Posts Tagged 'intelligence analysis'

Islamist violent extremism and anarchist violent extremism

Roughly speaking, three explanations for islamist violent extremism have been put forward:

  1. It’s motivated by a religious ideology (perhaps a perversion of true Islam, but sincerely held by its adherents);
  2. It’s motivated by political or insurgent ends, and so the violence is instrumental;
  3. It’s the result of psychological disturbance in its adherents.

In the months after the 9/11 World Trade Center attacks, Marc Sageman argued vigorously for the first explanation, pointing out that those involved in al Qaeda at the time were well-educated and at least middle class, were religious, and showed no signs of psychological disturbances. There was considerable push back to his arguments, mostly promoting Explanation 3 but, in the end, most Western governments came around to his view.

In the decade since, most Western countries have slipped into Explanation 2. I have argued that this is largely because these countries are post-Christian, and so most of those in the political establishment have post-modern ideas about religion as a facade for power. They project this world view onto the Middle Eastern world, and so cannot see that Explanation 1 is even possible — to be religious is to be naive at best and stupid at worst. This leads to perennial underestimation of islamist violent extremist goals and willingness to work towards them.

It’s widely agreed that the motivation for Daesh is a combination of Explanations 1 and 2, strategically Explanation 1, but tactically Explanation 2.

The new feature, however, is that Daesh’s high-volume propaganda is reaching many psychologically troubled individuals in Western countries who find its message to be an organising principle and a pseudo-community.

“Lone wolf” attacks can therefore be divided into two categories: those motivated by Explanation 1, and those motivated by Explanation 3, and the latter are on the rise. Marc Sageman has written about the extent to which foiled “plots” in the U.S. come very close to entrapment of vulnerable individuals who imagine that they would like to be terrorists, and take some tiny initial step, only to find an FBI agent alongside them, urging them to take it further. (M. Sageman, The Stagnation in Terrorism Research, Terrorism and Political Violence, Vol. 26, No. 4, 2014, 565-580)

Understanding these explanations is critical to efforts at de-radicalization. Despite extensive efforts, I have seen very little evidence that de-radicalization actually works. But it make a difference what you think you’re de-radicalizing from. Addressing Explanation 1 seems to be the most common strategy (“your view of Islam is wrong, see the views of respected mainstream Imams, jihad means personal struggle”).

Addressing Explanation 2 isn’t usually framed as de-radicalization but, if the violence is instrumental, then instrumental arguments would help (“it will never work, the consequences are too severe to be worth it”).

Addressing Explanation 3 is something we know how to do, but this explanation isn’t the popular one at present, and there are many pragmatic issues about getting psychological help to people who don’t acknowledge that they need it.

Reading the analysis of anarchist violence in the period from about 1880 to around 1920 has eerie similarities to the analysis of islamist violence in the past 15 years, both in the popular press, and in the more serious literature. It’s clear that there were some (but only a very few) who were in love with anarchist ideology (Explanation 1); many more who saw it as a way (the only way) to change society for the better (Explanation 2) — one of the popular explanations for the fading away of anarchist attacks is that other organisations supporting change developed; but there were also large numbers of troubled individuals who attached themselves to anarchist violence for psychological reasons. It’s largely forgotten how common anarchist attacks became during these few decades. Many were extremely successful — assassinations of a French president, an American president, an Austrian Empress, an Italian king — and, of course, the Great War was inadvertently triggered by an assassination of an Archduke.

Western societies had little more success stemming anarchist violence than we are having with islamist violence. The Great War probably had as much effect as anything, wiping out the demographic most associated with the problem. We will have to come up with a better solution.

(There’s a nice recap of anarchist violence and its connections to islamist violence here.)

Inspire and Azan paper is out

The paper Edna Reid and I wrote about the language patterns in Inspire and Azan magazines has now appeared (at least online) in Springer’s Security Informatics journal. Here’s the citation:

“Language Use in the Jihadist Magazines Inspire and Azan”
David B Skillicorn and Edna F Reid
Springer Security Informatics.2014, 3:9
Security Informatics

The paper examines the intensity of various kinds of language in these jihadist magazines. The main conclusions are:

  • These magazines use language as academic models of propaganda would predict, something that has not been empirically verified at this scale AFAIK.
  • The intellectual level of these magazines is comparable to other mass market magazines — they aren’t particularly simplistic, and they assume a reasonably well-educated readership.
  • The change in editorship/authorship after the deaths of Al-Awlaki and Samir Khan are clearly visible in Inspire. The new authors have changed for each issue, but there is an overarching similarity. Azan has articles claiming many different authors, but the writing style is similar across all articles and issues; so it’s either written by a single person or by a tightly knit group.
  • Jihadist language intensity has been steadily increasing over the past few issues of Inspire, after being much more stable during the Al-Awlaki years (this is worrying).
  • Inspire is experimenting with using gamification strategies to increase motivation for lone-wolf attacks and/or to decrease the reality of causing deaths and casualties. It’s hard to judge whether this is being done deliberately, or by osmosis — the levels of gamification language waver from issue to issue.

ISIS is putting out its own magazine. Its name, “Islamic State News”, and the fact that it is entirely pictorial (comic or graphic novel depending on your point of view) says something about their view of the target audience.

Pull from data versus push to analyst

One of the most striking things about the discussion of the NSA data collection that Snowden has made more widely known is the extent to which the paradigm for its use is database oriented. Both the media and, more surprisingly, the senior administrators talk only about using the data as a repository: “if we find a cell phone in Afghanistan we can look to see which numbers in the US it has been calling and who those numbers in turn call” has been the canonical justification. In other words, the model is: collect the data and then have analysts query it as needed.

The essence of data mining/knowledge discovery is exactly the opposite: allow the data to actively and inductively generate models with an associated quality score, and use analysts to determine which of these models is truly plausible and then useful. In other words, rather than having analysts create models in their heads and then use queries to see if they are plausible (a “pull” model), algorithmics generates models inductively and presents them to analysts (a “push” model). Since getting analysts to creatively think of reasonable models is difficult (and suffers from the “failure of imagination” problem, the inductive approach is both cheaper and more effective.

For example, given the collection of metadata about which phone numbers call which others, it’s possible to build systems that produce results of the form: here’s a set of phone numbers whose calling patterns are unlike any others (in the whole 500 million node graph of phones). Such a calling pattern might not represent something bad, but it’s usually worth a look. The phone companies themselves do some of this kind of analysis, for example to detect phones that are really business lines but are claiming to be residential and, in the days when long distance was expensive, to detect the same scammers moving across different phone numbers.

I would hope that inductive model building is being used on collected data, and the higher-ups in the NSA either don’t really understand or are being cagey. But I’ve talked to a lot of people in government who collect large data but are completely stuck in the database model, and have no inkling of inductive modelling.

More thwarted attacks in Canada

Some things in life happen because of a lot of little decisions over time — if you don’t brush your teeth you’re going to get cavities; others happen very quickly — you might see a TV program about a hobby only once and it becomes something that you do through your whole life. Radicalisation is more like the latter than the former.

As a rule of thumb, in Western countries about 1 in 10,000 Muslims becomes a violent extremist. So that means that 9,999 people in the same families, suburbs, schools, work environments, with the same access to government services, and with the same neighbours don’t become radicalised. Right away, that’s a pretty strong signal that the causes of radicalisation are not macro causes, but much smaller ones, related to individual personalities and life journeys. The problem isn’t with any government’s international policies, or with it’s domestic policies, or with its social support system; it’s about the accidental events. Which means that there isn’t a lot to be done about it via the heavy hammers of government programs.

It also means that finding people who have become violent extremists is difficult. There is an advantage to a global brand like al Qaeda: it encourages wannabees to get in touch with it, providing an opportunity for intelligence and law enforcement to notice. Canada’s record at finding Islamist violent extremists before they carry out attacks has been good, much better than its record at finding those who’ve been blowing up hydro towers and banks precisely because these other violent extremists don’t need to communicate outside of whatever their small group is.

We’ll wait to see if Nuttall and Korody really did ‘self-radicalise’ without any contact with someone who was already radicalised, and whether the security services got onto them without a tipoff from someone who knew them — if either of these, that will be a first for Canada.

It’s not secret if it’s been in the papers

Everything (except for a few small factoids) that Snowden has revealed publicly so far also appeared in the May 10th 2006 USA Today front-page article, so much of the breast-beating of the past two weeks has had elements of farce associated with it.

And based on what’s come out so far, the US would have some trouble convicting Snowden of more than some low-level improper handling of data charges — someone with a security clearance is not prevented from saying things that are in the public domain. Obviously a trial would also be something of an embarrassment as well. Perhaps that’s why the US pursuit of Snowden has been somewhat laconic.

He may, of course, have taken other material which is more damaging. Even here, though, it’s hard to see what this could be. The media has been full of “Now our enemies (Russians, Chinese, al Qaeda) know that we intercept their signals”. But, of course, they already knew, not least because of the USA Today article. Reuters put out an article explaining how jihadists were adapting their technology now that they know about this US capability. Absolute rubbish! The only people who might not have known were low-level amateurs, and even then they’d have to be not very bright or rather disconnected from the internet. So knowledge of the existence of these programs does not aid the enemy.

What about targeting details? The US military testified before Congress last year that they worked on the assumption that their military networks (air gapped from the internet) were compromised; and the subtext wasn’t that they wished they had the skills to do the same to the military networks of other countries. Lists of compromised IP addresses are not especially valuable since enemies assume that all IP addresses might have been. In other words, the enemy are not going to look at this kind of data and say “Shoot, they got into that system” because they will already have assumed that they had. (Of course, despite efforts to be professional, there’s always a difference between “We assume this system has been compromised” and “We know this system has been compromised”.)

Details of technologies used might be of some interest. Other countries will certainly already have this information (that’s what their intelligence services are for) but terrorist groups might not. On the other hand, the technical possibilities are fairly obvious — for example, there was a recent paper showing that content in encrypted Skype traffic could be detected in some detail.

What might be more interesting to enemies is details of timelines and policies, for example how quickly is something interesting likely to be noticed and how quickly would it flow up the chain of command for action to be taken. This kind of information is hard to infer from the technical layout of the system — but, for that reason, it’s probably something Snowden didn’t know much about.

How does collaboration change behaviour?

If you wanted to know whether someone who was collaborating with others or someone working alone would have the most variable behaviour, I think you could make arguments for both sides. On the one hand, someone collaborating is getting stimulus from those others which might lead to greater variation; on the other hand, some, especially in the business community, might characterise ‘stimulus’ as ‘interruption’ or constraints and think that it might lead to less variation.

The paper “Detecting Collaboration from Behavior” by Bauer, Garcia, Colbaugh, and Glass, presented at the recent ISI2013 in Seattle shows that the answer, at least for Wikipedia editors, is that collaboration increases variation as measured by entropy.

Obviously, this result needs to be followed up in other domains to see if it continues to be true — but there isn’t a lot about the analysis that’s specific to Wikipedia, or editing, so it looks like it will. From an intelligence point of view this suggests another channel for seeing what going on inside and between groups of violent extremists. It fits nicely with the analysis my group is doing looking at how language patterns across conversations (for example, email threads) reveal the interactions among the authors.