Assessing the current threat – why we should be more worried about the ‘known knowns’ than the ‘known unknowns’

Posted on Updated on

The known knowns

It’s becoming an all too familiar story. A small-scale and relatively unsophisticated (but high-profile) terrorist attack; a scramble to identify the individual(s) responsible; and finally, a drip feed of information confirming that they were well-known to the relevant authorities.

This pattern has repeated itself over the past 2-3 years, from the murder of Lee Rigby in London, the Charlie Hebdo shootings, and most recently, last week’s attempted attack in Texas.

That individuals radicalised to the point of committing a terrorist attack are on the radar of intelligence agencies should not in itself be surprising; were the opposite true, we would be more concerned.

But these aren’t instances of intelligence agencies having too many leads to pursue, or making legitimate priority calls based on the available intelligence. The perpetrators of the attacks above – and indeed Jihadi John – were known entities, comprehensively investigated by intelligence and law enforcement agencies. And in each case, authorities had ‘disrupted’ their activities, by preventing them from travelling for jihad, an overt approach from an intelligence agency, or through the criminal justice system.

Why are their attacks succeeding?

It is important to note that due to a seismic shift in the focus of Islamist terrorism over the past 3-4 years, these types of attacks are fundamentally very difficult to prevent. Gone (at least for now) are the large-scale, complex attacks that require months of planning and international co-ordination.

First Al-Qaida in the Arabian Peninsula (AQAP) and now ISIS have legitimised small-scale attacks using easily obtainable weaponry and requiring minimal planning. Unsurprisingly, this poses a significant challenge to conventional intelligence collection methods that rely on the communication of intent, a command and control structure, and enough lead-in time to develop a rounded intelligence picture.

What the identity of the perpetrators of these attacks also demonstrates however, is that although intelligence agencies have been (relatively) effective at identifying and disrupting individuals that pose a terrorist threat, counter-terrorism policy has been far too operationally focused. Unable to look beyond identifying and countering the next threat, insufficient consideration has been given to medium and long-term issues such as rehabilitation and reintegration.

The consequences of disruption

For some, the continued pursuit of jihad by these individuals is another consequence of the inability of criminal justice systems to rehabilitate, and prevent recidivism. But I’m not convinced that you can compare ideologically motivated violence and economically-driven crime types.

Where I think a comparison should be made is around one of the unintended consequences of law enforcement disruption, namely in generating a greater understanding of law enforcement capability and strategy amongst criminal networks.

Realising how they have been caught, criminal networks have evolved in an attempt to minimise their vulnerabilities. Similarly, an extremist arrested or prevented from leaving the country because of their communications practices, a high-profile social media presence or the open discussion of their ideology, is unlikely to make the same mistake twice.

And, as with other crime types, if you incarcerate the extremists that you disrupt in the same facility, there is a reasonable chance that co-location will become a force multiplier.

The next attack

It is for this reason that the relentless media focus on the threat posed by ‘cleanskin’ teenagers radicalised online while understandable, is perhaps misguided. To my mind, the individuals of greatest concern are those previously investigated and disrupted by the authorities.

These former counter-terrorism targets will typically have the same access to, and proclivity towards ISIS propaganda. But in contrast to a teenage cleanskin, they know that they are on the radar of security services and are unlikely to be able to travel to join the Caliphate (barring a monumental failure at passport control).

Crucially – and in contrast to the two teenage networks recently disrupted in Melbourne – they will also understand operational security and the likely tactics of the intelligence services.

Granted, the relative historical size of the extremist problem here in Australia makes this a bigger problem for the UK and much of the rest of Europe. But it should not be surprising if we discover that the next terrorist attacker in Australia – and an attack is definitely when, not if – fits this profile.

What should we do?

The short-term operational challenge for all intelligence agencies should be how to identify which former targets are a latent threat, while continuing to investigate what is likely to be a huge volume of new leads.

But the greater challenge for all countries facing the terrorist threat is considering what happens next when they identify an individual as a terrorist threat. And more specifically, how do they ensure that the short-term ‘disruption’ of an individual or network – both in terms of incarceration or an intelligence led approach – nullifies rather than magnifies the threat they pose?


In a follow-up post, I’ll look at the importance of a well-resourced de-radicalisation strategy at the core of any counter-terrorism policy, examining Australia as a case study and assessing the likely effectiveness of the current Government approach.

David Wells worked for UK and Australian intelligence agencies between 2005 and 2014, specialising in counter-terrorism.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s