Find a Security Clearance Job!

Intelligence


Table of Contents

PART 4. THE ANALYTICAL TOOLS

Time and information are the investigators most precious commodities. The rules of the game, however, demand that the investigator maximize the usefulness of information while putting serious limits on the time allowed for collection, collation, and analysis. This section discusses a number of techniques. and tools available to investigators to assist them in drawing together fragments of information, gleaning the most from their content, while squeezing the greatest benefit from the valuable time spent in analysis.

Five analytic techniques are particularly useful for investigating terrorist group activities:

  • Matrix manipulation
  • Link analysis
  • Time charting
  • VIA (Visual Investigative Analysis) charting
  • PERT (Program Evaluation Review Technique) charting

Each of these tools involves the processing of information in order to create a chart or graph that can easily be read. Each takes fragmented bits of information and organizes it using systematic symbols so that internal and implied connections hidden among the pieces of information become clear.

Constructing and Manipulating Matrices

Constructing a matrix is the best way to show connections among a number of items. The items can be anything that is important to an investigation people, places, automobile licensee, weapons, telephone numbers, or locations. In terrorism analysis, matrices are often used to identify "who known whom," or "who has been where" is a clear and concise manner. They simply place data in as ordered format. As they are based on simple mathematical concepts, however, data-stored in matrices can also be used in sophisticated as thematical operations if people with proper training are available. An investigator need have no special background in math to use them: mileage charts found on many road maps that show the driving distance or travel time between cities are one form of matrix that most everyone is familiar with and uses frequently.

A matrix is a rectangular array of numbers or symbols in which information is stored is columns (running vertically) and rows (running horizontally). There is no limit on the number of columns or rows that appear in a matrix. Their number and content are determined by the kind and quality of data that is available to the investigation.


figure 1

Matrices take many forms and serve a variety of purposes. The simplest matrix is a list of suspects arranged is a column. A single column matrix, like the one in Figure 1., is called a column vector. Another simple matrix may be a list of actions or incidents that a terrorist group is known to have performed. Arranged in a row, as in Figure 2, this single row matrix is called a row vector. If as investigation uncovers who on the list of suspects is Figure 1 has participated is the actions listed in Figure 2, a more complex matrix can be created. Figure 3 shows a matrix that identifies the action teams that the alleged terrorist group used in staging four separate operations. The rows represent suspects. The columns represent the operations. A closed Circle in the intersection of any row with any column indicates that the suspect participated in the operation. A zero indicates that the suspect did not participate.


Figure 2

The matrix stores a considerable amount of information about the group. First, with the exception of David, everyone has participated in at least one operation; Baker, Charley, Edward and Frank have participated in at least two apiece. Second, looking down the column, it is evident that the group used at least two people in each of the four operations. Two operations utilized team sizes of three. Third, the matrix reveals that teams can be made up of people who have acted together more than once -- Edward and Frank both participated in the Van Nuys bank job and the Los Angeles shootout. In most cases, however, the teams are made up of people who have not previously worked together.


Figure 3

The connections among the suspects can be displayed in yet another kind of matrix. Figure 4 is an "Association Matrix". It represents a "who knows whom" within the group, based on the assumption that people operating together know one another. The association matrix is a square matrix, in that it has the same number of rows and columns. It is also considered symmetrical. As the rows and columns of the matrix are arranged from the same list, both halves of the matrix, divided along the diagonal, are exactly the same. The intersection of the first column with the third row (ABLE-CHARLEY) contains the same information as the intersection of the third row column with the first row (CHARLEY-ABLE). As the two sides are identical, infromation needs to be stored in only one half of the matrix. This become quite important when the investigation is using computers, and computer storage space is at a premium. It also means certain kinds of manipulations can be performed on an association matrix, because it fulfills the requirements of symmetry.


Figure 4

The matrix also reveals substantial amounts of information about the group. Again, with the exception of David, everyone in the group knows at least two people. Edward knows four, and Frank knows three. Communications within the operational net would flow well, as no one is separated from anyone else by more than one person. If necessary, Able, who does not know Charley, can communicate with him through Frank. Frank, who does not know Baker, can communicate with him through either Edwards or Charley. Within a six member group, arranged like this, communications and operations could be crippled by removing two people -- Frank and Edwards. Only one contact among the six would remain --between Charley and Baker.

What the matrices reveal is the group's operational cell structure. Starting out with fragmented reports on four seemingly unrelated actions, the skilled investigator can construct the basic matrices and rapidly discover a group's:

  • Organizational structure
  • Team sizes
  • Communications network

Reading the matrix as easily as the average motorist reads a mileage chart, the investigator can then pinpoint the optimal suspects for continued surveillance, identify crucial suspects within the organization, and increase considerably the investigation teams's understanding about the group and how it is structured. The techniques can also be used as briefing tools, to present evidence to superiors, prosecuting attorneys, or new investigators rapidly and in a concise manner. The examples in the figures above may seem simple, but consider the utility of the matrices if the investigation is facing a group that has engaged in sixty or seventy incidents, involving one or two hundred suspects. the techniques cannot replace standard reporting procedures, biographical cards on suspects, or incident analyses. They can, however, be used to store crucial information that is immediately available to investigators when they need it.

Link Analysis

There is another option for displaying information that has been organized into matrices like those in Figures 3 and 4. The option is called Link Analysis(1). Using a matrix, the relationships among individuals or places are represented with numbers. In link analysis, pictures or symbols are used to show the same relationships. The difference between matrices and link analysis is the same as that. between a mileage chart and a road map. The mileage chart shows the connections between cities using numbers that represent travel distances. The map uses symbols that represent cities, locations, and roads to show how two or more cities are linked to each other. Different symbols on the map have different meanings, and it is easy to display or discover the best route between two places as well as identify obstacles (like unpaved roads or bodies of water) that separate things.

The same is the case in link analysis. Different symbols are used to identify different things. Obstacles, indirect routes or connections, and suspected connections can be displayed easily and clearly. In many cases, the pictures are easier to follow and work with than the matrices. Information is presented in a way that maximizes clarity. Using symbols instead of numbers, the results of link analysis cannot be manipulated mathematically the way matrices can, so the investigator Interested in mathematical experimentation should use both link analysis and matrices together. This way, the benefits of each technique can be used to their fullest. Indeed the authors use the tools as campanion to support one another rather than looking to them as alternatives.


Figure 5

The symbols used in link analysis are easy to describe and explain. Circles are used to represent people. Each suspect is displayed with a single circle. Lines are used to represent connections between people. A solid line indicates a confirmed relationship. A dotted line represents a suspected relationship that has not been confirmed. These symbols are displayed in Figure 5. Note that for clarity, the circles can be labled to show who the individual is.


Figure 6

In some cases, invetigators might come across references to two individuals whom they suspect is actually one person using AKA's. Their suspicions might not be confirmed, but physical descriptions, behavior, method of operation, or other clues lead the investigators to assume that the two people - "Mike and Joe" - are really the same person. Such a belief can be displayed using intersecting circles, as in Figure 6. The use of intersecting circles allows investigators to pursue analysis as thought the two people are the same individual, while reminding them that the data do not yet confirm the assessment.


Figure 7

Using the information about "who knows whom" in Figure 4, a simple link diagram can be drawn. The diagram appears in Figure 7. The diagram displays the same information as Figure 4. Edward has the most connections to other suspects, with four. Frank is connected to three other suspects: Able, Charley, and Edwards. David has been identfied as a suspect, but has no known connections to any of the other suspects in the group. Once again, it can be seen clearly that Frank adn Edwards are important connections in the group. If they were removed, Able, Charley, Baker, and Davide would float without clear lines of communication.


Figure 8

Figure 7 also follows the "house rules' used in preparing link diagrams. Each individual is assigned one circle For the sake of clarity, the circles and lines are arranged so that no lines cross. Often, especially when dealing with large groups, it is very difficult to construct a link diagram in which no lines cross. Intersecting lines, however, muddle the drawing and reduce its clarity. Care should therefore be taken try arrange the suspects so that their relations can be displayed without crossing lines. Figure 8 shows an example of an Incorrect link diagram. Sometimes, as With the link analysis of the Japanese Red Army that appears later in this section, it is physically impossible to avoid line crossing. In these complex and extraordinary cases, every effort should be made to keep the number of intersections at an absolute minimum.


Figure 9

Link diagrams can also be drawn to, show organizations, cells, or action teams. These are displayed by placing each individual belonging to the organization in a rectangle. As with Individuals, each rectangle represents one organization, one cell or one action team. Individuals may belong to more than one organization or team. In these cases, the rectangles overlap. Figures 9 and 10 show how the organizational symbol is used.


Figure 10

There is more to overlapping organizations than is immediately obvious. On the surface, the overlap indicates that an individual belongs to more than one organization or cell, It also indicates a connection between the organizations that the individual belongs to. As shown in Figure 11, Bernardine Dohrn was a student worker with the National lawyers Guild when she joined SDS (Students for a Democratic Society) in 1968. Her joining SDS also represented a connection between SDS and the lawyers Guild. As the Lawyers Guild had previously been known as the legal arm of the Communist Party U.S.A. before breaking away to form a more radical and militant organization, the linkage represented a possible indirect connection between SDS and CPUSA, through the NLG.


Figure 11

Figure 11 displays more of the rules of constructing link diagrams. As is the case with individuals, each organization is represented by a single rectangle. Connections between organizations can be displayed by overlapping them through joint membership, or with a line. The figure also points out how the diagram can be interpreted to glean the most from the data that are displayed and the clarity with which relationships among people and organizations can be shown.


Figure 12

Using the data in Figures 3 and 4 and the rules discussed above; a link diagram showing the operational cell structure of our alleged terrorist group can be drawn. The diagram appears in

Figure 12. The figure shows a tight cellular structure in which individuals are members of more than one operational cell. It also shows haw multiple players can be included in a single cell. Note that the lines connecting the individuals have been omitted. It is assumed that individuals belonging to the same cell know one 'another. Thus, the connections among them are implied, and the lines are no longer necessary.


Figure 13

A final set of rules applies to the construction of link diagrams. These rules are for cases in which individuals are connected to a cell, but are not a member.of that cell. Two possibilities exist. First, investigators might be aware that an individual has contacts with a cell, but they do not know who the contact point in the cell is. Here, a line is drawn from the individual outside the cell to the rectangle representing the cell. In the second possibility, an individual outside a cell may have confirmed contacts with an identified individual within a cell. In this case, the rule for person-to-person connections is followed, and a line is drawn between the circles representing each individual. Both possibilities are displayed in Figure 13.

Constructing a Link Analysis

Keeping the above discussion in mind, link analyses can be performed effectively. As it is a complex form of analysis, it may require a little time and effort. The payoff is in the powerful impact of the results, which are worth the investment.

Link diagrams are constructed in three steps:

  • "Raw" data or fragments of information are organized into a logical order. Names of individuals, suspects, organizations, and operations are put in lists.
  • An association matrix is constructed showing "who knows whom." An activity matrix, showing "who participated in what" may also be constructed.
  • Drawing relationships from the matrices, individuals are grouped into org izations or cells based on information about joint activities or membership. Lines representing connections between individuals or organizations are drawn to complete the diagram. The finished product clearly displays the linkages among individuals, cells, or other groupings.

In practice, construction of a link diagram consists of following nine sequential exercises:

  • All raw data related to an investigation are collated and placed in an organized form. They may be put in a narrative or report format. This step is especially important because the basic data may come from many different sources, ranging from news clippings, to interviews, or reports from surveillance units, photo analysis teams, undercover operatives, or informants.
  • Relevant data points are identified. In this case, the data points are the names of suspects, the people they know, phone numbers they call, locations they frequent, organizations they belong to, or activities in which, they have been involved. Underline these references in the reports, and make lists.
  • Matrices are constructed from the lists. Data points (the names of suspects and organizations or activities) are organized into rows and columns as in Figures 1-4.
  • Contact or association points (Able knows Baker) are put in the matrix where the corresponding rows and columns intersect. If the investigation is working with both confirmed and unconfirmed contacts among suspects, different symbols may be used to represent the strength of evidence. Use a "1" for a confirmed contact between two datapoints. Use a "2" or any other symbol for unconfirmed contacts. Zeros can be entered into matrix intersections where no known contact between suspects exists.
  • The matrix is analyzed to determine the number of links associated with each suspect or activity. Count through each row to find out how many entries appear in it. Do the same for the columns.
  • A draft link diagram is drawn, grouping suspects together into rectangles representing cells, actions, or organizations. Start with the individual with the largest number of contacts and work outward. Use circles to represent individuals and rectangles for organizations or cells.
  • Additional drafts of the link diagram are drawn to clarify the relationships, avoiding crossed lines.
  • A final draft is completed. Examine the relationships that appear. Study the diagram carefully and make assessments about patterns in contacts and cell memberships. Is there a uniform size to the cells, or does size vary? Do suspects belong to more than one cell? Are the cells linked tightly together, sharing a number of suspects, or are they spread out, with few connections?
  • Recommendations are made about the group's structure. Identify areas for further investigation. Are there suspected connections that need verification? Are there people; who appear central to the organization, without whom the structure would collapse? Are there a few individuals with contacts to many others who would be the best targets for surveillance? Be prepared to substantiate logically the conclusions and assessments drawn from the link analysis.


Figure 14

A well draws link diagram and thorough analysis of the information it contains can reveal a great deal about an organization. The group's leadership, both strategic sad tactical, can often be identified. Its strong sad weak points can.be pinpointed. Operational patterns can be gleaned. Forecasts of future behavior can be made.


Figure 15

Figure 14 and Figure 15 are as association matrix and link diagram of the Japanese Red Army. An anarchist terrorist group with strong links to Palestinian terrorists, the JRA engaged in a bloody, terror campaign in Europe between 1972 and 1977. Members are presently is Japan, the Middle Fast,. and Western Europe, allegedly planning a new campaign of activity with assistance from the PLO, East Germany, North Korea, Libya, and domestic Japanese groups.

The association matrix illustrates all of the identified contacts, both confirmed and suspected, among the groups' members. They range from a low of zero to a high of 19. There are 43 identified individuals in the group, but the average member knows fewer than eight other people. No one is the group knows all 42 other members. Membership is tightly compartmentalized, and communications within the group are strictly controlled.

The link diagram depicts a subset of the group. The suspects portrayed are those who have engaged is armed actions or intelligence gathering operations. A number of assessments can be based on it. First, note that the group's first armed action, the 1970 hijack to North Korea, used a nine-person team. All nine were taken into custody is Pyong Yang. Since then, the group has not risked losing that many operators on any single mission. Indeed, the average team size is four. One or two people are used on intelligence gathering missions. Three are used for assaults. Four to five are used for hijackings and barricade and hostage incidents. These numbers are reflected consistently. Second, note that the group relied consistently on a core of proven operators. Individuals such as Wako, Okudaira, and Nishikawa are used repeatedly,some as many as three times. Third, repeat performers often acted with some of the same people with whom they had acted previously. This reflects stability within a given action team. The members know one another, have acted together before, and know what each is capable of doing. It is a technique that can build confidence and assurance within a team. Finally, the group's leader, Fusako Shigenobu, is outside of the action cells. While she plans and organizes the operations, her actual involvement in team building and the execution of incidents is limited. This ensures her survival and that of the group's ideological leadership. It is a pattern that appears is a number of terrorist groups.


Rote Armee Frakton (RAF) Link Analysis 1977


PFLP Link Analysis

Part 5. Time Event Charting



NEWSLETTER
Join the GlobalSecurity.org mailing list