NETWORK ANALYSIS TO PREVENT ATTACKS
A trademark of al Qaeda global operations is extensive prior preparation. Many of the larger operations have taken years to execute. This build-up period presents counter-terrorists with the opportunity to unearth potential members of the operational cell well prior to the "h-hour" of the op. These early discoveries, if handled correctly, can lead to the rest of the operational network. Unfortunately, most of our security systems are geared towards the immediate arrest and detention of suspects once they are identified. A smarter approach would be to identify, observe, and act only when a critical mass of the network has been identified -- very much like the approach used in financial or organized crime investigations. Perversely, new powers that enable law enforcement to arrest and detain suspected terrorists at will, in the hope of pressuring confessions in detention, work against us.
Valdis Krebs (an extremely talented analyst of terrorist networks -- which matters a lot in a field that is as much mindset as method) demonstrates this in a new article that details how the 9/11 network could have been unearthed based on the early 2000 discovery of two cell members (see Krebs, "Connecting the Dots"). In his example, he demonstrates how the careful tracking of connections between potential members -- money flows, e-mail/phone contact, and potential face-to-face contact -- can be mapped using social network analysis. Ties to known terrorists convert a suspected network into an active one. Connections of connections identify emerging network "leadership."
Action against the network should only be taken if a critical number of members have been identified (evidenced by diminishing returns from further investigation) or there is a sign of impending attack. These signs include:
- Increased activity in the network. Networks are dynamic, and the rate at which connections are activated is a critical data point.
- Reversal of money flows. This happens when excess funds not needed for an operation are removed to protect them from post-operation arrests.
- Large face-to-face meetings of key members. These meetings are infrequent (they may occur only once) to prevent discovery, but they are necessary for pre-action coordination. A "pulsed" face-to-face meeting is a significant signal of impending attack.
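The seed-and-expand mapping and the three warning signs above can be expressed as a small link-analysis routine. The following Python is an added illustration, not code from the post or from Krebs' article: it runs over a constructed weekly contact log (placeholder names "alpha", "bravo", "funder" and so on are assumptions, not real identifiers), expands outward from two "known" members, ranks the suspected set by ties inside it, and flags the three signals (a surge in contact rate, money edges that reverse an earlier transfer, and a large in-person gathering after a quiet spell).

```python
from collections import defaultdict

# Constructed sample log (not from the article): (week, source, target, kind, amount).
# Names are placeholders chosen for the example.
RECORDS = [
    (1, "funder", "alpha", "money", 5000),
    (1, "alpha", "bravo", "call", 0),
    (2, "alpha", "charlie", "email", 0),
    (2, "funder", "bravo", "money", 3000),
    (3, "bravo", "delta", "call", 0),
    (3, "alpha", "landlord", "call", 0),   # routine contact, probably innocent
    (4, "charlie", "echo", "email", 0),
    (5, "delta", "echo", "call", 0),
    (5, "echo", "foxtrot", "email", 0),    # two hops from the known pair
    (6, "charlie", "delta", "call", 0),
    (7, "alpha", "bravo", "call", 0),
    (8, "alpha", "echo", "email", 0),
    (8, "bravo", "charlie", "call", 0),
    (8, "delta", "alpha", "call", 0),
    (8, "echo", "bravo", "email", 0),
    (9, "alpha", "funder", "money", 4000),  # funds flowing back out of the cell
    (9, "bravo", "funder", "money", 2500),
    (9, "alpha", "bravo", "meet", 0),
    (9, "alpha", "charlie", "meet", 0),
    (9, "alpha", "delta", "meet", 0),
    (9, "alpha", "echo", "meet", 0),
]
KNOWN = {"alpha", "bravo"}  # the two members discovered early (assumed)


def build_graph(records):
    """Undirected adjacency: node -> set of everyone it had any tie with."""
    adj = defaultdict(set)
    for _, a, b, _, _ in records:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def expand(adj, known, hops=2):
    """Breadth-first expansion from known members; returns node -> hop distance.
    Hop 1 are direct contacts, hop 2 the 'connections of connections'."""
    dist = {n: 0 for n in known}
    frontier = set(known)
    for h in range(1, hops + 1):
        nxt = {m for n in frontier for m in adj[n] if m not in dist}
        for m in nxt:
            dist[m] = h
        frontier = nxt
    return dist


def leadership(adj, suspects):
    """Rank suspects by distinct ties inside the suspect set; hubs float to the top.
    Every tie counts the same here, so a landlord call weighs as much as a coded message."""
    return sorted(((len(adj[n] & suspects), n) for n in suspects), reverse=True)


def activity_per_week(records, suspects):
    """Number of non-money contacts between suspects in each week."""
    per = defaultdict(int)
    for w, a, b, kind, _ in records:
        if kind != "money" and a in suspects and b in suspects:
            per[w] += 1
    return dict(per)


def surge_weeks(per_week, factor=2.0, min_count=3):
    """Weeks whose contact count is at least factor x the mean of all earlier weeks.
    min_count stops a short, quiet baseline from making a single extra call look like a surge."""
    flagged, total, n = [], 0, 0
    for w in sorted(per_week):
        if n and per_week[w] >= min_count and per_week[w] >= factor * total / n:
            flagged.append(w)
        total += per_week[w]
        n += 1
    return flagged


def money_reversals(records):
    """Money edges that run opposite to an earlier transfer between the same pair."""
    seen, out = set(), []
    for w, a, b, kind, amt in sorted(records):
        if kind != "money":
            continue
        if (b, a) in seen:
            out.append((w, a, b, amt))
        seen.add((a, b))
    return out


def pulsed_meetings(records, suspects, min_size=3, quiet_weeks=4):
    """Weeks with a large in-person gathering of suspects and no meeting in the prior quiet_weeks."""
    attendees = defaultdict(set)
    for w, a, b, kind, _ in records:
        if kind == "meet" and a in suspects and b in suspects:
            attendees[w] |= {a, b}
    weeks = sorted(attendees)
    return [(w, sorted(attendees[w])) for w in weeks
            if len(attendees[w]) >= min_size
            and not any(w - quiet_weeks <= p < w for p in weeks)]


def assess(records, known):
    """Run the whole pipeline and return the signals an analyst would look at."""
    adj = build_graph(records)
    dist = expand(adj, known)
    suspects = set(dist)
    return {
        "suspects": dist,
        "leaders": leadership(adj, suspects)[:3],
        "surge_weeks": surge_weeks(activity_per_week(records, suspects)),
        "money_reversals": money_reversals(records),
        "pulsed_meetings": pulsed_meetings(records, suspects),
    }


if __name__ == "__main__":
    for k, v in assess(RECORDS, KNOWN).items():
        print(f"{k}: {v}")
```

On the constructed log the pipeline pulls in "foxtrot" at two hops, ranks "alpha" as the hub, and flags weeks 8 and 9 for a contact surge, the week-9 transfers back to "funder" as reversals, and the week-9 five-person meeting as a pulse. The ranking counts every tie equally; a practitioner would weight ties by kind and context before trusting it, since otherwise the innocent landlord call and a single coded message look alike.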
Valdis Krebs' article is interesting, but even he says that the social network analysis is written with 20/20 hindsight.
In order to "observe" the network of casual contacts, aliases and misspelled surnames, *before* an actual attack, you would need to construct a Big Brother surveillance police state, just like Saddam Hussein's Stalinist model.
Posted by: Watching Them, Watching Us | Thursday, 01 July 2004 at 10:25 AM
WTWU does not get it.
The FBI figured out who was in each Mafia family by starting with one or two known members and then using old-fashioned surveillance [not the Patriot Act] to unravel the connections. The same methods applied to the two San Diego hijackers would have provided much info/insight during the 18 months before 9/11.
There was eventually a mad dash by the FBI, in August 2001, to find these two. If they had had ongoing surveillance of them, and just a partial network map, they could have severely crippled [or caused to be cancelled] the 9/11 attacks.
Posted by: Valdis K | Thursday, 01 July 2004 at 11:18 AM
I still do not get it.
The only way that a network map of the plotters, with the level of detail that Valdis has drawn up, could have been created *before* the actual attack, would have been if at least one of the plotters was *already* an informer or agent provocateur or was under intensive covert surveillance by the authorities.
None of this was the case.
Only a police state could disrupt an attack by relying on a "partial network map" i.e. one based on a very incomplete picture, with no evidence of a specific terrorist target and no evidence that any of the plotters had access to illegal weapons etc.
A police state does not care about "evidence" or "false positives" - the innocent get arrested, tortured and killed along with the actual "global guerrilla" plotters. This should not be an option for Western democracies.
Intensive 24/7 covert surveillance of a terrorist suspect could easily require a team of 50 or more people, i.e. it is very expensive and is always in danger of tipping off the suspects - it is simply not feasible to devote such resources to "low level" suspects for a year or 18 months.
Here in Europe at least, the police and anti-terrorist agencies have been using graphical intelligence visualisation software since the mid-1980s, e.g. Analyst's Notebook from i2 or Watson from Xanlys, which provide automatic interfaces for analysing phone records, bank statements etc. and relatively easy ways to enter other data turned up during an actual investigation. Such software helps to create not only "friendship tree" maps but also timelines, which are needed to help to build a criminal case which can stand up in court.
One of the weaknesses of this whole network analysis approach is that very often there is no indication of the true strength of a connection between those caught up in the net e.g. - lots of mobile phone calls from a suspect to and from a particular number can be entirely innocent, yet a single instance of a short message using a code word could be a vital link in a conspiracy. Network analysis mapping will tend to give a false picture of these two events, and will tend to divert scarce investigative resources towards the innocent connection, dragging in all the innocent 3rd party's other mobile phone calls into the investigation as well, simply because it is easy to do so.
Even the most detailed of such network maps cannot predict the future or even determine the actual intentions of people who may be in contact with the suspects being investigated.
Posted by: Watching Them, Watching Us | Monday, 05 July 2004 at 11:13 AM
Define old-fashioned surveillance. I believe that special cases were made for organized crime investigations specifically designed to give the investigators more leeway on such activities.
So - label someone a potential member of an organized crime syndicate, and you get special privileges. Label someone as a potential terrorist and you get some special privileges as well.
Both seem rather difficult to control the abuse of to me - in one case you have names that end in vowels, in the other case you have people named after the prophet and his successors.
Posted by: bender | Friday, 16 July 2004 at 05:48 PM
What if a scenario such as this existed today, would this help in preventing terrorist attacks against "positive vector" members of our society (those that work for the good of themselves and are mostly honest and not networked for the purpose of doing evil to our society -- "negative vectors"):
If a big-brother-like system was implemented in an automated way, using computers to acquire, track, and interrogate vectors and feed potential terrorists to human agents for further investigation. Would that be a violation of our privacy? This type of software assisted analysis has been used in satellite target acquisition, breast cancer detection, oil drilling analysis, etc., so why not terrorist analysis?
If such a system were developed that could acquire thru passive biometrics (thermal facial scanning, etc.) and tracked through a network, it would be possible to know what suspects are physically visiting. Feed this information thru an expert system and look for rules and patterns and now you have a way to build a network diagram as it's forming. If innocent Bob just happens to cross paths with al-Terrorist and becomes a suspect himself (in software only) he will be pruned later, as his path will most likely never cross with al-Terrorist's again, either physically or via electronic surveillance (emails, IMs, phone, etc.), unless he really is part of the network. At each "crossing" his trust level goes down (meaning that he is likely not a "positive vector" but a potential negative one). Even if Bob later buys pot, buys porn, visits hookers, or engages in any other private activity, these will not trigger any rules and be brought out into the "public" view unless it's related to another known low-trust-level member of al-Terrorist's network.
Maybe something like this is what the "Virtual Borders" project is tasked to develop. I would much rather have an early detection system like this being started now and perfected through dev-cycles than to just rely on gum-shoe techniques and many-man-hour dedication of those that really want to weed the garden of "negative-vectors" so that the rest of us can lead our lives (which is a principal function of any Government).
Posted by: scott | Wednesday, 21 July 2004 at 01:44 PM
scott's scenario seems like a living hell, where the terrorists will have won, by destroying our core values regarding the rule of law, the presumption of innocence and the fundamental human right of privacy.
Treating everyone like a criminal suspect, and then acting against "negative-vectors" who have been judged and convicted by some automatic or semi-automatic system of panopticon surveillance using, inevitably secret criteria, is actually evil.
How can you ever be sure that such a repressive infrastructure will not, in the future, be subverted to target you, your family, your ethnic or religious group or people who support your particular political view?
You might be able to convince people to accept this if the consequences of being singled out as a possible terrorist suspect were entirely benign and had a trivial effect on your life if you are "innocent". In real life such a false positive accusation has horrendous consequences: false arrest, imprisonment, loss of employment, social vilification etc. if you are lucky enough to live in a Western democracy, and leads to death squads and torture if you do not.
Why do people think that there is some sort of technological fix to entrenched political problems ?
The "Virtual Borders" concept will remain as expensive "security theatre", something that politicians can point to to claim that they are "doing something". Does anyone seriously believe that such a project will totally eliminate smuggling across borders ? If it cannot, then it cannot stop terrorism either and it can never do anything about "home grown" terrorists who do not physically cross borders.
Posted by: Watching Them, Watching Us | Thursday, 22 July 2004 at 12:52 AM
I agree it could be a living hell, but will most likely become a reality if America becomes more like the Middle East, with increasing violence.
My point is that software should be used, in a research setting, to help as an indicator just like it is being used to point out interesting details to Oncologists screening for cancer or Geologists looking for resources under ground.
A report such as: X came into our country from Canada on a work visa 8 months ago, has been taking flying lessons, has met face-to-face with 3 other highly watched subjects-of-interest in the last three days before a holiday weekend, has rented a Ryder truck and is heading toward NYC.
If such a report were to exist and you or a family member worked in NYC, wouldn't you want it investigated? This doesn't mean that X is immediately arrested and enters into some Kafka nightmare, it just means that some human is given an electronic tap on the shoulder and asked to look into the activities X is involved in. Sure, X may have an interest in learning to fly and is helping a friend move to NYC over a three-day weekend, and that will come out in the investigation, but if it turns out he's wanted by Interpol...
Posted by: Scott | Sunday, 25 July 2004 at 05:30 PM