WikiLeaks logo
The Global Intelligence Files,
files released so far...

The Global Intelligence Files

The Global Intelligence Files

On Monday February 27th, 2012, WikiLeaks began publishing The Global Intelligence Files, over five million e-mails from the Texas headquartered "global intelligence" company Stratfor. The e-mails date between July 2004 and late December 2011. They reveal the inner workings of a company that fronts as an intelligence publisher, but provides confidential intelligence services to large corporations, such as Bhopal's Dow Chemical Co., Lockheed Martin, Northrop Grumman, Raytheon and government agencies, including the US Department of Homeland Security, the US Marines and the US Defence Intelligence Agency. The emails show Stratfor's web of informers, pay-off structure, payment laundering techniques and psychological methods.

RE: Counterterrorism: Shifting from 'Who' to 'How'

Released on 2012-08-09 18:00 GMT

Email-ID 376889
Date 2009-11-05 01:46:25
Appreciate the update Fred. Thanks and all the best. Hope the new book is
working out
for you. Steve

Very respectfully,

Steve Musgrove

> From:
> To:
> Subject: Counterterrorism: Shifting from 'Who' to 'How'
> Date: Wed, 4 Nov 2009 16:57:03 -0600
> By Scott Stewart and Fred Burton
> In the 11th edition of the online magazine Sada al-Malahim (The Echo of
> Battle), which was released to jihadist Web sites last week, al Qaeda in
> Arabian Peninsula (AQAP) leader Nasir al-Wahayshi wrote an article that
> called for jihadists to conduct simple attacks against a variety of
> The targets included "any tyrant, intelligence den, prince" or
> (referring to the governments in the Muslim world like Egypt, Saudi
> and Yemen), and "any crusaders whenever you find one of them, like at
> airports of the crusader Western countries that participate in the wars
> against Islam, or their living compounds, trains etc.," (an obvious
> reference to the United States and Europe and Westerners living in
> countries).
> Al-Wahayshi, an ethnic Yemeni who spent time in Afghanistan serving as a
> lieutenant under Osama bin Laden, noted these simple attacks could be
> conducted with readily available weapons such as knives, clubs or small
> improvised explosive devices (IEDs). According to al-Wahayshi, jihadists
> "don't need to conduct a big effort or spend a lot of money to
> 10 grams of explosive material" and that they should not "waste a long
> finding the materials, because you can find all these in your mother's
> kitchen, or readily at hand or in any city you are in."
> That al-Wahayshi gave these instructions in an Internet magazine
> via jihadist chat rooms, not in some secret meeting with his operational
> staff, demonstrates that they are clearly intended to reach grassroots
> jihadists -- and are not intended as some sort of internal guidance for
> members. In fact, al-Wahayshi was encouraging grassroots jihadists to
> what Abu al-Khair did" referring to AQAP member Abdullah Hassan Taleh
> al-Asiri, the Saudi suicide bomber who attempted to kill Saudi Deputy
> Interior Minister Prince Mohammed bin Nayef with a small IED on Aug. 28.
> The most concerning aspect of al-Wahayshi's statement is that it is
> true. Improvised explosive mixtures are in fact relatively easy to make
> readily available chemicals -- if a person has the proper training --
> attacks using small IEDs or other readily attainable weapons such as
> or clubs (or firearms in the United States) are indeed quite simple to
> conduct.
> As STRATFOR has noted for several years now, with al Qaeda's structure
> continual attack and no regional al Qaeda franchise groups in the
> Hemisphere, the most pressing jihadist threat to the U.S. homeland at
> present stems from grassroots jihadists, not the al Qaeda core. This
> has been borne out by the large number of plots and arrests over the
> several years, to include several so far in 2009. The grassroots have
> likewise proven to pose a critical threat to Europe (although it is
> important to note that the threat posed by grassroots operatives is more
> widespread, but normally involves smaller, less strategic attacks than
> conducted by the al Qaeda core).
> From a counterterrorism perspective, the problem posed by grassroots
> operatives is that unless they somehow self-identify by contacting a
> government informant or another person who reports them to authorities,
> attend a militant training camp, or conduct electronic correspondence
with a
> person or organization under government scrutiny, they are very
difficult to
> detect.
> The threat posed by grassroots operatives, and the difficulty
> them, highlight the need for counterterrorism programs to adopt a
> protective intelligence approach to the problem -- an approach that
> on "the how" of militant attacks instead of just "the who."
> The How
> In the traditional, reactive approach to counterterrorism, where
> respond to a crime scene after a terrorist attack to find and arrest the
> militants responsible for the attack, it is customary to focus on the
> or on the individual or group behind the attack. Indeed, in this
> the only time much emphasis is placed on the how is either in an effort
> identify a suspect when an unknown actor carried out the attack, or to
> that a particular suspect was responsible for the attack during a trial.
> Beyond these limited purposes, not much attention is paid to the how.
> In large part, this focus on the who is a legacy of the fact that for
> years, the primary philosophy of the U.S. government was to treat
> counterterrorism as a law-enforcement program, with a focus on
> rather than on disrupting plots.
> Certainly, catching and prosecuting those who commit terrorist attacks
> necessary, but from our perspective, preventing attacks is more
> and prevention requires a proactive approach. To pursue such a proactive
> approach to counterterrorism, the how becomes a critical question. By
> studying and understanding how attacks are conducted -- i.e., the exact
> steps and actions required for a successful attack -- authorities can
> establish systems to proactively identify early indicators that planning
> an attack is under way. People involved in planning the attack can then
> focused on, identified, and action can be taken prevent them from
> the attack or attacks they are plotting. This means that focusing on the
> can lead to previously unidentified suspects, e.g., those who do not
> self-identify.
> "How was the attack conducted?" is the primary question addressed by
> protective intelligence, which is, at its core, a process for
> identifying and assessing potential threats. Focusing on the how, then,
> requires protective intelligence practitioners to carefully study the
> tactics, tradecraft and behavior associated with militant actors
involved in
> terrorist attacks. This allows them to search for and identify those
> behaviors before an attack takes place. Many of these behaviors are not
> themselves criminal in nature; visiting a public building and observing
> security measures or standing on the street to watch the arrival of a
VIP at
> their office are not illegal, but they can be indicators that an attack
> being plotted. Such legal activities ultimately could be overt actions
> furtherance of an illegal conspiracy to conduct the attack, but even
> conspiracy cannot be proved, steps can still be taken to identify
> assailants and prevent a potential attack -- or at the very least, to
> mitigate the risk posed by the people involved.
> Protective intelligence is based on the fact that successful attacks
> just happen out of the blue. Rather, terrorist attacks follow a
> attack cycle. There are critical points during that cycle where a plot
> most likely to be detected by an outside observer. Some of the points
> the attack cycle when potential attackers are most vulnerable to
> are while surveillance is being conducted and weapons are being
> However, there are other, less obvious points where people on the
> can spot preparations for an attack.
> It is true that sometimes individuals do conduct ill-conceived, poorly
> executed attacks that involve shortcuts in the planning process. But
> type of spur-of-the-moment attack is usually associated with mentally
> disturbed individuals and it is extremely rare for a militant actor to
> conduct a spontaneous terrorist attack without first following the steps
> the attack cycle.
> To really understand the how, protective intelligence practitioners
> simply acknowledge that something like surveillance occurs. Rather, they
> must turn a powerful lens on steps like preoperational surveillance to
> an in-depth understanding of them. Dissecting an activity like
> preoperational surveillance requires not only examining subjects such as
> demeanor demonstrated by those conducting surveillance prior to an
> and the specific methods and cover for action and status used. It also
> requires identifying particular times where surveillance is most likely
> certain optimal vantage points (called perches in surveillance jargon)
> where a surveillant is most likely to operate when seeking to surveil a
> specific facility or event. This type of complex understanding of
> surveillance can then be used to help focus human or technological
> countersurveillance efforts where they can be most effective.
> Unfortunately, many counterterrorism investigators are so focused on the
> that they do not focus on collecting this type of granular how
> When we have spoken with law enforcement officers responsible for
> investigating recent grassroots plots, they gave us blank stares in
> to questions about how the suspects had conducted surveillance on the
> intended targets. They simply had not paid attention to this type of
> -- but this oversight is not really the investigators' fault. No one had
> ever explained to them why paying attention to, and recording, this type
> detail was important. Moreover, it takes specific training and a
> eye to observe and record these details without glossing over them. For
> example, it is quite useful if a protective intelligence officer has
> conducted a lot of surveillance, because conducting surveillance allows
> to understand what a surveillant must do and where he must be in order
> effectively observe surveillance of a specific person or place.
> Similarly, to truly understand the tradecraft required to build an IED
> the specific steps a militant needs to complete to do so, it helps to go
> an IED school where the investigator learns the tradecraft firsthand.
> Militant actors can and do change over time. New groups, causes and
> ideologies emerge, and specific militants can be killed, captured or
> But the tactical steps a militant must complete to conduct a successful
> attack are constant. It doesn't matter if the person planning an attack
is a
> radical environmentalist, a grassroots jihadist or a member of the al
> core, for while these diverse actors will exhibit different levels of
> professionalism in regard to terrorist tradecraft, they still must
> essentially the same steps, accomplish the same tasks and operate in the
> same areas. Knowing this allows protective intelligence to guard against
> different levels of threats.
> Of course, tactics can be changed and perfected and new tactics can be
> developed (often in response to changes in security and law enforcement
> operations). Additionally, new technologies can emerge (like cell phones
> Google Earth) -- which can alter the way some of these activities are
> conducted, or reduce the time it takes to complete them. Studying the
> tradecraft and behaviors needed to execute evolving tactics, however,
> protective intelligence practitioners to respond to such changes and
> alter how they operate in order to more effectively search for potential
> hostile activity.
> Technology does not only aid those seeking to conduct attacks. There are
> variety of new tools, such as Trapwire, a software system designed to
> with camera systems to help detect patterns of preoperational
> that can be focused on critical areas to help cut through the fog of
> and activity and draw attention to potential threats. These
> tools can help turn the tables on unknown plotters because they are
> to focus on the how. They will likely never replace human observation
> experience, but they can serve as valuable aids to human perception.
> Of course, protective intelligence does not have to be the sole
> responsibility of federal authorities specifically charged with
> counterterrorism. Corporate security managers and private security
> contractors should also apply these principles to protecting the people
> facilities in their charge, as should local and state police agencies.
In a
> world full of soft targets -- and limited resources to protect those
> from attack -- the more eyes looking for such activity the better. Even
> general public has an important role to play in practicing situational
> awareness and spotting potential terrorist activity.
> Keeping it Simple?
> Al-Wahayshi is right that it is not difficult to construct improvised
> explosives from a wide range of household chemicals like peroxide and
> acetone or chlorine and brake fluid. He is also correct that some of
> explosive mixtures can be concealed in objects ranging from electronic
> to picture frames, or can be employed in forms ranging from hand
grenades to
> suicide vests. Likewise, low-level attacks can also be conducted using
> knives, clubs and guns.
> Furthermore, when grassroots jihadists plan and carry out attacks acting
> lone wolves or in small compartmentalized cells without inadvertently
> betraying their mission by conspiring with people known to the
> they are not able to be detected by the who-focused systems, and it
> far more difficult to discover and thwart these plots. This focus on the
> absolutely does not mean that who-centered programs must be abandoned.
> Surveillance on known militants, their associates and communications
> continue, efforts to identify people attending militant training camps
> fighting in places like Afghanistan or Somalia must be increased, and
> who conduct terrorist attacks should be identified and prosecuted.
> However -- and this is an important however -- if an unknown militant is
> going to conduct even a simple attack against some of the targets
> al-Wahayshi suggests, such as an airport, train, or specific leader or
> personality, complexity creeps into the picture, and the planning cycle
> be followed if an attack is going to be successful. The prospective
> must observe and quantify the target, construct a plan for the attack
> then execute that plan. The demands of this process will force even an
> attacker previously unknown to the authorities into a position where he
> vulnerable to discovery. If the attacker does this while there are
> watching for such activity, he will likely be seen. But if he does this
> while there are no watchers, there is little chance that he will become
> who until after the attack has been completed.
> This report may be forwarded or republished on your website with
> to
> Copyright 2009 Stratfor.


Hotmail: Trusted email with powerful SPAM protection. Sign up now.