Another mass casualty incident has occurred and I engaged the tried and true method of triggering my compulsion to smash my face with my palm by looking at Twitter. Yep, it was that bad. It never ceases to amaze me that no matter how many times I tweet or blog about the painstaking work of attacker attribution, people continually participate in oversimplified and error-prone "analysis". They're often trying to do this without being at the scene, with no prior investigative experience, and in real-time. To say the least, the amount of wrong is significantly higher than actual "I called it", despite what the authors say.
You're probably wondering why I'm so passionate about the inclinations others have toward this kind of "analysis". I believe it speaks volumes about how much we value the arduous work it takes to do the investigations needed to make accurate attribution claims. It's also a HUGE part of the myth that "anyone can do security". Over the years, I have been practically screaming how false that is. What we as professionals do, takes time, significant knowledge, limited resources, and countless hours of practical experience.
Yet, here we are. Today, I have seen tweet after tweet proclaiming the attack was immediately the work of jihadist invaders or lone wolf extremists of some variety. These suppositions have come in the early moments of reporting on the attack. As it developed, we were informed of a suspect, a Somali refuge named Abdul Razak Ali Artan. As of this writing, there are tweets claiming this is conclusive "evidence" of terrorism. The actual cops working the scene haven't made one statement, as far as I know, yet about any determination of motive. But Twitter says otherwise. A population where 99.99% of people with zero to any relevant law enforcement or security experience have done in hours what it will take seasoned and ordained professionals weeks to do. Yeah, it's crap.
So, if not terrorism, then what is it, Mr. "Security Professional"? Glad, you asked. I don't have a clue and neither do you unless you're on the scene actually investigating this incident. I should know. I used to do this thing all the time. Speaking from firsthand experience, I can confirm how easy it is to engage in this hasty sort of "analysis". What I can tell you is that we often make the mistake, as amateurs, of reaching conclusions about violent mass casualty incidents with little to any information. We do this based on what we either know of the attacker or the incident. This happens with minimal confirmation from official sources or reading too much into either first reports from witnesses, police scanner traffic, or what's told in early press conferences and releases. The often-ignored practice of "wait and see" has turned into "Holy crap! Something bad happened. Let me get my initial reaction out into the Twitterverse so my followers can give me reaffirmation for the sake of my ego and incessant desire to be first to comment on all-things tragic."
There are a few ways we can fix this.
- Stop assuming race, ethnicity, or religion can explain why people commit acts of violence. While these things can play a role in attacks, it's unlikely they can explain every single one. Instead, disregard them initially until other information develops that establishes motive or crime typology (act of terror or just a crazy person).
- No one has an exclusive monopoly over non-sanctioned violence. Just because an attacker uses a pipe bomb or even their vehicle doesn't mean the attack is terror-related. Let me put it bluntly - there are no "exclusive" tricks of the trade among bad guys. For example, looking at just the initial information we knew about Christopher Dorner's attacks and his weapons of choice, we could have assumed the attack was probably carried out by militias or other extremists versus an ex-cop with a grudge.
- It's too easy to get caught in the brutality of an attack and high casualty numbers and assume the attack was terrorism. Don't get caught in the weeds here, folks. Take a deep breath. Examine what we have and nothing else. When bad things happen, we naturally allow fear and our ever-incessant desire for immediate vengeance to cloud our thinking. Attribution is a game of facts and truth not emotion.
- Attack attribution requires more than just your gut feeling. A great example of this is a scene from Designated Survivor. It's a show about a newly, fired HUD Secretary being the "designated survivor" for a State of the Union address by which most of government is killed in an explosion. The newly, sworn President, played by Keifer Sutherland, is doing his best to determine who the attackers are. His advisers are pleading with him to name a known group as being responsible. Much of their evidence is based on wild speculation, self-interested political jockeying, and warhawking. The Chairman of the Joint Chiefs asks the president to name this group. The President asks the FBI how sure they are of the identity of the attackers and they respond "75 percent, sir." Sutherland's character declines making the call to name the attackers. When pressed by the Chairman of the Joint Chiefs how much more certainty he needed, the President responds with "Give me 25 percent more." I won't lie. This was by far the best dialogue I've seen in a fictional television show regarding attribution. There are dire consequences when we rely on anything other than empirical data when making attribution calls.
- The likely suspects could be people you like and it's not wrong to not rule them out. So much of the attack attribution that occurs on social media is wrought with people trying to make the facts fit their narrative. If a person is overtly political, this is more telling than they're ready to acknowledge. In fact, they often dismiss other possible and probable theories outright. Many times, I've seen the "expert" credentials of various participants in this crazy dialogue come into play. Stop it. Take long deep breaths and remember if you're not on-scene, you know absolutely nothing.
- Analysis is not a crystal ball. One of the most often over-played narratives is the intelligence community or law enforcement missed "something". Why? They assume those in these professions have to be right all the time as a part of what they do. It's as if some of us are expected to have superhuman abilities to predict the future accurately. Sometimes, like all things we think we understand, we get things wrong. It sucks when we do but it happens. Stop asking "How could they have missed this?" and start asking "What led them to believe this person posed no discernible danger?"
Every time law enforcement does a threat assessment on supposedly dangerous persons, an interview with the subject is conducted if possible. Given our legal framework and the very imprecise art and science of "reading" people, some actually dangerous people are missed. It happens. Not often but it does. A more poignant avenue to approach is the examination of how law enforcement and security professionals have been inadvertently incentivized to go after "low-hanging fruit" rather than being given sufficient resources to investigate and mitigate these threats. - The most important component to any terrorism attribution work is understanding what legally constitutes terrorism. I know the US Code is such a drag but it is the legal framework for which cops use to determine whether something is or is not an act of terror.
Most people assume a car bomb is immediate evidence of a terrorist attack. Yeah, not quite. Other people use bombs to commit murder for a variety of reasons. They were used quite often by the mob and other organized crime networks. Yet, none of these bombers were charged with terrorism. Why? Because their motives were not terror related. Terrorism is one of the few crimes which require motive in the "elements of the offense".
Remember that "legal framework" I mentioned in the US Code? Here it is:
"18 U.S.C. § 2331 defines "international terrorism" and "domestic terrorism" for purposes of Chapter 113B of the U.S. Code, entitled "Terrorism.”
"International terrorism" means activities with the following three characteristics: - Involve violent acts or acts dangerous to human life that violate federal or state law;
- Appear to be intended (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and
- Occur primarily outside the territorial jurisdiction of the U.S., or transcend national boundaries in terms of the means by which they are accomplished, the persons they appear intended to intimidate or coerce, or the locale in which their perpetrators operate or seek asylum.*
- Involve acts dangerous to human life that violate federal or state law;
- Appear intended (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination. or kidnapping; and
- Occur primarily within the territorial jurisdiction of the U.S.
- Is calculated to influence or affect the conduct of government by intimidation or coercion, or to retaliate against government conduct; and
- Is a violation of one of several listed statutes, including § 930(c) (relating to killing or attempted killing during an attack on a federal facility with a dangerous weapon); and § 1114 (relating to killing or attempted killing of officers and employees of the U.S.)."
I don't have all the answers and neither do you. Let's all take a deep breath and allow the cops to do their jobs.
