TERRORISM THREAT & MITIGATION REPORT 2019 2/ 53 · GCHQ), Alexander Babuta (National Security Research Fellow at RUSI), Andrew Silke (Professor of Terrorism at Cranfield University)

TERRORISM THREAT & MITIGATION REPORT 2019 2/ 53

01/TERRORISM THREAT & MITIGATION REPORT 2019 3/ 53

POOL RE’S RESPONSE TO THE EVOLVING THREATS OF TERRORISMI am pleased to present this year’s Terrorism Threat & Mitigation Report, our fourth to date. Since 2016, and the creation of our Terrorism Research and Analysis Centre (TRAC), we have produced an annual report examining the terrorism risk landscape globally and in the UK. This 2019 edition, however, marks an exciting turning point not only for the company’s flagship risk report, but also for TRAC and Pool Re’s broader terrorism risk analysis expertise.

The publication accompanies the launch of Pool Re Solutions, a new in-house centre of excellence within Pool Re which will streamline and amplify our emphasis over the past five years on risk awareness, risk modelling, and risk management. As the terrorism threat continues to change and become more complex, there has emerged a corresponding need for Pool Re to support its Members with an equally dynamic set of underwriting tools, technical services, training, and insight, to support the traditional provision of reinsurance cover.

Solutions represents a significant development in Pool Re’s offering to the UK’s terrorism risk market, since it has been designed to provide and stimulate the insurance industry with

Julian Enoizi Chief Executive Officer/ Pool Re

the tools and information it needs to evaluate, price, manage and mitigate terrorism risk to a degree hitherto unseen in this country. We expect as a result to see further increases in the amount of risk Members are prepared to take, while simultaneously continuing to diversify the UK’s financial exposure through the growing involvement of the global reinsurance and capital markets. We are also committed to continuing to unite commercial, academic and political engagement in understanding and bridging protection and information gaps, building on our success in relation to Non-Damage Business Interruption (NDBI) and cyber terrorism.

As the analysis in this report demonstrates, terrorist groups have shown themselves to be highly adaptable and innovative. The contemporary terrorist threat is more diffuse and complicated than ever before, and radically different from the IRA threat Pool Re was created in response to. The threat of ‘spectacular’, 9/11-style attacks remains a tangible risk. However, contemporary Islamist and, increasingly, right-wing extremists aim to cause mass casualties, attacking unprotected targets rather than focusing on hardened commercial or government targets.

Julian Enoizi has been CEO of Pool Re for six years. Previously he was CEO of ProSight at Lloyd’s. Julian held senior executive roles with AIG Europe and Chubb Insurance Company of Europe based in London, Paris and Brussels. Julian is a graduate of the Universities of Birmingham and Limoges, France. He holds an LLB (Hons) degree in Law and French Law and a Diplôme D’Etudes Juridiques Françaises. He is a qualified lawyer and practised in London, Milan and Brussels before embarking on his insurance career.


Horizon scanning and investing in the research necessary to understand the parameters of evolving or emerging threats is a responsibility we take seriously, as is increasing the commercial viability of risks which are difficult to insure, and future-proofing UK businesses with the protection they need. The Solutions platform is designed to enable Pool Re and its Members to more effectively and holistically address some of the market’s persistent challenges, such as the problematic low take-up of cover by SMEs.

RISK AWARENESSPool Re’s Risk Awareness division will build on our current in-house expertise and established reputation as a thought leader in the field by providing analysis, intelligence and expertise on all aspects of the terrorism threat to our private and public stakeholders. Our strong partnerships with academia, government agencies and specialist think tanks will inform our regular reporting and workshops, whilst also supporting our actuarial and modelling capabilities. Our commitment to raising the level of awareness and understanding of terrorism risk and what businesses

and techniques by building pathways which link government agencies, academia, risk professionals and the insurance industry. Indeed, the latest CONTEST report recognises Pool Re and the insurance industry’s potential to shape Insureds’ behaviour and improve safety, security and resilience.

This recognition is at the heart of our flagship risk mitigation product, the Vulnerability Self-Assessment Tool (VSAT). It allows businesses to conduct a detailed security audit to UK Government and internationally recognised standards, and trigger premium discounts, which from the beginning of 2020 will be rising to 7.5%. In addition, we are also now delivering terrorism risk management training courses for Member Company risk engineers. These courses, which are amongst the first of their kind, are training risk engineers and claims handlers to improve national terrorism risk literacy and integrate terrorism within broader property risk management practice. These and other initiatives will not only reduce the underlying terrorism risk the UK faces, but mitigate and reduce effects of attacks that do occur.

can do to protect themselves extended this year to agreeing to finance a unique information exchange platform run by the Metropolitan Police, to allow the industry to benefit from the expertise of the UK’s counter-terrorism agencies.

RISK MODELLINGThe Risk Modelling division will continue to create and build terrorism modelling tools and techniques that can underpin better pricing and greater deployment of capacity or capital into terrorism (re)insurance. The new paradigm these models represent was demonstrated in February this year, when they were a decisive factor behind Pool Re’s placement of an historic £75 million Insurance Linked Security. The models are being developed in partnership with academia, insurance modelling experts and government agencies, and are a result of Pool Re’s ability to bring together such diverse expertise.

RISK MANAGEMENTFinally, the newly established Risk Management division will be working to become the key facilitator of terrorism risk management information

We are very grateful for the contributions made by our guest writers, who bring a different perspective and experience to the challenges of delivering enduring counter-terrorism strategies. I very much hope you enjoy the articles written by Conrad Prince (former Director General of Operations at GCHQ), Alexander Babuta (National Security Research Fellow at RUSI), Andrew Silke (Professor of Terrorism at Cranfield University) and Jerry Smith (Senior Partner at CHC Global).

It has never been so important for Pool Re and its public and private partners to understand terrorism; what drives it, how it manifests now and may manifest in the future; and how we can together build lasting resilience against a threat which above all seeks to destabilise and divide. In that spirit, I trust you will find this report informative.

Julian Enoizi Chief Executive Officer

THE THREE PILLARS OF POOL RE SOLUTIONS



Reflecting on the last 12 months, it would superficially appear that the threat posed by Islamist extremism peaked during 2017 and that the followers of Daesh have dispersed to other ungoverned spaces and failed states across the globe. While largely true that Daesh is adopting a transnational, affiliated model, the threat posed to the UK by Islamist extremism remains as high as ever. Of concern is the threat posed by committed Daesh fighters who may return to the UK with battle honed-skills and the intent to use them in attacks, as well as by unknown lone actors acting independently of any direction from ‘Daesh central’. The threat posed by Al Qaeda (AQ), in particular its affiliates in Syria, still remains especially its aspiration to commit another spectacular attack. It is unsurprising then that the UK threat level remains at SEVERE (meaning an attack is ‘highly likely’).

In order to better understand why the threat of terrorism has not gone away, and remains at an unprecedented high, it is necessary to unpack the current range of threat actors and methodologies, and the associated risks to Pool Re, our Members and Insureds.

The threat landscape in the UK remains very complex, fast-moving and occupied by a diverse group of threat actors, a number of whom want to conduct mass casualty

Ed ButlerChief Resilience Officer/ Pool Re

ENDURING AND MULTIFARIOUS THREATS

THE THREAT LANDSCAPE IN THE UK REMAINS VERY COMPLEX AND INCREASINGLY UNPREDICTABLEattacks, targeting crowded places

and iconic targets. Moreover, it is continually evolving and increasingly difficult to predict. These threat actors – be they Islamist extremists, Right Wing terrorists (RWT), Left Wing terrorists (LWT) or Violent Dissident Republicans (VDR) – employ a wide array of methodologies, ranging from the unsophisticated (knives and vehicles as weapons) to more complex attacks involving Improvised Explosive Devices (IEDs) and firearms. Increased VDR actions have the potential to provoke a response from Loyalist paramilitaries, who still exist but have almost exclusively been focused on criminal activities in the last few years. This in turn may feed into a re-energised extremist British Nationalist movement1. There remains concern about the use of Chemical, Biological, Radiological or even Nuclear (CBRN) material forming part of an IED, and more ‘novel’ technologies to achieve a devasting event similar in scale to 9/11.

The above view may not be appreciated by much of the public; there has not been an attack in Great Britain on a similar scale to Manchester or Borough Market since 2017, and the so-called Caliphate was militarily defeated Syria and Iraq, its appeal much diminished from its height in 2016.

Ed Butler, CBE DSO, is Pool Re’s Chief Resilience Officer and leads its Risk Awareness Team. He is responsible for developing the company’s capacity and capability in understanding the terrorism threat landscape and how to mitigate against these perils. Ed has over 35 years of experience in counter-terrorism, security and risk management, including 24 years in the British Army and eight years business consulting. He was privileged to command 22 SAS and retired as a Brigadier in 2008.

Daesh’s forces in Syria and Iraq may have been seriously degraded, and with it the group’s ability to directly command and sponsor attacks in Western Europe, but its capabilities and ability to inspire violence endure. The threat of Islamist extremists acting alone remains acute, as evidenced by the police and MI5 undertaking 700 live investigations at any one time and the interdiction of one major late-stage attack plot on average every four weeks.

The defeat of the so-called Caliphate will not have changed the views of core Daesh followers, as demonstrated by ongoing attacks across the globe by its supporters. It appears the group has recognised the vulnerabilities attendant to holding territory in the face of action by Coalition forces. Rather, the group has gone to ground while it regroups in its heartland, carrying out attacks abroad to demonstrate its continued relevance and vitality. The Easter bombings in Sri Lanka reflect this. Demonstrating sophisticated planning over a protracted period, the attackers were able to acquire large quantities of explosives and exploit Sri Lankan intelligence failures. Elsewhere, the group continues to regularly claim attacks, while reasserting itself in Iraq and Syria through a campaign of revenge and intimidation.


timescale4 and, secondly, the opportunity for further radicalisation and fraternisation with the criminal community of convicted terrorists increases once incarcerated.

We are fortunate that we in the UK have a very sophisticated counter-terrorism architecture and mature security and intelligence capability, which continues to operate very effectively against all forms of terrorism. Efforts are being made to improve the collaboration with IT and social media companies to take down online terrorist content, but there is little evidence to date which shows that this is effective against those already radicalised who have the intent to undertake attacks.

However, other threat actors are occupying an increasing share of the UK’s counter-terrorism resources. Right Wing Terrorism (RWT) now accounts for a significant proportion of the police and MI5’s workload and this threat has intensified over the last few years; seven of the 22 plots foiled since March 2017 have been RWT, and there have been a further two successful RWT attacks since the murder of Jo Cox MP in 2016. According to the latest Home Office statistical bulletin, extreme right-wing concerns accounted for 18% of all referrals to PREVENT, and 44% of individuals receiving support from the programme.

Where then does this leave the threat to the UK? Some might argue that we have entered something of an equilibrium with Islamist extremism in this country and question what more can be done to suppress the threat of lone actors. Certainly, attacks are being planned at a faster rate than in 2014 and are quicker and cheaper to execute. We are likely to see the continued use of low sophistication techniques – the use of vehicles and knives as weapons – with an increasing appetite and capability for IEDs to inflict greater casualties and generate more media attention. There is a real concern about the high number of returning fighters who could use their battlefield experience in attacks in the UK. These fighters are likely to try and plan more complex attacks, most likely involving a combination of techniques (blades, guns2, vehicles and IEDs) to maximise casualties3. Of more concern would be the teaming up of so-called frustrated travellers (those who could not get out to Syria) with returning fighters.

A lower tolerance for the risk of attacks such as those at Borough Market and Manchester requires our CT agencies to interdict these plots at a much earlier stage. These early stage interdictions have a number of unfortunate consequences. First, shorter sentences mean that convicted extremists are back out on the streets within a shorter

Driving the threat of RWT are several related ideologies, with cultural nationalism, white nationalism and white supremacism the most prevalent. While there are still significant variations in the motivations of RWT in different countries, there is evidence that common themes like ‘the great replacement’ theory and anti-Muslim attitudes increasingly tie formerly disparate right-wing actors across the globe. Rising political polarisation and regional inequalities across Western countries are likely to continue to provide fertile ground for radicalisation.

While in Britain right-wing extremists are increasingly organised, with some establishing links to extremist groups overseas, most RWT attacks worldwide continue to be carried out by lone actors with no or only peripheral connections to proscribed organisations. The internet continues to provide a space for right-wing extremists to share ideas and incite attacks. Against the backdrop of online hatemongering, recent high profile RWT attacks have spurred copycats, with the Christchurch attacks in March credited with inspiring a further four RWT attacks in the US, Britain and Norway.

Further such attacks are likely. The involvement of former military personnel in extremist circles is a particular concern, with their potential

THE POLICE AND MI5 ARE UNDERTAKING 700 LIVE INVESTIGATIONS AT ANY ONE TIME WITH THE INTERDICTION OF ONE MAJOR PLOT EVERY FOUR WEEKS


SIGNIFICANT ACTIVITY/

MANCHESTER VICTORIA STABBING ATTACK

Mahdi Mohamud, a Somali-born British resident, stabbed two civilians and a police officer at Victoria Station in Manchester while shouting Islamist slogans. Daesh routinely calls for its supporters to mount stabbing attacks against civilian targets in crowded areas, but Mohamud is not believed to have any ties to overseas extremists. The station was temporarily cordoned off but no property damage occurred during the attack. This incident highlights the possibility of terrorists successfully launching attacks outside of London.

DATE: 31 December 2018

LOCATION: Manchester, London

OFFENDER: Mahdi Mohamud, unaffiliated Islamist extremist

METHODOLOGY: Bladed weaponsDEATHS: 0 INJURIES: 3


to bring battlefield experience to the planning and execution of attacks. While the targeting priorities differ somewhat from Islamist extremists, the recruiting tactics and attack methodologies they employ are much the same.

The threat level from Northern Ireland Related Terrorism (NIRT) is SEVERE in the Province. The frequency of terrorist attacks, mainly by the New IRA but also with some significant attacks from the Continuity IRA, remains constant with 15-40 incidents on average per year; between March 2018 – March 2019 there were 15 bombings and 37 security related shootings, including paramilitary ‘punishment’ attacks. The killing of Lyra Mckee in March 2019, and several under-vehicle explosive devices and IEDs since are a reminder of the intent and capability that Violent Dissident Republicans (VDRs) possess. A ‘no deal’ Brexit could well exacerbate these tensions, elicit a reaction from Loyalist paramilitaries and lead to even more attacks in the latter part of the year. It is currently assessed that these are unlikely to spill over onto the mainland, but this cannot be discounted – as demonstrated by the sending of several incendiary devices through the post in March this year and the 2016 arrest of Ciaran Maxwell who had 18 viable pipe-bombs in his possession.

UNCONVENTIONAL TERRORISM AND FUTURE THREATSTerrorists are innovating as police and MI5 get better at interdicting plots; as illustrated by the sizeable growth in the use of information technology and the use of data and encrypted communications, in attack planning over the last two to three years. We are also seeing more technology transfer from the battlefield to the streets, as well as between state and non-state actors. Collusion, especially in the cyber world, between the criminal fraternity and terrorist groups remains a constant concern. There is good evidence that Hamas is moving up the ‘value chain’ (as reported in Conrad Prince’s article in this report) and is now undertaking quite sophisticated cyber espionage operations. As the barrier to entry for malware and cyber tools lowers, along with the introduction of 5G6, so does our vulnerability to cyber-attack increase.

The former Minister for Security, Ben Wallace MP stated in January 2017 it is a ‘question of when not if’ there is a CBRN attack in the UK7. There have been a number of plots interdicted in the last two years, including three plots in Europe involving the production of ricin.8

Instructions on making CBR devices have featured in Islamist extremism media over the last three to four years and chemical (military grade) IEDs were used regularly in Syria and Iraq (at their peak over a 100 per month were being deployed by both Islamic State fighters and the Assad regime9). The aspiration to use CBR material is nothing new; AQ published its Poison Handbook in the early 1990s and it is known that AQ did possess a ‘poison gas dispenser’. Due to extensive controls on military and commercial grade material, it is more likely that terrorists would use hazardous chemical ingredients to construct an IED. A device such as this is unlikely to have any long-term persistency and an area would be decontaminated very quickly; property damage would be restricted to the size of the blast and burns would be the most likely injuries sustained. However, the psychological impact would be considerable. “Chemical IED exploding in London” would be an alarming newspaper headline and we could expect significant and extended loss of attraction and consumer confidence in the affected areas.



CHRISTCHURCH MOSQUE SHOOTINGS

Tarrant, an Australian white supremacist, consecutively attacked worshippers at two mosques with semi-automatic firearms before being arrested. IEDs found in his car were defused by police. The gunman livestreamed the attack on Facebook and published a manifesto online citing previous right-wing terrorists (RWTs) as inspiration. He was later linked to extremist networks in Europe, and his actions were seemingly intended to incite copycat attacks. The attack highlighted the vulnerability of places of worship, and the intent of RWTs to target crowded places associated with minorities.

DATE: 15 March 2019LOCATION: Christchurch,

New ZealandOFFENDER: Brenton Tarrant,

unaffiliated right-wing extremist

METHODOLOGY: Firearms / Improvised Explosive Devices

DEATHS: 51 INJURIES: 49


HOW CAN BUSINESSES IMPROVE THEIR RESILIENCE TO SEEN AND UNSEEN THREATS?

FORECAST – WHAT MIGHT EMERGE FROM THE SHADOWS?

The constantly evolving threat landscape exposes new vulnerabilities for businesses, especially SMEs, during the so-called ‘new age’ of terrorism which has emerged since 2014. It is therefore essential to adopt a rigorous, analytical and realistic approach to this peril, one that minimises the full spectrum of human business and economic losses.

Organisations should develop a strategy to deal with the effects of a terrorist attack. While they may not be directly targeted by a terrorist group or an individual attack, organisations can suffer the indirect consequences of attacks (denial of access due to cordons and subsequent loss of attraction), or contagion risks associated with terrorist activities in another area. Therefore, all organisations should consider the potential impacts of any terrorist attack happening on their doorstep (or affecting their networks, given the growing threat of cyber terrorism), and how best to minimise them.

Terrorism risk transfer is Pool Re’s business. We provide, indirectly through conventional insurance companies, the insurance backstop which provides cash indemnity and supporting services designed to ensure that organisations will have the resources necessary to recover as quickly as possible from a terrorist

attack. In Britain, commercial organisations are able to purchase terrorism insurance. Claims can be made for losses due to an act of terrorism even when a terrorist attack has done no physical damage. For example, owners and customers were denied access to businesses by the police cordon at Borough Market for over a week following the London Bridge attack. Many small traders suffered considerable losses from a drop-off in footfall and spoilage of consumables. Since the event, Pool Re has created affordable ‘non-damage business interruption’ coverage for terrorism related losses.

The threat of terrorism is persistent, and it isn’t just about London. Small and medium sized organisations across the country are equally likely to be affected, either directly or indirectly. Taking a risk by not buying terrorism insurance, and instead adopting the belief ‘it will never happen here’ is a high-risk strategy in a world where terrorism is now, sadly, part of everyday life. Companies, large and small, can reduce the impact of terrorism by having a comprehensive risk strategy which covers all aspects of this diverse and unpredictable peril. An intelligence-led approach and plan will ensure effective and enduring resilience. Transferring risk through appropriate insurance is a must.

We are likely to see more of the same from Islamist extremists, RWT and NIRT, with their focus remaining on the use of low complexity ways and means to achieve their ends. The methodologies will remain quite similar, with only a variance in target selection. We cannot discount a spectacular attack, be it a 9/11 or an Anders Brevik type incident.

Against the backdrop of political polarisation, disenchantment of some people from the mainstream and declining social cohesion in many communities within the UK, we could well see a cycle of violence and counter violence by terrorist and extremist groups. A hard or no deal Brexit may lead to an increase in attacks by Violent Dissident Republicans in Northern Ireland, with potential spillover effects. As previously mentioned, a counter reaction by Loyalist extremists in Northern Ireland to rising VDR activities could destabilise the Good Friday Agreement and any Brexit negotiations. A reaction by extreme left-wing movements (LWT) off the back of civil disorder over Brexit10 cannot be ignored either.

It also cannot be discounted that any terrorist group or individual will move further up the violence scale and deploy a weapon (or methodology) of mass effect to inflict multiple casualties. The likely perpetrators

of such an event remain Islamist extremists and the aviation sector remains one of the most likely targets for this type of scenario.

As with previous terrorist campaigns, the unpredictability of what, when and where should be a given; we need to have maximum readiness not to be surprised by the next type of attack and have the full suite of mitigations in place, including terrorism insurance, to ensure we are resilient to any event.

THE CONSTANTLY EVOLVING THREAT LANDSCAPE EXPOSES NEW VULNERABILITIES TO BUSINESSES

Several actions contribute to a comprehensive risk and resilience strategy for dealing with terrorism risk, including: developing in-depth risk awareness and knowledge; assessment of exposures; appropriate mitigation and risk management; and importantly, risk transfer through insurance. Less complex businesses with little spare time or expertise to perform such assessments should ensure that terrorism is considered within their broader security considerations and importantly, is not ignored from an insurance perspective. Advice and information is available from the police’s National Counter Terrorism Office, and through local Counter Terrorism Security Officers.

RISK MITIGATION


https://counterterrorbusiness.com/features/terrorism-risk-strategies-mitigate-manage-transfer

FAR RIGHT ISLAMIST EXTREMISTS THE DATA REINFORCES THE POINT THAT THE MAJORITY OF DEATHS ARE CAUSED BY SINGLE EVENTS, AND NOT AN ACCUMULATION OF SMALLER EVENTS. THIS IS TRUE ACROSS ADVANCED MARKET COUNTRIES.

25%OF ALL DEATHS IN ADVANCED MARKETS THIS DECADE

62% OF ALL DEATHS IN ADVANCED MARKETS THIS DECADE

71% OF ALL DEATHS IN ADVANCED MARKETS LAST YEAR

29% OF ALL DEATHS IN ADVANCED MARKETS LAST YEAR

BACK/

1 https://www.bbc.co.uk/news/uk-northern-ireland-politics-47072147

2 https://www.theguardian.com/uk-news/2019/sep/08/police-raid-arms-terror-group

3 Although current statistics suggest that most foreign fighters will not get involved in an attack on return home. http://www.washingtonpost.com/blogs/monkey-cage/wp/2013/11/27/number-of-foreign-fighters-from-europe-in-syria-is-historically-unprecedented-who-should-be-worried/

4 Current statistics suggest that re-offending by released terrorists is very low in the UK. https://repository.uel.ac.uk/download/ d1d99fcc687fcbda9685336c5f6cdc63f 649049214a492ec6a23a467e461bdd2/37 8097/Risk%2520assessment.pdf

5 The attack on the 19th August near Wattlebridge in County Fermanagh was the fifth attempt by VDRs to kill police officers this year and followed another attempt on officers at the end of July in Craigavon, County Armagh.

6 https://www.telecomstechnews.com/news/2018/aug/14/uk-spy-agency-5g-cyber-terror-threat/

7 https://www.independent.co.uk/news/uk/home-news/isis-terror-attacks-uk-plots-supporters-travel-syria-frustrated-basu-foreign-fighters-a8576431.html

8 These are in addition to the RWT ricin plot that was foiled in Durham in 2009.

9 Assad’s regime make indiscriminate use of chemical munitions, including nerve agents. And IS have used mustard gas against Kurdish forces and are reported to have had chemical weapons production facilities.

10 https://ukdefencejournal.org.uk/terrorist-radicalisation-in-the-uk-is-evolving-says-report/

NUMBER OF ATTACK FATALITIES IN ADVANCED MARKETS BY OFFENDER TYPE/ 1990-2018 (excl. 9/11)

Anti-government Extremists Far Right Islamist Extremists SeparatistsAnarchists, Far Left, Environmental, Student

20

40

60

80

100

120

140

160

180

200

220

1990 1991 1995 19961992 1994 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018


https://www.mi5.gov.uk/threat-levels






https://www.mi5.gov.uk/

03/TERRORISM THREAT & MITIGATION REPORT 2019 14/ 5314/ 63

Eden StewartSenior Analyst / Pool Re

Callum YourstonAnalyst / Pool Re

Eden Stewart joined Pool Re as an analyst on the Risk Awareness team in October 2017. Prior to joining Pool Re, Eden worked as an intelligence analyst specialising in cybercrime. Eden holds a Master’s Degree in Security and Intelligence Studies from Brunel University, and a BA in History from the University of Leeds.

Callum Yourston joined the Pool Re Risk Awareness team in September 2019. Before joining Pool Re, Callum worked as a political risk analyst covering the Middle East and North Africa. He holds an MA in Terrorism, Security and Society from King’s College London and an undergraduate degree in International Relations from the University of St Andrews. He is proficient in Arabic and French.

Pool Re has analysed 30 years of terrorist event data from the Global Terrorism Database (GTD) published by the University of Maryland. The GTD is the most comprehensive publicly available database of terrorist incidents and provides the ability to assess trends in terrorist activity over the history of Pool Re.

The GTD uses a very granular schema for recording the attribution, methodology and targets of terrorist attacks. To enhance the utility of the data to Pool Re and its Members, these attack attributes have been grouped into higher taxonomic ranks. The original data has also been enriched to facilitate additional analysis of weapon complexity, damage potential and loss values.

ANALYSIS OF THE GLOBAL TERRORISM DATABASE

Some attacks recorded in the GTD as separate events due to their geographic or temporal discontinuity have been grouped together to reflect Pool Re’s analytical practice. Others have been excluded from the analysed dataset entirely due to uncertainty over whether they constituted acts of terrorism.

While terrorist activity across the globe is addressed, the analysis focuses on a grouping of 29 countries which provide substantial insurance protection (based on insurance density and penetration as a percentage of gross national product). This grouping is classified as ‘Advanced Markets’.


https://www.start.umd.edu/gtd/downloads/Codebook.pdf

DECREASE IN ATTACK FREQUENCYIn recent years, the frequency of attacks worldwide has declined significantly. There was a large, sustained increase in global events following the 9/11 attacks, through to 2015, during which the yearly average number of attacks increased eightfold. This was largely driven by Islamist extremist violence, with global attacks reaching their peak while Daesh was at the height of its power. While the frequency of global attacks has decreased with Daesh’s territorial defeats, it remains well above the average for the 30-year period.

ADVANCED MARKETSWhile attacks in advanced markets also spiked between 2014 and 2017 with the wave of attacks inspired or directed by Daesh, the annual frequency of attacks fell back below the 30-year average in 2018 (although the number of fatalities remained well above the historic average). Indeed, the number of attacks in advanced markets in the 1990s was more than double that in the subsequent two decades. This marked drop is largely attributable to the cessation of most terrorist activity by nationalist separatist terrorists groups in Britain, Spain and France.

LETHALITY INCREASEWhile the frequency of attacks in advanced markets remains below that experienced in the 1990s, the lethality of attacks has increased significantly. Excluding 9/11, almost 44% of fatalities in advanced markets occurred in the last decade, with 2015, 2016, 2017 accounting for the bulk of these. This primarily reflects the increased prevalence of attacks by Islamist extremist actors who, in contrast to separatist groups overrepresented in the 1990s, favour mass casualty attacks, largely against unprotected targets.

RIGHT WING TERRORISTSAnother contributing factor is the increasing lethality of attacks by right-wing terrorists (RWT). Although higher in the 1990s, the number of attacks by RWT has increased considerably over the past decade, following a dip in the 2000s. Equally significantly, RWT have increasingly adopted methodologies employed by Islamist extremists, with the aim of causing mass casualties by targeting crowded places associated with minority groups, or other symbolic targets, such as places of worship.

TARGETING THE PUBLICThis is reflected in targeting trends across advanced markets. Police, military and government targets accounted for the majority of attacks worldwide over the 30-year period. This was also true of advanced markets for the 1990s. However, over the last decade, attacks against the public and symbolic targets have far exceeded those against police, military and government targets, reflecting the greater prevalence of attacks by Islamist and right-wing extremists.

LOW AND HIGH COMPLEXITYThe decline in attacks targeting commercial infrastructure corresponds with an increase in the prevalence of low complexity and firearms attacks, again reflecting the wider shift in intent from targeted to mass casualty attacks in advances markets. Notwithstanding this, most casualties continue to arise from a small number of high-impact events, with the majority of attacks causing no fatalities.

THE COMMERCIAL INFRASTRUCTUREAttacks against commercial targets have also fallen significantly, from about 18% of all attacks in advanced markets in the 1990s, to around 5% between 2015 and 2018. This mirrors the changes in the preponderant actor types and the methodologies they employ. Where commercial infrastructure was a preferred target of separatist groups, it has largely been eschewed by Islamist and right-wing terrorists, in favour of mass casualty attacks against crowded places and symbolic sites. In contrast, the proportion of attacks against critical national infrastructure and aviation has remained fairly constant over the 30-year period, indicating consistent interest in such targets across offender types.

THREAT LANDSCAPEWith man-made perils like terrorism, historical data is an unreliable predictor of future risks. However, for the near term at least, it is likely that Islamist extremism will continue to be the main driver of terrorism worldwide, even as attacks by its proponents wane. In advanced markets, the threat landscape is increasingly complicated by what appears to be a more active and lethal far-right movement. Attacks resulting in large-scale property damage or high numbers of casualties will continue to be rare events, but attacks which aim to cause mass casualties will probably continue to grow as a proportion of the total. As seen with the recent attacks across the West, these are more likely to cause business interruption losses than significant material damage.

KEY FINDINGS

36%of attacks in Advanced Markets in 2018 attributed to right-wing terrorists

44%Almost 44% of fatalities in advanced markets occurred in the last decade

5%the amount of attacks in advanced markets in the 1990s, between 2015 and 2018


ATTACKS WORLDWIDE AND IN ADVANCED MARKETS / 1990-2018

OBSERVATIONS & CONTEXTThe frequency of attacks in Advanced Markets remains well below the highs seen in the mid-1990s, during which these countries collectively experienced an average of 410 attacks per year. This figure dropped significantly in the 2000s, driven by a decline in attacks by separatist groups like ETA and the IRA. In the 2010s, the yearly average number of attacks in advanced markets was 192.

In contrast, the frequency of attacks worldwide steadily climbed after 2001, reflecting rising Islamist violence, particularly in the Middle East, Africa and South Asia. However, while the global picture is not necessarily

representative of attack frequency in Advanced Markets, both have seen substantial increases from 2012, largely driven by the rise of Daesh.

Since 2015, the frequency of global attacks has decreased significantly (corresponding with Daesh’s decline), whereas attacks in Advanced Markets continued to increase up to and including 2017. Despite a drop in 2018, attacks in Advanced Markets remain above historic averages in the 2000s and 2010s. This partly reflects increased activity by the right-wing terrorists but may also point towards another decoupling of global activity and advanced market attack frequency.

2,000

4,000

6,000

8,000

10,000

12,000

14,000

16,000

18,000

1990 1991 1992 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018

Global attacks

Advanced Markets attacks

150,217 attacks worldwide since 1990

4.6% of global attacks since 1990 occurred in Advanced Markets

6,851 attacks in Advanced Markets since 1990s

2% of attacks in 2018 occurred in Advanced Markets

THE FREQUENCY OF ATTACKS IN ADVANCED MARKETS REMAINS WELL BELOW THE HIGHS SEEN IN THE MID-1990S

THE FREQUENCY OF ATTACKS WORLDWIDE HAS STEADILY CLIMBED SINCE 2001

Num

ber

of a

ttac

ksTERRORISM THREAT & MITIGATION REPORT 2019 17/ 53

NUMBER OF ATTACK FATALITIES IN ADVANCED MARKETS BY MAJOR EVENT / 1990-2018

OBSERVATIONS & CONTEXTMost deaths due to terrorism in Advanced Markets since 1990 have been caused by a small number of particularly lethal terrorist attacks; more people were killed in the 9/11 attacks than in all other attacks in Advanced Markets since 1990 combined. Even excluding 9/11, fewer than 30 individual attacks caused a

majority of all fatalities in Advanced Markets during the period.

Excluding 9/11, despite fewer attacks, 2015-2017 represented the deadliest three-year period in Advanced Markets since 1990 with a yearly average of 201 deaths, compared to a yearly average of 72

deaths in the 1990s.This reflects shifts in the intent and methodologies of threat actors. Separatist groups most active in Advanced Markets in the 1990s largely eschewed indiscriminate mass casualty attacks; the preferred modus operandi of Islamist and, increasingly, right-wing extremists who account for a larger share of attacks in recent years.

EXCLUDING 9/11, 2014- 2018 REPRESENTED THE DEADLIEST FIVE-YEAR PERIOD IN ADVANCED MARKETS SINCE 1990

137 people killed annually on average in Advanced Markets between 2014 and 2018

26 individual attacks accounted for 86% of deaths in Advanced Markets since 1990

MORE PEOPLE WERE KILLED IN THE 9/11 ATTACKS THAN IN ALL OTHER ATTACKS IN ADVANCED MARKETS SINCE 1990 COMBINED

20

40

60

80

100

120

140

160

180

200

220

240

260

1990 1991 1995 19961992 1994 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018

Attack1995 Oklahoma City Bombing1995 Tokyo Subway2001 9/112004 Madrid Bombing2005 London 7/72009 Fort Hood Shooting2011 Norway Attacks2015 Paris2016 Brussels2016 Nice2016 Orlando Nightclub Shooting2017 Barcelona Attacks2017 Las Vegas Shooting2017 Manchester Arena BombingOther

2,977(Not scaled to axis)

Num

ber

of a

ttac

k fa

talit

ies


ATTACKS IN ADVANCED MARKETS / More than $50m Property Damage loss/ More than 12 fatalities / 1990-2018 (excl. 9/11)

OBSERVATIONS & CONTEXTThe majority of attacks that resulted in large property damage losses have generally caused fewer deaths, although there are exceptions like the 1995 Oklahoma City bombing which caused widespread damage and over 100 fatalities. Those attacks resulting in the largest losses, the 1993 Bishopsgate bombing and 1996 Manchester bombing, caused a single death, (although several hundred people were injured). Attacks resulting in widespread material damage largely happened in the 1990s, when groups such as the Provisional Irish Republican Army (PIRA) sought to attack financial infrastructure with large vehicle-borne explosive devices (VBIEDs). Due to increasing restrictions on explosive materials and the prioritisation of mass casualty attacks by the most prolific threat actors, such attacks have become infrequent.

More recent attacks have caused considerably more deaths but less material damage, with most attacks in the 2000s and 2010s causing less than $1 million in property damage. The exceptions to this include the 2011 Norway attacks, where the attacker used VBIED against a government office in Oslo, and a marauding firearms attack against a summer camp outside the capital. This combined methodology resulted in both high levels of property damage and a large number of fatalities.

Similarly, the 2015 Paris attacks caused many fatalities and considerable property damage due to the employment of both firearms and explosives (albeit much smaller devices than the one used in Oslo). Explosive attacks against transport infrastructure, like the 2004 Madrid bombing and 2005 London bombings, also resulted in high levels of property damage and casualties.

80% of the costliest attacks in Advanced Markets occurred in the 1990s

70% of the deadliest attacks in Advanced Markets occurred in the 2010s

THE MAJORITY OF ATTACKS THAT RESULTED IN LARGE PROPERTY DAMAGE LOSSES HAVE GENERALLY CAUSED FEWER DEATHS

0.02

0.05

0.1

0.2

0.5

1

2

5

10

20

50

100

200

500

1,000

2,000

0 20 40 60 80 100 120 140 160 180 200

London 7/7 ‘05

Baltic Exchange ‘92Manchester ‘96

London Docklands ‘96

Staples Corner ‘92 Oklahoma City ‘95

Paris ‘15

Amerithrax ‘01

Oslo/Utøya ‘11Brussels ‘16

Barajas Airport Madrid ‘06

Nice ‘16Pulse Nightclub, Orlando ‘16

San Bernardino ‘15

Manchester Arena ‘17

Charlie Hebdo ‘15

Madrid ‘04

Weiterstadt Prison ‘93

Berlin Christmas Market ‘16

World Trade Center ‘93

Bishopsgate ‘93

$US

D (m

illion

s)

Number of attack fatalities


AVERAGE NUMBER OF ATTACKS WORLDWIDE AND IN ADVANCED MARKETS BY TARGET / 1990-2018

OBSERVATIONS & CONTEXTSince 1990, police, military or government targets have been the most frequently attacked target type, followed by crowded places and private citizens, together accounting for 74% of all attacks worldwide. The majority of these attacks occurred in conflict zones, and since 2000, reflecting increasing violence in the Middle East, Africa and South Asia since the turn of the millennium.

While police, military or government targets, private citizens and crowded places were also the most common target types in Advanced Markets, the frequency of attacks against these has fallen significantly since the early 1990s. Attacks against commercial targets also declined significantly over the 30-year period, from 18% of all

There is very little variation in the number of attacks targeting of critical national infrastructure (CNI) and aviation since 1990, suggesting an equilibrium between terrorist capabilities and security measures and that the desire to attack these target types has remained relatively constant.

attacks in Advanced Markets in 1990, to 5% in 2015-2018. Equally, there has been a dramatic rise in attacks against places of worship and sites associated with minority groups in Advanced Markets since 2012. This corresponds with the increase in attacks by right-wing terrorists.

3,000

6,000

9,000

12,000

15,000

0 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 2014 2016 2018

100

300

200

400

500

600

0 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 2014 2016 2018

GroupAviation Police, Military & Government Private Citizens & Crowded PlacesPlace of worship / minority groupMedia & EducationCommercialCritical National Infrastructure

16.7% of attacks in Advanced Markets since 1990 targeted commercial interests

THE FREQUENCY OF ATTACKS WORLDWIDE AGAINST POLICE, MILITARY, OR GOVERNMENT TARGETS HAS FALLEN SIGNIFICANTLY SINCE THE EARLY 1990S

ATTACKS AGAINST COMMERCIAL TARGETS DECLINED SIGNIFICANTLY IN ADVANCED MARKETS OVER THE 30-YEAR PERIOD

Advanced marketsWorldwide

Num

ber

of a

ttac

ks

Num

ber

of a

ttac

ks


NUMBER OF ATTACKS WORLDWIDE AND IN ADVANCED MARKETS BY GRANULAR TARGET TYPE / 1990-2018

While police, military or government (PMG) targets were the most frequently attacked target type across the period, in both Advanced Markets and worldwide, there is considerable target-type divergence between the two geographic groupings.

For instance, financial and professional services were the third most common target type in Advanced Markets (although attacks in the 1990s largely account for this), whereas they account for a relatively small percentage of global attacks. Conversely, utilities accounted for a significant proportion of global attacks, but this was not reflected in Advanced Markets.

447 attacks on places of worship & minority groups in 2010s in Advanced Markets

177 attacks on places of worship & minority groups in 1990s in Advanced Markets

0 20,000 80,00060,00040,000Abortion Related

Marine

Energy & Extractive Industries

Aviation

Manufacturing

Pharmaceuticals / Healthcare

Telecommunications

Food & Agriculture

Real Estate, Property & Construction

Other Business

Not for pro�t (NGO/charity/heritage)

Entertainment & Media

Financial & Professional Services

Retail

Tourism, Hospitality & Leisure

Education

Political TargetUtilities

Transportation (excl Marine & Aviation)

Place of worship / minority group

Public Area

Private Citizens

Police, Military & Government

0 500 1,000 2,5002,0001,500

Energy & Extractive Industries

Marine

Pharmaceuticals / Healthcare

Food & Agriculture

Telecommunications

Real Estate, Property & Construction

Political Target

Manufacturing

Aviation

Utilities

Public Area

Education

Entertainment & Media

Abortion Related

Not for pro�t (NGO/charity/heritage)

Other Business

Retail

Transportation (excl Marine & Aviation)

Tourism, Hospitality & Leisure

Private Citizens

Financial & Professional Services

Place of worship / minority group

Police, Military & Government

2010s 2000s 1990s

Worldwide Advanced markets

OBSERVATIONS & CONTEXT

Number of attacks Number of attacks


PERCENTAGE OF ATTACKS IN ADVANCED MARKETS BY WEAPON COMPLEXITY / 1990-2018

OBSERVATIONS & CONTEXTLow-complexity weapons were used in around half of attacks in advanced markets 1990-2015. Since 2015, there has been a large increase in the use of simpler methodologies, with 78% of attacks in the three years to 2018 involving low-complexity weapons. Low-complexity weapons also now account for a much greater share of deaths in Advanced Markets than previously.

These trends partly reflect the improved ability of police and intelligence services to disrupt sophisticated plots involving the use of high-complexity weapons, compelling terrorists to use simpler alternatives. Extremist media has actively promoted the use of low-complexity weapons to offset the increasing efficacy of counter-terrorism efforts.

The greater prevalence of attacks using low-complexity weapons in recent years also reflects a shift in targeting priorities towards conducting mass casualty attacks against unprotected targets, for which simpler methodologies can be equally effective as those involving more complex weapons.

20

40

60

80

100

0 1990s

Low57%

High43%

2000s

Low55%

High45%

2010-2014

Low56%

High44%

2015-2018

Low78%

High22%

78% of attacks in Advanced Markets between 2015 and 2018 used low-complexity weapons

LOW-COMPLEXITY WEAPONS WERE USED IN AROUND HALF OF ATTACKS IN ADVANCED MARKETS 1990-2015

EXTREMIST MEDIA HAS ACTIVELY PROMOTED THE USE OF LOW-COMPLEXITY WEAPONS TO OFFSET THE INCREASING EFFICACY OF COUNTER-TERRORISM EFFORTS

Weapons complexity methodology: Weapons complexity references how difficult a weapon type is to obtain and it’s potential to cause widespread damage. High-complexity weaponry would typically include methodologies such as car-bombs, suicide bombs, improvised explosive devises and CBRN-related weapons. Low complexity weaponry includes guns, grenades, bladed objects and cars used as a battering ram.


ATTACKS BY OFFENDER TYPE IN ADVANCED MARKETS BY WEAPON COMPLEXITY / 1990-2018

OBSERVATIONS & CONTEXTSince the 1990s, separatist terrorists have most frequently employed complex weapons in attacks, whereas Islamist and right-wing extremists have made greater use of lower complexity weapons. This reflects both the different targeting priorities of these groups, and the generally greater sophistication (in terms of organisation, procurement and operational security) of separatist groups.

In contrast, recent years have seen right-wing and Islamist extremist attacks in advanced markets increasingly employ less complex methodologies, due to their ease of access and use, efficacy at causing mass casualties and the lower risk of detection by authorities.

20

40

60

80

100

0 AnarchistsFar LeftSeparatistsFar RightIslamist

Unknown 2%

Low67%

High32%

High16%

Low76%

Unknown 8%

High70%

Low26%

Unknown 3%

High43%

Low50%

Unknown 6%

High43%

Low53%

Unknown 4%

GroupIslamist ExtremistsFar RightSeparatistsFar LeftAnarchists

70% of separatist attacks in Advanced Markets since 1990 involved the use of high-complexity weapons

67% of Islamist attacks in Advanced Markets since 1990 involved the use of low-complexity weapons

RECENT YEARS HAVE SEEN RIGHT-WING AND ISLAMIST EXTREMIST ATTACKS IN ADVANCED MARKETS INCREASINGLY EMPLOY LESS COMPLEX METHODOLOGIES

SEPARATIST TERRORISTS HAVE MOST FREQUENTLY EMPLOYED COMPLEX WEAPONS IN ATTACKS

Weapons complexity methodology: Weapons complexity references how difficult a weapon type is to obtain and it’s potential to cause widespread damage. High-complexity weaponry would typically include methodologies such as car-bombs, suicide bombs, improvised explosive devises and CBRN-related weapons. Low complexity weaponry includes guns, grenades, bladed objects and cars used as a battering ram.


FREQUENCY OF ATTACKS IN ADVANCED MARKETS BY WEAPON TYPE / 1990-2018

OBSERVATIONS & CONTEXTIn advanced markets, explosives have broadly remained the most utilised methodology of attack since the 1990s, although the frequency of attacks has significantly decreased since 1996. This is partly due to tighter restrictions placed on materials needed to make explosives and increased capabilities by intelligence agencies to detect and disrupt plots using explosives.

Incendiary devices have been the second most utilised methodology since the 1990s. This high number is reflective of the ease of manufacturing viable incendiary devices, and of the prevalence of the methodology among left- and right-wing actors.

There has also been a significant increase since 2014 in attacks employing improvised weapons like vehicles and bladed/blunt weapons. This corresponds with the incitement of attacks using such weapons in extremist media. However, these methodologies continue to represent a small proportion of all attacks.

MeleeCBRN FirearmsExplosives Sabotage Equipment VehicleIncendiary

50% of attacks in Advanced Markets since 1990 involved explosives

1.4% of attacks in Advanced Markets since 1990 involved a CBRN component

THERE HAS BEEN A SIGNIFICANT INCREASE IN ADVANCED MARKETS SINCE 2014 IN ATTACKS EMPLOYING IMPROVISED WEAPONS LIKE VEHICLES AND BLADED/BLUNT WEAPONS

EXPLOSIVES HAVE BROADLY REMAINED THE MOST UTILISED METHODOLOGY OF ATTACK IN ADVANCED MARKETS SINCE THE 1990S

600

1990 1994 19981995 1996 1997 199919921991 2002 2006 2010 2014 2016200820042000 2001 2003 2005 2007 2009 2011 2012 2018

200

400

0

2013 2015 2017

Num

ber

of a

ttac

ksTERRORISM THREAT & MITIGATION REPORT 2019 24/ 53

AVERAGE NUMBER OF ATTACKS IN ADVANCED MARKETS BY OFFENDER TYPE / 1990-2018

2010-2018 in focus

OBSERVATIONS & CONTEXTThere has been a sharp decrease in the number of separatist attacks in advanced markets since the 1990s, with separatists now accounting for the least active ideology after anti-government extremists.

Far-right terrorists were the second most active offender type in advanced markets during the 1990s, although this decreased substantially after the millennium. However, since 2011 there has been a sustained rise in the number of attacks by right-wing terrorists. The far-right actors were the most prolific offender type in 2018.

Islamist extremists were responsible for a relatively small proportion of all attacks in Advanced Markets from 1990-2010, but were far more lethal than other offender types. Since 2014, the frequency of Islamist attacks has increased significantly, corresponding with the rise of Daesh and its incitement of attacks in the West.

250

200

150

1990 1994 199819961992 2002 2006 2010 2014 2016200820042000 2012 2018

100

50

0

50

40

30

2010 20142013 20162015 201720122011 2018

20

10

0

Anarchists Anti-government Extremists Islamist ExtremistsFar Left SeparatistsFar Right

36% of attacks in Advanced Markets in 2018 attributed to right-wing terrorists

55% of attacks in Advanced Markets in 1990 attributed to separatists

FAR-RIGHT TERRORISTS WERE THE SECOND MOST ACTIVE OFFENDER TYPE IN ADVANCED MARKETS DURING THE 1990S

Num

ber

of a

ttac

ks

Num

ber

of a

ttac

ks


ADDITIONAL INFORMATION/

OBSERVATIONS & CONTEXT

NIRT ATTACK FATALITIES IN THE UK MAINLAND AND NI/ 1990-2018

Northern IrelandUK Mainland

1990s

2000s

2010s

Islamist extremists have been the most lethal threat actors in Advanced Markets since 1990 by a wide margin. Even excluding 9/11, attacks by Islamist extremists accounted for almost three times the number of casualties as the next deadliest offender type (right-wing terrorists), despite there being very few mass

casualty attacks by Islamist actors in Advanced Markets prior to 2001.

Despite being the most active offender type, separatists caused markedly fewer casualties in advanced markets than either Islamist or right-wing extremists (however, violent dissident republicans were responsible for the

majority of attack fatalities in the UK, if the entirety of the UK is considered rather just mainland Great Britain).

Right-wing terrorists have become much more lethal in the past decade. While responsible for a large proportion of attacks in the 1990s, they caused relatively few deaths (with attacks often

targeting property). However, since 2011, right-wing terrorists have increasingly employed methodologies similar to Islamist extremists, with the intent of causing mass casualties. In 2018, right-wing terrorists were responsible for more fatalities in Advanced Markets than any other offender type.

NUMBER OF ATTACK FATALITIES IN ADVANCED MARKETS BY OFFENDER TYPE/ 1990-2018 (excl. 9/11)

Anti-government Extremists Far Right Islamist Extremists SeparatistsAnarchists, Far Left, Environmental, Student

20

40

60

80

100

120

140

160

180

200

220

1990 1991 1995 19961992 1994 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018

Attack fatalities due to Northern Ireland Related Terrorism were substantially higher in the Province than on the UK mainland during the 1990s. The majority of attacks carried out by the Irish Republican Army on the UK mainland, such as the 1993 Bishopsgate bombing, targeted financial centres that had a high-economic impact but caused very few casualties. Attacks in Northern Ireland were extremely high during the 1990s, reflecting the conflict

that was ongoing at the time. However, since the 1998 Good Friday Agreement, deaths on the UK mainland due to NIRT have been extremely low, with only one in the 2000s and two in the 2010s. Similarly, attacks in the Province have dropped substantially. Attacks in Northern Ireland are likely to continue, however, due to uncertainty surrounding the Irish border following Brexit, and there is a possibility that this could begin to affect the UK mainland too.

Num

ber

of a

ttac

k fa

talit

ies


https://www.thecssc.com/

The underlying data was sourced from the Global Terrorism Database (‘GTD’). Their methodology is well documented in the GTD codebook, available here https://www.start.umd.edu/gtd/downloads/Codebook.pdf

Please note that the GTD does not provide data for 1993. Records for incidents in 1993 were lost prior to the University of Maryland’s compilation of the GTD from multiple collection efforts, and retrospective analysis was able to identify only a small proportion of estimated events to have occurred in 1993. Therefore, the database excludes the entire year for consistency. A full explanation can be found on p.4 of the GTD codebook.

The following outlines the additional data cleaning and enhancement work that was conducted using the raw GTD data.

As a reference point, the NaCTSO definition of a crowded place was aligned with the GTD target types and sub-types to create the “Private Citizens & Crowded Places grouping)1. All these target schema changes were performed using a Python script.

Weapons were classed by both their complexity to acquire and execute an attack with, and their damage potential. This mapping scheme can be provided to readers on request.

Any attack within Advanced Markets with more than seven deaths had a unified attack name assigned to it to facilitate highlighting these significant events in various graphs. All mappings were applied using a python script.

MappingsThe original GTD data uses a very granular schema for attributing terrorist attacks to actors, resulting in 468 unique terrorist actors in Advanced Markets alone, and 2,484 actors globally across the date range. Therefore, in order to identify trends, it was necessary to group similar actors together. This mapping scheme can be provided to readers on request.

The GTD has 23 target types and 207 target sub-types. These were grouped into two new target schema – “target types”, with seven target categories; and, “granular target types” with 25 target categories. The definitions of these grouping can be provided to readers on request. The purpose of these two target schemas is to provide a high-level view of the target selection trends (“target types”), as well as a more granular and sector-focused view (“granular target types”).

CalculationsThe GTD does not provide a unique number of victim deaths for events; rather, it includes the deaths of terrorist with their victims, as well as recording the number of terrorist deaths in a separate field. Additionally, when the number of deaths is unknown, the GTD records this as –99, thus leading to incorrect totals when the deaths across events are added. The number of victim deaths for each event was therefore calculated using a python script; events with an unknown number of deaths (recorded as –99 in the GTD) were treated as having no victim deaths.

1 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/820082/170614_crowded-places-guidance_v1b.pdf

Exclusions Several events in the GTD data had high numbers of victim deaths but were likely not genuine cases of terrorism; these were excluded from the data and are listed below:

• 1992 Taiwan Hotel Fire(ID:199210200007)

• 1996 Taiwan County Magistrate Murders(ID:199611210005)

• 2001 Zug Local Assembly Shooting(ID:200109270003)

• 2013 Fertiliser Factory Fire (Texas)(ID:201304170041)

• 2016 EgyptAir Plane Crash (ID:201605190058

Geographical criteriaThe Swiss Re category of “Advanced Markets” was applied to the GTD to create a set of events which took place in countries with advanced insurance protection. Swiss Re’s definition of Advanced Markets is based on insurance density and penetration rates (as a percentage of GDP).

Within this grouping, Israel and Northern Ireland were excluded, leaving a total of 29 countries: Australia, Austria, Belgium, Canada, Cyprus, Denmark, Finland, France, Germany, Greece, Hong Kong, Iceland, Ireland, Italy, Japan, Luxembourg, Malta, Netherlands, Norway, New Zealand, Portugal Singapore, South Korea, Spain, Sweden, Switzerland, Taiwan, the United Kingdom (excl. Northern Ireland), and the United States.

STATISTICAL METHODOLOGY





TERRORIST USE OF DRONES


DRONES COULD BE EMPLOYED WITH LITTLE OR NO MODIFICATIONS TO CAUSE PUBLIC DISRUPTIONS AND SPREAD FEAR

Terrorists have long had the intent, and in some cases the capability to used unmanned aerial vehicles (drones) in attacks. However the proliferation of cheap, commercially available drones has significantly increased the likelihood of them being used in attacks.

The well-document use of drones by Daesh in Iraq and Syria, for targeting and surveillance and to deliver explosive payloads demonstrated the potential for such systems to be exploited by terrorists. By 2017/18, Daesh’s use of drones had become highly sophisticated. Other non-state actors subsequently adopted the technology for use in combat, and, in August 2018, off-the-shelf ‘quadcopter’ modified to carry IEDs were used in an attack on the Venezuelan President at a parade in Caracas.


To date, terrorist use of drones remains largely confined to active conflict zones. This is partly due to the continued viability of simpler, lower risk methodologies for causing mass casualties – the primary intent of most extremists operating in the West. A related factor is the difficulty of effectively weaponising drone technology without relevant material and expertise. Despite this, drones could be employed with little or no modifications to cause public disruptions and spread fear. Therefore, changes in the intent and targeting priorities of malicious actors could result in much greater exploitation of drone technology for terrorist purposes.

TERRORISM THREAT & MITIGATION REPORT 2019 29/ 53TERRORISM THREAT & MITIGATION REPORT 2019

THE THREAT TO AVIATION

DRONES AS AIRBORNE IEDS

DRONES AS DISPERSAL METHOD FOR CHEMICAL, BIOLOGICAL OR RADIOLOGICAL (CBR) AGENTS

DRONES POTENTIALLY CONFER NUMEROUS ADVANTAGES TO TERRORISTS PREPARING ATTACKS

The aviation sector remains a priority target for terrorists, and Islamist extremists in particular. There has been considerable public speculation about the potential for drones to be used to target in-flight commercial aircraft. At present, it is unclear how much of a threat drones pose to civil aviation, or whether terrorists have given serious consideration to using the technology to target aircraft. To date, there have been few verified collisions between airliners and drones, and little testing has been done on the potential effects of collisions or the ingestion of drones by aircraft engines. However, the likely damage of either scenario involving an unmodified drone is not believed to be materially worse than that caused by bird strikes, and it is unlikely to result in the complete loss

of an aircraft. However, modified drones potentially pose a greater threat to inflight aircraft. Airliners are most vulnerable to drone strikes while at low altitudes during take-off or landing. Therefore, exposures most at risk from attacks on aviation involving drones are properties in built-up areas below flight paths near airports, including airport terminals and buildings themselves.

More likely than attacks on aircraft hulls is the use of drones to disrupt commercial aviation operations by invading protected airspace around airports; a swarm of drones against an aircraft cannot be discounted. High safety standards and low risk appetites in commercial aviation mean safety regulations in the UK and other developed countries prohibit aircraft

Drones potentially confer numerous advantages to terrorists preparing attacks, including their ability to bypass terrestrial security measures and carry out attacks remotely, thereby reducing the risk of detection and disruption. However, to exploit the technology fully, terrorists must first be able to weaponise drones in their possession. The relatively small size and weight of commercially available drones restricts their utility as an unmanned firearms platforms or kinetic projectiles. Therefore, in these scenarios, drones are more likely to be used by terrorists to convey either explosive or chemical, biological or radiological (CBR) material to a target.

Explosives: Commercially available drones have been adapted by terrorists for use both as loitering munitions and unmanned aerial combat vehicles. While the transmission of such methodologies from overseas to the UK is a concern, the difficulties in either acquiring off-the-shelf explosives or manufacturing homemade devices mean the likelihood of such tactics being employed in the UK is low. Furthermore, drones are a less reliable delivery mechanism compared to vehicle or person-borne IEDs, and the requisite modifications demand specialist knowledge and material, increasing the risks associated with their use.

The advantages of drone technology to terrorists are less pronounced if the intent is to cause indiscriminate mass casualties. The ubiquity of relatively unprotected crowded places which do not require circumvention of terrestrial security measures means most current UK threat actors will likely forego the complexity of using drone-borne IEDs in favour of simpler, conventional conveyance methods. However, any changes to the targeting priorities of UK-based terrorists could increase the likelihood of drones being used as airborne IEDs.

The relatively small payload of most commercial drones in the UK also limits their utility as a delivery method; the most popular drones currently sold in the UK have a payload of less than 2kg, while few carry more than 4kg. The Manchester Arena and Parsons Green attacks in 2017 employed IEDs weighing approximately 14kg and 4kg respectively. Therefore, while possible to use currently available drone technology to deliver IEDs, the size and destructive power of such devices would be limited and, therefore, more suited to targeted attacks than indiscriminate, mass casualty ones.

The most destructive methodology in the UK would be if a terrorist actor used a drone to disseminate chemical, biological or radiological material. The use of CBR material in any circumstance could cause a significant amount of damage within a very short period of time. This is assessed to be of low probability but with high impact against all target types.

A chemical attack, utilising a drone, in the UK is considered to be possible3, although manufacturing a military grade CBR device is complex and risky; the use of HAZMAT material is more likely, for example a petrol tanker being hijacked and then set ablaze in a crowded place. Such an incident would cause considerable business interruption and there would likely be a large police cordon erected in all areas deemed to have been affected by the attack. The material or substance would require identification and the subsequent decontamination process could be extensive in terms of time and area. If a drone was used as a delivery method several areas could be contaminated in a short period of time. The small, localised event in Salisbury left some businesses closed for months, and one for over a year.

from flying in airspace where drones have been sighted. Threat actors can exploit this to prevent aircraft operations and cause significant disruption, as demonstrated by events at Gatwick Airport in December 2018. There is potential for non-damage business interruption claims in a similar scenario if it was certified as a terrorist attack. However, the perpetrator would have to be found to have had terrorist motivations. Most proscribed terrorist actors in the UK are currently considered less likely to employ such tactics. However, the use of drones to disrupt commercial aviation would represent a viable methodology for actors whose main intent is to inflict damage on the UK’s economy – as demonstrated by Extinction Rebellion2.



CARACAS DRONE ATTACK

Two drones carrying IEDs targeted a military parade in an alleged assassination attempt against Maduro. One drone detonated above the parade, injuring soldiers below. The other crashed into a nearby building. The drones’ failure to reach Maduro was possibly due the use of electronic countermeasures by Venezuelan security forces. The limited damage caused by the attack reflects the small payloads of such drones. The incident was the first use of commercially available drones as aerial IEDs outside a conflict zone. Further attacks of this nature are anticipated in future.

DATE: 04 Aug 2018LOCATION: Caracas,

VenezuelaOFFENDER: UnknownMETHODOLOGY: Drone-borne

Improvised Explosive Device

DEATHS: 0 INJURIES: 8


built-up areas, and other solutions like jamming carry the risk of targeted drones causing collateral damage when downed. Furthermore, there is currently no legal basis for private bodies to seize or destroy drones operating over private property. Consequently, while detector technology can by employed in the UK by private users with the correct permissions, the use of effectors is currently restricted to law enforcement bodies. Private organisations considering the acquisition of drone countermeasures should ensure that they fully understand procured technology and have the relevant knowledge and the permissions necessary for its correct employment.

The relative immaturity of drone technology means that regulatory responses to the threat continue to mature and there is currently no ‘silver bullet’ in countering them. While wide-ranging restrictions on the use of drones are unlikely, forthcoming regulations aim to ensure drones are only employed by competent users for legal purposes. While unlikely to deter terrorists from acquiring or using drones, this, and the establishment of operating norms and best practices, will enhance the ability of authorities to differentiate the

malicious use of drones from legal, largely recreational activity. Equally, improved recording and reporting of incidents will provide a better understanding of the threat and help inform the development of incident response guidance. Other potential regulatory responses include mandating the incorporation of safety features such as ‘geo-fencing’ (the establishment of virtual boundaries for geographic areas, the transgression of which would override the commands of the drone operator) into commercially available drones. Although such measures could be circumvented by more sophisticated terrorists with the requisite knowledge, it would make the malicious use of drones more difficult.

For most businesses, investment in specific counter-drone technology is unnecessary, with resources better committed to improving awareness of the threat, and developing procedures for identifying, reporting and responding to drone sightings. Understanding the implications of trying to impose post-incident cordons on something ‘which you can’t see’ should also be considered by security directors and risk managers.

Current counter-drone technology can largely be divided into ‘detectors’ and ‘effectors’; the former are designed to detect, track and classify drones, while the latter are intended to bring down hostile drones. Most countermeasures have been designed for the military market and are therefore often unsuitable for use in a civilian environment (due to collateral damage issues). The civilian drone market is also being inundated with new and evolving drone designs and technologies. Therefore, the detector technology needs to continue to adapt at pace to mitigate the full spectrum of threats. Thus, while detecting and countering drones is largely possible with current technology, doing so in a safe, legal and proportionate manner in a domestic setting remains challenging. Both detectors and effectors have the potential to interfere with electronic and communications systems and technologies (such as mobile phone signals) and must therefore be judiciously used to avoid disrupting many of the systems modern life depends on. This challenge is exacerbated in signal-rich environments like airports. The use of effectors is also problematic; kinetic effectors (e.g. missiles, lasers, firearms etc.) are unsafe to use in

MITIGATING THE RISK



https://www.cpni.gov.uk/

Conrad Prince/ Senior Cyber Terrorism Advisor to Pool Re

Pool Re is continuing to assess terrorist use of cyber, working with our partners at the Centre for Risk Studies at Cambridge University’s Judge Business School. Our focus is on the potential for terrorists to use cyber for destructive effect to property. This is not an easy area to assess. Terrorists are hard targets to penetrate even for the best intelligence agencies, and there is a lot of chaff to wade through in open source material, the truth of which is often hard to assess.

That said, there remains little or no evidence of terrorists developing cyber capabilities that have destructive effect. Terrorist use of digital technology continues to be primarily in traditional areas like communications and propaganda. Indeed, there are some indications that the use of the internet for sophisticated propaganda by Islamist terrorists is on the decline, perhaps in part as a result of disruption operations by Western agencies. A few references to cyber have been noted in extremist publications, but these are not prominent. And there is some suggestion of Islamist terrorist groups seeking to hijack dormant Twitter accounts for propaganda purposes, but this is not very sophisticated stuff.

RECENT DEVELOPMENTS IN OFFENSIVE CYBER OPERATIONS AND THE IMPLICATIONS FOR TERRORISM

TERRORIST USE OF CYBER CONTINUES TO BE PRIMARILY IN TRADITIONAL AREAS LIKE COMMUNICATIONS AND PROPAGANDA

However, the potential to exploit cyber will always be present. And various factors could rapidly increase terrorists’ capabilities. These might include specialist support from a hostile nation state, the appearance of destructive malware on the open market (either as a result of unauthorised disclosure of nation state capability, or the development and release of malware by an independent actor), or the availability of a sympathetic insider whose job might make a particular cyber-attack more achievable.

One factor to keep an eye on is any evidence of terrorists using cyber for more sophisticated purposes, which might stop short of disruptive or destructive effect, but which get them along that path. At present there is little sign of this. However, there is arguably at least one exception, in the shape of the Palestinian group, Hamas.

Precise attribution is always going to be difficult, as is saying for sure whether particular cyber activity is truly directed by a specific group. However, there is good evidence to show Hamas moving up the ‘cyber value chain’ over the last few years. At least a decade ago, they were conducting website defacements and sporadic denial of service attacks. More recently, however, analysts have concluded that Hamas has been undertaking more sophisticated cyber espionage operations.

Conrad Prince served as the Director General for Operations and Deputy Director of GCHQ from 2008 to 2015. In those roles he led GCHQ’s intelligence operations and oversaw the development of the UK’s national offensive cyber capability. From 2015 to 2018 he was the UK’s first Cyber Security Ambassador, leading cyber security capacity building work with a number of key UK allies. He retired after 28 years of Government service in January 2018, and now holds a range of advisory roles in cyber and security.


In 2017, the Israeli Defence Force (IDF) detailed an alleged Hamas cyber espionage campaign targeting IDF soldiers by initiating chats through fake online profiles. These culminated in persuading the soldier to download a fake video chat app, which was in fact malware infecting their mobile device, reportedly stealing data and geolocating it. The cyber company Kaspersky reported on the same campaign. Then in Summer 2018 there was reporting of a further Hamas cyber espionage campaign, along similar lines, followed a few weeks later by allegations that Hamas had released mobile malware that imitated the Israeli rocket warning app.

The story of Hamas cyber operations reached a dramatic culmination in May this year. During a period of intense fighting in the Gaza Strip, the IDF reported it thwarted an unspecified Hamas cyber-attack, which they described as aimed at ‘harming the quality of life of Israeli citizens’. The IDF then launched an air strike on the building reportedly housing Hamas’s cyber team. Following the strike, the IDF announced that Hamas no longer had cyber capabilities.

We can only speculate as to the details here, but it is possible that the cyber-attack the Israelis say they defeated was of a more aggressive kind than the espionage activities previously undertaken by Hamas. The fact that it took place during a period of conventional kinetic operations – and was perhaps co-ordinated with them – may also be relevant.

It is unclear whether this has put paid to Hamas’ cyber capabilities. Ten days after the IDF air strike, media reporting indicated that unspecified hackers had briefly interrupted an Israeli webcast of the Eurovision song contest semi-final by replacing the broadcast with a fake warning about an attack on Tel Aviv. The Israeli national broadcaster blamed Hamas, though there is no hard evidence for this.

The Hamas example is interesting in that it seems to demonstrate terrorists using cyber for more sophisticated purposes than simply propaganda and deploying a range of capabilities in doing so. It is impossible to say how far Hamas may have got with this progressive increase in the scale of their cyber operations. But the fact it culminated in Israeli military action is striking.

That said, this is still a long way from the use of cyber-attack for serious destructive purposes. There are relatively few examples of destructive attacks taking place, but it has happened. The most striking cases include Stuxnet, the cyber sabotage of centrifuges at an Iranian uranium enrichment plant in around 2007; an attack on a German steel mill reported by the German authorities in 2014, which prevented a blast furnace from being shut down, causing significant damage; and the 2015 attack on the Ukrainian power system, which took around 30 substations offline denying power to a quarter of a million people for several hours.

And concerns are growing about hostile nation state use of offensive cyber for destructive effect. In June 2019, Chris Krebs, Director of the US Department for Homeland Security’s Cybersecurity and Infrastructure Security Agency stated that his agency was aware of ‘a recent rise in malicious cyber activity directed at US industries and government agencies by Iranian regime actors and proxies’. Krebs noted that Iranian actors were ‘increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money’.


An acceptance that cyberspace is inevitably a domain of destructive action, not just propaganda or espionage, and that all nations with serious aspirations will develop and potentially deploy destructive capabilities. At a time where there is little by way of accepted cyber norms of behaviour or deterrence doctrine, this will be a cause of concern for some.

We may still be a long way from terrorist groups using these capabilities. But as they become more widely developed and adopted, the potential for terrorist use increases, not least through the kinds of factors described earlier, such as support from a state sponsor. For this reason alone we need to retain a clear focus on this potential threat and how it develops in our unstable international environment.

Meanwhile, there has been continued reporting from cyber security experts relating to threat actors associated with the TRITON malware. This malware was used in a 2017 attack on a Saudi chemical and refining facility during which it apparently successfully moved from the facility’s administrative IT systems onto its operational technology or industrial control systems. Researchers have suggested that the purpose of this attack was not to steal data but to enable the disruption of the facility’s operations.

In June this year, a cyber threat company that has been studying the threat actor associated with TRITON reported repeated reconnaissance attempts targeting electric utilities in North America, Europe and Asia Pacific, asserting additionally that multiple industrial control system vendors had also been targeted, perhaps to enable supply chain attacks. There are different views as to the identity of the threat actor, with cyber security company FireEye suggesting it is associated with Russia.

So there are continuing indications of hostile nation states exploring cyber capabilities with potentially destructive effect. And the West is responding. In 2018 the US Department of Defense issued its new cyber strategy, setting out the ‘defend forward’ doctrine. The tone is striking. Specifically calling out

Russia and China as strategic threats, the strategy states that the USA will ‘conduct cyberspace operations to…prepare military cyber capabilities to be used in the event of crisis or conflict’ and that the DoD will ‘persistently contest malicious cyber activity in day-to-day competition’.

This more assertive tone may be being reflected in actual action. In June this year the New York Times reported current and former US government

officials as stating that the USA was stepping up its cyber incursions into Russia’s electric power grid, placing implants on the electricity network that could be used for disruptive purposes when needed. It is impossible to judge the truth of this report, which the DoD described as ‘inaccurate’.

Meanwhile, there was widespread reporting shortly afterwards that the USA had launched a cyber-attack on Iranian rocket and missile associated command and control infrastructure, against the backdrop of escalating tension in the region including the downing by Iran of an American unmanned aerial vehicle.

In the UK, there has been press speculation suggesting the impending creation of a national cyber force, further developing the UK’s own offensive cyber capabilities. This would reportedly combine resources from GCHQ and MoD, potentially with a significant uplift in funding. GCHQ’s Director, Jeremy Fleming, has spoken publicly of UK offensive cyber operations against Daesh, and of the need for nations to have the ability, in extremis and in accordance with international law, ‘to project cyber power to disrupt, deny and degrade.’

Taken together, these developments might be seen to reflect an increasing normalisation of offensive cyber.


1 https://www.bbc.co.uk/news/uk-england-manchester-49645627

2 https://www.hstoday.us/subject-matter-areas/terrorism-study/terrorists-use-of-drones-promises-to-extend-beyond-caliphate-battles/

3 https://uk.reuters.com/article/uk-britain-security/possibility-of-chemical-attack-in-uk-getting-closer-security-minister-idUKKCN1MJ1HW

THERE REMAINS LITTLE OR NO EVIDENCE OF TERRORISTS DEVELOPING CYBER CAPABILITIES THAT HAVE DESTRUCTIVE EFFECT


https://www.ncsc.gov.uk/

Jerry Smith/ CHC Consulting

There have been no successful terrorist attacks involving chemical, biological, radiological or nuclear (CBRN) material in the UK or other developed economies over the past 12 months. However, terrorists retain the intent to employ such weapons against the UK, due to their potential to kill and maim on a large scale, and their outsized psychological impact relative to conventional methodologies.

While the challenges for non-state actors for successfully acquiring, weaponising and deploying CBRN material means such attacks are unlikely, advances in technology and the dissemination of terrorist tradecraft online have reduced these barriers. Furthermore, the continued use of chemical weapons by state actors has underlined the fragility of arms control agreements and increased the risk of proliferation to terrorist groups. Equally, while Daesh’s territorial collapse in Iraq and Syria has limited the group’s ability to develop and deploy CBRN weapons, the phenomenon of ‘returning fighters’ may have dispersed those members with relevant knowledge, increasing the risk of CBRN attacks in other regions.

CBRN PROLIFERATION AND THE THREAT TO THE UK

Eighteen months after the poisoning of Sergei and Yulia Skripal, Salisbury’s economy continues to suffer from decontamination and clean-up operations and business interruption costs. This relatively small incident also put significant pressure on emergency services and specialist responders, underlining the potential for CBRN attacks to overwhelm authorities and cause catastrophic human and financial losses.

TERRORISTS RETAIN THE INTENT TO EMPLOY CBRN WEAPONRY AGAINST THE UK DUE TO THEIR POTENTIAL TO KILL AND MAIM ON A LARGE SCALE, AND THEIR OUTSIZED PSYCHOLOGICAL IMPACT

With most losses in such a scenario likely to arise from the response of the authorities and the public, business should prepare for such a crisis by planning and rehearsing relocation and alternative work systems as part of their resilience preparation. This should include appropriate crisis communication tools to reassure and inform perceptions to ensure that fear, uncertainty and doubt do not unnecessarily exacerbate the situation.

Jerry Smith OBE is a senior partner at CHC Global, an independent London-based special risks intermediary and advisory company. He has over 25 years’ experience of security risks and crisis response, specialising in the management of CBRN perils. He is a former bomb disposal officer and UN weapons inspector.


THERE IS A REALISTIC POSSIBILITY THAT PREVIOUSLY TREATABLE DISEASE AND INFECTIONS WILL BECOME A RISK TO HUMAN HEALTH

CHEMICAL ATTACKS BIOLOGICAL CONVERGENCE

As the Syrian conflict moves to its next phase, there has been a reduction in the reporting of chemical weapon attacks. Along with the improving fortunes of the Assad regime, it is possible that the successful introduction of an attribution mechanism within the chemical weapons treaty guardians, the Organisation for the Prohibition of Chemical Weapons (OPCW), has been a measure of deterrence. The self-same organisation sent an international team of investigators to conduct independent analysis of the Salisbury attack, with their results supporting the UK’s identification of Novichok, a rare and super-toxic nerve agent.

A previous poisoning attack in 2017 occurred against Kim Jong-nam, the half-brother of the current North Korean leader, who was killed by VX nerve agent in Kuala Lumpur airport departures. The nature of the attack and the chosen poison suggests that the use of a chemical weapon for targeted extra-judicial killings remains a tool for governments, content to have implausible deniability of their direct actions.

Whilst these two events were not declared as terrorism, the blurring of division between state and non-state actors means it is entirely conceivable that a future use of chemicals in an attack could be ‘contracted out’ to a proxy organisation into what could be defined as a terrorist attack.

Biological attacks thankfully remain even more infrequent than chemical events. Though biological weapons have been used in war for centuries, producing an effective weaponised pathogen remains difficult. However, the smaller scale use of toxins (naturally occurring poisons) by non-state actors has been seen on recent occasions. Two individuals in Cologne are currently accused of acquiring and preparing to use ricin, a toxin from the castor bean plant, in a terror attack in Germany.

On a wider scale, we have seen the enduring tragedy of the Ebola outbreak in the Democratic Republic of Congo. Whilst this has not originated from malicious intent, it has certainly been exacerbated by violent non-state actors, as well as an under-developed healthcare system. Although there is little direct link to the UK, the outbreak and the international community’s reaction indicates how a response to an affected population could have a substantial impact on outcomes.

There is also significant concern around the increasing levels of antimicrobial resistance (AMR), whereby harmful bacteria are evolving immunity to many antibiotic drugs. Warnings have already been given by a number of government health organisations. Without integrated and coordinated action, there is a realistic possibility that previously treatable diseases and infections will again become a risk to human health. The US Biomedical Advance Research and Development Authority (BARDA) considers AMR now to be a homeland security issue not only because of the reduction in capability to treat a malicious bacterial attack, but also because it threatens the viability of mass medical intervention in the case of a conventional terrorist event.


NUCLEAR PROLIFERATION

NEW TECHNOLOGIES

UK REFORMS CBRN RESPONSE CAPABILITY

THE USE OF A CYBER MEANS TO DISRUPT INDUSTRIAL CONTROL SYSTEMS IS ANOTHER AREA WHERE HAZARDOUS INDUSTRIAL MATERIAL COULD BE MALICIOUSLY RELEASED

Understandably, nuclear threat concerns tend to focus on weapons and, more recently, the development efforts by Russia of a missile propelled by a nuclear engine. State-on-State issues, be it US-Iran or Pakistan-India, may appear remote. But a growth in weapon numbers, particularly of smaller battlefield systems, potentially increases the vulnerability of illicit acquisition by a non-state actor with intentions of deployment in the West.

Perhaps of more strategic interest is the upwards trend in the construction of nuclear power plants, with over 450 facilities in use globally and responsible for generating 11% of the world’s electricity. A number of countries, including Russia and South Korea, now have turn-key plants available for sale. The nuclear safety watchdog, the International Atomic Energy Agency (IAEA) has a number of well-established rules around reactors capable of making nuclear material for weaponisation. So, the principal risk is more to do with the acquisition and use of nuclear fuel as a radiological weapon, rather than that of a bomb. With nuclear plants now being constructed in developing nations, there is a risk that financial constraints could lead to the IAEA-mandated safety and security governance not being followed as well as it should be. This again could be an opportunity for terrorists to acquire material for use in some form of improvised device.

The increasing civilian use and technological advances of UAVs (drones) have the potential to allow terrorist actors to deploy toxic material directly to a target. Such delivery systems can be built or modified to overcome a range of control measures, such as geo-fencing and GPS location spoofing, although this requires a degree of specialist knowledge beyond the capability of many terrorist actors. However, consideration of further drone countermeasures is likely to continue apace.

The use of a cyber means to disrupt industrial control systems (ICS) is another area where hazardous industrial material, be it chemical, biological or radiological in nature, could be maliciously released. There is increasing recognition that more must be done to ensure cyber security extends to ICS networks.

Perhaps the most troubling technology issue on the horizon is that of synthetic biology. Warnings from organisations as disparate as the World Economic Forum, the Wellcome Foundation and Nuclear Threat Initiative (NTI) all express concern that the advent of

In the wake of the Salisbury poisoning attack, the government announced £48 million to fund a new ‘Chemical Weapons Defence Centre’ in addition to £11 million to boost the development of broader counter-CBRN capabilities. The Army has now taken responsibility for CBRN defence and formed a Royal Engineers regiment to lead a military response.

As part of the 2018 ‘Step Change’ initiative, a national policing body has been driving for closer collaboration with commercial entities that contribute in supporting counter-terrorism and resilience efforts. Whilst there appears to have been minimal commercial involvement in the Salisbury and Amesbury remediation work, the Department for Farming and Rural Affairs (DEFRA) has the responsibility to lead on private sector involvement in contamination removal from a terrorist CBR attack. ‘Defra CBRN Emergencies’ (formerly known as the Government Decontamination Service, GDS) coordinates contractor-involvement in contamination clean-up, with suppliers typically coming from the industrial chemical and waste management sectors. It is entirely plausible that in a larger CBRN event all available resources, both civilian and military, would be required.

advanced gene manipulation could change the global risk assessment for so-called designer pathogens. In 2017, a Canadian university was able to purchase various biological materials that allowed them to ‘make’ the horsepox virus in the university laboratory. Whilst this is harmless to humans, experts state that it is not a great leap to alter a number of elements to develop a human pathogen, such as smallpox. Such a disease could have a devastating impact on a population.



It has long been recognised that terrorism can be a remarkably effective low-cost form of conflict. For modest outlays on the part of perpetrators, terrorist violence can inflict disproportionately high economic costs. The potential for heavy economic impacts was a key factor behind the formation of Pool Re in the UK and other terrorism reinsurance schemes internationally.

While the insurance sector is aware of the possible large economic and commercial impacts of terrorism, what is less well understood is how terrorists themselves appreciate and think about the economic consequences of their attacks. To what extent does this play a role in terrorist targeting and strategy? What role does ideology play in the process? Are some terrorist movements more likely to select economic and commercial targets than others? This paper aims to shed light on how and why some terrorists deliberately aim for economic targets and impacts while others ignore them.

Andrew SilkeProfessor of Terrorism, Risk and Resilience/ Cranfield Forensic Institute / Cranfield University

HOW TERRORISTS THINK ABOUT THE ECONOMIC IMPACT OF ATTACKS

IDEOLOGY SPELLS OUT WHAT TARGETS ARE CONSIDERED LEGITIMATE AND WHICH ONES ARE PRIORITIES

Terrorist violence is often portrayed in the media as mindless and indiscriminate, but in reality, terrorist attacks are usually the result of deliberate and considered planning, and the weighing up of different choices and options. Some terrorist attacks take years to plan. Others just days or even hours.

For clandestine and secretive actors, terrorist movements are often surprisingly explicit around their ideologies and strategy. Most publish manifestos and guides intended to educate new recruits and supporters and these are frequently widely available on the internet. For those interested in understanding the drivers behind terrorist targeting, these can provide crucial insight into the nature of the threat.

Andrew Silke is Professor of Terrorism, Risk Management and Resilience at Cranfield University. He is internationally recognised as a leading expert on terrorism and counter-terrorism and has published widely on these subjects. He is a member of the UK Government’s Cabinet Office National Risk Assessment Behavioural Science Expert Group.


Ideology sets the wider context for the terrorist movement. It establishes who the enemy is and what the terrorists are fighting to achieve. Ideologies also spell out what targets are considered legitimate and which ones are priorities. Some groups place a high importance on economic impact. For example, with regard to Islamist terrorism, the writings of Al Qaeda’s current leader, Ayman al Zawahiri, consistently stress a focus on economic impact:

“�The�first�front�is�to�inflict�losses�on�the�western�crusader,�especially�to�its�economic�infrastructure�with�strikes�that�would�make�it�bleed�for�years.�The�strikes�on�New�York,�Washington,�Madrid� and�London�are�the� best�examples�for�that.”

– Ayman al Zawahiri2006

To make the Six Counties as at present and for the past several years ungovernable except by colonial military rule.

• To sustain the war and gain support for its ends by National and International propaganda and publicity campaigns.

• By defending the war of liberation by punishing criminals, collaborators and informers.

Interestingly, from the IRA’s perspective, economic impact was the second most important part of their overall strategy and certainly an examination of the IRA’s campaign of violence prior to the 1998 Good Friday Agreement shows a repeated focus on hitting high profile economic and commercial targets. The current capacity of active dissident groups to follow suit is much more limited, but a desire to do so appears to remain.

Such insight can be followed up by examining further documentation such as the instruction manuals many groups produce and use. Having established an appropriate range of targets for violence, these manuals and other writings often follow this by providing instruction to members on how to plan, prepare for and then carry out attacks (e.g. giving instructions on how to construct weapons and carry out reconnaissance of potential targets).

One sees the same trends with other terrorist groups which come from very different contexts and backgrounds. For example, the IRA’s instruction manual, The Green Book, outlines very clearly the overall strategy of the organisation for new members.

This states that the IRA’s aims are to carry out:

• A war of attrition against enemy personnel which is aimed at causing as many casualties and deaths as possible so as to create a demand from their people at home for their withdrawal.

• A bombing campaign aimed at making the enemy’s financial interest in our country unprofitable while at the same time curbing long term financial investment in our country.

IDEOLOGY IS A CRITICAL FACTOR IN TERRORIST TARGET SELECTION


ECONOMIC COST OF TERRORISM/ 1990-2018/ Advanced markets

POOL RE CLAIMS/ London, UK

POOL RE CLAIMS/ UK (excluding London)

1992 Baltic Exchange Building, London

$938m

1992 Staples Corner, London $134m

1993 Bishopsgate Bombing $1,266b

1993 Weiterstadt Prison Germany $99m

1993 World Trade Center $872m

1995 Oklahoma City Bombing $203m

1996 London Docklands Bombing $362m

1996 Manchester Bombing $1b

2001 11th September World Trade Centre

$100b

2004 Madrid Bombing $9m

2005 London 7/7 $82m

2006 Barajas Airport Madrid $65m

2011 Norway Attacks $29m

Economic cost of terrorism

1993 Bishopsgate Bombing £840,034,282 1993 Bournemouth Bombings £1,403,604 1994 West End Firebombing £599,191 1994 West End Firebombing £1,814,648 1994 Israel Embassy Bombing £5,275,160 1994 Balfour House Bombing £1,148,391 1994 Bognor Regis Bombing £94,400 1996 London Docklands Bombing £236,806,436

1996 Manchester Bombing £508,528,92 2001 BBC Television Centre Bombing £1,323,545 2001 Ealing Broadway Bombing £12,272,745 2005 London 7/7 £13,401,000 2013 Portishead Arson Attack £18,000,000 2017 Westminster Bridge Attack £4,000 2017 Manchester Arena Bombing £4,700,000 2017 London Bridge Attack £840,000

Pool Re Claims


While the rationales for targeting economic and commercial targets are often similar even if the ideological motives behind the attacks are radically different, some terrorist ideologies seem less interested in economic impact than others. We have already seen that economic impact is prominent in Islamist and some nationalist-separatist terrorism, but economic targets are much less significant in the thinking of far-right extremists. When it does feature it tends to be a secondary objective rather than a priority. For example, in 1996 Eric Rudolph carried out a bomb attack targeting the Atlanta Olympics. Rudolph was a lone actor motivated by a fundamentalist Christian ideology whose previous attacks had mainly targeted abortion clinics. In targeting the Olympics, he later said “the purpose of the attack … was to confound, anger and embarrass the Washington government in the eyes of the world for its abominable sanctioning of abortion on demand.” He added that a secondary aim was to “create a state of insecurity to empty the streets around the venues and thereby eat into the vast amounts of money invested”.

Terrorist attacks often have multiple objectives from the views of the perpetrators. An attack which receives a great deal of media attention is usually seen as much more successful than an attack which receives relatively little (even if the human casualties and physical damage caused by both attacks are similar). Indeed, even if an attack results in the death or capture of all the terrorists involved it can still be regarded as highly successful if it has received intense international media attention.

While the leadership of terrorist movements are often keenly aware of the strategic value in selecting economic targets, in practice their tactics and target selection are limited by the capability of the terrorist group. Terrorists have finite resources in time, money, information, skills and expertise. Lone actors are even more limited than groups. Thus, terrorist planning and preparation will never be perfect.

Even this secondary element for economic impact is unusual for far-right extremism. Examining the manifestos of some of the more notorious far-right terrorists emphasises that economics does not feature in their thinking. For example, Anders Breivik who was responsible for killing 77 people in attacks in Norway in 2011 released a 1,500 page long manifesto on the internet shortly before his attack. In this, he highlighted a list of “prioritised targets” which he encouraged other right-wing extremists to attack. The list included buildings, meetings and individuals associated with left-wing political parties, media centres and journalists, government buildings, university buildings, and finally mosques and other Islamic targets. There was no mention of explicitly economic or commercial targets, however, and overall this was not a feature of the strategy he advocated. Any economic impact resulting from attacks was incidental (at least from the perspective of the right-wing terrorist) and was not a significant aim in the decision-making around the attacks.

That many terrorist groups explicitly target economic and commercial targets is not surprising. Terrorism’s asymmetric nature invites attention towards maximising the economic impact of the violence and many ideologies embrace this and flag it as a priority for the cause. While economic attacks can be strategically and ideologically desirable from the terrorists’ perspective, practical limitations often restrict terrorists’ abilities to carry through on this. Nevertheless, paying attention to terrorist ideologies and writings gives us critical insight into the factors driving their attack planning and decision-making, and represents a crucial element in anticipating threats and introducing effective prevention and mitigation measures.

Pool Re collaborates with academia to better understand the peril and improve the UK’s resilience to terrorism. Pool Re collaborates with Cranfield University on a number of initiatives, including CBRN and blast modelling, the training of risk engineers and the sponsorship of students undertaking counter-terrorism MSc courses. Pool Re co-sponsors the Chair in Terrorism, Risk and Resilience at Cranfield University.

Pool Re works with the Centre for Risk Studies at the University of Cambridge’s Judge Business School to further understand the nature of the cyber terrorism threat, through threat monitoring and modelling of the risk.

ACADEMIC PARTNERSHIPS/


http://www.jbs.cam.ac.uk/home

http://www.cranfield.ac.uk

06/TERRORISM THREAT & MITIGATION REPORT 2019 44/ 5344/ 63TERRORISM THREAT & MITIGATION REPORT 2019

Alexander Babuta / Research Fellow in National Security Studies / Royal United Services Institute

Recent years have seen an increased focus on the use of data science methods for counter-terrorism risk assessment. Following the 2017 attacks in London and Manchester, a joint Operational Improvement Review conducted by the Security Service (MI5) and Counter Terrorism Policing proposed a ‘step change’ in how the organisations use data. This included the need for ‘improvements in the ability of MI5 and police to exploit data to detect activity of concern, particularly on the part of closed SOIs (subjects of interest) but in relation also to active SOIs and previously unknown individuals.’1

There is strong pressure on government agencies to use data more effectively to prevent individuals from ‘slipping through the net.’ Several of the 2017 attackers were closed SOIs at the time of their attacks; they were known to the authorities but assessed as not posing an immediate threat to national security. One was a live SOI, under active investigation by MI5. As is customary in UK media in the aftermath of an attack, many have questioned whether the agencies failed to ‘connect the dots’ – i.e. whether better use of data might have helped them join those dots and identify the threats before they materialised.

THERE IS STRONG PRESSURE ON GOVERNMENT AGENCIES TO USE DATA MORE EFFECTIVELY TO PREVENT INDIVIDUALS FROM ‘SLIPPING THROUGH THE NET’

Alexander Babuta is a Research Fellow in National Security Studies at RUSI. He leads the Institute’s research on intelligence, surveillance and policing, with a focus on big data, artificial intelligence and behavioural science.

Lord Anderson’s recently published implementation stock-take of the 2017 attacks provides further insights into how this ‘step change’ in data exploitation might work in practice. The report describes ‘the identification of capabilities and data needed to develop relevant behavioural triggers’,2 which will be achieved by ‘increasingly sophisticated use of artificial intelligence and behavioural analytics to extract information from bulk datasets.’3 The report concludes that ‘Behavioural analytics is here to stay, and its techniques may be effective not just in refining the assessment of risk from existing leads and SOIs but in discovering new leads who would not otherwise have come to the attention of authorities. Some indicators are geared to identifying immediate pre-attack behaviour, such as attempts to obtain firearms or researching attack methodologies. More general indicators – for example, personal frustrations or changes in baseline behaviour – may also have their place when applied to persons who are already under suspicion.’4

So, is this a realistic prospect? To what extent is it possible to apply these behavioural analytics techniques to counter-terrorism intelligence analysis? And what questions could this type of analysis help answer?

CAN DATA SCIENCE IDENTIFY ALL THE RISKS?


While big data and machine learning undoubtedly offer numerous opportunities for improving the efficiency of intelligence gathering and analysis capabilities, the ability of this technology to conduct complex behavioural analysis on individual subjects has almost certainly been overstated. Based on all available evidence, it seems neither feasible nor desirable to develop an AI-powered ‘scoring system’ to predict or prioritise terrorism risk at the individual level.

The reasons for this are twofold: first, terrorist attacks are too rare to provide the data needed to develop an individual-level statistical scoring system; second, the profiles and backgrounds of offenders are too diverse to identify generalisable ‘risk factors’ which would cover the full spectrum of possible risk.

This is not to say that behavioural analytics is incompatible with counter-terrorism. More effective use of such technology could almost certainly assist in identifying ‘immediate pre-attack behaviour’, such as unusual travel patterns, suspicious purchases or online activity. Predictive analytics applied to aggregated data from multiple sources could also assist in identifying locations and times where attacks are most likely to occur, allowing more evidence-based deployment of target-hardening measures. Anderson’s second suggestion – the use of behavioural analytics to identify warning markers such as ‘personal frustrations’ or ‘changes in baseline behaviour’ among a group of known individuals – poses greater challenges.

We might look to non-terrorist offender management processes to better understand the kind of analysis Anderson is alluding to. Across the criminal justice system, statistical scoring systems are widely used for assessing likelihood of future offending at the individual level. Tools such as the Offender Assessment System (OASys) and the Offender Group Reconviction Scale (OGRS) are routinely used by HM Prison and Probation Service (HMPPS) to calculate numerical scores corresponding to an offender’s predicted likelihood of reoffending.5 Various other systems have been developed for specific purposes, such as risk assessment of young offenders,6 violent offenders7 and sexual offenders.8 Large volumes of historical data are analysed to identify statistically significant factors correlated to offending risk. These risk factors are coded into a statistical model which is then applied predictively on new data, to assign individuals ‘risk scores’ corresponding to their likelihood of future offending. These risk scores assist agencies such as HMPPS in triaging, screening and prioritising a subset of offenders within a larger group who may require further, more detailed risk assessment.

THE ABILITY OF THIS TECHNOLOGY TO CONDUCT COMPLEX BEHAVIOURAL ANALYSIS ON INDIVIDUAL SUBJECTS HAS ALMOST CERTAINLY BEEN OVERSTATED.

Surely, given the vast quantity of digital data available to the police and security services, it must be possible to take these existing technologies and repurpose them to identify and predict terrorism-related behaviour? Perhaps such a system could be used to assign ‘risk scores’ to each subject of interest, enabling the agencies to more intelligently prioritise investigations depending on which subjects are identified as posing the greatest risk?

In reality, this is far more difficult than one might expect.

Research tells us that there is no consistent ‘terrorist profile’.9 The wide variation in both the demographic characteristics and the personal, political and social drivers that lead individuals to engage in terrorist violence, render it infeasible to identify statistically significant ‘risk factors’ that can be used to develop a statistical prediction tool at the individual level. As terrorism is such a rare and infrequent occurrence in Western countries, there is insufficient historic data to build a statistical model to any reasonable degree of predictive power. As summarised by John Monahan, ‘existing research has largely failed to find valid non-trivial risk factors for terrorism. Without the identification of valid risk factors, the individual risk assessment of terrorism is impossible.’10


But despite this lack of statistical data, research has nevertheless identified discernible behavioural markers that can be used as ‘indicators’ of terrorist intent.11 These indicators can then be used to structure and systematise intelligence analysis related to counter-terrorism risk assessment. Several frameworks have been developed to assist practitioners in identifying and assessing terrorism risk according to these known criteria. Examples include the Extremism Risk Guidance (ERG 22+),12 the Violent Extremism Risk Assessment (VERA),13 and the Terrorist Radicalization Assessment Protocol (TRAP-18).14 These are not statistical scoring systems. Instead, they follow a method known as ‘Structured Professional Judgement’ (SPJ), a systematic approach to risk assessment that aims to bridge the gap between professional judgement and statistical prediction.15 In doing so, the SPJ approach enables users to provide logical and coherent reasoning as to how they arrived at a certain judgement, while maintaining a clear link between identified risk factors and the ultimate intervention.

For some, these existing non-technological methods may seem outdated. The authorities have a legal and societal duty to protect the public from threats to their safety, and a reluctance to adopt new methods that may allow them to do this more effectively could be perceived as a failure to fulfil this duty.

But even if it were possible to develop a big data system that could identify and detect behavioural triggers in bulk datasets, this would not solve the fundamental challenge of ‘connecting the dots’. Conversely, increased reliance on technological methods could in fact lead to important case-specific information being overlooked.

As statistical scoring systems rely on identifying correlations in historic data to identify risk factors, practitioners may fail to identify highly relevant risk factors because they were not found to be statistically significant in historic data. The analyst is provided with a filtered subset of data which the algorithm has assessed as most relevant to the investigative task at hand, but if the algorithm has incorrectly ‘filtered out’ even a

single, seemingly irrelevant piece of information, the dots will not join up to create the full picture. To add to this challenge, certain variables may not be strong predictors of violence in isolation but interact with other risk factors in complex ways that are not apparent in statistical analyses. Individual factors may not be strong ‘behavioural triggers’, but when they appear in combination with other factors they can become highly relevant.

The machines might help us to identify which dots are most relevant.

So, is behavioural analytics really ‘here to stay’? Perhaps, but not for the purposes that some may expect. Rather than enabling automated risk assessment and prioritisation of individuals based on behavioural markers, the true value of this technology lies in its ability to rapidly extract information from multiple, disparate data sets, and present it in a coherent format for the human decision-maker to analyse and interpret. Making sense of the relevance and importance of that data in relation to an individual’s future risk requires complex behavioural assessments which could not possibly be replicated by a statistical model.

CONNECTING THOSE DOTS IN THE RIGHT WAY WILL ALWAYS DEPEND ON THE SINGLE GREATEST ASSET THAT COULD NEVER BE REPLICATED BY EVEN THE MOST INTELLIGENT ALGORITHM: HUMAN JUDGEMENT

1 David Anderson, ‘Attacks in London and Manchester, March – June 2017: Independent assessment of MI5 and police internal reviews’, p. 32 (December 2017).

2 David Anderson, ‘2017 Terrorist attacks MI5 and CTP reviews: Implementation stock-take’, p. 14 (June 2019).



5 National Offender Management Service, ‘A compendium of research and analysis on the Offender Assessment System (OASys), 2009-2013 (2015); Howard, Philip and Francis, Brian and Soothill, Keith and Humphreys, Leslie (2009) OGRS 3: The revised Offender Group Reconviction Scale. Research Summary, 7/09. Ministry of Justice, London.

6 Wilson, E., & Hinks, S. (2011). Assessing the predictive validity of the Asset youth risk assessment tool using the Juvenile Cohort Study (JCS). Ministry of Justice Research Series, 10(11)

7 Quinsey, V.L., Harris, G.T., Rice, M.E. and Cormier, C.A., 2006. Violent offenders: Appraising and managing risk. American Psychological Association, p. 121.

8 Craig, L.A., Beech, A. and Browne, K.D., 2006. Cross-validation of the risk matrix 2000 sexual and violent scales. Journal of interpersonal violence, 21(5), p. 616.

9 Raffaello Pantucci, Clare Ellis and Lorien Chaplais, ‘Lone-Actor Terrorism: Literature Review’, Countering Lone-Actor Terrorism Series, No. 1, p, 2015, RUSI; Paul Gill, John Horgan and Paige Deckert, ‘Bombing Alone: Tracing the Motivations and

Antecedent Behaviors of Lone-Actor Terrorists’, Journal of Forensic Sciences (Vol. 59, No. 2, March 2014), p. 434; Spaaij, ‘The Enigma of Lone Wolf Terrorism’, pp. 854–70; Paul Gill. Lone-actor terrorists: A behavioural analysis. Routledge, 2015.

10 Monahan, John. “The individual risk assessment of terrorism.” Psychology, Public Policy, and Law 18, no. 2 (2012), p. 19.

11 See Paul Gill, Lone-actor terrorists: A behavioural analysis. Routledge, 2015.

12 Monica Lloyd and Christopher Dean, ‘The development of structured guidelines for assessing risk in extremist offenders’, Journal of Threat Assessment and Management, vol. 2, no. 1 (2015), pp. 40-52.

13 Pressman, D. E. and John Flockton, (2012) “Calibrating risk for violent political extremists and terrorists: the VERA 2 structured assessment”, The British Journal of Forensic Practice, Vol. 14 Issue: 4, pp.237-251; Monica Lloyd, ‘Extremism Risk Assessment: A Directory’, Centre for Research and Evidence on Security Threats, March 2019, p. 39

14 Meloy, J. Reid. “The Operational Development and Empirical Testing of the Terrorist Radicalization Assessment Protocol (TRAP–18).” Journal of personality assessment 100, no. 5 (2018): 483-492; Monica Lloyd, ‘Extremism Risk Assessment: A Directory’, Centre for Research and Evidence on Security Threats, March 2019, p. 34.

15 Douglas, Kevin S., and P. Randall Kropp. “A prevention-based paradigm for violence risk assessment: Clinical and research applications.” Criminal Justice and Behavior 29, no. 5 (2002): 617-658.


07/TERRORISM THREAT & MITIGATION REPORT 2019 48/ 53TERRORISM THREAT & MITIGATION REPORT 2019

The collapse of Daesh’s so-called ‘caliphate’ has diminished the group’s mass appeal and crippled its ability to direct and coordinate strategic communications. While the group’s ability to propagandise is unlikely to be extinguished in the medium-term, it no longer possesses the resources, momentum or freedom of operation necessary to meaningfully reach overseas audiences on the scale or with the efficacy it had previously. Therefore, while attacks in the West by ‘self-radicalised’ or ‘inspired’ individuals are unlikely to abate entirely (while those supporters who were prevented from joining Daesh overseas remain free), far fewer of attacks directed from Daesh members in Syria and Iraq are anticipated in coming years. The group is instead likely to focus its efforts on its most devoted followers in support of the new amorphous, transnational operating model which the group appears to have adopted. This could lead to intensification of overseas attack planning by committed Daesh supporters. These plots, while much harder to execute than the low-complexity methodologies favoured by ‘inspired’ actors, are typically more sophisticated and have greater impact in terms of both loss of life and damage to property if successful.

Daesh has proven highly adept at strategic communications, effectively exploiting information technologies to reach large audiences around the globe. The group has also proved capable of adapting its narrative and messaging in response to changing circumstances in its Levantine heartland. With the collapse of its territorial holdings in Iraq and Syria, Daesh has recalibrated its propaganda efforts in line with its new strategic situation.

At its greatest territorial extent, Daesh’s al-Hayat media wing managed a sophisticated propaganda effort, overseeing the production of slick and voluminous online content for receptive audiences around the world. The group’s propaganda emphasised the purported military, social and religious accomplishments of its proto state, encouraging Hijra (emigration) by sympathisers to Iraq and Syria.

From 2016, with Daesh under growing pressure from Coalition action and extremist travel to the Middle East increasingly difficult, the group reframed its call for attacks by supporters in the West (first proposed in 2014) as a duty rather than an alternative to emigration. The call to action was accompanied by

WHAT DAESH’S COMMUNICATIONS STRATEGY MEANS FOR THE UK

DAESH HAS PROVEN HIGHLY ADEPT AT STRATEGIC COMMUNICATIONS, REACHING LARGE AUDIENCES AROUND THE GLOBE




ATTACKS IN LESS RESTLESS AREAS WILL, IN PROPAGANDA TERMS, BE MUCH MORE REWARDING FOR DAESH

detailed advice for mounting attacks alone, credited with influencing the employment of low-complexity methodologies used by numerous terrorists since then. The tone of Daesh’s propaganda had also changed considerably. Themes of loyalty, sacrifice and revenge supplanted the more positive messaging commonplace in earlier material.1

The approach was an apparent success, with the frequency of inspired attacks in the West continuing to climb through to the second half of 2017.2 However, by this time, the quantity and quality of propaganda released by the group had declined markedly as the group’s efforts came under increasing pressure from Coalition kinetic and network operations. While partially offset by global affiliates and grassroots supporters, by 2018 Daesh was producing a fraction of the material it had two years earlier.3 It struggled to maintain a persistent presence on social media networks, and the group became more reliant on less accessible encrypted channels to communicate with supporters. Content segmentation also became less pronounced as the group’s core suffered from lack of resources and came to rely more on disparate franchises and individual influencers.4 Centrally issued

propaganda focused on sustaining the morale of core supporters rather than cultivating mass appeal abroad, with the last edition of Daesh’s flagship foreign language publication Rumiyah (formerly Dabiq) released in September 2017.

This corresponded with a drop-off in the number of attacks in Europe and North America in 2018.5 Enhanced intelligence, security and risk mitigation measures undoubtedly played a crucial role in disrupting plots but, while correlation does not imply causation, it is plausible that the declining volume, accessibility and efficacy of Daesh’s propaganda did contribute to the reduction in the number of successful attacks.

The existence of Daesh’s so-called ‘caliphate’ and its subsequent erosion not only granted the group abundant media coverage and elevated its stature above that of terrorist groups; it was an animating force and powerful recruiting sergeant for the global violent Islamist milieu.

With the imminent loss of the last of its territory in Syria, Daesh recast its narrative, positing that the fall of its proto state was merely a temporary setback, and that the loss of territory was ultimately immaterial as the more significant objective of galvanising a global movement had been achieved.6

It appears the message has largely been accepted by the group’s most committed supporters.9 While the extent of Daesh’s involvement in the Easter bombings remains unclear, the attack was a major propaganda coup for the group, providing substance to Daesh’s claims and demonstrating it was still capable of orchestrating major attacks overseas. However, without its eponymous state in Iraq and Syria, Daesh is increasingly reliant on these kinds of attack to sustain its grandiose vision and retain the commitment of its supporters. While attacks in ungoverned or under-governed spaces will continue to be claimed and advertised by the group, those in less restless regions will, in propaganda terms, be much more rewarding for Daesh; attacks which demonstrate Daesh’s adaptability and organisational prowess even more so.

Therefore, the group is likely to redouble efforts to carry out complex attacks against Western interests. While British and allied intelligence services are alert to this threat, resource constraints inevitably mean that not every lead will be pursued, and the threat picture is further

This was accompanied by a reorganisation of Daesh’s Wilyat (notional province) structure, starting in late 2018, which minimised the importance of formerly held territory in Iraq and Syria as only two components of a much larger global ‘caliphate’. While the administrative reorganisation belies the tenuous links between Daesh’s leadership and its more distant adherents, it reflects the movement’s attempt to maintain its relevance to current and potential supporters and project an image of strength while it regroups in its Iraqi heartland.7

To this end, Abu Bakr Al-Baghdadi, Daesh’s leader, made his first video appearance in five years in April. In his speech Baghdadi claimed responsibility for the Easter bombings in Sri Lanka and accepted Bayat (pledges of allegiance) from groups in Africa, while articulating a transnational future for the group. In addition to refuting claims of his death, the speech was likely intended to assert Baghdadi’s continuing authority over Daesh’s distant franchises and its remnants in the Levant and outline a strategy for the group’s future.8


complicated by the diaspora of Daesh fighters which scattered following the group’s territorial collapse, and whose whereabouts are now uncertain. More than 200 British citizens alone who travelled to the Middle East to fight with Daesh still remain unaccounted for (the figure for Europe is believed to be roughly 2000)10,11. It is likely that a significant proportion of those still alive and at liberty remain committed to Daesh. Their linguistic and cultural knowledge represent a significant asset for Daesh and could be exploited for attack planning or developing cells in Europe.

Attacks by individuals inspired by Daesh’s ideology but acting independently are unlikely to abate entirely and these remain difficult to detect and interdict. Nonetheless, the very public setbacks faced by Daesh do appear to have diminished the group’s ability to further incite these types of attacks. However, Daesh retains a core of highly committed followers with the ability to fund, plan

and execute attacks overseas. Among these are organised British-based extremists who either avoided prosecution or have recently been released from prison.12 In the wake of the loss of the last of its territory in Iraq and Syria, the use of these capabilities is now critical to demonstrating the continued relevance of the group and sustaining its grand ambitions. Equally, the threat posed by other Islamist extremist groups, while overshadowed by Daesh, has not waned. Al Qaeda in particular continues to harbour the intent to conduct ‘spectacular attacks’ against Western interests.

Therefore, the UK will continue to face the prospect of complex attacks for some time yet. While the targets favoured by Daesh—crowded places and symbolic sites—are unlikely to change, plots executed by well-funded and trained terrorists are likely to result in greater damage to property and more widespread business interruption.

DAESH RETAINS A CORE OF HIGHLY COMMITTED FOLLOWERS WITH THE ABILITY TO FUND, PLAN AND EXECUTE ATTACKS OVERSEAS


1 https://www.bbc.co.uk/news/world-middle-east-41845285

2 https://trac.poolre.co.uk/tmr-2018/DataCentre

3 https://www.wired.co.uk/article/isis-islamic-state-propaganda-content-strategy

4 https://icsr.info/wp-content/uploads/2018/07/ICSR-Report-A-Tale-of-Two-Caliphates-Comparing-the-Islamic-State%E2%80%99s-Internal-and-External-Messaging-Priorities.pdf

5 https://trac.poolre.co.uk/tmr-2018/DataCentre

6 https://www.theatlantic.com/ideas/archive/2019/04/the-sri-lanka-bombings-were-a-preview-of-isiss-future/588175/

7 https://www.brookings.edu/blog/markaz/2018/01/18/what-happens-when-isis-goes-underground/

8 https://www.rand.org/blog/2019/04/what-the-baghdadi-video-means.html

9 https://www.theatlantic.com/ideas/archive/2019/04/the-sri-lanka-bombings-were-a-preview-of-isiss-future/588175/

10 https://www.independent.co.uk/news/ world/middle-east/uk-isis-recruits-syria-return-british-caliphate-terrorism-jihadis-a8781056.html

11 https://www.nytimes.com/2019/08/03/world/middleeast/islamic-state-attacks-europe.html

12 https://www.nytimes.com/2019/05/18/ world/europe/uk-extremist-cell-anjem-choudary.html


https://act.campaign.gov.uk/

ATTACKS BY OFFENDER TYPE IN ADVANCED MARKETS BY WEAPON COMPLEXITY / 1990-2018

20

40

60

80

100

0 AnarchistsFar LeftSeparatistsFar RightIslamist

Unknown 2%

Low67%

High32%

High16%

Low76%

Unknown 8%

High70%

Low26%

Unknown 3%

High43%

Low50%

Unknown 6%

High43%

Low53%

Unknown 4%

GroupIslamist ExtremistsFar RightSeparatistsFar Left, Environmental, Student ActivistsAnarchists

70% of separatist attacks in Advanced Markets since 1990 involved the use of high-complexity weapons

67% of Islamist attacks in Advanced Markets since 1990 involved the use of low-complexity weapons

RECENT YEARS HAVE SEEN RIGHT-WING AND ISLAMIST EXTREMIST ATTACKS IN ADVANCED MARKETS INCREASINGLY EMPLOY LESS COMPLEX METHODOLOGIES

SEPARATIST TERRORISTS HAVE MOST FREQUENTLY EMPLOYED COMPLEX WEAPONS IN ATTACKS


ABOUT THIS REPORT

The Pool Re Terrorism Threat & Mitigation Report provides an overview of significant acts of terrorism during the year as well as identifying key trends and themes that we believe are relevant to the terrorism (re)insurance market.

Our methodology is based on analysis of the wide range of publicly available open source material and collaboration with subject matter experts. We also used the Global Terrorism Database, compiled by the University of Maryland, to assess the frequency and severity of global terrorism since 1990.

We hope that this qualitative and quantative analysis of terrorist incidents, trends and themes will be helpful for our Members and other stakeholders as they seek a greater understanding on the frequency and severity of terrorist events and how the evolving threat impacts on their particular area of activity.

In this edition, we have focused on key terrorism events and trends in 2019.

MethodologyPool Re Solutions’ methodology is based on analysis of a wide range of publicly available open source material, and collaboration with subject matter experts. The information contained in this report has been verified and corroborated through extensive research drawn from academia, think tanks, social media, security, intelligence and risk conferences as well as extensive subscription-based content. The sum of this provides Pool Re with a unique perspective within the terrorism reinsurance market.

All assessments are made in relation to the threat posed to the UK and are tailored principally to the (re)insurance sector; but it is hoped these assessments are also of use to the wider business community. In order to fully understand the threat to the UK, Pool Re Solutions gathers information from wider global terrorism threats and incidents that could pose a threat to the UK mainland.

PurposeThe purpose of this report is to inform Pool Re Members and wider stakeholders of the current and future terrorism threat and its implications for the resilience of UK businesses and, by extension, the UK’s economy. Pool Re was created 26 years ago to protect society from the economic consequences of terrorism. The landscape more than a quarter of a century on is far more complex and diffuse, principally because in 1993 there was one main threat actor, militant republicans in the form of the Irish Republican Army (IRA), targeting the UK; now there is a wider spectrum of terrorist entities, using a broad range of methodologies, targeting our citizens, assets and economies. We hope that this annual report will go some way in providing further clarity and knowledge for our Members and other stakeholders.

Further information about Pool Re can be found on our website at www.poolre.co.uk or by following us on LinkedIn.

About Pool RePool Re is the UK’s terrorism reinsurance pool, providing effective protection for the UK economy and underwriting over £2 trillion of exposure to terrorism risk in commercial property across the UK mainland. Through its Risk Awareness Team Pool Re aims to improve the risk awareness of current and emerging terrorism perils for Members and other key stakeholders by highlighting the availability of terrorism cover for all UK mainland Commercial Insurance customers.

Intelligence cut-off dateThe analysis in this report was current as of 31 Aug 2019 and has not been updated to reflect developments since.

DisclaimerThis website has been prepared by Pool Reinsurance Company Limited (Pool Re). While this information has been prepared in good faith, no representation or warranty, expressed or implied, is or will be made and no responsibility or liability is or will be accepted by Pool Re, or by any of its respective directors, officers, employees or agents in relation to the accuracy or completeness of this document and any such liability is expressly disclaimed. In particular, but without limitation, no representation or warranty is given as to the reasonableness of future suggestions contained in this document. Pool Re is a company limited by guarantee and registered in England and Wales under company no. 02798901 having its registered office at Hanover House, 14 Hanover Square, London W1S 1HP.

Photography creditsPage 14 – 1993 Bishopsgate

bombing, City of London Police

Page 29 – Caracas drone attack, Xinhua


TERRORISM THREAT & MITIGATION REPORT 2019

Documents

TERRORISM THREAT & MITIGATION REPORT 2019 2/ 53 · GCHQ), Alexander Babuta (National Security Research Fellow at RUSI), Andrew Silke (Professor of Terrorism at Cranfield University)