Schneier on Security
A blog covering security and security technology.
« Quantum Ghost Imaging |
| Stabbing People with Stuff You Can Get Through Airport Security »
November 18, 2009
How Smart are Islamic Terrorists?
Organizational Learning and Islamic Militancy (May 2009) was written by Michael Kenney for the U.S. Department of Justice. It's long: 146 pages. From the executive summary:
Organizational Learning and Islamic Militancy contains significant findings for counter-terrorism research and policy. Unlike existing studies, this report suggests that the relevant distinction in knowledge learned by terrorists is not between tacit and explicit knowledge, but metis and techne. Focusing on the latter sheds new insight into how terrorists acquire the experiential "know how" they need to perform their activities as opposed to abstract "know what" contained in technical bomb-making preparations. Drawing on interviews with bomb-making experts and government intelligence officials, the PI illustrates the critical difference between learning terrorism skills such as bomb-making and weapons firing by abstraction rather than by doing. Only the latter provides militants with the experiential, intuitive knowledge, in other words the metis, they need to actually build bombs, fire weapons, survey potential targets, and perform other terrorism-related activities. In making this case, the PI debunks current misconceptions regarding the Internet's perceived role as a source of terrorism knowledge.
Another major research finding of this study is that while some Islamic militants learn, they do not learn particularly well. Much terrorism learning involves fairly routine adaptations in communications practices and targeting tactics, what organization theorists call single-loop learning or adaptation. Less common among militants are consequential changes in beliefs and values that underlie collection action or even changes in organizational goals and strategies. Even when it comes to single-loop learning, Islamic militants face significant impediments. Many terrorist conspiracies are compartmented, which makes learning difficult by impeding the free flow of information between different parts of the enterprise. Other, non-compartmented conspiracies are hindered from learning because the same people that survey targets and build bombs also carry out the attacks. Still other operations, including relatively successful ones like the Madrid bombings in 2004, are characterized by such sloppy tradecraft that investigators piece together the conspiracy quickly, preventing additional attacks and limiting militants' ability to learn from experience.
Indeed, one of the most significant findings to emerge from this research regards the poor tradecraft and operational mistakes repeatedly committed by Islamic terrorists. Even the most "successful" operations in recent years -- 9/11, 3/11, and 7/7 -- contained basic errors in tradecraft and execution. The perpetrators that carried out these attacks were determined, adaptable (if only in a limited, tactical sense) -- and surprisingly careless. The PI extracts insights from his informants that help account for terrorists' poor tradecraft: metis in guerrilla warfare that does not translate well to urban terrorism, the difficulty of acquiring mission-critical experience when the attack or counter-terrorism response kills the perpetrators, a hostile counter-terrorism environment that makes it hard to plan and coordinate attacks or develop adequate training facilities, and perpetrators' conviction that they don't need to be too careful when carrying out attacks because their fate has been predetermined by Allah. The PI concludes this report by discussing some of the policy implications of these findings, suggesting that the real threat from Islamic militancy comes less from hyper-sophisticated "super terrorists" than from steadfast militants whose own dedication to the cause may undermine the cunning intelligence and fluid adaptability they need to survive.
Posted on November 18, 2009 at 1:45 PM
• 41 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"The perpetrators that carried out these attacks were determined, adaptable (if only in a limited, tactical sense) -- and surprisingly careless."
Reminds me of the CIA 'operatives' who kidnapped that guy in Italy. Leaving a trail of mobile call info, use of swanky hotels on the tax-payers' dime etc. etc.
@Even the most "successful" operations in recent years -- 9/11, 3/11, and 7/7 -- contained basic errors in tradecraft and execution.
Reminds me of an earlier post that attributed part of their success on 9/11 "dumb luck." While I do not disagree that there are no doubt a lot of dumb and careless terrorists, I don't consider successfully hijacking 4 of 4 planes within minutes and reaching the target on 3 of 4 of them was "dumb luck" or "careless." If that were the case, I suspect we would have seen some failed hijack attempts and more than one failed collision.
Dumb and careless terrorists? Yes. Is 9/11 included in that? That is debatable.
Planning vs execution. Idiots can carry out a solid ops plan. They will err in doing so. The point of otherwise useless measures such as airport and border screening, physical security measures, etc. is to create more opportunities for failure points.
@Andrew at November 18, 2009 2:39 PM
I agree... idiots can do a lot of damage before they are caught or stopped. Idiots are also notorious for copycatting since they cannot really devise a master plan on their own (I'm not talking airline security there).
What is this crap about hyper-sophisticated "super terrorists"?
BING BING BING - movie plot threat!
Now, take everything that was mentioned in that article and compare it to what would be needed to buy some handguns and shoot up a shopping mall during a heavy shopping day.
And that's just one person. A few people could coordinate at multiple malls.
But then, these scenarios have been discussed here time and time again.
So reading the internet to learn how to build a bomb is like reading the internet to learn kung-fu? That makes a lot of sense. Mere information isn't that useful without the opportunity to practice, using experiential feedback to develop technique.
Skorj: mostly yes.
But I would say that *building* a bomb is not that hard for anyone with some mechanical skills, and here formal instruction can be effective. Making and handling *explosives* is the tricky part. To do it properly without blowing off one's body parts - that is what requires experience, practice and skill.
Not very politically correct.
It is difficult to stop a determined man who has decided to die and take you with him. The Japanese kamikazes were difficult to stop as well. The US had to alter tactics by destroying all Japanese airfields within range of the fleets and increase the AA barrage to throw a lead shield around the fleet and still a few planes got through killing over 5,000 men at Okinawa. The planes were usually obsolete, and the airmen for the most part weren't well trained, and most of them died before reaching their objectives, but the few that did made up for the losses of the others. I wonder if the navy's postwar study about the kamikaze problem was similar in tone to this paper?
Whilst the 2001 attacks were the fruit of careful thought and planning, there is much evidence that their security was very poor indeed - numerous people involved carelessly disclosed a great deal of sensitive information, prior to execution of the attack.
If their carelessness had not been equaled by that of Western intelligence and law enforcement, their attack might well have been interdicted, and the 4/4 highjack success rate could easily have been 0/4.
I think we all agree it doesn't take a particularly intelligent person or group of people to coordinate some attacks. Even a group of people half as smart as Forrest Gump could wait until their watch says 9am and open fire on a group of people.
I just don't put the 9/11 hijackers in this category. Some of them may have been idiots helping more intelligent terrorists, I could see that. Yet, I don't think without some reasonable measure of intelligence they could have took control of all 4 planes and navigated 3 of them to targets. That is not to say they were all geniuses, but I didn't think that attack was dumb luck.
Clearly, many of them overall are not particularly intelligent and succeed through dumb luck.
@MarkH: "If their carelessness had not been equaled by that of Western intelligence and law enforcement, their attack might well have been interdicted, and the 4/4 highjack success rate could easily have been 0/4."
I still don't think 9/11 was as easy to detect as one may think. There is tons of intelligence all over the map, and it is not as simple to put together accross geography and agency as one may think. Not to mention, this would have fallen easily under the "Movie Plot" category on 9/10/2001.
I could not believe how blindly naive that article was and how it stereotyped Islamic terrorist into the category of being a bunch of illiterate bums that are incapable of carrying out a cyberwar.
Here is the wake-up call. Cyber-Jihadist are the sharp edge of the global cybercrime world. And for the last couple of years - cyber-jihadist have been ruthlessly and relentlessly finding ways to steal money and create economic instability in the Internet commercial economy.
For some reason the dunces all think that a cyber - jihadist is going to attack physical infrastructure. But not one person ( except of course myself ) have publicly pointed the finger at global cyber-jihadist as being behind a significant percentage of attacks against the economic infrastructures of non-Muslim countries.
Let us be clear. In a call for Jihad.. a 'good Muslim' does not have to strap a bomb on himself or commit physical attacks against non-believers. In fact, in a call to Jihad, 'good Muslims' can and do participate in whatever way they can... and that includes looting and robbing bank accounts of non-believers.
As well, a call to Jihad can also be carried out by 'good Muslims' by non-actions - such as acts as simple as providing disinformation. A Muslim, saying that "Muslims are not behind cybercrime' is in fact accomplishing Jihad.
But let us get back to basics for a second. The Islamic faith represents 25% of the global population - and probably represents a similar percetange of people on the Internet of the Islamic faith.
The followers of Islam are not demographically located in just the Middle East... they populate every country in the world. And so attacks against the financial pocketbooks of non-Muslims can be originating from any country in the world.
For some reason the media is quite cowardly at connecting the dots of the role that cyber-jihadist may be playing in the never ending expansion of cybercrime globally. Possibly those media sources are fearful of being called bigots, rascist or some other worn out catch-phrase.
And most commercial security companies are also fearful to mention the role that cyber-jihadist are playing in cybercrime. Possibly they are fearful at offending 25% of the Internet population that are Muslim.
And so I trust you will see that I found the government's considerations and musings about cyberwar to be quite laughable.
The cyberwar is happening already and has been happen for the last couple of years. And frankly THEY ARE WINNING and inflicting economic damages that are significant and possibly fatal to countries with already weakened economies.
Maybe someday folks will start looking a little deeper into the religious leanings or backgrounds of some of the cybercrime players......
HJohn, don't equate ignorance, particularly lack of metis (i.e. practical experience) with lack of intelligence. A person can be intelligent but if they have had no opportunity to learn by doing it won't necessarily translate into practice.
Think the Big Bang Theory guys trying to play a sport versus learn its rules.
The 9/11 hijackers could have been intelligent and determined and yet still careless and make mistakes and - with a good dose of luck and mistakes on the intelligence side - be successful.
The exec summary does note the increased counter-terrorism effort as futher limiting opportunities to train -- i.e. they couldn't do it again that way and get away with it, but (again in the article) since they are dead anyway we don't need to worry about them learning from their mistakes.
In short, it sounds like the article is stating something that should be obvious to anyone with even basic hands on training in anything: if you never get the opportunity to learn by doing, you won't be very good at doing when the time comes and the pressure's on, and even the relatively successful terrorists are pretty low on the skills/experience level.
@CyberJihad = Cybercrime which = Cyberwar at November 18, 2009 4:14 PM
You are exaggerating. (And that assessment comes from the guy that usually irritates people by telling them they downplay.)
@sheldon at November 18, 2009 4:27 PM
Fair enough. Of course intelligent people can be ignorant of certain things or be careless and make mistakes / leave clues, etc. Then again, the title of the post is about how smart terrorists are. My opinion: some are smart (9/11), others are dumb, but any can be careless and ignorant.
The TSA seems to operate under the assumption that terrorists are as stupid and inept as they are, and can thus be stopped with the inconsistent application of illogical rules. So maybe they've had it right all along?
The entire piece is well worth the time to read it. A nice bit of CT research with real world practical applications. Note however that in order to catch people using 'sloppy tradecraft,' that the good guys must actually be looking.
I think that the description of the 9/11 terrorists as "careless" is actually something of a veiled indictment of the intelligence/counter-terrorism establishment beforehand. Alternately, it could simply mean that they left a lot of operational information "hidden in plain sight" and lucked out on account of analysts never having had cause to find and examine that information. I think at this point, that it would be necessary to read more than just the executive summary of the report to see what reasons (if any) are given for the ultimate success of such a "carelessly" executed attack.
But there was a similar attempt in the late 90's to hijack a number of planes over the Pacific ocean and knock-out buildings. The jihadists had a conference in Malaysia, I think I recall, to plan out it.
But it was busted hard, 'cause the intelligence services in the pacific rim outclassed the jihadists -- by doing such clever things as going to the conferences and tracking the guys involved.
Which says a lot about the 'metis' of our own folks -- given the fact that they were advantaged in knowing about the previous attempt.
Fool me once....
The NY Times just published an article that, although they probably had the best journalistic intentions in mind, is really just a huge ad for snake oil security. Since this is in the NY Times, a huge number of users are going to be affected.
It is full of pearls such as:
It would be nice if the NYT could be persuaded to provide a more balanced counter-article to this article.
It also illustrates why snake oil security is so pervasive - when an average journalist tries to explain security, it in sounds like snake oil anyway!
Ok, the pearls didn't make it the first time, but here they are:
When a user visits such a site, SafeCentral asks if the user wants to proceed securely. If the answer is yes, a background resembling armor plating appears. In this safe room of sorts, certain Windows features regularly abused by attackers have been disabled.
Kemesa says it has created a “digital fortress.” To start, the product (which uses an add-on for the Internet Explorer and Firefox browsers and a Web site), puts an encrypted token on the computer, which makes it extremely difficult for a remote attacker to gain access to personal records.
At Kemesa, customer information is not just encrypted, it’s broken up into tiny pieces that are then stored in different databases on different networks, making reassembly by an attacker grueling. It also monitors for intrusions, regularly tests its defenses, keeps its physical location in lockdown and otherwise sticks to Defense Department security standards.
I doubt it would be that complex to actually time simultaneous events in the downtowns of the following cities on a weekday. 10 AM in LA & SF, 11 AM in Denver, 12 PM in Houston & Chicago, and 1 PM in NY, Boston & DC would paralyze the country at least for a few hours if on a large scale. Beyond the materials and resolve to do it participants would have to be able to read a watch.
There is no such thing as a "smart terrorist". A smart terrorist wouldn't be a terrorist at all.
I smell a new TV show - perhaps hosted by Jeff Dunham - in place of Jeff Foxworthy?
"Are you smarter than an Islamic Terrorist?"
@ A smart terrorist wouldn't be a terrorist at all.
Not, indeed. He would be called "Mr. President" or "Mr. Secretary General" or "Dear Leader" or such.
The devastation he would cause will be much bigger than any garden-variety dumbo terrist could hope to do - by several orders of magnitude, at least.
And, of course, nobody gives peace Nobels to dumb terrorists. Only to smart ones.
From Sun Tzu's The Art of War:
He who lacks careful thought and strategy and underestimates the enemy will surely be captured by the opponent.
Given that Obama was trained by the West and hasn't been captured by the largest man hunt in recent history; whilst I hesitate to say that he was 'smart', canny seems more appropriate; and would that the CIA had been cannier...
@CyberJihad = Cybercrime which = Cyberwar
I'd like to know more about that interesting subject. Your reasoning sounds perfectly probable.
Could you supply more information about the involvement of djihadists in cybercrime ? Are there any studies, statistics on that ?
I think you meant to say "Osama" or am I missing some US political joke here?
I think the analysis is on the mark!.
That's what makes people like KSM real important.
Osama appears at the model of the bombers -- KSM is the more careful executioner as a recent NYT article on him showed.
Even a simple plot like the one you describe requires getting all the people involved together, either online or in person, and (if in person) distributing them to the right places. Also weapons training, so that they don't screw up something simple. All of those things can potentially leave traces.
I think that there's a common implicit assumption that every city in the world is riddled with weapons-trained terrorist wannabes just waiting for their master and commander to give them the orders about what to blow up. Before it foundered on anything else, such a big plan would probably stall on arguments about what time to commit the fatal act, because everyone would want it to happen at peak traffic for their time zone...
"I don't consider successfully hijacking 4 of 4 planes within minutes and reaching the target on 3 of 4 of them was 'dumb luck' or 'careless.'"
An unpatched security hole in a computer system can generally be hijacked 100% of the time and use of it may be almost as successful until word of the hole gets around and countermeasures are taken.
The 9/11 attacks were really no different than this. They exploited an existing hole (hijackers generally want to take the place somewhere and park for a while, not use the plane as a weapon against a building) that has since been patched.
Doesn't the fact that the operations were successful despite some mistakes in execution demonstrate at least some sophistication in the planning stage? It means that the plan had enough contingencies to manage some level of failure and still succeed. It's kind of like defense in depth; any complex operation needs to assume that some parts will fail. It looks like they planned in for some level of failure while still allowing the operations to proceed successfully.
"Doesn't the fact that the operations were successful despite some mistakes in execution demonstrate at least some sophistication in the planning stage?"
The problem is that "sophistication" doesn't relay any information.
The more complex the operation, the more sophistication needed to plan it and to ensure that it is somewhat error-proof.
Hijacking planes doesn't take much sophistication (at that time).
Hijacking planes and flying them into buildings took more sophistication and training. And they correctly determined the amount of training that was necessary.
There are not many terrorists out there with that degree of intelligence and dedication. Which is why we do not see many attacks such as that. (BTW, there aren't many NON-terrorists with that degree of intelligence, either.)
The key for the terrorists is to match:
1. Their level of sophistication
2. The complexity of the attack.
Unsophisticated terrorists can easy plan, train and carry out simplistic attacks.
The more sophisticated the attack, the smaller the pool of people who could successfully complete it.
And with suicide attacks, the pool is self-limiting. A successful attack removes those members from the pool.
Anyone who's ever tried to coordinate an event involving multiple parties in different cities knows how complicated it is to actually make things happen at just the right time. Conceptually, it seems easy, but, Conceptually, so is Kung Fu. Organizing people and getting them to do things just right isn't easy, no matter how smart they are.
I think some of the best security we have is the fact that Wester movies and TV make it seem so damn easy to learn to do certain things (shoot a moving target, make a bomb, fly a plane, learn Kung Fu). This, at least, allows the FBI to entrap the dumb attackers, who might get lucky with a car bomb, but, instead, wind up trying to buy parts from the feds.
"I don't consider successfully hijacking 4 of 4 planes within minutes and reaching the target on 3 of 4 of them was "dumb luck" or "careless." If that were the case, I suspect we would have seen some failed hijack attempts and more than one failed collision."
and they took over all 4 planes with BOX CUTTERS ... not firearms which makes me believe they had a little more than dumb luck going for them
@Rick You're absolutely right, my mistake - I hate it when I mix up my bs!
My comment was about carelessness, not intellect. I have always respected the competence of the planning and preparation for their murderous attack. But apparently, people involved in the planning and execution "blabbed" (bragging, etc.) - seemingly hundreds (or even thousands) folks with absolutely no "need to know" had at least some vague knowledge of the attack before it took place.
Luckily for their plans, this massive leakage didn't reach anyone who was both 1) unsympathetic and 2) prepared to act on the information.
Operationally, they were very successful. In the separate dimension of security, they were careless.
"Islamic Terrorists". In the world, there are around 1.5 billion muslims and unfortunately get upset when they hear this term. Have you ever heard "christian terrorists" or "Jewish terrorists"? But who killed millions of people in the 1. world war, 2. world war, in Palestine, in Irak, in Afghanistan? Muslims? (see Jürgen Todenhöfer for more info @youtube)
@Bruce: Terrorism can not have any religion. The media/some people use this term deliberately. Security-aware person requires seeing the world from other perspectives; not from the perspective of he is forced to see. Please more empathy!
The 9/11 attack was rendered much more spectacular by the collapse of the World Trade Center buildings. I read the engineering analysis of the failure.
Many more people would have been saved if the buildings did not fail; however, it's my belief that they (the planners) were just as surprised as we were when the buildings collapsed.
The 'long tail' model already employed by Iraqi bombers and Somali pirates will likely provide the necessary expertise at all levels, from strategic to kinetic.
The greatest weakness I see in the DOJ analysis is that it overlooks entirely the probability that most future conflict will be of the 5GW variety, and therefore more entrepreneurial than ideological.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.