By Scott Stewart

In last week's Security Weekly, Tristan Reed and I provided a little bit of an "inside baseball" look at how we analyze the transnational criminal cartels in Mexico. We tried to explain some of the challenges that analysts face while analyzing a human network — Los Zetas in this instance — that is by its very nature a criminal and clandestine organization.

But cutting through the misinformation and disinformation surrounding murky human networks is not the only difficult task Stratfor analysts are faced with. Indeed, perhaps one of the most difficult things we are asked to do is untangle, decipher and contextualize breaking events for our readers and custom intelligence clients. Sometimes we are able to do so pretty well — a rapid reaction piece I wrote on Sept. 14, 2012, "Understanding What Went Wrong in Benghazi," continues to be a highly read analysis. But on occasion, we've even fallen into the trap set by erroneous reporting. For example, our very first analysis on the attack in Benghazi incorrectly stated that the casualties were caused by rocket-propelled grenade attacks on the motorcade leaving the compound and that the incident was the result of violent protests over a derogatory movie about the Prophet Mohammed instead of a calculated assault by a well-trained and heavily armed militia.

It is very difficult to cut through the confusion caused by the deluge of information that occurs during a breaking incident, especially when much of the information is redundant or inaccurate. This week I'd like to explain some of the challenges that analysts face in such situations and how those challenges can be overcome.

Donnelly's Law

When I was a young special agent working at the U.S. Embassy in Guatemala, I worked for a guy named Marty Donnelly who was not only an experienced senior agent but also a savvy former street cop. In addition to teaching me things, such as the invaluable skill of "selling" security to people who thought they did not need it, Marty also instilled in me a philosophy on understanding breaking events that has stuck with me through my entire investigative and analytical life. Whenever we would receive a report that something had happened, Marty would always warn "careful, the first report is never the true story." Then, more often than not, he would send me out and task me to investigate the facts and determine what had really happened. Whether it was the apparent kidnapping of Nobel laureate Rigoberta Menchu's grandniece, a military massacre in a village or an assault against an American filmmaker, I found that Marty was inevitably right: the first report was not the real story.

As I've become the veteran guy, I often find myself telling my analysts — and even my friends, my wife and my kids — "careful, the first report is never the true story," something I now refer to as "Donnelly's Law."

Why am I sharing all this ancient history? Because Donnelly's Law is one of the first challenges that faces analysts as we receive a report of an incident and then attempt to sort through the myriad details pertaining to the incident in an effort to make sense of it for our customers. The first reports are usually inaccurate, and in many cases they are conflicting.

A recent example of misleading reporting occurred during the attack against Nairobi's Westgate Mall in September. Initial reports indicated that there was a large team of attackers (security camera footage later showed there were only four). Other false reports alleged that the attack was led by an English-speaking woman, and that the attackers had detonated suicide vests, taken hostages, cached weapons in the mall beforehand and were armed with rocket-propelled grenades. In addition to this misinformation, we also saw a Twitter account purportedly run by al Shabaab attempt to inject deliberate disinformation into the picture by releasing a false list of nine assailants allegedly involved in the attack.

Sifting Through the Noise

How then is one to sort through the reports and determine what is true and what is false? One helpful aid is having a framework that provides a basis to work from when analyzing such situations. At Stratfor our tactical analysts all use the terrorist attack cycle as a framework for understanding an attack. This helps the analyst not only to classify the bits of information that flow in regarding the attack but also to focus on the tradecraft involved in the attack — how it was conducted, rather than just who did it. When you focus on the terrorist tradecraft involved in an attack, it often permits you to draw some valid analytical conclusions about who may be responsible.

For example, based on videos taken at the scene of the Boston Marathon bombing, we were able to very quickly determine several important facts about the devices involved. The damage and smoke caused by the devices told us that they were small devices, likely hidden in a bag or box, utilizing a low-explosive mixture and containing added shrapnel. This understanding of the nature of the devices allowed us to conclude that the attack was unsophisticated and could have been conducted by any number of actors. It was only later that we learned the attack was conducted by grassroots jihadists, but as additional details emerged from the authorities, we learned that the devices were indeed pressure cooker bombs that were placed in backpacks, used low-explosive powder from fireworks and had shrapnel added to them.

As seen from the Boston Marathon bombing, photos and videos of a scene are very valuable and can be far more reliable than eyewitness accounts. For example, in the June 3, 2011, assassination attempt against then-President Ali Abdullah Saleh of Yemen, an analysis of photos of the scene allowed us to dismiss reports that the attackers had used a standoff weapon such as a mortar or an anti-tank guided missile. Instead we were able to conclude that the attackers had employed an improvised explosive device concealed in the wall of the mosque in the presidential compound. This distinction is quite important because it changes the universe of potential actors. While almost anyone could have attacked the compound with a standoff weapon (though such an accurate strike would certainly indicate a great deal of skill), only an insider would have access to the mosque within the presidential compound.

In a similar manner, videos and photos have permitted us to determine that the many reports of "car bombs" being employed by the Mexican cartels were false. There is a big difference between a dedicated car bomb and a small device placed inside or under a vehicle, and this distinction has huge implications for the security of facilities and personnel in Mexico.

The best-case scenario is one where we can send an employee or a contact to the scene to record the specific things that will help us provide an accurate analysis of a breaking situation, but that is frequently not possible. As a result we must rely on photos and reports from the scene that come in through the mainstream or social media.

In terms of social media, technological advancements with smartphones, cameras and the Internet have dramatically altered the way information from the scene of an attack is disseminated. Previously, it could take hours or even days for a small pool of professional journalists to inform the world of a breaking event via the traditional media.

Today, with digital media, information can be recorded and disseminated globally in a very short time by anyone with an Internet-capable phone. It is now standard practice for intelligence agencies, private organizations like Stratfor and news agencies to watch outlets such as Twitter, Facebook and YouTube during a crisis event in order to receive almost real-time information as the event unfolds. The video we saw that allowed us to quickly diagnose the Boston bombing was found in this manner.

However, the ability for almost anyone to "inform" the world about a breaking event can also prove to be a double-edged sword. First, this capability has exponentially increased the amount of information that must be sifted through in such an event. While some of this material can be unique and insightful, much of it can also be misinformed or inaccurate — and some portion may be specifically designed to mislead, like the al Shabaab tweets regarding the Westgate Mall attack.

In such a free-for-all environment, it is increasingly easy for inaccurate information to be widely circulated as fact. One example of this was the amateur sleuthing carried out on the website Reddit in the aftermath of the Boston Marathon bombing. Users of this website were able to quickly amass a great deal of video and still imagery of the event from the Internet, and in a short amount of time they began their own investigation to identify the attackers. The problem with this was that they incorrectly identified a suspect and created a huge diversion as Reddit and other social media sites republished photos of the false suspect. The photos were then picked up and circulated by the traditional media.

Additionally, bystanders — and traditional journalists for that matter — simply do not often think like analysts, and therefore in many cases they do not photograph or videotape the aspects of an attack site that are most important to an analyst. While journalists and bystanders tend to focus much of their attention on the victims of an attack, analysts are also very interested in photos of things such as the seat of the blast (in a bombing), the extent and range of physical damage caused by an explosion, and the weapons and demeanor of the assailants in an armed assault.

Unfortunately for analysts working from afar, photos and videos of attack sites are often quite limited, and in some instances completely unavailable due to the location of the incident or censorship. In such cases, analysts are forced to rely on press reports and eyewitness statements.

Since the first story is never the true story, in our coverage of breaking events, we will normally begin with a brief statement of the facts as we judge them to be accurate at the time. We then work hard to refine our understanding and to add context and analytical depth as we cut through the inevitable misinformation and disinformation. In this way we are able to make sure our customers have quick access to the best information available at any given time.