Análisis Security Weekly, 10.09.2015 Scott Stewart
Last week's Security Weekly discussed how the digital revolution has allowed terrorist operatives employing leaderless resistance methods to act as their own media. For groups such as al Qaeda and the Islamic State, this ability greatly enhances the effectiveness of propaganda. At the same time, however, the information disseminated benefits authorities by providing valuable insight into the planning and execution of attacks.
Three weeks ago I countered the misconception that leaderless resistance always means that assailants act alone. Terrorists can also organize small cells, which can prove more dangerous than individual attackers. Unlike lone wolves, the members of these cells can combine their skills and resources to launch more effective attacks, although operational security becomes more difficult.
Building on these two themes, this week I will focus on how operatives carry out attacks. This is key — understanding the process can help authorities identify operatives not directly connected to a terrorist organization who would otherwise go unnoticed.
The Terrorist Attack Cycle
Counterterrorism agencies and programs are very good at targeting known groups and individuals — this is what they were designed to do. But they struggle with the ambiguity of leaderless resistance. This is, of course, why the jihadist movement and others have adopted this strategy.
Authorities have had their successes. There have been numerous cases in which these actors, practicing poor operational security, have reached out to outsiders (most often a government informant) to seek help conducting an attack. In other instances, they have even identified themselves on social media. These amateurish mistakes have made these particular operatives easy pickings for investigators, but more skilled operatives have shown themselves adept at hiding in the murky ambiguity of society. These are often identified too late, only after they have conducted an attack.
These more sophisticated grassroots operatives know how to operate under the radar, but this does not mean they are not vulnerable. This is because regardless of ideology or operational model, anyone planning a terrorist attack must follow the steps of the terrorist attack cycle. This is underscored by the 14th edition of Inspire magazine, released Sept. 9, in which al Qaeda in the Arabian Peninsula provided a step-by-step tutorial on how to plan assassinations that highlighted the terrorist attack cycle.
This cycle will always vary at least slightly based on the specific circumstances. A simple pipe bomb attack, for example, will require less surveillance than an assassination or kidnapping, and a suicide attacker needs no escape plan. Despite these variations, certain steps will need to be taken, meaning there will be windows when planners are unavoidably vulnerable to detection. Operatives are most open to detection during the pre-operational surveillance, weapons acquisition anddeployment phases of the attack cycle.
Sophisticated terrorist organizations understand this and will attempt to minimize this risk of detection by using different cells for specific functions. The Provisional Irish Republican Army, for example, used separate cells for surveillance, weapons acquisition, bombmaking and launching the attack itself. Sophisticated jihadist attacks have followed a similar strategy, including the 1998 East Africa embassy bombings and David Headley's surveillance of targets prior to the Mumbai attacks.
Grassroots operatives working alone are particularly weak in this regard because they must conduct every step of the terrorist attack cycle by themselves. They therefore expose themselves to detection multiple times before they can even launch an attack. Even grassroots cells, however, are limited — they rarely have the manpower or membership needed to conduct multiple tasks. On top of this, grassroots operatives have limited terrorist tradecraft in areas such as surveillance, planning and bombmaking.
Because they have limited resources, authorities normally deploy countermeasures such as surveillance detection only at hard targets. For this reason, grassroots operatives tend to focus on soft, poorly defended targets. And there are always soft targets. No government can protect everything, even with a massive security budget or powerful internal security service. When authorities shift their focus to protect one class of targets, terrorists can switch to more vulnerable alternatives. But the operatives must still follow the same cycle — and this behavior is evident if someone is paying attention.
The How
The terrorist attack cycle is extremely vulnerable during the pre-operational surveillance phase. Most operatives are particularly bad at surveillance tradecraft. They tend to behave suspiciously, look out of place and lurk — what we refer to as bad demeanor. The only reason they are able to succeed is that in general nobody is watching for these signs.
Many people think that the government is all-powerful, but nothing could be further from the truth. In the United States, the FBI has fewer than 14,000 special agents to investigate all of the criminal statutes it is responsible for enforcing. This includes counterintelligence, white-collar crime, bank robbery and kidnapping. At any one time there are only around 2,000 or 3,000 FBI special agents assigned to work counterterrorism across the entire United States, which includes transnational responsibilities. By way of comparison, there are more than 34,000 police officers in the New York Police Department alone.
These limited counterterrorism resources are mostly focused on monitoring people with known terrorist training and connections, who tend to be the most dangerous. The chance of a grassroots operative being caught in an operational act by an FBI agent or even a police officer assigned to a Joint Terrorism Task Force is fairly small unless he makes an egregious operational security blunder.
Especially with a soft target, a grassroots operative has a far greater chance of being observed conducting an operational act such as surveillance by an ordinary citizen or regular police officer. Indeed, this is why we have long stressed that police officers and citizens play an important role as grassroots defenders in helping provide the last line of common defense against the grassroots terrorist threat.
This has worked several times already. In July 2011, an alert gun store clerk notified police after a man behaved suspiciously while purchasing smokeless powder. The authorities investigated and learned that the man, an Army deserter, had planned to construct a pressure cooker bomb and attack a restaurant frequented by U.S. Army personnel. A device constructed with the same plans from Inspire magazine was later used in the Boston Marathon bombing.
There are other telltale signs. Attackers will frequently test bomb components they have manufactured. This will often result in small, unexplained explosions. Other indicators of bombmaking activity include the presence of unusual quantities or unexplained presence of chemicals such as acetone, acid, peroxide and methyl alcohol, or metallic powders such as aluminum, magnesium and ferric oxide. Beyond chemicals, bombmakers tend to use laboratory implements such as beakers, scales, protective gloves and masks — things not normally found in a hotel room or residence. (Some of this same equipment is associated with the manufacture of methamphetamines.)
Additionally, although electronic devices such as cellphones or wristwatches may not seem unusual in the context of a hotel room or apartment, signs that such devices have been disassembled or modified and have wires protruding from them should raise a red flag because these devices are commonly used as initiators for improvised explosive devices.
Obviously, not every person lurking suspiciously outside of a shopping mall is a terrorist, and not every container of nitric acid will be absolute confirmation of bombmaking activity, but reporting such incidents to the authorities will give them an opportunity to investigate and determine whether the incidents are innocuous or sinister.
That said, it is important to note that grassroots defenders should not be vigilantes, and this is not a call to institute the type of paranoid informant network that existed in East Germany. It is also not a call to Islamophobia — the Muslim community itself is an important component of grassroots defense, and many plots have been thwarted based upon tips from inside this community. Indeed, it is the children of Muslim families who are being recruited by jihadists to serve as shock troops or human smart bombs, and Muslims have suffered terrible losses at the hands of the jihadists. Grassroots defenders are just citizens who take responsibility for their own security and for the security of those around them. In an era when the threat of attack comes from increasingly diffuse sources, a good defense requires more eyes and ears than the authorities possess.
Militancy: A Threat With Many Faces
Análisis Security Weekly, 24.09.2015 Scott Stewart
Last week, while attending a security conference for nongovernmental organizations, I had the opportunity to talk with a friend of mine about analyzing the threats posed by militant groups. After the conversation was over, I realized it might be worth sharing those thoughts with Stratfor's readers.
I use the word "militant," as opposed to "terrorist," intentionally. Over the years, many readers have criticized Stratfor for its description of jihadist group members as militants. Some believe that in refusing to use the terrorist label, we are somehow being soft on such groups. But nothing could be further from the truth.
A Multifaceted Threat
Throughout history, there have been very few organizations that could be truly be termed terrorist groups. Terrorism, which I loosely define as violence directed against noncombatants for a political purpose, is a tactic. In the same way that war, in the words of Carl von Clausewitz, is "the continuation of politics by other means," so too is terrorism an extension of politics through the use of violence against noncombatants. But most actors who have practiced terrorism have done so within the context of a larger military campaign. Even groups such as Black September and the Abu Nidal Organization, which were specifically established to conduct terrorist attacks, were part of a broader Palestinian military effort that also featured guerrilla warfare.
It is critical, then, to think of groups such as al Qaeda in the Arabian Peninsula or the Islamic State's Wilayat al-Sudan al-Gharbi (formerly known as Boko Haram) as much more than just practitioners of terror. These groups also possess significant guerrilla warfare and insurgent capabilities, and in some cases they even have conventional mobile warfighting skills. Terrorism is just one of the many diverse military tactics they employ, meaning that the threat they pose is quite different from that of an actor that only employs terrorism.
Marxist, Maoist and Focoist militant groups often use terrorism as the first step in a longer armed struggle. In some ways, al Qaeda followed suit: It used terrorism in the hope of shaping public opinion and raising popular support for its cause, with the expectation that it would grow strong enough to wage an insurgency and eventually conventional warfare to establish an emirate and, over time, a global caliphate. Jihadist groups spawned from al Qaeda, such as the Islamic State, Jabhat al-Nusra and al Qaeda in the Arabian Peninsula, have grown into militant organizations that can conquer, hold and govern a territory.
Terrorism can also be used to supplement an insurgency or conventional warfare. In such cases, terrorism is often employed to unbalance and distract the enemy, usually by striking vulnerable targets at its rear. The Afghan Taliban uses terrorism in this manner, as does the Islamic State, which has also become quite adept at employing a form of hybrid warfare that employs suicide car bombs at the outset of battles to destroy its opponents' will to fight. This method is not unlike larger militaries' use of air power for the same purpose.
Judging Capability
Still, the skills required for various types of military operations differ. Most U.S. soldiers would not make good irregular warfare fighters just out of boot camp. There is a reason programs for more advanced training, such as the U.S. Army's Special Forces Qualifications Course and Ranger School, exist. The same holds true for militant training. Most jihadist fighters receive basic guerrilla warfare training, where they are taught to fire assault rifles and learn hand-to-hand combat, but this initial preparation does not equip them to conduct terrorist attacks overseas. Terrorist attacks, especially those perpetrated far from the group's main area of operations, require a very different set of skillsthan guerrilla warfare. In many ways, the elements of terrorist tradecraft are far more similar to that of espionage: A terrorist must be able to travel internationally without raising suspicion and completethe terrorist attack cycle, which includes conducting surveillance, acquiring weapons and deploying for an attack, without being detected.
In much the same way that soldiers are selected to attend Ranger School or the Qualifications Course, only a few of the tens of thousands of jihadists who attend basic guerrilla warfare training at al Qaeda camps are selected to attend courses in bombmaking and terrorist tradecraft. But before a group can impart such skills to its recruits, it must first possess the skill itself. Therefore, an important part of assessing a group's capability to project power, whether through military or terrorist operations, is to determine its level of military proficiency and terrorist tradecraft. This can be done by carefully evaluating the attacks it has conducted, both individually and in comparison with one another.
To determine the type, scope and severity of the threat posed by a specific group, it is also important to analyze its capabilities independently rather than conflating them. For example, the Islamic State's Wilayat al-Sudan al-Gharbi has a long history of conducting effective guerrilla warfare operations in its core territory. However, it has struggled to expand its efforts beyond this area of operation. The group has also had difficulty attacking hardened targets with strong security measures in place. Launching a suicide attack against a market in Maiduguri is a far cry from attacking a ministry building in Abuja or a foreign energy company on Nigeria's coast.
Even groups with considerable terrorist tradecraft capabilities, such as al Qaeda in the Arabian Peninsula, have struggled to overcome security measures designed to prevent terrorists from traveling. They have responded to these obstacles by engaging in remote attacks such as the underwear and printer bomb incidents of 2009 and 2010. In such cases al Qaeda's expert bombmaker built the bombs in Yemen before secretly dispersing them to operatives abroad. The challenge of getting a trained terrorist operative into the United States or Europe ultimately prompted such groups to adopt the leaderless resistance model of operations starting in 2009.
Detecting Intent
Examining an actor's military and terrorist tradecraft gives us the ability to assess the capabilities component of the threat equation, but it does not provide any insight into the question of intent. In many ways, a group's intent can be far more ambiguous and difficult to gauge than capability, which can be empirically measured by looking at past attacks. As noted earlier, terrorism is ultimately an extension of politics; much of what militant commanders and propaganda organs produce is simply rhetoric meant to achieve a political goal rather than to reveal a group's true intent. Such rhetoric can come in a wide variety of forms, including threats designed to inspire terror among a target population, boasts that exaggerate the group's strength or statements that validate the group's cause and justify its actions. Militant groups also frequently employ disinformation in an attempt to conceal their plans for strategic or tactical purposes. Thus, separating rhetoric from actual intent can be very difficult.
Sometimes analyzing a group's intent becomes easier when the organization publishes clear guidance pertaining to its targeting policies. Al Qaeda, for instance, has repeatedly stated that it primarily targets the United States and Europe, as opposed to local governments in the Muslim world. However, in practice al Qaeda's franchise groups often diverge from the core leadership's stated intent, and only a few of their attacks have been directed at "the far enemy." This is partially because of a lack of capability, but some groups, such as al Qaeda in the Islamic Maghreb, have to some extent resisted guidance from the al Qaeda core, opting instead to adhere to their own targeting criteria. In such cases, the franchise groups' operations, rather than their rhetoric, often better reveal their true intent.
With so many factors at play, gauging the intent of a militant group is more of an art than a science. Still, it can be done if one is careful and remembers that actions speak louder than words.
