In the wake of the July 22 Oslo attacks, as I have talked with people in the United States and Europe, I have noticed two themes in the conversations. The first is the claim that the attacks came from an unexpected source and were therefore impossible to stop. The second theme is that detecting such attacks is the sole province of dedicated counterterrorism authorities.
As discussed in last week’s Security Weekly, even in so-called “unexpected” attacks there are specific operational tasks that must be executed in order to conduct an operation. Such tasks can be detected, and unexpected attacks emanating from lone wolf actors can indeed be thwarted if such indicators are being looked for. Alleged Oslo attack perpetrator Anders Breivik reportedly conducted several actions that would have made him vulnerable to detection had the authorities been vigilant and focused on those possible actions.
This is why it is critical to look at the mechanics of attacks in order to identify the steps that must be undertaken to complete them and then focus on identifying people taking such steps. Focusing on the “how” rather than the “who” is an effective way for authorities to get on the proactive side of the action/reaction continuum.
Considering this concept of focusing on the how, one quickly reaches a convergence with the second theme, which involves the role and capabilities of dedicated counterterrorism resources. The primary agency tasked with counterterrorism in most countries tends to have limited resources that are stretched thin trying to cover known or suspected threats. These agencies simply do not have the manpower to look for attack-planning indicators — especially in a world where militant actors are increasingly adopting the leaderless-resistance model, which is designed to avoid detection by counterterrorism forces.
When these factors are combined they highlight the fact that, as the threat posed by militants adhering to the leaderless-resistance model (whom we frequently refer to as “grassroots militants”) increases, so does the need for grassroots defenders.
As we noted last week, Breivik’s concept of self-appointed and anonymous “Justiciar Knights” who operate as lone wolves or in small phantom cells is not a unique concept. Breivik was clearly influenced by the militant-group case studies he outlined in his manifesto. In recent decades, governments have become fairly efficient at identifying and gathering intelligence on known groups that pose a threat to conduct violent attacks. This is especially true in the realm of technical intelligence, where dramatic increases have been made in the ability to capture and process huge amounts of data from landline, cellphone and Internet communications, but governments have also become quite adept at penetrating militant groups and recruiting informants. Even before 9/11, government successes against militant groups had led white supremacist groups and militant animal-rights and environmentalist groups to adopt a leaderless resistance model for their violent and illegal activities.
In the post-9/11 world, intelligence and security services have dramatically increased the resources dedicated to counterterrorism, and the efforts of these services have proved very effective when focused on known organizations and individuals. Indeed, in recent years we have seen a trend where jihadist groups like al Qaeda and its franchises have encouraged aspiring militants to undertake lone wolf and small cell activities rather than travel to places like Pakistan and Yemen to link up with the groups and receive training in terrorist tradecraft. For several years now, STRATFOR has emphasized the nature of this decentralized threat.
We see no sign of this trend toward leaderless resistance reversing in the near future, and our forecast is that the grassroots threat will continue to grow, not only from the jihadist realm but also from far-right and far-left actors.
As noted above, most counterterrorism intelligence efforts have been designed to identify and track people with links to known militant groups, and in that regard they are fairly effective. However, they have been largely ineffective in identifying grassroots militants. The focus on identifying and monitoring the activities of someone connected to a known militant group is understandable given that operatives connected to groups such as Hezbollah or al Qaeda have access to much better training and far greater resources than their grassroots counterparts. In general, militants linked to organizations pose a more severe threat than do most grassroots militants, and thus counterterrorism agencies focus much of their attention on the more potent threat.
That said, grassroots operatives can and do kill people. Although they tend to focus on softer targets than operatives connected to larger groups, some grassroots attacks have been quite deadly. The July 2005 London bombings, for example, killed 52 people, and Breivik was able to kill 77 in his twin attacks in Norway.
One problem for most counterterrorism agencies is that counterterrorism is not their sole (and in some cases even primary) mission. Often, such as the case with MI5 in the United Kingdom, the primary counterterrorism agency also has substantial foreign counterintelligence responsibilities. In the case of the FBI, it has not only counterterrorism and foreign counterintelligence missions but also a host of other responsibilities such as investigating bank robberies, kidnappings, white-collar crime, cyber crimes and public corruption.
The resources of the primary counterterrorism agencies are also quite finite. For example, the FBI has fewer than 14,000 special agents to fulfill its many responsibilities, and while counterterrorism has become its top mission in the post-9/11 era, only a portion of its agents (estimated to be between 2,500 and 3,000) are assigned to counterterrorism investigations at any one time.
Counterterrorism investigations can also be very labor intensive. Even in a case where a subject is under electronic surveillance, it takes a great deal of manpower to file all the paperwork required for the court orders, monitor the surveillance equipment and, if necessary, translate conversations picked up from the surveillance efforts and run down and or task out additional investigative leads developed during the monitoring. Seemingly little things like conducting a “trash cover” on the subject (sifting through the trash a subject places out on the curb for evidence and intelligence) can add hours of investigative effort every week. If full physical and electronic surveillance is put in place on a subject, such a 24/7 operation can tie up as many as 100 special agents, surveillance operatives, technicians, photographers, analysts, interpreters and supervisors.
Again, given the potential threat posed by known or suspected al Qaeda, Hezbollah or, currently, Libyan government operatives, it is understandable why so many resources would be devoted to investigating and neutralizing that potential threat. However, the problem with this focus on known actors is that it leaves very little resources for proactive counterterrorism tasks such as looking for signs of potential operational activities such as preoperational surveillance or weapons acquisition conducted by previously unknown individuals. Indeed, this is a huge undertaking for agencies with limited resources.
Furthermore, in the case of a lone wolf or small cell, there simply may not be any clear-cut chain of command, a specific building to target or a communication network to compromise — the specialties of Western intelligence agencies. The leaderless-resistance organization is, by design, nebulous and hard to map and quantify. This lack of structure and communication poses a problem for Western counterterrorism agencies, as Breivik accurately noted in his manifesto. Also, since this grassroots threat emanates from a large variety of actors, it is impossible to profile potential militants based on race, religion or ethnicity. Instead, their actions must be scrutinized.
All grassroots militants engage in activities that make their plots vulnerable to detection. Due to the limited number of dedicated counterterrorism practitioners, these mistakes are far more likely to be witnessed by someone other than an FBI or MI5 agent. This fact highlights the importance of what we call grassroots defenders, that is, a decentralized network of people practicing situational awareness who notice and report possible indications of terrorist behavior such as acquiring weapons, building bombs and conducting preoperational surveillance.
Clearly, the most important pool of grassroots defenders is ordinary police officers on patrol. While there are fewer than 14,000 FBI agents in the entire United States, there are some 34,000 officers in the New York City Police Department alone and an estimated 800,000 local and state police officers across the United States. While the vast majority of these officers are not assigned primarily to investigate terrorism, they often find themselves in a position to encounter grassroots militants who make operational security errors or are in the process of committing crimes in advance of an attack, such as document fraud, illegally obtaining weapons or illegally raising funds for an attack.
In July 2005, police in Torrance, Calif., thwarted a grassroots plot that came to light during an investigation of a string of armed robberies. After arresting one suspect, Levar Haney Washington, police searching his apartment uncovered material indicating that Washington was part of a small jihadist cell that was planning to attack a number of targets. Hezbollah’s multimillion-dollar cigarette-smuggling network was uncovered when a sharp North Carolina sheriff’s deputy found the group’s activities suspicious and tipped off the Bureau of Alcohol, Tobacco and Firearms and Explosives, thus launching the massive “Operation Smokescreen” investigation.
Traffic stops by regular cops also have identified several potential grassroots jihadists. In August 2007, two Middle Eastern men stopped by a sheriff’s deputy for speeding near Goose Creek, S.C., were charged with possession of a destructive device. Likewise, a traffic stop by a police officer in September 2001 in Alexandria, Va., led to an investigation that uncovered the so-called Virginia Jihad Network. At the time of the 9/11 attacks, the operation’s leader, Mohamed Atta, was the subject of an outstanding bench warrant for failing to appear in court after being stopped for driving without a license. More recently, in May 2011 we saw the New York Police Department disrupt an alleged jihadist plot. Then in June, the Seattle Police Department detected a plot that it thwarted with the cooperation of the FBI. Both of these plots were disrupted during the weapons-acquisition phase.
In some countries, networks have been established to promote this concept of heightened local-police vigilance and to provide training for officers and crime analysts. The U.S. government has established something it calls the National Suspicious Activity Reporting Initiative, which is an attempt to provide local police with training to optimize their situational awareness and to help them collect and analyze information pertaining to potential terrorist-planning activity and then to share that information with other agencies enrolled in the program. However, the initiative has only a handful of state and local law enforcement agencies participating at the present time.
But police are not the only grassroots defenders. Other people such as neighbors, store clerks, landlords and motel managers can also find themselves in a position to notice operational planning activities. Such activities can include purchasing bombmaking components and firearms, creating improvised explosive mixtures and conducting preoperational surveillance. On July 27, 2011, an alert clerk at a gun store in Killeen, Texas, called the local police after a man who came into the store to buy smokeless powder exhibited an unusual demeanor. They located the individual and after questioning him learned he was planning to detonate an improvised explosive device and conduct an armed assault against a local Killeen restaurant popular with soldiers from nearby Fort Hood. The clerk’s situational awareness and his decision to call the police likely saved many lives.
And it’s important to remember than an alert street vendor was the first person to sound the alarm in the failed May 2010 Times Square bombing attempt, and it was a concerned family member who provided authorities with the information to thwart a planned November 2010 attack against a Christmas tree lighting ceremony in Portland, Oregon.
Ordinary citizens exercising situational awareness can and have saved lives. This reality has been the driving force behind programs like the New York Police Department’s “If You See Something, Say Something” campaign. This program was subsequently adopted by the U.S. Department of Homeland Security as a means of encouraging citizens to report potential terrorist behavior.
There is one other factor to consider. As we have previously discussed, counterterrorism spending comes in a perceptible boom-and-bust cycle. Next month will mark the 10th anniversary of the 9/11 attacks. Since those attacks there has not been a successful large-scale terrorist attack on U.S. soil. This, along with the budget problems the United States is facing, will increase the current downward trend of counterterrorism funding in the United States and accentuate the need for more grassroots defenders.