Friday, November 6, 2015

Mapping Networks of Terrorist Cells

Krebs, V.E. (2002).

Through this article, Krebs attempts to map the social networks of the 19 hijackers involved in the terrorist attacks of September 11, 2001. He uses the same approach as he does for mapping project teams within organizations; however, while overt networks can be fairly easy to map, covert networks are significantly more difficult.

Krebs cites Malcolm Sparrow (1991) in describing three major problems of analyzing criminal networks:

  1. Incompleteness - the inevitability of missing nodes and links that the investigators will not uncover
  2. Fuzzy boundaries - the difficulty in deciding who to include and who not to include
  3. Dynamic - these networks are not static; they are always changing. Instead of looking for the presence or absence of a tie, Sparrow recommends looking at the waxing or waning strength of ties based on the situation.

These terrorist networks are held together by deep, trusted ties that are usually not visible to outsiders. Ties are strengthened when terrorists spend time together, specifically in classes or training.

Krebs' initial social network (Figure 1) was created using strong ties built between terrorists who lived and learned together. Interestingly, many of the individuals on the same flight were more than two steps away from each other (beyond the horizon of observability). This practice minimizes the damage to a network if an individual is captured or compromised. Interestingly enough, Osama bin Laden reiterated this strategy: "Those who were trained to fly didn't know the others. One group of people did not know the other group" (Department of Defense, 2001).

Figure 1: Trusted Prior Contacts

This initial network raises the question of how work gets completed if members are so unconnected. Essentially, meetings are held which develop short-cut ties to coordinate between distant nodes in the network (Figure 2). However, after these meetings are held, the short-cut ties fall dormant until there is a need for activity again. These shortcuts improve the overall information flow in a network.

Figure 2: Trusted Prior Contacts + Meeting (Short-cut) Ties

Mohamed Atta, the hijackers' ringleader, scored the highest on measures of degree and closeness, and was second in betweenness centrality. These measures do not necessarily identify Atta as the leader, since a number of nodes and links are likely absent from these maps. Figure 3 includes contacts and intermediaries who assisted the 19 hijackers and clearly shows Atta at the center of the 'Hamburg cell' (in the bottom left) and his importance to the overall network.

Figure 3: Hijacker's Network Neighborhood

Social network analysis is frequently used for prosecution; once the investigators have a suspect, they can map the criminal's network through financial transactions, phone records, messaging services, and other types of government records. Attempting to prevent illegal activities based on social network analysis is much more difficult. Covert networks limit their outside ties and keep their internal, strong ties dormant unless necessary. Reducing the overall number and activity of ties reduces the visibility of the network and minimizes the possibility of a leak.

Interestingly, many of the strong ties in Figure 3 were concentrated around the hijackers trained as pilots. This concentration of both unique skills and connectivity within the same nodes makes a network very vulnerable to disruption. Law enforcement can target these key individuals for capture or compromise, severely degrading the operational and logistical capabilities of the covert network.

While this knowledge could be used to prevent illegal activities by covert networks, the challenge still lies in identifying members of the network before it is too late. In order to overcome this hurdle, Krebs recommends that the various intelligence agencies share and aggregate their information to build a larger, more complete network. There are significant difficulties in putting this recommendation into practice, but it would be an advantageous first step to discovering and disrupting covert networks.

The article presents a detailed view of how social network analysis can be used to assess and take action against covert networks. Krebs' analysis that the most connected members of this network were also those with the unique skills (the pilots) is something that can be applied to similar terrorist network structures in order to prevent their activities. One improvement that should be made, or a measure that can be considered in future research, is the use of Eigenvector centrality. Eigenvector centrality is used to determine the influence of nodes in a network through their connections to other high or low scoring nodes. This measure would have likely shown Mohamed Atta to be the leader of this particular social network.
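The effect of short-cut ties on path length, and the way eigenvector centrality separates nodes that degree and closeness leave tied, can be seen on a small graph. This is an added example, not code or data from Krebs' article: the nine nodes `n0`..`n8` and all ties are constructed, and the function names are illustrative.

```python
from collections import deque

def build(edges):
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj

def distances(adj, src):
    """Breadth-first search: hop count from src to every reachable node."""
    dist, queue = {src: 0}, deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def mean_path_length(adj):
    """Average shortest-path length over all ordered pairs (connected graph)."""
    n = len(adj)
    return sum(sum(distances(adj, s).values()) for s in adj) / (n * (n - 1))

def closeness(adj):
    return {s: (len(adj) - 1) / sum(distances(adj, s).values()) for s in adj}

def eigenvector(adj, rounds=200):
    """Power iteration on A + I (same eigenvectors as A, avoids oscillation)."""
    x = dict.fromkeys(adj, 1.0)
    for _ in range(rounds):
        nxt = {v: x[v] + sum(x[u] for u in adj[v]) for v in adj}
        norm = max(nxt.values())
        x = {v: s / norm for v, s in nxt.items()}
    return x

# Constructed data: nine nodes joined in a sparse chain of prior contacts.
PRIOR = [(f"n{i}", f"n{i+1}") for i in range(8)]
# Constructed meeting (short-cut) ties among three of them.
MEETING = [("n1", "n4"), ("n4", "n7"), ("n1", "n7")]

before, after = build(PRIOR), build(PRIOR + MEETING)

if __name__ == "__main__":
    print(f"mean path: {mean_path_length(before):.2f} -> {mean_path_length(after):.2f}")
    close, eig = closeness(after), eigenvector(after)
    for v in sorted(after, key=eig.get, reverse=True):
        print(f"{v} degree={len(after[v])} closeness={close[v]:.2f} eigenvector={eig[v]:.2f}")
```

In this constructed graph the three meeting participants tie on degree and closeness, while eigenvector centrality ranks `n4` first because its other neighbors are better connected than the leaf node attached to `n1` or `n7`.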

Krebs, V.E. (2002). Mapping networks of terrorist cells. Connections, 24(3), 43-52.
Retrieved from: 


  1. Andrew, I really like the article you posted, as social network analysis is (in my own opinion) one of the best methods used in non-conventional settings. The most interesting key finding that caught my attention is that the author noted how activity falls dormant after a meeting. The problem with a dormant cell is that when activity starts to flow again, the nodes may oftentimes be misidentified as new actors, which may add “false” or unnecessary connections, leading to a misguided conclusion. Though this issue is less probable for higher-tier targets, extensive intelligence collaboration is necessary to ensure the social network analysis is accurate for the low-level actors.

  2. Andrew, this article clearly shows the difficulties of creating a SNA for an ambiguous terrorist organization. I think there are pros and cons of it. A SNA for an ambiguous terrorist organization may let us better understand its structure and identify the intelligence gaps. However, it may also create a confirmation bias for analysts during the further steps of the analysis. Therefore, it is crucial to benefit from SNA in a careful manner.

    1. I think Osman raises a good point about confirmation bias. I think one of the most powerful aspects of SNA is that it is so compelling visually, but once you see the information laid out like that I could easily imagine it solidifying in your mind. This could lead you to biases as the analysis continues.

    2. I believe that we have to take SNA as a tool for our whole analysis. Therefore, pondering on confirmation bias too much may impede focusing on solid findings, because while creating a SNA (for example on i2), we just enter evidence, not our 'assumptions'. Thus, I would say SNA outputs can be very solid in determining the key node and key relations. Just to restate, over-mentioning confirmation bias may take us to a point that we may not perform normally, let alone productively, due to the high degrees of skepticism.