By Scott Stewart
Over the past several weeks, the Paris, Bamako and San Bernardino attacks have focused my writing on armed assaults. I've written about how, contrary to the hype, armed assaults are not a new tactic, and the threat they pose should not be allowed to push politicians to rashly adopt security measures that undermine personal liberties while doing little to actually keep people safe. I have also written about ways that security forces and individuals can respond to such attacks to help mitigate their impact. Finally, I discussed how advances in medical equipment and the procedures followed by medical first responders and trauma centers have helped to save the lives of many armed assault victims.
But all of these themes are reactive and do very little to help prevent such attacks. However, while I've been writing on these reactive topics, I have also been working with a team to forge a new Stratfor product that focuses on protective intelligence, which is inherently proactive. The confluence of these two concepts — armed assaults and protective intelligence — has me again thinking about ways to prevent armed assaults rather than merely responding to them. Obviously, prevention is always better than mitigation.
The first step in working to prevent any type of attack is to understand how such attacks are conducted. This pertains not just to the tactics and techniques used in the actual attack but also to the planning process that must occur before the attack can be launched. Viewing attacks as the result of a discernible planning process — what we refer to as the terrorist attack cycle — and then breaking that process into its distinct phases and tasks makes it possible to identify times during the attack cycle when those conducting it are vulnerable to detection.
Different types of actors carried out the recent armed assaults. The operatives in the Paris attacks had received small-arms training at camps in Syria and had fought in Syria and Iraq, but the San Bernardino attackers were grassroots jihadists who had not received such training. However, despite differences in their levels of training and experience, all actors must follow the same steps if they are going to plan an attack. Individuals who have received advanced training in terrorist tradecraft skills such as pre-operational surveillance are likely to be more sophisticated during the attack cycle than untrained individuals, but training does not absolve them of having to follow it.
Sometimes individuals do conduct ill-conceived and poorly executed attacks that involve shortcuts in the planning process. But this type of spur-of-the-moment attack is usually associated with mentally disturbed individuals rather than terrorists. It is extremely rare for a terrorist to conduct a spontaneous attack without first following the steps of the attack cycle.
Furthermore, the cycle is independent of ideology. It does not matter if the person planning an attack is a white supremacist, a radical environmentalist, a grassroots jihadist or a member of the al Qaeda core. They must all follow the same steps, accomplish the same tasks and operate in the same predictable areas. Understanding this helps to guard against different types and levels of threats.
Protective intelligence is the process of studying the attack cycle and using an understanding of the cycle to proactively identify, assess and mitigate potential threats. Protective intelligence practitioners carefully study the tactics, tradecraft and behavior associated with militant actors. This then allows security teams to search for and identify elements of those tactics and behaviors that can provide indications of attack planning prior to the launch of an assault. Many of these indicators are not inherently criminal. For example, visiting a public building and observing security measures or standing on the street to watch the arrival of a VIP at an office building are not illegal, but they could indicate that someone is plotting an attack. Even in cases where such behaviors cannot be stopped legally, steps can be taken to identify the potential assailants and let them know that they have been detected, or measures can be put in place to help mitigate the threat.
Some of the points during the attack cycle when potential attackers are most vulnerable to detection are during surveillance, while they are acquiring weapons or building bombs, and while they are testing bomb components. There are other, less obvious points when people on the lookout can spot preparations for an attack, such as while the potential assailants are training for an attack or even during pre-attack deployment.
To really understand the intricacies involved in planning attacks, protective intelligence practitioners cannot simply acknowledge that something like surveillance occurs. They must carefully deconstruct the activity to gain an in-depth understanding of it. Dissecting an activity like pre-operational surveillance requires not only examining aspects such as the demeanor demonstrated by those conducting surveillance and the specific methods and cover used; it also requires identifying particular times when surveillance is most likely and noting certain optimal vantage points (called "perches" in surveillance jargon) from which a surveillant is most likely to observe a specific facility or event. This complex understanding of surveillance can then be used to help focus human or technological countersurveillance efforts to make them most effective. This same type of deconstruction must be done for every step and activity of the planning process.
Applying Knowledge Proactively
But in many cases, especially those involving grassroots jihadists and other poorly trained operatives, the selected target will not have the kind of formal protective intelligence assets mentioned above. Attackers with little training tend to avoid targets that have robust security and countersurveillance teams. Does this mean that armed assaults against such soft targets can't be stopped? The answer is an emphatic no.
Even though there are no formal security teams watching for signs of hostile surveillance at soft targets, aspiring attackers still need to conduct pre-operational surveillance, and this activity is vulnerable to detection by an outside observer. Such observation is aided by the fact that most terrorist operatives practice poor surveillance technique and exhibit terrible demeanor while conducting it — and grassroots terrorists tend to display even worse demeanor than professionals. This opens them up to detection by what I refer to as "grassroots defenders" — ordinary citizens who practice good situational awareness and who report people engaged in suspicious activity such as building or testing bombs, suspiciously acquiring weapons or conducting pre-operational surveillance. I also consider regular police officers to be important grassroots defenders. Attentive police officers on patrol and conducting traffic stops have discovered and thwarted a number of terrorist plots.
It is important to note here that grassroots defenders are not vigilantes, and this is not a call to institute the type of paranoid informant network that existed in East Germany. It is also not a call to Islamophobia; indeed, the Muslim community is an important component of grassroots defense, and many plots have been thwarted based on tips from the Muslim community. Grassroots defenders are simply citizens who possess the proper mindset to take responsibility for their own security and the security of others and who report possible terrorist behavior to the authorities. Some have scoffed at the "If you see something, say something" campaign, but the principle works, especially when people are educated about terrorist behavior — one of our goals at Stratfor.
If people know what they are looking for, it is often possible to tell if your neighbor is making bombs, or if someone is involved in other pre-operational activity. But aside from such discreet indicators, there are frequently far more overt signs. It is very common after an attack to hear witnesses talk about how the attacker had made threats or had showed signs of becoming increasingly radicalized. Reporting such signs to the authorities can stop — and has stopped —attacks.
One recent example of a grassroots defender saving lives by preventing an armed assault was when a concerned citizen called the police department in Waseca, Minnesota, to report a person with a suspicious demeanor entering a storage facility. When police responded, they found that the suspect was storing gunpowder, pyrotechnic chemicals, a pressure cooker, steel ball bearings and other items used in bombmaking inside the locker. After interviewing the suspect, 17-year-old John LaDue, the police learned that he was planning a Columbine-style gun and bomb attack against his school.
In another example, an alert gun store employee in Killeen, Texas, called the police after a customer behaved suspiciously while purchasing a large quantity of smokeless powder. The police were able to track the suspect based on the license plate the employee provided. Their investigation determined that the subject, Pfc. Naser Jason Abdo, was an Army deserter who had planned to conduct a bombing and armed assault against a Killeen restaurant frequented by soldiers from the nearby Fort Hood.
Obviously, not every person lurking suspiciously outside a shopping mall is a terrorist, and not every small explosion indicates terrorist bombmaking activity. But reporting such incidents to the authorities will give them an opportunity to investigate and determine whether the incidents are innocuous or sinister. The grassroots threat may be amorphous, but it is not invisible; it can be detected and stopped.