How do we determine threat levels?

There are a lot of misconceptions out there on how intelligence agencies do what they do.  It is not hard to see why this is: after all, spy services work in the shadows and seldom say anything publicly (“I can neither confirm nor deny…”).  Indeed, if these organisations were open books then they couldn’t do their jobs.

I have addressed several myths in previous blogs (such as the ridiculous “they failed to join the dots” accusation).  It’s time to look at another: threat levels and how they are determined and why bad things still happen.

If you recall way back to the summer of 2001, the US intelligence community reported that there was a constant stream of threat reporting rushing in suggesting that Al Qaeda was planning a terrorist attack (or, more accurately, attacks – plural).  As a result the enormous US intelligence apparatus was on high alert.  And yet 9/11 still occurred.  So what good are threat levels?

We had our own reminder today here in Canada that how threat levels are set is not well understood.  CBC reported (see article here) that there were three different threat warnings in the days leading up to the Parliament Hill attack a year ago.  So, why didn’t the Mounties stop Zehaf-Bibeau?  Who dropped the ball?

No one.  Threat information does not come in the following format: “Phil Gurski of 123 Main Street will leave his house this morning at 8:34, drive his Nissan Altima (licence plate ABC 123) to the corner of Fifth and Wellington, stop for a Timmies, then get back into his car and drive to the Governor General’s place where he will carry out a terrorist attack.”  If only it did.

Here’s the reality (drawn from my 30+ years of experience).  On any given day there are DOZENS (sometimes more) of discrete pieces of intelligence tied to some kind of threat.  Sometimes the discrete pieces are linked, more often they are not.  The information is usually fragmentary.  It comes from a wide variety of sources (human, intercept, allied agency…) and it is not always clear how reliable it is.  Agencies such as CSIS and the RCMP have to wade through this and determine which piece – if any – is worth dropping everything else for.  This decision has consequences since, at any given time, there are several high profile investigations already underway.  Putting one aside also can have serious consequences.

Combine this with the flood of propaganda from groups like Al Qaeda and the Islamic State in publications such as Inspire and Dabiq (“how to build a bomb in the kitchen of your mom” or the “welding steel blades to the grill of a truck and driving up on crowded sidewalks to ‘mow down the enemies of Allah’ plan”), and you get a sense of what these agencies have to deal with.

And here’s the reality: the vast, vast, vast majority of threats and plots NEVER MATERIALISE!!  Agencies carry out their due diligence, but successful plots are rarer than a Toronto Maple Leafs’ Stanley Cup (sorry, couldn’t resist!).

So “threat levels” are usually based on several months’ worth of collection and analysis and refer to a general threat environment (I occasionally saw a threat assessment based on a specific piece of intelligence or referring to a specific event or entity, but very occasionally).  In other words, the warnings issued last October were accurate but did not point to what happened the morning of the 22nd.  It is unclear what could have been done to prevent that attack, short of having Zehaf-Bibeau subject to a major investigation which would have included surveillance, wiretap and perhaps human source penetration.

The bottom line is that there is a constant threat level.  Sometimes it goes up, sometimes it goes down.  Issuing these levels helps our security and law enforcement agencies sharpen their senses and narrow their attention.  But they are seldom intended to stop specific acts.


By Phil Gurski

Phil Gurski is the President and CEO of Borealis Threat and Risk Consulting Ltd. Phil is a 32-year veteran of CSE and CSIS and the author of six books on terrorism.
