Sep 11, 2013

Tracking Known Terrorists... Rather Than Everybody


Social Network Analysis [SNA] is a mathematical method for mapping and measuring human networks.  SNA helps us 'connect the dots' of behavior in complex human systems.

Early in 2000, the CIA was informed of two terrorist suspects linked to al-Qaeda. Nawaf Alhazmi and Khalid Almihdhar were photographed attending a meeting of known terrorists in Malaysia. After the meeting they returned to Los Angeles, where they had already set up residence in late 1999.


What do you do with these suspects? Arrest or deport them immediately? No, we need to use them to discover more of their terrorist network. Once suspects have been discovered, we can use their daily activities to uncloak their network. Just like they used our technology against us, we can use their planning process against them. Watch them, and listen to their conversations to see...
  1. who they call / email (i.e., meta-data)
  1. who visits with them locally and in other cities
  1. where their money comes from


Figure 2 shows the two suspects and their immediate ties. All direct ties of these two hijackers are colored green, and link thickness indicates the strength of connection.





  1. All 19 hijackers were within 2 steps of the two original suspects uncovered in 2000!
  1. Social network metrics reveal Mohammed Atta emerging as the local leader -- most of the conversations in the network flowed through him!

The structure of their extended network begins to emerge as data is discovered via surveillance. A suspect being monitored may have many contacts -- both accidental and intentional. We must always be wary of 'guilt by association'. Accidental contacts, like the mail delivery person, the grocery store clerk, and a neighbor, may not be viewed with investigative interest.

How do investigators know whether they are on to something big? Often they don't. Yet in this case there was another strong clue that Alhazmi and Almihdhar were up to no good -- the attack on the USS Cole in October of 2000. One of the chief suspects in the Cole bombing [Khallad] was also present [along with Alhazmi and Almihdhar] at the terrorist meeting in Malaysia in January 2000.

Once we have their direct links, the next step is to find their indirect ties -- the 'connections of their connections'. Discovering the nodes and links within two steps of the suspects usually starts to reveal much about their network. Key individuals in the local network begin to stand out. In viewing the network map in Figure 2, most of us will focus on Mohammed Atta because we now know his history. The investigator uncloaking this network would not be aware of Atta's eventual importance. At this point he is just another node to be investigated.
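The two-step expansion and the "key individuals stand out" observation can be reproduced on a toy graph. This is an added example, not the author's code or data: the node labels, tie strengths and the `min_strength` filter for incidental contacts are constructed assumptions, and betweenness centrality (Brandes' algorithm) stands in for "conversations flowing through" a node.

```python
from collections import defaultdict, deque
# Constructed ties (a, b, strength 1-3) with placeholder labels; not the article's data.
TIES = [("S1", "S2", 3), ("S1", "H", 2), ("S2", "A", 2), ("A", "H", 2),
        ("H", "B", 2), ("H", "C", 3), ("H", "D", 3), ("C", "D", 1),
        ("D", "E", 2), ("E", "F", 1), ("S1", "clerk", 1)]

def build_graph(ties, min_strength=1):
    g = defaultdict(set)
    for a, b, w in ties:
        if w >= min_strength:  # assumed filter: drop weak, likely incidental ties
            g[a].add(b)
            g[b].add(a)
    return g

def within_steps(g, seeds, max_steps=2):
    """Multi-source BFS: distance of every node at most max_steps from any seed."""
    dist, queue = {s: 0 for s in seeds}, deque(seeds)
    while queue:
        v = queue.popleft()
        if dist[v] < max_steps:
            for w in g[v]:
                if w not in dist:
                    dist[w] = dist[v] + 1
                    queue.append(w)
    return dist

def betweenness(g, nodes):
    """Brandes' algorithm (unweighted, undirected) on the subgraph induced by nodes."""
    bc = dict.fromkeys(nodes, 0.0)
    for s in nodes:
        order, preds, d, queue = [], defaultdict(list), {s: 0}, deque([s])
        sigma = {n: int(n == s) for n in nodes}  # shortest-path counts from s
        while queue:
            v = queue.popleft()
            order.append(v)
            for w in (n for n in g[v] if n in bc):
                if w not in d:
                    d[w] = d[v] + 1
                    queue.append(w)
                if d[w] == d[v] + 1:  # v lies on a shortest path to w
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = dict.fromkeys(nodes, 0.0)
        for w in reversed(order):  # accumulate dependencies, farthest first
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {n: score / 2 for n, score in bc.items()}  # each pair was counted twice
```

Calling `within_steps(build_graph(TIES), ["S1", "S2"])` and passing the result to `betweenness` ranks the placeholder hub `H` first even though it is not a seed; raising `min_strength` to 2 removes the single-weak-tie `clerk` node from the map.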

Figure 3 shows the direct connections of the original suspects as green links, and their indirect connections as grey links. With hindsight, we have now mapped enough of the 9-11 conspiracy to stop it. Again, the investigators are never sure they have uncovered enough information while they are in the process of uncloaking the covert organization! They also have to contend with superfluous data. This data was gathered after the event, so the investigators knew exactly what to look for. Before an event, it is not so easy. Yet we can learn from this "after action/event review".

As the network structure emerges, a key dynamic that needs to be closely monitored is the activity within the network. Network activity spikes when a planned event approaches. Is there an increase of flow across known links? Are new links rapidly emerging between known members of the network? Are money flows suddenly going in the opposite direction? When activity reaches a certain pattern and threshold, it is time to stop monitoring the network, and time to start removing nodes.

This bottom-up approach of uncloaking a network around known suspects is more effective than a top-down search for terrorist needles in the public haystack (tracking everybody) -- and it is less invasive of the general population, resulting in far fewer "false positives".

In early 2002 I wrote an academic article describing how I mapped the network of the 19 hijackers using public (open source) data.

1 comment:

  1. Interesting approach, however to extrapolate on the network approach, my research has shown that clusters will morph/split/reconfigure in the planning stage of the event. The reason being that they will most probably be looking to optimise resources (in networks, that would be anything relating to social capital: nodes, bridges or structural holes for opportunities). In which case it would be interesting to identify brokers (not necessarily super-connectors, but those with access to heteroclite clusters) within the network. These are the nodes who are most likely to identify opportunities, recruit and reconfigure the structure.
