by Nick Selby

Boston bombings was not about failed intelligence

Apr 24, 2013, 12 mins
Data and Information Security, Investigation and Forensics, IT Leadership

Intelligence firm executive Nick Selby balks at the notion that last week's Boston Marathon bombings were the result of an intelligence failure.

Amidst the emotion and confusion of the Boston Marathon Bombing investigation, a growing industry of intelligence observers (and a bunch of yahoos) found their cause celebre. The phrase “intelligence failure” has been used repeatedly to describe the fact that the FBI interviewed one of the suspects, Tamerlan Tsarnaev, several times.

As a relative novice in the world of law enforcement intelligence and as an IT expert in the predictive intelligence and analysis business, I maintain it’s a preposterous assumption that any single person or any agency could have predicted this.

That is in many ways a very good thing. In fact, we couldn’t have designed it better.

One quick note: Everything I say here about specifics is speculation — I’m not in any way involved in the investigation other than as Tuesday-morning quarterback.

Have you noticed a paucity of bombs in your life here in America? If so, it means (among other things) that our intelligence processes are working pretty well.

But it’s true: the people made a compact with the government: keep us safe and you can take our contact-lens solution, corkscrews and jelly donuts at the airport; spend absurd quantities of our money and occasionally crow about your accomplishments. Under the compact, the FBI has repeatedly stood up and claimed that terror prevention is one of its several “number-one” priorities. So of course, when bombs explode in a spectacular fashion and kill and maim Americans, it’s reasonable to question whether we can have our donuts back — or at the very least whether someone was asleep at the switch. And if they were, was it the same kind of nap they took before 9-11? If indeed there were problems, are these new problems, or a repeat of bad practices from the past?

In the private sector, intelligence and big data processing are hyped to be the answer to most problems. The reality in government (and in fact, in the private sector) is that the data is never as well aggregated, indexed or accessible for correlation as one might think — certainly most of the work done in the hours after the bombing could have been assisted by a range of expensive technology — that’s the subject of another article.

There are legitimate questions to be asked of the FBI, and we can only hope that those get asked. Until those get asked, we’re left with the question: did the FBI fail in its intelligence process?

Most of the public criticism and comments (here, here, here and, most egregiously, here) perpetrate a classic conflation of forensic investigation with intelligence. For example, someone doing some great public open source forensic work has been the hacktivist Th3J35t3r — great stuff, but it’s not predictive and not claimed to be so.

Let’s break them out.

Intelligence and Failure

The most common “intelligence failure” theme, from places like Time, CBS, The New York Times and from Senator Dianne Feinstein, questions how the FBI could have interviewed a person several times and not put together that he was becoming a terrorist.

“They knew he was on a list that Russia had prepared,” people have said. “They knew that he was in Chechnya. How could they not have known that he was becoming radicalized?”

What would it take for “they” to understand Tamerlan’s travel plans, online presence and mood? For one, to understand he was traveling to a given place; further to track him once outside the country; further to synthesize these data-points with those of prior statements of foreign governments and interview reports from field agents who spoke with this young man would mean, by necessity and at a minimum, collaboration between FBI; airlines and trains and buses inside and outside the US; CIA, Customs and Border Protection — and capture and analysis of social media traffic over a period of months.

They do it all the time on NCIS, but it’s important to note that, before the bombing, Tamerlan had not been charged with any crime. On what basis should he have been so intrusively surveilled? More specifically, how would you like it if “they” did that to your mom? I’m all for profiling, but it would seem that “they” spoke to him and some human decisions were made that he didn’t pose an immediate threat — at what point do you triage limited resources and move off?

Bluntly: If you say you think that the FBI “should” have gotten all up into Tamerlan’s life on the strength of a stoolie from Moscow and some YouTube videos, I challenge your respect for the Constitution of the United States of America and your expectations of inter- and intra-agency cooperation.

“But,” say some, “The Russians told us he was a terrorist!”

I’m not sure what you think is the reputation of the Russian FSB (KGB) in US federal circles, but let’s just say that a routine heads-up from the Russkies is probably not going to result in a manhunt in Quincy. Sure, the FBI tells us that they run down tips to prevent attacks. In this case, they did seem to run them down and were apparently satisfied, based on the agent’s training and experience, that this was not an immediate threat. They’re busy. If there was a procedural or human interpretation failure at these points, that’s not necessarily indicative of an intelligence failure.

Intelligence is a process; predictive intelligence work is designed to be directionally, as opposed to literally, correct. The predictive techniques we use at StreetCred to determine the location of a given fugitive are based on about 120 sets of questions we ask of the data we aggregate. Note that, when we run those questions, the fugitive is someone who is the target of an arrest warrant that’s been signed by a judge.

The only predictor guaranteed to produce an outcome is Question One: “Is the fugitive known to be dead?” This is the only question we know whose correct, affirmative answer can end an investigation.

Even that’s not foolproof — while a confirmed listing in the Social Security Death Index can end a hunt, a non-listing in SSDI is not positive confirmation the fugitive is still alive.

We just have intelligence that he is not dead; based on that, we go ahead and ask the other 119 sets of questions. If we predict correctly 80 percent of the time, we’re rock stars. Our stuff is easy — the guys who do predictive intel for counter terror need to be a lot more right, a lot more often than that.

But intelligence is not about being perfect, despite promises to “keep us safe.” Predictive intelligence is, as I have just described, about being as directionally correct as possible based on the facts at the time, while not capitulating to things like confirmation bias, political pressure or “policymaker interest”, or internal organizational pressure. Not to mention fear of being accused of poorly exercising discretion.

Lots of luck.

Boston was a big deal precisely because Boston was the rarity, the anomaly. This is not because of legislation or controls — we can’t legislate against pressure cookers or backpacks (the last time they tried stuff like that I got all my contact lens solution taken away). It’s because of a combination of many things including good intelligence work. No matter what Dianne Feinstein says.

Hundreds of thousands of people fit the same profile Tamerlan did when viewed through the prism of “who might go bad?” — if you’re looking for bad guys and you have a profile of, say, “People the Russians say are poopy and who come from a bad country,” then everyone looks guilty. It’s as much a testament to integrity and a respect for the First, Fourth and Fourteenth Amendments as it is to organizational incompetence and budgetary pressure that we surveil as few people as we do. Do we surveil too many? Absolutely. But like advertising, only 50 percent of it is effective – we just can’t tell which 50 percent it is.

For example, tens of thousands of people in the US post, or express their “like” of radical videos on YouTube. Unless you support the idea of giving each of them a team of agents, the best we can do is to make a determination based on analysis of the totality of the known circumstances whether to speak with them, and if we do, whether they seem to pose an immediate threat.

This is a big issue. There are many people, many agencies, doing this kind of thing every day, looking at many, many people. So far their record is demonstrably excellent in terms of not hassling people who are merely peacefully and lawfully hating America and wishing death upon us. It happens and it is terrible, but it is not the rule but the exception — and we believe that the number of times this happens should be reduced.

However, some of the same people who loudly state that failure to aggressively surveil someone, after visiting him several times and determining that he doesn’t seem an immediate threat, is an intelligence failure are at the same time calling loudly for less government intrusion and fewer surveillance cameras of the sort used to solve the Boston Marathon Bombing. I don’t care what people say, security is not zero-sum, it is a balance along a continuum. Sometimes a delicate one. Until we have pre-cog, this is about as good as it gets.

On the other side of the equation, the forensic investigation after the bombing went extremely well. That’s not intelligence, it’s forensic investigation and, in the words of a recently retired senior law enforcement administrator, “Once the bombs went off, it was a ground ball.” Meaning not that it’s easy, but that the investigation is not about prediction, it’s about following the clues.

Imagine being Richard DesLauriers, the FBI guy who confidently stated on Monday that he and the FBI were in charge. You got nothing, but you’re leading an investigation that is being watched around the world, will be used to justify trillions in past and billions in new spending; has political ramifications at the international and national level and within federal, state, tribal, county and local law enforcement. You have tens of thousands of images and thousands of hours of video footage to sift through while you pray against all hope that you don’t step on your genitalia.

That’s Monday.

To the palpable disappointment of the tin-foil-hat community, the vast majority of the work done was manual examination of photos and videos, manual computer searches, manual aggregation and correlation. It happened in a shabby task force building in Boston, not a gleaming data center under the Idaho permafrost.

By Thursday afternoon, you’ve solidly put together enough to know at least two actors, and have wrangled the above-mentioned politics to reach the courageous decision to ask for the public’s help. By late Thursday night this publicity and other factors resulted in the suspects showing themselves. By Friday morning, amidst a dramatic and bloody series of events, the names of the suspects emerged.

I have, unbelievably, heard those heroic accomplishments described as “intelligence failure” — because the FBI didn’t put the name to the face faster. After all, “they had a file on him!”

When people say that the FBI has a “file” on Tamerlan, I’m not sure how many realize that they are referring to an actual, manila, you know, file: stuffed with papers, Xerox copies, emails and other investigative flotsam. Sure there are computer records tied to this as well, but we’re talking about an investigation that didn’t go anywhere out of a field office. It was not placed into a central data aggregation system that normalizes and key-phrase tags each datum for rapid and universal access. Because none exists. (In fact, given the culture I have seen, such a thing would be a Coke bottle hurled from an airplane into the FBI’s tribal village: it would lead to trouble out of sheer feature shock. This will be the topic of a different article.)

No, Virginia, Abby Sciuto doesn’t exist. Cops — even federal agents — can’t see your face in a monitor, “zoom in and enhance” and then get your name and the results of your last stool sample analysis. In the real world, at least until recently, it took a fair bit of paperwork for an FBI agent to be permitted to run a Google search as part of an active investigation — let alone one of someone not charged with a crime.

Is it awful? Yes. But much of the procedural awfulness is to ensure that federal agents don’t just get all up in your bidness, pardna.

It’s that constitutional thing again.

To those who would confuse the response and investigation with “failure” I would ask what success would look like. Because from my perch here in the cheap seats, about a trillion dollars in IT spending would have gotten us a name on Wednesday afternoon as opposed to Thursday. Sure, we can better integrate technology, we can get better workflow and better data aggregation.

We just must be very careful to understand the civil liberties ramifications when we do it.

Nick Selby is a sworn Texas law enforcement officer, blogger at and CEO of StreetCred Software, which provides fugitive case management and predictive intelligence software to law enforcement.