hand grenades to suicide vests. Likewise, low-level attacks can
also be conducted using knives, clubs and guns.

Furthermore, when grassroots jihadists plan and carry out attacks acting
as lone wolves or in small compartmentalized cells without inadvertently
betraying their mission by conspiring with people known to the
authorities, they are not able to be detected by the who-focused
systems, and it becomes far more difficult to discover and thwart these
plots. This focus on the how absolutely does not mean that who-centered
programs must be abandoned. Surveillance on known militants, their
associates and communications should continue, efforts to identify
people attending militant training camps or fighting in places like
Afghanistan or Somalia must be increased, and people who conduct
terrorist attacks should be identified and prosecuted.

However -- and this is an important however -- if an unknown militant is
going to conduct even a simple attack against some of the targets
al-Wahayshi suggests, such as an airport, train, or specific leader or
media personality, complexity creeps into the picture, and the planning
cycle must be followed if an attack is going to be successful. The
prospective attacker must observe and quantify the target, construct a
plan for the attack and then execute that plan. The demands of this
process will force even an attacker previously unknown to the
authorities into a position where he is vulnerable to discovery. If the
attacker does this while there are people watching for such activity, he
will likely be seen. But if he does this while there are no watchers,
there is little chance that he will become a who until after the attack
has been completed.

Tell STRATFOR What You Think

For Publication in Letters to STRATFOR

Not For Publication

This report may be forwarded or republished on your website with
attribution to
Terms of Use | Privacy Policy | Contact Us
(c) Copyright 2009 Stratfor. All rights reserved.