A trademark of al Qaeda global operations is extensive prior preparation. Many of the larger operations have taken years to execute. This build-up period presents counter-terrorists with the opportunity to unearth potential members of the operational cell well prior to the "h-hour of the op." These early discoveries, if handled correctly, can lead to the members of the rest of the operational network. Unfortunately, most of our security systems are geared towards the immediate arrest and detention of suspects, once identified. A smarter approach would be to identify, observe, and act (only when a critical mass of the network is identified) -- very much like the approach used in financial or organized crime investigations. Perversely, new powers that enable law enforcement to arrest and detain suspected terrorists at will, with the hope of pressuring confessions in detention, work against us.
Valdis Krebs (an extremely talented analyst of terrorist networks -- which matters a lot in a field that is as much mindset as method) demonstrates this in a new article that details how the 9/11 network could have been unearthed based on the early 2000 discovery of 2 cell members (see Krebs, "Connecting the Dots"). In his example, he demonstrates how the careful tracking of connections between potential members -- money flows, e-mail/phone contact, and potential face-to-face contact -- can be mapped using social network analysis. Ties to known terrorists convert a suspected network into an active one. Connections of connections identify emerging network "leadership."
Action against the network should only be taken if a critical number of members have been identified (evidenced by diminishing returns from further investigation) or there is a sign of impending attack. These signs include:
- Increased activity in the network. Networks are dynamic and the rate of connection activation is a critical data point.
- Reversal of money flows. This happens when excess funds not needed for an operation are removed for protection from post-operation arrests.
- Large face-to-face meetings of key members. These meetings are infrequent (they may only occur once) to prevent discovery but are necessary for pre-action coordination. A "pulsed" face-to-face meeting is a significant signal of impending attack.
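
As an added illustration (not code from Krebs's article or from this post), the Python example below maps constructed contact records into a tie graph, scores each node by its connections of connections, and computes two of the signals listed above: contacts per time window and reversed money flows. The node names, the record layout, the 10-day window, and the use of two-hop reach as the "connections of connections" measure are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed observations (day, kind, source, target); all names are invented.
# In "money" rows the source pays the target.
OBSERVATIONS = [
    (2, "phone", "seed_a", "seed_b"),
    (14, "money", "n1", "seed_b"),
    (27, "email", "n1", "n3"),
    (38, "phone", "n1", "n4"),
    (51, "phone", "n3", "n5"),
    (83, "email", "n4", "n2"),
    (85, "phone", "n2", "n5"),
    (86, "meeting", "n1", "n3"),
    (88, "money", "seed_b", "n1"),
]

def build_graph(obs):
    """Undirected tie graph: node -> set of directly connected nodes."""
    graph = defaultdict(set)
    for _, _, a, b in obs:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def two_step_reach(graph, node):
    """Distinct nodes within two hops (assumed 'connections of connections' score)."""
    reach = set(graph[node])
    for neighbour in graph[node]:
        reach |= graph[neighbour]
    reach.discard(node)
    return len(reach)

def activations_per_window(obs, window=10):
    """Rate of connection activation: observed contacts per `window`-day bucket."""
    counts = defaultdict(int)
    for day, *_ in obs:
        counts[day // window] += 1
    return dict(counts)

def money_reversals(obs):
    """(payer, recipient) pairs whose money flow was later seen running backwards."""
    money = [(a, b) for _, kind, a, b in sorted(obs) if kind == "money"]
    return [(b, a) for i, (a, b) in enumerate(money) if (b, a) in money[:i]]

if __name__ == "__main__":
    graph = build_graph(OBSERVATIONS)
    print(sorted(graph, key=lambda n: -two_step_reach(graph, n)))
    print(activations_per_window(OBSERVATIONS), money_reversals(OBSERVATIONS))
```

On this constructed data the two seed nodes score low while `n1`, found only by following ties outward, reaches every other node within two hops; the final window also shows both the jump in contacts and the reversed payment.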