Jihadi Gang Warfare

The Brussels gang of Islamic militants was not professional

This is a hot mess. Source: Jamestown

A reponse to this Jamestown article, which argues that the ISIS threat in Europe demonstrates that ISIS has professionalized their external operations branch. While the ISIS Central external operations branch does seem to professional and well run, it is hard to characterize the sloppy practices of the European network as anything other than amateurish. Poor planning, bad tradecraft, no security, and haphazard secrecy are all hallmarks of the European network, traits not normally associated with professional clandestine operatives. It is safe to say that the existence of sympathetic communities, and the systemic limitations of the Belgian counterterrorism capability, were more instrumental in the success of the attacks than any security practices employed.

Veteran…ish

Many of these guys were pulling guard duty in Syria. Others were clearly not very experienced (the three stadium suicide bombers were total amateurs, although, to be fair, finding experienced suicide bombers can be a challenge.) What experience many of the militants had in Syria was limited to weapons training, although at least the leaders had some combat experience. There was probably some minimal training in clandestine operations. Very minimal, from what has been reported via e.g. Reda Hame, and the two guys caught in Austria.

Being an experienced combatant and a skilled terrorist are different competencies. Combat operations and terrorist tradecraft have very little overlapping skill sets. Operating underground, using cover, avoiding detection, secret communication etc doesn’t really intersect much with marching, small unit operations, planning assaults, shooting, etc… The skill of a terrorist is survival and the ability to endure, actually effecting combat operations is a minor part of terrorism.

My feeling is that experience in Syria would be beneficial for conducting attacks, the execution phase, but not at all for the “living underground” part of being a terrorist. I can’t see being a veteran jihadi in Syria as being a huge benefit to learning tradecraft. Tradecraft is more important to the success of a terrorist organisation than handling firearms.

Planning: I knew I forgot something

The basic fact is that the attacks in Paris were not very professional. Abaaoud’s plan for the attack seemed to leave a lot of “learnable lesson” events. The planning stopped after the attack itself, with no attention paid to the post attack operational phases. Totally amateur hour.

Stadium Fail

The Hollow Boom of Failure

Recalling his encounter with Hadfi he described how the baby-faced attacker tried to tailgate a fan through the turnstile. Salim stopped him, blocking his path with his arm, little knowing that he had brushed against the suicide belt, concealed underneath Hadfi’s jacket. The young man claimed he had a ticket, but was waiting for his cousin to bring it to him, however Salim did not fall for his ruse and refused him entry to the stadium.

He watched as the young man took an unusual interest in the security measures around the stadium and made several phone calls on his mobile. His behaviour roused Salim’s suspicions and as he saw Hadfi attempt again to get past another security guard, he rushed from his position to warn his colleague. Hadfi disappeared into the crowd. 50 minutes later, Salim heard the first of three explosions. — ibtimes

The attack on the stadium was a complete disaster because apparently they forgot to buy tickets for the suicide bombers. It is not at all clear how they expected this plan to work. They arranged for three suicide bombers to be at the stadium at a specific time. They arranged a car to drive them there (apparently driven by Salah Abdeslam). They allegedly had some sort of ambush planned, where Hadfi’s attack inside the stadium would drive people out into the streets where the other two bombers were lurking. All this, and yet no plan to get Hadfi inside the stadium. No backup plan for when the guy without a ticket failed to get inside the stadium.

After he got bounced, Hadfi called Abaaoud who must have told him to just detonate his vest elsewhere. At this point, clearly it would make more sense for one bomber to kill the guard(s) checking tickets, then the others try to rush through the opening that was created. Instead they spread out and attempted to conduct individual attacks, apparently without clear directions.

Actually, anything other than “wander around outside and detonate your vest down a deserted street” would have been a better plan. What sort of professional sends a suicide bomber to enter a football stadium without a ticket? Or tells the bombers (supposedly) waiting in ambush to detonate their vests on deserted streets?

Now What?

Abaaoud, if he intended to die during the attacks, didn’t do a very good job on the follow through. If he was planning on surviving the attack, he makes a large number of monumental errors.

He wears high visibility orange shoes (a critical detail that helped to identify and track him.) He chats on the phone while watching the Bataclan attacks from a doorway. He wanders around for a while after watching the Bataclan attack. He heads off and lives in the woods with a mate for a couple days. He has his mate call a girl who likes him, asks her to come pick him up. She doesn’t know who she’s gonna meet (thinks it is Abaaoud’s younger brother) so she brings along the couple she lives with. They’re not at all onboard with the “help a mass murderer” plan. Abaaoud gets in the car with them, then changes his mind, issues death threats if they talk to anyone and gets out. This was possibly a fatal mistake, because after he leaves the couple unmonitored, the woman calls security forces and that is pretty much the end of Abaaoud and his mate.

This whole episode is rank amateur. The attacks were planned up until the action, but no provisions at all were made for what happens afterwards. This is a typical mistake made by amateurs — they picture their fantasy up until the point they achieve their goal, but nothing after. The real professionals are planning the full logistical “escape and evasion” process, not just “target selection” and “execution”… Professionals know after an action is complete is when things are most dangerous and risky.

It is only after the attacks are over and he is in hiding that Abaaoud begins preparations for further attacks. These preparations consist of asking a party girl to be his logistical support network, supplying safe houses, disguises, food, etc. It is as if he had never imagined getting to a “post Paris” situation and was making it up as he went along.

I can’t see a guy who calls some girl to come pick him up, because he forgot to prepare a safe house, as “a professional.” That seems very un “state sponsored terrorism,” much more like “civilian plans violent fantasy and then gets surprised when it works.”

Same Same But Different: Salah

Salah (R), on the run, on CCTV at a gas station the day after he shot up Paris. YOLO

Salah’s whole “I changed my mind, I want to go home” deal seems like it wasn’t accounted for in the planning. The guy just doesn’t want to blow himself up. I don’t know how they evaluate and vet their suicide bombers, maybe some percentage always gets cold feet… but maybe they would have noticed he wasn’t totally keen on the “martyr” bit? Maybe not, though. At any rate, it is abundantly clear that he was supposed to die in Paris, but he had a change of heart and made some friends come pick him up.

Salah was a jihadi who lacked the conviction of his peers. He was totally cool with driving around, and buying things, and renting flats and so on (the logistics support that he provided), and he may even have been up for shooting at people. But following through on the whole “die for your cause” seems to have been not his cup of tea.

That is (probably) fine. Terrorist groups typically have ways of handling levels of risk tolerance, allowing committed but risk averse members to handle less dangerous roles such as media relations or logistics. They need people to do logistics and provide support. Except, the way he did the logistical support totally burned him for any further operational work. He booked hotel rooms using his credit card. He rented cars in his name. I seem to remember that he registered SIM cards for the guys. Those things are fine if the security of the person doing them isn’t a real consideration (i.e. he is going to die)… but when he didn’t die, he became nothing but a liability.

After the Paris attacks Salah Abdeslam had absolutely no value. He was the most wanted man in Europe. He couldn’t travel freely. He couldn’t rent a flat on AirBnB with his credit card. He couldn’t go work in a shop, or sell drugs, or do any other fund raising activity. He was not an asset to the network in any way. He was too hot to handle.

This is the crazy thing — they let him hang around with people that were planning another attack!

On December 10th, the police searched a third-floor apartment on Rue Henri Bergé, in the Brussels neighborhood of Schaerbeek. Nobody was present, at the time, but they found traces of explosives and three suicide belts. In addition to Abdeslam’s fingerprints, his DNA was lifted from the scene, but it was impossible to assess when he had last been there. — Source: New Yorker

On The Run, Presumably Smoking Crack

Abdeslam’s fingerprints were found in the apartment in which Belkaid was killed, and police began tracking the cell phones of the two men who fled the building during the attacks, one of whom was Abdeslam. Remarkably, Abdeslam did not get rid of his phone or SIM card during or after the encounter with police, but continued using them, allowing police to track him through his phone. — Source: WSWS

a tapped telephone led police to a mobile phone number used by Abdeslam and, by triangulating the device’s location, established that he was at the house in rue des Quatre-Vents in Molenbeek. — Source: HuffingtonPost

Salah Abdeslam is apparently unclear on the concept of “burner phone,” which requires the user to discard it when it is contaminated. This guy was nothing but a liability. His security is abysmal, and yet he had access to active operatives planning new operations. There is no way this is a professional organisation. This is a bunch of guys hanging out in squats.

Whither Security?

This huge network is indicative of a very bad security posture. It is the sort of sprawl that happens when people recruit and join up based on social ties and interest, and there is no one with authority and experience (no hierarchy in place) to ensure strict compartmentation. This is a normal social network, not a professional clandestine organization. This is like the WWII resistance networks that Germans had such an easy time rolling up.

The “large network that can flexibly switch from support to operations” is a sign of a bad network. It shows bad security, poor planning, no management. This was a bunch of like minded guys just hanging out. It was extremely vulnerable. One arrest, which could happen at any time, would jeopardise the entire network. The inevitability of arrest is why professional clandestine organisations try so hard to enforce compartmented cells.

The weakness of a large network can be seen by how the network had to alter their attack plans after “the most wanted man in Europe” — who was hanging out with them as they plan their next attack — was (shock!) arrested. He was captured after he turned on a mobile phone that was known to the security forces. These sorts of mistakes are inevitable, which is why exposing the active operatives to a liability like Salah is so mind boggling.

They were planning another operation while hanging out with “the most wanted man in Europe” who had literally nothing to offer. He was not able to provide logistics, funds, or support of any sort. Furthermore, he had already demonstrated that he was incapable of being a suicide bomber. This guy was the world’s worst liability. The last thing they should be doing was hanging out with him. If they were smart they would’ve buried him in a ditch where he wouldn’t be a threat to them any longer. Failing that, find some far away safe house and stick him in that, in isolation, forever. Instead, because he was a friend and this network was fundamentally a social network, they just let him hang out with them.

They had a “friends and family” support network. There is the interesting aspect of using existing criminal networks, which is certainly innovative. They apparently have some access to old AQ “caravan” networks for moving people around. What they don’t have, is an effective professional terrorist network. They have a gang, not a system of compartmented cells with strict division of labor.

Don’t Call Me, I’ll Call You

Despite the constant rhetoric about encrypted messengers enabling ISIS operatives to ghost through the European surveillance network, evidence indicates that the Brussels ISIS network made extensive use of normal phone calls. It was a lack of wiretaps and interpreters that enabled the ISIS militants to evade detection.

Belgian prosecutors’ request to tap the phone calls and emails of the Abdeslam brothers was turned down by police because of a lack of resources — Source: Politico

The police were not blinded by encryption, but by lack of resources.

Like Fish In The Sea

The network enjoyed the “natural security” of a population that was neutral or sympathetic. Neither the Molenbeek nor Schaerbeek communities were actively helping security forces hunt for militants in their midst. Combined with the relatively poor capabilities of the Belgian security forces (few translators for wire taps, fewer Maghrebi speakers, etc), this created a lax operational environment in which even poor tradecraft was enough.

They did not have particularly good tradecraft. The only thing they seemed to have done correctly was to do (at least some of) their meetings face to face, rather than over the phone. You know, as friends do. Really, the biggest enabler of the network was the poor resource constrained Belgian police work. They had massive luck in operating in a country that is totally incapable of handling a large gang.

• Belgium is dysfunctional, hampered by bureaucracy, and practically paralysed
• It is hampered by serious systemic problems stemming from chronic underfunding and poor management
• There is no clear policy/plan/process on how to handle returnees or suspected militants
• They had (have?) limited capabilities, such as few/no Maghrebi speakers, very few arabic speakers, few wiretaps, and reliance on the US for SIGINT capability (which is slow due to liaison status + classification issues)

The European ISIS network got lucky. The Belgian police had limited capability to detect them, and the population was not actively working against them.

The militants did not need good tradecraft, the police were, very literally, not listening. I maintain that the lax operational environment in Belgium was the single greatest contributing factor to the success of the network. Until that is changed, there is the chance of further attacks.

Terrible Terrorist Skills

The bomb maker for the group was not very sophisticated, to put it mildly. The bombs he produced were as complex as a flashlight: some wire, a battery and a switch. There was no safety.

The bombs were primitive and poor quality. The suicide vests were tied around the torso with two bits of rope. When the one bomber detonated his vest in the middle of a packed restaurant, he managed to kill only himself. Of the three bombs in Brussels Airport, only 2 detonated — the third was a dud.

Najim Laachraoui, the ISIS bomb maker, has apparently never heard of wearing gloves when committing a crime. His fingerprints and DNA were all over the devices. This is some sort of hobbyist level production, not professional at all. The ELF/ALF has better tradecraft.

Concluding Thoughts

• Bad security. The terrorist network was a huge messy sprawl with everyone knowing everyone. This limits long term effectiveness as interdiction by security forces becomes an almost certainty.
• Bad planning, as there were no provisions made for what to do after the attack.
• Bad management, not only did they not isolate and neutralize Salah, they included him in their future planning sessions! This is just beyond comprehension.
• Bad tradecraft. These guys were using their mobile phones, making calls and sending SMS to each other all the time. They used WhatsApp to call Syria and collected money that was wired to them. They made audio recordings of planning sessions with Syrian based commanders. They didn’t know to use gloves when building bombs. The bombs were unreliable, made with TATP (I’m informed there are better alternatives), and built like a flashlight.

I really have a hard time seeing a huge network that fails to plan effectively, has only an amateur bomb maker (who ends up killing himself on their second op), allows a liability like Salah to hang out with active operatives, etc as “professional.” It really just feels like a huge gang that was operating in an area where the police are ineffective.

Rather than a veteran jihadi professional terrorist network, I think they are a sloppy gang of thugs. The reason for the lack of professional is that ISIS is fundamentally a battlefield organization. They are locked in a battle for legitimacy against al Qaeda, and a desperate fight for survival on multiple fronts in Syria and Iraq. Their resources are being taxed at home, so they’re not about to squander talented members on suicide missions in distant foreign lands. If all it takes to operate in Europe is a gang of thugs who can manage to keep off Facebook for a few months, that’s all ISIS is going to commit. The problem for Europe is — that’s enough.

I am indebted to readers who provided early feedback.