Man Hunting, The Sport of Security Forces

Tracking Down Salah Abdeslam

Bottom Line Up Front

  • Intelligence agencies must cooperate more rapidly and proactively to counter ISIS’ rapid and haphazard operational tempo.
  • Clandestine operatives must rely on support networks that include overt members of the public. These networks are easily mapped out based on metadata available to nation state level security forces.
  • Fugitives should learn to cook if they want to minimize their footprint and improve their security.
  • Exposure of clandestine networks is inevitable, given modern data sources. Only extremely disciplined non-organic organizations can hope to survive for long.

The capture of Salah Abdeslam is certainly good news; he will be a rich source of information about ISIS inside Europe. The manhunt was intense, and his ability to remain hidden inside Belgium for months was quite an accomplishment, particularly given the poor ISIS security. Belgian police, with considerable assistance from international intelligence agencies, had been following leads and conducting raids.

“Changed my mind, haven’t seen Paul Blart Mall Cop 2 yet”

Salah went missing after he wimped out of “martyrdom,” ditching his suicide vest and calling friends to come pick him up and take him home. The car was stopped by the French and everyone IDed, but their names weren’t available to the police yet.

Clearly, security forces are not sharing counterterrorism information fast enough to handle modern operations. A slow-moving target like the Soviets, or even al Qaeda, allows for a more relaxed approach. ISIS’ operational tempo and behavior are too fast and haphazard for that.

Defunct Safe Houses

The Molenbeek area where Salah had been hiding is riddled with radical support networks and sympathizers. He was able to rely on his friends and other support networks. Police targeted elements of these support networks and eventually discovered a link to Salah himself.

Belgian and French police, who had worked intensively together since November 13, carried out a midday check on what, according to several officials, they thought was a defunct terrorist safe house. The utility bills hadn’t been paid in months, officials said, leading police to assume the apartment in the Forest district of southern Brussels stood empty. The six-person team didn’t expect to meet resistance and brought no police backup or special forces support.
When the police opened the door, they were shot at with a Kalashnikov and “a riot gun,” according to the Belgian authorities. Four officers were wounded, including a French policewoman. Heavily-armed police pursued suspects across the rooftops. One gunman was killed. Two fled the scene, evading capture even though police had sealed off the area.

The “defunct” safe house had a glass with Salah’s fingerprint. Police developed a number of leads and ended up monitoring a house in the Molenbeek area.

Speculation: those leads were based on analysis of mobile devices, and knowledge of existing social networks. Using the identities of the suspects from the safe house as an entry point into the support network, based on social ties, further likely suspects could be identified.

Update: the lead was based on metadata — a phone call.

Update: the house where Salah was captured was the home of Abid Aberkam, a friend of his.

Staking out the house, the police became convinced that a larger group of people was there after a woman who seemed to live there ordered several pizzas, according to two security officials.

Just like the raid on el Chapo Guzman was triggered by a large food order, it seems Salah’s capture was based on too many pizzas. Maybe fugitives might want to consider cooking at home, rather than ordering delivery.

Social Networks, Not Just For Entrepreneurs

It seems that significant parts of the manhunt were enabled by recovering and analyzing mobile phones used by the various suspects.

Aside from the fingerprint found on Tuesday, earlier raids on suspected terrorist hideouts brought other important leads, according to officials. Electronic devices confiscated in earlier raids helped authorities track Abdeslam down, said a Belgian source. Once a suspect’s mobile number and sim card have been identified, investigators can then serve a court order on telecoms operators to track the number and card down to the nearest phone tower.

The location information generated by the mobile devices (phones and possibly tablets) enabled security forces not only to track individuals but also to map out their networks, e.g. via co-location (two devices repeatedly seen on the same tower at the same time). Mobile phones, even when encrypted and even when used with encrypted communications tools, still provide a rich source of intelligence to security forces, because the metadata (number, tower, time) is generated regardless of what is inside the messages.

Big Data Analysis Beats Covert Networks

Modern connected society is a huge data source for the intelligence analyst. Social connections are mapped out via online social networks such as Facebook, but also in meatspace via the mobility of personal tracking devices such as mobile phones. An underground operative, such as Salah, can avoid using mobiles and computers, but the various elements of his above-ground support network are as reliant on modern tools as anyone else.

“The guerrilla must move amongst the people as a fish swims in the sea.” — Mao Zedong

The problem for underground operatives is that they are reliant on support networks. Support networks for clandestine organizations are almost always based on social networks. Modern society makes support networks an open book for anyone with access to the data (social apps, telco records, etc.) and the analytic tools to parse that data (e.g. Palantir, IBM i2 Analyst’s Notebook, etc.).

If there is real risk involved, as in political or criminal undergrounds, people build links in the secret society through stronger ties. One result is that secret societies rarely have the lovely cell structure that people think is best for overall organizational secrecy and survival. Most underground networks just grow along the messy lines of pre-existing strong ties, unless some people have enough resources to control this growth and force it into a more hierarchical outcome.

Tracing threads has become trivial (even with encrypted comms); the hard part is merely finding an entry point.
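The co-location mapping described above and the "entry point" problem, as an added Python example that is not part of the original post: constructed tower sightings (number, tower, time slot) are bucketed, pairs seen together in at least two buckets become edges (a single shared sighting at a busy tower is treated as coincidence), and a breadth-first search from one recovered number, the entry point, enumerates the reachable support network. The subscriber labels, towers and threshold are invented for the example.

```python
from collections import defaultdict, deque
from itertools import combinations

# Constructed sample of tower sightings: (subscriber, tower_id, time_slot).
# A sighting is the kind of record a telco returns under a court order
# (number, nearest tower, time). All values here are invented.
SIGHTINGS = [
    ("A", "T1", 1), ("B", "T1", 1),   # A and B together at T1, slot 1
    ("A", "T2", 2), ("B", "T2", 2),   # ... and again at T2, slot 2
    ("B", "T3", 5), ("C", "T3", 5),   # B meets C twice
    ("B", "T4", 9), ("C", "T4", 9),
    ("C", "T5", 7), ("D", "T5", 7),   # C and D share one sighting only
    ("E", "T1", 1),                   # E passes T1 once: coincidence
    ("F", "T9", 3), ("G", "T9", 3),   # an unrelated pair, never linked to A
    ("F", "T8", 4), ("G", "T8", 4),
]

def colocation_counts(sightings):
    """Count, per pair of numbers, how many (tower, slot) buckets they share."""
    bucket = defaultdict(set)
    for number, tower, slot in sightings:
        bucket[(tower, slot)].add(number)
    counts = defaultdict(int)
    for numbers in bucket.values():
        for a, b in combinations(sorted(numbers), 2):
            counts[(a, b)] += 1
    return dict(counts)

def build_graph(counts, min_events=2):
    """Keep only repeated co-location; one shared bucket is treated as noise."""
    graph = defaultdict(set)
    for (a, b), n in counts.items():
        if n >= min_events:
            graph[a].add(b)
            graph[b].add(a)
    return graph

def expand_from(graph, seed):
    """BFS from an entry point; returns {number: hops from seed}."""
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, ()):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops

if __name__ == "__main__":
    g = build_graph(colocation_counts(SIGHTINGS))
    print(expand_from(g, "A"))  # {'A': 0, 'B': 1, 'C': 2}; D, E filtered, F/G unreached
```

Raising `min_events` trades recall for precision: the single-sighting ties (C–D, A–E) drop out, while the repeated ones survive and F/G remain an island until some entry point lands on either of them.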