VTC 1-1 Copyright © 1992-2002. Vitech Corporation.
Systems Analysis:A Tool to Understand andPredict Terrorist Activities
Vitech Corporation2070 Chain Bridge, Suite 320 FAX: 703.883.1860Vienna, VA 22182-2536 E-mail: [email protected]: 703.883.2270 Web: www.vitechcorp.com
With contributions from: J. L. BeVier and Associates, LLC
James E. Long
October 2002
VTC 1-2 Copyright © 1992-2002. Vitech Corporation.
Objective of the Experiment
• Apply elements of the systemengineering process to three terroristsituations to evaluate possible utility tothe practice of intelligence analysis
VTC 1-3 Copyright © 1992-2002. Vitech Corporation.
Intelligence Analysis Starts with Databut Needs to Generate Predictions
At the beginning, for the “subject ofinterest”:
• Boundaries unclear• Intentions of subject unclear• Elements/components unclear• Data comes from multiple sources• Relevant information must be
filtered from large amounts ofirrelevant and unrelated data
Intelligence Analysis goal: Get to the top ofIntelligence Analysis goal: Get to the top ofthe pyramid quickly and accurately for thethe pyramid quickly and accurately for thegiven subject of interestgiven subject of interest
Infer
ActivityReconstruction
Event Reporting
Source Data1
2
3
4
Ref: J. BeVier & Associates, LLC
VTC 1-4 Copyright © 1992-2002. Vitech Corporation.
Technical Approach• Successful Intelligence Analysis is about predicting the future – not
documenting the past.– But we predict with a model which is assembled from historical
information and hypothesis testing.– The model is reverse-engineered from multi-source, sampled data.– The model provides evidence of how well the target is understood.
• How do we do this?– Recognize that a target may be viewed as a dynamic system
• Systems may be analyzed statically or dynamically.• Systems need to be represented as separate functional and physical
models.• System functions change slowly with time while physical elements may
change dramatically.– Making and testing of hypotheses is a key element of refining and converging the
models.• Total analysis is never completed.
VTC 1-5 Copyright © 1992-2002. Vitech Corporation.
Three Illustrations of ourConcepts (Source of Material)
• Osama bin Laden: FinancialSupport Networks (TreasuryDepartment CongressionalTestimony)
• Terrorist Pilot Training(Washington Post)
• WTC Terrorist Cell Activities(Washington Post)
InferActivity
Event ReportingSource Data1
23
4
1
3
3
2
2
VTC 1-6 Copyright © 1992-2002. Vitech Corporation.
Views From Osama bin Laden:Financial Support Networks
Source: Mr. Johnathon Winer testimony to USSenate Banking Committee, September 2001
InferActivity
Event ReportingSource Data1
23
4
VTC 1-7 Copyright © 1992-2002. Vitech Corporation.
Top Level Organization for the OBLFinancial Networks
Question: Does this structure and content look familiar?
built from built from built from built from built from built from
0OBL Support
NetworksBank
1Banking andInvestment
Bank
2Charitable
OrganizationsCharity
3
Drug Trade
Business
4Industry/
Service SectorBusiness
5International
Money Chann...Bank
6Money
Laundering E...Business
VTC 1-8 Copyright © 1992-2002. Vitech Corporation.
Postulating the OBL Functional Modelputs the Organization in Context
• Initial modellacksfunctions toprovidecontext forthe data.
• Modelsindicate whatinformationneeds to beacquired.
Terror Event
1
Manage RevenueSources
Organizationor Business
2
Plan Terror Events
FundsAvailableReport
Funds
DistributionPlan, Rules,
Overide Policy
3
Distribute Funds
FundingRequests
CandidateOperatives
ResourcesNeeded
SupportFunds
4
Recruit & PlaceOperatives
WeaponsFunds
5
Acquire Weapons
Weapon &Access
Requirements
Plan
Weapons
6
Place TerroristPlan In Operation
TrainedOperatives
Types ofTraining
TrainingFunds
TrainersUntrainedPersonnel
7
Training
VTC 1-9 Copyright © 1992-2002. Vitech Corporation.
Views From the Terrorist PilotTraining Data
Material/data extracted from variousWashington Post articles
InferActivity
Event ReportingSource Data1
23
4
VTC 1-10 Copyright © 1992-2002. Vitech Corporation.
System-On-System Modeling IsFeasible, Straightforward, and Useful
Intelligence / Defended System
Action
Reaction
System of Interest / Threat
Ref: Colleen Palmer, NSA
VTC 1-11 Copyright © 1992-2002. Vitech Corporation.
Functions at the Context Level – WeHave Three Systems Interacting
AND
1
al Qaeda
2
Cell Operation
3
US Civil AirOperations
AND
Requestguidance
MoneyReturned
Initiate Task
Financialauthorization
Untrained PilotMedical
ExaminationResults
Tuition Payment
EnrollmentRequest
AcceptanceLetter
Status -Graduated
from Flight S...
Trained Pilot
Date:July 15, 2002
Author:Administrator
Number:0
Name:Terrorest Pilots Training - Context Level
VTC 1-12 Copyright © 1992-2002. Vitech Corporation.
N2 Interface Diagram – Lack of InteractionBetween al Qaeda and US School is Easily Visible
1
al Qaeda
Money ReturnedRequest guidance
Financial authorizationInitiate Task
2
Cell Operation
Acceptance LetterStatus - Graduated from
Flight SchoolTrained Pilot
Enrollment RequestMedical Examination
ResultsTuition PaymentUntrained Pilot
3
US Civil Air Operations
Date:July 15, 2002
Author:Administrator
Number:0
Name:Terrorest Pilots Training - Context Level
VTC 1-13 Copyright © 1992-2002. Vitech Corporation.
Functional Architecture at the Next LevelShows Sequencing and Partitioning of Roles
US Aviation School
Al QAEDA
Cell Operation
Support & Logistics
Financial
Cash Infusions
TrainingAND
1.1
Activate Operation
1.2
Supply FinancialAid
1.3
Recover UnspentFunds
4
Start CellOperations
AND
2.1.1
Initial BankTransfer
IT
2.1.2
Receive NewDeposits
IT
2.1.4
?Hand-carried cashdeposits
2.1.5
Funding Returned
AND
2.2.2
Apply to FlightSchool
2.2.3
Undergo MedicalExamination
AND
2.2.4
Receive AcceptanceLetter
2.2.5
Pay for FlightTraining
2.2.6
Prepare for FlightTraining
14
Practice Flying
15
Monitor Status
16
Maintain LocalSupport & Logistics
AND
3.1
Receive EnrollmentRequest
3.2
Receive Tuition
3.3
Flight Training
AND
Initiate Task
$14,000$20,000
Financialauthorization
Deposits <$10,000
MoneyReturned
Money
EnrollmentRequest
MedicalExamination
Results
AcceptanceLetter
Tuition Payment
Untrained PilotStatus -
Graduated fromFlight School
Trained Pilot
$100,000
Date:July 15, 2002
Author:Administrator
Number:0
Name:Terrorist Pilots Training - Detailed Level
VTC 1-14 Copyright © 1992-2002. Vitech Corporation.
Physical Links Indicate Mechanismsof Communication
Student to Instructor L...
Bank Deposit Link
Face-to-Face Link
US Mail Link
al Qaeda / Terrorist Phone Link
al Qaeda - Flight
Business
Civil Air Operations
Business
Terrorist Cell -Flight
Business
Date:July 14, 2002
Author:Administrator
Number:0
Name:Flight Training - context
VTC 1-15 Copyright © 1992-2002. Vitech Corporation.
More Correct and Complete System-on-System Model for Terrorist Pilot Training1
al Qaeda - E
CommunicationEnvironment
Financial RequestsStatus Reports
OPLAN AQ-1
al Qaeda OPLAN C1Financial Shipments
Operational Commands
2
Atta Cell Operation - E
Trained Pilots
Cell OPLANStudents for Training
WTC Attack
3
US Operations
Military Support andSecurity
Operating Charter,Materiel, Personnel, etc.
4
CINC Operations
Intelligence Reports
5
NSA Analyst Operations
Collection Data
AQ Observables
Cell Observables
Intelligence CollectionRequests
6
Collection ManagementOperations
Date:August 21, 2002
Author:Administrator
Number:0
Name:Scenario 3 - Expanded Context - Pre Attack
VTC 1-16 Copyright © 1992-2002. Vitech Corporation.
Views/Scenarios From the WorldTrade Center Terrorist Attack
Material/data extracted from variousWashington Post articles
InferActivity
Event ReportingSource Data1
23
4
VTC 1-17 Copyright © 1992-2002. Vitech Corporation.
Activities of WTCHighjackers-TopLevel• Behavior and N2
Modeling includedhierarchies down to theindividual terrorist level(see COREsim simulatoroutput for Atta)
• The cell is made up of 19terrorists organized in 4coordinated teams
• The total timeline fromfirst terrorist entry intoUS until the attack onthe WTC and Pentagoninvolved about 33months
Stony Creek Township
North Tower WTC
South Tower WTC
Pentagon
AND
Team 1Activities (AA
Flight 11)
Team 2Activities (AA
Flight 77)
Team 3Activities (UAFlight 175)
Team 4Activities (UA
Flight 93)
AND
CoordinationEvent 12
CoordinationEvent 4
CoordinationEvent 11
CoordinationEvent 3
CoordinationEvent 14
CoordinationEvent 9
VTC 1-18 Copyright © 1992-2002. Vitech Corporation.
Activities of Team 1 (AA Flight 11) –At the Next Level of Detail
Suqami's Activities
Alamari's Activities
Wail Alshehri's Activities
Atta's Activities
Skip Day
Don't Skip
Waleed Alshehri's ActivitiesAND
10.1
ObtainVirginiaDriver'sLicense
- Aloma...
August...
Alomari- Waittime 1
10.2
PurchaseOne-Way
Ticketslinked t...
August...
Alomari- Waittime 2
10.3
StayComfortInn with
Atta -Portlan...
Septe...
10.4
BoardAircraft 10
Septe...
Atta -Wait
time 00
Atta -Wait
time 0
6.1EntersUnitedStates
-Tourist ...
June 0...
Atta -Wait
time 1
6.2
ToursFlight
School
July 01...
Atta -Wait
time 2AND
6.3
BeginsFlight
Training
July 06...
Atta -Wait
time 3
6.4
RegistersPontiac
Grand Prix
July 17...
ANDAtta -Wait
time 4
6.5
TakesJet
SimulationTraining
Decem...
Atta -Wait
time 5
6.6
Flies toMadrid,Spain
Januar...
Atta -Wait
time 6AND
6.7
RentsPiper
Cherokee
Februa...
6.8
InquiresAboutCrop
Duster
Februa...
ANDAtta -Wait
time 8
6.9
MovesOut of
Apartment
March...
Atta -Wait
time 9
6.10
ReceivesTrafficTicket
April 26...
Atta -Wait
time 10
Atta -Wait
time 22
6.11
GetFloridaDriver's
Licenses
May 0...
Atta -Wait
time 11
6.12
Fails toAppearin Court
May 2...
Atta -Wait
time 12AND
6.13
Moveinto
CountryClub
Commu...
June 1...
Atta -Wait
time 13AND
Atta -Wait
time 23
6.27
RentsP.O. Box
July 01...
AND
Atta -Wait
time 24
6.15
Registersfor
Month'sMembership at...
July 01...
6.14
Stays inLas
Vegas
June 2...
Atta -Wait
time 14
6.16
Flies toSpain
July 09...
ANDAtta -Wait
time 15
6.17Rents
Carfrom
Warrick'sRent-a...
August...
Atta -Wait
time 16
6.18
Returnsto LasVegas
August...
Atta -Wait
time 17LP
6.19
RentsSingleEnginePlane
August...
Atta -Wait
time 18
6.19.a
RentsSingleEngine
Plane (a)
August...
LE
OR LPAtta -Wait
time 19
6.20Open
AAFrequent
FlyerAccount
August...
AND
6.21
Staysat
PantherInn
August...
Atta -Wait
time 20
6.22
BuysOne-Way
Tickets- AA
August...
6.23
RentsAnother
Car
August...
Atta -Wait
time 21
6.24
Eats atRaw Bar
Septe...
AND
6.25Stays
atComfort
Inn -Portlan...
Septe...
6.26
BoardAircraft 6
Septe...
AND
AND
WaleedAlshehri
- Waittime 0
7.1
AcquireFloridaDriver'sLicense
May 0...
WaleedAlshehri
- Waittime 1
AND
7.2
Checksinto
HomingInn
June 2...
WaleedAlshehri
- Waittime 2
7.3
AcquiresMonth'sMembership at World...
July 01...
WaleedAlshehri
- Waittime 3
7.4
Purchases
Tickets- AA
Reserva...
August...
AND
WaleedAlshehri
- Waittime 4
7.5
BoardAircraft 7
Septe...
WailAlshehri-
Waittime 0
AND
8.1TakesMonth'sMembership at World...
July 01...
WailAlshehri- Waittime 1
8.2
ReceiveFloridaID Card
July 03...
AND
WailAlshehri
- Waittime 2
8.3Buys
Tickets- AA
Reservations
August...
WailAlshehri
- Waittime 3
8.4
BoardAircraft 8
Septe...
Suqami- Waittime 0
9.1
EntersUnitedStates
May 2...
Suqami- Waittime 1
AND
9.2
Enrollsat
WorldGym
July 01...
Suqami- Waittime 2
9.3
ReceiveFlorida
ID Cards
July 03...
ANDSuqami- Waittime 3
9.4
BuysOne-Way
Tickets
August...
Suqami- Waittime 4
9.5
Stay atMilnerHotel
Septe...
9.6
BoardAircraft 9
Septe...
AND
Event 1 -Driver's License
CoordinationEvent 12
Event 2 -Tickets Event 3 - Motel
CoordinationEvent 4
Event 4 - Tour
Event 5 -Begin Training
Event 6 -Jet Simulation
Event 7 - Moves out
CoordinationEvent 8
Event 8 -Moves In
Event 9 -Panther Inn
Event 10 -Raw Bar
CoordinationEvent 10
CoordinationEvent 11
Date:December 12, 2001
Author:Administrator
Number: Name:AA Flight 11 - Detailed
• Each mainbranchrepresentsthe activitiesof oneterrorist (5 onthis plane)
• Linkedactivitiesbetweenterroristsindicated byinterfacingitems
VTC 1-19 Copyright © 1992-2002. Vitech Corporation.
Details of a Segment of ATTA’sTimeline
NOTE:• Behavior diagrams and scenarios are represented in a
graphical language that is executable, allowingautomatic simulation of the graphical model
6.1
EntersUnitedStates -Tourist
Visa
June 03,...
Atta -Wait time
1
6.2
ToursFlight
School
July 01,...
Atta -Wait time
2AND
6.3
BeginsFlight
Training
July 06,...
Atta -Wait time
3
6.4
RegistersPontiac
Grand Prix
July 17,...
ANDAtta -
Wait time4
6.5
Takes JetSimulation
Training
Decembe...
Atta -Wait time
5
6.6
Flies toMadrid,Spain
January ...
Atta -Wait time
6AND
6.7
RentsPiper
Cherokee
February...
6.8
InquiresAboutCrop
Duster
February...
ANDAtta -
Wait time8
6.9
MovesOut of
Apartment
March 11...
AttWait
9
Event 4 - Tour
Event 5 - BeginTraining
Event 6 - JetSimulation
Event 7 - Moves out
Unknown activitiesand schedule
Known activitiescoordination data
Known activitiesand schedule
VTC 1-20 Copyright © 1992-2002. Vitech Corporation.
Details of ATTA’s Activities are inthe Repository
VTC 1-21 Copyright © 1992-2002. Vitech Corporation.
Multiple Views Provide Insight of the Model• We use reverse engineering to build the model since the system
exists but its features are not completely known to us.• The N2 chart is a natural view for reverse engineering a system with
only partial or missing data– N2 is an interface chart– N2 does not represent time sequences– Patterns of interface relationships emerge from incomplete data– Interface information is continuously added. Density of interface
instances yields model insight• Predictions are most easily made from the timelines, likely triggered
by inference from an event in context– Scenarios capture time and sequencing of activities– Allocation of activities to physical elements combine the physical and
functional models– Stimulus-response patterns are deducible from the allocated scenarios
and provide a basis for predictions
VTC 1-22 Copyright © 1992-2002. Vitech Corporation.
Requirements for Inference• For inference, we need to identify events relating to some
combination of:– Target– Weapon,– Schedule,– Team, and– Postulated scenarios
• Inference requirements are interdependent. Once some aresatisfied, others become constrained
• Observables need to be placed in context• Functional scenarios/models must have realizable physical
allocations