


Supply Chain Security and Usama bin Laden

May 04, 2011, 4 mins
Business Continuity, Careers, Data and Information Security

For several years, I have been speaking about cyber jihadist activities, most notably about Al-Qa’eda and UBL (Usama bin Laden). During these talks at various places such as SecureworldExpo, RSA, Johns Hopkins Applied Physics Lab and Infragard, I covered what I believed to be the supply chain for audios and videos emanating from UBL and others. The link herein (created on March 5, 2008) shows the flow I had determined as the method of couriers and routes moving from Chitral (Chatraal) in the Hindu Kush to a location such as Peshawar for enhancements and online distribution. It was not exact in the location or in the methods, but the timing of distribution seems to have been accurate. Apparently, it is much easier to hide the source of your supply chain in heavily populated areas where it can blend in, as opposed to a single location where heat signatures seen from above can stand out. The needle in a haystack analogy is apropos.

I had determined, based upon research, that UBL used a system of several couriers, each knowing the next but not knowing all in the chain. By this I mean the first and third do not know of one another, nor do the second and fourth. It appears that I gave UBL too much credit for protecting his supply chain in a manner that would create enough denial and deception whereby capturing one of the couriers along the way (sans the first) would provide enough operational security and time for UBL to learn of the capture and then escape. It would also be difficult to determine the full route of the chain and identities of other couriers. In this case, the first was enough.

Regardless, UBL decided to depend upon one or two trusted couriers who lived directly under his stead. Apparently, he believed these men to be the only trustworthy method of distributing audio to the world. Maybe he thought that including too many in the supply chain would complicate the process and leave his security open to penetration. Too many hands in the cookie jar perhaps? On the other hand, too few hands in the cookie jar and the determination as to who is eating the cookies could (potentially) be an easier play. (Not to oversimplify the analysis and efforts taken by the intelligence community (IC) to determine who the couriers were.) I would imagine that this was not all they carried and not all they did for UBL. He simplified his supply chain and kept his costs low. In the end, for his situation, he was wrong. Dead wrong.

What this instance demonstrates is the absolute importance of supply chain security. Any break in the chain and the whole chain can crumble. Make any mistake in the operational security measures within your supply chain structures, whether it lies with your partner, with a third party working for the partner, or in a weakness in protection measures throughout, and you can expose the whole chain to exploitable vulnerabilities. Once exploited, the whole chain can go out of business. At least for the time being.

It will be interesting to see what other parts of the supply chain now fall. Will media production capabilities periodically suffer? Will those who produce the cloud media (As-Sahab) be eliminated, or has this already been completed? Will they be on the run and start making mistakes of their own? How will this change the OPSEC of Adam Gadahn and Ayman Thawahiri? Penetration of this supply chain will surely result in changes in methods and modes of distribution.

It would also be interesting to know if the IC monitored the supply chain flow, collecting information and planning counterintelligence and espionage operations outside the recent raid. How long have satellites monitored the house in Abbottabad, and what did they see with respect to movement? Did they track the movements of vehicles coming and going and, if so, where did those vehicles go? What new supply chain did they uncover?

Jon Oltsik of the Enterprise Strategy Group published a paper on supply chain security last year. You can contact Jon at for a copy of the paper. I would take heed to review this document and to examine your own cyber supply chain for weaknesses. Weak operational security over critical infrastructure supply chains leads to penetration. It did so in the matter of Stuxnet and it occurred again in the matter of UBL. It is a matter of life, and death.

One last item to cover. The PowerPoint also contains information on the two spokesmen for the Taliban. Use it as you wish.