THE I&W PARADIGM AS APPLIED TO 9/11

Fritz W. Ermarth
25 September 2002

The revelations of recent months as to who knew and reported what and when, or did not, allow
for the hypothesis that the attacks of 9/11 could have been prevented with the information we
had. The public testimony of the Joint Inquiry Staff of the House and Senate intelligence
committees released on 18 September fortifies this hypothesis considerably. Defining and testing
this hypothesis should form a part of the agenda of inquiry as to whether there was an
intelligence failure, where and when it occurred, and how to correct it for the future. The issue
turns, first of all, on how the warning problem should have been and should be conceptualized to
address the threat of terrorist attack.

During the Cold War, with Pearl Harbor in recent memory, we worked massively on the
"indications and warning" (I&W) problem, and very successfully. We erected an "industrial age"
system for collecting strategic warning (there is an enemy who prepares energetically for war),
operational warning (here is how he mounts up for war and how we can tell), and tactical warning
or warning of attack (he is executing his attack plans). Moreover, and most importantly, this I&W
system was tightly linked to military and other response options and action plans, such as alerting
and dispersing forces, and, ultimately, war plans. Happily, this system worked well, not by
averting a Pearl Harbor, which never came (even Cuba 62 did not involve intent to begin war), but
by giving us confidence day by day that a Pearl Harbor was not in the offing, a confidence that
allowed us to act calmly even in periods of tension, and not bring about war by overreaction and
inadvertence. And the fact that our I&W system was very effective probably helped deter the
enemy from gambling on surprise, to which his military doctrine assigned a very high value.

The problem of terrorism and warning of it is vastly different from and far more difficult for
intelligence to deal with by its very nature than warning of massive military attack. The whole
point of the terrorist is to avoid giving warning by choosing operations and targets for which
elaborate military-style preparations are not necessary. Yet he must make preparations that do
or can give some warning. He must mobilize, motivate, organize, prepare, and execute...all the
while feeding, fueling, funding, and cajoling his operation. So in very rough terms, the Cold War
paradigm of strategic-operational-tactical warning, and connection to vulnerability and response,
has some utility.

Prior to 9/11, we definitely had strategic warning. We saw the enemy, Al Qaeda, forming up and
growing in strength. We knew his hostile intent. We saw him preparing capabilities, especially in
Afghanistan. We experienced his attacks on our overseas perimeter. We heard him proclaim
determination to hit us at home, and saw him try it in 1993. Three DCIs and other authorities
repeated that it was only a matter of time before major attacks were launched inside the US.

We had a kind of operational warning in the summer of 2001. By then we knew something about
the enemy's operational repertoire and knew or had strong reason to suspect that suicidal use of
airplanes as bombs was in it. And we were hearing enough about something major in the works
to conclude that the threat was mounting in the period immediately ahead. The recent Joint Staff
testimony is eloquent on both counts.

Our challenge was to move beyond strategic and operational to tactical warning. Or, at the very
least, to turn what we had in strategic and operational warning into a threat assessment on which
preventive action could be taken. Most public commentary about intelligence failure before 9/11
focuses on the first construction of the challenge, and concludes that we were just not lucky
enough or energetic enough to penetrate the enemy's immediate plans, to "uncover the plot" as
FBI Director Mueller puts it. Or, put another way, there were not quite enough of the right dots to
connect to make a precise threat picture.
But the hypothesis here is that we could have done better on the second formulation, extracting
actionable warning and threat assessment from what we had.

Doing so would have required something like the following: There should long before the
summer of 2001 have been formed a special team of analysts charged to lay out on the table
what we had in strategic and especially operational warning: What kinds of attacks do we know
he is planning; what kinds could he be planning simply because they exploit our vulnerabilities;
and, above all, where do such possibilities correlate with what are high value targets to the
enemy, and to us, that are particularly vulnerable, but which vulnerabilities are susceptible to
correction? As to targets, we knew he had prominent public buildings and WTC on his list.

Had such an echeloned, largely analytical, I&W-Threat Assessment-Response system been in
place, it would have or could have led to a menu of probable threats with something like the 9/11
scenario high on the list. Other threats would probably have been there as well, such as large-
scale truck bombings (because he did it at Khobar Towers), and perhaps BW attack (because it's
easy and terribly destructive).

But "planes as bombs" would certainly have been there, because we had indicators (e.g., from
the Philippines in the mid-1990s and later) that this was in the enemy's attack repertoire, and
could readily assess it as an easily reconnoitered and executed attack mode under the existing
security regime and rules-of-engagement (ROE) for response to hijacking attempts (surrender
and fly to Havana for negotiations or rescue).

The irony and tragedy is that the actual attack exploited, and probably discovered by careful
reconnaissance, vulnerability to high-value attack which we could have significantly, perhaps
decisively, remedied had we thought of the attack mode chosen. We could readily have
reasoned that the attacker had to get multiple hijackers aboard fuel laden aircraft with lethal
weapons that would pass through security even if observed, e.g., very small knives. And he had
to count on the old ROE derived from a history of hijacking for ransom or bargaining, which called
for surrender of the flight plan, not the cockpit. We could have tightened airport security against
hitherto allowed lethal weapons. We could have put sky marshals on aircraft in rank order of their
bomb "yield" potential, i.e., fuel load. We could have locked the cockpit doors. Above all, we
could have changed the ROE for dealing with hijack attempts. Had these rules been changed to
oblige aircrew to block entry to the cockpit at all cost, including enlisting passenger help, even if
lives were threatened or lost, these attacks would have failed. They could have been readily
defeated by arming aircrew with simple bludgeons such as the expandable police baton. Had
such measures been announced, the hijackers might have been deterred, or if not, we would
have defeated the attacks and captured the hijackers, much as the hijacking of Flight 93 was
defeated, alas too late to save the plane and the lives of the people on it.

Of course, the foregoing relies on hindsight. Our present hindsight is still not 20-20 and won't be
until investigations have been completed. The following questions must be asked:

Was any special analytical effort tasked to combine warning indicators of all kinds with
threat potential, target value and vulnerability information, and possible defensive
options?

If not why not, and where was the lapse? If so, did it yield an actionable threat menu? If
not why not? One reason might be that the resulting threat menu was too long and too \d to prioritize to b

Even if the true threat had been prominently recognized by intelligence as possible, even
probable, defensive action might not have been taken because the action authorities would not
believe the threat assessment or did not believe it convincing enough to take measures that
would alarm the flying public. But this link in the I&W-Assessment-Response chain is moot if the
first ones are missing.

By definition, 9/11 was a huge intelligence failure in that available threat information did not cause
defensive action when it well might have, just as in 1941. That there were failures beyond the
people and organizations labeled intelligence is clear. But these failures were inevitable if the
intelligence input, especially the analytical input, was weak or lacking.

On available evidence, it seems that the matter was not one of a requisite warning system not
having enough evidence because of weaknesses in collection or communication, although those
weaknesses existed, but that the system simply was not there or was insufficiently robust. To be
sure, there were lots of analysts working on the terrorism problem throughout the 1990s. But
most of them were apparently doing operational support (homework for chasing bad guys) or
current intelligence (packaging the results of collection), not real warning and threat analysis. A
public indication of this is the proud claim of the intelligence community that every day it sends to
the policymakers a "threat matrix" containing 50-100 cells of information. This is a confession of
analytic vacuum, the more frightening because it seems to be unrecognized as such. This threat
matrix is surely not the only analytic product sent to policymakers. But to give it pride of place in
defense of the warning performance suggests a defensive reflex at best, and a misappreciation of
the function at worst.

Given that we had and publicly recognized strategic warning of terrorist attack on our homeland,
why did we not create a real warning response system? Probably a variety of factors were at
work. 1) The terrorism warning problem is different from and analytically harder than the military
warning problem. It takes a lot of cerebration and invention to migrate the logic of the latter to the
former task. 2) The counter-terrorism business is dominated by operators who are focused on
running ops and collecting data, not on squeezing the most actionable judgments from limited
information. 3) Throughout our national security establishment, including intelligence, there was
a pervasive spirit of getting the Cold War behind us. Laudable to a degree, this may have blurred
appreciation of Cold War lessons applicable to our new situation. 4) The peculiarities of the
administration which governed through most of the past decade may have played a role. 5) The
new administration, while festooned with people critical of the intelligence community, had other
matters higher on its agenda than fixing intelligence problems. 6) Bureaucratically or
organizationally, a fix to the terrorism warning problem does not come naturally. During the Cold
War, most of the intelligence entities responsible for warning, especially operational and tactical,
were in the DOD as were nearly all the threat evaluation and response entities below the
President, namely the military commands. Creating an I&W system for terrorism must lace
together intelligence with many hugely different entities, such as FAA for airport security, DOE for
security at nuclear sites, and CDC for BW attack. Even with the shock of 9/11 and the creation of
a Department of Homeland Security, this will be hard to do.

Because it is written from a distance by one not involved in the action, this critique may be too
harsh and unfair. Final judgments on the extent, locus, and nature of failure in 9/11 must rest on
careful study with complete access to the record of the last decade in counter terrorism. Our
intelligence and law-enforcement leaders claim to have successfully thwarted or interdicted a
significant number of terrorist attacks in this period. That record of success must be examined to
bring a balanced conclusion on the meaning of 9/11. Even more important, that record should
give important lessons on how to design and run an effective I&W system for counter terrorism.

We need to look back at this tragic experience through the lens of strategic-operational-tactical
warning combined with threat, value, vulnerability, and response option assessment to find the
true reasons for failure. And if that lens does not presently exist in robust form, it must be
promptly created, polished, and applied to the present and future threat of terrorist attack. The
place for this lens is probably in the new Department of Homeland Security. But the logic and the
impact of the function it performs must reach out to all the nation's elements of intelligence,
defense, and public safety.

Fritz W. Ermarth is Director of National Security Programs at the Nixon Center. He is
also a part-time Senior Analyst in the Strategies Group of Science Applications
International Corporation. He had several tours on the NSC staff, served as Chairman of
the National Intelligence Council 1988-93, and retired from CIA in 1998. The judgments
in this article are the author's own and should not be attributed to any of his past or
present affiliations.
