Poll of a Billion Monkeys

Thursday, December 14, 2006

Conventional approaches to unconventional problems: Analyzing terrorism

Signal, Sygnet, and Sigil - Conventional approaches to unconventional problems: Analyzing terrorism


I'm looking for new writers and contributors for both The
and the B-Reader.

This is an article written by a friend of mine for the MIPB.

It is an older article but is still applicable
and valuable.

He requested I post it. I am setting it up so that he may post
independently in the future.

Del has had a wide and varied military
career, especially as regards Intelligence and Analysis. He is also a very good

It is my hope that Del will become a more or less regular
contributor to the Missal when he has the time, and that in the future he
will become a contributor to the B-Reader as well.

today is MCW Day at the Missal I thought this would be
the perfect time to post Del's first article.


Conventional approaches to unconventional problems: Analyzing terrorism
Military Intelligence Professional Bulletin, Jan-March, 2002 by Del Erin Stewart

Considering the implications of the 11 September 2001 attack on the United States, many changes must occur in how the U.S. Army conducts its counterterrorist operations. New methodologies and tactics, techniques, and procedures (TTP) must emerge if the Army is to address this new threat. Based on experience, the following methodology is one possible interim fix.

The theory is simple: if you know your enemy's capabilities, vulnerabilities, methods, and thought processes, you are more likely to successfully predict when, where, and how he will attack and be able to plan countermeasures. While we used the following methodology experimentally at an analytical cell at a numbered Army level, the tools and techniques discussed below may be useful for other echelons.

When predicting traditional or conventional military threats, the U.S. Army employs analytical methodologies such as intelligence preparation of the battlefield (IPB) and related tools. The terrorist threat, however, is unique in that its nature and survival require it avoid direct engagements with main force units. Terrorists are exceedingly mobile, have mastered the art of blending into the surrounding population, and employ harsh measures to ensure security.

On the other hand, our national collection assets provide so much diverse information that making sense of it all is a daunting task. Reports on terrorist activity originate from all intelligence disciplines, to include open source. The information that surfaces is usually of limited scope, fragmented, and can address anything from financial issues to those focused on training or operations. Currently approved doctrinal symbols do not reflect terrorist operations types of data, nor is there generally a doctrinal method for graphically portraying such activities. The question is, then, how can an analyst take the disparate, seemingly unrelated data points, and move forward toward accurate predictive analysis? One thing is certain: the effort will involve all intelligence disciplines.

We rethought and revisited these methodologies because the commander was very unhappy with detailed, multicolored charted and graphed after-the-fact analysis; he wanted reasonably accurate predictions to help in his decision-making process for recommending countermeasures. First, it is useful to look at existing tools and methodologies for analysis, then at additional areas of focus, and finally at recommending countermeasures.

Existing Analytical Methodologies Applied Against Terrorist Operations

The following analytical tool descriptions and examples are from FM 34-60, Counterintelligence, Section VI, Counter-Human Intelligence Analysis, to Appendix A, Counter-Human Intelligence Techniques and Procedures. We modified the wording slightly for ease of use in this forum. This section discusses a chronological record and three analytical techniques.

Time-Event Charting. The time-event chart shown in Figure 1 is a chronological record of individual or group activities designed to store and display large amounts of information in as little space as possible. This tool is easy to prepare, understand, and use. Symbols used in time-event charting are very simple. Analysts use triangles to show the beginning and end of the chart and to show shifts in methods of operation or changes in ideology. Rectangles or diamonds indicate significant events or activities.

Analysts can highlight particularly noteworthy or important events by drawing an "X" through the event symbol (rectangle or diamond). Each of these symbols contains a chronological number (event number), date (day, month, and year of event), and may contain a file reference number. The incident description is a very brief explanation of the incident, and may include the team size, type of incident or activity, place and method of operation, and duration of incident. Arrows indicate time flow.

Analysts also use a variety of symbols, such as parallelograms, pentagons, and others, to depict different types of events and activities. Using these symbols and brief descriptions, an analyst can analyze the group's activities, transitions, trends, and operational patterns. Time-event charts are excellent briefing aids as well as flexible analytical tools.

Association Matrix. The association matrix delineates the existence of relationships between individuals. The part of the problem deserving the most analytical effort is the group itself. Analysts examine the group's elements (members) and their relationships with other members, other groups and associated entities, and related events. Analysts can show the connections between critical players in any event or activity in an association matrix (see Figure 2), which shows associations within a group or similar activity, and is based on the assumption that people involved in a collective activity know one another.

The construction of this type of matrix is in the form of a right triangle, and analysts list personalities in exactly the same order along both the rows and columns to ensure that all possible associations appear correctly. The purpose of the personality matrix is to show who knows whom. Analysts determine a known association by "direct contact" between individuals; a number of factors determine direct contact, including face-to-face meetings, confirmed telephonic conversation between known parties, and all the members of a particular organizational cell.

Analysts indicate a known association between individuals on the matrix by a dot or filled-in circle. They consider suspected or "weak" associations between persons of interest to be associations that are possible or even probable, but they cannot confirm it using the above criteria. When a person of interest dies, a diamond next to his or her name on the matrix relays that fact.

Activities Matrix. The activities matrix helps to determine connectivity between individuals and any organization, event, entity, address, activity, or anything other than persons. Unlike the association matrix, the construction of the activity matrix is in the form of a square or a rectangle (see Figure 3). The analyst can tailor rows or columns to fit the needs of the situation at hand or add them later as the situation develops. The analyst determines the number of rows and columns by the needs of the problem and by the amount of information available.

Analysts normally construct this matrix with personalities arranged in a vertical listing on the left side of the matrix and activities, organizations, events, addresses, or any other common denominators arranged along the bottom of the matrix. This matrix can store an incredible amount of information about a particular organization or group, and can expand on the information developed in the association matrix.

Link Diagram. The third analytical technique is link diagramming. Analysts use this technique to depict the more complex linkages between a large number of entities, and can include persons, organizations, or almost anything else. Analysts use link analysis in a variety of complex investigative efforts including criminal and terrorist investigations, analysis, and even medical research. Several regional law enforcement training centers are currently teaching this method as a technique in combating organized crime. The particular method discussed here is an adaptation especially useful in counterintelligence (CI) investigative analysis in general and terrorism analysis in particular.

In link analysis, a number of different symbols identify various items. Analysts can easily and clearly display obstacles, indirect routes or connections, and suspected connections. In many cases, the viewer can work with and understand the picture more easily than the matrix. Link analysis can present information in a manner that ensures clarity.

As with construction of association matrices, analysts should follow certain rules of graphics, symbology, and construction. Standardization is critical to ensure that everyone constructing, using, or reading a link diagram understands exactly what the diagram depicts. The standard rules follow:

* Show persons as open circles with the name written inside the circle.
* Show a person known by more than one name (alias, also known as [AKA]) as overlapping circles with names in each circle.
* Show deceased persons with a diamond next to the circle that represents that person.
* Show nonpersonal entities (organizations, governments, events, locations) by squares or rectangles.
* Show linkages or associations by lines: solid for confirmed and dotted for suspected.
* Show each person or other entity only once in a link diagram.
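
The association matrix and the link-diagram rules above can be expressed as a small data structure. The following Python sketch is an added example, not part of the original article or of FM 34-60: the names, the contact records, the open circle used for suspected associations, and the choice of Graphviz DOT text as the drawing format are all assumptions made for illustration. Aliases (overlapping circles) are not modelled.

```python
# Constructed sample data; every name and contact record is a placeholder.
CONFIRMED, SUSPECTED, DECEASED = "●", "○", "◆"  # "○" for suspected is an assumption
PEOPLE = ["Person A", "Person B", "Person C", "Person D"]
CONTACTS = [  # (name, name, confirmed by direct contact?)
    ("Person A", "Person B", True),
    ("Person C", "Person A", False),
    ("Person B", "Person C", False),
    ("Person C", "Person B", True),   # later confirmation upgrades the cell
    ("Person D", "Person B", False),
]

def association_matrix(people, contacts):
    """Right-triangle matrix: the same name order is used for rows and columns."""
    index = {name: i for i, name in enumerate(people)}
    rows = [[" "] * i for i in range(len(people))]
    for a, b, confirmed in contacts:
        lo, hi = sorted((index[a], index[b]))
        if lo == hi:
            raise ValueError(f"self-association recorded for {a}")
        if rows[hi][lo] != CONFIRMED:          # never downgrade a confirmed link
            rows[hi][lo] = CONFIRMED if confirmed else SUSPECTED
    return rows

def render_matrix(people, rows, deceased=()):
    """Text rendering; a diamond next to the name marks a deceased person."""
    lines = []
    for name, row in zip(people, rows):
        label = name + (" " + DECEASED if name in deceased else "")
        lines.append(f"{label:<12}" + " ".join(row))
    return "\n".join(lines)

def link_diagram_dot(people, entities, links, deceased=()):
    """Graphviz DOT text following the standard rules listed above."""
    known = set(people) | set(entities)
    if len(known) != len(people) + len(entities):
        raise ValueError("each person or entity may appear only once")
    out = ["graph links {"]
    for p in people:                            # persons: circles
        label = p + (" " + DECEASED if p in deceased else "")
        out.append(f'  "{p}" [shape=circle, label="{label}"];')
    for e in entities:                          # non-personal entities: rectangles
        out.append(f'  "{e}" [shape=box];')
    merged = {}
    for a, b, confirmed in links:
        if a == b or a not in known or b not in known:
            raise ValueError(f"bad link: {a} - {b}")
        key = frozenset((a, b))
        merged[key] = merged.get(key, False) or confirmed
    for key in sorted(merged, key=sorted):
        a, b = sorted(key)
        style = "solid" if merged[key] else "dotted"   # confirmed vs suspected
        out.append(f'  "{a}" -- "{b}" [style={style}];')
    out.append("}")
    return "\n".join(out)

if __name__ == "__main__":
    print(render_matrix(PEOPLE, association_matrix(PEOPLE, CONTACTS), {"Person D"}))
    print(link_diagram_dot(PEOPLE, ["Org X"],
                           CONTACTS + [("Person D", "Org X", True)], {"Person D"}))
```
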

Complementary Methodology Developed

The approach used to meet the commander's intent for predictive analysis was to use traditional IPB-style graphic overlays, but then modify this methodology to specifically monitor the actions of a terrorist group and its associated elements. The use of overlays on training, organizations, finances, and warnings can be effective.

Training. The first overlay (Training) may contain all the available information on training camps and locations, by country, which this organization and its associated elements reportedly use. This data will primarily come from imagery intelligence (IMINT), human intelligence (HUMINT), and signals intelligence (SIGINT). There is utility in knowing what topics specific camps train, and recognizing changes in what they are teaching or training. As an example, if a camp that traditionally worked on the use of RPGs (Soviet antitank grenade launchers) and small arms suddenly changes to one of hostage taking, analysts would note this radical change as a possible alteration in organizational objectives. Certainly it would be a key indicator.

Organizations. The second overlay (Organizations) may contain all of the available information on non-governmental organizations (NGOs) and subordinate or related elements (e.g., branch offices of the same organization, but in a different country). That overlay depicts known and suspected relationships between NGOs (especially those that were essentially front organizations) and the terrorist groups. As appropriate, analysts can include other organizations. Information allowing completion of this overlay will mainly come from reports issued by HUMINT, CI, and SIGINT sources. Knowing what surrogates are available is essential to understanding the extent of the potential threat. For example, a legitimate mining operation may have second- or third-hand ties to a terrorist group, which could mean that industrial-grade explosives might be available for the group to use in future attacks.

Note: A crucial consideration in evaluating this data is to ensure compliance with intelligence oversight requirements, and not store or depict any data that violates AR 381-10, U.S. Army Intelligence Activities, Executive Order 12333, United States Intelligence Activities, and related regulatory requirements.

Finances. The third overlay (Finances) depicts information available on finances, business transactions, assets, and related issues. Nearly everything costs money and, as the maxim states, "follow the money." The money trail leads through organizations to people and equipment, which in turn helps provide an understanding of the terrorist's objectives and capabilities. Of particular importance are reports pertaining to the transfer of funds for training, either directly or via NGO surrogates. Again, this will come mostly from HUMINT and SIGINT sources as well as foreign and domestic law enforcement agencies and other interagency reporting.

Personalities. The fourth overlay (Personalities) depicts the current location of essential personnel within the terrorist organizations. These reports will at least include SIGINT, HUMINT, and some measurement and signature intelligence (MASINT) and IMINT (e.g., a photograph or a sensor confirmed that a vehicle was at a particular site at a specific time). When looking at the movement of individuals, analysts should ask "Why?" All movement is risky; someone can blow a person's cover and interdict vehicles, so why is he taking this risk? Such risk-taking can be an indicator in itself, while answering the question of "why?" may lead to other issues and concerns.

Warnings. The fifth overlay (Warnings) shows where (by country) national agencies issued warnings and advisories, where previous attacks occurred (if the security posture allowed one attack to occur, will others follow?) and where authorities thwarted attacks because the adversaries clearly intended something. These interdictions could include confiscation of arms shipments. The warning reports originate from all intelligence disciplines and may include law enforcement and other interagency information.

Convergence. Analysts may create additional overlays as needed. Because there are no doctrinal symbols for most of these overlays, analysts will have to create their own symbols, and post a legend to define them. Flexibility is paramount to success. Similar to chess masters, analysts look for convergent lines to indicate the possibility of attack. Despite the adversary's ability to project into areas where they have not previously conducted an attack, normally there are indicators graphically depicted in two or more areas (for example, to show movement of important personalities, supplies, and funds).

The current doctrinal analytical tools discussed above work well to explain how something happened. The critical point, however, is to go beyond the stage of describing history to the essential point of predicting when, where, and how the adversaries will strike next. Getting there requires personal skill, time, experience, and dedication. Additionally, it will require analysts possessing access to all levels of reporting and analysts from different disciplines who focus exclusively on this form of analysis.

Other Considerations

Open-Source Data. Regarding open-source reporting, the Foreign Broadcast Information Service (FBIS) and Cable News Network (CNN) provide some of the most readily accessible and timely reporting in the world. Terrorists have been using propaganda, media manipulation, and other similar aspects of information operations for a long time, as the requirement to gain popular support is crucial to their success. Terrorist organizations need to "get the word out" to legitimize their operations, actions, and positions. The trained, experienced analyst can exploit this fact. For example, if a respected terrorist leader were to say something like, "In the course of jihad, many innocents may have to be sacrificed for the greater good of the will of Allah," that could portend an attack where mass casualties might occur, and it might also mean that the attack might occur in an area where Islam is a dominant religion.

An experienced analyst will consider numerous aspects including:
* Timing of the pronouncement (Is it a significant date, by either the solar or lunar calendars?)
* Location. (Is this a culturally or religiously significant site that issued the pronouncement?)
* Important personalities who were present (which may indicate support for the pronouncement, an end to differences between the groups, etc.).
* Other factors.

There may be other similar cues in other public pronouncements, some of them web-based instead of traditional newspaper and radio media. Just tracking the public pronouncements and postings, looking at them in detail, cross-referencing the announcements with other data, and so forth, is a full-time job, which means dedicating analysts to monitor these sites. There is a difference between the "normal" rhetoric and something that, in symbolic context, is genuinely a potential indicator. Again, deciphering these cues requires analysts who have the requisite experience and training, so that the terrorism analysis section does not begin to suffer from the "chicken little" syndrome in the eyes of the senior intelligence officer and the commander.

Visual Cues. Graphic aids are nothing more than visual cues to check the report details, develop requests for further information, and study the matter in greater detail. No system or software can begin to deal with these complex issues. The group synergy and crosstalk derived from experts in different disciplines looking at the same data is what makes or breaks this effort. Additionally, having "broken the code" on what the adversary might be planning is, in itself, insufficient; the analyst must pass data to the affected elements. Normally, at the commander and senior intelligence officer levels, this transmission will be via secure videoteleconference or similar methods. Behind the scenes, analysts often highlight a specific set of messages for one another in daily secure E-mail crosstalk. Because the amount of reporting is so great, each echelon has its own set of filters for sorting through the messages. When dealing with more than one thousand messages a day, it is easy for someone to leave out or overlook something inadvertently. Cooperation is fundamental to success.

Because the level of detail required involves individuals, and may include single individuals to squad-sized elements (as employed in the 11 September 2001 attacks), there is absolutely no utility in developing traditional decision-support templates or similar tools. However, depending on circumstances, location, echelon, and other considerations, there may be utility in devising specific activity-based templates for depicting possible courses of action, etc. Being in the loop for the daily data feed exceeding one thousand messages a day is an all-consuming business. In my experience, the graphics aid was an effective cue for conducting deeper analysis for converging lines.

When using the IPB-style graphics overlays, not only can this be a successful methodology, it also has the additional advantage of serving as a briefing aid. Words alone, and reams of reports alone, can be confusing. Today's senior intelligence officers are accustomed to acquiring data in visual icon form. The methodology described herein lent itself to transitioning instantly from conducting analysis to briefing that analysis in a manner in which the G2 was accustomed.


The final step is recommending countermeasures. It is easy to develop a siege mentality, such as that which existed throughout U.S. Army elements stationed in the Middle East after the bombings of the Office of the Program Manager, Saudi Arabian National Guard (Riyadh) in 1995, and the Khobar Towers (Dhahran in 1996) in Saudi Arabia. However, when everything is always on "high alert," it defeats the purpose of the heightened alert status. Instead of temporarily raising defense levels, the defense level remained at threat condition (THREATCON) Delta (now called force protection condition or FPCON) for a prolonged period.

Such a prolonged state of high alert had at the minimum the following effects:

* Left open the potential for complacency.
* Created a state where a new (stable) pattern nullified the intent of thwarting hostile surveillance efforts.
* Negatively impacted the local economy.

Consider the fact that when U.S. forces no longer engage in or stimulate a local economy, the merchants (and their families, associates, etc.) have no further economic incentive to having U.S. forces present. What may then develop is a general attitude that is at best ambivalent towards U.S. forces; for if there is no perceived benefit for the presence of U.S. forces, then it is a short move towards resentment of the U.S. presence. Once popular sentiment opposes the presence of U.S. forces, it is difficult to regain good will. From an intelligence perspective, it is useful to keep these economic considerations in mind when evaluating the threat, the enemy's ability to blend in with the local populace (will they be reported for suspicious activity), and related factors.

The fear that "something might happen" was so great in the Middle East after the 1996 Khobar Towers attack that Army intelligence and CI elements sometimes found it difficult to leave the compound and perform their missions. In fact, at least one G2 proposed taking all of his intelligence collectors and agents and incorporating them into the analysis cell! Analysts, however, will have nothing to analyze if the collectors do not collect. To be effective, intelligence and CI assets need to leave the compounds, and commanders must provide them with the necessary freedom of movement as prescribed in AR 381-20, U.S. Army Counterintelligence. Risk management must not become risk avoidance. Defensive postures and countermeasures must change appropriate to the threat.

Final Thoughts

The options and techniques detailed above are not radical. Our fundamental analytical methodologies are adequate to deal with this unconventional threat, with only minor adjustments; if we grant ourselves some flexibility, current doctrine will suffice. The critical principle of translating intelligence into viable options and recommendations for the commander to evaluate and implement remains unchanged.

Chief Warrant Officer Del Stewart is currently serving as a Training Senior Writer, Doctrine Division, Directorate of Combat Developments, U.S. Army Intelligence Center and Fort Huachuca. Excluding his 12 years of enlisted experience, some of his assignments have included the 102d MI Battalion, Korea; Chief, Counter-terrorism Analysis Section, 3d U.S. Army, Fort McPherson, Georgia; and the 501st MI Battalion, Dexheim, Germany (with 11 months in Bosnia supporting IFOR as the OCE Chief for 1st Brigade Combat Team, 1st Armored Division).
