Tuesday, January 26, 2010

Setback in Baghdad: Counter-Forensics and Counter-Terror

Counter-forensics has long been part of the terrorist playbook, so today’s attack on the central forensics lab in Baghdad is by no means unprecedented in the annals of terrorism.


CSI Belfast
According to Tony Geraghty’s fascinating The Irish War: The Hidden Conflict Between the IRA and British Intelligence, the IRA was obsessed with preventing evidence from falling into the hands of British authorities. They developed extensive internal research and development capabilities to counter British forensic science and wrote manuals to train their members how not to leave evidence. The manuals get very detailed, including instructions about the dangers of incriminating particles and fibers in the hair and clothes of operatives.

The IRA had good reason to be concerned. British authorities found clothes and hair to be forensic bingo and actually ran an undercover operation disguised as a mobile valet service to gather forensic evidence.

The IRA found that a good offense was the best defense and ambushed the mobile valet unit in October 1972. They also bombed the Northern Ireland Forensic Laboratory – twice. The first time they faked an accident so that a car with a bomb planted inside would be taken into the forensics lab, where it detonated and destroyed substantial quantities of forensic evidence. Later, in September 1992, the IRA set off a 3,000 lb bomb on the lab’s perimeter.

CSI Baghdad
In many cases the most sensitive nodes are people – killing key leaders or specialists can disable a movement or organization. At least some of the victims of the bombing were investigators and they will not be easy to replace. The specialized equipment will also be difficult to replace. But, if the IRA’s history is any example, the accumulated physical evidence could be the greatest loss for Iraq’s counter-terror efforts. In almost any kind of research quality data is everything.

Terrorists in Iraq are clearly ramping up activities, having carried out two terrible deadly attacks in as many days. Breaking clandestine networks requires the careful sifting of evidence, seeking clues and patterns. But now, the evidence is gone and the investigators are back to square one.

Today’s attack was a strategic one, reducing the government’s ability to defeat its enemies both in the short and long-term.

Thursday, January 21, 2010

Cited by the Bulletin of Atomic Scientists

A recent column in the highly regarded Bulletin of Atomic Scientists cites (favorably) an op-ed I co-authored with Jim Hendler in The Washington Times discussing realistic scenarios for cyber-war.

The column, by Joshua Pollack, a contributor to Arms Control Wonk - which also inspired the name of this blog - is titled Is the cyber threat a weapon of mass destruction?

The article discusses China's recent attack on Google, observing that placing aggressive cyber activity on a par with WMD is inaccurate. Overall, China's activity is more akin to spying than to warfare. However, the article states:
The damage to goodwill has been considerable. It isn't shocking that one major power spies on another, or necessarily even intolerable. As the saying goes, "It's all in the game." But the game has never been friendly, and there's something breathtakingly crude about how it's being played today. The attempt to capture as many computers as possible is aggressive and indiscriminate, reaching into the lives of private citizens in the United States and beyond. In a particularly insidious turn, the spies have been known to take advantage of professional contacts between Americans and Chinese in order to assemble convincingly spoofed messages and to mine e-mail address books for targets.

Wednesday, January 20, 2010

Targeting Jordan

An important detail of the December 30 attack on the CIA's Camp Chapman is that the Jordanian intelligence officer killed, Ali bin Zaid, was a relative of Jordanian King Abdullah II. It cannot be a coincidence that a cousin of the king was personally in charge of this highly sensitive portfolio. This illustrates broad points about how much of Middle Eastern politics is in fact a “family affair,” but it also has specific implications for the Kingdom of Jordan.


Clan Tectonics
Much of what passes for politics in the greater Middle East is in fact driven by family, clan, and tribal interests. There is a famous Arabic expression:

I against my brother;
I and my brothers against my cousins;
I and my brothers and my cousins against the world.
In other words, my family against another family, my clan against another clan, my tribe against another tribe and so forth. This is a fundamental organizing principle in the societies of the greater Middle East. (It has also existed in the West – consider Romeo and Juliet, the Guelphs and the Ghibellines, and the Hatfields and McCoys – but has been ameliorated by competing values and institutions.) Religious and political splits (such as the Sunni-Shia) are often based heavily on clan affairs – the real tectonic forces of the region.

These dynamics are excellently described in a short article The Arab World’s Travails: The Desert’s Burden by Gideon Kressel of Ben-Gurion University of the Negev. Prof Kressel writes:
The huge role of male lineage and tribes in the Middle East derives from the desert milieu….

The logic is simple: the power and status of a nomadic patrilineal group depends principally on the number of combatant men available. The larger an agnate group, the larger the territory it can protect against competing groups, and therefore the larger its camel herd and the greater its power. Feuds are the chief mechanism by which tribes effect changes in status...

One can go further and argue that the framework of feuding provides the backdrop for conflict between states. The Middle East's notoriously high incidence of fighting across international borders relates to this personal feuding; governments, like families, stress such matters as kinship, honor, and revenge. Most notably, these have been recent themes of the conflict between Iraq and its neighbors, Iran and Kuwait; northern and southern Yemen; and Morocco, Mauritania, and Libya. These themes were also critical in the delimitation of Saudi Arabia's borders with its neighbors.
These points are explained at greater length in Philip Carl Salzman’s Culture and Conflict in the Middle East. Another good short article on these themes is Stanley Kurtz’s Root Causes.

Implications for Jordan
For Westerners, clan dynamics are abstract. For Jordanians, the implications of the death of a royal at a CIA base at the hands of an al-Qaeda operative will be clear. It highlights the close relationship between Jordan’s royal family and the United States – an alliance that is not popular among many Jordanians. Emphasizing this partnership may spur greater opposition to the Jordanian regime. It is a blow to Jordan’s vaunted intelligence service, which has been praised within intelligence circles, in print, and on screen. The fact that a member of the royal family was killed is also a sign of weakness that may embolden the regime’s enemies.

A recent failed attack on Israeli diplomats in Jordan would, in this light, have been particularly disastrous. That attack would also have emphasized both regime weakness and the regime’s close relationship with an ally that is unpopular with the general public.

Besides being a reliable ally of the United States, Jordan has a particular significance. It, as much as any regime in the region, represents a viable, modernizing path. With its admittedly limited resources, the Hashemites have invested in education and science. By Western standards, Jordan is far from a liberal democracy, but within the Arab world it is towards the head of the pack for freedoms. Perhaps, most importantly, the Hashemites have attempted to build a legitimate regime that relies on more than force to hold power.

Threats to this regime are profound threats to American interests, but also to the future of the region.

Tuesday, January 19, 2010

Terror Taxonomy: Re-Emergence of al-Qaeda Prime

Since 9/11 there have been innumerable articles on the emergence of al-Qaeda 2.0 or 3.0. The attack in Afghanistan that killed several CIA officials, along with a Jordanian intelligence officer, harks back to al-Qaeda prime – the disciplined organization that from the late 1990s to 9/11 carried out a series of sophisticated, meticulously planned, multi-pronged strikes against hard targets.

The attack on the CIA base in Afghanistan similarly involved a careful analysis of American systems and vulnerabilities and tremendous patience and tradecraft. And it did devastating damage to a particularly sensitive node – experienced CIA operatives are the products of decades of experience and are not easy to replace. In addition, procedures for vetting information and agents will become more cumbersome, further hampering operations.

Yemen Franchise
If the attack on the CIA in Afghanistan represents al-Qaeda Prime, the attacks emanating from Yemen are examples of al-Qaeda 2.0 and 3.0. While the attacks linked to Yemen have received far more press and drew more blood – they have not had the same level of sophistication. From a technical standpoint the attempted Christmas bombing was only a slight variation on a previously tried tactic – that has had only limited success in the past. The operational security was not sophisticated (which is why so many are in an uproar that US intelligence failed to intercept the bomber.) This is al-Qaeda 2.0, a regional affiliate operating independently and while not as capable as al-Qaeda prime, still possessing substantial capabilities.

The other two attacks in the U.S. linked to Yemen are indicative of al-Qaeda 3.0 – the self-starters and “lone wolves.” The two attacks are Nidal Hasan’s murderous spree at Ft. Hood, Texas and the June 1 shooting at an army recruiting center in Little Rock, Arkansas that killed one soldier and wounded another (and has been lost in the shuffle of terrorism news.) Hasan received inspiration and justification from Yemen-based radical cleric Anwar al-Awlaki, while the Little Rock shooter had travelled to Yemen where he became radical (exactly what he was doing in Yemen is a matter of dispute).

Some have taken comfort in the relative lack of sophistication of the Yemen-based attacks. The lone-wolf attacks are tragic for the victims and their families, but not true strategic dangers to the United States. I stand by my own analysis that complex strategic attacks against the U.S. homeland remain difficult because of the barriers to moving trained operatives. Getting one past security is all too possible. But the more complicated the plan, the more operatives required and the greater probability of detection.

Nonetheless, there are causes for concern.

Blinking Red

Then-Director of Central Intelligence George Tenet told the 9/11 Commission that in the summer of 2001 “The system was blinking red.”

However, the previous successful al-Qaeda strikes (1998 embassy bombings and 2000 Cole bombing) were against U.S. targets abroad, thus the intelligence community focused on that possibility – missing the signs of 9/11.

Apparently, the same situation prevailed in late 2009 – a focus on al-Qaeda attacks abroad. Now, the Christmas bombing is driving the vast U.S. intelligence apparatus to re-focus its gaze on Islamist attempts to reach the U.S. While necessary to some extent, it could also prove a vast strategic distraction.

But given the inherent challenges of long-range strikes, as well as the growing capability to hit hard targets abroad – al-Qaeda may choose to focus its efforts on more useful targets closer to its operating theaters. While space may dilute the long-range effectiveness of al-Qaeda of the Arabian Peninsula, closer to home it may show greater sophistication. The October attack on Saudi Prince Nayef foreshadowed the Christmas bombing technically, but operationally was more akin to the attack on the CIA base. The attacker reached the prince by claiming to be a terrorist prepared to surrender personally to Prince Nayef, who directs Saudi counter-terror efforts.

Al-Qaeda has also shown political/strategic sophistication in its targeting and there are an enormous number of hard targets in their operational strongholds – including U.S. Embassies and other installations, oil facilities, high-profile political targets in Pakistan, Saudi Arabia, Jordan and other U.S. allies, and the ultimate prize, Pakistan’s nuclear program (to name just a few.) Alternately, rather than going for “spectaculars” they may pursue more attacks like the CIA bombing that effectively throw sand in the gears of American military organizational machinery.

Again, the system is blinking red, but are we monitoring the right gauges?

Tuesday, December 15, 2009

SOMA on TV!

Since SOMA, a project I've worked on, is in the news, I'd be remiss in failing to mention that it has also been on popular television. The CBS crime drama Numb3rs mentioned it (although it failed to give the University of Maryland credit.)

Also - as far as credit goes - I didn't conceive of, or build, the system. My contribution was interpreting the results.

Without further ado...here are the clips.



Calculated Terror - Mannes & Subrahmanian in Foreign Policy

Foreign Policy has just published an article I co-wrote with my colleague VS Subrahmanian discussing our work modeling the behavior of terrorist organizations. This piece focuses on our results on Hezbollah, which provide a credible explanation to Hezbollah's decision to keep the Israeli-Lebanese border quiet since the end of the 2006 war.

For more on our work, visit the website of my employer the Laboratory for Computational Cultural Dynamics. The specific system discussed here is the Stochastic Opponent Modeling Agents.

Foreign Policy
Argument

Calculated Terror
How a computer model predicts the future in some of the world's most volatile hotspots.
BY AARON MANNES, V.S. SUBRAHMANIAN | DECEMBER 15, 2009

On Oct. 27, a Katyusha rocket was fired from Lebanon and struck down in an open area outside the northern Israeli town of Kiryat Shmone. This was the ninth such rocket strike since the end of the 2006 war between Israel and Hezbollah. No group claimed responsibility for the attack, but smaller Palestinian groups hoping to spark another round of fighting are the most likely suspect. Hezbollah, despite its extreme anti-Israel politics, did not join the fight, even after Israeli counterstrikes.

The "Blue Line" separating Israel from Lebanon is one of the most volatile borders in the world. But predicting when this area, and other tense regions throughout the world, will erupt into violence often appears to be little more than guesswork. How can policymakers overcome their own biases and limited information to anticipate if an incident like the recent rocket strike on Israel will spark a larger conflict, like the 2006 war, or fizzle out?

Increasingly, the answer is: Develop a computer model from historical data. The University of Maryland's Laboratory for Computational Cultural Dynamics (LCCD) constructed one such model that predicted this period of quiet along the Israeli-Lebanese border, and also provides insight into Hezbollah's priorities. LCCD developed a framework, known as Stochastic Opponent Modeling Agents (SOMA), that examines historical data and automatically generates rules assessing the probability that a group will take certain actions under certain conditions.

SOMA examines historical data about the group's behavior and tries to find conditions such that, when the condition is true, the group takes a given action with high probability and, when the condition is false, the group takes the action with very low probability. A human analyst could make these connections when there are relatively few variables being tracked. But when there are dozens of variables there are millions of such possible rules -- far more than an analyst can process. This is often the case in the interconnected world of Middle East politics, where events are shaped by the actions of many actors working in a diverse array of countries.
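The rule search described above, as an added Python illustration (not LCCD's SOMA code): it enumerates conjunctions of conditions over yearly records and keeps those where the action is likely when the condition holds and unlikely when it does not. The records, variable names, thresholds and function names are constructed assumptions, not MAROB data.

```python
from itertools import combinations, product
from math import comb

# Constructed yearly observations for a hypothetical group (not MAROB data).
# Variable names are hypothetical; 1 = true, 0 = false.
FIELDS = ("election_year", "factional_conflict", "sponsor_aid", "attack")
ROWS = [
    (1, 0, 1, 0), (0, 0, 1, 1), (0, 1, 1, 1), (0, 1, 0, 1),
    (1, 1, 1, 0), (0, 0, 1, 1), (0, 0, 0, 0), (0, 1, 1, 1),
    (1, 0, 0, 0), (0, 0, 1, 1), (0, 1, 0, 1), (1, 1, 0, 1),
]
RECORDS = [dict(zip(FIELDS, map(bool, row))) for row in ROWS]


def candidate_count(n_vars, max_terms):
    """Count conjunctions of up to max_terms true/false tests on distinct variables."""
    return sum(comb(n_vars, k) * 2 ** k for k in range(1, max_terms + 1))


def action_rate(records, action):
    """Fraction of records in which the action occurred (None if no records)."""
    return sum(r[action] for r in records) / len(records) if records else None


def mine_rules(records, action, max_terms=2, hi=0.75, lo=0.25, min_support=3):
    """Return conditions where P(action | cond) >= hi and P(action | not cond) <= lo.

    Each rule is (condition, p_true, p_false, support); a condition is a tuple
    of (variable, required_value) pairs. Conditions matching fewer than
    min_support records on either side are skipped as too thin to trust.
    """
    variables = [f for f in records[0] if f != action]
    rules = []
    for k in range(1, max_terms + 1):
        for names in combinations(variables, k):
            for values in product((True, False), repeat=k):
                cond = tuple(zip(names, values))
                hit = [r for r in records if all(r[n] == v for n, v in cond)]
                miss = [r for r in records if not all(r[n] == v for n, v in cond)]
                if len(hit) < min_support or len(miss) < min_support:
                    continue
                p_true = action_rate(hit, action)
                p_false = action_rate(miss, action)
                if p_true >= hi and p_false <= lo:
                    rules.append((cond, p_true, p_false, len(hit)))
    # Largest gap between the two probabilities first.
    return sorted(rules, key=lambda r: r[2] - r[1])


if __name__ == "__main__":
    for cond, p_true, p_false, support in mine_rules(RECORDS, "attack"):
        text = " AND ".join(f"{name}={value}" for name, value in cond)
        print(f"IF {text}: P(attack)={p_true:.2f}, otherwise {p_false:.2f} (n={support})")
    # Why analysts cannot do this by hand: the candidate space grows quickly.
    print("3 variables, up to 2 terms:", candidate_count(3, 2))
    print("40 variables, up to 4 terms:", candidate_count(40, 4))
```

On the constructed records only the off-election-year condition survives both thresholds; the minimum-support check matters because a condition matched by two or three years can look perfect by chance.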

SOMA rules have also been extracted on the behavior of other Middle Eastern groups. Hamas, for example, is twice as likely to commit kidnappings during periods of conflict with other Palestinian organizations (the probability increases from approximately 33 percent to 67 percent). If another round of Fatah-Hamas fighting erupts in the West Bank, this may present a new challenge for Israeli security. While the rules had not been extracted in 2006, it is worth noting that the Israeli soldier Gilad Shalit was kidnapped as the conflict between Hamas and Fatah expanded after the 2006 Palestinian elections.

SOMA is not specifically designed to model the behavior of Hezbollah or even of terrorist organizations -- it has also examined the behaviors of various actors in the Afghan drug trade under different circumstances. This model was built on a hypothetical situation, not systematically gathered data, but demonstrates the way in which SOMA can be applied to a broad range of conflicts and scenarios. The analysis showed that frequently used strategies such as burning poppy fields and destroying drug labs in Afghanistan are unlikely to lead to a long-term decline in the Afghan drug trade.

Models require data, and limitations of that data can limit the accuracy of a system such as SOMA. For the analysis of Hezbollah (and several other groups) SOMA used the Minorities at Risk Organization Behavior (MAROB) data set created at the University of Maryland's Center for International Development and Conflict Management. MAROB identifies factors that motivate members of ethnic minorities to form activist organizations and move from conventional politics to terrorism. MAROB has systematically collected information on more than 150 variables from over 100 organizations across the Middle East during the last several decades. Hezbollah is one of the organizations profiled; the data collected covers Hezbollah from its 1982 founding through 2004.

In examining the rules generated by SOMA about Hezbollah's behavior, the most striking finding was the correlation between Hezbollah attacks on Israeli citizens and Lebanese elections. Since the re-establishment of Lebanon's parliamentary democracy in 1992, there was a 62 percent chance Hezbollah would target Israeli civilians (primarily through rocket attacks) in any given year through 2004. In off-election years the likelihood jumped to 78 percent, while in election years the probability was negligible. The one election year in which Hezbollah fired rockets at Israel was 1996. Though Hezbollah won a propaganda victory when Israel's response caused heavy Lebanese civilian casualties, the organization lost parliament seats in the 1996 elections. Hezbollah has since sought to keep its fighting with Israel within certain boundaries, avoided major escalations during election years, and re-emphasized its provision of social services within Lebanon.

The test for any model is whether or not its predictions hold. During Israel's Operation Cast Lead against Hamas in Gaza, there was concern that Hezbollah would initiate a second front to aid its ally. But Hezbollah offered only rhetorical support to Hamas. During the Gaza operation, a few rockets were fired from Lebanon into Israel and Hezbollah quickly and credibly denied responsibility. With an election later in the year, Hezbollah determined that it could not risk renewed violence with Israel -- particularly in the wake of the 2006 war, which many Lebanese felt was brought on by Hezbollah and that left much of south Lebanon in ruin.

Beyond its predictive value, these findings provide insight into Hezbollah's behavior and priorities. The SOMA results highlight how Hezbollah needs to maintain its position within Lebanon's political system, even if that restricts its ability to wage war on Israel. Though the conflict with Israel is the organization's raison d'être, Hezbollah's leadership has taken steps -- such as participating in the Lebanese parliament -- to prevent the party from being politically isolated.

However, this balancing act is becoming more difficult to maintain, as these two aspects of Hezbollah are coming into increasing conflict. The 2006 war inflicted massive costs on the Lebanese people, which has made them less likely to tolerate Hezbollah's foreign adventurism. Earlier in October an explosion at a private home revealed the presence of a Hezbollah arms cache (Hezbollah disputes this). This incident reminded the Lebanese that Hezbollah remains capable of launching another round of fighting with Israel, and raised the specter of the conflict being sparked by accident. The recent Israeli seizure of a cargo ship carrying nearly 400 tons of weapons apparently intended for Hezbollah raised further concerns that Lebanon could again become a battlefield between foreign powers. If one appreciates that Lebanese popular opinion exerts a strong influence on Hezbollah's actions, it should be clearer that another Israel-Hezbollah war remains unlikely.

SOMA's analysis of Hezbollah's behavior serves both analysts and policymakers by making a specific prediction about the group's likely actions, and also by highlighting this important underlying dynamic. As the data collected expands in breadth and depth, it may become possible to make specific predictions about how, when, and under what circumstances regional changes will occur. While the Oct. 27 rocket strike on northern Israel seems to be just the sort of incident which could cause an unpredictable chain reaction in the region, in the future its repercussions may largely be known before the rocket leaves the ground.

Aaron Mannes, a researcher at the University of Maryland's Laboratory of Computational Cultural Dynamics, is a doctoral student at the University of Maryland's School of Public Policy. V.S. Subrahmanian, a professor of computer science, is the director of the University of Maryland Institute for Advanced Computer Studies.

Thursday, November 19, 2009

Conflict & Computer Science

Conflict has often been a driver for technological advances and computer science has been no exception. The requirements of code breaking during World War II led to the construction of Colossus – the first totally electronic computer device, while the Internet was originally constructed to provide a secure communications network for the military in the event of a nuclear war. While terrorist use of technology, and particularly the Internet, receives tremendous press, the current conflict is also sparking important developments in computer science that will have impacts far beyond the security realm.

My employer, the Laboratory for Computational Cultural Dynamics (LCCD) at the University of Maryland is one group seeking to develop the theory and algorithms required for tools to support decision-making in cultural contexts. LCCD has developed numerous systems including T-Rex, which can rapidly scan text in several languages and convert it into a database and SOMA (Stochastic Opponent Modeling Agents) which can extract rules of likely behaviors by organizations from their past behaviors.

LCCD sponsors an annual conference, the International Conference on Computational Cultural Dynamics (ICCCD2009) – to be held this year on December 7-8 at the University of Maryland. Papers being presented include efforts to model insurgencies as well as piracy in Somalia, a tool used to map the Indonesian blogosphere, and SCARE (Spatial Cultural Abduction Reasoning Engine) which can help predict the locations of weapons caches in an urban environment. (See the full program here.)

Augmenting the Mind
The human brain is an impressive system, which also builds models. In some regards it far exceeds anything on the horizon in the realm of computer science. The ability of human beings to take information and place it in context and draw conclusions from it is profound. We build complex models of how the world works in order to function in it. But computers can process some forms of data far faster than humans and will do so systematically. Human minds cannot quickly process large quantities of data. In attempting to make sense of large amounts of information, human beings may discount or ignore information that does not fit in their model of how the world works – or alternately draw significant conclusions based on a very limited amount of data. Imagine an economist ignoring issues of ethnic identity in analyzing a nation’s policies or a political philosopher focusing on ideology while ignoring logistics in studying a terrorist group’s behavior. In short, computer systems are capable of substantially augmenting the power of human reason.

Things to Come
The impacts of these technologies will be profound. Real-time data collection and processing will potentially improve decision-making in many ways. Beyond providing better intelligence, it will allow the creation of in-depth virtual environments, which facilitate training to operate in different cultures. The Marines and Army have built mock Afghan and Iraqi villages staffed by actors for this kind of training. These are terrific facilities, but a computer simulation could inexpensively augment the real world training.

According to the late Alexander George, a renowned scholar of the presidency, many foreign policy accidents have occurred because leaders were unable to see the situation from the perspective of their counterpart. Leaders make assumptions about their opposite number and his (or her) actions based on an intuited model of their behavior. Models not operating on limiting assumptions may provide alternate explanations for behaviors and thereby give leaders the insight to avoid escalating conflicts that arose from misunderstandings.

But these systems will also have civilian applications. Game theory systems used to predict the behavior of adversaries may also be used to understand the behavior of business competitors. Tools that can analyze the opinions expressed on jihadi websites could also be used to analyze public opinion for marketing research. Models that identify the outbreak of terrorism and insurgency may also be turned to studying the outbreak of disease.

But this focuses on applications designed for policy-makers – and no doubt there will be many such tools. But only twenty years ago, very few people imagined a ubiquitous, international system that facilitated instantaneous communications and put vast amounts of information virtually at every user’s fingertips. Models and game theory will not remain in the realm of executives and professional analysts. They will also become everyday tools used by regular people to better plan their activities and make decisions about their lives.

In this vein, ICCCD2009 could prove to be a fascinating glimpse into the future.