Learning from terrorist tradecraft


A week after he was arrested in Chicago on Oct. 3, David Coleman Headley was charged in a federal criminal complaint with conspiring to commit terrorist attacks outside the United States and providing material support to terrorist organizations.

The charges alleged that Headley was involved in a plot to attack a newspaper in Denmark that had published a collection of cartoons satirizing the Prophet Mohammed in September 2005.

Since Headley’s arrest, there have been almost daily disclosures of new information regarding his activities and those of his co-conspirators. These new details have emerged during court proceedings and from leaks by U.S., Indian and Pakistani government officials.

On Dec. 7, new federal charges were filed against Headley alleging that he had conducted extensive surveillance against targets in Mumbai that were attacked during the November 2008 armed assault in that city, which resulted in the deaths of some 170 people.

Headley reportedly became an informant for the U.S. Drug Enforcement Administration (DEA) after being arrested and charged with smuggling heroin into the United States from Pakistan in 1997. Following the 9/11 attacks, he allegedly worked for the FBI as a terrorism informant. Now, following his arrest on Oct. 3, he is reportedly again cooperating with the U.S. government.

From the information that has emerged so far, it appears that Headley, who was born Daood Gilani in 1960 in Washington, D.C., to a Pakistani father and American mother, worked as a surveillance operative and operational planner for the Pakistan-based militant groups Lashkar-e-Taiba (LeT) and Harkat-ul-Jihad e-Islami (HUJI).

In 2006, Headley legally changed his name from Daood Gilani to David Coleman Headley, anglicizing his first name and taking his mother’s maiden surname. He apparently did this to disguise his Pakistani heritage and Muslim faith while traveling to places such as India and Denmark.

Details of this case will continue to emerge as the court proceedings against Headley and his co-conspirators progress, but the information released to date reveals a great deal about Headley and about LeT and HUJI.

What We’ve Learned About Headley

First, it is evident that Headley was not merely a low-level cannon fodder-type operative. Most of the men who attend jihadist training camps are taught basic infantry and guerrilla-warfare skills such as hand-to-hand combat and how to fire an AK-47 and throw a hand grenade.

A handful of the best and brightest of these students are then selected to attend additional training in advanced combat skills that often include terrorist tradecraft, which is the set of skills required to conduct a terrorist attack. Terrorist tradecraft includes things like surveillance, bombmaking and covert communications and is quite distinct from basic infantry skills.

In his Dec. 7 indictment, we learned that Headley reportedly attended LeT training camps in Pakistan in February and August of 2002 and in April, August and December of 2003. This indicates that Headley progressed far beyond basic militant training, and it is likely that he was taught during his later training sessions the tradecraft required to conduct preoperational surveillance for terrorist attacks and to participate in the operational planning for such attacks.

One element of terrorist tradecraft that was evident in the indictment and the Oct. 11 criminal complaint is Headley’s careful use of language and of multiple methods of communications, including the use of cell phones and using long-distance calling cards, e-mail communication (using a variety of accounts) and face-to-face briefings.

For the most sensitive communications and planning activities, Headley traveled to Pakistan to meet in person with LeT and HUJI leaders, a very secure way to communicate. He also had numerous phone and e-mail conversations in which he discussed the status of his work or planned reconnaissance trips.

During such conversations, Headley would use terms to disguise the true objective of his work. For example, when referring to attack plans, Headley and his alleged co-conspirators reportedly called them “investment plans” or “business plans,” and when discussing the plot against Jyllands-Posten, the newspaper that published the Mohammed cartoons, Headley and his co-conspirators referred to it as the “Mickey Mouse Project,” the “MMP” or “the Northern Project.”

Headley also used a common militant communication method of creating messages and then saving them in the drafts folder of a Web-mail service rather than sending the message. The person creating such a message can then provide a colleague with the user name and password for the Web-mail account, which enables the second person to log on and read the communication in the draft folder without an e-mail having been sent. This procedure is referred to as an “electronic dead drop.”

In addition to facilitating communication, these dead drops can be used to save notes that a terrorist operative does not want to physically carry on his person for fear of being caught with them.

In September, we noted that Najibullah Zazi used this method to send his bombmaking notes from a training camp in Pakistan to himself rather than risk physically carrying the notes into the United States, where they could have been found during a search of his belongings.

According to the Oct. 11 criminal complaint, before leaving Pakistan for the United States in December 2008, Headley used this process to save a list of taskings he had received for his surveillance work in Denmark. The list, which was entitled “Mickey Mouse,” included the following entries (presented here as contained in the complaint, verbatim and unedited):

  • Route Design (train bus air)

  • Cross (cover authenticator)

  • Trade? Immigration?

  • Ad (Lost Luggage) (Business) (Entry)?

  • King’s Square (French Embassy)

  • YMCA

  • Car Trip + Train Option (Nufoozur Rehman) (Weekend?)

  • Residence for clients

  • Complete Area Coverage (P.S. e.t.c.)

  • Countersurveillance (magic eye)

  • NDC option; Lunch + coffee spots

  • Security (armed?)

  • Foreman residence

  • Zoom; Entry and exit method in the house

  • Feasible plan

  • On return, procurement of machinery

  • Uniform

  • Mixed fruit Dish

  • Cell phone and camera

  • Border Crossing

  • City Guide Map

  • Alternate Investment

  • Got Papers? (Clients)

  • Make Visiting Cards

We’ve included all the items listed in the complaint to demonstrate the depth of the surveillance work he was tasked with by his contacts in Pakistan. These responsibilities included determining the best way to get the attack team (“clients”) into the country, finding them a place to stay, procuring weapons (“machinery”) and conducting thorough surveillance of the newspaper and its surroundings. This would have included security in the area, countersurveillance activity and closed-circuit television cameras in place. Headley may also have been tasked with locating the residence of the newspaper’s editor.

According to the Oct. 11 federal complaint, Headley traveled from Chicago to Copenhagen in January 2009 to conduct surveillance of the Jyllands-Posten offices in Copenhagen and Aarhus, Denmark, and to photograph and videotape the surrounding areas.

He then traveled to Pakistan, where he met with his co-conspirators to brief them on his surveillance operations and to construct a plan for the attack. Following his return to Chicago, Headley traveled back to Copenhagen in August 2009 to conduct additional surveillance (presumably to address issues that arose during the operational planning session in Pakistan).

During this second trip, Headley made some 13 additional videos and took many photos of the potential targets and the areas around them.

In the Dec. 7 indictment, the U.S. government alleges that in order to conduct surveillance for the Mumbai attacks, Headley made five extended trips to Mumbai: one in September 2006, two in February and September of 2007 and two in April and July of 2008. During each of these trips Headley reportedly took pictures and made videos of various targets, including those attacked in November 2008.

He also reportedly traveled to Pakistan after each of these trips to brief his co-conspirators there and to provide them with his maps, sketches, photos and videos. In March 2008, Headley and his co-conspirators reportedly discussed potential landing sites for a team of attackers who would arrive by sea in Mumbai, and he was instructed to take boat trips in and around the Mumbai harbor and make videotapes of the area, which he allegedly did during his visit to India in April 2008.

During much of his surveillance activity, Headley identified himself as an employee of the immigration services company First World, but there is no evidence that Headley ever worked for that company. There is also no information in the documents released so far that would explain how Headley paid for his extensive international travel, much less earned money to cover his day-to-day expenses.

Finally, there is the issue of Headley’s alleged work as a DEA and FBI informant (which could help explain at least some of the financial mysteries discussed above). Given the demonstrated — and considerable — nexus between heroin trafficking and terrorism funding for the jihadist groups operating in Pakistan and Afghanistan, such a crossover of an informant from narcotics to terrorism is no surprise — especially following the incredible push by the U.S. government to recruit human intelligence sources with links to the jihadist world following the 9/11 attacks.

If Headley were reporting to the FBI, it could also explain the very specific warnings that the U.S. government gave to the government of India about plans to attack hotels in Mumbai in September 2008. Following the warning, the government of India initially increased security measures at these sites, but the measures were dropped before the attacks were launched in November 2008.

At present, it is very difficult to ascertain if Headley was a double agent who was really reporting to LeT and HUJI the entire time he was ostensibly working for the U.S. government or if he was merely a rogue informant who was playing both ends against the middle for his own personal benefit.

Such rogue sources have been seen in jihadist cases before. If Headley was either a double agent or a rogue source, there may be some significant blowback for the U.S. government as further revelations are made about the case.

What We’ve Learned About LeT and HUJI

First of all, this case demonstrates that LeT and HUJI have each developed a sophisticated central-planning apparatus. This is something they needed to do as they drifted out from under the wings of the Pakistani Inter-Services Intelligence (ISI) directorate, though undoubtedly they learned a lot about planning from their long association with the ISI.

Second, the Headley case shows that as of October 2009 (almost a year after the Mumbai attacks), LeT and HUJI still enjoyed a great deal of operational freedom in Pakistan. They were able to travel, raise funds, communicate, train and plan operations with seemingly little interference.

This is a stark contrast to al Qaeda, which is hunted, on the run and experiencing a great deal of difficulty moving operatives, communicating, raising funds and conducting operations. The links between Headley and his associates to current and former Pakistani military officers and government officials are likely what is affording LeT and HUJI their operational freedom.

As far as targeting, we have seen LeT and HUJI shift away from strictly Indian targets and toward more of a transnational al Qaeda-like target set. Not only did they attack Western interests and a Jewish target in Mumbai, but they were also planning to conduct an attack against a newspaper in Denmark that had absolutely no relation to the cause of Kashmiri independence from India.

That said, despite having a highly trained surveillance operative and operational planner living inside the United States, these groups did not appear to task him to use his terrorist tradecraft to conduct target surveillance or plan and conduct attacks inside the United States.

According to court documents, HUJI leader Ilyas Kashmiri appears to have been the force driving the Denmark attack plans, and Headley seems to have been frustrated when his LeT contacts did not want to proceed with the Denmark attack after Kashmiri was reportedly killed in an American unmanned aerial vehicle (UAV) strike in Pakistan.

LeT wanted Headley to help them plan another attack in India instead. The report of Kashmiri’s death was ultimately proved false, but the UAV attack apparently caused Kashmiri to go to ground and for Headley and his LeT contacts to lose communication with Kashmiri for a period of time.

It is known that Kashmiri is closely affiliated with al Qaeda, and the plans for the Denmark attack are an indication that HUJI has become more closely aligned with the transnational jihadist targeting philosophy as a result of Kashmiri’s contacts with bin Laden and company. It appears that LeT, on the other hand, has retained more of a focus on India. So, while the two organizations continue to cooperate, they do have some differences in targeting philosophy, and it would seem that HUJI is creeping further into the al Qaeda orbit than LeT.

The information released to date in this case also underscores the importance of interpersonal relationships in the jihadist milieu and how these relationships, which are based on family, friendship and trust, often lead to an overlap in which people interact with different groups, and groups such as LeT and HUJI share resources and work together. The jihadist world can be a very murky place and operatives can work with different “companies,” to use Headley’s term.

Protective Intelligence Implications

This case also has some significant protective intelligence implications, and it underscores much of what we have been saying about surveillance and countersurveillance for several years now.

While Headley is a U.S. citizen and changed his name in order to camouflage his heritage and religious affiliation, he conducted an inordinate amount of surveillance activity by himself. Conducting a surveillance operation with only one person is among the most difficult — and risky — activities that any surveillance operative can be tasked to perform.

Any time a person conducts surveillance he or she is vulnerable to detection. That vulnerability is mitigated somewhat if the surveillance is conducted by a team of individuals and the team members can take turns exposing themselves to potential countersurveillance. Doing a solo surveillance operation means that the surveillance operative is forced to show his face time and again to anyone watching.

Furthermore, activities such as taking photographs and making video recordings are far riskier than simply observing a target. Having one single surveillance operative visit two offices of the same newspaper and then take dozens of photos and make 13 video recordings of the offices — in a one-week span, no less — is terrible surveillance tradecraft.

Had someone been conducting countersurveillance on one of the targets Headley was studying — or, better yet, countersurveillance of more than one of these potential targets — the countersurveillance assets almost certainly would have noticed his abnormal behavior.

American tourists may frequently take photos and shoot videos while visiting foreign capitals, but they do not take the time to capture extensive still and video images of newspaper offices.

Even people who have conducted thousands upon thousands of hours of surveillance would have a hard time creating cover for action and status that would justify that much surveillance activity — especially when the surveillant is a foreigner and working alone.

The only rational explanation for why Headley was not noticed while conducting his surveillance is that nobody was looking.

The use of an American citizen to conduct surveillance once again illustrates the importance of focusing on the “how” of terrorist attacks and not just the “who.” And when considering the actor, the focus must be placed on his or her behavior, not just nationality or religious creed.