On December 25,2009 a Nigerian national, Umar Farouk Abdulmutallab attempted to detonate an explosive device while onboard flight 253 from Amsterdam to Detroit. The device did not explode, but instead ignited, injuring Mr. Abdulmutallab and two other passengers. The flight crew restrained Mr. Abdulmutallab and the plane safely landed. Mr. Abdulmutallab was taken into custody by Customs and Border Protection (CBP) and later was questioned by the Federal Bureau of Investigation (FBI). Mr. Abdulmutallab was not on the U.S. Government's (USG) terrorist watchlist, but was known to the U.S. Intelligence Community (IC).
Following the December 25, 2009 attempt to bring down the flight by detonating an explosive device onboard flight 253, the President directed that Assistant to the President for Homeland Security and Counterterrorism John Brennan conduct a complete review of the terrorist watchlisting system and directed that key departments and agencies provide input to this review. What follows is a summary of this preliminary report.
First, it should be noted that the work by America's counterterrorism (CT) community has had many successes since 9-11 that should be applauded. Our ability to protect the U.S. Homeland against terrorist attacks is only as good as the information and analysis that drives and facilitates disruption efforts. The thorough analysis of large volumes of information has enabled a variety of departments and agencies to take action to prevent attacks. On a great number of occasions since 9-11, many of which the American people will never know about, the tremendous, hardworking corps of analysts across the CT community did just that, working day and night to track terrorist threats and run down possible leads in order to keep their fellow Americans safe. Yet, as the amount of information continues to grow, the challenge to bring disparate pieces of information - about individuals, groups, and vague plots -- together to form a clear picture about the intentions of our adversaries grows as well.
These actions, informed by the excellent analytic work of the very same individuals and structure that is under review, have saved lives. Unfortunately, despite several opportunities that might have allowed the CT community to put these pieces together in this case, and despite the tireless effort and best intentions of individuals at every level of the CT community, that was not done. As a result, the recent events highlight our need to look for ways to constantly improve and assist our CT analysts, who are at the forefront of providing warning of terrorist attacks and keeping Americans safe.
The preliminary White House review of the events that led to the attempted December 25 attack highlights human errors and a series of systematic breakdowns failed to stop Umar Farouk Abdulmutallab before he was able to detonate an explosive device onboard flight 253. The most significant failures and shortcomings that led to the attempted terror attack fall into three broad categories:
A failure of intelligence analysis, whereby the CT community failed before December 25 to identify, correlate, and fuse into a coherent story all of the discrete pieces of intelligence held by the u.s. Government related to an emerging terrorist plot against the U.S. Homeland organized by al-Qaida in the Arabian Peninsula (AQAP) and to Mr. Abdulmutallab, the individual terrorist;
A failure within the CT community, starting with established rules and protocols, to assign responsibility and accountability for follow up of high priority threat streams, run down all leads, and track them through to completion; and
Shortcomings of the watchlisting system, whereby the CT community failed to identify intelligence within u.S. government holdings that would have allowed Mr. Abdulmutallab to be watchlisted, and potentially prevented from boarding an aircraft bound for the United States.
The most significant findings of our preliminary review are:
The U.S. Government had sufficient information prior to the attempted December 25 attack to have potentially disrupted the AQAP plot-i.e., by identifying Mr. Abdulmutallab as a likely operative of AQAP and potentially preventing him from boarding flight 253.
The Intelligence Community leadership did not increase analytic resources working on the full AQAP threat.
The watchlisting system is not broken but needs to be strengthened and improved, as evidenced by the failure to add Mr. Abdulmutallab to the No Fly watchlist.
A reorganization of the intelligence or broader counterterrorism community is not required to address problems that surfaced in the review, a fact made clear by countless other successful efforts to thwart ongoing plots.
FAILURE TO "CONNECT THE DOTS"
It is important to note that the fundamental problems identified in this preliminary review are different from those identified in the wake of the 9111 attacks. Previously, there were formidable barriers to information sharing among departments and agencies--tied to firmly entrenched patterns of bureaucratic behavior as well as the absence of a single component that fuses expertise, information technology (IT) networks, and datasets-that have now, 8 years later, largely been overcome.
An understanding of the responsibilities of different analytic components of the CT community is critical to identifying what went wrong and how best to fix it. The National Counterterrorism Center (NCTC) was created by the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) to be "the primary organization in the U.S. government for analyzing and integrating all intelligence possessed or acquired by the U.S. government pertaining to terrorism and counterterrorism." Intelligence Community guidance in 2006 further defined counterterrorism analytic responsibilities and tasked NCTC with the primary role within the Intelligence Community for bringing together and assessing all-source intelligence to enable a full understanding of and proper response to particular terrorist threat streams. Additionally, the Director of NCTC is in charge of the DNI Homeland Threat Task Force, whose mission is to examine threats to the U.S. Homeland from al-Qa'ida, its allies, and homegrown violent extremists.
Notwithstanding NCTC's central role in producing terrorism analysis, CIA maintains the responsibility and resource capability to "correlate and evaluate intelligence related to national security and provide appropriate dissemination of such intelligence. The CIA's responsibility for conducting all-source analysis in the area of counterterrorism is focused on supporting its operations overseas, as well as informing its leadership of terrorist threats and terrorist targets overseas. Therefore, both agencies -- NCTC and CIA -- have a role to play in conducting (and a responsibility to carry out) all-source analysis to identify operatives and uncover specific plots like the attempted December 25 attack.
The information available to the CT community over the last several months -- which included pieces of information about Mr. Abdulmutallab, information about AQAP and its plans, and information about an individual now believed to be Mr. Abdulmutallab and his association with AQAP and its attack planning - was obtained by several agencies. Though all of that information was available to all-source analysts at the CIA and the NCTC prior to the attempted attack, the dots were never connected, and as a result, the problem appears to be more about a component failure to "connect the dots," rather than a lack of information sharing. The information that was available to analysts, as is usually the case, was fragmentary and embedded in a large volume of other data.
Though the consumer base and operational capabilities of CIA and NCTC are somewhat different, the intentional redundancy in the system should have added an additional layer of protection in uncovering a plot like the failed attack on December 25. However, in both cases, the mission to "connect the dots" did not produce the result that, in hindsight, it could have - connecting identifying information about Mr. Abdulmutallab with fragments of information about his association with AQAP and the group's intention of attacking the U.S.
The majority of these discreet pieces of intelligence were gathered between mid-October and late December 2009.
For example, on November 18, Mr. Abdulmutallab's father met with U.S. Embassy officers in Abuja, Nigeria, to discuss his concerns that his son may have come under the influence of unidentified extremists, and had planned to travel to Yemen. Though this information alone could not predict Mr. Abdulmutallab's eventual involvement in the attempted 25 December attack, it provided an opportunity to link information on him with earlier intelligence reports that contained fragmentary information.
Analytic focus during December was on the imminent AQAP attacks on Americans and American interests in Yemen, and on supporting CT efforts in Yemen.
Despite these opportunities and multiple intelligence products that noted the threat AQAP could pose to the Homeland, the different pieces of the puzzle were never brought together in this case the dots were never connected, and, as a result, steps to disrupt the plot involving Mr. Abdulmutallab were not taken prior to his boarding of the airplane with an explosive device and attempting to detonate it in-flight.
BREAKDOWN OF ACCOUNTABILITY FOR THREAT WARNING & RESPONSE
Intelligence is not an end to itself, nor are analytic products-they are designed to provide senior government leaders with the necessary information to make key decisions, but also to trigger action, including further collection, operational steps, and investigative adjustments. As noted above, NCTC and CIA have the primary and overlapping responsibility to conduct all-source analysis on terrorism. As with this intentional analytic redundancy, the CT community also has multiple and overlapping warning systems to ensure that departments and agencies are kept fully aware of ongoing threat streams.
NCTC is the primary organization that provides situational awareness to the CT community of ongoing terrorist threats and events, including through several daily written products that summarize current threat reporting for a broad audience, as well as meetings and video teleconferences that provide the opportunity for the CT community to engage in a real-time manner on this information. While the threat warning system involves analysis, it also extends to other elements within the CT community that should be responsible for following up and acting on leads as a particular threat situation develops.
In this context, the preliminary review suggests that the overlapping layers of protection within the CT community failed to track this threat in a manner sufficient to ensure all leads were followed and acted upon to conclusion. In addition, the White House and the National Security Staff failed to identify this gap ahead of time. No single component of the CT community assumed responsibility for the threat reporting and followed it through by ensuring that all necessary steps were taken to disrupt the threat. This argues that a process is needed to track terrorist threat reporting to ensure that departments and agencies are held accountable for running down all leads associated with high visibility and high priority plotting efforts, in particular against the U.S. Homeland.
FAILURE TO WATCHLIST
Although Umar Farouk Abdulmutallab was included in the Terrorist Identities Datamart Environment (TIDE), the failure to include Mr. Abdulmutallab in a watchlist is part of the overall systemic failure. Pursuant to the IRTPA, NCTC serves "as the central and shared knowledge bank on known and suspected terrorists and international terror groups.,,4 As such, NCTC consolidates all information on known and suspected international terrorists in the Terrorist Identities Datarnart Environment. NCTC then makes this data available to the FBI-led Terrorist Screening Center (TSC), which reviews nominations for inclusion in the master watchlist called the Terrorist Screening Database (TSDB). The TSC provides relevant extracts to each organization with a screening mission.
Hindsight suggests that the evaluation by watchlisting personnel of the information contained in the State cable nominating Mr. Abdulmutallab did not meet the minimum derogatory standard to watchlist. Watchlisting would have required all of the available information to be fused so that the derogatory information would have been sufficient to support nomination to be watchlisted in the Terrorist Screening Database. Watchlist personnel had access to additional derogatory information in databases that could have been connected to Mr. Abdulmutallab, but that access did not result in them uncovering the biographic information that would have been necessary for placement on the watchlist. Ultimately, placement on the No FIy List would have been required to keep Mr. Abdulmutallab off the plane inbound for the U.S. Homeland.
Mr. Abdulmutallab possessed a U.S. visa, but this fact was not correlated with the concerns of Mr. Abdulmutallab's father about Mr. Abdulmutallab's potential radicalization. A misspelling of Mr. Abdulmutallab's name initially resulted in the State Department believing he did not have a valid U.S. visa. A determination to revoke his visa, however, would have only occurred if there had been a successful integration of intelligence by the CT community, resulting in his being watchlisted.
KEY FINDINGS EMERGING FROM PRELIMINARY INQUIRY & REVIEW
The U.S. government had sufficient information to have uncovered and potentially disrupted the December 25 attack-including by placing Mr. Abdulmutallab on the No Fly list -- but analysts within the CT community failed to connect the dots that could have identified and warned of the specific threat. The preponderance of the intelligence related to this plot was available broadly to the Intelligence Community.
NCTC and CIA are empowered to collate and assess all-source intelligence on the CT threat, but all-source analysts highlighted largely the evolving "strategic threat" AQAP posed to the West, and the U.S. Homeland specifically, in finished intelligence products. In addition, some of the improvised explosive device tactics AQAP might use against U.S. interests were highlighted in finished intelligence products.
The CT community failed to follow-up further on this "strategic warning" by moving aggressively to further identify and correlate critical indicators of AQAP's threat to the U.S. Homeland with the full range of analytic tools and expertise that it uses in tracking other plots aimed at the U.S. Homeland.
NCTC and CIA personnel who are responsible for watchlisting did not search all available databases to uncover additional derogatory information that could have been correlated with Mr. Abdulmutallab.
A series of human errors occurred -- delayed dissemination of a finished intelligence report and what appears to be incomplete/faulty database searches on Mr. Abdulmutallab's name and identifying information.
"Information sharing" does not appear to have contributed to this intelligence failure; relevant all-source analysts as well as watchlisting personnel who needed this information were not prevented from accessing it.
Information technology within the CT community did not sufficiently enable the correlation of data that would have enabled analysts to highlight the relevant threat information.
There was not a comprehensive or functioning process for tracking terrorist threat reporting and actions taken such that departments and agencies are held accountable for running down all leads associated with high visibility and high priority plotting efforts undertaken by al-Qaida and its allies, in particular against the U.S. Homeland.
Finally, we must review and determine the ongoing suitability of legacy standards and protocols in effect across the CT community, including criteria for watch lists, protocols for secondary screening, visa suspension and revocation criteria, and business processes across the government.
1 This report reflects preliminary findings to facilitate immediate corrective action. Neither the report nor its findings obviate the need for continued review and analysis to ensure that we have the fullest possible understanding of the systemic problems that led to the attempted terrorist attack on December 25,2009. Note further that sensitive intelligence data was removed from this public report to protect sources and methods.
U.S. Copyright Status: Text = Public domain.