Note: The opinions and comments stated in the following article, and views expressed by any contributor to In Homeland Security, do not represent the views of American Military University, American Public University System, its management or employees.
By Erik Kleinsmith
American Military University
The aftermath of almost any spectacular terrorist attack follows an almost predictable pattern. Once the immediate shock of the barbarity wears off, there is the inevitable media scramble for information about the perpetrators. A parallel search for information goes on within the U.S. Intel Community. This is true almost every recent case: San Bernardino, Paris, Fort Hood, London, Madrid, Mumbai and even after 9/11 – although I’ve already testified that some of us had the warnings on that one.
This type of reaction to a violent attack is totally understandable. Unfortunately, part of the discovery process comes with the realization that much of the needed information about the attackers is already available. Hidden amongst varying reports, databases and even open source media stories are the bits and pieces of information that would’ve told us a lot about the attackers; who they are, how they chose their targets, and – in some cases – the reasons why they were motivated to take such drastic action. This is the enduring challenge of intelligence analysis; it is much harder to accurately predict and preempt an attack than run an investigation of it afterwards.
One of the predictive analysis tools that intelligence analysts have at their disposal is threat profiling. Threat profiling is an analytical technique to help analysts understand and organize intelligence information related to threat groups. It is simply a way to help collect relevant information about the group, prioritize analysis of that information and present their analysis within a common understood framework.
I began building threat profiles when I was the Chief of Intelligence of a U.S. Army Unit known as the Land Information Warfare Activity or LIWA in 1999. Working with some of the brightest analysts I’ve known, we started building profiles of cyber threat groups in order to better match the persons behind the 1’s and 0’s that were attempting to hack Army networks. This nascent methodology was then used during our support to the now well-known Able Danger program in our attempts to map and profile the al-Qaeda terrorist group prior to 9/11. It has since been incorporated into several different Army Joint Intel training courses and taught to many thousands of analysts in both the government and commercial sectors.
Frustratingly, the word “profiling” triggers political correctness alarms throughout our overly sensitive culture. In one case, it is commonly and inaccurately associated with the biased and bigoted thought process known as racial profiling. Threat profiling is not racial profiling – in fact its intent is to combat it. Rather than make assumptions about a single person or group solely based on their race, ethnicity, religion or skin color, threat profiling looks at an entire set of social demographics and psychographics of a group. It also does this in context with a host of other areas like motivations, leadership, targets, etc. Instead of making generalizations, threat profiling is designed to help identify trends and exceptions equally.
Threat profiling can also be confused with behavioral profiling, a type of psychographic analysis of a single perpetrator used by law enforcement and made popular by movies like “Silence of the Lambs“ and just about every current crime drama on TV now. Where behavioral profiling is conducted on a single individual, threat profiling is designed to help analysts understand entire threat groups be they terror cells, gangs, organized crime syndicates, militias or cyber threats.
Virtually every piece of information about a group can be organized into a category or component. To create a threat profile, the analyst collects and organizes all information related to a particular group into a defined set of component that they can more easily work with. There are normally between six and eight components. Analysts can do this by creating separate folders, directories, queries, algorithms or in the finished product of their analysis. The threat profile components I’ve used and taught over the years have evolved slightly to the current set of eight components:
1. Motivations, Goals, Objectives
2. Demographics and Psychographics
3. Organization and Leadership
5. Methods of Operation
7. Strengths and Capabilities
8. Weaknesses and Vulnerabilities
The beauty of using this technique is in its simplicity. Each component can be further sub-categorized and tailored to a specific group but keeping to a small set of main components helps for better memorization and recall of the information. It’s also a fairly universal way to analyze different types of extremist groups along a common baseline; terror groups, organized crime syndicates, gangs, irregulars, insurgents, hacker groups, even spy networks can be profiled using these components.
Using threat profiling can help analysis of an extremist group in a number of ways. For starters, it helps to organize your collection efforts on a particular group or to organize the seemingly disparate pieces of information that you already have on a group. Once you have your information organized within the components of your threat profile, it can further help you prioritize your analytical workload. This benefit is particularly useful if you’re only looking at a particular aspect of your group. For example, you can get a better understanding of which websites a hacker group may be targeting by understanding the demographics of the group or the hacking capabilities they’ve already demonstrated.
Perhaps most importantly, using threat profiling will help to establish a common framework of understanding about a group within your organization. Often, analysis about a particular group can be a group effort unto itself. Using it as an accepted standard for within a group of analysts or throughout an entire organization will help to combat duplication of effort. It will also help to identify gaps in analysis between the different people working the effort. Finally, using a standard threat profile will also help in their presentation of analysis – whether it is through a briefing, discussion, presentation or published product. Those outside of the world of intel will be more easily able to make sense of your assessments.
Intelligence analysis can be an extremely complex undertaking; using the scant bits and pieces of information available to understand a threat group and then predicting their future actions is quite a daunting endeavor. It comes with broad estimations, misconceptions, false positives, leaps of logic and flat-out errors in analysis. Threat profiling is designed to help make the analytical process more manageable. While it’s not an analytical process it itself, it does help you conduct other analytical processes and present your findings more effectively.
About the Author: Erik Kleinsmith is the Associate Vice President for Strategic Relationships in Intelligence, National & Homeland Security, and Cyber for American Military University. He is a former Army Intelligence Officer and the former portfolio manager for Intelligence & Security Training at Lockheed Martin. Erik is one of the subjects of a book entitled The Watchers by Shane Harris, which covered his work on a program called Able Danger tracking Al Qaeda prior to 9/11. He currently resides in Virginia with his wife and two children.
Erik will giving a presentation entitled “Profiling and Mapping the Threat” at the UK Defence Academy on February 4, 2016. The precding article is a summarized version of a presentation made at the UK Defence Academy’s Countering Extremism Symposium from Feb. 3-4, 2016. Information about Symposiums at Shrivenham can be found here.