Why Some Terrorist Attacks Succeed and Others Fail

In "Underlying Reasons for Success and Failure of Terrorist Attacks: Selected Case Studies" (Homeland Security Institute, June 2007), the authors examine eight recent terrorist plots against commercial aviation and passenger rail, and come to some interesting conclusions.

From the "Executive Summary":

The analytic results indicated that the most influential factors determining the success or failure of a terrorist attack are those that occur in the pre-execution phases. While safeguards and controls at airports and rail stations are critical, they are most effective when coupled with factors that can be leveraged to detect the plot in the planning stages. These factors include:
  • Poor terrorist operational security (OPSEC). The case studies indicate that even plots that are otherwise well-planned and operationally sound will fail if there is a lack of attention to OPSEC. Security services cannot "cause" poor OPSEC, but they can create the proper conditions to capitalize on it when it occurs.

  • Observant public and vigilant security services. OPSEC breaches are a significant factor only if they are noticed. In cases where the public was sensitive to suspicious behavior, lapses in OPSEC were brought to the attention of authorities by ordinary citizens. However, the authorities must likewise be vigilant and recognize the value of unexpected information that may seem unimportant, but actually provides the opening to interdict a planned attack.

  • Terrorist profile indicators. Awareness of and sensitivity to behavioral indicators, certain activities, or past involvement with extremist elements can help alert an observant public and help a vigilant security apparatus recognize a potential cell of terrorist plotters.

  • Law enforcement or intelligence information sharing. Naturally, if security services are aware of an impending attack they will be better able to interdict it. The key, as stated above, is to recognize the value of information that may seem unimportant but warrants further investigation. Security services may not recognize the context into which a certain piece of information fits, but by sharing with other organizations more parts of the puzzle can be pieced together. Information should be shared laterally, with counterpart organizations; downward, with local law enforcement, who can serve as collectors of information; and with higher elements capable of conducting detailed analysis. Intelligence collection and analysis are relatively new functions for law enforcement. Training is a key element in their ability to recognize and respond to indicators.

  • International cooperation. Nearly all terrorist plots, including most of those studied for this project, have an international connection. This could include overseas support elements, training camps, or movement of funds. The sharing of information among allies appears from our analysis to have a positive impact on interdicting attack plans as well as apprehending members of larger networks.

I especially like this quote, which echoes what I've been saying for a long time now:

One phenomenon stands out: terrorists are rarely caught in the act during the execution phase of an operation, other than instances in which their equipment or weapons fail. Rather, plots are most often foiled during the pre-execution phases.

Intelligence, investigation, and emergency response: that's where we should be spending our counterterrorism dollar. Defending the targets is rarely the right answer.

Posted on February 28, 2008 at 6:25 AM • 29 Comments

Comments

Nick Lancaster • February 28, 2008 7:03 AM

It's the concept of 'defense in depth,' and it's not some high, arcane art. Sports teams do it all the time, adjusting their coverage to an opposing team's plays or a specific player's abilities.


Dr. Seltsam • February 28, 2008 7:29 AM

The considerable number of thwarted terrorist attacks fit nicely into the context. Of course it's very kind of DHS to pinpoint in such a clear way all the things terrorists need to improve to better their "success rate".

Lyle • February 28, 2008 7:33 AM

"Security services cannot "cause" poor OPSEC, but they can create the proper conditions to capitalize on it when it occurs."

I have long maintained that this is the (unstated) purpose of the 3-1-1 requirements.

David • February 28, 2008 7:50 AM

This seems like a bit of a chicken and the egg argument. If we spend less money on defending the target, then the pre-execution phase becomes simpler and our chances of catching an OPSEC mistake become lower.

Bob Ross • February 28, 2008 8:31 AM

In the interest of full disclosure, I was the sponsor for this study.

This is in response to some of the earlier comments. With regard to David's comments, there is no suggestion in this study that "defending the target" is inherently wrong or that it has no value. To the contrary, due to terrorist pre-op surveillance, it may be that the biggest impact of defending a target is that the defenses are detected and that this causes the terrorists to shift to an easier target or otherwise change their plans. Hopefully, any new target is of less value to us than the one being protected. This target-shifting phenomenon is not new. It is why people install burglar alarms on their homes - not to end burglary but to encourage any would-be burglars to rob the house next-door. Of course, we can't afford to protect every target - we must concentrate, in a phrase used by former DHS Deputy Secretary Admiral Jim Loy, on "the critical few rather than the important many." As shown in a RAND study which I also sponsored, terrorists do pay attention to security measures and respond to avoid or defeat them or, even worse, to exploit security measures in ways which turn them into new vulnerabilities for the good guys. As a result, it makes little sense to develop very costly, but easily defeated, defensive security measures. This RAND report is called "Breeching the Fortress Wall." It is available on-line at www.rand.org. With regard to Dr. Seltsam's comment, terrorists pretty much already know what they need to know in order to improve their attacks - at a minimum, this kind of info is available on-line and in any number of terrorist training manuals produced by al Qaeda and others.

Foolish Jordan • February 28, 2008 8:41 AM

"The key ... is to recognize the value of information that may seem unimportant but warrants further investigation."

Of course that's the key, but it's a lot easier to say than to do. Most information that seems unimportant IS unimportant. How do they propose we tell the difference?

Aaron Temin • February 28, 2008 8:59 AM

Perhaps I mis-read the intention, but the last sentence of this post bothers me. I would certainly agree that only defending the targets (and not doing any of the other defensive activities) is not very effective. However, if the targets are completely undefended, I would think that it would be so easy for them to be attacked that the amount of effort and time required for planning would be so reduced that detection of pre-planning (intelligence, investigation) would be a lot more difficult to do. (I'm not advocating security theater; but I think some defense of targets is a positive deterrent, if only indirectly by making intelligence and investigation more effective).

Carlo Graziani • February 28, 2008 9:05 AM

The part that sounds most poorly thought-out --- or at least with the greatest potential for mischief --- is the reliance on "ordinary citizens" to catch and report signs of incipient terrorist activity. We already know that this is a prescription for generating a huge amount of noise with very little signal embedded in it.

The costs --- law-enforcement drowning in a welter of crap tips, police freak-out behavior due to someone noticing funny-looking trash in a bin, people with unfamiliar names, dress, or habits getting turned in as terrorist plotters, etc. --- really outweigh the benefits of maybe someone recognizing something real. There's no sign of such a cost-benefit analysis of the effect of encouraging public alertness to terrorist activity in this report, so far as I can see.

Damon • February 28, 2008 9:53 AM

Bruce says: "Intelligence, investigation, and emergency response: that's where we should be spending our counterterrorism dollar. Defending the targets is rarely the right answer."

The ordering of these 3 is natural because that is their temporal ordering, but I think emergency response is an order of magnitude more important than the other two.

This study is more rational than most of the public discussion regarding terrorism, but it is still too much. The hysteria since 9/11 really needs to be fought at the grassroots -- we need to tell the Powers That Be that there are more important things. The advantages of FUD-mongering for officials and the media make it unlikely that they will ever choose to say "Listen, it's not as big a deal as obesity in America."

The infuriating thing to me is that much of the wasted efforts to stop terrorism are worse than security theatre, they are making us *less* safe.

Emergency response has the advantage that it helps even if there is never another terrorist attack.

SoWireTapsWork • February 28, 2008 10:04 AM

> One phenomenon stands out: terrorists are rarely caught in the act during the execution phase of an operation…

Pretty hard to arrest a guy with a bomb strapped to his chest.

USA not OK • February 28, 2008 10:25 AM

@SoWireTapsWork

So how many of these guys with bombs strapped to their chest have there been in the USA?

Eam • February 28, 2008 10:43 AM

@David: "This seems like a bit of a chicken and the egg argument. If we spend less money on defending the target, then the pre-execution phase becomes simpler and our chances of catching an OPSEC mistake become lower."

Interesting point, but it doesn't hold up in the context of new "security" measures.

Allowing people to keep their shoes on and carry liquids through airport checkpoints would not simplify the pre-execution phase of any terrorist plot against an airplane.

Similarly, random baggage screening at train stations is not going to make the pre-execution phase of any plot significantly harder. If you want to take out a train, you attack it on the tracks in a remote location.

On the other hand, if there were no security checkpoints or police patrols at all through airports, you'd be absolutely correct in saying that an attack would be easier to plan.

George • February 28, 2008 11:02 AM

@Bruce: Intelligence, investigation, and emergency response: that's where we should be spending our counterterrorism dollar. Defending the targets is rarely the right answer.

You're of course assuming that the purpose of "defending the targets" (e.g., TSA screening at airports) actually is to protect the targets. In the case of the TSA, I am increasingly convinced that's not the real purpose of the unduly intrusive and by all known measures ineffective screening.

One would think the administration would be embarrassed by subjecting millions of passengers to a reminder of the spectacular success Mohammed Atta and his gang of thugs have enjoyed, not only in destroying the Trade Center towers but in creating a permanent and very costly disruption to travel.

But what if the real intent isn't to "defend the target" at all? What if the real intent is to condition a formerly freedom-loving people into accepting (and even welcoming) intrusive TSA-style security checkpoints so they can eventually expand far beyond airports and become pervasive? Yes, the transition is a bit rough and people are grumbling. But as people accept arrogant and arbitrary intrusions (including warrantless wiretaps and National Security letters that let officials snoop whenever and wherever they want) as a fact of life about which they can do nothing, the grumbling will eventually turn to a numbed, resigned acceptance. Some people will even be grateful for and truly comforted by the "protection" the pervasive security provides-- they will be the reliable hecklers ready to shout down the few remaining people who question it. Then the administration will be free to expand its Security State with minimal protest.

Yes, that's a bit paranoid. But it seems as likely an explanation as any for the administration's apparent preference for highly visible, highly intrusive "security theater." The actual protection it provides may be minimal, but it's highly effective as propaganda to keep the population terrified into accepting the transformation of the constitutional form of government into a Unitary Executive.

Anonymous • February 28, 2008 11:16 AM

@Eam

"On the other hand, if there were no security checkpoints or police patrols at all through airports, you'd be absolutely correct in saying that an attack would be easier to plan."

I remain to be convinced. If I was thinking of attacking something, I'd want some pretty good information, and do detailed planning beforehand -- regardless of whether or not security was present. The quintessential example is Atta and the rest of the 911 gang: as far as they were concerned, airports were completely undefended. (And they remain in this state today.) Yet all reports agree they spent many months putting it all together. Whatever difficulty they had penetrating the security perimeter, it was certainly the least of their problems.

Anonymous • February 28, 2008 1:11 PM

@ Bob Ross

"Breeching" should be "Breaching", and looking at the website, it is.

Whew.

The mental image for "breeching" a fortress wall was just too strange:
breech: v.t.
1. to put into breeches.
2. to whip on the breech.
3. to fasten with a breeching (a strap around the hindquarters).
4. to equip with a breech.

Clive Robinson • February 28, 2008 1:25 PM

@Bruce,

"Intelligence, investigation, and emergency response: that's where we should be spending our counterterrorism dollar."

I wholeheartedly agree with this however you have left off two,

1, Improve inter agency communications.
2, Improve standard of training of operatives.

In almost all cases these are woefully ignored with predictable results.

In the U.K. we had a spectacular failure of all three of your points that resulted in an innocent man having his head blown off on an underground train by Police Officers.

There were some very significant lessons to be learned from the failure.

However a couple of "internal investigations" and a health and safety court case later we are left with the feeling that nothing that was learned has been implemented (unfortunately the Judge that found the Met Police guilty only gave a token fine, if he had made it 20% of their annual budget they might just have taken it all onboard).

The base roots of the failure appear to be "communications" and "training".

The advantage of lots of armed guards running around protecting a fixed target is that you the individual have a degree of choice as to if you enter the area or not. If you keep out statistically your life chances have improved (marginally). So the DHS way might be better from an individual's point of view in that they have an avoidance choice to get all warm and fuzzy about...

John Davies • February 28, 2008 2:09 PM

@Bruce,

"Intelligence, investigation, and emergency response: that's where we should be spending our counterterrorism dollar."

If you're only worried about saving lives then you could make a good case for spending your counter terrorism dollars on improving road safety or reducing obesity or ...

I confidently predict that will never happen though :)

gatopeich • February 28, 2008 2:45 PM

My 2c of unimportant information...

So we talk the talk, but do we walk the walk?

Apart, it itches me the idea of formerly-unprepared regular policemen put to the task of "smelling terrorism".

Andrew • February 28, 2008 9:30 PM

As someone who is on the front lines of this little charade, at least in theory, let me comment that all the intelligence sharing tends to be one way -- from the beat to the suite, but almost never the other way around. The few warnings we get are cryptic, nonspecific and often so vague as to be worthless.

Spending more money on emergency response saves lives NOW . . . more police, medics, firefighters, helicopters, etc. and better coordination for major mass casualty incidents, which shockingly enough are rarely caused by terrorism.

As for intelligence and investigation money, who knows where it goes?

If I had only a few pennies to spend on the problem, I'd randomly change my security procedures and processes every now and again just to be a nuisance. Yes, to the public, but seriously hindering terrorists who rely on "A Plan."

greg • February 29, 2008 3:35 AM

@Andrew

I think most here are with you about the spending more money on emergency response.

As someone outside the US, I was (as were many others) very surprised at the poor response to Katrina.

As for randomization. It can be the base plan in the first place and if done properly can be very cost effective and not such a nuisance to the normal folk. But it must be done properly and that's harder than it sounds.

poetryman69 • February 29, 2008 5:24 AM

Stop funding the terrorists!

No more Oil Wars!

Energy Independence Now!

Drill in ANWR.

Build more nuclear power plants

Use More coal.

Use more natural gas


Turn trash into energy


Double the efficiency of windmills and solar cells.

If France can do nuclear power so can we.


If Brazil can do biomass/ethanol power so can we.


If Australia can do LNG power so can we.


Domestically produced energy will end the recession and spur the economy.


Stop paying oil dollars to those who worship daily at the altar of our destruction.

syberghost • February 29, 2008 7:48 PM

re: creating opportunities to capitalize on poor OPSEC.

Actually, while you can't create poor OPSEC, you can create more opportunities for it to fail as well as for capitalizing on it when it fails.

For example, if the only ID people ever have to present is a driver's license that can be duplicated with a color laser printer and a laminator, then all terrorists have to do is buy those things, and there are few opportunities to screw up the OPSEC on a trip to Wal-mart for commonly-available office supplies.

But if the ID is harder to duplicate, incorporating holograms, hard-to-print graphical items, and other features that require specialized equipment, then the terrorists have to do a lot more to make their IDs. This creates opportunities for them to screw up the OPSEC.

This is why REAL-ID isn't security theater.

Nicholas Jordan • March 2, 2008 5:58 PM

@Apart, it itches me the idea of formerly-unprepared regular policemen put to the task of "smelling terrorism".

Rednecks are well suited to this type of work, let's replace all this college-educated silliness with traditional Neanderthal ass-kickin, now made public due to exigent nat-sec burden.

@In the interest of full disclosure, I was the sponsor for this study. - br

No doubt you will adhere a narrower take than my immediate previous comment but I cannot accept that any of these studies are anything other than profit-for-words. I would go through a military check going on post on a major installation. When it was teenagers packing $4,800 worth of Iron packing a plastic laminated license to kill in the hip pocket, real inspections were done. When the for-profit screening went operational it was so absurdly asinine that I could not begin to post the idiocy on any site other than those run by common-enemy hosts.

John David Galt • March 3, 2008 12:05 PM

REAL-ID is security theater because there are lots of easier ways to attack it than printing your own phony license. The easiest way is probably to bribe or blackmail an employee of the agency that issues the IDs. Another is to make an end run by suborning an insider with legal, unscreened access to the area supposedly protected by ID checkpoints. The 9/11 villains did both.

I wonder what, if anything, TSA has done to close those loopholes, or even to catch and prosecute the airport employee who *must* have smuggled in those box cutters.

xd0s • March 3, 2008 12:19 PM

With the rarity of real terrorist events and even terrorist attempts, it would seem a reasoned approach to spending on this issue would entail finding synergy with other already active efforts to reduce other more common issues.

That makes it seemingly "intuitive" that more spending on prevention and response be done that could be applicable to more than just terrorism. Spending on law enforcement and emergency response qualifies easily in these cases.

That isn't to say defense against airline hijacking is bad, simply that our spending needs to be rationalized against the threat.

If the true intent is in fact desensitization and further promotion of a fascist state, then I'm guessing they are getting what they pay for and the money is (in their view) being well spent. I'm not sure I buy that as an agenda, but I can't fully discount it either.

Nicholas Jordan • March 5, 2008 1:24 PM

@intelligence sharing tends to be one way -- from the beat to the suite

After you have had them come and help you it is sometimes better if it stays that way.

chat • June 12, 2009 5:07 AM

REAL-ID is security theater because there are lots of easier ways to attack it than printing your own phony license. The easiest way is probably to bribe or blackmail an employee of the agency that issues the IDs. Another is to make an end run by suborning an insider with legal, unscreened access to the area supposedly protected by ID checkpoints. The 9/11 villains did both.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.