The ISIS Tailspin of Terrorism

Watching YouTube won’t produce a skilled terrorist

NOTE: incomplete post from 2017–08–15. ISIS collapsed faster than my interest in finishing this post.

ISIS’ capability as a transnational terrorist organisation continues to collapse. They are unable to bring recruits to controlled territory for training, but rather have to rely entirely on remotely managed raw amateurs who are ineffective and error prone. This shows that counterterrorism efforts are working effectively to limit the damage that ISIS, the organisation, can do. Unfortunately, their trained and battle hardened members who survive and escape will be extremely dangerous. Good news — right now they suck; bad news — the post ISIS world is scarier.

This post will examine why having an entirely remote external operations arm is not a winning strategy for a terrorist group. The positives:

  • cheap to implement,
  • hard for security forces to stop (in theory)
  • scales well,
  • creates the illusion of global reach

These apparent benefits are actually outweighed by the negatives of using only trained professional operatives. The negatives:

  • ineffective attacks (inept, low impact) are bad for the brand
  • essentially no strategic control (timing, region, targeting, messaging)
  • low success rate (interdiction is very high, so is the drop out rate)
  • inherent limitations of purely remote terrorist operation make addressing these problems decidedly non trivial

An effective terrorist organisation makes strategic use of violence to attempt to achieve the result they want. At its most generic this is some sort of utopian ideal (global communism, the caliphate, freedom, the independence and/or union of greater population group). Since achieving this vision is a matter of developing and executing a strategy (class warfare, removal of colonial ruling elites, agitating for political autonomy, etc.) the leaders of the group, the centre, must be able to use their military resources with strategic precision (in theory anyway.)

A purely remote control agent is basically the least strategically effective mechanism available — the centre has no control over their targeting, timing, effectiveness, success rate; and there is basically no way to increase the amount of control over the remote agent. A group that is unable to execute operations that further their strategic goal is severely handicapped. Even worse, the application of violence to further strategic goal is extremely tricky as violence needs to be calibrated and targeted very specifically. Too much violence can reduce support, as can too little, and embarrassing or incompetent acts of violence can also reduce popular support.

Remote control agents are basically only good for creating the temporary illusion of power projection, a false impression of global reach. In the long run, they only help to weaken popular support because the centre is unable to exercise strategic control over their violence.

Remote Control is Worst Control

From a security point of view, using remote control agent seems like a great win (they could be anybody!), but there are several innate elements that make them far more prone to interdiction than a trained terrorist.

  • Initial poor security posture means they are easy targets for security forces
  • High volume of comms traffic — chatter — makes monitoring more easy
  • Remote control means lots of commo

Firstly, they slowly migrate into the terrorist group — this process of going from civilian to “secret soldier” leaves a predictable trail for which security forces are vigilant and actively hunting. The primary point of contact to initiate the recruitment must be publicly visible and accessible for the volunteer agent to be able to find it. More simply, the agent lacks the security training necessary to safely seek out and join the group.

Secondly, the remote control aspect of the agent means that there is a high volume of traffic from the terrorist group to the agent. This chatter is the most heavily monitored and surveilled terrorist group external operations elements in contact with this agent who lacks adequate security training. Naturally, this means that remote control agent are brought to the attention of security force rapidly, making the least prepared to protect their security the most targeted for surveillance.

Thirdly, the remote agent is less vetted and less committed than another recruit. This leaves the handler in a position where they are unsure what level of compliance they will have from the remote agent. There are almost no consequences for defection (leaving the group or operation), as the handler cannot force compliance. Compounding this, the lack of vetting makes it difficult for the handler to determine whether they have a committed agent rather than a poseur, informant, or time waster. Indeed, one common aspect of remote control agent that actually conduct their attacks is the sheer volume of encouragement and cajoling messages from their handler. “Do it, O Lion! Seriously though, please, you have to, you promised, you’ll be disappointing so many people if you don’t, I command you, I beg you, I implore you! O chosen one of the super greatness”


Key Elements of Underground Group Success

Terrorists and revolutionaries (basically) never win. The best they can hope for is that the existing regime loses and they’re around to step into the governing role. As a result, typically what a terrorist group is trying to accomplish is endurance. Most terrorist groups don’t last past one year, and even fewer make it to ten years. Individuals who join a terrorist group have had, usually, from 18 months to 5 years before they are in exile, in jail, or in the ground. Terrorist groups, therefore, have to keep bringing new recruits in, otherwise simple attrition will prevent that endurance necessary to have any chance of success. The way to bring in new recruits is to have visibility to the recruitment pool, and a message that motivations them — The Vision.

Fresh recruits are not enough though. Angry young men can be found in groups anywhere, and easily united behind a Vision that allows them to rationalise their acts. This ranges from propaganda efforts, to fund raising (e.g. robbing banks, or other criminal activity), to violence. All of these activities require some level of knowledge and planning, but the most complex terrorist activity is violence. Effective violence requires knowledge, training, planning and equipment. For a terrorist group to be successful at violence it needs to have foot soldiers who are capable of using weapons (and, obviously, it needs to have those weapons.)

Terrorism, as a physical act of violence, requires knowledge. There is teknewhat you learn from reading and metiswhat you learn from practice. Conducting a suicide bombing is not something one can practice, although constructing suicide vests is. When ISIS has to use lone amateur recruits who need to both construct their vests and use them, they’ve been spectacularly unsuccessful. This is obviously because learning to build an effective suicide vest takes practice, but using one prevents such practice. When the user and the maker are the same person, they only get one single (generally unsuccessful) chance.

ISIS have had very poor success training someone to built a suicide bomb vest that kills anyone other than the wearer (and although a successful detonation is definitely an accomplishment when dealing with homemade explosives, clearly this is not the pinnacle achievement that the group, or the agent, are striving for.) Even their trained bomb maker for the Paris attacks produced pretty shoddy vests – one was detonated in the middle of a packed restaurant killing: one (the wearer.) The Brussels airport and subway attacks were themselves bizarre — no one in their right might would say “first thing we do, we cook up 600kg of TATP!”*

* My personal speculation is that given the infighting and squabbling of the cell, they needed a goal, a focal point, “a future mission of some sort” to keep the group from collapsing entirely. The only guy keeping things together in the high stress environment of being hunted by, and living under the combined gaze of, most of the world’s security forces was the bomb maker, and he turned to making TATP (the only thing he could do under the circumstances) as a sort of hobby to fill the time and keep himself occupied.


Distance Learning For Deadly Dummies

Terrorism Tutorials aren’t Enough

Although the ability of a terrorist organisation to recruit agents and instigate an attack remotely, without first indoctrinating and training them, seems scary (borders offer no protection against insider threats), they’re actually the lesser of two evils. An indicator that counterterrorism activities are successful, forcing terrorist groups to opt for a less effective strategy of violence.

Physically conducting terrorist attacks requires acquiring the skills and knowledge of effecting violence against human beings or property (generally speaking, actually killing people can harm a terrorist groups’ cause.) Killing requires some mental preparation (dehumanisation, transfer of responsibility, etc.), while actually conducting a terrorist operation requires a different set of real skills (bomb making, firearms training, physical fitness, driving, operational security, etc.) A raw amateur might be able to work themselves up into a frame of mind allowing them to enact violence, but acquiring the skills to actually commit deadly violence is a different story. One is no more capable of becoming a concert violinist by only watching YouTube video, or reading books, than they are of becoming a competent bomb maker.

Recently, the most effective tools of violence have been the tools that a terrorist is trained and practiced at using — a vehicle. Shooting is harder than it looks, and requires a gun anyway, knives simply don’t scale, and producing a functioning and effective bomb isn’t trivial. There simply isn’t much chance to practice bomb making in Europe without drawing the attention of the security forces. A car, or a truck, however, is simple to acquire, easy to learn how to operate, and killing people with a tonne (or more) of high velocity metal is simple enough for even the typical jihadi idiot to manage.

Tactical instruments of terror: the bomb

Learning how to construct effective bombs is not something you pick up from an eLearning course (not that I’m expecting the Khan Academy “Applied Terrorism: Practical Technologies and Techniques” course) An effective bomb maker needs to be trained with practical hands on guidance and testing of the results[0]. This is especially the case when the device involves more hand made components, such as the typical terrorist IED — made from artisanal TATP, bespoke detonators and tailored timers or triggers.

A bomb is fundamentally just a very simple electrical circuit with some chemistry at one end, but these amateur recruits in-place are typically losers and only get one chance at getting it right. Bombs are systems with a lot of components that require diverse skills for the logistics, assembly, storage, and placement. Getting it right is a lot more likely with training – they’re complex terrorism tools for an amateur. To cap it off, with a few notable exceptions, they have relatively low lethality.

Bombs are a security risk as well:

  • Training in their construction risks alerting people (loud bangs tend to attract attention)
  • Acquisition and storage of the components is incriminating (few people ever need litres of high concentration acetone, or ice baths and well ventilated cooking spots.)
  • Preparation of TATP is dangerous, risky for professionals (Hamas calls it the “Mother of Satan”[1]) , and error prone for amateurs[2][3], and the chemical reaction produces a strong smelling odour that must be ventilated (a security risk as it may alert the neighbours “oh, those taciturn quiet young men next door must be having boiled bleach and nail polish remover for dinner tonight”)[4].
  • TATP is very literally cooked from a recipe. The imaginative geniuses behind ISIS and al Qaeda have thus tended to use “open codes” based on cooking, “rice” in one case for ISIS, and “dal” in another for al Qaeda. Since it is a bit tricky to get right, the amateur bomb makers often have to contact their handlers for assistance.
  • TATP can become inert if it gets damp, such as by absorbing humidity from the atmosphere. It can also detonate fairly easily. Combined, these two properties make it poorly suited for long term storage. A bomb maker basically has to cook up a batch and use it quickly.

The combination of these traits makes the improvised bombs (of the type favoured by ISIS) a catalog of serious security problems:

  1. Practice is likely to raise the alarm,
  2. Acquiring and storing the precursors is incriminating
  3. Preparing the stuff is dangerous and can, very literally, blow up in their face
  4. The act of cooking TATP has a high likelihood of leading to chatter between the terrorists and their handler, and it’s probably going to be about a recipe 🙄
  5. Because of its instability, preparing TATP is a strong indicator of an imminent attack.

To sum up: TATP is, by its very nature, likely to alert security forces that an attack is imminent and, even if successful, the attack is likely to be low lethality. Cold comfort for those caught up in the destructive wake of an attack, but compared with the alternatives, let’s hope these losers stick with the worst possible option.

Support more posts like this.


[0] Breivik spent three years practicing, learning, and teaching himself how to build a bomb that ultimately killed 12 people.

[1] http://www.ibtimes.co.uk/brussels-attack-what-tatp-explosive-material-authorities-suspect-terrorist-used-bombs-1551361

[2] AQ attack in NYC that was foiled partially due too the inability to cook TATP without assistance. The suspects’ request for help preparing “dal for a wedding,” emailed in plain text to Pakistan put the FBI into high alert.

[3] https://en.m.wikipedia.org/wiki/Acetone_peroxide

[4] https://www.nytimes.com/2017/02/04/world/asia/isis-messaging-app-terror-plot.html

https://www.nytimes.com/interactive/2017/02/04/world/isis-remote-control-enabled-attack.html

https://www.propublica.org/article/isis-via-whatsapp-blow-yourself-up-o-lion

There’s some good meat in this worth digging into, but I’ll save it for a later post. The switch from Telegram to an XMPP+OTR system is notable for a few reasons:

  1. OTR is more secure than Telegram, but XMPP relies on third party servers and provides a wealth of metadata for the investigators and surveillance team
  2. ISIS still has a weird love affair with Tutanota, a propriety encrypted email format based in Germany. As usual, it hits the key points of ISIS infosec requirements: it claims to be “encrypted”, has an Android app, and is free.
  3. The mystical belief in Tails is alive and well. As is the faith in ChatSecure (I assume for Android), which has been deprecated and end of lifed. On the other hand, unlike superior apps (not named for the simple reason – fuck you ISIS, figure it out on your own), ChatSecure is free.
  4. The operational security system used for handling incriminating evidence by the ISIS handler and their professional criminal contacts is rock solid. They use strong compartmentation, dead drops, and external weapons caches that keep the operative’s home free of evidence. There are multiple examples of this sort of thing