Multilayered Security

Disrupting Terrorist Attacks Requires More than Connecting Dots

Disrupting terrorist attacks requires more than connecting the dots; Ken Gude outlines measures to improve the U.S. security system.

A TSA officer signals an airline passenger forward at a security check-point at Seattle-Tacoma International Airport on Monday, January 4, 2010. (AP/Elaine Thompson)

Read also: “Connecting the Dots” Requires a Commitment to IT Infrastructure

Eight years after an almost identical and unsuccessful attempt to destroy an airliner using explosives smuggled onboard in a passenger’s shoes, an Al Qaeda affiliate group again failed to bring down Northwest flight 253 on Christmas Day when explosives in a passenger’s underwear did not detonate. Quick action from passengers and crew ensured that the would-be bomber did not succeed, but disturbing information soon emerged that raised serious questions about why Umar Farouk Abdulmutallab was allowed to board the plane in the first place.

Much of the attention has been focused on the apparent inability to “connect the dots” about Abdulmutallab and either prevent him from boarding the plane or otherwise disrupt the attack. But it is extremely difficult and unreliable to try to pick out just a handful of fragments of information from a constant stream of thousands of pieces of information. It is far better to invest in a multilayered security system that has many points to identify potential threats and disrupt attacks.

The Obama administration should improve the security system that protects Americans against terrorist attacks by:

  • Harmonizing the watch list system for broader screening prior to takeoff. The National Counterterrorism Center should control the master watch list, and security agencies should use the Terrorist Identities Datamart Environment, or TIDE, database to flag individuals for the highest level of scrutiny at the point of departure. Beginning seven days prior to departure, flight manifests should be sent to DHS once a day and any matches in the TIDE database, as well as anyone buying tickets the day of departure, should be flagged for the highest level of security.
  • Improving failsafe security checkpoints at airports. New scanners can detect explosives, and body imaging can find hidden items that are nonmetallic and would go unnoticed by current equipment. Screeners should vary their security procedures as they are best placed to identify potential threats.
  • Empowering officials at frontline agencies. The Obama administration must ensure that the Department of Homeland Security, Office of the Director of National Intelligence, and the National Counterterrorism Center have capabilities that match their responsibilities.
  • Not beating ourselves. Terrorism is a real and serious threat. But part of the terrorist strategy is to provoke a counterproductive response. The Obama administration must resist pressure to racially profile or add hundreds of thousands of names to the no-fly list.

Al Qaeda and other terrorist groups are constantly seeking out ways to attack the United States and our allies and partners around the world. To best guard against future attacks, it is vitally important that the U.S. government implement a robust, multilayered security system that affords numerous opportunities to identify potential terrorists and prevent attacks.

What the U.S. government knew about Abdulmutallab prior to his boarding NW #253

The U.S. government possessed some information about Umar Abdulmutallab and the general terrorist threat from Yemen that could have alerted security officials to a potential threat prior to his purchasing a ticket to travel to Detroit from Nigeria with a stopover in Amsterdam. Certain details about Abdulmutallab’s behavior as a potential passenger also could have flagged the Nigerian for additional scrutiny.

The British government denied Abdulmutallab’s visa renewal application in May 2009. According to British Home Secretary Alan Johnson, he was rejected because “he applied to study at a bogus college.” Abdulmutallab was then placed on a watch list that allows individuals to transit through the country, but would bar entry to the United Kingdom. It is unclear whether U.S. officials were alerted to either of the U.K. government’s actions.

Abdulmutallab’s father contacted U.S. embassy officials in Nigeria in November 2009 and reported that his son had disappeared and may be associating with extremists in Yemen. After that meeting, embassy officials forwarded the information to the National Counterterrorism Center in a “Visas Viper” memorandum. NCTC added Abdulmutallab to the Terrorist Identities Datamart Environment database at some point after this notification and prior to the departure of flight 253.

The National Security Agency intercepted communications from Yemen in August that a Nigerian was being trained for a potential terrorist attack. President Obama’s top counterterrorism adviser John Brennan was briefed in October by the Saudis that Al Qaeda had developed a technique to place explosives in an individual’s underwear.

It has widely been reported that Abdulmutallab purchased only a one-way ticket, but the Nigerian Civil Aviation Authority has contradicted that claim, saying he bought a round-trip ticket with a scheduled return on January 8. He did pay cash, purchasing the ticket at the KLM Royal Dutch Airlines office in Accra, Ghana eight days prior to the flight. And he did not check any bags for a supposed two-week trip. These actions could have raised alarms.

The agencies responsible for protecting against attacks lack capabilities

The reforms to the U.S. Intelligence Community that occurred in response to the 9/11 attacks established new agencies with frontline responsibilities, but low-level bureaucratic clout. The Department of Homeland Security, the Office of the Director of National Intelligence, and the National Counterterrorism Center were all formed in the aftermath of the attacks, but exist in the shadows of the FBI, CIA, NSA, and Defense Department.

The Department of Homeland Security was created by Congress in 2002 as a hodgepodge department that brought together agencies as disparate as the Animal and Plant Health Inspection Service and the Coast Guard. It has no independent intelligence collection or law enforcement capability even though it is responsible for protecting the United States from terrorist attack and controls the airport screeners under the Transportation Security Agency.

The 9/11 Commission recommended the formation of the Office of the Director of National Intelligence and it was created by Congress in 2004. The National Counterterrorism Center was originally the Terrorist Threat Integration Center formed in the CIA in 2003, but was renamed the NCTC and moved under ODNI by Congress in the same 2004 law that established ODNI.

The Director of National Intelligence, Adm. Dennis Blair, is nominally the head of the 16-agency intelligence community. But after Blair and his predecessors lost several high-profile bureaucratic turf wars, most of the authority for intelligence collection and analysis still resides in the CIA and the Defense Department. NCTC is in a similar predicament; it does not participate in any counterterrorism operations and does not possess any tasking authority. NCTC is the government’s centralized all-source intelligence analysis center, but the best FBI, CIA, NSA, and DIA analysts stayed in those agencies and NCTC is not a sought-after posting.

The U.S. government has been left with officials and agencies that bear significant responsibility for protecting Americans from terrorist attack but lack the appropriate tools to fulfill their mission.

Why the security system failed to flag Abdulmutallab

The U.S. government can act on intelligence information or specific behaviors to deny an individual entry to the United States or the ability to travel by air, or flag them for greater scrutiny and additional screening. Each passenger also is subjected to screening at the point of departure that should act as the failsafe if the other layers are not triggered. The failed Christmas attempt indicates that each of these layers needs to be strengthened and improved.

Anyone who is not a U.S. citizen or permanent resident must receive a visa from the State Department before they travel to the United States. Abdulmutallab received a multiple entry visa from the U.S. embassy in London in 2008. At the time, there was no reason to deny his application, and he obviously also had valid entry documents to the United Kingdom given where he obtained his U.S. visa. But the British government’s decision to deny Abdulmutallab a student visa and his father’s report should have triggered a reassessment before he boarded the flight in Amsterdam. They did not.

Individuals can also be prohibited from boarding aircraft if their name appears on the so-called no-fly list. The Transportation Security Administration maintains this list of approximately 4,000 names, and if an individual of any nationality—including American—appears on the list, he or she is not able to fly to or within the United States. Because it is so restrictive, it is appropriate that there is a very high bar for entry onto this list. Abdulmutallab was clearly not on this list, and from the information available to the U.S. government, he should not have been.

The next layer of security is designed to identify individuals who are allowed to fly, but are deemed worthy of additional screening prior to boarding aircraft. That can occur either because of specific, suspicious behavior by a passenger or because his or her name appears on a different watch list. The types of behavior that can raise the red flag are purchasing a one-way ticket, paying in cash, buying the ticket on the day of travel, no checked luggage, or missing one or more legs of a connecting flight. It has been reported that Abdulmutallab met two of these criteria: he bought his ticket in cash and he had no checked luggage. He was not, however, singled out for additional scrutiny.

There are three other main terrorism watch lists beyond the no-fly list. The broadest list is the Terrorist Identities Datamart Environment database controlled by the NCTC, which holds some 550,000 names; any U.S. government agency or friendly government can request additions for individuals who are either known or suspected terrorists. The FBI maintains a Terrorist Watch List, which includes 400,000 names with slightly higher standards. There must be “reasonable suspicion” that an individual is a known or suspected terrorist and there must be enough information in the database so that a screener can match the name with an individual. The TSA’s Secondary Security Screening Selectee list is the narrowest, with 14,000 names of individuals that are considered a potential threat to aviation. Only individuals on the SSSS list are flagged for additional screening at the point of departure. Abdulmutallab was only added to the TIDE database and therefore did not receive any additional screening in Amsterdam.

The final layer of security is the screening that all passengers go through at their point of departure: X-ray scanning of carry-on bags and shoes, and metal detectors. Some airports have additional screening devices—explosives detectors and body image scanners—but those cover only a small fraction of the security lines at terminals in the United States and abroad. This screening is the last line of defense to prevent terrorist attack on airliners. And Abdulmutallab was able to smuggle the explosive device onto the plane in his underwear.

The carriers for all inbound international flights also submit their passenger manifest to DHS in the Advance Passenger Information System. The manifest is then checked against the various security watch lists and individuals are selected for greater scrutiny at customs and immigration control. The problem for aviation security with this system, of course, is that the manifest is usually only checked against the watch lists after the plane is in the air. APIS did flag Abdulmutallab, and immigration officials were preparing to interview him upon arrival in Detroit, but this was obviously too late to prevent the attack.

Connecting the dots is not a panacea

Identifying pieces of information that form a chain of events is easy once the end point is known and all the other unrelated bits of data are taken away. When we read, all in one place, that the NSA learned Yemeni terrorists were training a Nigerian, the U.S. government knew of Al Qaeda’s use of the underwear technique, a father told the CIA and the State Department that his Nigerian son had developed radical views and disappeared in Yemen, and the British denied a visa to this same Nigerian for unrelated but suspicious reasons, it seems obvious that Abdulmutallab was a serious threat. But that’s not how intelligence analysis works. These data points were hidden among thousands of other leads, tips, and fragments from different agencies coming in at different times and may not have been in this easily digestible form.

This is precisely what the NCTC was created to do, however, and one would hope that these particular fragments—if the U.S. government actually did possess this information—would stand out. The point of having a centralized, all-source analysis center is to overcome the obstacles to information sharing across agencies and even governments. The overlapping information from NSA, the father, and the British all pointed to Abdulmutallab. It is reasonable to question why he was not flagged for greater scrutiny, but it is also instructive. Even in a case where the information appears clear, analysts failed to connect the dots. Systems can and should be improved to reduce that possibility, but intelligence analysis is not going to be able to detect and disrupt every planned attack.

Playing the game of “connecting the dots” has become sort of a cottage industry in Washington these days after things go wrong, whether it is after security breaches like 9/11 and the underwear bomber, or economic problems like Enron and the financial crisis. The obsession with “connecting the dots” vastly overstates its significance. This kind of intelligence analysis can at best be a forward line of defense, blocking entry into the United States for known terrorist threats and flagging for greater scrutiny others who are suspected of involvement in terrorist activity. What is more important is genuine investment in a multilayered security system that has numerous points to identify and disrupt potential threats.

We must invest in multilayered security that empowers officials at all levels of the system

The early lessons from the failed Christmas Day plot go well beyond who is on the no-fly list, although it may be difficult to believe that given the overwhelming focus on “connecting the dots” since the failed Christmas Day attack. To better protect Americans, the Obama administration and Congress must invest in a multilayered security system and empower officials at frontline agencies, harmonize the watch list system, and improve the failsafe screening at airports. But neither can we beat ourselves by pursuing racial profiling or other counterproductive policies.

Harmonize the watch-list system and use APIS prior to takeoff. It makes little sense to have four different terrorism watch lists if only two are used to flag potential threats. NCTC is the centralized analysis center and should control the master watch list and the TIDE database to flag individuals for the highest level of scrutiny at the point of departure. NCTC must scrub TIDE and improve the level of information so that screeners can match names in the database to individuals. As an additional failsafe measure, the APIS database check on inbound international flights should be performed prior to takeoff. Beginning seven days prior to departure, flight manifests should be sent to DHS once a day and any matches in the TIDE database should be flagged for the highest level of security. Any passengers buying tickets the day of departure should automatically receive maximum screening. TSA should retain the high bar for inclusion on the no-fly list.

Improve failsafe security check points at airports. Modern technology can enhance the last line of defense against terrorists plotting attacks on airliners. New scanners can detect explosives, and body imaging can find hidden items that are non-metallic and would go unnoticed by current equipment. But as homeland security expert Steve Flynn correctly observes, we must not place too much reliance on technology or fall into familiar patterns of screening. Our best defense at the failsafe point is the human beings involved—the TSA screeners and even other passengers who can detect abnormal behavior better than a machine.

Empower officials at frontline agencies. Much has been made of Homeland Security Secretary Janet Napolitano’s misstatement that “the system worked” or the ridiculous story that NCTC Director Michael Leiter was on vacation in the aftermath of the attack. This distracting focus on the agency heads directs attention away from the agencies they lead—new agencies still struggling to find their voice in the crowded U.S. government bureaucracy. This is largely, but not exclusively, the fault of a Congress that created these organizations and then failed to support them as existing agencies fought hard for their turf. The Obama administration must ensure that DHS, ODNI, and NCTC have capabilities that match their responsibilities.

Don’t beat ourselves. Terrorism is a real and serious threat. Nearly 300 people would have died if Abdulmutallab had succeeded at destroying that aircraft. That is a high cost, but we must realize that terrorists not only seek to kill and maim in an attack, but provoke a counterproductive policy reaction based on fear rather than sound reasoning that further drains and destabilizes their enemies. After 9/11, it was the United States government that resorted to torture and unlawful detention that pushed hundreds if not thousands into the arms of our enemies. It was the United States government that started a war against the wrong enemy that cost thousands of lives and more than a trillion dollars. In response to this attack, some conservative commentators have called for strip searching all Muslim men aged 18-30 and other forms of racial profiling. Racial profiling is not an effective counterterrorism tool as it floods the system with false positives and undermines American outreach to Muslims. Others have called for adding the 550,000 names in the TIDE database onto the no-fly list. This would severely disrupt air travel for all Americans and could actually lower overall security as screeners would be lulled by an overreliance on the no-fly list. The Obama administration must resist this pressure and not give in to these and other counterproductive policies that will only do more harm to Americans.

The positions of American Progress, and our policy experts, are independent, and the findings and conclusions presented are those of American Progress alone. A full list of supporters is available here. American Progress would like to acknowledge the many generous supporters who make our work possible.


Ken Gude

Senior Fellow