The challenges of watching terrorists

Finding fault with security intelligence and law enforcement agencies and personnel is a bit of a sport, I find.  Second guessing and armchair quarterbacking seem to appeal to many who latch on to any mistake, real or perceived, to case aspersion on the efforts of those who are supposedly there to keep us safe.  “What a bunch of dolts”, they say, “a veritable collection of Keystone Kops!”

For the record I do not wish to imply that spies and cops should be above criticism: like any other collection of humans they are capable of screwing things up and should indeed be called to task when they do so, especially if their errors are egregious.  Besides, can’t everyone learn from their shortcomings?

Where I do draw the line, however, is when the hoi polloi and ‘instant experts’ raise their voices in the wake of a terrorist attack when it turns out that the perpetrator was once on the ‘radar’ of security intelligence and/or law enforcement agencies but was dropped only to go on to commit an act of extremist violence.  A recent example comes to us from Sweden where last April’s terrorist driver was being watched by SAEPO, the Swedish Police Security Service, only to have the investigation terminated three months before his attack on the Drottninggatan in Stockholm.  What was SAEPO thinking?  A lot closer to home we have the case of Aaron Driver, the Islamic State wannabe who was on a peace bond (a Canadian version of the UK’s control orders) and yet who made a martyrdom video as well as two (lousy) bombs but who was stopped only thanks to a tip-off to the RCMP by the FBI.  What was the RCMP thinking?

To those with little to no actual experience in counter terrorism these alleged lapses in judgment are puzzling.  Why, they probably ask, would you stop looking at someone who clearly poses a threat to national security and why aren’t these people simply arrested and put away?   To those who are incredulous I offer a very simple response, based on three decades in intelligence (of which 15 in counter terrorism and counting).  We don’t ‘miss’ things: things ‘miss’ us.  Allow me to explain.

Any spy service or police force can launch an investigation (for the purposes of this blog I will limit myself to terrorism ones) if it has reasonable grounds to suspect or believe someone is involved in threat-related activities.  Depending on what the initial investigation finds, the investigating agency can recruit and run human sources/agents, apply for a court warrant to monitor communications, carry out physical surveillance, and ask for help from other partners, both domestic and international.  All of the information (intelligence or evidence) collected is analysed to determine what next steps, if any, are needed.  In an ideal scenario the threat posed is clear, the data is robust and action is taken to ensure the subject does not succeed in doing what he is planning.

The situation is, alas, seldom ideal.  Information is almost always piecemeal, fragmented and often contradictory.  There is never just one investigation at any given moment to consider but rather dozens (or hundreds if the organisation is large enough and the threat level is high enough).  Each investigation demands resources and agencies are forced to re-evaluate all those efforts continually.  Decisions are made based on what is known at a particular juncture and which threat is deemed to be more serious.  Resources – whether they be investigators, surveillants, linguists or other support staff – are finite and people can only work so many hours in a day. As a result, some investigations are dropped.

Most critically it is very rarely crystal clear just what a person of interest intends to do.  In my experience every person we investigated while I was at CSIS ‘talked the talk’ (of violent extremism) but very few ‘walked the walk’ and ended up carrying out an attack (or planned to but were thankfully stopped before they could).  Furthermore, all the algorithms and methodologies and theories out there on the relationship between radicalisation and mobilisation, as the transition is now called, are inadequate and always will be.  I am not saying that there are no useful indicators that have come out of good researchers armed with real data, but the bottom line is that no one can offer advice with any degree of certainty that person A is just a poser while person B is the real McCoy.  There is far too much variability in human behaviour and decision making to allow for a foolproof diagnostic.

So, in the Swedish case SAEPO undoubtedly made the decision to stop investigating Rahmat Akilov in January 2017 because there were either higher priorities at that time or there was not enough information to warrant more work on his case.  I find  it ironic that many who chastise security and law enforcement agencies for not stopping every terrorist attack are also those who criticise those organisations for looking at people of interest in the first place, seeing their effort as some kind of violation of civil liberties.  We cannot have it both ways: we either let our protectors do their jobs – and they will interdict the vast majority of plots although some will sneak through – or we don’t and more bad stuff happens.  It’s up to all of us as citizens, taxpayers and voters to decide which is better.  My money is squarely on the former, for what it is worth.



By Phil Gurski

Phil Gurski is the President and CEO of Borealis Threat and Risk Consulting Ltd. Phil is a 32-year veteran of CSE and CSIS and the author of six books on terrorism.

Leave a Reply