the terrorist attack cyclethe terrorist attack cycle attacks designed to instill terror, not only...
TRANSCRIPT
The Terrorist Attack CycleDecember 1, 2009
STRATFOR Global Information Services
STRATFOR Global Information Services publishes intelligence, analysis and research for professionals in government, corporations and research institutions. For more than a decade, this information has helped customers monitor, track and manage political risk and instability around the world.
STRATFOR Global Information Services delivers information in three ways: via password protected websites, customized information and data feeds and customized briefings and presentations. More than 1 million professionals rely upon this information at organizations that range from The U.S. Air Force to Yale University to The Federal Reserve Bank of Atlanta and others.
STRATFOR Global Information Services700 Lavaca Street, Suite 900Austin, TX 78701Tel: 1-512-279-9462www.stratfor.com
Electronic deliveryReports are also available online by subscribing at www.stratfor.com.
Copyright© 2009 STRATFOR. All Rights Reserved. Neither this publication nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission of STRATFOR.
All information in this report is verified to the best of the author’s and the publisher’s ability. However, STRATFOR does not accept responsibility for any loss arising from reliance on it.
To learn more please contact Patrick Boykin, Vice President, by calling 1-512-279-9462.
iii
The Terrorist Attack CycleDecember 1,2009
5 Vulnerabilities in the Terrorist Attack Cycle
7 Operational Planning
9 Selecting the Target
11 Deployment and Attack
13 Media Exploitation
The Terrorist Attack Cycle
Attacks designed to instill terror, not only among the surviving victims and those in the immediate vicinity of the violence, but among society in general, always appear to occur suddenly — to come “out of the blue.” The actual event, however, is the culmination of the six-stage attack cycle: target selection, planning, deployment, the attack, escape and exploitation.
During the target selection and planning stages, terrorists conduct pre-operational surveillance. In this stage, terrorists are no different from other criminals in preparing for an operation. The complexity and extent of the surveillance, however, vary with the scale of the operation and the end goal. A purse snatcher, for example, might size up the target for only a few seconds, while pre-operational surveillance for a terrorist attack could take several weeks.
The purpose of surveillance is to determine the target’s patterns of behavior if it is an individual, or possible weaknesses and attack methods if the target is a building or facility. When the target is a person, perhaps targeted for assassination or kidnapping, terrorists will look for things such as the time the target leaves for work or what route is taken on certain days. They also will take note of what type of security, if any, the target uses. For fixed targets, the surveillance will be used to determine patterns and levels of security. For example, the plotters will look for times when fewer guards are present or when the guards are about to come on or off their shifts. In both cases, this information will be used to select the best time and location for the attack, and to determine what resources are needed to execute the attack.
Because part of pre-operational surveillance involves establishing patterns, terrorists will conduct their surveillance multiple times. The more they conduct surveillance, the greater the chances of being observed themselves. If they are observed, their entire plan can be compromised by alerting security personnel to the fact that something is being planned. Conversely, the terrorists could end up being surveilled themselves and can unwittingly lead intelligence and law enforcement agencies to other members of their cell.
Despite some impressions that al Qaeda is capable of conducting stealthy, clandestine surveillance, evidence recovered in Afghanistan during the U.S.-led invasion in October 2001 and other places suggest that most of the terrorist network’s surveillance is sloppy and even amateurish.
Al Qaeda training manuals, including the infamous “Military Studies in the Jihad against the Tyrants,” and their online training magazines instruct operatives to perform surveillance, and even go so far as to discuss what type of information to gather. The texts, however, do not teach how to gather the information. This is the stage at which al Qaeda’s operations often have found to be lacking.
The skills necessary to be a good surveillance operative are difficult to acquire, and take extensive training to develop. It is extremely difficult, for instance, to act naturally while performing an illegal act. Quite often, surveillance operatives
Vulnerabilities in the Terrorist Attack Cycle
5
will get the so-called “burn syndrome,” the feeling that they have been detected even though they have not. This feeling can cause them to act abnormally, causing them to blow their cover. As a result, it is very easy for amateurs to make mistakes while conducting surveillance, such as being an obvious lurker, taking photos of objects or facilities that would not normally be photographed, and not having a realistic cover story when confronted or questioned.
In some cases, however, al Qaeda operatives have conducted extensive, detailed surveillance of their potential targets. In July 2004, the arrest in Pakistan of an individual identified by U.S. officials as Mohammad Naeem Noor Khan revealed a personal computer that contained detailed information about potential economic targets in the United States. The targets included the New York Stock Exchange and Citigroup headquarters in New York, the International Monetary Fund and World Bank buildings in Washington, D.C., and Prudential Financial headquarters in Newark, N.J. From the information on the computer, it appeared that the targets were under surveillance for an extended period.
Courtesy of ANTONIO SCORZA/AFP/Getty Images.Security personnel monitor the surveillance cameras during a terrorist attack drill at the Engenha stadium in Rio de Janeiro, Brazil, November 24, 2009.
6
Countersurveillance — the process of detecting and mitigating hostile surveillance — is an important aspect of counterterrorism and security operations. Good countersurveillance is proactive; it provides a means to prevent an attack from happening. Countersurveillance can be an individual or group effort, involving a dedicated countersurveillance team. Individuals can and should conduct their own countersurveillance by being aware of their surroundings and watching for individuals or vehicles that are out of place.
Countersurveillance is the proactive means of spotting terrorist and criminal surveillance during the target selection and planning stage — the time the operation is most vulnerable to interdiction. Law enforcement and intelligence agencies, corporations and individuals must understand the importance of countersurveillance — and be capable of recognizing hostile surveillance before the next phase of the attack cycle begins. Once the actual attack has begun, it cannot be undone. The genie cannot be put back into the bottle.
Terrorist attacks often require meticulous planning and preparation. As we have said, this process takes place in a six-stage attack cycle: target selection, planning, deployment, the attack, escape and exploitation. After a target is selected and surveilled, operational planning for the actual attack begins.
During this phase, the who, how, where and when of the attack are determined. To make these decisions, the plotters must conduct more surveillance, initiate logistic support and assemble the attack team. In the course of performing these acts, the cell is further exposed to vulnerabilities that can compromise the operation.
Surveillance conducted during the target-selection stage of the attack cycle is aimed at determining which aspects of a target make it a desirable candidate for attack. Once these factors are established and a specific target is chosen over others, planning for the actual attack begins. This preparation includes more surveillance, weapons selection or bomb assembly, money transfers, bringing the attack team together and sometimes conducting dry runs.
During this time, communication in the form of phone calls or Internet traffic increases, as does the movement of group members. This increase in activity naturally leaves signs that can tip-off law enforcement or intelligence personnel. The money transfers, the communications traffic and the movement of individuals across borders leave trails that can be followed. If enough pieces of the puzzle are collected from this activity, a complete picture of the planned attack can emerge.
During the operational planning stage, target surveillance is often more difficult to detect than during the target-selection stage. For one thing, the operatives conducting operational surveillance generally are better at their jobs than the ones who conduct target-selection surveillance. Instead of gathering information about possible targets, these operatives are looking at specific aspects of the target. In many cases, those conducting the surveillance are the ones who will carry out the actual attack.
Operational Planning
7
This also creates vulnerability in the attack cycle. Because the operatives who will carry out the attack usually are more closely linked to the plotters than those who initially surveilled the target, they likely are known to intelligence or law enforcement agencies. Knowing this makes them more careful, or more nervous, depending on the individual. If they are more nervous about being observed by countersurveillance personnel, they might make mistakes that can expose them.
During the planning stage, terrorists begin performing operational acts that are more visible to law enforcement and intelligence agencies. Some of the training and preparation — the pilot training for the Sept. 11 attacks, for example — can take months or even years. In addition, if counterterrorism personnel have good intelligence that allows them to piece the puzzle together, they possibly can
Courtesy of YOSHIKAZU TSUNO/AFP/Getty Images.This crowded street scene in Tokyo can be evocative of the actual busy streets that terrorists employ for both surveillance and dry runs.
8
determine which stage of the attack cycle the cell is in. Cell members can then be rounded up immediately, or allowed to continue operating so as to expose others involved in the operation. From a counterterrorism perspective, the critical decision is, at what point to strike. Moving in too early could result in failure to round up the entire team; too late could find the attack in progress.
During the attack cycle, law enforcement and intelligence agencies usually receive some indication that an operation is being planned. Lack of resources, including in human intelligence and analytical capacities, however, sometimes prevents the full picture from forming in time to prevent an attack.
It is during the planning stage that terrorists begin carrying out duties that can attract attention, even though counterterrorism personnel often lack the resources to understand what they are seeing. This is a critical phase of the attack cycle in which a cell can either be exposed or move one step closer to committing its attack.
Terrorist attacks and criminal operations often require meticulous planning and preparation. As we have said, this process takes place in a six-stage attack cycle: target selection, planning, deployment, the attack, escape and exploitation. The cycle begins with selecting a target based on several factors.
Terrorist targets rarely are chosen based on military utility, such as disrupting lines of communication or supply, or otherwise limiting an enemy’s capacity to operate. On the contrary, terrorists generally choose targets that have symbolic value or that will elicit the greatest media reaction. One way to guarantee the latter is by killing and maiming a large number of people — to generate graphic, provocative images that can be splashed across television screens and the front pages of newspapers.
The reason for this need to generate media attention is that terrorists, unlike insurgent groups, are not after military targets. Their target audience is people around the world who “witness” the unfolding events via the media. The Sept. 11 al Qaeda attacks, for example, were designed to send a message to the Western world and the Muslim streets that went far beyond the immediate destruction.
Because they usually are lightly armed and equipped compared to modern military units, terrorists usually prefer to avoid attacking “hard targets” — heavily defended or robust targets such as military units or installations. In addition, less-protected targets, such as civilians and civilian infrastructure, will generate a higher number of casualties and generate more media attention. Therefore, soft targets — lightly or undefended civilian targets and important symbols — more often are chosen by terrorists during this stage of the attack cycle.
Criminals use similar criteria when choosing their targets, although their operations are often not as complex. Criminals often select their targets based on vulnerability and lack of defenses or protection. Like terrorists, criminals use a rational cost/benefit analysis in selecting their targets, although for mentally imbalanced criminals, such as stalkers, the target selection process rarely follows
Selecting the Target
9
a rational pattern. Their targets are chosen based in large part on delusion or emotion.
All of the Sept. 11 targets selected by al Qaeda were highly symbolic, including the Pentagon. Had al Qaeda really wanted to impact the U.S. ability to conduct military operations, it would have attacked a communications or command and control node. Instead, the attack against the Pentagon did very little to disrupt the U.S. military capabilities on the day of the attack or in the days that followed. In fact, U.S. Secretary of Defense Donald Rumsfeld was able to give a press conference from one part of the building while the affected part still burned.
During the target selection phase, terrorists research potential targets. The depth and detail of the research varies with the group and the target selected. In recent years, the Internet has made this stage of the attack cycle much easier. By using any number of search engines, terrorists can obtain pictures, maps, histories and even satellite images of their targets. Activists such as anti-globalization groups or environmental groups are very good at conducting research, known as “electronic scouting,” over the Internet. After the information is gathered electronically, the
Courtesy of NICOLAS ASFOURI/AFP/Getty Images.Pakistani students speak on the telephone a few miles away from the scene of a bomb blast at Islamic International University in Islamabad on October 20, 2009.
10
plotters then conduct pre-operational surveillance of targets to determine which are the most vulnerable and desirable.
In recent years, embassies and diplomatic missions have been adapting to better deter and defend against terrorist attacks. In some parts of the world, Western embassies are practically fortresses, with thick, bullet-proof glass and concrete barriers to keep potential vehicle-borne improvised explosive devices (VBIEDs) away. More important, new embassies are constructed farther away from streets to provide them stand-off distance to lessen the impact of VBIEDs.
Because embassies have become hard targets, terrorists have turned to attacking hotels, which also are symbols of Western influence in many parts of the world. In many ways, large Western hotel chains have become today’s embassies. Lowering their highly visible profile by removing company signs and logos to discourage attacks would be contrary to most business practices, especially abroad.
Because they are soft targets, attacks against hotels can be expected to generate a high number of casualties, many of them Western tourists or business people. In November 2002, 15 people were killed when al Qaeda-linked suicide bombers attacked the Israeli-owned Paradise Hotel in Kilifi, Kenya. In August 2003, the Jemaah Islamiyah militant group attacked the JW Marriot in Jakarta, Indonesia, killing more than a dozen people and injuring more than 100. In July, four al Qaeda-linked suicide car bombers attacked hotels in Egypt’s Sharm el-Sheikh resort, killing 34 people.
The criteria used by terrorists to select their targets should be taken into account when developing anti-terrorism measures. Making a target less attractive — by reducing access to it, increasing security and defense measures, reducing the potential casualty count or by using countersurveillance to interrupt the attack cycle — could encourage terrorists to move on to another target that offers fewer challenges.
Anti-terrorism experts who say the key is not to be able to run faster than the bear, just faster than the other person, are right on target.
Terrorist attacks often require meticulous planning and preparation. As we have said, this process takes place in a six-stage attack cycle: target selection, planning, deployment, the attack, escape and exploitation. After a target is selected and surveilled, operational planning for the attack begins. When the planning stage is complete, the terrorists deploy for the actual attack — the point of no return.
In the deployment stage, the attackers will leave their safe houses, collect any weapons, assemble any improvised explosive devices being used, form into teams and move to the location of the target. If counterterrorism and law enforcement personnel have not stopped them by this point, the terrorists will press home their attack.
Once terrorists have deployed for the attack, the cycle is beyond stopping. In order to prevent an attack, in other words, counterterrorism personnel must interdict the plot before it reaches the deployment phase. Even if part of the cell
Deployment and Attack
11
carrying out the attack has been interdicted, the remaining members will still go on with their plan. In fact, they may be unaware that their colleagues have been apprehended. This was the case in the attack on the U.S. Consulate in Jeddah, Saudi Arabia in December 2004. The attack was planned with two attacking elements, but Saudi intelligence and anti-terrorism forces disrupted the larger of the two in advance of the operation, leaving only the smaller element — which still attacked the consulate. The second group quite possibly had no idea that the first one had been interdicted, and expected it to take part in the attack as planned.
In some cases, the selected target will still be attacked even if a previous attempt has failed. The October 2000 attack on the USS Cole in Aden harbor, Yemen, went forward despite the failure of a previous attempt against USS The Sullivans in the same harbor. The strike against The Sullivans failed when the attacking boat sunk under its own weight, but the tactic was successfully used 10 months later against the USS Cole.
Counterterrorism and intelligence agencies sometimes mistakenly assume that terrorists will refrain from attacking a target that has been attacked once before. As a result, intelligence collection, vigilance and security around that target may be decreased. This can have tragic consequences — as demonstrated by the
Courtesy of Mark Wilson/Getty Images.The USS Cole departs the Norfolk, Virginia on June 8, 2006 for the Middle East for the first time since it was bombed by terrorists in Yemen in 2000 killing 17 sailors.
12
repeated attacks on the World Trade Center and tourist resorts on the Indonesian resort island of Bali.
Incorrectly identifying the attacking element of a terrorist cell is another mistake. This happened in the November 2004 assassination of Dutch filmmaker Theo van Gogh by Mohammed Bouyeri, a Dutchman of Moroccan descent. Bouyeri had been under surveillance by Dutch authorities for his connection to the Hofstad Network, a group of individuals with jihadist sympathies in Holland. However, in the course of their surveillance, the Dutch investigators did not consider Bouyeri to be a threat; rather, they assumed that his role in the network was a logistical rather than an operational one, and shifted their attention to other suspects.
Once the attack stage begins, the only way to mitigate the level of death and/or destruction is for the intended victims to put in motion their pre-planned countermeasures. During the planning phase, terrorists seek to achieve tactical surprise — they have control over the time, place and method of attack. If the target is surprised and freezes like a deer in the headlights, the consequences will be dire. It is critical that the target realizes it is being attacked (this is called attack recognition) and takes immediate action to flee the attack zone.
Once the attack goes operational, for the most part it will be successful — and only effective protective security countermeasures can mitigate the blast effect or reduce the body count. More established groups, such as al Qaeda, factor in all visible security measures as part of their overall tactical plans, thus negating that factor as a means of protection. This can increase the number of casualties. Only by conducting drills, establishing safe havens, and practicing emergency action plans can those who occupy targeted locations have a chance of surviving an attack.
Terrorist attacks are made of six stages: target selection, planning, deployment, the attack, escape and exploitation. After the perpetrators successfully stage an attack, they will attempt to derive additional value from it by generating publicity. The goal — beyond flaunting the success and spreading the terror — is to gain wider support and sympathy from those most inclined to agree with the perpetrators’ goals and tactics. Brutal and well-publicized attacks also make it easier for terrorist or insurgent groups to collect “revolutionary taxes” — protection money — from farmers or businessmen in their areas of operation.
The best way to elicit widespread coverage, of course, is to carry out spectacular, brazen and particularly violent acts, or attacks against prominent people — meaning potential media reaction is considered during the first phase of the attack cycle, target selection. An attack against a prominent target or one carried out in a densely populated area with a probability of generating a high number of casualties makes more of a media impact than hitting a target who is not as well known or has less potential for producing shocking scenes of mass deaths and injuries.
Because of the built-in sensationalism, the media tacitly assists the terrorists in this goal by providing timely, sometimes around-the-clock coverage of attacks.
Media Exploitation
13
In some cases, the media actually contributes to the hype surrounding terrorist threats.
The Internet is having a new and dramatic impact on the way terrorist groups exploit their activities. By posting statements to certain Web sites, these groups are able to gain almost instant access to the world’s media. The Internet has been used in combination with the particularly graphic and brutal spectacle of beheadings. By posting the videos of beheadings on the Internet along with a statement, Abu Musab al-Zarqawi achieved a high degree of shock value and infamy. This notoriety catapulted him into the high-level leadership tier of the international jihadist movement.
An excellent example of a terrorist attack that became a media circus is the June 1985 hijacking of Trans World Airlines Flight 847. The flight from Athens to Rome was hijacked by terrorists demanding the release of Shiite Muslim prisoners from Israeli jails. The hijackers forced the crew to fly the Boeing 727 to Beirut, which was in the middle of a civil war. The hijackers then demanded to be flown to Algiers, Algeria, then back to Beirut, then back to Algiers and finally back to Beirut.
Courtesy of Courtney Kealy/Getty Images The Mukefaha, a Lebanese Army anti-terrorism special unit, train at the Beirut International Airport October 26, 2001. The same airport was the scene of the 1985 TWA Flight 847 hijacking.
14
During the three-day ordeal, the media were allowed to get close enough to the aircraft for the hijackers to issue statements and give interviews from an open cockpit window. At times, the hijackers brandished weapons for the media’s benefit and threatened to kill hostages. The most graphic coverage occurred during the second stop in Beirut, when the hijackers killed Robert Stethem, a 22-year-old U.S. Navy diver who had been on leave when the flight was hijacked. After discovering that he was a member of the U.S. military, the hijackers brutally beat Stethem, an event the plane’s pilot reported to controllers on the ground as it happened. The international media then broadcast recordings of the pilot’s report. During Flight 847s second stop in Beirut, the hijackers stood the barely conscious Stethem in the door of the aircraft, shot him in the head and dumped his body on the tarmac as international media recorded the event.
Well-publicized hijackings also can be exploited to gain the release of imprisoned comrades, as was the case with the December 1999 hijacking of an Air India flight from Kathmandu to New Delhi. After a stalemate on the runway in Kandahar, Afghanistan, the five-man hijacking crew succeeded in achieving the release of three of their fellow Kashmiri militants from prison in India, including Harkat-ul-Mujahideen leader Masood Azhar.
Media exploitation can work both ways, however. The United States makes an effort to report any possible rifts or friction within groups such as al Qaeda and the Taliban. These reports may be legitimate or part of a disinformation campaign, but either way the leaders of these groups must expend energy to refute false claims, or attempt to repair real rifts. This has been a significant part of the U.S. strategy against al Qaeda in Iraq and Afghanistan.
In early October, a Pentagon spokesman reported that al Qaeda’s second-in command Ayman al-Zawahiri had written a letter to al Qaeda in Iraq leader Abu Musab al-Zarqawi warning that the terrorist network is losing force in Afghanistan due to the loss of leadership figures, disruptions in its lines of communication and lack of funds. In the letter, al-Zawahiri reportedly criticized al-Zarqawi for committing acts that could alienate otherwise sympathetic Muslims.
In a purported letter to al Qaeda leader Osama bin Laden posted on Islamist Web sites in June, al-Zarqawi said his ability to conduct operations is dwindling and warned his group would have to move to another country — or members would have to die as martyrs — should the group be unable to assume control of Iraq. In May, U.S. forces in Iraq reported seizing a letter reportedly written by Abu Asim al-Qusaymi al-Yemeni, an al Qaeda operative in the country, addressed to “the Sheikh,” a name often used to refer to al-Zarqawi. In the letter, al-Yemeni, a member of al Qaeda in Iraq, criticizes “the Sheikh” for the incompetence of jihadist leaders and decreasing support for the movement.
By going to the media with these supposed rifts and deficiencies in the global jihadist movement, law enforcement and intelligence agencies hope to complicate the networks’ ability to operate. Militant leaders, then, must provide their own “spin” on the reports in order to downplay any purported weaknesses or disunity — or risk losing the confidence of their supporters.
15
STRATFOR Global Information Services
STRATFOR Global Information Services publishes intelligence, analysis and research for professionals in government, corporations and research institutions. For more than a decade, this information has helped customers monitor, track and manage political risk and instability around the world.
STRATFOR Global Information Services delivers information in three ways: via password protected websites, customized information and data feeds and customized briefings and presentations. More than 1 million professionals rely upon this information at organizations that range from The U.S. Air Force to Yale University to The Federal Reserve Bank of Atlanta and others.
STRATFOR Global Information Services700 Lavaca Street, Suite 900Austin, TX 78701Tel: 1-512-279-9462www.stratfor.com
Electronic deliveryReports are also available online by subscribing at www.stratfor.com.
Copyright© 2009 STRATFOR. All Rights Reserved. Neither this publication nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission of STRATFOR.
All information in this report is verified to the best of the author’s and the publisher’s ability. However, STRATFOR does not accept responsibility for any loss arising from reliance on it.
To learn more please contact Patrick Boykin, Vice President, by calling 1-512-279-9462.