As the accused accomplices of terrorist Mohammed Merah stood trial in France in October 2017, aggregate web page traffic related to the location of the trial, hostile vehicle mitigation equipment, and eyewitness videos of past vehicle attacks in France all surged. A few days later, police announced they had arrested two men for trespassing on the judicial complex where the trial was taking place, one of whom, according to press reports, had loose ties to a terrorist cell in Paris.
Was this activity simply coincidence or the open web traces of pre-attack planning? When I worked on counterterrorism programs in the U.S. Government, I often faced this type of challenge, separating credible threat intelligence from spurious. With the proliferation of indicators and warnings derived from publicly available information, the challenge is now even greater.
Recent technological advances can help address this challenge. Knowing that internet activity precedes real world action, we can use machine learning to find predictive trends in anonymized and aggregated raw data.
Both companies and governments have used this technology to better understand terror risk throughout Europe, most recently the attack on March 23rd in southeastern France. Redouane Lakdim, though known to police, was not specifically on a terrorism watch list before he killed four people during a carjacking and subsequent hostage taking at a rural shopping center. Two weeks earlier, web page traffic for road barriers, French counterterrorism operations, and key ISIL commanders in Syria had intensified in line with the predictive pattern for terrorism in France.
Similar patterns have emerged ahead of major counterterrorism operations across Europe over the past year. British police conducted raids in northern England in December 2017, reportedly foiling a Christmas time plot. This past June, German authorities seized thousands of ricin pellets in Cologne, claiming the seizure thwarted an imminent attack. In both of these cases, activity on pages about ISIL commanders and recent attacks in France was in line with the pattern identified using machine learning; the authorities’ intervention appears to have been well timed.
Using this technology, analysts can also understand periods of low terrorism risk, of great interest to authorities intent to devote counterterrorism resources where the threat is most critical. In January, Belgian authorities were questioned for lowering their official terrorist threat designation. However, analysis of web traffic patterns revealed that the typical precursor activity for terrorist incidents in Belgium was muted in comparison to its neighbors, supporting the Belgian decision.
These types of predictive analytics are not yet widely used in counterterrorism, but they have the potential to change the way agencies and decision-makers keep us safe. During my government tenure, there were instances when the intelligence pointed to terrorist threats that we viewed as credible and serious. However, the intelligence was usually of a sufficiently general nature that policymakers were left grappling with how to prioritize counterterrorism resources.
With risk indicators derived from machine learning algorithms, analysts and decision-makers can better contextualize warnings coming from specific threat streams. Further, risk of a terrorist attack is not always apparent to the naked eye. The models often reveal unexpected linkages between the concepts, organizations, and individuals that contribute to terrorism risk, which can improve assessment of the likely timing and vector of a particular threat. Authorities can also use data-driven risk indicators to evaluate the efficacy of counterterrorism interventions. There is always an opportunity cost to counterterrorism operations, so better understanding the threat environment ensures limited resources are applied as efficiently as possible.
In the case of the Merah accomplices trial in France in October 2017, machine learning technology, parsing the surge in traffic on web pages related to the trial location, attack vectors, and prior terrorist attacks, identified the recurring pattern that indicates high risk of a terror attack. In other words, this surge likely was pre-attack planning and police likely prevented an attack in the heart of Paris.
