Last week's Security Weekly discussed how the digital revolution has allowed terrorist operatives employing leaderless resistance methods to act as their own media. For groups such as al Qaeda and the Islamic State, this ability greatly enhances the effectiveness of propaganda. At the same time, however, the information disseminated benefits authorities by providing valuable insight into the planning and execution of attacks.
Three weeks ago I countered the misconception that leaderless resistance always means that assailants act alone. Terrorists can also organize small cells, which can prove more dangerous than individual attackers. Unlike lone wolves, the members of these cells can combine their skills and resources to launch more effective attacks, although operational security becomes more difficult.
Building on these two themes, this week I will focus on how operatives carry out attacks. This is key — understanding the process can help authorities identify operatives not directly connected to a terrorist organization who would otherwise go unnoticed.
The Terrorist Attack Cycle
Counterterrorism agencies and programs are very good at targeting known groups and individuals — this is what they were designed to do. But they struggle with the ambiguity of leaderless resistance. This is, of course, why the jihadist movement and others have adopted this strategy.
Authorities have had their successes. There have been numerous cases in which these actors, practicing poor operational security, have reached out to outsiders (most often a government informant) to seek help conducting an attack. In other instances, they have even identified themselves on social media. These amateurish mistakes have made these particular operatives easy pickings for investigators, but more skilled operatives have shown themselves adept at hiding in the murky ambiguity of society. These are often identified too late, only after they have conducted an attack.
These more sophisticated grassroots operatives know how to operate under the radar, but this does not mean they are not vulnerable. This is because regardless of ideology or operational model, anyone planning a terrorist attack must follow the steps of the terrorist attack cycle. This is underscored by the 14th edition of Inspire magazine, released Sept. 9, in which al Qaeda in the Arabian Peninsula provided a step-by-step tutorial on how to plan assassinations that highlighted the terrorist attack cycle.
This cycle will always vary at least slightly based on the specific circumstances. A simple pipe bomb attack, for example, will require less surveillance than an assassination or kidnapping, and a suicide attacker needs no escape plan. Despite these variations, certain steps will need to be taken, meaning there will be windows when planners are unavoidably vulnerable to detection. Operatives are most open to detection during the pre-operational surveillance, weapons acquisition and deployment phases of the attack cycle.
Sophisticated terrorist organizations understand this and will attempt to minimize this risk of detection by using different cells for specific functions. The Provisional Irish Republican Army, for example, used separate cells for surveillance, weapons acquisition, bombmaking and launching the attack itself. Sophisticated jihadist attacks have followed a similar strategy, including the 1998 East Africa embassy bombings and David Headley's surveillance of targets prior to the Mumbai attacks.
Grassroots operatives working alone are particularly weak in this regard because they must conduct every step of the terrorist attack cycle by themselves. They therefore expose themselves to detection multiple times before they can even launch an attack. Even grassroots cells, however, are limited — they rarely have the manpower or membership needed to conduct multiple tasks. On top of this, grassroots operatives have limited terrorist tradecraft in areas such as surveillance, planning and bombmaking.
Because they have limited resources, authorities normally deploy countermeasures such as surveillance detection only at hard targets. For this reason, grassroots operatives tend to focus on soft, poorly defended targets. And there are always soft targets. No government can protect everything, even with a massive security budget or powerful internal security service. When authorities shift their focus to protect one class of targets, terrorists can switch to more vulnerable alternatives. But the operatives must still follow the same cycle — and this behavior is evident if someone is paying attention.
The terrorist attack cycle is extremely vulnerable during the pre-operational surveillance phase. Most operatives are particularly bad at surveillance tradecraft. They tend to behave suspiciously, look out of place and lurk — what we refer to as bad demeanor. The only reason they are able to succeed is that in general nobody is watching for these signs.
Many people think that the government is all-powerful, but nothing could be further from the truth. In the United States, the FBI has fewer than 14,000 special agents to investigate all of the criminal statutes it is responsible for enforcing. This includes counterintelligence, white-collar crime, bank robbery and kidnapping. At any one time there are only around 2,000 or 3,000 FBI special agents assigned to work counterterrorism across the entire United States, which includes transnational responsibilities. By way of comparison, there are more than 34,000 police officers in the New York Police Department alone.
These limited counterterrorism resources are mostly focused on monitoring people with known terrorist training and connections, who tend to be the most dangerous. The chance of a grassroots operative being caught in an operational act by an FBI agent or even a police officer assigned to a Joint Terrorism Task Force is fairly small unless he makes an egregious operational security blunder.
Especially with a soft target, a grassroots operative has a far greater chance of being observed conducting an operational act such as surveillance by an ordinary citizen or regular police officer. Indeed, this is why we have long stressed that police officers and citizens play an important role as grassroots defenders in helping provide the last line of common defense against the grassroots terrorist threat.
This has worked several times already. In July 2011, an alert gun store clerk notified police after a man behaved suspiciously while purchasing smokeless powder. The authorities investigated and learned that the man, an Army deserter, had planned to construct a pressure cooker bomb and attack a restaurant frequented by U.S. Army personnel. A device constructed with the same plans from Inspire magazine was later used in the Boston Marathon bombing.
There are other telltale signs. Attackers will frequently test bomb components they have manufactured. This will often result in small, unexplained explosions. Other indicators of bombmaking activity include unusual quantities or the unexplained presence of chemicals such as acetone, acid, peroxide and methyl alcohol, or metallic powders such as aluminum, magnesium and ferric oxide. Beyond chemicals, bombmakers tend to use laboratory implements such as beakers, scales, protective gloves and masks — things not normally found in a hotel room or residence. (Some of this same equipment is associated with the manufacture of methamphetamines.)
Additionally, although electronic devices such as cellphones or wristwatches may not seem unusual in the context of a hotel room or apartment, signs that such devices have been disassembled or modified and have wires protruding from them should raise a red flag because these devices are commonly used as initiators for improvised explosive devices.
Obviously, not every person lurking suspiciously outside of a shopping mall is a terrorist, and not every container of nitric acid will be absolute confirmation of bombmaking activity, but reporting such incidents to the authorities will give them an opportunity to investigate and determine whether the incidents are innocuous or sinister.
That said, it is important to note that grassroots defenders should not be vigilantes, and this is not a call to institute the type of paranoid informant network that existed in East Germany. It is also not a call to Islamophobia — the Muslim community itself is an important component of grassroots defense, and many plots have been thwarted based upon tips from inside this community. Indeed, it is the children of Muslim families who are being recruited by jihadists to serve as shock troops or human smart bombs, and Muslims have suffered terrible losses at the hands of the jihadists. Grassroots defenders are just citizens who take responsibility for their own security and for the security of those around them. In an era when the threat of attack comes from increasingly diffuse sources, a good defense requires more eyes and ears than the authorities possess.