TERRORISM T HREAT & MITIGATION REPORT 2018€¦ · comprehensive ecosystem for financing and managing terrorism risk. As this year has already shown, this ecosystem is capable of

TERRORISM THREAT & MITIGATION REPORT 2018

https://www.poolre.co.uk/

The last 12 months have seen two of the most significant enhancements to Pool Re’s cover since it was established to provide liquidity and stability to the UK commercial property market during the IRA’s mainland bombing campaign. New cover for physical damage caused by an act of cyber terrorism, combined with incoming legislation to allow the pool to cover non-damage business interruption (NDBI), together represent a new global standard of terrorism cover. Moreover, we have grown our international retrocession programme, are exploring a ground-breaking terror catastrophe bond placement, and continue to support our Members, their policyholders and the Government through a variety of risk mitigation initiatives.

Pool Re is committed to developing a scheme which goes beyond providing mere solvency to its Member insurers, offering a dynamic, comprehensive ecosystem for financing and managing terrorism risk. As this year has already shown, this ecosystem is capable of fostering both greater national resilience, and the conditions to gradually reintegrate terrorism risk within the private (re)insurance market for the first time since 1993.

Since 2016, Pool Re, through its Terrorism Research and Analysis Centre (TRAC), has established itself as an expert and thought leader in the field.

2018: A TRANSFORMATIVE YEAR FOR POOL RE25 years on from Pool Re’s establishment, this fourth annual Terrorism Threat and Mitigation Report comes at the end of a watershed 2018.

Julian EnoiziChief Executive, Pool Re

£2+ trillionPool Re’s current exposure across mainland UK

50%of the 10 most costly global terrorism events, in terms of property damage, have occurred in the UK

£600m Value of claims Pool Re has paid out to date

£6bnValue of Pool Re’s current fund

£800mToday’s value of the claim from the Bishopsgate bombing in 1993

Worldwide attacks resulting in property damage

54%

resulting in property damage of

+US$10m

SUMMARY

Property damage

Since 2014, there have been 7 attacks worldwide

Pool ReTERRORISM THREAT & MITIGATION REPORT 02

2018: A TRANSFORMATIVE YEAR FOR POOL REcontinued

Central to these core aims is a deep understanding of the contemporary threat, combined with a marked shift in our ability to model a notoriously unpredictable and complicated risk class. Since 2016, Pool Re, through its Terrorism Research and Analysis Centre (TRAC), has established itself as an expert and thought leader in the field. TRAC is designed to empower our Members and broader stakeholders with analysis of the threat landscape as it relates to the market and domestic affairs. Its quarterly Frequency reports culminate in this annual edition which, as well as qualitative insights and commentary from a range of expert contributors, showcases for the first time Pool Re’s Terrorism Database. This statistical resource will play an important role in our ongoing actuarial and distribution work, and ultimately, should enable our Members to feel sufficiently comfortable with the risk to commit increasing capacity and resource to exploit growth and capital opportunity in new markets. This will correspondingly promote the economic resilience and protective security of UK Plc, since bridging information gaps and incentivising the uptake of police-accredited risk mitigation measures becomes mutually beneficial to the public and private sectors.

Following our landmark cyber extension in March, the inclusion of cover for NDBI [...] will be an essential and timely evolution of the protection our Members will be able to market to businesses across the country.

Following our landmark cyber extension in March, the inclusion of cover for NDBI, which subject to parliamentary approval will be introduced in January 2019, will be an essential and timely evolution of the protection our Members will be able to market to businesses across the country. It will be particularly attractive to the presently poorly penetrated SME market which can be vulnerable to disproportionate business interruption in the wake of an atrocity. The first major pool to offer this cover, Pool Re is committed to working with its Members and representative bodies such as the Federation of Small Businesses, Chambers of Commerce and The British Insurance Brokers’ Association to promote the necessity, availability and affordability of this targeted response to the altered risk profile.

This year’s progress also evidences what the Economic Secretary to the Treasury called the ‘open and constructive relationship1’ between Pool Re and its Government partners, central to ensuring we ‘remain a world leading terrorism reinsurance pool2’. Our work to unite and harness the respective strengths of the public and private spheres has also been recognised in this year’s Counter Terrorism Strategy (CONTEST). We will be building on the success of our Vulnerability Self-Assessment Tool with a pilot training course for Member risk engineers in collaboration with our academic partners at Cranfield University.

Above all, Pool Re is committed in the next 12 months to continue to cement partnerships and develop market solutions which mutualise systemic threats to our society. In that spirit, I hope you enjoy this report.

Julian EnoiziChief Executive, Pool Re

1 Pool Reinsurance Company Insight, May 2018 edition.2 ibid


Pool Re has now compiled its own data on terrorist attacks since 2014, since the establishment of the so-called Caliphate.

THREAT Whilst we recognise the event outside the Palace of Westminster on 14 August is being treated as potentially terrorist in nature, there have been no other terrorist attacks on the UK Mainland during the year to date. The intent of Islamist extremists, however, to inflict mass casualties in crowded places remains clear and present. The lack of successful attacks in 2018 is in stark contrast to 2017 which witnessed five successful attacks (four Islamist and one Extreme Right Wing (XRW)), resulting in 36 deaths and over 300 injured. A further 17 plots have been disrupted since March 2017. It would be too easy and premature to say that the loss of the physical, so-called Caliphate in Syria and Iraq has led to this decrease in attacks and that the threat of Daesh and al Qaeda (AQ) has diminished. The Police and MI5 currently state that one major terrorist plot is being thwarted every month.

It is therefore unsurprising that the UK threat level from Islamist extremism remains at SEVERE and is likely to remain so for the next 18 to 24 months. It is probably too early to make any predictions on what might happen next and what form ‘Daesh 2.0’ might take and, more importantly, whether we are at a ‘tipping point’ in the Islamist extremist campaign against the West. Our guest writers express their views, supported by Pool Re subject matter experts.

Dr Andrew Glazzard comments in his article that “Daesh is down but not out and, on the surface, Daesh appears to be downtrodden in Syria and Iraq and has entered, probably quite deliberately, into ‘survival mode’ as it considers its options, recuperates, regroups and rearms.”However, there have been recent incidents of increasingly brazen attacks by small groups of Daesh fighters who are now operating in cells along traditional insurgency lines. The emergence of increasingly powerful affiliates in Afghanistan, Yemen and Southeast Asia – leveraging off areas of weak governance and local issues – is evidence that the perverse ideology that it promotes is far from extinguished. The contagion effects of this ideology will continue to spread across the globe and fuel extremist behaviour. Whether these ‘foreign’ affiliates will pose a direct threat, in the near future, to the UK (as Daesh achieved during the height of the so-called Caliphate, with its ‘directed operations’ from Syria/Raqqa) remains to be seen. Ali Soufan goes one step further by proposing that the “fracturing of Islamic State could lead to the emergence of new, and in some cases more violent and operationally capable, splinter organisations.” Soufan raises the concern that these “follow on franchise groups could ultimately develop to be highly operationally capable and focused on attacking the West, as we have seen before with the evolution of al Qaeda (AQ) in the Arabian Peninsula (AQAP) in Yemen.”

ENDURING THREAT, MATURING RESPONSEPool Re’s Terrorism Research and Analysis Centre (TRAC) is pleased to present its fourth Terrorism Threat and Mitigation Report.

SUMMARY

Global attacks 2014-18

Ed Butler CBE DSOHead of Risk Analysis, Pool Re

8 Attacks in Great Britain since June 2014

37Deaths in Great Britain since June 2014

261 Injuries in Great Britain since June 2014

2 Successful attacks against airliners globally since June 2014

13 Islamist plots disrupted in the UK since March 2017

17 Plots disrupted in the UK since March 2017

4 XRW plots disrupted in the UK since March 2017

4,340+terror attacks worldwide

44%of which occurred in the Middle East and North Africa

48%of which occurred in Iraq


ENDURING THREAT, MATURING RESPONSEcontinued

A review of the attacks across Europe in 2017 and the first half of 2018 suggest that most attacks were undertaken by inspired or self-radicalised individuals, utilising low technology methods to inflict lethal effect. The TRAC database highlights that, across Europe, the main targets remain police, government and military figures, although attacks in the UK have been predominantly against crowded places. Andrew Glazzard comments that “homegrown terrorists, inspired and not necessarily directed by Daesh or AQ, will remain the biggest problem.”This is supported by other experts in the counter terrorism (CT) field who predict that there will be an organic growth of ‘inspired’ terrorist groups, many of them portraying more cult and group-based behaviours than genuine followers of Islamist extremism. Anticipated attacks by returning fighters, enabled by battle hardened experience and technical competence from the front line, has yet to fully materialise in the UK, but this does not discount the possibility of it happening or the mounting of a spectacular attack by Daesh or AQ. Ali Soufan highlights one of the reasons for this being to “maintain group morale and burnish the group’s brand”.The aviation sector, be it a plane or airport, remains the most highly desired target for AQ.

It would be too easy and premature to say that the loss of the physical, so-called Caliphate in Syria and Iraq has led to this decrease in attacks and that the threat of Daesh and al Qaeda (AQ) has diminished.

While the most determined and effective global terrorist entity remains Islamist extremism, the growth of extreme right-wing (XRW) groups and individuals and the underlying threat posed to the UK by dissident republican groups in Northern Ireland continue to concern MI5 and the CT Police. The threat posed by XRW terrorists, especially those with former military training and knowledge of explosives, could manifest itself in the form of lone attacks over the coming years as opposed to large-scale and complex spectaculars. Andrew Glazzard notes that extreme right-wing groups and individuals in the UK “may become more organised” and, although the statistics for the UK lag well behind the US, there is “good reason to expect an incremental increase in the threat”. This view is also supported by Ali Soufan and Sir David Omand.

The threat posed by terrorist use of emerging, unconventional methodologies, such as Chemical, Biological, Radiological and Nuclear (CBRN) material, cyber and drones is covered in this report. The consensus is that a number of terrorist groups have the intent to utilise a CBRN device in an attack and it is known that Daesh has tested and used chemical devices in Syria and Iraq. Both AQ and Daesh, unconstrained by what Soufan refers to “as the norms that might give other groups pause before committing an attack” have declared their intent to use either a ‘dirty bomb’ or a chemical/biological device to achieve the most lethal of attacks.

The main concern is about the growing symbiotic relationship between criminals, terrorists and non-state actors sharing ideas and technology which can be used for more offensive means.

Conrad Prince assesses the growing threat of cyber terrorism in his article, set against the context of the wider (state, state-proxy, criminal, hacktivist) cyber threat which “is growing and changing at pace.”It is highly likely that terrorist and extremist use of the internet, encryption and social media to promulgate their propaganda and attack planning will continue to be exploited. However, we are yet to see examples of terrorists or extremists using cyber means to launch effective, disruptive or destructive acts of terrorism. The main concern is about the growing symbiotic relationship between criminals, terrorists and non-state actors sharing ideas and technology which can be used for more offensive means. Encrypted messaging services, social media and on-line recipes and operational advice will continue to provide competitive advantage to terrorist groups who seek to promote their propaganda, recruit, fundraise and undertake successful attacks.

RESPONSEThe need for greater collaboration between the public and private sector has been driven by the increasing and persistent nature of the terrorist threat facing the UK. In the insurance sector, Pool Re has led on much of this thinking and, as stated in the 2018 CONTEST Review, has been acting as a conduit between the Government, business and academia, identifying appropriate initiatives which will improve the protective security of the insureds, as well as looking after our Members’ interests. Many of these initiatives involve closing the protection gaps in terrorism cover which we have identified over the last few years. Other initiatives have already been identified and these will all support our vision to build an ecosystem which will enable greater risk transfer to the commercial market. In so doing, this will enhance the UK’s economic and national security interests and, as a result, its overall resilience.

This year has been significant as it has seen the inclusion of an ‘Act of Terrorism’, which utilises a cyber trigger to cause physical damage to property, being included in our scheme. More notable is the likely inclusion of cover for non-damage business interruption (NDBI), subject to parliamentary approval. This change to the 1993 Reinsurance (Acts of Terrorism Act) will assist in the closing of the insurance gap that was highlighted during the attack at London Bridge and Borough Market in June 2017. Steve Coates, our Chief Underwriting Officer, provides more detail about the NDBI cover that is being proposed and how these changes will impact on our scheme and our Members. Pool Re, as covered later in the report, continues to invest heavily into risk management and risk mitigation initiatives, including a Vulnerability Self-Assessment Tool (VSAT), the training of Member risk engineers, improving information exchange between the public and private sectors and ongoing work with academic institutions such as Cranfield University, Cambridge Centre for Risk Studies, the Wharton School at the University of Pennsylvania and the Cass Business School.

As stated in the 2018 CONTEST Review, Pool Re has been acting as a conduit between the Government, business and academia, identifying appropriate initiatives which will improve the protective security of the insureds, as well as looking after our Members’ interests.


ENDURING THREAT, MATURING RESPONSEcontinued

William Farmer, at AXA XL, traces the history of the terrorism insurance market, highlighting the key drivers that have driven demand and how the market has adapted and increased its capacity to meet current and emerging threats.

The 2018 refresh of the Government’s counter terrorism strategy, CONTEST, and its 16-year journey since its inception post 9/11 is discussed by Sir David Omand, one if its principal authors. Sir David stresses the importance of having an “essential strategic aim – to reduce the risk from terrorism to the UK and our interests overseas so that people can go about their normal lives, freely and with confidence”.In his judgement, CONTEST has achieved this aim with respect to the UK and the new version of CONTEST has evolved to meet the changing threat, while adhering to the Rule of Law. He summarises his piece by saying: “The threat has therefore mutated, but the aim of the strategy in CONTEST in countering the threat remains apt.”

By way of comparison, we asked Ali Soufan to explain how the US Administration’s global and domestic CT strategies have evolved over the same period. Soufan observes that “for the US, countering (global) terrorism has witnessed both progress and setbacks over the past 16 years.”He concludes that “few countries are as tactically proficient as the US when it comes to countering terrorism but, without question, Washington has struggled to translate counter-terrorism success into strategic victories.”

CONCLUSION Islamist extremism will continue to pose the main threat to the UK in the foreseeable future, with Daesh remaining the most effective global entity. The risk of a spectacular attack, by either AQ or Daesh, cannot be discounted, nor can the growing threat posed by XRW terrorism. In the light of this persistent and likely incremental increase of a multi-faceted threat Pool Re remains committed to developing its understanding of this peril in both qualitative and quantitative terms. In so doing, we are building a world class ecosystem that will allow greater risk transfer from Pool Re back to its Members, thereby improving the resilience of UK plc to terrorist action. Furthermore, we will continue to facilitate collaboration between the public and private sector, utilising all the benefits that such a partnership brings in the fight against terrorism.

We are building a world class ecosystem that will allow greater risk transfer from Pool Re back to its Members, thereby improving the resilience of UK plc to terrorist action.



TERRORISM THREATS TO THE UK

THREAT LEVELThe Joint Terrorism Analysis Centre (JTAC) assesses that the threat from international terrorism to the United Kingdom (UK) is SEVERE, meaning an attack is highly likely. MI5 assesses that the threat from Northern Ireland-related terrorism to Great Britain is MODERATE, meaning an attack is possible, but unlikely.

Last year the UK threat level was twice raised to CRITICAL, meaning an attack was imminent. This represents 46% of the time the country has spent at CRITICAL since the threat levels were made public in 2006.

Andrew DonaldsonDeputy Head of Risk Analysis, Pool Re

KEY ACTORS Islamist extremists Islamist extremists are the principal threat to the UK. Daesh and AQ associates remain the key threat actors and likely targets are police, military and Government personnel and crowded places associated with iconic sites and the transport sector. Crowded places represent an opportunity for causing mass casualties, and the transport sector is a favoured target amongst Islamist extremists. Civil aviation remains a desired target, with the 2015 bombing of Metrojet Flight 9268 from Sharm el Sheikh triggering a new wave of aviation themed plots, reminding the Western world that security protocols were not infallible.

MOVES TO CRITICAL 2006-2018

Transatlantic aircraft (liquid bomb) plot 10 August 2006

Glasgow Airport attack30 June 2007

Manchester Arena attack23 May 2017

Parsons Green attack 15 September 2017


RELEASED PRISONERS

“The long-term management of terrorist offenders is critical to our ongoing responsibility to keep the public safe”

Assistant Commissioner Specialist Operations Neil Basu QPM, National Lead for Counter Terrorism Policing, 2018

With currently over 650 active terrorist investigations in the UK, unprecedented demand is being placed on the CT police and MI5. The attacks in London and Manchester in 2017 are likely to influence the amount of risk a Senior Investigating Officer is willing to take, so more plots disrupted earlier should be expected. This is likely to mean convictions for lesser terrorism offences, meaning shorter custodial sentences. For the second year running, the largest proportion of terrorist sentences were under four years (accounting for 41% of sentences, 37 of 90 convictions). These convicted terrorists, subject to time spent whilst on remand, could be released back into the community after as little as 12 months. This is likely to compound the UK terrorist threat considering the measures and monitoring required when they are released.

There are a number of measures available to manage and monitor terrorists when released into the community, or those who cannot be deported or prosecuted. Terrorism Prevention and Investigation Measures (TPIMs) offer one option, with (according to official statistics2) at least seven currently in place within the UK. An aspect of TPIMs is the capability to relocate the subject a maximum of 200 miles from their residence. Considering the contribution extremists from East London and East Birmingham make to the UK threat, the 200 miles radius from these locations represent areas of particular counter terrorism concern and threat.

1 Operation of Police Powers under the Terrorism Act 2000, quarterly update to June 2018, accessed via https://www.gov.uk/government/statistics/operation-of-police-powers-under-the-terrorism-act-2000-quarterly-update-to-june-2018

2 Terrorism in Great Britain: the statistics (House of Commons Library Briefing Paper Number CBP7613), 7 June 2018.

There were four successful Islamist extremist attacks in 2017 in the UK and the investigation into those attacks and the numerous disrupted plots are likely to have impacted upon the capabilities of both lone actors and extremist networks in the UK. Additionally, the attacks are likely to have reduced the threshold for risk the CT police and MI5 have in counter terrorism investigations. As such, it is probable that plots will be disrupted in far more immature stages which are likely to result in convictions for offences which carry a shorter custodial sentence. This shortened cycle of conviction, custodial sentence and release of terrorist prisoners is likely to compound the domestic terrorist threat. The severity of the UK threat is unlikely to reduce over the next two years. The latest official statistics1 on terrorism arrests in 2018 show a 22% reduction on 2017; this may be accredited to the large number of arrests made in response to the Manchester and London attacks which accounted for a significant number of the 2017 arrests. With that in mind, 351 arrests for terrorism-related activity is still comparatively high and Islamist extremism accounts for both the majority of the arrests and 82% of the total terrorism prison population.

It is probable that plots will be disrupted in far more immature stages which are likely to result in convictions for offences which carry a shorter custodial sentence.

EAST BIRMINGHAM

EAST LONDON

THE AFGHAN CONNECTION

International terrorism from the 1980s was heavily shaped by those involved in, or influenced by, the various conflicts in Afghanistan, which attracted fighters from the Middle East and Central and South Asia especially.

During the 1990s, Afghanistan became a haven for extremists to train, develop strategies and form international alliances; veterans of the conflicts in Afghanistan also fought in the Algerian civil war, in Bosnia and Chechnya and carried out terrorist attacks internationally. Some veterans subsequently sought asylum in the UK, where the combination of extremists from different regions with a variety of experiences and skills helped shape the contemporary Islamist threat to the UK.

AQ’s weakened position in Afghanistan post-9/11 was a significant setback to the group. It retained, however, well established extremist networks which were regenerated to some degree in 2015 with their pledge to Taliban Mullah Akhtar Mansour, subsequently amplified by Hamza bin Laden. Mansour also at the time attempted to resist the Daesh recruitment drive which was starting in Afghanistan.

With the fall of the so-called Caliphate in Iraq and Syria, Afghanistan represented a logical option for many Daesh assets to resettle and once again recruit from established extremist networks. That capability is represented in IS-Khorasan (ISKP), which international coalition forces recognise as a threat to their national security and whose senior leaders have been targeted in military action, including air strikes. Despite that action, Afghanistan is likely to re-emerge as a source of global terrorism as an operating base for both AQ and Daesh. Considering the historical links from the country to the UK, an increased role in UK attack plots should be expected in the future.

TERRORISM THREATS TO THE UKcontinued


Knives and vehicles

IEDs

Firearms

Chemical

Arson

Biological

Hostage taking

DronesRadiological

Nuclear

Destructive cyber

Commercial aircraftused as a weapon

UK attack methodology scaleThe methodology of attacks may be wide ranging, with low complexity attacks using knives and vehicles as weapons being the most probable. The use of improvised explosive devices is likely to continue, particularly those incorporating TATP (Triacetone Triperoxide) above any other homemade explosives. The acquisition and use of firearms cannot be ruled out and remains a significant risk.

TERRORISM THREATS TO THE UKcontinued

Northern Ireland-related terrorism (NIRT) In March 2018 MI5 reduced the threat level from NIRT to Great Britain to MODERATE, meaning an attack was possible, but unlikely. This indicates that whilst some degree of hostile intent may remain within dissident republicans to attack the mainland, they currently lack the capability to do so or there has been an absence of active attack plans. The case of Ciaran Maxwell, the former Royal Marine convicted of terrorism offences and his suspected affiliations with the Continuity IRA (CIRA) appear an isolated incident although a stark reminder of both the military grade weapons which dissident republicans have available and how police, military and Government personnel are the likely focus of any attention. NIRT remains extremely active in Northern Ireland, with attacks highly likely and the New IRA representing the most significant threat.

Extreme Right Wing The threat from XRW groups to the UK is growing. In 2017 there was one XRW attack, targeting people leaving Finsbury Park Mosque, and since March that year there have been at least four disrupted XRW attack plots, accounting for around 24% of disrupted plots in the UK. Arrests and custodial sentences for XRW activity in the UK have also steadily increased over the past three years. Latest official statistics state 13% of terrorist prisoners hold XRW ideologies, representing 28 people and an increase from 10 people in the previous year.

The greatest XRW threat to the UK is the proscribed organisation National Action, described by Assistant Commissioner of Specialist Operations Neil Basu QPM as the first XRW group to represent a national security threat. The presence of many serving military personnel within National Action compounds the threat they pose, given their training and access to firearms and explosives, all of which indicate the severity of such attacks may increase.

Assessment Islamist extremist attacks are highly likely to continue and, considering the diminished role of the so-called Caliphate in Iraq and Syria and disrupted communications from senior leaders there, attackers within the UK are less likely to have received specific instructions from overseas. Attackers are more likely to be inspired by a general Islamist extremist rhetoric. Likely targets are police, military and Government personnel and sites, along with crowded places associated with iconic sites and transport. XRW activity is likely to continue and probably increase, and violence directed towards the Muslim community using vehicles and military grade weapons cannot be ruled out.


The terrorist threat to the UK comes from three types of threat actor. The most capable and determined are violent Islamists, principally Daesh, AQ, and their various franchises and affiliates, together with individuals or networks inspired by their ideology. Second are XRW groups and individuals, generally viewed as being less capable, but surprisingly numerous in counter-terrorism casework. The third set comprises a wide range of nationalist-separatist groups, the most significant being dissident republican groups in Northern Ireland. Other nationalist or separatist groups (such as Sikh extremists, Palestinian nationalists, Kurdish separatists) have been quiescent for many years.

Daesh is down but not out, and it will remain the greatest terrorist threat to the UK for some time to come. It almost goes without saying that Daesh is the major threat to the UK and its interests and has been since it emerged in 2013. While celebrations of its imminent demise have been premature, it has undeniably lost most of its territory in Syria and Iraq under military pressure from the Global Coalition. This fact changes but does not eliminate the threat of Daesh-directed attacks against Western targets.

Territory is important as it has provided Daesh with resources as well as space in which to plan and operate. However, it is the loss of territory that may be the greatest determinant of intent to mount external attacks. After Daesh started to come under territorial and military pressure from 2014, its declared strategy changed to embrace attacks in the West in addition to state building and expansion within its Middle Eastern heartlands. As Daesh’s territory continued to shrink in 2015-17, the tempo and severity of Daesh-linked attacks in the West (and against Western interests) increased.

But Daesh-directed attacks in Europe have tailed off in 2018, so are we — as some analysts have asserted — over the worst? Not necessarily. In July 2018, Daesh South Asian franchise ISKP claimed one of the deadliest attacks in Pakistan’s history, which killed over 130 people in Baluchistan. Daesh affiliates are active in regions extending from West Africa to the Philippines. Moreover, there are reasons to be fearful about the threat in the longer term. Daesh is a product of many factors but governance failures and political and economic grievances are among the most important. These are getting worse, not better, in most of the countries that have fed Daesh recruitment, including Syria, Iraq, Libya, Sinai and Yemen. Then there are the thousands of Daesh recruits, including the so-called foreign terrorist fighters (FTFs), who remain unaccounted for.

Since 2013, over 40,000 men, women and children from 80 countries are estimated to have travelled to Iraq and Syria to connect with Daesh. Around 5,000 are estimated to have come from Europe, and only 1,500 of these are believed to have returned. 900 individuals of security concern are estimated to have travelled from the UK, of whom around 40% have returned, with 20% estimated killed, leaving around 360 presumably at large.1

Dr Andrew GlazzardSenior Research Fellow; Director National Security and Resilience Studies

1 The UK estimates come from CONTEST: The United Kingdom’s Strategy for Counter-Terrorism (HMSO, 2018), p. 18. For other estimates, see Joana Cook and Gina Vale, From Daesh to ‘Diaspora’: Tracing the Women and Minors of Islamic State, International Centre for the Study of Radicalisation, 2018, pp. 14-19.

DAESH 2.0: WHAT’S NEXT FOR THE UK?

ANALYSIS BY DR ANDREW GLAZZARD“To what extent will the current components which make up the UK terrorist threat change over the next three years?”


DAESH 2.0: WHAT’S NEXT?continued

Fears of foreign fighters are not misplaced but they are probably exaggerated. Since 2014, a major concern has been that these foreign fighters, radicalised and motivated, armed with battlefield skills and linked to new extremist networks, will return home and mount terrorist attacks. Empirical research suggests that a very small proportion of returnees go on to attempt terrorist attacks, and most of these take place in the first 12 months after return.2 Thomas Hegghammer estimated that up to one in nine returnees might become terrorists, but his more recent data-driven research with Peter Nesser suggests that, in the Daesh era, the figure is closer to one in 360.3

Nevertheless, given the numbers who travelled in the first place, such figures may give little comfort, especially when the risk tolerance for terrorism is so low in the UK. And if Daesh planners are determined to use Western fighters to mount attacks in their home countries, as happened with the attacks in France and Belgium in 2015 masterminded by Abdelhamid Abaaoud, who had travelled to Syria in 2013, they have plenty of personnel to draw upon.

‘Homegrown’ terrorists, inspired but not necessarily directed by Daesh or AQ, will remain the biggest problem.The low conversion rate from foreign fighters to domestic terrorists suggests that we should be more concerned about those who never went to Syria and Iraq. Indeed, experience suggests we should be at least as concerned about individuals who were prevented from travelling to conflict zones as those returning from them: Michael Adebolajo, one of the murderers of Fusilier Lee Rigby in 2013, was arrested in Kenya in 2010 and was believed to be travelling to join al Shabaab, an AQ-affiliated group, in Somalia. Chérif Kouachi, one of the brothers responsible for the ‘Charlie Hebdo’ attacks in Paris in January 2015, had been prevented from travelling to Iraq in 2005.

Since 2013, over 40,000 men, women and children from 80 countries are estimated to have travelled to Iraq and Syria to connect with Daesh.

The widely-cited statistics of terrorist suspects in the UK are headline-grabbing but are not quite as alarming as they might appear. The 20,000 ‘closed subjects of interest’ to MI5 are closed cases which pose a residual risk: they have appeared on the security radar, but there is nothing to suggest they are actively involved.4 From the Government’s perspective, these individuals pose a political or reputational risk, as much as a security one. However, as the UK’s senior counter-terrorism police officer ACSO Neil Basu has pointed out, it is more important to focus on the 3,000 active subjects of interest.5 These are individuals believed to be linked to terrorist investigations, and therefore they pose a higher risk. But this figure is also, in part, a measure of police and MI5 capacity: in 2004-5, when AQ was planning major attacks against

the UK and the US, the number of international terrorist suspects was much lower, at 500-800.6 And police and intelligence service successes mean that Islamist terrorists are less strategically ambitious, and so more inclined to use weapons at hand, such as knives and cars. We should expect this to remain the case.

In risk management terms, this means we will see a greater threat in terms of volume, but lower impact in terms of each incident, even if Islamist terrorists have found that a small-scale, low-fatality attack can still generate exceptionally good returns in terms of publicity.

One source of concern is the number of offenders being released from prison. Analysis by the Guardian newspaper shows that at least half of the 195 convicted for terrorism offences in the 2007-16 period will be free by the end of 2018; by the end of 2021 only around 40 will still be in jail.7 Fortunately, research shows that, at around 10-20%, rates of recidivism are much lower in terrorism cases than other forms of crime, where it is generally 50%.8 Also, many of those due to be released would have been convicted for relatively minor offences. But it is another piece of evidence suggesting that the CT authorities will have more, not less work to do over the next three years.

In risk management terms, this means we will see a greater threat in terms of volume, but lower impact in terms of each incident, even if Islamist terrorists have found that a small-scale, low-fatality attack can still generate exceptionally good returns in terms of publicity.

Right-wing extremists are less capable but are growing in number and pose an increasing threat. Right-wing extremists have carried out a small number of fatal attacks, the most prominent being the murder of Mohammed Saleem in Birmingham by the Ukrainian Pavlo Lapshyn in 2013, the murder of Jo Cox MP by Thomas Mair in 2016, and Darren Osborne’s attack against Muslim worshippers outside the Muslim Welfare House in North London in 2017. For the first time since the Second World War, in 2017 the Government proscribed a right-wing group — National Action —suggesting that the extreme right-wing may be becoming more organised. Moreover, lone actors are able to mount very significant terrorist attacks, as demonstrated by Anders Behring Breivik in 2011; using only the internet and self-purchased resources in an isolated farmhouse, Breivik built a large explosive device and acquired enough firepower to murder 77 people in Oslo and Utøya. In the US, extreme right-wing groups and individuals were estimated to have committed 59% of extremist murders in 2017.9

The UK has a long way to go before it can match the US in XRW violence. But there is good reason to expect an incremental increase in threat, as cases in the Government’s Channel intervention (under its Prevent Programme) may be something of a leading indicator.

Channel is a voluntary intervention to support individuals judged to be at risk of being drawn into terrorism. 37% of those receiving Channel support in 2016-17 were XRW cases.10 And in the UK’s uncertain political environment, there is a possibility that a significant political event will mobilise right-wing extremists further.

Dissident republicans will remain active in Northern Ireland, and occasionally on the mainland.Most terrorist attacks in the UK take place in Northern Ireland. Although terrorism related to Northern Ireland remains at historically low levels, dissident republican groups such as the so-called New Irish Republican Army (NIRA) have continued to mount attacks against security forces alongside vigilantism and feuding with organised crime groups. In 2017, Parliament’s Intelligence and Security Committee reported an MI5 assessment that Northern Ireland is the “most concentrated area of terrorist activity probably anywhere in Europe”.11

Although one Real IRA (RIRA) splinter group declared a ceasefire in 2017, it seems likely that groups like NIRA will continue to attempt attacks against security forces in NI and potentially on the mainland. And uncertain politics may change things for the worse: the contested status of the Irish border in the Brexit negotiations could mobilise republicans (and hence loyalists) if a hard border is put in place, or if NI emerges with a different status from the rest of the UK.

The likeliest scenario for the UK threat is more of the same – an incremental increase in existing threats. This would mean a persistent and possibly increased threat from Daesh and AQ globally, continued attacks by individuals and networks inspired by global jihadism, some of which could be on a larger scale than seen in 2017, an increased frequency of attempted attacks by right-wing extremists, and a continued threat from groups like the New IRA.

2 David Malet & Rachel Hayes, Foreign Fighter Returnees: An Indefinite Threat? Terrorism and Political Violence, July 2018.

3 Thomas Hegghammer and Peter Nesser, Assessing the Islamic State’s Commitment to Attacking the West, Perspectives on Terrorism, 2015.

4 See David Anderson, Attacks In London and Manchester, March-June 2017: Independent Assessment of MI5 and Police Internal Reviews, December 2017, p. 8.

5 Raffaello Pantucci, A View from the CT Foxhole: Neil Basu, Senior National Coordinator for Counterterrorism Policing in the United Kingdom, Combatting Terrorism Center, February 2018. Available at https://ctc.usma.edu/view-ct-foxhole-neil-basu-senior-national-coordinator-counterterrorism-policing-united-kingdom/

6 Evidence provided by Security Service (MI5) to 7 July Inquest Main Hearing, 21 February 2011. Transcript available at: http://webarchive.nationalarchives.gov.uk/20120216080050/http://7julyinquests.independent.gov.uk/evidence/fullday/210211fullday.pdf

7 Jamie Grierson and Caelainn Barr, ‘Police facing surge in extremists released from jail, analysis finds’, The Guardian, 3 June 2018.

8 Malet And Hayes, Foreign Fighter Returnees.9 Report available at: https://www.adl.org/resources/reports/murder-and-

extremism-in-the-united-states-in-2017#the-incidents10 Individuals referred to and supported through the Prevent Programme,

April 2016 to March 2017: Statistical Bulletin 06/18, 27 March 2018 (Home Office, 2018).

11 Intelligence and Security Committee Annual Report 2016-17 (HMSO, 2017), p. 27.


HOW DO THE UK AND US COMPARE?The UK’s revised Counter Terrorism Strategy (CONTEST) was published in June 2018. The importance of working closely with the private sector, including the insurance sector, in counter-terrorism was highlighted as a theme across the four pillars, and Pool Re was recognised as an excellent example of how Government and industry can work together to mitigate the effects of a terrorist attack in the UK.

CONTEST was first published in 2003 to “reduce the risk to the UK and its interests overseas from terrorism, so that people can go about their lives freely and with confidence”. 15 years after the original report, Pool Re asked Sir David Omand, who was instrumental in developing the original strategy, for his thoughts on the success of the strategy and its latest edition.

CASE STUDY

CONTEST 2018: Partnership with Pool Re The insurance industry has the potential to shape behaviour and improve safety, security and resilience, including helping to promote security-minded behaviours in areas where there is less regulation. The Home Office works closely with insurance providers to explore areas where they might support our counter-terrorism objectives.

Pool Reinsurance Company (Pool Re) is an excellent example of a public-private partnership set up specifically to mitigate the financial impact of a terrorist attack.

Pool Re and the police have worked together to develop the Loss Mitigation Credit: a discount on insurance premiums for businesses implementing the Government’s accredited Protective Security Improvement Activity. This benefits both businesses and security.

As well as working closely with the private sector, the UK has deep ties with its allies in counter-terrorism. To compare the approaches of UK and USA counter-terrorism strategies, Pool Re has compared Sir David’s thoughts with those of Ali Soufan, a former FBI agent and CEO of The Soufan Group, including on the US’s counter-terrorism strategy.

Camilla ScrimgeourSenior Analyst, Pool Re


words to maintain conditions of normality, is certainly still right. The new version of CONTEST, however, sensibly widens the definition of threat to include the extreme right. The important qualifiers of the strategic aim, freely and with confidence, are also still there (freely meaning that the citizen has not had to give up essential freedoms and individual rights to achieve the objective; with confidence meaning that the citizen trusts the authorities to manage the risk, aviation and public transport including the London underground are used, tourists still visit the UK, there is inward investment, the public is not in fear of the terrorist).

The operationalisation of the aim through keeping the 4Ps, Pursue, Prevent, Protect and Prepare is sensible since that connects implementation of the strategy directly to the well-understood original risk management logic of CONTEST. The risk from terrorist attack is the product of likelihood, by vulnerability, by initial impact if the terrorists get through our defences, and the duration of any period of disruption the attack causes. Each of those factors can be influenced by Government, the private sector and the public working together thus reducing the overall risk. Of course, the detailed measures under each P will change as programmes are completed and new needs arise, as we see with the latest work on Prevent.

QWas the AQ threat post-9/11 so different from anything that had gone before that a new approach was needed (there had been no CONTEST type strategy to counter NIRT)?

Many (perhaps most) of us involved in the design of the original CONTEST strategy had worked on Northern Irish terrorism in previous years. The Northern Ireland experience did influence our approach. For example (and these may seem very obvious points but we now know that the architects of the US war on terror had a very different approach): • Be seen to act in ways that reinforce not undermine the values

of law abiding society• Have a strategic objective: deny the terrorists what they most seek

which is to disrupt through placing the public in terror; prevent the terrorists destabilising public confidence in the authorities

• Encourage fortitude when attacks take place and to prepare for such set-backs harness in advance the strengths of all sectors and communities in society behind the strategy

• Understand the terrorists in order to frustrate them through a clear unified counter-strategy

• Accept the need for patience, and avoid the temptation of extra-legal short-cuts

There was very wide and active participation in the research behind the strategy and there were lively discussions in an official Cabinet committee as to how best to set out the strategic aim (which has not changed in the latest version of CONTEST) and to operationalise it (though the 4P programmes of work – Prevent, Pursue, Protect and Prepare). The strategy was presented to the Home Secretary’s CT Cabinet Committee and then to the full Cabinet, which endorsed it. After that the implementation began in earnest.

QIf, with hindsight, you could add one additional element to the original CONTEST, what would it be?

With hindsight we could have made more in public of the cross-cutting supporting themes, for example the acquisition and use of pre-emptive intelligence that involved substantial investment, not least in the emerging field of digital intelligence, as now regulated by the Investigatory Powers Act 2016. That essential step, now eventually endorsed by Parliament, could have been better explained to the public at the time. Another such theme was public information and awareness of the strategy itself, and with hindsight we could have developed this strand, not as a separate pillar but underpinning the whole strategy as intelligence does.

Although not a separate strand, with hindsight we should have explicitly included the domestic reaction from the extreme right as one of the threats to be countered under both Pursue and Prevent. It was certainly not ignored in the early work on CONTEST but was not made explicit. That gap has now been remedied in the 2018 version of CONTEST.

QTo what extent can the current CONTEST deal with emerging, unconventional threats (such as CBRN and cyber terrorism)?

The original CONTEST strategy and its subsequent revisions and updating did provide for defence against CBRN threats. After 9/11 the allied operations in Afghanistan to dismantle the AQ infrastructure revealed that terrorist operatives passing through the AQ training camps were being trained in chemical and biological means of conducting terrorism. CONTEST therefore included: under the Pursue programme a high priority to be given to tracking down terrorist suspects interested in such vectors of attack, under the Protect programme investment in the development and deployment of analytical capabilities for CBRN defence and under the Prepare programme the development of a joint CBRN training centre at Winterbourne Gunner for the emergency services to learn together how to tackle such threats. Regular live exercises are held to practice procedures.

Countering radiological dispersal devices was also a focus of attention in CONTEST given what intelligence revealed of the terrorist intentions. The response included developing and installing radioactive detection portals at UK ports and airports to detect any attempt to smuggle such material into the UK and action by police and security authorities to ensure adequate security for radioactive sources used in medicine and engineering in the UK and safe disposal of unwanted devices.

DECODING TWO DIFFERING RESPONSES TO A COMMON THREATcontinued

UK

Sir David Omand GCBOne of the original authors of the CONTEST strategy

QWhat are your thoughts, 15 years after the original CONTEST, on the 2018 revised strategy?

Looking back, I am very glad to see the strategic continuity between then and now, with the same underlying strategic aim of maintaining normality in domestic society in the face of a continuing terrorist threat. During the 15-year duration of CONTEST we have already seen four Prime Ministers of different political persuasions embrace it, and no less than eight Home Secretaries and seven Foreign Secretaries. You cannot have effective strategy at national level that changes with each change of political personality. Sometimes major changes of direction in public policy are called for, that is the direct product of our democratic system of government. But there is a price to be paid for the discontinuity of effort whilst the efforts of the very many organisations involved in any major public policy are reoriented to the new direction of travel. That has not happened with counter-terrorism and we are all safer as a result.

You cannot have effective strategy at national level that changes with each change of political personality.

What has ensured the continuity of approach, which is essential, is the strategic logic of CONTEST. Of course there have been course corrections along the way, and shifts of emphasis not least as the threat has mutated under pressure from the security forces. But the underlying aim has not wavered, and that makes it much easier to generate an ‘all of nation’ effort and to garner support from all the communities affected by terrorism.

The CONTEST strategic aim of reducing the risk from terrorism so that people can go about their lives, freely and with confidence, in other


QConsidering the global terrorism threat we face, to what extent could there be a global CONTEST strategy where allies unite?

There is already now, helpfully, considerable convergence of strategy on tackling the risks from terrorism on both sides of the Atlantic. As the thinking developed in London that became the 2002/3 CONTEST strategy, the UK and US set up a jointly chaired Homeland Security Contact Group to share experiences and technical expertise in how to improve domestic security, including taking concerted action to boost aviation security and develop new technology for protective security. Such cooperation continues and includes work conducted under well-funded EU research and development programmes.

The UK has also deepened its global CT intelligence cooperation, not just with the US and Five Eyes allies1, but also European partners and many other friendly states around the world. The UK has been active in offering support and training to countries afflicted by terrorism and to help them build up their domestic capabilities.

UK law enforcement also cooperates closely with EU partners on countering terrorism, organised crime and cyber crime and sharing evidence to bring suspects to justice. Such active cooperation is mutually beneficial and takes place at an EU level under EU justice and home affairs arrangements, and with recourse by the citizen to the Courts and when necessary ultimately to the European Court of Justice. The UK has, however, been warned by the Commission that outside the EU after Brexit it will be unable legally to enjoy the same level of law enforcement cooperation, including membership of Europol, information sharing under the Schengen agreements and use of the European arrest warrant.

The UK is nevertheless a major European nation (and will always be so, regardless of our exact status vis a vis the EU after March 2019 and Brexit) and will have to continue to face, as EU partners do, the common threat of Salafist-Jihadist terrorism. When in 2005 the UK held (under Tony Blair) the presidency of the European Council, the EU adopted its own counter-terrorism strategy based closely on the CONTEST model. There has been close cooperation on strategy ever since. Having the UK continue to be able to work as an active security partner with EU member states is essential for the future security of the continent as well as for the British Isles. So, some legal framework (such as an EU/UK Security Treaty as proposed by the UK Prime Minister) is needed to allow current law enforcement cooperation to continue after Brexit, and to develop as the threat evolves, as it surely will. At the time of writing it is not at all clear whether the EU negotiators will recommend such an approach to the Council.

US

Ali SoufanChairman and CEO of The Soufan Group and former FBI Agent

QTo what extent have the US Administration’s CT strategies evolved over the past 16 years?

During the past 16 years, counter-terrorism strategy in the United States has evolved considerably. The initial years of the Global War on Terror were dominated by the relentless efforts to dismantle AQ’s leadership, undertaken in tandem with Operation Enduring Freedom in Afghanistan. Less than two years later, however, the United States committed to one of its most significant foreign policy decisions in the post-Cold War era by invading Iraq and soon becoming mired in a bloody insurgency, caught in the middle of an escalating sectarian conflict that would reinvigorate the global jihadist movement and give rise to al-Qaeda in Iraq (AQI), which would eventually morph into the so-called Islamic State, or Daesh.

The Obama administration continued many of the policies of the Bush administration’s two terms, and even adopted a more aggressive posture with respect to the use of drones. Under President Obama, the United States even expanded its interpretation of the authorisation of the use of military force to include broader authorities to strike other groups affiliated with AQ, including al-Shabaab, the militant Islamist group operating throughout the Horn of Africa.

For the United States, countering terrorism has witnessed both progress and setbacks over the past 16 years. President Obama acknowledged as much in a speech in December 2016 when he asserted that, while the US has made great strides against both AQ and Daesh, terrorism would remain a threat to the US for the foreseeable future. Indeed, the threat posed by Salafi-Jihadists specifically, and terrorist groups more broadly, continues to pose a range of challenges for the US across the globe.


Cyber terrorism was not considered a major threat in the original CONTEST strategy given the then state of global digital technology. What has emerged in the subsequent years is of course the ability of adversary states and non-state actors to damage and disrupt through cyber means, ranging from simple denial of service attacks using criminally provided software available on the dark net to highly sophisticated malware such as the 2017 NotPetya attack that Russia aimed at Ukraine but which spread through the Internet and, for example, totally destroyed the computer network of the giant global shipping company Maersk. So far terrorist groups have used digital technology for secure communications with their supporters and to recruit and mobilise for attacks, but not as a direct vector to disrupt society by attacking critical infrastructure. But this could quickly change and the latest version of CONTEST does have this threat identified as does the National Cyber Security Strategy.

QHow successful would you assess CONTEST to have been over the last 15 years?

The essential strategic aim – to reduce the risk from terrorism to the UK and our interests overseas so that people can go about their normal lives, freely and with confidence – has been achieved in respect of the UK. The risk is being managed, including by highly successful intelligence operations to generate pre-emptive intelligence to frustrate terrorist plots, although tragically not without some terrorist successes over the years. That state of normality has been achieved whilst maintaining our essential freedoms and liberties – and confidence has been maintained in the UK – tourists come, public transport and aviation are busy, the public is not in a state of fear. So the terrorists are failing, not winning.

The threat has therefore mutated, but the aim of strategy in CONTEST in countering the threat remains apt.

All that said, the threat remains high and has evolved and internationalised well beyond that from AQ against which the original CONTEST strategy was pitched. We were all surprised, and perhaps we should not have been, when Sunni extremists in Iraq that had been part of AQAP under their former leader Abu Musab al-Zarqawi took the opportunity offered by chaos in Syria to seize territory in Syria and Iraq to form the so-called Islamic State. That provided them with the ability not just to have a sanctuary but to raise and command significant financial resources. It has taken considerable military effort, and cost many lives, to dismantle that construct. A very necessary operation, but one that has inevitably left Daesh survivors, some of whom have already entered Europe bent on revenge and furthering their ideology. The threat has therefore mutated, but the aim of strategy in CONTEST in countering the threat remains apt.

1 The Five Eyes is an intelligence alliance between the United Kingdom, the United States of America, Australia, Canada and New Zealand.



For the United States, countering terrorism has witnessed both progress and setbacks over the past 16 years.

The Trump administration is attempting to keep pace with terrorist abilities to adapt to US countermeasures while maintaining a high operational tempo punctuated by aggressive counter-terrorism strikes. However, the United States still lacks a broader strategy for conflicts in which it is engaged, including both Afghanistan and Syria, meaning that the Global War on Terror continues on in perpetuity. In short, counter-terrorism itself has supplanted a more comprehensive US grant strategy, which is myopic and counter-productive in the long term.

Continued reliance on unmanned aerial systems, special operations forces and a limited military presence can be expected. One major question is whether Trump, who has been critical of Obama’s handling of Daesh, will change the role of the US military in Iraq and Syria from “advise and assist” to full-fledged combat operations. Another open question is whether the United States will be able to increase its leverage in Syria to play some kind of meaningful role there in a potential post-conflict reconstruction scenario, or whether a political solution will be dominated by Russia, Iran and Turkey, while the US remains on the sidelines. Few countries are as tactically proficient as the United States when it comes to counter-terrorism but, without question, Washington has struggled to translate counter-terrorism success into strategic victories.

QIs the US CT strategy suitable for emerging, unconventional (such as CBRN and cyber) threats?

The United States counter-terrorism strategy is better suited to deal with threats external to the homeland, as it is more offensive than defensive in nature. No gaps in US CT strategy are more important than those relevant to the responsibility to prevent CBRN and cyber-terrorism. Of the range of possible WMD-attacks, of particular concern is bio-terrorism, for several reasons. First, there is an increasing availability of “bio-chem” agents. Second, the United States Government retains only limited means to control this science, market and industry. Third, there is a desire among some terrorist groups like AQ and Daesh to commit the most lethal attacks possible, and these groups are not limited by norms that might give other groups pause before committing an attack generally considered ‘beyond the pale’ –the attacks of 9/11 proved this nearly two decades ago. Fourth, and finally, there is the danger of contagion and the difficulty associated with detecting and preempting preparations for attack, since these conspiracies can involve lone individuals or small cells of terrorists.

While AQ, Daesh, or a lone-actor motivated by Salafi-Jihadist ideology might attempt to conduct a CBRN attack, there is also the possibility that a terrorist group or cult with apocalyptic views could be motivated to do so. Because so much of the focus in the United States has been dedicated to Sunni terrorists, there is a blind spot when it comes to right-wing extremists and other individuals and groups that could engage in political violence. Still, it is important to recognise that the difficulty of preparing and conducting a CBRN attack and the consequences of an attack, vary dramatically among different types of weapons. In terms of cyber, there is less of a threat from terrorists conducting a cyber-attack against critical infrastructure than there is from terrorist groups harnessing social media and encrypted communications to enhance their ability to recruit, fundraise and spread their propaganda online.

An attack using a chemical weapon like sarin gas or chlorine is perhaps the least difficult to pull off. An attack using a radiological device or ‘dirty bomb’ could result in substantial casualties, but would be difficult for a small group to assemble. Accordingly, the bigger the group and the more elaborate the preparation, the greater the chance of detection. Acquiring, much less building, a nuclear-fission weapon is for now something only determined nation-states can do, though it cannot be ruled out that a nefarious nation-state would arm and instruct a terrorist group, even if the odds remain miniscule, for a number of reasons. A terrorist attack using biological agents, however, could be planned, implemented and executed by a relatively small group. The fall out could be disastrous, particularly considering the difficulty of containing the second and third-order effects, including psychological impact and public health emergencies.

QWhat do the next three years of Islamist extremism look like in the West?

The threat of Islamist extremism in the West over the next three years will be driven by the continued collapse of the Daesh Caliphate. Even though the main objective of the Coalition to defeat Daesh was targeting and effectively defeating it, the degradation of a terrorist organisation can lead to organisational fractures or splintering. As such, thousands of Daesh fighters from the West could move to other battlefields, with a small portion seeking to return home to their countries of origin in Europe, North America, Australia and elsewhere.

Dismantling Daesh is a necessary strategic objective, but policymakers, Government officials, and military leaders must also be prepared to deal with splinter groups as they emerge in the aftermath of what seems to be a relatively successful campaign against the parent group.

While causing Daesh to break apart might seem like a positive outcome – it is a double-edged sword in the truest sense, clichés aside. The fracturing of Daesh could lead to the emergence of new, and in some cases more violent and operationally capable, splinter organisations. Dismantling Daesh is a necessary strategic objective, but policymakers, Government officials, and military leaders must also be prepared to deal with splinter groups as they emerge in the aftermath of what seems to be a relatively successful campaign against the parent group. With Daesh, these splinters could form their own, new organisation, or be absorbed into existing franchise groups or affiliates from North Africa to Southeast Asia. The follow-on franchise groups could ultimately develop to be highly operationally capable and focused on attacking the West, as we have seen before with the evolution of AQAP in Yemen.

Daesh’s ability to plan and execute attacks, against both conventional and unconventional forces on the battlefield, as well as abroad in Western cities, makes it a relatively unique organisation in terms of its operational capabilities. Its fighters have mastered a diverse array of tactics, from vehicle-borne improvised explosive devices (VBIEDs) to ambushes and hit-and-run attacks. Moreover, the leadership’s exhortation for its followers to conduct attacks abroad, including so-called vehicular terrorism or ramming attacks, is a tactic pioneered by Daesh that has emerged as a new trend in terrorist attacks directed at the West. There is no reason to believe that these attacks will diminish and, indeed, they may increase in frequency as Daesh becomes less relevant in the Middle East. To remain relevant, as Daesh loses its last remaining territory in Iraq and Syria, it may seek to rely on launching spectacular terrorist attacks in the West to maintain group morale and burnish the group’s brand.

Daesh’s unique contribution to tactical evolution has been impressive. Daesh has pioneered the use of the virtual planner model for external operations. This innovation allows terrorists in one location to direct attacks in another part of the world with only an Internet connection and reliable encryption. In many cases, jihadists can leverage local criminal networks that act as facilitators to help acquire the logistics and resources necessary for an attack. Even as Western nations have devoted substantial resources to countering this threat, savvy tacticians within the global jihadist movement will continue to rely on encrypted online messaging applications to identify local recruits and provide them with directions and technical expertise to attack targets, a development that poses a formidable threat to countries with less than adequate military, intelligence and law enforcement capabilities. The devastating Paris November 2015 attacks could serve as the model operation from the terrorists’ point of view.


MOVING WITH THE TIMESPrior to 9/11, the market for stand-alone terrorism insurance was limited to providing solutions for property owners and trade/investment exposures in countries with elevated terrorism risk. Separately there were several local pooling solutions to address domestic terrorism – including Pool Re, Sri Lankan Pool, SASRIA, Consorcio. The largest providers, outside of the pools, were Lloyd’s of London (Lloyd’s) and American International Group (AIG) with whom limits of up to US$200m could be built. The market has evolved rapidly post 9/11.

193617 July 1936Start of the Spanish Civil War

1937Waterborne Agreementprecluded Lloyd’s underwriters from insuring land-based war risks.

1980SIran-Iraq conflict IRA active

Numerous bombings in London and across the UK. (Northern Ireland has a different scheme)We start to see the beginning of Islamic Terrorism (ex WTC 1 – 1993)

1980SSkandia International leads Arab War Risks Insurance Syndicate (due to Iran-Iraq conflict).

Terrorism was generally included/silent on commercial property insurance.

LPO 437 was released 1982and covered Terrorism and Riots, Strikes and Civil Commotion.

William FarmerStrategic Head of Crisis Management & Special Risks, AXA XL


199210 April 1992Baltic Exchange BombCity of London

IRA – 3 people killed and damage of £800 million

199324 April 1993Bishopsgate BombCity of LondonIRA – £350 million of damage

Beginning of Islamic Terrorism(ex WTC 1 – 1993)

1993Pool Re was established in reaction to the market failure triggered by the Baltic Exch. bombing.Pool Re pays out £262m (largest claim to date) after Bishopsgate bombing

FROM TANGIBLE TO INTANGIBLEcontinued

1997Lloyd’s offers stand-alone war on land – Lloyd’s 667 Wording.

200111 September 2001Attack on Twin Towers, New York, Pentagonkilling 2,976 people and causing circa US$35bn insured loss

2001Multiple claims came in on policies where Terrorism was silent

Terrorism Exclusion Clauses introduced – NMA2918 etc.

Map Syndicate (Lloyd’s) released the T3 Wording (a stand-alone Terrorism policy). T3A – BI Extension Introduced

20021 January 2002, Treaty Reinsurers exclude Terrorism

TRIA 2002 – (US based) requires US insurers to offer terrorism coverage with Govt. backstop.

Various country Pools established 2002France – GAREAT Germany – EXTREMUS Australis – ARPC (India/Netherlands/Denmark/ Belgium and others came later)

July 2002 Pool Re was extended to an ‘all risks’ basis (no longer restricted to fire or explosion and CBRN exclusions were removed)

200411 March 2004Attack on commuter trains in Madrid, Spain Killing 192 people

2004Beazley Syndicate releases full PV wording

20057 July 2005Attack on London tube trains and buses Killing 52 and injuring hundreds

2005TRIA 2002 Extended (becomes TRIEA 2005)

2006London Market produces updated version of T3 – LMA3030 (Includes sabotage)

Catlin Syndicates offer stand-alone NCBR coverage

2007TRIEA 2005 Extended (becomes TRIPRA 2007) Terrorism Risk Insurance Program Reauthorization Act of 2007

2010-2011Arab Spring

2010-2011Policies purchased didn’t fit the problems posed by the Arab Spring. T3 and LMA3030 were built with properties and cities in mind.

2011LMA 3092 full PV wording introduced



2013-2016An increased number of attacks on ‘soft’ targets. These attacks can be carried out with guns, knives or via vehicles.

Examples include: 2013: Westgate Shopping, Kenya2014: Sydney café siege 2015: Charlie Hebdo, Paris2015: Bataclan, Paris2015: Sousse Beach, Tunisia2016: Orlando Nightclub, USA

2015TRIPRA 2007 extended and becomes TRIPRA 2015

2015-2017Introduction of niche products to market such as: Active Assailant, Threat and Loss of Attraction, Terrorism Liability and Contingent BI. Policies extended to include Vehicle Ramming

Cyber extensions selectively available

2016-2017A series of attacks using vehicles across Europe, 8+ attacks including:

Nice: 86 killed, 434 injuredBerlin: 12 killed, 56 injuredWestminster: 5 killed, 32 injuredStockholm: 5 killed, 14 injuredLondon Bridge: 8 killed, 45 injuredBarcelona: 16 killed, 152 injured

2018April 2018 Pool Re lifts its cyber exclusion and announces intention to offer NDBI reinsurance.

TODAY’S MARKET CAPACITY AND NUMBER OF PLAYERSFrom a ‘per risk’ capacity point of view, the direct market began to settle in 2004 with about US$1bn. There has been incremental growth since 2004 driven by existing underwriters increasing their capacity, and some new entrants – especially in Lloyd’s. Currently ‘per risk’ global capacity stands around US$2bn.

The stand-alone terrorism market is small compared to the global property insurance market (approximately US$1.5bn capacity for any one risk, compared to over US$6bn for property all risks). To make best use of available capacity, ‘first loss’ policies are the norm with limits normally ‘aggregated’.

Despite large pricing reductions, premium has increased significantly since 2002, peaking in 2014.

Despite ‘HIM’ (Natural Catastrophe events in late 2017), soft conditions prevail in 2018.

Estimated global terrorism premiums (US$m)Premiums have increased significantly since 2001, peaking US$1,050m in 2014.

1,200

1,000

800

400

600

200

0

2000

2001

2002

2004

2003

2005

2006

2009

2010

2011

2012

2013

2014

2015

2016

2017

2007

2008

$1,050m

Changes in demand In the early days after 9/11, the US market contributed more than 50% of worldwide stand-alone terrorism premium. This share has declined (post Terrorism Risk Insurance Act) to around 30% but the US is still by far the most significant market. Demand is well spread globally; typical buyers are larger and multinational companies. Penetration is notably strong in Canada, Mexico, Scandinavia, Ireland, Turkey, Singapore, Hong Kong, India and UAE. A robust stand-alone market has also developed to compete against or complement local Government-backed pool arrangements in the UK, Germany, Israel, South Africa and the Far East.

Factors that have contributed to increase demand include:

• Better distribution and product awareness• Risk perception – terrorism is rarely out of the news• Reduced pricing• Stronger corporate governance globally• Broader coverage and flexible wordings• Political Violence and War extensions becoming widely available• E trade portals for SME business



PRODUCTS TO ADDRESS CHANGING ENVIRONMENT T3/LMA3030 based stand-alone terrorism policy wordings were born out of demand post 9/11. The focus was to cover property damage and consequent business interruption from catastrophic/major attacks.

The spate of attacks in the UK, France, US, Belgium, Spain and Germany in the past three years has not resulted in any knee jerk reaction on pricing or capacity – partly because losses paid have been low relative to the annual premium. Conversely, the stand-alone market has been very quick to offer new products to address the changing ‘peril landscape’. Key new products and product enhancements on offer include:

• Non Damage Business Interruption (NDBI) extensions – see expanded section below

• Policies that can be triggered by Bodily Injury as well as property damage

• Follow form wordings – following ‘broadform’ property policies• Extensions for malicious acts, workplace violence that are not

certified as terrorism• Terrorism and active assailant liability• Cyber Terrorism and malicious cyber extensions

Several solutions were brought to market. ‘Active Assailant’ policies remove any grey area surrounding the motive of attack, and will trigger if there is bodily injury (in addition to triggering if there is property damage). This type of policy can be sold as stand-alone coverage or as an extension to a property damage policy.

The spate of attacks in the UK, France, US, Belgium, Spain and Germany in the past three years has not resulted in any knee jerk reaction on pricing or capacity.

BUSINESS INTERRUPTION AND NON DAMAGE BUSINESS INTERRUPTION (NDBI)The socio-economic climate differs to that 17 years ago. To show the scale of this difference in 1975 83% of the value of the S&P 500 came from Tangible Assets (structure, equipment, property); in 2015 this number fell to 13% – with 87% of all value coming from intangible assets such as brand, customer databases, reputation, employees, IP, R&D and technology.

Swing of S&P 500 Index value from tangible to intangible assets 1975-2015 (%)

1975

2017

Property damage is typically not the largest concern of a company. Business interruption following property damage can have a huge effect on the top line, but the same event might have unspecified long-term effects on the brand.

Terrorism events are often critical to a country’s security as well as being highly emotive and politically charged events. This can result in significant disruption due to cordons, post-event investigations and lock-downs. The events at Borough Market in London (3 June 2017) and aftermath are a key example.

Terrorism policies and extensions have a relatively short history and started out as very basic property coverage, often with little or no coverage for NDBI. Coverage has broadened to include the likes of ‘denial of access’ of ‘incoming utility’, ‘supplier and customer’ extensions. Other NDBI extensions such as ‘Loss of Attraction’ and ‘Threat’ have become more widely available since 2017.

Loss of Attraction cover will trigger if a peril covered under the master policy occurs at a scheduled attraction property or at a location within a stipulated radius of the insured property, which subsequently results in a measurable downturn at the Insured’s premises.

Threat cover will trigger if there is a specific threat against the insured to inflict bodily injury to any employee, or contractor, or threat to damage, destroy or contaminate any property at the scheduled location. Cover can also be triggered if there is a threat against any director, partner or officer.

Extended Extra Expense cover is available as well. Extra expense can include, public relations costs, relocation expenses, counselling and or psychiatric care costs, medical expenses, job retraining costs, recruitment costs, forensic accounting and temporary security costs. Coverage will assist in rehabilitating any damage to brand and ensure duty of care responsibilities are met.

Pool Re has taken a lead in UK in seeking to extend coverage to include NDBI within a radius of the insured location.

Business interruption following property damage can have a huge effect on the top line, but the same event might have unspecified long-term effects on the brand.

Tangible assets Intangible assets

Tangible assets Intangible assets



ATTRACTING SME BUYERSMost terrorism purchases are voluntary and price sensitive. Pools that are mandatory or dominant in the local market (such as GAREAT, ARPC, NHT) have fewer issues around anti-selection. Non mandatory pools and stand-alone insurers have to work hard to attract SME clients. The challenge is that no insurer wants a portfolio made up of the worst risks and trophy buildings clustered in the top accumulation zones. This was probably acceptable in the stand-alone market of 2002/2004, but the distressed pricing was never going to last.

There are several reasons why SME businesses are less inclined to buy terrorism coverage:

• Perception that the business is not a target• Lower level of corporate governance• Mortgage covenants on property less onerous than for large loans• Lack of awareness of products available• The ‘vanilla’ terrorism products not being suitable• SMEs not approached by brokers and insurers due to relatively

low premiums

Recent events, including the aftermaths of Borough Market (3 June 2017), Westminster (22 March 2017) and the Boston Marathon bombing (15 April 2013) have illustrated that SME business may not be targeted but can suffer badly from being in the vicinity of an attack.

Pool Re is in the vanguard of work to attract more SME buyers. This includes offering improved risk related pricing, providing meaningful NDBI extensions (launching soon), initiatives to encourage good risk management and improving access to the product via marketing campaigns

Recent events [...] have illustrated that SME business may not be targeted but can suffer badly from being in the vicinity of an attack.

CHALLENGES FOR THE TERROR/POLITICAL VIOLENCE MARKET ON THE NEAR HORIZONDrones are certainly a realistic delivery method for small IEDs. Existing terrorism policies cover use of drones, but it is doubtful that drones are specifically factored in to pricing models.

CBRN (Chemical, Biological, Radiological, Nuclear) attacks remain a major concern but is not a threat that has emerged recently. Capacity in private markets remains very limited with only a handful of direct insurers offering products. Government pools (Pool Re, GAREAT and ARPC in particular) are able to offer large limits by virtue of strong capitalisation, reinsurance and Government backstops. Drones might be an effective means of delivering Chem/Bio/Radioactive agents. Drone technology for agricultural spraying is advancing rapidly and could be used to devastating effect if terror groups can obtain a suitable chem/bio agent.


1,200

1,000

800

600

200

400

0

Minor ($-$1m) Attritional ($1m-$10m) Upper Retention ($10m-$150m)

East A

sia

Europ

e

Latin

Am

erica

& th

e Car

ibbea

n

Midd

le Eas

t & N

orth

Afric

a

North

Am

erica

Russia

& C

IS S

tates

South

Asia

South

Pac

i�c

South

east

Asia

Sub-S

ahar

an A

frica

Eden StewartSenior Analyst, Pool Re

DATA CENTREIn June 2014 Daesh declared its so-called Caliphate across Iraq and Syria, precipitating a wave of attacks globally. In order to understand fully the impact of the establishment of the so-called Caliphate on the wider terrorism landscape, Pool Re has compiled a database of terrorist attacks from June 2014 to June 2018.

4,340+ attacks in total

32,053+ deaths in total

54.8%of attacks estimated to cause property damage

100 attacks in Europe

8 attacks in Great Britain

7 attacks causing estimated property damage over $10m

OVERVIEW

Global attacks by region (2014-2018)

Number of attacks

Property damage %

Number of deaths

East Asia 7 33.33 130 Europe 100 26.00 418 Latin America & the Caribbean 133 45.86 145 Middle East & North Africa 1,940 58.48 15,512 North America 32 35.71 132 Russia & CIS States 76 60.53 128 South Asia 934 49.00 6,572 South Pacific 7 0.00 6 Southeast Asia 210 44.33 417 Sub-Saharan Africa 901 57.43 8,592

Global attacks – Region• There were at least 4,340 attacks worldwide during the reporting

period. The majority (87%) of these occurred in the Middle East and North Africa, South Asia and Sub-Saharan Africa.

• Europe experienced 100 attacks (2.3% of total), of which 8 were in Great Britain.

• At least 32,053 people were killed in terrorist attacks during the reporting period. The Middle East and North Africa accounted for almost half of the total, with at least 15,512 deaths.

• 418 people were killed in attacks in Europe (1.3%), of which 37 were killed in Great Britain.

• 54% of attacks globally are estimated to have resulted in property damage.

• Attacks in Europe, North America, East Asia and the South Pacific were less likely to result in property damage than those in less developed regions.

• Only 14% of attacks which resulted in property damage are estimated to have caused a loss greater than $1m.

• There have been seven attacks resulting in estimated property damage of over $10m.

• The largest single loss is assessed to be the October 2015 bombing of Metrojet Flight 9268 over Egypt.

• The largest estimated loss from an attack in Europe was the March 2016 bombing of Zaventum Airport in Brussels.

Regional distribution of attacks causing property damage by estimated loss band

2,059 Number of attacks in loss band: Minor ($1-$1m)

270 Number of attacks in loss band: Attritional ($1m-$10m)

7Number of attacks in loss band: Upper Retention ($10m-$150m)


DATA CENTREcontinued

Global attacks – Methodology• The use of firearms was the most common methodology employed

by terrorists worldwide (35% of worldwide total). • The most common methodology seen in Europe was the use of

bladed weapons, which accounted for 38% of all attacks in the region. • Attacks involving vehicle-borne improvised explosive devices (VBIEDs)

were most likely to cause property damage (88% of such attacks). • Attacks involving bladed weapons were least likely to cause property

damage (less than 5%). • Attacks employing firearms were responsible for at least 10,994

deaths, more than any other methodology type. • Attacks employing VBIEDs were the most lethal, killing on average

13 people per attack (total killed: 6,541). • VBIEDs were also responsible for more injuries than any other

methodology type, wounding at least 12,060 people (28% of total).

Bladed

315Number of attacks

7.3% Proportion of attacks

940 Number of deaths

2.9% Average lethality

4.7% Proportion of attacks causing property damage

Explosives

1,296 Number of attacks


4,518 Number of deaths



Firearms

1,517 Number of attacks



7.2%Average lethality


PBIED

515 Number of attacks





VBIED






Vehicle



160 Number of deaths


25% Proportion of attacks causing property damage

Global attacks – Target• Deliberate attacks against property were relatively rare, comprising

only 1.3% of recorded events. However, over half of recorded attacks resulted in some property damage regardless of the intent to do so.

• Excluding the deliberate targeting of property, attacks against crowded places (71%) and critical national infrastructure (67%) were most likely to result in property damage.

• Attacks on crowded places resulted in nearly half of all deaths (45%). • Attacks on Critical National Infrastructure (CNI) resulted in the

highest number of casualties on average (13 per attack), followed by symbolic targets and crowded places (12 and 11 deaths per attack respectively).

1.3% of attacks exclusively targeting property

45% of global deaths caused by attacks on crowded places

13 average deaths per attack, attacks on CNI most lethal

15,000

12,000

9,000

6,000

3,000

0PMG Crowded

placeSymbolic CNI Individual

Attacks Attacks causing property damage Deaths

12,000

10,000

8,000

6,000

4,000

2,000

0Bladed Explosives Firearms PBIED VBIED Vehicle

Attacks Attacks causing property damage Deaths

Global attacks – Offender• Islamist terrorists were the most active offender type, responsible

for 74% of attacks worldwide.• Daesh were the most active Islamist group, responsible for 34% of

all attacks worldwide and 47% of all attacks attributed to Islamists.• Attacks by Islamist terrorists were most likely to cause property

damage (60% of attacks by Islamists). This is likely due to the greater use by Islamists of methodologies involving explosives.

• Islamist extremists were responsible for almost 90% of global deaths. This reflects not only the preponderance of attacks attributed to Islamist extremists, but also the greater lethality of methodologies employed by Islamist extremists, and their selection of target types to maximise casualties. Islamist extremist attacks resulted an average of 9 deaths per attack, compared to 2-3 for other offender types.

• Sectarian/separatist* actors were responsible for 15% of global attacks and 5.3% of global deaths. Around 36% of attacks by sectarian/separatist terrorists caused property damage.

• XLW actors were responsible for 5% of global attacks and 1.2% of global deaths. Around 40% of attacks by XLW terrorists caused property damage.

• XRW actors were responsible for 1% of global attacks and 0.3% of global deaths. Around 30% of attacks by XRW terrorists caused property damage.

*Terrorists motivated by the desire for secessionist politics based on cultural, ethnic or racial differences

89% Islamist extremists responsibilty for global deaths

47% of attacks committed by Islamist extremists were attributed to Daesh and its followers

1%XRW responsibility for global attacks

3,500

3,000

2,500

2,000

1,500

1,000

500

0Islamist XRW XLW Sectarian/

Separatist

Attacks Attacks causing property damage


European attacks – Methodology• The most common attack methodology involved the use of

bladed weapons (38% of attacks in Europe), while vehicle attacks accounted for a further 13%. This reflects the prevalence of attacks by ‘inspired’ Islamist terrorists employing low-complexity methodologies with widely available bladed weapons.

• The most lethal attack during the period in Europe was the November 2015 attacks in Paris, resulting in 130 deaths (30% of all deaths in Europe).

BladedThe incidence of bladed attacks was much higher in Europe than worldwide.

38Number of attacks


ExplosivesExplosives were most likely to be used in attacks by XLW actors in Europe.



FirearmsThe November 2015 Paris attack was the deadliest attack in Europe involving firearms.



PBIEDThe May 2017 Manchester Arena bombing was the deadliest single methodology attack in Europe involving a PBIED.

3 Number of attacks


VBIEDThe June 2017 Champs Elysee attack was the only VBIED attack in Europe during the period. The explosive device caused no casualties other than the driver.

1 Number of attacks

0% Proportion of attacks causing property damage

VehicleThe July 2016 Nice truck attack was the deadliest vehicle attack worldwide during the period.



European attacks – Target• Reflecting the global picture, Police, Military and Government targets

were the most common target type (49% of European attacks), followed by crowded places (22% of European attacks). Excluding the deliberate targeting of property, attacks on crowded places were most likely to result in property damage (40%).

49% of attacks in Europe were against Police, Military and Government targets

40% of attacks on crowded places in Europe resulted in property damage

40

30

35

25

20

10

15

5

0Bladed Explosives Firearms PBIED VBIED Vehicle


100attacks in Europe during the period

2.3% of total global attacks occurred in Europe

38%of European countries suffered at least one attack

33% of all attacks in Europe during the period occurred in France


EUROPE• Europe experienced 100 attacks during the period, around 2.3%

of the global total. • While 38% of countries in the region witnessed at least one incident,

over half of total attacks occurred in just three countries: France, Germany and the UK. France saw the highest number of attacks by a wide margin, accounting for 33% of all attacks in Europe during the period.

50

40

30

20

10

0PMG Crowded

placeSymbolic CNI Individual


European attacks – Offender• XLW terrorists were responsible for 13% of attacks in Europe during

the reporting period. Attacks by the XLW were most likely to cause property damage (71%); extreme left-wing groups in the region typically mounted symbolic attacks employing small explosive devices against totemic targets.

• XRW terrorists were responsible for 9% of attacks in Europe during the reporting period. Europe was the single largest source of far-right terrorism globally (30% of total).

65% of attacks in Europe were by Islamist extremists

30% of attacks by XRW terrorists occurred in Europe

71%of attacks by XLW terrorists caused property damage

70

60

50

40

30

20

10

0Islamist XRW XLW Sectarian/

Separatist




European Islamist attacker profiles• During the period, there was a shift from ‘directed attacks’

(those conceived and planned abroad) to inspired attacks (those conducted by individuals with little direct connection to overseas terror groups) in continental Europe. In 2015, 57% of individuals involved in Islamist attacks were directed by overseas terrorist groups. In 2016 this fell to 19%. To date in 2018, all attacks in continental Europe were by inspired individuals. In Great Britain, active involvement of overseas groups in attack planning appears limited to the Manchester Arena bombing.

• Individuals involved in Islamist attacks in Europe frequently displayed common characteristics. 44% were citizens of the targeted country. At least 34% had a criminal conviction, and 38% were known to police or security services as a potential terror risk.

90+ Islamist extremists have been involved in attacks in Europe during the period

90

80

70

60

50

40

30

20

10

0‘Inspired’ Had a criminal

convictionIdenti�ed

as a potentialterrorism threat

Citizen ofa targeted

country

Low-complexity attacks in Europe• The increase in low-complexity attacks by Islamist terrorists

corresponded with wider changes in the Islamist extremist landscape; extremist travel and attendance at overseas training camps became more difficult from 2013. Security initiatives and intelligence operations successfully disrupted sophisticated attack plans and terror cells with overseas links. This led Islamist extremists to call for lone operatives in the West to mount low-complexity attacks without direction or direct affiliation to overseas groups. This strategy was propagated in extremist media and by senior leaders, and particularly by Daesh spokesman Mohammed al-Adnani.

50% of attacks during the period involved bladed weapons or vehicles

50

40

30

20

10

02014 2015 2016 2017 2018

Total attacks Attacks involving bladed weapons or vehicles

GLOBAL PICTURE

Most lethal attacks 2014-2018 The first half of 2018 saw the number of terror attacks worldwide continue to fall, with a year-on-year decline of almost 12%. This suggests a trend towards lower levels of terrorist violence globally, with 2017 recording an 11% annual decrease in the number of attacks over the previous year. However, 2017 saw three of the five deadliest attacks to occur during the period, all of which were attributable to Islamist extremists.

AFGHANISTAN

Date21 April 2017AreaBalkh ProvinceOffenderTaliban

256Number of deaths

EGYPT

Date31 October 2015AreaSinaiOffenderDaesh

224Number of deaths

EGYPT

Date24 November 2017AreaBir al-AbedOffenderDaesh

309Number of deaths

IRAQ

Date03 July 2016AreaBaghdadOffenderDaesh

342Number of deaths

SOMALIA

Date14 October 2017AreaMogadishuOffenderAl Shabaab

587Number of deaths



Global attacks by region – Methodology • There have been relatively small changes in the distribution of attack

methodologies employed worldwide over the period. Firearms and explosive devices have consistently been the most commonly employed weapons. The use of bladed weapons and vehicles spiked in 2015 due to the wave of low-complexity attacks in Israel and Palestine. Since then, the frequency of these methodologies has returned to period-average figures, respectively around 7% and 1% of total attacks.

• The use of firearms was the most commonly employed methodology in every region except Europe, East Asia and the South Pacific where firearms are generally more strictly controlled. These regions also saw a higher-than-average proportion of attacks involving bladed weapons.

• Attacks in Europe, North America, East Asia and the South Pacific were less likely to result in property damage than those in less developed regions.

• The relative prevalence of bladed attacks in developed economies contributed to overall lower levels of property damage in these regions.

• Africa, South Asia and the Middle East saw a high percentage of attacks employing vehicle or person-borne explosive devices, likely due to the widespread availability and knowledge of explosives.

• Attacks resulting in property damage losses of over $10m were concentrated in the Middle East, South Asia and Sub-Saharan Africa. This was mainly due to the greater use of large explosive devices in built-up areas in those regions.

Bladed Explosive Firearms Other PBIED VBIED Vehicle

Sub-Saharan Africa

Southeast Asia

North America

South Asia

Latin America & the Caribbean

South Pacific

Middle East & North

Africa

Russia & CIS StatesEurope

East Asia

0

100100%

80%

60%

40%

20%

0%

Global attacks by region – Target• All regions saw Police, Military and Government targets attacked

more frequently than other target types. This was particularly pronounced in Latin America and Russia and CIS States. These regions also saw proportionally fewer attacks on crowded places than elsewhere.

• Regions with high levels of Islamist extremist violence generally saw greater numbers of attacks on crowded places, reflecting the intent of Islamist terrorists to inflect mass casualties.

51.3% of attacks on crowded places occurred in the Middle East and North Africa

9.6% of attacks on CNI occurred in Latin America

1.0%of attacks on crowded places occurred in North America

0

100100%

80%

60%

40%

20%

0%

PMG Crowded place Symbolic CNI Individual Property

Sub-Saharan Africa

Southeast Asia

North America

South Asia


South Pacific

Middle East & North

Africa


East Asia

63.8% of VBIED attacks occurred in the Middle East and North Africa

13.8 Bladed attacks were most lethal in East Asia, causing an average of 13.8 deaths per attack

10.2Vehicular attacks were most lethal in Europe, causing an average of 10.2 deaths per attack



Global attacks by region – Offender • Only Latin America saw negligible activity by Islamist extremists,

while the South Pacific (Australia) exclusively witnessed attacks by Islamists. Other regions displayed varying levels of diversity in offender types.

• XLW and XRW terrorists accounted for 5% and 1% of global attacks respectively. XLW activity was overwhelming concentrated in Latin America, India and the Philippines, while XRW attacks occurred almost exclusively in western countries.

84.2% of attacks in Latin America attributed to XLW extremists

33% of attacks in North America attributed to XRW extremists

16.6%of attacks in Middle East and North Africa attributed to Sectarian/Separatist

Islamist XRW XLW Sectarian/Separatist Other Unknown

Sub-Saharan Africa

Southeast Asia

North America

South Asia


South Pacific

Middle East & North

Africa


East Asia

100%

80%

60%

40%

20%

0%

Proportion of global attacks attributed to Daesh and its followers• More than a third (34%) of global attacks during the period were

attributed to Daesh and its followers. This rose from 11% in 2014, peaking at 44% in 2016, before decreasing as the group’s Levantine heartland came under increased pressure from local and international forces. The reduction in Daesh’s capabilities in Iraq and Syria was a major driver of the improved global picture.

34% of global attacks were attributed to Daesh and its followers

800

700

600

400

300

500

100

200

0

100

80

60

20

40

02014 2015 2016 2017 2018

Attacks attributed to Daesh % of global attacks attributed to Daesh

Average number of attacks worldwide per month• The highest proportion of attacks each year occurred in June,

suggesting the period around Ramadan experienced higher numbers of terrorist attacks.

118 The month of May had the highest monthly average of attacks

120

100

80

60

40

20

0Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec


GLOBAL ISLAMISTS

Daesh Core

Syria

Iraq

34% of global attacks were attributed to Daesh and its followers

Since declaring its so-called Caliphate in June 2014, Daesh has been the most violent terrorist group worldwide, accounting for 34% of global attacks. The vast majority of these have occurred within the Middle East and North Africa (MENA) region, primarily in Iraq and Syria. The number attacks attributed to Daesh escalated significantly as Iraqi and multinational forces retook territory held by the group; in 2015, the group was responsible for 86 attacks in the MENA region. In 2016, this rose to 699. While continuing action against Daesh by Coalition forces reduced the group’s capabilities, it was still able to carry out 410 attacks in the region during 2017. Daesh has now lost most of the territory it held in Iraq and Syria and now exercises control over only residual strips of land in Western Syria and on the Iraqi border. Thus, its ability to finance, plan and execute attacks has been significantly diminished. Nonetheless, the group continues to mount frequent attacks in the region (104 attacks in the first half of 2018).

Since 2014, Daesh’s core in the Levant has encouraged attacks globally with considerable success, employing sophisticated propaganda to incite remote individuals to undertake independent attack planning. As the group has lost ground in Iraq and Syria, its propaganda has become increasingly aggressive and targeted towards prospective lone actors in distant regions. Their efforts enjoyed some success as evidenced by the significant increase in ‘inspired’ attacks in the West from 2016 onwards. However, Daesh’s ability to produce high quality propaganda has declined as its territory in the Levant has come under pressure. While the group still issues significant volumes of extremist content for global consumption, its quality and coherency has decline as the group’s media operations became decentralised more poorly resourced. This, together with CT capabilities in country, likely contributed to the recent decline in the number of Daesh-inspired attacks in the West.

Daesh Sinai Province

Egypt

9% of global attacks were attributed to Wilayat Sinai

Since Ansar Bait al Maqdis pledged allegiance to al Baghdadi in November 2014, becoming Wilayat Sinai, the group has proved to be one of Daesh’s most resilient and effective affiliates. Responsible for almost 9% of global attacks attributed to Daesh, Sinai Province has been Daesh’s most active regional franchise. The group’s attacks have employed a range of methodologies and are directed primarily at military and religious minority targets in the Sinai and, to a lesser extent, on the Egyptian mainland. This includes the November 2017 attack on Sufi Mosque in El Arish which killed 311, the third deadliest attack during the period. The group has also claimed attacks on foreign targets in the country, including two low complexity attacks against European tourists in the resort of Hurghada, and the bombing of the Italian consulate in Cairo in July 2015. Most significantly, the group also claimed responsibility for the bombing of Metrojet Flight 9268 over Egypt in October 2015. This was the only attack which resulted in a hull loss and the deaths of all passengers during the period. It is also estimated to be the single costliest attack. The total number of attacks attributed to the group rose significantly from 2015, peaking in 2016 at 56, before falling slightly in 2017 to 49. However, following the 2017 El Arish attack, the group came under significant pressure from Egyptian security forces, and carried out only six attacks in the first half of 2018.

Daesh Khorasan Province (ISKP)

Afghanistan

7% of global attacks were attributed to Daesh Khorasan Province

Daesh’s Khorasan Province was the group’s second most active regional affiliate, responsible for at least 117 attacks during the period, more than 7% of Daesh’s global total. Most of these have occurred since June 2016, although sporadic attacks by ISKP started in April 2015. Since 2016, attacks by the group have steadily escalated, and in 2018 it was responsible for over 24% of all attacks attributed to Daesh worldwide. Police, Military and Government targets are most frequently attacked, likely a reflection of ISKP’s rivalry with the Taliban, with the two organisations competing to supplant the authority of the state.


IFTRIP

135 attacks in IFTRIP Member countries were by Islamist extremists

88% of attacks in IFTRIP Member countries attributed to Islamist extremists

35%of attacks in IFTRIP Member countries employed bladed weapons

28% of attacks in IFTRIP Member countries resulted in property damage

The International Forum of Terrorism Risk (Re)Insurance Pools was established in October 2016 to foster closer ties and greater collaboration between the world’s terrorism reinsurance entities. There are 13 member countries: Austria, Belgium, Denmark, France, Germany, Netherlands, Spain, UK, USA, Russia, Australia, Namibia, South Africa. Find out more at www.iftrip.org

Since mid-2014, there have been 135 attacks in IFTRIP member countries. Most of these (88%) were committed by Islamist extremists, with the XRW responsible for a further 7%. Reflective of European trends, the annual number of attacks increased steeply from 2015, before dropping significantly in the first half of 2018. The most commonly employed methodology was the use of bladed weapons (35% of attacks), with vehicle attacks accounting for a further 15%. The prevalence of these lower complexity methodologies is attributable to both the increase in ‘inspired’ terrorists conducting attacks with little training or direction, and the counter-terrorism capabilities of member countries, resulting in fewer successful sophisticated attacks. The number of attacks resulting in property damage was also considerably lower than the global average (28% in IFTRIP, 71% globally), again reflecting the high proportion of attacks employing low complexity methodologies less likely to cause property damage. In total, IFTRIP countries accounted for only 1.9% of global deaths during the period despite representing almost 7% of countries in the world.


Al Qaeda in the Arabian Peninsula (AQAP)

Yemen

30% of global attacks were attributed to AQAP

AQAP is potentially AQ’s most technically sophisticated affiliate and is a major source of Islamist propaganda. It was responsible for almost 30% of global attacks attributed to AQ. The group is based primarily in Yemen, where it has exploited the country’s weak state authority and fractured politics to accrue influence and resources. Despite claiming responsibility for the January 2015 attack on the Charlie Hebdo magazine offices in Paris, attacks by the group during the period occurred almost exclusively in Yemen. There, it has pursued a policy of engagement with the country’s southern tribes, effectively positioning itself as part of the wider anti-Houthi movement. This has granted it considerable operational freedom in the country, despite pressure from Western and Gulf forces. Notwithstanding its current regional focus, the affiliate maintains the intent to target Western interests. It has historically targeted aviation and is believed to have considerable explosives expertise at its disposal, particularly in the manufacture of non-metal content IEDs which would pass airport security.

Boko Haram

Chad

Cameroon

Nigeria8% of global attacks were attributed to Boko Haram

Boko Haram has consistently been one of the most active terrorist groups worldwide. The group was responsible for nearly 8% of recorded attacks worldwide since June 2014, and over 40% of attacks in sub-Saharan Africa. A major counter-insurgency campaign initiated by Nigeria and its neighbours in 2015 failed to have a significant impact on the number of attacks mounted by Boko Haram; 2016 saw a 20% increase in the number of attacks attributed to the group on the previous year. However, the group’s activity has become more diffuse, with Nigeria’s neighbours, particularly Chad and Cameroon, witnessing big increases in the number of attacks over the period. The region’s borders are highly porous, and the 2015 multinational offensive may have simply displaced elements of Boko Haram to neighbouring countries where they have subsequently established themselves. The group’s increasing factionalism may also have contributed to its dispersion. There are now believed to be three distinct factions operating under the Boko Haram rubric, two of which are nominally affiliated with Daesh. However, the group remains almost entirely focused on local issues and displays little appetite for extra-regional plots.

Al Shabaab

Somalia

5% of global attacks were attributed to Al Shabaab

Al Shabaab remains highly active in Somalia and frequently carries out attacks in neighbouring countries. The group was responsible for 32% of attacks in sub-Saharan Africa since mid-2014, and over 5% of attacks globally. While the group is focused primarily on regional actors, it has been linked to other Islamist terrorist groups overseas and has counted a notable number of westerners in its ranks. The group has displayed relatively sophisticated tradecraft, especially in the manufacture of IEDs (45% of attacks attributed to the group involved PBIEDs). It is believed to be responsible for the deadliest attack since 9/11, the October 2017 Mogadishu truck bombing which killed at least 587 people. It also claimed responsibility for the Daallo Airlines Flight 159 bombing in February 2016. Despite its focus on local issues, Al Shabaab has repeatedly displayed intent to target Western interests in the region, and its connections to Somali communities in the US and Europe could see individuals affiliated with the group attempt to carry out attacks in the West.


However, in contrast to the Taliban, ISKP also frequently target symbolic sites associated with religious minorities, especially Afghanistan’s Shia Hazara communities. While ISKP has conducted some attacks against Western targets in Afghanistan, and its propaganda has called for attacks in the West, the group remains very largely focused on Afghanistan and neighbouring countries. Nonetheless, Afghanistan has become a major source of Daesh propaganda which could incite individuals overseas to execute attacks abroad independently.

Al Qaeda in the Islamic Maghreb (AQIM)

Algeria

Mali

56% of global attacks were attributed to AQIM

Despite French and allied intervention in the region, AQIM remains highly active, accounting for 56% of global attacks attributed to AQ. It is also likely al Qaeda’s wealthiest franchise due to its control of smuggling routes and the ransoming of kidnapped Westerners. However, the affiliate lacks cohesion and consists of various armed groups which coalesce to pursue mutual interests. AQIM’s Algerian leadership remains nominally dedicated to overthrowing the Algerian Government, but due to the country’s sophisticated counter-terrorism apparatus, the group has mainly conducted attacks elsewhere in the region since 2014. French-led security forces in Mali are the primary target for attacks by AQIM (accounting for 61% of total attacks by the affiliate), however, it also targets crowded places frequented by Westerners. Ambushes involving firearms, IEDs and mortars are the most common methodologies employed, but the group also uses VBIEDs and PBIEDs. AQIM is believed to have extra-regional ties with Islamist groups in East Africa and the Middle East, and with North African communities in Europe, from which it may receive some funding. However, the group appears overwhelmingly focused on the Sahel region and attacking Western interests there rather than targeting Western homelands directly.


DRIVING CHANGE IN OUR INDUSTRYRisk management and mitigation is a core function of catastrophe reinsurers, although the shape and method of deployment differs.

As a reinsurer of extreme catastrophe risk, Pool Re should engage in risk management provided such engagement is consistent with its mission and objectives. The broad principle now guiding Pool Re is that there is significant value in deploying resources to help key stakeholders understand and mitigate terrorism risk.

Since 2015, Pool Re has collaborated more actively with its public sector partners. This has included:

1. Proactively addressing terrorism protection gaps (cyber and non-damage business interruption – NDBI) and working closely with Her Majesty’s Treasury, its guarantor.

2. Investing in and developing expertise through the creation of the Terrorism Research & Analysis Centre (TRAC) in January 2016. TRAC issues regular reports analysing the contemporary threat landscape, hosted cross-sector networking and awareness events, and works closely with academic partners.

3. Successfully developing the Loss Mitigation Credit and the online Vulnerability Self-Assessment Tool (VSAT) mitigation initiatives and piloting other cross-sector risk management initiatives (detailed below).

The broad principle now guiding Pool Re is that there is significant value in deploying resources to help key stakeholders understand and mitigate terrorism risk.


RISK MANAGEMENT AND MITIGATION


RISK MANAGEMENT AND MITIGATION continued

POOL RE – THE TERRORISM CERTIFICATION PROCESS AND CLAIMSWith unlimited capacity through the aid of UK Government funding, the Reinsurance (Acts of Terrorism) Act 1993 allows Pool Re to provide reinsurance funding to the insurance industry and their policyholders.

Reinsurance cover is provided for commercial property and business interruption lines of insurance business, and includes chemical, biological, radiological and nuclear (CBRN) as well as remote digital interference (cyber).

An ‘Act of Terrorism’ is defined as “persons acting on behalf of, or in connection with, any organisation which carries out activities directed towards the overthrowing or influencing, by force or violence, of Her Majesty’s Government in the United Kingdom”.

HMT has Certified 16 ‘Acts of Terrorism’ within Pool Re’s 25-year existence, including the Westminster, Manchester and London Bridge attacks in 2017. Since its creation, Pool Re has paid over £600m in reinsurance claims to the UK insurance industry.

The Certification of an ‘Act of Terrorism’ CLOSING THE PROTECTION GAP: MAIN INITIATIVES Cyber Terrorism Cover 2018 has proved to be a landmark year for Pool Re. Firstly, with effect from 1 April 2018, Pool Re extended its cover to include an ‘Act of Terrorism’, which utilises a cyber trigger to cause physical damage to property. We have also deepened our knowledge of the threat posed by terrorists using the cyber domain and have undertaken further modelling work with the Centre of Risk Studies at Judge Business School, as well as holding multi-disciplinary workshops with public and private sector colleagues. Conrad Prince CB, Former Director General for Operations and Deputy Head of GCHQ, has joined as our Senior Cyber Terrorism Advisor. He brings a wealth of experience of cyber, government and business.

Non-Damage Business Interruption (NDBI)

Steve CoatesChief Underwriting Officer, Pool Re

Since the June 2017 Borough Market attack illustrated the terrorism insurance gap, Pool Re has been working with its Members, Government and other key scheme stakeholders to find a solution. Pool Re’s remit is defined by statute and restricted to loss from acts of terrorism that result in damage to commercial property.

Given recent attacks, both in the UK and Europe, have shown that terrorists are capable of causing interruption to business without causing damage to property, it was vital this gap was closed, and businesses were able to buy cover that was relevant to today’s terrorist threat.

To facilitate this, the Reinsurance (Acts of Terrorism) Act 1993 required amendment and Government incorporated a clause within the Counter-Terrorism and Border Security Bill that would extend Pool Re’s remit to non-damage business interruption caused by terrorists. This Act is making good progress through the parliamentary process and we are hopeful we will be able to provide wider cover from January 2019. This cover will respond to acts of terrorism that result in access to premises being denied and/or a reduced attraction to customers, providing such coverage is provided in the underlying general business interruption policy.

Pool Re Member companies notify Pool Re of claims made by their policyholders following an incident deemed to have arisen from terrorism.

Pool Re then requests formal Certi�cation of the incident from HM Treasury.

2

3

4

1

HM Treasury has 21 working days to Certify should they deem the circumstances of the incident to fall within the de�nition of an ‘Act of Terrorism’.

5Certi�cation allows Pool Re Member companies to claim against their reinsurance agreement.

Members can trigger an independent tribunal process for �nal and binding decision.[Speci�c protocols govern the tribunal process]


RISK MANAGEMENT AND MITIGATION continued

This is an important change for Pool Re and we are currently working on developing our proposition, building a rating model and creating material to help Members improve penetration of terrorism coverage.

Information Sharing and Knowledge Pool Re, through TRAC reporting and other channels, continues to improve the understanding and knowledge of its Members, private sector and other stakeholders. Our current and future focus is very much on providing quantitative data and analysis for modelling purposes so that this peril can be better priced, allowing our Members to increase their own capacity and resource to provide broader and deeper cover for the insured.

VSAT Through our work with ARL Partners, we have developed the Vulnerability Self-Assessment Tool (VSAT). This tool builds on the work undertaken with NACTSO in recognising those clients who fell within their Crowded Places initiative, but which could not extend beyond the core 50 companies. VSAT can be used by any Pool Re Member policyholder with assets greater than £50m and is available via the Pool Re website.

Risk Engineer training In collaboration with ARL Partners and Cranfield University, Pool Re is developing a terrorism risk management training course that will be made available to its Members. As the training develops, we will explore with Cranfield how we might create a form of Pool Re accreditation for terrorism risk engineers.

International collaboration Pool Re continues to support international collaboration between all the terrorism global pools through the International Forum of Terrorism Risk (Re)Insurance Pools (IFTRIP). The fourth annual conference was held in Russia, hosted by the Russian Antiterrorism Insurance Pool (RATIP) during October 2018. IFTRIP continues to promote initiatives for closer international collaboration and to share expertise and experience to combat the threat of potential major economic loss resulting from terrorism. All the IFTRIP conferences to date have demonstrated the continuing need to share knowledge, experience and lessons learnt from the threat and consequences of global terrorism.

Links to sources of further information

Action Counters Terrorism (ACT)Knowing how to recognise and report suspicious activity is important in keeping safe from terrorism.

https://act.campaign.gov.uk

Centre for the Protection of National Infrastructure (CPNI)Their website offers a wide range of advice, not just for national infrastructure assets.

https://www.cpni.gov.uk

Cross-sector Safety and Security CommunicationsA partnership between law enforcement agencies, local and national government organisations and private sector businesses.

https://www.thecssc.com

The UK threat levels are set by MI5 and the Joint Terrorism Analysis Centre, JTACRead more about them and international terrorism via the MI5 website.

https://www.mi5.gov.uk/threat-levels

London ProtectRun by the Metropolitan Police, London Protect publishes monthly newsletters to provide regular updates advising and informing businesses in the London region of relevant protective security information.

https://twitter.com/NatCoordPandP

See It, Say It, SortedA campaign to encourage train passengers and station visitors to report any unusual items or activity. Text 61016 or call 0800 40 50 40 to help keep the UK’s rail network safe.

http://www.btp.police.uk/about_us/our_campaigns/see_it_say_it_sorted.aspx

Run, Hide, TellInformation and resources to stay safe if you are caught up in a firearms and weapons incident in the UK.

http://www.npcc.police.uk/NPCCBusinessAreas/WeaponAttacksStaySafe.aspx

National Cyber Security Centre (NCSC)A part of GCHQ, the NCSC vision is to help make the UK the safest place to live and do business online.

https://www.ncsc.gov.uk


CBRN. DRONES. CYBER.Recent terrorist attacks in the UK have involved a range of methodologies. Whilst the UK is yet to directly experience a terrorist attack incorporating CBRN, drones or destructive cyber activity, many aspects continue to be promoted in extremist media or witnessed overseas.

CBRN

Andrew DonaldsonDeputy Head of Risk Analysis, Pool Re

A terrorist attack involving chemical or biological means is increasing in probability in the UK.

Despite there being no such attacks using CBRN material in Europe or the West over the past 12 months, the disrupted hydrogen sulphide (H2S) plot in Australia in 2017 demonstrates enduring intent for such attacks to take place. Islamist extremists are most likely to employ this methodology. There has not been any public indication in the UK of XRW or Northern Ireland related groups having the intention to utilise them in attacks. The topic continues to feature heavily in Islamist extremist media, providing simple, easy to follow instructions allowing extremists to construct devices with little or no previous training. With this high level of intent and instructions and material being readily available, the probability of such an attack now taking place is inevitable.

In the UK, there have been no public reports of disrupted terrorist plots involving chemical weapons (CW). The most likely CWs to be employed in the UK are either toxic industrial chemicals, which can be legitimately obtained, or H2S, the manufacturing instructions of which are readily available online. Pool Re has previously highlighted how vulnerable aviation, in particular, is to this form of attack. That threat was made explicit with the Australian and American Governments applying restrictions to quantities of powder being taken into aircraft cabins in July 2018. That change in security posture is a likely reaction to the CW nature of the disrupted Australia plot last year. Additionally, Public Health England and the emergency services have implemented the ‘remove, remove, remove’ advice campaign, offering guidance for members of the public in how to react to chemical incidents.

The topic continues to feature heavily in Islamist extremist media, providing simple, easy to follow instructions allowing extremists to construct devices with little or no previous training.

Online instructions and incitement for biological attacks are also persistent. This manifested in at least two disrupted plots in Europe, one in France and one in Germany, where Islamist extremists were in the planning stages of deploying ricin as a weapon. Whilst the intended targets of the attacks are undisclosed, it is likely they would have targeted crowded places. Despite the two plots being at different stages of maturity, the incidents illustrate the continuing intent of Islamist extremists to conduct attacks using biotoxins. The arrest in Germany also demonstrates the relative ease of manufacturing ricin. Whilst other means of biological attack remain possible, such as the weaponisation of pathogens, the most likely attack method in the UK currently appears to be the use of ricin.

UNCONVENTIONAL ATTACK METHODOLOGIES


UNCONVENTIONAL ATTACK METHODOLOGIEScontinued

The use of radiological and nuclear material in an attack remains possible but highly unlikely. The level of security around such material in the UK remains extremely high, which reduces opportunity for extremists to acquire it. Additionally, the expertise required for making such devices is limited and instruction, incitement and encouragement for lower complexity attacks remain more common across extremist media.

RicinRicin is a poison found naturally in castor beans which looks like a white powder when extracted. It has been cited as a viable method of attack in several extremist publications with instructions and online recipes.

Only a small amount of castor beans can produce a lethal dose, but it is dependent on the purity of the ricin made, its form and the pathway to poisoning.

Hydrogen sulphide (H2S) Hydrogen sulphide (H2S) is a colourless, flammable and extremely toxic gas. Encouragement and instructions in the use of H2S have been circulated online by Islamist extremists. It may prove to be a relatively low complex CBRN attack method by extremists in the UK.

Please see: https://naru.org.uk/wp-content/uploads/2018/03/IOR-REMOVE-AIDE-MEMOIRE.pdf

UNMANNED AERIAL VEHICLES (DRONES)

Camilla ScrimgeourSenior Analyst, Pool Re

New legislation came into effect in the UK on 30 July 2018, imposing further restrictions on the use of drones by the public. It is now illegal to fly above 400 ft or within one kilometre of airport boundaries, to protect infrastructure and aircraft from airprox incidents, 67 of which have already taken place in 20181. In 2019, drones weighing 250g or more will need to be registered with the Civil Aviation Authority. Whilst it is clear the Government has concerns about the potential malicious use of drones, the legislation does not change the likelihood of their use in a terrorist attack. It is more difficult to mitigate against airborne threats than terrestrial ones, but mitigation measures must be proportionate to the threat. Daesh and other extremists’ use of drones in theatre is well documented but they have yet to feature in attack plans within the UK.

Whilst it is clear the Government has concerns about the potential malicious use of drones, legislation does not change the likelihood of their use in a terrorist attack.

The vulnerability of airspace and the opportunity it provides to expand targets for an attack is increasingly recognised. Airborne threats are not exclusive to terrorism: in July 2018, Greenpeace activists flew a drone shaped as Superman into the Bugey nuclear plant in Lyon, France, and during President Trump’s visit to Scotland in July 2018, a protester paraglided into restricted airspace over his golf course. The incident in Venezuela in August 2018 reportedly involving two explosives-laden drones has brought the threat of the technology back to the forefront of security discussions.

The effectiveness of a drone as a weapon depends largely on the payload it carries. The most plausible use of a drone in a UK attack would be as a delivery mechanism of an IED. Whilst the drones involved in the August 2018 incident in Venezuela are easily acquired, they reportedly each carried one kilogram of military-grade C4 explosives. It is very difficult to acquire C4 explosives in the UK. A viable alternative would be the use of TATP, as seen in previous UK attacks, however the volatility of it may make it unsuitable for transportation by drone. Furthermore, the risks involved in making an explosive device may incentivise UK terrorists to utilise more conventional delivery mechanisms.

Pool Re highlighted in its Terrorism Threat & Mitigation Report January-July 2017 that regulation is only effective if adhered to or enforced. The new legislation is unlikely to prevent a terrorist from using a drone in an attack, and is more likely to deal with nuisance use of drones rather than terrorism.

RAF Drone Safety – Ask, Look, Listen

If you think someone has been exposed to a HAZARDOUS SUBSTANCEUse caution and keep a safe distance to avoid exposure yourself.

ACT QUICKLY. These actions can SAVE LIVES.

MY TACTICAL ADVICE CONTACT:

supported by JESIP

TELL THOSE AFFECTED TO:

THEMSELVES...

OUTER CLOTHING...

THE SUBSTANCE...

...from the immediate area to avoid further exposure to the substance. Fresh air is important.

If the skin is itchy or painful, find a water source.

REPORT... use M/ETHANE

…if affected by the substance.

Try to avoid pulling clothing over the head if possible.

Do not smoke, eat or drink.

Do not pull off clothing stuck to skin.

...from skin using a dry absorbent material to either soak it up or brush it off.

RINSE continually with water if the skin is itchy or painful.

REMOVE

REMOVE

REMOVE

REMEMBER: Exposure is not always obvious. SIGNS CAN INCLUDE:

Unexplained signs of skin, eye or airway irritation, nausea, vomiting, twitching, sweating, disorientation, breathing difficulties.

A change in environment, such as unexplained vapour, odd smells or tastes.

The presence of hazardous or unusual materials.

1 https://www.airproxboard.org.uk/Topical-issues-and-themes/Drones/


https://naru.org.uk/wp-content/uploads/2018/03/IOR-REMOVE-AIDE-MEMOIRE.pdf

https://naru.org.uk/wp-content/uploads/2018/03/IOR-REMOVE-AIDE-MEMOIRE.pdf

https://www.youtube.com/watch?v=--OH6wUosG4&sns=em RAF Drone Safety – Ask, Look, Listen


The UK DRONE Code https://dronesafe.uk/drone-code/

400ft (120m)

THE DRONECODEDon’t fly near airports or airfields

Remember to stay below 400ft (120m)

Observe your drone at all times – stay 150ft (50m) away from people and property

Never fly near aircraft

Enjoy responsibly

ASSESSING THE THREAT OF CYBER TERRORISM

Conrad Prince CB Senior Cyber Terrorism Advisor to Pool Re

The cyber threat is growing and changing at pace. Hostile nation states are increasingly assertive in how they exploit cyber, whether by looking to influence the democratic process for malign ends, stealing intellectual property or other secrets, preparing for and conducting destructive cyber attacks on critical infrastructure, or simply taking money. Cyber criminals are becoming more aggressive and adopting more effective tradecraft, while malware and cyber attack as a service are becoming increasingly accessible on the dark web.

Terrorists are yet to use cyber for significant destructive effect, having low cyber capability and continuing to prioritise physical attacks. But the growing availability of cyber attack tools, and the continuing high global threat from terrorism, makes it essential to get as good a picture as possible of terrorist groups’ capability and intent in this area.

This is not easy. While there may be a lot of noise from extremists on line, it is not easy to disentangle the truth about their capabilities and intent from disinformation or fantasy.

We are focusing on the possibility of terrorists using cyber attack for disruptive or destructive purposes and, in particular, in the case of Pool Re’s cover, for attacks that directly cause physical destruction to property. We know that terrorist groups are highly skilled at using the internet for slick on-line propaganda, for communicating with one another and delivering command and control in a highly secure way, for information gathering on potential targets, and publishing personal details of individuals they cite as potential targets. There are also examples of terrorists and extremists defacing web sites. But while this could be described as terrorist use of cyber, it is not really cyber terrorism.

So far, we have not seen examples of terrorists or extremists using cyber to launch disruptive or destructive attacks. However, the intent to do so has been expressed, and there has been at least one case of an insider threat with the potential to enable or launch a cyber attack (an individual working at Heathrow who was ultimately convicted of terrorist offences).

Today, the kind of sophisticated high-end destructive cyber attacks that feature in movies, and increasingly in real life, generally need the capabilities and resources only possessed by the top tier of cyber nation states. Disrupting an air traffic control system or causing the industrial control systems in a power station to malfunction needs dozens of experts to plan and prepare, and the technical ability to achieve deep penetration of complex target IT networks for a prolonged period without detection. Such operations can take months of intensive effort to develop and execute.

But this may not always be the case. Increasingly capable cyber tools are becoming available for anyone to acquire on the dark web. And we have seen how ransomware and related attacks can have a significant global disruptive effect, impacting on networks and systems well beyond the original intended targets.

Pool Re is working with experts, including the Cambridge Centre for Risk Studies and relevant Government agencies, to track and assess the cyber terrorism threat and to gather available data on potentially relevant terrorist activity which might indicate an increase in the capability or intent to use cyber for destructive purposes.

So far, we have not seen examples of terrorists or extremists using cyber to launch disruptive or destructive attacks; however, the intent to do so has been expressed.

There is a growing availability of offensive cyber tools on the dark web. As the ability to deliver more complex and higher impact attacks becomes commoditised, there is no reason why terrorist groups could not purchase these capabilities or services in the same way as criminal group do. There is also the ongoing potential for offensive capabilities developed by nation states to be released unauthorised into the wild, whether deliberately or just as a result of human error. Anything that makes it easier for small determined groups to access capabilities developed by others and which are relatively easy to deploy against a desired class of target will increase the risk of successful destructive terrorist cyber attack.



We should also look for evidence of terrorist and extremist groups moving up the capability scale in their use of cyber. At the moment there is little evidence of such groups doing anything more destructive than defacing websites. But there is no reason why terrorists could not use widely-available ransomware tools just as criminals and nation states do, whether to extort money or simply to create as much havoc as possible. Were terrorists to start down this path, it might indicate a willingness to move up the cyber capability chain in a way that could ultimately lead them to destructive attack.

Pool Re is working with experts to track and assess the cyber terrorism threat and to gather available data on potentially relevant terrorist activity which might indicate an increase in the capability or intent to use cyber for destructive purposes.

Also relevant would be extremist leaders advocating or endorsing the use of cyber for destructive purposes. Or an increased focus on cyber attack in on-line extremist media. These endorsements can be important in influencing behaviour.

We know Daesh and other extremist groups have counted IT experts amongst their ranks, but often such people have been used as rank and file operatives, irrespective of those skills, rather than focused on IT-dependent operations. So any indications of terrorist groups deliberately seeking to recruit IT experts, and using their expertise in some coherent way, would be significant. A well placed insider could also be a game changer.

Finally, we should look for other ways that terrorist groups might look to compensate for lack of expertise or capability. One might be to link up with a competent cyber criminal group. Even more concerning would be if a terrorist group were to ally itself to a hostile nation state with an offensive cyber capability, then the cyber terrorism threat could increase significantly.

As in all cases where cyber attack for destructive effect is considered as a possibility, it’s important to ask basic questions, like would it not be simpler just to use a bomb? Often the answer will be yes. And for terrorists in particular physical attack continues to be the method of choice, for various reasons. But we cannot bury our heads in the sand. Cyber is becoming an increasingly attractive and viable attack tool, and can potentially reach places much harder to hit today through conventional attack. That’s why Pool Re is working with UK academic and Government experts to develop a coherent approach to assessing the changing nature of the cyber terrorism threat. The results could give us a critical insight into the future shape of this threat.

THE INTERNET OF THINGS: A STING IN THE TAIL?There could be 20 billion internet connected devices worldwide by 2020. There’s an inexorable drive to connect everyday devices, and a major shift to new internet-connected capabilities in critical industries like health care, energy, banking and manufacturing. The benefits are obvious but the risks are significant.

• There’s a huge increase in opportunities for hackers to find a weak point on a network and use that to conduct a wider attack. IoT compromise could enable anything from covert surveillance of a home or office, to disabling building security systems, or disrupting safety devices. And attackers can hijack multiple IoT devices to overwhelm internet connected systems and prevent them from functioning.

• The security in IoT devices is crucial, but for cost reasons manufacturers are often not building in the security we need. The Government’s IoT ‘secure by design’ strategy aims to persuade manufacturers to address this. But it’s a voluntary approach and the challenge is how to ensure take up.

• Underpinning all this is the infrastructure of the internet – fibre optic cables, routers, and the mobile network, where 5G is set to be a key enabler of the IoT. Chinese firms are increasingly dominant providers of internet infrastructure, with an aggressive state-backed exports strategy combined with world-beating pricing.

• The country that ‘owns’ the internet infrastructure can affect its availability, or exploit its potential to be used as a global surveillance system. And serious doubts are being raised about the security of Chinese-provided infrastructure.

• Poor IoT security creates new opportunities for terrorists, through better intelligence gathering to help conduct attacks, or by making it easier to launch cyber attack, maybe by using poorly-secured IoT devices to conduct major denial of service against critical infrastructure.

The IoT revolution may have a sting in the tail. And the ways of mitigating it seem worryingly limited.

20bninternet connected devices worldwide by 2020


ABOUT THIS REPORTThe Terrorism Threat and Mitigation Report provides an overview of significant acts of terrorism during the year as well as identifying key trends and themes that we believe are relevant to the terrorism (re)insurance market.

Sir David Omand GCBSir David Omand was the first UK Security and Intelligence Coordinator, responsible to the Prime Minister for the professional health of the intelligence community, national counter-terrorism strategy and ‘homeland security’. He served for seven years on the Joint Intelligence Committee. He was Permanent Secretary of the Home Office from 1997 to 2000, and before that Director of GCHQ.

Ali SoufanAli Soufan is the Chief Executive Officer of The Soufan Group. Mr Soufan is a former FBI Supervisory Special Agent who investigated and supervised highly sensitive and complex international terrorism cases, including the East Africa Embassy Bombings, the attack on the USS Cole, and the events surrounding 9/11.

Conrad Prince CBConrad Prince served as the Director General for Operations and Deputy Director of GCHQ from 2008 to 2015. In those roles he led GCHQ’s intelligence operations and oversaw the development of the UK’s national offensive cyber capability. From 2015 to 2018 he was the UK’s first Cyber Security Ambassador, leading cyber security capacity building work with a number of key UK allies. He retired after 28 years of Government service in January 2018, and now holds a range of advisory roles in cyber and security.

William FarmerWilliam Farmer is ‘Strategic Head of Crisis Management & Special Risks’ at AXA XL. William has worked in the London insurance market since 1986. Firstly as an aviation broker and then becoming a specialist in War, Terrorism and Political Risk. From 2002, in the aftermath of 9-11 his focus was terrorism insurance and reinsurance. William joined Catlin as a terrorism underwriter in 2007.

GUEST WRITERSWe are privileged that the following guest writers have contributed their time and expertise to this report:

Our methodology is based on the TRAC Terrorism Database, analysis of the wide range of publicly available open source material and collaboration with subject matter experts.

Pool Re, through TRAC, has now compiled its own data set of terrorist attacks worldwide since 2014, when Daesh announced the establishment of the so-called Caliphate. In this edition, we also analyse the frequency and severity of global terrorism over this period.

We hope that this qualitative and quantitive analysis of terrorist incidents, trends and themes will be helpful for our Members and other stakeholders as they seek a greater understanding on the frequency and severity of terrorist events and how the evolving threat impacts on their particular area of activity. Pool Re will be utilising the data derived from the TRAC Database and other sources in our actuarial and modelling processes.

In this edition, we have focused on key terrorism events and trends in 2018.

Dr Andrew GlazzardDr Andrew Glazzard is a Senior Research Fellow and Director of the National Security and Resilience Studies research group at RUSI.


ABOUT THIS REPORTcontinued

PURPOSEThe purpose of this report is to inform Pool Re Members and wider stakeholders of the current and future terrorism threat and its implications for the resilience of UK businesses and, by extension, the UK’s economy. Pool Re was created 25 years ago to protect society from the economic consequences of terrorism. The landscape 25 years on is far more complex and diffuse, principally because in 1993 there was one main threat actor, militant republicans in the form of the Irish Republican Army (IRA), targeting the UK; now there is a wider spectrum of terrorist entities, using a broad range of methodologies, targeting our citizens, assets and economies. We hope that this annual report will go some way in providing further clarity and knowledge for our Members and other stakeholders.

Further information about Pool Re can be found on our website at www.poolre.co.uk or by following us on LinkedIn.

METHODOLOGYTRAC’s methodology is based on analysis of a wide range of publicly available open source material, and collaboration with subject matter experts. The information contained in this report has been verified and corroborated through extensive research drawn from academia, think tanks, social media, security, intelligence and risk conferences as well as extensive subscription-based content. The sum of this provides Pool Re with a unique perspective within the terrorism reinsurance market.

All assessments are made in relation to the threat posed to the UK and are tailored principally to the (re)insurance sector; but it is hoped these assessments are also of use to the wider business community. In order to fully understand the threat to the UK, TRAC gathers information from wider global terrorism threats and incidents that could pose a threat to the UK mainland. TRAC produces quarterly Frequency Reports and Post Incident Reports.

ABOUT POOL REPool Re is the UK’s terrorism reinsurance pool, providing effective protection for the UK economy and underwriting over £2 trillion of exposure to terrorism risk in commercial property across the UK mainland. Through its Terrorism Research and Analysis Centre (TRAC), Pool Re aims to improve the risk awareness of current and emerging terrorism perils for Members and other key stakeholders by highlighting the availability of terrorism cover for all UK mainland Commercial Insurance customers.

DISCLAIMERThis report has been prepared by Pool Reinsurance Company Limited (Pool Re). While this information has been prepared in good faith, no representation or warranty, expressed or implied, is or will be made and no responsibility or liability is or will be accepted by Pool Re, or by any of its respective directors, officers, employees or agents in relation to the accuracy or completeness of this document and any such liability is expressly disclaimed. In particular, but without limitation, no representation or warranty is given as to the reasonableness of future suggestions contained in this document. Pool Re is a company limited by guarantee and registered in England and Wales under company no. 02798901 having its registered office at Hanover House, 14 Hanover Square, London W1S 1HP.


Documents

TERRORISM T HREAT & MITIGATION REPORT 2018€¦ · comprehensive ecosystem for financing and managing terrorism risk. As this year has already shown, this ecosystem is capable of