The following are some initial thoughts on the Paris attacks. The analysis relies on information in the public domain and includes what is known about previous attacks of a similar nature. I hope the following helps others to understand the questions that will need to be answered over the coming months. The goal is to inform the general public about the attacks.
As the authorities continue to identify the attackers, we need to analyse the attacks. The attacks were coordinated, which raises the questions of how, where, and when they were planned. Were they planned abroad and executed locally? If this is the main operating assumption, then several more questions emerge.
If the attackers coordinated their efforts, how did they communicate? If they relied on an external network for support, what was the system they used to communicate? Did they rely on encrypted phones? Or did they rely on less technological systems such as coded letters, face-to-face meetings, and pre-set plans? If they relied on encryption, was French intelligence unable to track them? If the attackers were using less technically sophisticated systems, how can the intelligence services adapt? In particular, will this be a template for future attacks in the US or UK?
The authorities will need to consider why the targets were chosen. The threat model will help them to protect against future attacks. However, we do not know why they chose these targets except for their availability and vulnerability. Many commentators have suggested that they were chosen as they were less guarded or “softer” than higher profile sites such as the Eiffel Tower. If they were, then we need to look at ways to protect those targets, which may need short-term changes, such as identity checks, increased surveillance on known networks, and changed security patrols in such areas.
Was President Hollande a target for the attack on the football match? It is unlikely, as the attackers would know he would be heavily guarded. The stadium may have been a target as it would contain a large crowd as well as a large television audience. If the President was the target, how did the attackers know he would be at the match? Although the President may not have been the target, the French authorities will need to check their security rules as well as publicity around the President’s travel itinerary.
The attackers would have chosen a specific time and date. However, we do not know why they chose this date or time, so they may not be symbolic so much as opportunistic. If the date is symbolic or is connected to something else, future threat profiles will need to cross-reference dates in the future.
The recovered weapons will help the authorities understand the network that supported the attack. The weapons will have been purchased abroad. Where and when they were purchased will provide details about the attackers’ logistics. The same questions will be asked about the grenades and other explosives. Many times these are bought separately and provided to a pre-arranged drop. The weapons will also show the level of training and experience the attackers had. They may have travelled abroad for weapons training or may even be ex-military. Even though the weapons are not advanced, the user needs some training and experience to use them effectively.
If the explosives are homemade, then it indicates they could not buy them. The weapons seem to be ones that are relatively easy to get and traffic without attracting as much attention. More exotic weapons such as chemical weapons or a fertilizer bomb will attract more attention. At the time of writing, we do not know the type of explosives or their make. If a network supplied the attackers, the weapons may have been purchased by a different group so it would not seem linked to the group or their plan.
It is too soon to call this an intelligence failure. The phrase is now used as a sloppy shortcut to say the authorities failed if an attack succeeds. It creates a false image of intelligence and how the security services detect, disrupt and prevent such attacks. Oftentimes, the intelligence exists but no one can see the pattern until after the missing details emerge. We do not know what intelligence was available and how the warning signals were distinguished from the noise. We have to remember that intelligence is about connecting the dots quickly *backwards* to prevent something. No one can connect the dots going forward as contingencies can always disrupt or delay plans.
The French intelligence services may have seen signals and were in the midst of unravelling them when the attacks occurred. If we consider the following scenario, we can see the difficulty with intelligence and surveillance. The French could have received intelligence that an attack was planned this week in Paris. What exactly would they do? They could increase security or awareness, but where do they focus? The main targets? As they know neither the date nor the time nor the place, it is hard to prevent such an attack even if you pick up signals.
As we know from the 7/7 attacks in the UK or the Lee Rigby attack, it matters little if an attacker is “known to the police” as they do not have the resources to track everyone constantly in real time and know their motives. They face limited resources, and especially the natural issue of what counts as a “threat”, against variable threats, which means they have to manage the current risk against an expected risk.
If the plan was set up several months ago and applied over 48 hours, then it is harder to prevent. How can the French police intervene even if they have real-time intelligence that an attack is due the week of 9 November? The French would be unlikely to know the quality of a plan designed 6 months ago and be able to connect it to events that might or might not unfold over the next 48 hours.
To disrupt or prevent attacks or plots, the authorities need to penetrate those networks. To penetrate a network, though, the authorities need more than electronic surveillance. They need to have human intelligence that can provide reliable intelligence. The intelligence agencies have to be able to decide whether the source is legitimate or trying to spread false information.
As we know from the attempt to track down Osama Bin Laden, Al Qaeda can conduct counterintelligence. They killed a number of CIA officers after they were enticed with plausible intelligence on Bin Laden. All intelligence agencies have to sift the valid signal from the noise and the false signals.
Was there a cost to responding to Charlie Hebdo?
The French authorities may have disrupted their own intelligence networks to capture the Hebdo attackers, which left them vulnerable to the latest attack. We have to consider that the intelligence effort to find the Hebdo attackers, such as squeezing assets for information, could reveal those assets. It may have reduced their use as an asset. Once others are aware that people in a neighbourhood or a community are involved with the security service, they might be killed or avoided in the future, which reduces their effectiveness as an asset. The Charlie Hebdo attack may have been a practice run for this attack or a cover to distract the French from the other plots. We have to consider the possibility that there could be sleeper cells that can be activated to carry out plans prepared months earlier.
A further problem is that the attackers may have coordinated their attacks from abroad. The local networks that the French monitor would be unaware of the attack. If the attackers arrived recently, it would be too late to warn the authorities. For example, someone hears something on Thursday but does not know its significance. They might tell their French intelligence handler but the urgency or importance of the information is not understood. Moreover, it may need to be connected to information not yet known.
Counterintelligence and anti-terrorist work is designed as much to stop attacks as to make them more difficult to prepare. Security is always layered and works from the most extreme or abstract (nuclear war) to the very basic (police on the beat). The whole system has to work together for an attack to be prevented. More security layers and types of security, from the soft or passive (a legitimate government that creates a shared identity) to the most aggressive (drone strikes on senior leaders in Syria), are needed to deter, prevent, and stop attacks. It is rare that all systems work or can work perfectly. The attacker only has to succeed once; the defender has to always win. Much will depend on luck or accident to prevent attacks.
I hope that this analysis helps readers understand the attacks and the difficulties associated with preventing them. The questions it raises will need to be answered to respond effectively. There are no easy solutions, only a lot of questions to be answered.