62s-long: systems analysis: a tool to understand and ...sauterv/analysis/62s-long-intel.pdf ·...

VTC 1-1 Copyright © 1992-2002. Vitech Corporation.

Systems Analysis:A Tool to Understand andPredict Terrorist Activities

Vitech Corporation2070 Chain Bridge, Suite 320 FAX: 703.883.1860Vienna, VA 22182-2536 E-mail: [email protected]: 703.883.2270 Web: www.vitechcorp.com

With contributions from: J. L. BeVier and Associates, LLC

James E. Long

October 2002


Objective of the Experiment

• Apply elements of the systemengineering process to three terroristsituations to evaluate possible utility tothe practice of intelligence analysis


Intelligence Analysis Starts with Databut Needs to Generate Predictions

At the beginning, for the “subject ofinterest”:

• Boundaries unclear• Intentions of subject unclear• Elements/components unclear• Data comes from multiple sources• Relevant information must be

filtered from large amounts ofirrelevant and unrelated data

Intelligence Analysis goal: Get to the top ofIntelligence Analysis goal: Get to the top ofthe pyramid quickly and accurately for thethe pyramid quickly and accurately for thegiven subject of interestgiven subject of interest

Infer

ActivityReconstruction

Event Reporting

Source Data1

2

3

4

Ref: J. BeVier & Associates, LLC


Technical Approach• Successful Intelligence Analysis is about predicting the future – not

documenting the past.– But we predict with a model which is assembled from historical

information and hypothesis testing.– The model is reverse-engineered from multi-source, sampled data.– The model provides evidence of how well the target is understood.

• How do we do this?– Recognize that a target may be viewed as a dynamic system

• Systems may be analyzed statically or dynamically.• Systems need to be represented as separate functional and physical

models.• System functions change slowly with time while physical elements may

change dramatically.– Making and testing of hypotheses is a key element of refining and converging the

models.• Total analysis is never completed.


Three Illustrations of ourConcepts (Source of Material)

• Osama bin Laden: FinancialSupport Networks (TreasuryDepartment CongressionalTestimony)

• Terrorist Pilot Training(Washington Post)

• WTC Terrorist Cell Activities(Washington Post)

InferActivity

Event ReportingSource Data1

23

4

1

3

3

2

2


Views From Osama bin Laden:Financial Support Networks

Source: Mr. Johnathon Winer testimony to USSenate Banking Committee, September 2001

InferActivity


23

4


Top Level Organization for the OBLFinancial Networks

Question: Does this structure and content look familiar?

built from built from built from built from built from built from

0OBL Support

NetworksBank

1Banking andInvestment

Bank

2Charitable

OrganizationsCharity

3

Drug Trade

Business

4Industry/

Service SectorBusiness

5International

Money Chann...Bank

6Money

Laundering E...Business


Postulating the OBL Functional Modelputs the Organization in Context

• Initial modellacksfunctions toprovidecontext forthe data.

• Modelsindicate whatinformationneeds to beacquired.

Terror Event

1

Manage RevenueSources

Organizationor Business

2

Plan Terror Events

FundsAvailableReport

Funds

DistributionPlan, Rules,

Overide Policy

3

Distribute Funds

FundingRequests

CandidateOperatives

ResourcesNeeded

SupportFunds

4

Recruit & PlaceOperatives

WeaponsFunds

5

Acquire Weapons

Weapon &Access

Requirements

Plan

Weapons

6

Place TerroristPlan In Operation

TrainedOperatives

Types ofTraining

TrainingFunds

TrainersUntrainedPersonnel

7

Training


Views From the Terrorist PilotTraining Data

Material/data extracted from variousWashington Post articles

InferActivity


23

4


System-On-System Modeling IsFeasible, Straightforward, and Useful

Intelligence / Defended System

Action

Reaction

System of Interest / Threat

Ref: Colleen Palmer, NSA


Functions at the Context Level – WeHave Three Systems Interacting

AND

1

al Qaeda

2

Cell Operation

3

US Civil AirOperations

AND

Requestguidance

MoneyReturned

Initiate Task

Financialauthorization

Untrained PilotMedical

ExaminationResults

Tuition Payment

EnrollmentRequest

AcceptanceLetter

Status -Graduated

from Flight S...

Trained Pilot

Date:July 15, 2002

Author:Administrator

Number:0

Name:Terrorest Pilots Training - Context Level


N2 Interface Diagram – Lack of InteractionBetween al Qaeda and US School is Easily Visible

1

al Qaeda

Money ReturnedRequest guidance

Financial authorizationInitiate Task

2

Cell Operation

Acceptance LetterStatus - Graduated from

Flight SchoolTrained Pilot

Enrollment RequestMedical Examination

ResultsTuition PaymentUntrained Pilot

3

US Civil Air Operations

Date:July 15, 2002


Number:0

Name:Terrorest Pilots Training - Context Level


Functional Architecture at the Next LevelShows Sequencing and Partitioning of Roles

US Aviation School

Al QAEDA

Cell Operation

Support & Logistics

Financial

Cash Infusions

TrainingAND

1.1

Activate Operation

1.2

Supply FinancialAid

1.3

Recover UnspentFunds

4

Start CellOperations

AND

2.1.1

Initial BankTransfer

IT

2.1.2

Receive NewDeposits

IT

2.1.4

?Hand-carried cashdeposits

2.1.5

Funding Returned

AND

2.2.2

Apply to FlightSchool

2.2.3

Undergo MedicalExamination

AND

2.2.4

Receive AcceptanceLetter

2.2.5

Pay for FlightTraining

2.2.6

Prepare for FlightTraining

14

Practice Flying

15

Monitor Status

16

Maintain LocalSupport & Logistics

AND

3.1

Receive EnrollmentRequest

3.2

Receive Tuition

3.3

Flight Training

AND

Initiate Task

$14,000$20,000

Financialauthorization

Deposits <$10,000

MoneyReturned

Money

EnrollmentRequest

MedicalExamination

Results

AcceptanceLetter

Tuition Payment

Untrained PilotStatus -

Graduated fromFlight School

Trained Pilot

$100,000

Date:July 15, 2002


Number:0

Name:Terrorist Pilots Training - Detailed Level


Physical Links Indicate Mechanismsof Communication

Student to Instructor L...

Bank Deposit Link

Face-to-Face Link

US Mail Link

al Qaeda / Terrorist Phone Link

al Qaeda - Flight

Business

Civil Air Operations

Business

Terrorist Cell -Flight

Business

Date:July 14, 2002


Number:0

Name:Flight Training - context


More Correct and Complete System-on-System Model for Terrorist Pilot Training1

al Qaeda - E

CommunicationEnvironment

Financial RequestsStatus Reports

OPLAN AQ-1

al Qaeda OPLAN C1Financial Shipments

Operational Commands

2

Atta Cell Operation - E

Trained Pilots

Cell OPLANStudents for Training

WTC Attack

3

US Operations

Military Support andSecurity

Operating Charter,Materiel, Personnel, etc.

4

CINC Operations

Intelligence Reports

5

NSA Analyst Operations

Collection Data

AQ Observables

Cell Observables

Intelligence CollectionRequests

6

Collection ManagementOperations

Date:August 21, 2002


Number:0

Name:Scenario 3 - Expanded Context - Pre Attack


Views/Scenarios From the WorldTrade Center Terrorist Attack

Material/data extracted from variousWashington Post articles

InferActivity


23

4


Activities of WTCHighjackers-TopLevel• Behavior and N2

Modeling includedhierarchies down to theindividual terrorist level(see COREsim simulatoroutput for Atta)

• The cell is made up of 19terrorists organized in 4coordinated teams

• The total timeline fromfirst terrorist entry intoUS until the attack onthe WTC and Pentagoninvolved about 33months

Stony Creek Township

North Tower WTC

South Tower WTC

Pentagon

AND

Team 1Activities (AA

Flight 11)

Team 2Activities (AA

Flight 77)

Team 3Activities (UAFlight 175)

Team 4Activities (UA

Flight 93)

AND

CoordinationEvent 12

CoordinationEvent 4


CoordinationEvent 3


CoordinationEvent 9


Activities of Team 1 (AA Flight 11) –At the Next Level of Detail

Suqami's Activities

Alamari's Activities

Wail Alshehri's Activities

Atta's Activities

Skip Day

Don't Skip

Waleed Alshehri's ActivitiesAND

10.1

ObtainVirginiaDriver'sLicense

- Aloma...

August...

Alomari- Waittime 1

10.2

PurchaseOne-Way

Ticketslinked t...

August...

Alomari- Waittime 2

10.3

StayComfortInn with

Atta -Portlan...

Septe...

10.4

BoardAircraft 10

Septe...

Atta -Wait

time 00

Atta -Wait

time 0

6.1EntersUnitedStates

-Tourist ...

June 0...

Atta -Wait

time 1

6.2

ToursFlight

School

July 01...

Atta -Wait

time 2AND

6.3

BeginsFlight

Training

July 06...

Atta -Wait

time 3

6.4

RegistersPontiac

Grand Prix

July 17...

ANDAtta -Wait

time 4

6.5

TakesJet

SimulationTraining

Decem...

Atta -Wait

time 5

6.6

Flies toMadrid,Spain

Januar...

Atta -Wait

time 6AND

6.7

RentsPiper

Cherokee

Februa...

6.8

InquiresAboutCrop

Duster

Februa...

ANDAtta -Wait

time 8

6.9

MovesOut of

Apartment

March...

Atta -Wait

time 9

6.10

ReceivesTrafficTicket

April 26...

Atta -Wait

time 10

Atta -Wait

time 22

6.11

GetFloridaDriver's

Licenses

May 0...

Atta -Wait

time 11

6.12

Fails toAppearin Court

May 2...

Atta -Wait

time 12AND

6.13

Moveinto

CountryClub

Commu...

June 1...

Atta -Wait

time 13AND

Atta -Wait

time 23

6.27

RentsP.O. Box

July 01...

AND

Atta -Wait

time 24

6.15

Registersfor

Month'sMembership at...

July 01...

6.14

Stays inLas

Vegas

June 2...

Atta -Wait

time 14

6.16

Flies toSpain

July 09...

ANDAtta -Wait

time 15

6.17Rents

Carfrom

Warrick'sRent-a...

August...

Atta -Wait

time 16

6.18

Returnsto LasVegas

August...

Atta -Wait

time 17LP

6.19

RentsSingleEnginePlane

August...

Atta -Wait

time 18

6.19.a

RentsSingleEngine

Plane (a)

August...

LE

OR LPAtta -Wait

time 19

6.20Open

AAFrequent

FlyerAccount

August...

AND

6.21

Staysat

PantherInn

August...

Atta -Wait

time 20

6.22

BuysOne-Way

Tickets- AA

August...

6.23

RentsAnother

Car

August...

Atta -Wait

time 21

6.24

Eats atRaw Bar

Septe...

AND

6.25Stays

atComfort

Inn -Portlan...

Septe...

6.26

BoardAircraft 6

Septe...

AND

AND

WaleedAlshehri

- Waittime 0

7.1

AcquireFloridaDriver'sLicense

May 0...

WaleedAlshehri

- Waittime 1

AND

7.2

Checksinto

HomingInn

June 2...

WaleedAlshehri

- Waittime 2

7.3

AcquiresMonth'sMembership at World...

July 01...

WaleedAlshehri

- Waittime 3

7.4

Purchases

Tickets- AA

Reserva...

August...

AND

WaleedAlshehri

- Waittime 4

7.5

BoardAircraft 7

Septe...

WailAlshehri-

Waittime 0

AND

8.1TakesMonth'sMembership at World...

July 01...

WailAlshehri- Waittime 1

8.2

ReceiveFloridaID Card

July 03...

AND

WailAlshehri

- Waittime 2

8.3Buys

Tickets- AA

Reservations

August...

WailAlshehri

- Waittime 3

8.4

BoardAircraft 8

Septe...

Suqami- Waittime 0

9.1

EntersUnitedStates

May 2...

Suqami- Waittime 1

AND

9.2

Enrollsat

WorldGym

July 01...

Suqami- Waittime 2

9.3

ReceiveFlorida

ID Cards

July 03...

ANDSuqami- Waittime 3

9.4

BuysOne-Way

Tickets

August...

Suqami- Waittime 4

9.5

Stay atMilnerHotel

Septe...

9.6

BoardAircraft 9

Septe...

AND

Event 1 -Driver's License


Event 2 -Tickets Event 3 - Motel

CoordinationEvent 4

Event 4 - Tour

Event 5 -Begin Training

Event 6 -Jet Simulation

Event 7 - Moves out

CoordinationEvent 8

Event 8 -Moves In

Event 9 -Panther Inn

Event 10 -Raw Bar



Date:December 12, 2001


Number: Name:AA Flight 11 - Detailed

• Each mainbranchrepresentsthe activitiesof oneterrorist (5 onthis plane)

• Linkedactivitiesbetweenterroristsindicated byinterfacingitems


Details of a Segment of ATTA’sTimeline

NOTE:• Behavior diagrams and scenarios are represented in a

graphical language that is executable, allowingautomatic simulation of the graphical model

6.1

EntersUnitedStates -Tourist

Visa

June 03,...

Atta -Wait time

1

6.2

ToursFlight

School

July 01,...

Atta -Wait time

2AND

6.3

BeginsFlight

Training

July 06,...

Atta -Wait time

3

6.4

RegistersPontiac

Grand Prix

July 17,...

ANDAtta -

Wait time4

6.5

Takes JetSimulation

Training

Decembe...

Atta -Wait time

5

6.6

Flies toMadrid,Spain

January ...

Atta -Wait time

6AND

6.7

RentsPiper

Cherokee

February...

6.8

InquiresAboutCrop

Duster

February...

ANDAtta -

Wait time8

6.9

MovesOut of

Apartment

March 11...

AttWait

9

Event 4 - Tour

Event 5 - BeginTraining

Event 6 - JetSimulation

Event 7 - Moves out

Unknown activitiesand schedule

Known activitiescoordination data

Known activitiesand schedule


Details of ATTA’s Activities are inthe Repository


Multiple Views Provide Insight of the Model• We use reverse engineering to build the model since the system

exists but its features are not completely known to us.• The N2 chart is a natural view for reverse engineering a system with

only partial or missing data– N2 is an interface chart– N2 does not represent time sequences– Patterns of interface relationships emerge from incomplete data– Interface information is continuously added. Density of interface

instances yields model insight• Predictions are most easily made from the timelines, likely triggered

by inference from an event in context– Scenarios capture time and sequencing of activities– Allocation of activities to physical elements combine the physical and

functional models– Stimulus-response patterns are deducible from the allocated scenarios

and provide a basis for predictions


Requirements for Inference• For inference, we need to identify events relating to some

combination of:– Target– Weapon,– Schedule,– Team, and– Postulated scenarios

• Inference requirements are interdependent. Once some aresatisfied, others become constrained

• Observables need to be placed in context• Functional scenarios/models must have realizable physical

allocations

62s-long: systems analysis: a tool to understand and ...sauterv/analysis/62s-long-intel.pdf ·...

Documents