The Next Worst Thing
By David Cid
Without exception, any emerging threat displays warning signs before becoming a resilient crime problem. If such a threat surprises law enforcement agencies, it is because they did not recognize these signals or their significance. Anticipatory knowledge allows officers to take preemptive action to disrupt or suppress an emerging criminal or terrorist threat. Thus, helping investigators avoid surprise is one of the most important functions of strong intelligence.
Often, this anticipatory knowledge results from analyzing signals known as indicators and warnings. Lists of indicators and warnings exist for a wide array of criminal and terrorist acts. While becoming familiar with this information can prove helpful, simply memorizing a list of indicators and warnings will not suffice to prevent emerging threats or help investigators keep up with changing tactics of both criminals and terrorists. Further, the sheer number of criminal groups makes studying their tactics daunting. The list of recognized terrorist groups at one time included over 100 entries.
Additionally, the adversary will not remain static. When law enforcement agencies employ new investigative techniques or crime suppression measures, criminals respond by changing their tactics. Criminal enterprises seek efficiency to maximize profits, and efficiency improvements may drive operational changes. New methods replace the old, new personalities replace previous ones, alliances and rivalries shift, and opportunities and challenges arise. These internal and external changes will foster new indicators and warnings for each threat. The list never will be complete, and, therefore, depending on the list alone leaves law enforcement officers vulnerable.
Agencies will develop better intelligence at an earlier stage of investigations if officers learn other tactics of intelligence gathering. These include identifying new indicators and warnings, deconstructing criminal or terrorist acts, learning how crime and terrorism tactics evolve, placing events and actions in context, analyzing the specific components of a threat, and using all of these tools to develop sound threat assessments. This helps law enforcement personnel develop a dynamic, intellectual framework for assessing current threats, as well as identifying the next worst possibility before it occurs.
Identifying the Signals
Gathering and analyzing indicators and warnings comprise crucial intelligence collection techniques. Indicators are discrete events or series of events, and warnings occur when the indicators reach a critical mass and an imminent threat looms. Investigators identify indicators and warnings by scanning the environment for actions that may or must occur prior to a criminal or terrorist act. Scanning encompasses an ongoing, holistic process that employs all of the tools and techniques of information collection, including reviewing citizen complaints, field interviews and contact reports, suspicious activity reports, community contacts and informants, and the results of ongoing investigations.
When identifying indicators and warnings, officers should focus on observable behaviors and actions, some clearly criminal and others merely suspicious, that indicate potential criminal or terrorist activity. Race, religion, ethnic origin, and political affiliation are not lawful or useful indicators of criminality, and considering them as such quickly will prove ineffective. Instead, by employing a behavior-based model, investigators maintain their moral high ground, their actions remain lawful, and they avoid the analytical pitfall of bias, which often leads in the wrong direction.
Examining Indicators and Warnings in Context
To further analyze indicators and warnings, investigators can examine a suspect’s actions or patterns of behavior in conjunction with other events. Any action or series of actions provides information about the actor, some more definitively than others. Taken alone, they present only limited insights; however, all actions prove more meaningful when examined in context or in relation to the other circumstances that surround an event.
Mr. Cid serves as the executive director of the Memorial Institute for the Prevention of Terrorism (MIPT) in Oklahoma City, Oklahoma.
| Figure 1 | |
| Planning A Trip | |
| When | Make the first night’s hotel reservation. Write a note to the school about a child’s anticipated absence. Request vacation time. |
| Where & When | Search the Internet for hotel options. Make the first night’s hotel reservation. |
| How | Purchase a roof-mounted luggage carrier. Have the car serviced. Purchase a GPS device. |
| With Whom | Write a note to the school about a child’s anticipated absence. |
| Figure 2 | |
| Bombing | |
| Likely Sequential | Activate the device. Drive to the target. Assemble a team for the operation. Conduct dry runs. Select the target. Conceal the completed device. Assemble the device. Store the components. Acquire the components. Recruit the coconspirators. |
| Likely Random | Stage the event. Raise funds through criminal activity. Assemble a team for the operation. Conduct clandestine activities. Gather intelligence. Ensure communication security. Plan for operational security. Aquire weapons and perform training. |
For example, a subject takes his family on a road trip from New York to California, with a northern route to Los Angeles and a southern route coming home. Prior to the trip, an investigator sees the subject engage in a series of actions that provides clues about his plans. When examined individually, each event presents several possible interpretations. When taken as a group, however, they point more definitively in one direction. The subject:
- has his car serviced, possibly suggesting good stewardship of his automobile, a mechanical problem with the vehicle, the anniversary of a required service date, or preparation for a car trip;
- purchases a GPS device, maybe indicating a poor sense of direction, a need to find local addresses efficiently, the purchase of a gift, or preparation for a car trip;
- searches the Internet for hotel options, perhaps suggesting that the subject needs a hotel room for an upcoming trip or that he wants to inquire about hotel rates in a particular city for future reference;
- makes the first night’s hotel reservation, possibly showing that the subject and his family intend to spend the night in a particular city;
- writes a note to his children’s school about an anticipated absence, perhaps suggesting the children will miss school on those days due to a trip, a family event, or other circumstances;
- requests a vacation, maybe indicating that the subject plans to be absent from his job for a specified period of time for any number of reasons; and
- purchases a roof-mounted luggage carrier, possibly showing the subject will use his vehicle for a trip at some point in the future or that he desires additional storage space in his vehicle.
When examined individually, any one of these actions does not provide strong clues to lead an investigator to a definitive hypothesis. However, analyzing them as a group provides context and allows the investigator to logically predict the subject’s plans.
| Figure 3 | |||
| Recruitment of Coconspirators | Acquisition of Components | Storage of Components | Assemblage of Device |
| Secret communications with individuals | Unusual or structured purchases of high nitrate fertilizer | Rental of storage space | Clandestine meetings |
| Association with known terrorists or their supporters | Unusual or structured purchases of fuel oil | Purchase of metal drums | Purchase of protective clothing |
| Clandestine meetings with persons | Acquisition of manuals on explosives | Purchase of dolly or other moving equipment | Chemical stains on hands or clothing |
| Application of operational security to a meeting | Acquisition of igniter | Medical attention for chemical burns or inhalation | |
One way to develop context is to categorize events or actions according to the questions they answer. This provides insights and suggests a course of action (figure 1). In this example, even after analyzing the actions in context, questions remain unanswered (e.g., the subject’s final destination and planned routes). But, with a high degree of certainty, the investigator can conclude that the subject plans to embark on a road trip, most likely with his children, for a specific period of time, and at the city where he reserved a hotel room. With this initial hypothesis, the investigator can employ other tactics to determine the final destination. As this example demonstrates, indicators and warnings rarely give a complete view of a subject’s plans, but they can point the investigator in the right direction.
Deconstructing Threats
After a criminal or terrorist incident, investigators can gather lessons learned from the event though a process called “deconstruction,” which provides another preventative technique for investigators to amass intelligence about a threat. Many patrol officers carry out this process intuitively, but applying it logically gives them a sense of how they can discover new indicators and warnings.
Deconstructing criminality or terrorism involves working backward to identify the indicative behaviors or actions that preceded the event. For example, if terrorists want to execute a truck bombing using ammonium nitrate/fuel oil of a building in a major city, they must take certain prior steps in a specific sequence (figure 2).
As the diagram illustrates, terrorists cannot detonate an explosive device without first acquiring and assembling the needed components. Each of these actions also may link to its own precursor events that investigators can identify through further deconstruction. Some actions are specific, while others apply to multiple events (figure 3).
| Figure 4 | |
| Predictive | 1. Presence: Is a terrorist group or criminal enterprise present in your jurisdiction? 2. Capability: Do the members have the capacity to commit an act of terrorism or engage in organized criminal behavior? 3. History: What does past behavior tell us? |
| Reactive | 4. Interest-intention: Do they have the interest or intention to commit an act of terrorism or crime? 5. Targeting: Is there current intelligence indicating that they are engaging in target selection, movement toward a target, or ongoing criminal activity? |
Law enforcement personnel can use deconstruction to analyze precursor events at a deeper level and pinpoint new indicators and warnings. This framework allows investigators to reexamine behaviors, place them in a logical construct for informed speculation, and articulate why they may be suspicious. Also, deconstruction encourages officers to view intelligence gathering as a prevention technique, which facilitates earlier interventions of criminal and terrorist threats.
Examining Past Performance
Though criminal techniques evolve, past behavior remains a reliable predictor of future actions. Many terrorist acts show the hallmarks of a particular group because even when tactics progress, often, some historical behaviors endure. These patterns provide a starting point and direction for analysis. Many terrorist and criminal groups, like other enterprises, repeatedly use their tried-and-true tactics until they no longer are effective. When investigators recognize clues from these past behaviors, their investigation likely will proceed down the correct path.
Linking Indicators and Warnings
Indicators and warnings prove most useful for intelligence collection when they contribute to a threat assessment. A threat is a potential for harm, while a threat assessment measures the likelihood of that harm occurring. The threat assessment model includes five components: presence, capability, history, intention, and targeting (figure 4). The first three are predictive (observable statically), while the last two are reactive (require action). The intention to harm is the most critical factor of the five.
Intention also is the least tangible because it represents thoughts and motivations. However, once subjects develop firm intentions, they quickly may acquire the means to act because capability may require nothing more than picking up a gun.
| Figure 5 | |
| Components of a Threat Assessment | |
Presence may be measured by: Capability may be measured by: | History may be measured by: Interest-intention may be measured by: Targeting may be measured by: |
Developing a Threat Assessment
To assess a threat, investigators measure the five components through both inference and intelligence. At times, a threat assessment raises more questions than answers. By identifying these questions, or unknowns, investigators can determine intelligence gaps and establish collection requirements to fill them. Also, law enforcement personnel can develop even deeper intelligence by deconstructing each component of the threat assessment to identify additional indicators and warnings for each (figure 5).
Conclusion
Anticipating criminal or terrorist events is not an exact science, and even the most skilled experts can draw incorrect conclusions. The value of good judgment, common sense, experience, and collaboration cannot be overstated for this process. Analysts and investigators should partner to develop sound threat assessments because analysts supply the rigor of science and empiricism, while officers bring intuition and experience.
By analyzing the five components of a threat assessment, officers and analysts can identify and deconstruct indicators and warnings for each, revealing deeper levels of intelligence. Further, deconstruction allows the officer or analyst to develop a logical framework to identify new indicators and warnings as they emerge.
The threat assessment model, enriched by these processes, provides superior insights. When developed effectively, a threat assessment supports empirical judgments about when to intervene, admonish, or arrest a suspect. The model helps law enforcement professionals pursue the correct investigative path and prosecutorial strategy. When investigators employ these methodologies effectively, they can decrease the possibility of surprise, prevent crimes more frequently, and enhance public safety.