Table of Contents
Indicator analysis it the process of identifying and then taking advantage of indicators – elements that an analyst uses to understand when something is happening. For a counter-terror analyst, an indicator might be an increase in encrypted telephone conversations that occurs before terrorist attacks. For a criminal intelligence analyst it might be a change in gang activity, with known gang members being spotted in neighborhoods outside of their
To identify indicators, it is important to review your existing intelligence and perform some research. Indicators will be evident when situations are examined to develop a baseline and then reviewed again after an incident in order to see what has changed.
For example, a car parked where it is not supposed to be, or an increase in telephone traffic may both be indicators of an upcoming attack. See Terrorist Attack Pre-Incident Indicators (TAPI) below for more information.
Terrorist Attack Pre-Incident Indicators (TAPI)
Terrorist attacks, like other forms of crime are often preceded by indicators that indicate that something that may lead to a terrorist attack is underway. A challenge of intelligence analysis, as well as risk and threat assessments is identifying these indicators among the noise of cities where terrorists can blend into the local culture. This is even more important in foreign countries where analysts may operate (such as Threat Assessment analysts working in Iraq or Afghanistan) but is also important domestically.
Terrorist Attack Pre-incident Indicators (TAPI) is a specialized form of indicator analysis that explores the specific identifiers preceding terrorist attacks in the form of risk factors and warning signs.
Risk factors include elements that generally increase a target’s risk of being attacked. Risk factors can be static (such as a building being very prominent, like the World Trade Center, or having an underground parking garage), or dynamic like having public access or hosting famous individuals at a specific time.
Warning signs are elements that are represent a specific, credible threat. For instance, the presence of a suspicious vehicle in an area it should not be. In the Oklahoma City bombings, Timothy McVeigh parked his rented Ford F-700 truck in front of the building and left a note on his getaway vehicle that claimed it was disabled and would be moved by April 23, one week after the bombing. (Clay, 1997)
Terrorist Attack Preparation
Freeman, Tucker & Merten (2010) identify nine stages of preparation before a terrorist attack:
- Networking and Indoctrination
- Terrorist Training
- General Planning
- Operational Planning
- Weapons Procurement
- Logistical Preparation
- Operational Preparation
Demographic and Temporal Analysis
The review by Freemen, Tucker & Merten (2010) indicates that initial networking begins up to 30 months before the attack, while operational planning begins within 6 months of the attack and “attack-specific phases . . . occur closer to the attack itself.”
Smith, Damphousse & Roberts (2006) provide backup to this: their review of 191 terrorist incidents (or attempted incidents) revealed that the first known activity of a terrorist cell occurred approximately 40 months prior to the attack, while “planning and preparatory behavior” for specific acts begun between 54 and 99 days prior to the attack.
Of course, the more complex the attack the longer the planning time. For instance, in the Oklahoma City bombing gathering materials began at least as early as September 1994 for an April 1995 attack (8 months; History Commons, n.d.), while in the 9/11 terrorist attacks initial planning began in 1998 or 1999 for the 2001 attack. (National Commission on Terrorist Attacks Upon the United States, 2004)
Smith, Damphousse & Roberts (2006) also revealed that approximately one half of terrorists lived within 30 miles of their target and performed their planning and preparation within this same distance from their residences. On the other hand, about one-quarter lived very far from their targets, therefore necessitating airport screening in order to prevent terrorists from flying to their targets.
Indicators can fall into the legal (surveillance, phone calls, travel), the illegal but not necessarily linked to terrorist attack (parking violations, robbery) and illegal and clearly linked to terrorist activity (acquiring bomb materials.) This can make it difficult to use indicators without further investigative and intelligence support.
Pre-incident indicators can also be determined based on the type of attack being planned or suspected. The Regional Organized Crime Information Center (ROCIC, 2004) provides the following examples of warning signs of a vehicle-borne IED:
- Theft or purchase, often with cash of delivery vehicles, vans or other large vehicles
- Attempts to purchase (or inquire about purchasing) commercial vehicles by individuals who seem unfamiliar with the industry or lack the credentials/connections to operate them (e.g. someone lacking a Commercial Driver’s License attempts to purchase an 18-wheeler)
- Modification of vehicles to handle heavier loads or increase storage space or fuel capacity
- Batteries, wires, timers or other components in the passenger area of a vehicle may indicate the presence of a bomb
Theft or purchase of materials (signage, paint, decals) that could be used to disguise the vehicle as a military, police, security, emergency, or delivery/utility vehicle
- Theft or purchase of agricultural/industrial chemicals or other explosives components (e.g. ammonium nitrate fertilizer is a commonly used bomb ingredient)
Additionally they provide indicators related to individuals:
- Attempting to obtain a CDL when an individual lacks employment or the desire to be employed in that industry
- Operating large vehicles without training, in rural areas or at night to avoid detection
Linder (2006) provides a detailed chronology of the Oklahoma City Bombing and later trial starting with McVeigh’s birth in 1968 and finishing in 2006 with his co-conspirator Michael Fortier’s release from prison.
Smith, Damphousse & Roberts (2006) provide the following sixteen potential indicators of terrorist activity, which are applied to a case study later in the article. These sixteen items are presented in alphabetical order. Although many of these occurred more than once, only one example from the timeline is presented:
- Acquiring Bomb Materials – September 30, 1994 McVeigh purchases a ton of ammonium nitrate
- Attending a Gun Show – January 26, 1993 McVeigh attends a gun show and begins selling guns
- Engaging in Conspiracy (to commit a crime) – September 13, 1994 is the first date Timothy McVeigh and Terry Nichols begin imagining their attack
- Issue of a Fatwah – Because this was a domestic terrorist attack by far-right Christians, this was not relevant
- Procurement of Funds – February 1994 McVeigh takes a job at a lumberyard, likely to fund their attacks
- Illegal Entry to the US – Nichols and McVeigh were American citizens so this was not necessary
- Larceny/Theft – July 1994, McVeigh and Fortier steal from a National Guard Armory
- Meetings – October 12, 1993 McVeigh meets individuals at Elohim City, a far-right militant compound. One of the individuals they met would go on to be convicted of a series of bank robberies
- Motor Vehicle Theft – In the case of the Oklahoma City bombing, McVeigh rented his vehicles so theft was unnecessary
- Parking Violations – December 1993, McVeigh gets a speeding ticket near Elohim City
- Phone Calls – April 5, 1993 McVeigh calls Elohim City.
- Travel by Air – McVeigh did not need to travel by air for their bombing.
- Robbery – December 1994 McVeigh participates in a series of bank robberies with elements from Elohim City
- Smuggling – Smuggling was not an element in this crime, though material was kept in a storage unit and moved by car.
- Standoffs – There was no stand-off in this crime, as McVeigh was arrested for “for having no vehicle registration, no license plates, and carrying a concealed weapon without a permit.”
- Surveillance – December 1994 After McVeigh reviews a variety of targets, him and Fortier drive to Oklahoma City so McVeigh can show the Murrah Building to Fortier
Terrorist Attack Pre-incident Indicators (TAPI) offer an opportunity for law enforcement, intelligence and security personnel to recognize when terrorist groups or individuals are in the planning stages of attacks and deter them.
By recognizing activities, whether criminal (like obtaining bomb-making supplies or conducting a robbery to obtain funding) or non-criminal (such as conducting surveillance on sensitive targets) opportunities exist to prevent terrorist attacks from occurring and deter future activities.