Office of the Director of National Intelligence Washington, DC 20511
SEP 2 9 2015
Steven Aftergood Federation of American Scientists
1725 De Sales Street NW, Suite 600
Washington, DC 20036
Re: ODNI FOIA Request DF-2011-00039
Dear Mr. Aftergood:
This is in response to your 3 February 2010 email to the Office of the Director of National Intelligence (ODNI) (Enclosure 1 ), in which you requested, under the Freedom of Information Act (FOIA), a copy of the releasable portions of the report resulting from a review of intelligence lessons learned from the Fort Hood shooting, the Christmas Day bombing attempt, and other incidents.

Your request was processed in accordance with the FOIA, 5 U.S.C.  552, as amended.

A thorough search of our records and databases located material responsive to your request
(Enclosure 2).

Upon thorough review, the material was found to contain information that is currently and properly classified under Executive Order 13526, Section 1.4(c), and is therefore withheld pursuant to FOIA exemption (b)(1). Information was also withheld pursuant to the following FOIA exemptions:

-
(b)(3), which applies to information exempt from disclosure by statute, specifically:
o the National Security Act of 1947, as amended, 50 U.S.C.  3024(m)(1), which
protects, among other things, the names and identifying information of ODNI
personnel, and
o the National Security Act of 1947, as amended, 50 U.S.C.  3024(i)(l), which
protects information pertaining to intelligence sources and methods.
If you wish to appeal our determination on this request, please explain the basis of your appeal and forward to the address below within 45 days of the date ofthis letter.

Office of the Director of National Intelligence Information Management Office Washington, DC 20511
The document was also coordinated with other agencies-their redactions are noted in the document.

If you have any questions, email our Requester Service Center at DNI-FOIA@,dni.gov or call us at (703) 874-8500.

Sincerely, I J/ . /;~'hhL<rx4( 7 (
"\_6\-
Jennifer Hudson C
Director, Information Management Division Enclosures FBI

15 April 2010
Report to the Director of
National Intelligence on the
Fort Hood and Northwest
Flight 253 Incidents (U)

Intelligence Community Review Panel

CLBY:
              l<b)(3) I

CL REASON: 1.4 (b), (c), (d)
DECL ON: 25X1-human
DRV FROM: Multiple
Sources

TOP SECRET/{i IGSISJNORCONINOFORN.

l<b)(7)(E) I

## Report To The Director Of National Intelligence On The Fort Hood And Northwest Fligltt 253 Incidents (U) Executive Summary (U)

(b )(1)
(b)(3)
(b)(?)(E)
FBI

"In a way, I think this Christmas Day bomber did 118 a favor. "

-Gov. Thomas H. Kean, 25 Jatlfl01J' 2010. 1

The Director of National Intelligence (DNI) asked a panel of four senior
current and fonner national security officials in January to examine the
intelligence aspects of two recent events: the shooting attack on personnel
at Fort Hood by Army Major Nidal Hasan on 5 November and the
attempted bombing of Northwest Airlines Flight 253 on Christmas day by
a Nigerian citizen, Urnar Farouk Abdulrnutallab. a (U)

The panel's mandate was three-fold: To document the facts of these two
events, to add recommendations to what the Intelligence Community is
doing in response to them. and to add any further thoughts on what the
Intelligence Community might do to deal with existing terrorist threats or
what fonn new terrorist threats might take. (U)

To carry out this assignment, the panel read all of the relevant intelligence
reporting and carried out roughly 70 interviews, meetings, and roundtable
discussions with approximately 300 key decision makers, program
managers, officers, and agents from components in the Office of the
Director ofNational Intelligence (ODNI), the National Counterterrorism
Center (NCTC), the Central Intelligence Agency (CIA), including its
Counterterrorism Center (CTC), the Defense Intelligence Agency's (DIA)

Liberties Protection Officer in the Office of the Director ofNational Intelligence. (U)
Joint Intelligence Task Force-Counterterrorism (JfrF-cn, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Department ofHomd~ Security (DHS), the Office of the Undersecretary of Defense for Intelljgence, and the NatiQoal Security Council. It also asked a panel of experts from outside the Intelligence Community to offer ideas on future threats and called on four extemal readers-a scholar, the head of a major research institution. a two fonner senior intelligena officials-to critiqtre the study. (U)
Before~
the findings, SQme preliminary observations are in order regarding the context in which the pimel encourages readers to evaluate its findings. (U)
First, the panel was s1ruck by the enormous complexity of these issues and the challenges facing intelligence and law enforcement officers who must wrestle with them. The panel tried to evaluate these events dispassionately and clinically and, although it judges many actions critically, it is fully aware that whatever shortcomings it found.are not typical of the Intelligence Community's overall performance on counterterrorism.

- We saw our work as roughly akin to an FAA assessment of an airline
accident in which a single plane crash is seldom seen as emblematic of an
industrywide problem--5o it is with these events and the Intelligence
Community.
- Our simple aim was to develop a clear-eyed view ofhow the Intelligence
Community's counterterrorism performance can become even better and
how the adversary's task can be made harder. (U)
Second, it is important to understand the context for the Intelligence Community at the time of these events. During our review, we were consistently impressed by the pace, scope, breadth, and depth of US
counterterrorism efforts throughout 2009, many of which produced notable successes. Intelligence and law enforcement officers were tracking threats or supporting operations to counter them in Pakistan, neJt<liiig multiple requests for briefings; coordinating action with collectors, policymak:ers, and the law enforcement comm\Ulity; and providing analysis and support following the June shootings at a US military recruiting center in Little Rock, Arkansas.

j(b)(7)(E) I
Third, based partly on this surfeit of data, the panel concluded early on that it is too simple to call the challenge in these cases a "connect the dots"
problem-a metaphor that strips away context and trivializes the challenge counterterrorism officers face in dealing with truly massive volumes of infonnation. The 25 December case in particular is more akin to what scholar Roberta Wohlstetter in her classic study of Pearl Harbor called the
"signals to noise" problem. In short, the fragmentary clues about Abdulmutallab-the "signals"-were deeply submerged in a vast pool of intelligence reporting-thousands of messages a day, the "noise."

- The task then, and the North Star guiding this panel's efforts, has been
the question of bow to raise such alanning "signals" from a body of noise
that is growing rapidly as technology enables both the creation of more
data and the Intelligence Community's ability to collect it. (U)
Fourth, while petfection should be the goal for counterterrorism. there is really no formula to achieve it. Terrorists are "learning" enemies; they go to school on every one of our successes, play by no rules, do not respond to traditional deterrence techniques, and are prepared to die to achieve their aims~ So while the recommendations we offer and the steps the Community has ab:eady taken will redUce the odds of terrorist success, no one can g'Uanmtee that terrorists will not penetrate our defenses on some occasjon. (U)
Finally, in considering any set of recommendations on counterterrorism, it is important to remain aware that major


on various airline watchlists will produce a surge of false positives; using partial names to increase the likelihood of detecting terrorist travel risks

the Community
(S/INFt-

## What Happened? (U)

The ftrst task the DNI gave the panel was to determine the facts in these two cases. This is elaborately laid out in the first section of the report, in which we document chronologically what occurred. what advance intelligence reporting was available, and what intelligence and law enforcement officers did or did not do with it. There and throughout our report, we focus in more detail on the 25 December attempted bombing than on the Fort Hood shooting. Because ongoing legal proceedings limited our access to personnel and data associated with the Fort Hood case, we relied heavily on the joint preliminary review conducted by the Department of Defense (DoD), FBI, and ODNI. and a separate DoD
inquiry. Moreover, as we undertook this assignment, another group led by former CIA and FBI Director William Webster began an in-depth study focused on FBI's role in the Fort Hood case. (U)
To summarize what we learned about the nature of the intelligence reporting:
Counterterrorism officers were up against some tough challenges in assessing the implications of this reporting. Regarding the 25 December event, the panel nonetheless believes that analysts and collectors could have pursued strategies that would have raised Abdulmutallab out of the
"noise" or possibly even pointed to his target and timing. (U)
reporting the concerns of Abdulmutallab's fatherofficers would have assembled Abdulmutallab's full name, his biographic data. and his association with Aulaqi. This would have put him on officers' screens for more follow-up.

that linked him to Aulaqi. Meanwhile, name
-message. As a result, no one connected Abdulmutallab to Aulaqi and his hostile aims toward the US.

TOP SECRETJ;HCSIStHORCONINOFORN/1-
The panel recognizes that laying things out 1ihis way makes counterterrorism sound easier than it is in the real world of burgeoning volume, competing priorities, aud the attendant increase in "noise." We would be irresponsible, though, to simply conclude that detection in this case was impossible, unlikely, or that these cases were below the threshold.

OUt key point is simply ;that.it w~ possible to find the connections; the recommendations we summarize below and elaborate in the report are

## What Needs To Be Done? (U) (B)( 1) (B)(3) (B)(7)(E) Fbi

Alluring as it is to think the problems can be solved with such mundane procedural steps, the panel concluded that reducing the chances of reoccurretlCes requires much more. The panel was heartened to discover that the Community has indeed "gone to school" on these two cases; we counted over a hundred separate proposals for improvements in various stages of study or implementation. (U)
So in formulating our recommendations, the panel is aware that we are dealing with a moving target. We are convinced, however, that in most areas our diagnosis of problems and our recommendations go beyond or build on what the Community is doing or planning. We believe these must be pursued with the urgency they would have ifNW 253 had blown up in the sky above Detroit on Christmas. Nothing the US Government did prevented that from happening. (U)
A full list of our recommendations follows in Appendix A. Our recommendaliomfaO into four broad. categories. (U)
First, the Community needs more efficient internal processes for locating, retrieving. ami disseminating terrorism-related intelligence that may be submerged in "noise "-and some new business practices for how the Community uses that intelligence once it has been *identified.* Agency heads have already embarked on much of this-directing, for example, changes that require more rapid sharing of reports, updating of dissemination lists, more rigorous visa checks, and all-source approaches to name tracing. (U)
A.closely related part of this is the equally important issue of watchlisting-how analysts use and collate raw reporting to identify a potential terrorist and prevent him from entering the United States.

Watchlisting has improved ~tically since 9/ll, but the panel nonetheless believes there are still some important gaps to close. (U)
The essence of the problem is that the process is too segmented and that no single individual or entity has full end-to-end responsibility for a particular nomination. Everyone works very hard at it, but we found considerable confusion among the agencies about roles, responsibilities, and procedures.

As a result, few participants have a fully infonned substantive grasp from I
'fOP SEORETHI **les/st/IORGONINOF9RN..** (b )(?)(E)
start to finish. At each step of a multi-layered process, someone assumes that someone else took the hard substantive look or did the thorough diggiBg dun is required in watchlisting cases. (U)
We saw this glaringly in the Abdulmutallab case; it is only a matter of time before similar instances occur. (U)
Our report adcitresses in some detail the question of whether Abdulmutallab could have been kept off Flight 253 by designation for the "No Fly'' list.

We encountered strongly competing views on this, with data that can be marshaled on both sides. Our bottom line is that the intelligence was present to nominate him for the "No Fly" list; we are less certain that the nomination would have been approved, given differing interpretations of the criteria at the time. Our :fuller view of this is described in the textbox on page 19. (U)
Related to all of this is what we found to be ambiguity surrounding the Terrorist Identities Datamart Environment (fiDE)-the database that is commonly thought to be the broadest repository for data on people of possible terrorist concern. The panel concluded, however, that in practice TIDE is really a compilation of individuals who have been considered for watchlisting; people who fall below that threshold but who nonetheless merit concern are not necessarily included. This limits TIDE's utility as a tool that analysts populate with fragmentary data to build, identify, and shape a dossier on a suspected terrorist. (U)
To slUnttulrite *our* 1't!co~ns in this tll'ea, the CommlUfity should:

- Clarify the criterillfor Wtltehlisting in a way that does not become
excessively specific, onerous, and legalistic;
- EsttiJJiish a trllining program dud will proWde greater clarity on the
roles and responsibilities of every agency in the watchlisting process;
- Instruct tl1Uilysts to poplllate TIDE with partial derogatory
informatJon....-maldng TIDE "tht! place to build a dossier" -rather
than treating it as a library of completed watchlist nominations. (U)
The second major set of recommendations concerns the need for an information architecture that reduces the "signals to noise" ratio for analysts rather *than magnifying it.* This has been seen as a problem for years but the Community is still far away from uniform or broad application of the search and correlation capabilities available in the private sector or in the average US home; (U)
Slow progress on this is always attributed to the tensions between the need to share information versus the need to PI'9tect it. Many of these problems are understandable, 'but if the Community does not push through these barriers it guarantees that we will have more surprises like Abdulmutallab's attempted attack. (U)
The absence of adequate information technology runs through both the Fort Hood and Flight 253 narratives, particularly the inability of infonnation systems to help analysts locate relevant reporting in a sea of fragmentary data or to correct for seemingly minor human errors. This.

despite the existence throughout the Community of several excellent systems run by specific agencies or focused on a specific problem-but either not broadly available or broadly applied. (U)
Our recommendations call for actions in the near tenn, the medium tenn, and the longer tenn-in an effort to put infonnation technology objectives into a strategic context. (U)
In the near tenn, the priority should be on a problem we saw in both cases-that many officers do not know what data exist and how to access it or use it. Examples of things that. could be. done include: greatly increasing online documentation on what is available, how to get access, who has access, and tips from experienced users; embedding information specialists in fast-moving analytic or operational groups to handle support requests immediately; ensuring that all systems default to .. fuzzy logic" to help correct for imprecision or errors in searches; implementing the DNI's decision to support near-tenn enhancements to a particularly sophisticated CIA analytic tool to enable National Counterterrorism Center (NCTC) and CIA officers to use its unique capabilities with limited technical assistance.

(U)
In the medium term, but sooner rather than later, the Community must enable persistent search, attach analytic insights to data, and bridge the divides that separate datasets. For example, intelligence officers need usercontrolled alerting services that can flag incoming traffic and correlate it with existing reporting--a capability that could have linked communications between Aulaqi and Hasan as they arrived. Officers need to be able to see who else has looked at a report, attach comments electronically, and see what others think-a capability that would have enabled broader discussion among analysts interested in an unnamed Nigerian affiliated with Aulaqi And it is critical to incorporate into all programs tools that enable officers to access multiple databases across multiple networks through a single software interface. (U)
Over the longer term, the Community needs to push completion of state-ofthe-art search and correlation capabilities, including techniques that would provide a single point of entry to query databases for which officers have authorized access. We endorse the joint efforts of various agencies to build toward a common infonnation infrastructure with common data services, such as those for collaboration, access, discovery, audit processing, and storage. (U)
A critical step would be to establish the virtual equivalent of the nowcommon Community badge-that is, a uniform way across the Community of identifying logged-in individuals and their access permissions, together with tagging of data to descnbe the rights needed to access it. This is probably the key step needed to break through the barriers to sharing that result from legitimate concerns for protection of sensitive data. (U)
Intelligence Community Directive 501, which codifies procedures for discovery and sharing of data, effectively lays the policy groundwork for implementing our recommendations on information technology. (U)
To summtJTize our recommendations in this area:

- In the near term, tllke steps to ensure that counterterrorism officers
understand all of the dlltll avtlilable to them and have the tools simply
to ticcesS eflicieirtly what already exists-when they need it and where
they need it.
- In the medium term, augment capabilities to get more ollt of
inj'omuztion with tools that allow officers to team more from the dlltll
than what it presents on the surface-who luzs seen it, what others
think of it or have done with it, what related data are available, and
how it reltites to historictd reporting.
- In the longer term, move beyond an architectllre that relies so heavily
tin human initiative to one in which "data can talk to dllta"-so that
relationships embediled in complex dtttasets are brought to the surface
in ways that IIIOve the analyst's starting point further down the field
and closer to discovery of an adversary's plans and intentions.
- Plli'sue these objectives on 11 "crash" IHlsis. The panel is convinced that
delay will flSSIIre that more Umar FtmJIIks get through US defenses.
(U)
The panel's third set of concerns and recommendations has to do with closing or bridging the structural seams in the caunterterrorism mission.

The "seams" are visible in nmnerous ways--in the blurred distinctions between the NCTC and CIA missions, uncertainty about primary responsibility for homeland-related issues, and an underdeveloped appreciation for the benefits ofjointness" in some mission areas. (U)
We began this stt,ldy thinking that the redundancies in the Community's counterterrorism efforts represent healthy competition and that "lanes-inthe-road" issues in no way directly contributed to the Fort Hood or 25
December incidents. Officers we interviewed consistently said that turf considerations and bureaUCiatic overlap did not play a direct role in either incident (U}
There is no way for the panel to produce a definitive assessment on that point, but there are groundS for skepticism. Generally, the panel thought the competition for primacy on many issues between CIA's Counterterrorism Center (CTC) and NCTC, for example, needlessly diverts the creative energy and resources of both organizations. Both organizations are staffed by highly dedicated officers and both have enjoyed impressive successes. But the panel thinks this competitive climate contributes to the "signals to noise" problem-given that finding the "signals" is highly labor and detail intensive-and could hamper the Community's ability to detect and prevent the next Abdulmutallab-like attack. (U)
Managing this competition bas been a perennial problem since the creation ofNCfC in 2004 and flows from the overlap in the analytic responsibilities of the two organizations and their need to draw mainly on the same talent pool. The panel discussed the merits of merging the two organizations' analytic functions, but concluded that important distinctions in areas ranging from legal authorities to data access argue against that.

(U)
NCTC's unique access to homeland data, its legislative authorities, and its relationship to the FBI make it the natural lead on all threats with potential to reach US soil. CIA/CTC on other hand is the natural lead on terrorist operations abroad, particularly involving support to operators and collectors. We cannot improve on a recent DNI directive that captures these distinctions and embodies many of the views the panel bas expressed in its meetings with NCTC, CTC, and the DNI (See Appendix D). (U)
There have been numerous such efforts to clarify the "lanes in the road"
over the years, however, and in the end it will be a leadership and management responsibility to ensure that .each organization plays to its comparative advantage. (U)
Related to that, the panel sees a need to dramatically increase the focus on threats to the homeland. We believe that the segmented nature of the counterterrorism community and the fragmentary quality of the data require a singular focus by some unit on unearthing such plots. In our view, this should be the primary mission ofNCTC's new "pursuit" effort, which is focused on more fully developing fragmentary data that raise concerns about terrorism but lack specificity. We applaud this effort, which must avoid the temptation to put the bulk of its energy into the more familiar task of tracking threats overseas. (U)
To Sllmllll'ize Olll' recommemkztionsin this area:

- *Orgtmiztltionlll* respm~Sibilities should play to the clear strengths of
each orgtmizlltion. NCTC's rellltionship with FBI, its legislative
authorities, and its tie-in to the homelantl make it the llllrallead on
all threats with the potentittl to reoch US soiL CTC's natural strength
is in focliSing on terrorist operations abroad, particularly involving
SllpJ10rt to operators and collectors.
- Counterterrorism organizations must each maintain both a tactical and
strategic focus. They are mutllally reinforcing emphases in
counterterroris111.
- Wherever Intelligence COIIUIIunity leaders draw the "lanes in the
roat4" SDme ctHnpOnent MIIStfocllS relentlessly and exclusively on
developing allletuls that can point to the US homeland.
- To increase Sellllflessness throughollt the inteUigence and law
enforcement commllnities, agencies should increase the rotation of
officers among these organkations. (U)
Afourtharea isolated by the panel and requiring urgent attention is the confUsion that exists in the Community around how to handle US Persons data. This aecounted for numerous missed opportunities relating to Aulaqi and Hasail'--'both US Persons-and for these types of cases represents a problem approximating in seriomness the shortfalls we document on information technology. (U)
We saw a surprising level of disagreement, even among experienced experts, on whether current authorities allow intelligence collectors, analys~ and law enforcement pet'sODllel to seamlessly track terrorists who communicate with US Persons or who land on US soil and thus acquire US
Person status. Officers in varioiJ& agencies expressed everything from unease to worry about inadvertent mistakes to fear of professional rebuke if they strayed outside existing guidelines. In many cases, the panel sensed that officers bad the authority they needed but were erring on the side of caution-a subtle form of risk aversion. (U)
Given the increased threats to the US homeland in the last year, including an increasing number originating here or involving US Persons, it takes little imagination to grasp how the next terrorist surprise could be the result of confusion or excessive caution about how to manage this issue. (U)
To sUitUIUZI'ize our recommendatitms in this area:

- The ODNI and the Department of Justice must come together to help
the Community updllte, hai'IJtonize, simplib, t:UUl, where necessary,
modih procedures for dealing with US Pe1'S011S data.
- The ODNJ, working closely with the Department of Justice, mllSI meet
a need for Slllntlartlized, continual, Com11111nity-wide training on how to
address US Pei"Som issllt!$, ltl.lilldng swe that agencies are aware of,
(lltd~ thilr liSe *ofiexis61;g* ~rlties that are deaigned to
botll *pnJtect* p~
imd ctnltibel'tkN wf;ile emzblin.g coHection.
xiv TOP SEGRET!lt!GS.'Sfi.'ORGONINer~ ~ l<b )(?)(E) I

- Such training lliUI guidtmce must focus on working-leveliUUilysts and
collectors-those who have to make decisions rapidly on the front
lines-where delay or confusion can open up vulnerabilities or lead to
lost oppm111nities.
- The Commllllity should engage key foreign liaison partners to develop
plans to ensure collection in a way that is aggressive and timely but
consistent with any protections for US Persons. (U)

## What More?

The recommendations in the above four areas cover most of what the DNI
asked the panel to address in its first two tasks. Most of this can be accomplished .within individual agencies or under existing DNI authorities.

In thjnkmg about the tJiirtt task-what might the Community do beyond theSe things and what migtft hew terrorist threats look like-the panel considered sevenu .. :blue sky" ideas and tried to probe beyond current wisdom about the ilatnr"e of the threat (U)
Brietlyldeveloped .in the text are some ideas along those lines, including how we might accelerate the development of improved information teclmology through a "Manhattan Project" approach; how we might make increased use of''matrix" management techniques to erase some of the seams in the ~rism community~ how we might build a "Name Trace Centtat" to work that problem end to. end; how the Intelligence Community's role in the visa issuance process could be expanded; and how the Community might further leverage the expertise of organizations such as State's Bureau of Intelligence and Research and Homeland Security's Office Intelligence and Analysis. (U)
Accomplishing most of these in a direct and efficient manner would involve substantial disruptions and probably would strain DNI authorities as currently formulated and exercised. (U)
Looking to the issue of how terrorism is evolving, the panel absorbed some sobering messages from the experts it separately convened from inside and outside the Intelligence Community. The key ideas that emerged strengthened the panel's conviction that the Community must prepare for more challenging days ahead. According to these experts, among the things the United States must anticipate are:

-
- A growing need to focus more intently on the people and networks that
enable disaffected individuals such as Abdubnutallab or Aulaqi to
become operational.
- The need for a well-developed model of the radicalization process from
which the Community can derive indicators of an individual's propensity
to adopt violent tactics. We have a strategic template for understanding
foreign-based threats. We do not have a widely understood one for the
homeland. (SIIN)
While we have concentrated our review on the Intelligence Community, the panel comes away convinced that preventing the next Abdulmutallablike attempt~ any counterterrorism effort more broadly-requires focusing on more than just the Intelligence Conununity: law enforcement, airport security, the policy community, foreign partners, and even 1he private sector need to address the systemic weaknesses that made Fort Hood and the 25 December incidents possible. At 1he risk of falling back on a cliche, we are reminded of the axiom that a chain is only as strong as its weakest link. Improved collection will not matter without sound analysis. Sound analysis will not matter without a robust watchlisting system. A robust watchlisting system will not matter without effective airport screening technology. Better screening technology will not matter without skilled screeners. There are multiple variations one could make on this chain of events, such as the vital role of foreign screeners at airports abroad-but all would reinforce 1he same point: the Intelligence Community is only one of several layers of our homeland security defense.

(U)
To finally defeat terrorism requires at least three things: destroying the leadership, denying it safehaven, and changing the myriad conditions that give rise to the phenomenon. The Intelligence Community can carry much of the burden on the fust two-but very little on the *third.* (U)
Finally, constancy of support for, and policy regarding, the Intelligence Community is crucial. While intelligence stands apart from politics, policy
(b){?)(E)
toWard. it is forged. in a political environment We cannot emphasize
enough that the pendalwn swings and ebbing and flowing of support is an obstacle tO mission perforrnanOe. NCTC, for example, was slated to lose roughly 35 positio~ prior to Christmas. The post-Christmas reaction to Flight253 has ea$ed tlleDUJber ofwatchlisting nominations to skyrocket; warning bas beCome so common that the Community risks creating its own "sigiiaJs-to-noise" problem. We have seen the same pendulum swings on the collection side, where agencies-acutely aware of past controversies--have erred on the side of caution, sometimes unnecessarily slowing the dissemination of valuable intelligence. The Community's Congressional overseers have a vital role to play in helping to stabilize counterterrorism policies and keep them on a steady course.

(U)

## Contents

page
Executive Summary (U)
Scope Note (U)
xix
What Happened? (U)
1
The Shootings at Fort Hood, Texas, 5 November 2009 (U)
1
Anwar al-Aulaqi's Dual Roles-Inspiring and Planning 3
Homeland Attacks"(St~W)
Fort Hood: Red Herrings and Conventional Wisdom (U) 5
The Attempted Bombing ofNW 253, 25 December 2009 (U)
6
Strategic Warning and Threats to the Homeland (U)
8
NW 253: Red Herrings and Conventional Wisdom (U)
10
Some Preliminary Thoughts on Learning from These Incidents (U)
11
Missed Opportunities: The Context and the Consequences (U)
12
Should Abdulmutallab Have Been Prevented From Boarding
19
Northwest Flight 253? (U)
Analysis and Recommendations on the Way Ahead (U)
20
Internal Processes that Help Find Terrorists in the Data (U)
IT Could Do It: An Opportunity to Revolutionize the
Community's Watchlisting Practices (U)
Information Technology: Managing the Signals-to-Noise Volume (U) 25
Is Information Sharing a Problem? (U)
29
Clearing the Way for Properly Sharing US Person Information (U)
32
Abdulmutallab, Hasan, and Radicalization (U)
36
Blue Sky Ideas (U)
37
Expert Perspectives: The View from "Insiders" and "Outsiders" (U)
38
Some Closing Thoughts (U)
39
Appendix
A.
Consolidated List ofintelligence Community Review Panel
40
Recommendations (U)
B.
Successes: Creating New Challenges for the Intelligence Community 46
C.
Methodological Recommendations for Information Technology (U)
47
D.
Analytic Responsibilities for Counterterrorism Analysis (U)
48
E.
White House Directives for Corrective Actions (U)
51
F.
The Community Response to the Fort Hood and NW 253 Incidents (U) 55
G.
Acronyms and Abbreviations (U)
57
20
23
Scope Note (U)
On 15 January2010, Dennis C. Blair, Director ofNational Intelligence,
established the Intelligence Community Review Panel (ICRP) to explore
the role and performance of the Intelligence Community leading up to and
immediately following the November. 2009 shootings at Fort Hood, Texas,
and the attempted bombiiig ofNorthwest Flight 253 on 25 December.
Specifically, the DNI charged the review group with three tasks:

- providing a detailed factual recotmting of those events, to include what
information was available to the Community and what was done with it;
- providing a review of what went wrong in the Intelligence Community's
performance and assessing the various recommendations and corrective
actions that other review groups have already put forward for discussion/
- and offering an assessment of improvements that other review groups
may have overlooked and that we judge could reduce the likelihood of
future incidents such as Fort Hood and Flight 253. (U//FOUO)
Between 15 January 2010 and 15 April2010, panel members and staff revi,ewed hundreds of documents related to the incidents, ranging from raw intelligence to finished intelligence production and postmortem assessments conducted by multiple organizations. Members and staff conducted roughly 70 interviews, meetings, and roundtable discussions with approximately 300 key decision makers, program managers, officers, and agents from components in the Office of the Director of National Intelligence (ODNI), the National Counterterrorism Center (NCTC), the Centr<tl Intelligence Agency.(CIA), including its Counterterrorism Center
(CTC), the Defense Intelligence Agency's (DIA) Joint Intelligence Task Force-Counterterrorism (JITF-CT), the Federal Bureau of Investigation
(FBI), the National Security Agency (NSA), the Department of Homeland Security (DHS), the Office of the Undersecretary of Defense for Intelligence, and the National Security Council. We do not identify officers by name or title in this report unless it is essential to the credibility of our judgments. Many of the meetings included follow-up requests for information.

- We shared our draft of the factual recounting of events leading up to Fort
Hood and 25 December with senior officers at CTC, NCTC, FBI, and

NSA, and solicited reactions and factual corrections. Any remaining errors are our own.

- To refine and challenge our thinking, we consulted two groups of
cxperts.--<>ne internal and one external to the Intelligence Communityto speculate on what terrorists might consider next, and how the
intelligence and law enforcement communities can anticipate those
challenges. We incorporated some of their ideas in formulating our
recommendations.
- Finally, we brought in four external experts to review the draft and offer
comments on its logic, clarity, and recommendations. (U)
Despite our best efforts, our work remains incomplete: new information continues to arrive that refines, clarifies, or challenges our understanding of both events. We had limited access to some materials related to the Fort Hood incident, some of which undoubtedly would affect our judgments;
agencies and departments varied highly in the level of detail they provided;
and we had only 90 days to research and draft this report.

- W c focused more on the 25 December incident because the implications
and responsibilities ofthe Intelligence Community were greater than in
the case of Fort Hood and because both the Department of Defense
(DoD) and the FBI had commissioned outside reviews concerning Fort
Hood. Where possible, we relied on information gathered for these and
other studies, such as the ODNI 30-day review.
- FBI Headquarters asked us not to interview field agents because the
Army team responsible for prosecuting Hasan indicated that these agents
are possible witnesses in the military prosecution.
- Similarly, we were unable to obtain the restricted annex of the DoD
Independent Review Group's report on the Fort Hood Incident,
referenced in media reports discussing derogatory information on Hasan
that was not included in his official DoD personnel filcs.3 (UHFOUO?
It is very important to note that what follows is written in the spirit of critical, objective self-evaluation that has characterized the Intelligence Community. Our posture is one of assessing these events dispassionately and clinically, fully aware that the shortcomings are not typical of the Intelligence Community's counterterrorism performance. Our aim is simple: to develop a clear-eyed, independent understanding of what we need to improve in order to make the Community's performance even l<b)(?)(E) I
better. And the ultimate objective we must all share is to make the adversary's task harder. (U)
Panel members were the Honorable John McLaughlin, former Deputy Director of Central Intelligence; Mr. Dale Watson, former Executive Assistant Director for Counterterrorism and Counterintellligence at the FBI, and the first FBI deputy director at the CIA's Counterterrorism Center; Dr. Peter Weinberger, a senior scientist at Google and a member of NSA's external advisory board; and Mr. Alexander Joel, an attorney serving as Civil Liberties Protection Officer in the Office of the Director of National Intelligence.

- Staff members were four senior officers with experience in the CIA's
National Clandestine Service (NCS), Directorate of Intelligence, and
Counterterrorism Center; the National Counterterrorism Center; and the
Office of the Director ofNational Intelligence. (U)
Report to the Director ofNJttio,nal InteBigence on tke Fort HoOd and Northwest Fligbt 253 Inddents On 5 November 2009, Army Major N'ldal ,f1asaD
opened fire at Fort Hood, killing 13 military personnel and wounding Or ilijuri.ng 43 militaty ~
civilian pe1'SODDel before being incapacita1ed by police and taken into militaiy custody.4 Seven weeks later, Nigerian Umar Farouk Abdulmutanab boaided Northwest Airlines Flight 253 departing Amsterdam bound for DetrOit, Mi~gan. Abdmmntallab tried to ignite an explosive device as the plane neared Detroit, but did not fully detonate the explt>sive. ~lte was quickly subdued by fellow passengers and taken into custody upon landing. (U)
What. foll()WS .aze tactual account$ OfWlaatthe intelligence and law enforcem.ent ~ties aid in the nmup to these events~ These are not~
to be exhaustive. These accounts highlight, based~
. available data, what the Community knew; when and how it knew it, and where the Community night have bad an opportuni~ to affect the coo.tse of.CVQ~ts. {U)
This assessment was prepared for the Director . .QfNational Intelligence by the Intelligence Community Review Panel. (U)
.

b For additional detail on the facts and circumStances leadiitg up to the shootings at Fort Hood. see the DoD, FBI. and ODNI Preliminary Review of Intelligence Olll!i Intelligence.~ on Niddl Malik HfJStlliPrlor ftJ lhe Fort Hood *Shoot.,* submitted to tbe White House on
30 November 2009, the DoD West-Clark report..

Protecting the, Force. *Lessons from P:ortllood,* and the forthcoming Iq)01't by Judge Webster~ who~ kading an independent reView oftbe FBI's acti.tins With respect to

## Top Seoretj/Fig&Iswjorcon/T40Forn.. L<B)(?)(E) I Top Seorel'Iihcs/Sift'Oftcohinofofltn.. J(B)(7)(E) I

On 27 May, the W~n Field Qffice replied to SanDiego'sJanuaryEC. 10 WFO'sreviewof~
source, FBI, and DoD d.atabases.bad prodUced no derogatory information on :ffirsan. In fact, they discovered that Hasan bad been promoted to ougor ten days preViously and was conducting .msead ~
Islamic beliefs' impact on views of mititaty servke in Iraq and Afghanistan-research thadlasan's supervisors had praised as having "extraordinary potential to inform natic,mal policy and military strategy."
TOPSEORETI/tiGS/S~OONINOFORt'~ l<b)(7)(E) I
TOP **RCI'ti!Ti/HCS#St/IORCON/t40FORN** ~~

(b)( 1)
(b)(3)
(b )(7)(E)
FBI
entire
page

TOP SECRET!JHGSAiii~RGONINOFORN/-
j(b)(7)(E) I
~
~e father said that he was concerned his son .. bad fallen under the influence ofUDSpecified religious extremists;"' had become
"active in the college mosque" while studying in London; and that his son planned to "commit his life to *dawa,"* or proselytizing. Abdulmutallab's family also assessed that Umar Farouk was .. a victim of inexperience and naivety and influenced to join groups who would be willing to engage in illegal acts in the name of religion.  (SIMeS 1'0CINF)
The father did not explicitly associate his son with terrorism and provided no names of the religious extremists. 28 The father noted that intelligence l<b )(?)(E) I

- As we discuss elsewhere, the draft intelligence
report was not disseminated until after the incident
on 25 December. (lii lfoWCSIIOCMF)
place a 'look out' for Umar Farouk Abdulmutallab in the State Department Consular Class System," the State Department's visa database.33 The Embassy, in tum, sent a Visas Viper cable addressed to State!INR, NCTC, FBI, and DHS-notifying them about Abdulmutallab's possible ties to extremists.

- State Department's Visas Viper cable prompted
NCTC to create a record for Abdulmutallab in
NCTC's Terrorist Information Datamart
Environment (TIDE).
-
searched the State
Department's visa and immigration databases, but
because the State officer misspelled
"Abdulmutallab," did not use a name variant search
iool, and did not search on his passport number, the
search did not flag that Abdulmutallab held an
. active-US visa,.which could-have~sed ofticers.to
focus more on him. 34
- Recognition that Abdulmutallab held a US visa
would not, however, have automatically triggered a
specific procedural step, such as placement on the
No Fly or Selectee list.
,...,.,,(b-,...)(=7,...,)(E"""'")--,I

## Top S&Gre'F.'Irs6#8Llforoon#Nofarniiii (B )(?)(E)

Scbiphol Airport in Amsterdam. Dutch authorities pulled him aside for secondary screening because of immigration concerns; TSA officers whom we interviewed *said* that Abdulmutallab revealed no signs of nervousness during the screening; ailport screeners x-rayed his carry-on luggage and directed him tbrough a standard metal detector without incident. Passengers seated near Abdulmutallab later
"FOP **SEeR1'1/HeSISif/ORCONJMOPORN** ~ l<b )(?)(E) I
told US inv~gators that he demonstrated no unusual behavior until the incident.

- As the :fijgbt ~
landing. Abdul.mutallab tried to
ignite a ~ly
detonated explosive; the device
did not ignite PIQPetly, and Umar Farouk was
subdued by other~ The ~ligence
Comnnmity learned during subsequent debriefmgs
that Abdulmutallab had received unspecified
traiJ;1ing from explosives ~
Jlnahim }Iasan
~.Who bad been connected to the attempted
ass~ination ofSaudi Minister oflnteritit Pririee
Mobamined bin Nayif. Asiri bad provided
Abdulmutallab with modified pants and sYringes,
with the goal of taking down an aircraft over us~..,..,..,.-,
54 m,'~
- The Stale Deportment's *miBBpel/mgQj"* ~lab.,;~~~a~
AbdnlmntaDabreceiveda~USvislinJtme~W-..
~1:0.
.   .
i1
,,
'
- Abdulmutollab sailed through airpf1 *scretm:ing.* 58 Abl~~
authorities in~.
W'Do WCIII'eeoDec:Rl1~1tJ
detector and lBs cmy--on blgage W8S X~
statc-of-tho-artaixpott~.~'IWllld Jlae ec.:lekld
on Abduhnut:aDab's body~
- TheUS~.dfdriot~IIRJI~~.
Amsterdam. ~
9 CusbDS andDosder ~
(CsP)
compared it againSt a~lookiug:lbr.~ -
included Abdulinutallab .. Fatthef~oft:t..
on the State ~s
va. VtpircQ~e, wltkh is
to interview Abdukm:nallab 11p0n am\'al

(b)(1) (b)(3)
(b)(?)(E)
FBI
(b )(1)
(b)(3)
NSA
(b )(1)
(b)(3)
NSA
(b)( 1)
(b)(3)
CIA

## Some Preliminary Thoughts On Learning From These Incidents (U)

In assessing the events recounted above, the panel believes it is important to keep in mind the following three points. (U)
First, there is no recipe for *perfection.* Terrorists will not stop trying to penetrate our defenses, and some are going to get through. The American public, elected leaders, and Intelligence Community officers are understandably uncomfortable with that idea, but it is an unavoidable reality-one that should be communicated to the American people. The task of identifYing and screening terrorists who may seek to travel to the United States is a daunting one, and illustrates the signals-to-noise challenge. More than
1.2 million travelers try to enter the United States by air, land, and sea every day. Consider the scope of the air travel problem: passengers enter from 245
airports on more than 1 ,600 flights each day; TSA
officers screen 1.8 million travelers entering and departing US airports across the country each day. 64
No amount of collection, no aggregation of data, and no level of information technology will guarantee the government detects and prevents all terrorists from making it onto US-bound aircraft or into the United States.

- Worse yet, the United States is dealing with a
nimble adversary that constantly adjusts to exploit
any weak link in the homeland security system.
Better US collection capabilities prompt terrorists to
adopt newer and more exotic forms of
communications; more invasive airport screening
technologies prompt terrorist to seek new ways to
evade screening-such as entering through
countries where patdowns are taboo-or alternative
modes of entry, such as by sea or by land. Every
US success is a learning opportunity for terrorists.
- Individuals already inside the United States, who
decide to use violence to pursue the aims of foreign
terrorist groups, pose another threat with unique
challenges to detection and preventionparticularly if they limit travel abroad and
communication with known terrorist groups. If we
are to identifY .. homegrown extremists," we must develop new methods to detect threats in the homeland, consistent with our laws and respect for civil liberties, and enlist the support of all Americans. Here, too, there are no guarantees.

(CI~
Second, information overload has made the signal-tonoise challenge even harder in recent years. The intelligence, homeland security, and law enforcement communities are swimming in data and often armed with outdated information technology; more analysts are needed to cover some of the nation's most critical national security challenges. Our recommendations address these areas, together with changes in work processes that must accompany them. The Community must recognize, however, that additional resources and better technology-while necessary and welcome--are no panacea. More information will always be available to be analyzed and correlated. These changes can only reduce--not eliminate--risk. (U)
Third, in assessing the events leading up to both incidents, and in considering any set of changes to the counterterrorism community, it is important to remember that choices will entail tradeojJs-ftScal, bureaucratic, and *so on.* Ultimately, where to draw the line on those issues is a political decision, but the entire Washington community should understand that choices will have potentially unpopular-and almost certainly unintended-consequences.

- Surging analysts to cover an emerging threat means
moving analysts off other !>Nnnnt"
- Easing standards to place more suspected terrorists
on the No Fly/Selectee lists carries clear tradeoffs,
such as a likely surge in false positives. Allowing
collectors to nominate suspected terrorists on partial
names-increasing the likelihood of detecting their
travel-risks compromising collection programs
when individuals are linked with aliases used only in their covert communications, while better information sharing with foreign governments or the airline industry inCt'eases the risk of compromising sensitive information.

- Requiring the airline industry to do more to support
the Intelligence Community-such as sharing
passenger lists earlier than 30 minutes before
takeotf-cottld require earlier check-in times for
travelers, undoubtedly an unpopular move. 65
Requiring that airline companies tilfonn the US
Government whenever an individual on the No-Fly
List tries to purchase a ticket probably would meet
with complaints that.the US Government is
imposing eostly additional bmdens on the industry.
- Instituting a minimum waiting period to acquire a
US visa, which would give State Department and
the Community more time to research suspicious
applicants, would undoubtedly prompt complaints
and perhaps even in-kind retaliation from some
foreign governments. (S/INF)

## Missed Opportunities: The Context Ud The Cousequeoces (U)

As the panel reflected on these events; we wete acutely a'Wal"e that hindsight always brings greater clarity. We also readily concede tbatourjudgments are in some ways provisional, because new information wi11 probably emerge in the coming months. We learned this lesson in
(b )(1)
(b)(3)
NSA

- These events did not occur in a vacuum; the
operational tempo and workflow for the Intelligence
Community were heavy and sustained throughout
2009 and in the lead-up to both incidents. Both
cases had novel aspects not previously seen by the
Intelligence Gommunity; the 25 December incident
was the first attack against the homeland by an al-
Qa'ida affiliate.

- Nonetheless, the intelligence reporting that could
have led the Community to identifY Umar Farou.k as
a potential terrorist threat before 25 December
merited greater scrutiny-although Intelligence
Community follow-up actions would not have
necessarily have kept him off the ajrplane.
- Causes of these "missed opportunities" ranged :from
human error to poor decisionmaking; heavy work
volume; an occasional lack of individual
inquisitiveness or understanding about who was
responsible for driving an issue through to its
resolution; ambiguous roles and responsibilities; a
lack of understanding of key databases; and
information technology systems that do little to help
officers and agents find and correlate key bits of
reporting amidst a sea of data. (TSNSI/~)

During our review, Ml' were consistently impressed
by the pttce, scope, breadth, and depth of the
Community's counte'*"orism efforts throughout
21HJ9, IIIIJY of which produced 1llllhle SllCCesses. -
During ~period, analysts were tracking

net<nng nrultiple requests for briefings; producing a steady stream of current production; participating in daily teleconferences with collectors, policymakers, and the law enforcement community; and providing analysis and support following the June shootings at a US military h NCTC's Homeland Year in *Review for 2009* noted,
"SuccessfuJ attacks, disrupted plots, and arrests ofSwmi extremists in the US in 2009 reached their most significant level since 2001." (St/N.F)
recruiting center in Little Rock, Arkansas.fm We discuss further some of the successes we encountered in the course of our review, and ways in which success can create new challenges for the Community, in Appendix B. (Tlilt/WCS.LSJm.W)
In addition to these other pressures, counterterrorism d officers were working with enonnous data flows:

compressed timeframe, unlike the methods of
~~;:-~~~g~;~ bv tQa'ida ~~~?}(E)
It is thus too simple to call this a "connect the dots"
problem-a metaphor that strips away context and trivializes the challenge counterterrorism officers face in dealing with massive volumes of data The 25
December case in particular is more akin to what scholar Roberta Wohlstetter in her classic study of Pearl Harbor called the "signals to noise" problem. 68
In short, the fragmentary clues about Umar Farouk's plans--the "signals"-were deeply submerged in a vast pool of intelligence reporting-thousands of messages a day, the ''noise." The task then, and the North Star guiding this panel's efforts, has been the question of how to raise such alanning "signals" from a body of noise that is growing rapidly as technology enables both the creation of more data and the Intelligence Community's ability to collect it.

(S//NF)
But even allowing for a challenging "signals to noise" ratio, the panel could not avoitlconcluding that the body of reporting related to the 25
December case deserw!il greater attention than it received. To be sure, hindsight separates the
"
fro re
-
"
..

f...

-
~.

..

was not surprising given that Nigeria is the world's eighth most populous country. That context is essential. ff'sf/Sf/INF)
What moved the panel to the view that this case should have stood out priorities, information overload; cun1bersome technical tools-all were factors that help explain why many of these reports were not actively pursued.

''Stovepiping" of accounts, however, was not-these reports were sufficient to raise red flags for analysts covering AQAP operatives, AQAP use of foreigners, AQAP travel plans, or *AQAP* threats against the homeland. We highlight below the opportunities for this case to_ surfuce:

##

- Sorting out reasons why these reports did not
receive more attention led us to conclude that either
they were submerged in a heavy volume of
reporting or simply reinforced analysts' concerns
about the threat posed by Aulaqi and AQAP to
targets inside Yemell--"-a danger to which the
Intelligence Community already was alert and
acting on.
The panel identified one report that should have prompted roiJltst pursuit by the Jnte/ligence Comlltll1lity and cotdd have led to identifiCation of Umar Farouk Abdulmutallab as a potential threat before 25 December. But-emblematic of the challenges facing counterterrorism officers-this report included no biographic data for the unnamed associate who, in retrospect, almost certainly is identifiable with Umar Farouk Abdulmutallab .

- We cannot rule out that there were efforts to pursue
this thread that the panel did not uncover. But we
were unable to document any follow-up. Short of a
scrub of known AQAP operatives or an intensive
l<b)(?)(E) I
The panel reecqgaizes that these recitatiOns aion&-in which we isolate reports and lay them out seriallymakes detection and warning of terrorism sound easier than it is. We have no illusion that this neat overview approximates in any way the real world of the Community's counterterrorism analysts and law enforcement counterparts. But we do think it was possible to make these connections. In much of what we recommend, we discuss strategies intended to make that more *likely* to occur in the world of heavy reporting voli:unes, competing demands, and high operational tempo that terrorism analysts actually occupy. (U/t.FQUOJ
There were several missed opporllmities'that coldd have increosed the odds of detecting AITdulmliiiZilab or *Hasan.* The causes of the missteps ranged from human error to inadequate information technology, inefficient processes, unclear roles and responsibilities, and an occasional lack of individual inquisitiveness.

December, prevented officers
from piecing together two key reports.

- State Department's errant name trace did not
reveal thst Ahdulmutallab had an active US visa,
which could have raised the Community's attention.
Moreqver, no one apparently noticed that
~lab's
passport from several years earlier
indieamd that he had a pending visa ~on
in
2008.
.
In both Cfl#S, the intzdeqllllCY ojinjonntllion technology for aggregating lllul correkiilng the t'fikmnt.,..,mtg wa *strlldng.* To be sure. much of the ~tlmt.~
bal'e causedUmar Farouk and Hasan ttl riSe above the t1rousands of pieces of raw in~
was available in one da.ta'set or tmotlier; ~focused seare~tes-such as o1r #U~
Farouk"mid "NlgCria"-would have'~
1ihe
~to a manapble number. Bt;ttef,
~teehaology could have helped
~fur liuman errors, time,pressufes.lteavy WWoad.l)rmmtcooUngs.

inCTC andNCTC~1he
pro~ofdatabases and the tim~g
riafm:e oi~
and searching eacll one.; JITF
pCrStmnel~in WFO, for example, baa to worlc: with
nearly two dozen separate databases-iooluding
one using an antiquated DOS-based system.
- This prompted CIA to change how it disseminates
intelligence, which we detail later in this report.
- We found that counterterrorism offtcerS from
multiple agencies had widely varying degrees of
familiarity with watchlisting terminology and
processes in their own agency, let alone the greater
enterprise, which translated into uncertainty over
who had responsibility for ensuring that a suspected
terrorist was placed on a watchlist .
# ,....,(B-)-(7-)( __ E_)_,,

(b)(7)(E)
To sa~
o11Tcq11dllsiom tmlldssetl
opporlltwitin.in *t-e* ~
cQSf!S:

- The pace, scope, depth, tmd Intensity of the
Comnnmity's wtirkloild in ~~ ran-ap tD both
events pliqed a rtJie iii olficerS not tretdihg the
reportbtg with the sense of lll'gency it ilesNved;
- Jnadeqatlie info1"11Ultion teclmology did not help
anlllpls iltltl *agents.* ~'and
COI'I'fllate
releMnt~eltherfleCallsetlle~
was liariell.in a!ietl tl/dtztaor sprellll among a
nmze of ,mc9nnecteil titltiiJmses;
- A.se(iesof~.~;/i'fnt,,._,~ ltJ
uncktzrIJilllleir~1llill~n
~.liretmttlttlt:kej~w~n
diil1$treabh people who migllt hawpieced them together or t1d8d on them;

(b )(1)
(b)(3)
ODNI
CIA
NSA

(b )(1)
(b)(3)
ODNI
CIA

## . An~Is Add, Jleeommeadatifts'Oa Li .. (W8,F ~(U)

As part of the panel's secolld tasJr. *:~asked to OOJD.'flt'eDt.ontnewrieus ~
tml.tthe Jntelligem;e ~~
iseoftsi~
d as wen as those~lirtbeseDate~~
on Intdligence(SSq)andvarious ~t organimions--mid fu ofter~
~ofonr.own.. We$) soful.}y itwa:re thattherewillalwaysberi~o'f~~
such as those at FortHOod arid threiatS to a~
.

securily; no set.of~OBS,:~iffufly
.iDlplememed, will.el~ SUCh ~::$ill.

.

:We bel~~many.ofdtese'~ will
increase theatlds that us and foreign~
can stop similar .incidents. 90
.
.
We found tbat~~ bave "gone1nsehoof" on
these ~and areitnpiemenllittg~ ~igned
tolimit~k~- Weare~
aware. that SS'Webave studieathe~ ~
eoilsidet'ed~ a test Of ..
agencies ana~"()l)Nl-~tbe ~tling .
simultaneoU$11 . We thUs eQJle1tidetf.tfiaf QUI'
oompamtiveali~._inl~~Y
across these im"tiatiVes and ~Which
O'Jies'descne addcd~s 8n4~no~ ~
there may be gaps.
'We thetef~m~~ soolyasmall
segmeatofthe~tm:ditec;~~s
currently under~.
mrevlewiug~after:-
. acti0n J;epOrt,s ofimli'VidUal ~et~ihnu, we
iEJcntiiied m.ore:thim IQ(;} separate pro~
Commuhlty-wide, Some ~ifictO mdividiuil
organizations--so~ comment~ on~
that.
struck us as mi:)st J'Slevmtt Weals<) flag~ .
proposa~s that struck l1s as. UnwiSe mmtmeois of
time, energy, and~
- Some ofaur reool'il!J)et!'dat~ are~
and IOng-
tenn-enchmy~~'~~
 .others areimtt'~~ teChnicat~lllftl~~!c;
but struck us as important enough to merit attention.
 We a:re~on moving targets; scme
~are
already Ullderwty.
- We also nWiZe that some of our xecommen4atiol!IS
are nottle\ilr. In part,~ flag those issues for that
very~: yearsofinteragency discussiensand
~~not
produced ac,tion, evon es ~
 ~.~continues. (U#.FOU~
l)isti11iag ijJe ~
metors OOIJlPlieat:ini ~
ped'~ t&aDmageable11Wllber, we'J()Cl:med our
~~ibm'
key arc., ailofwhich
w~
at ..
to one degree or an.otber m the cases of
.~~
or).bdwnmtallab:.
.~:'More dlidelltilltermtl,pnJeeSSeS tbat,}lelp
'.analysts locate, retrieve, -~~lml
~iutel~
anewbusines&~s
roc how the Conummity uses 1bat intelligence once
it has been~
~Aa~Udlnology~that
~~than
cootributesto.tbe.~
nois'c~,welmVt~y~.
A~~oflabortbat~
~~-tiW~~tllteS'()n
l:lm:ets te a:~tasi;amd Plays to the
~~eofvari(msommmiity
pat1:nelS;
. ~~~~
~euftlm)Uiidi'QgUS
~-.
raagfugftottl eollectingto ~
storing. and Sharing this intelligence. (ti/IFOOO)
~~
tltat Help Fm'dT~FJriStsttn tile Dafa Barty mom: reVi~ We identified Several problems
tbat.~the Commtmity'sabilitytotmd the

tenOiis'tj~m the: available data. There are $VO
~tothisprobtem: ~-~c
~.that adfeet the Con:.nmul'ity's.~ to
~.c~ibfohmtion,aml~
mtefti~ ts pmtedtogetber to support 'the
watchlistiag process. The. ftll"Illel' changes are
~lt" ..
Ie; the 1titCr requfre cba:ngiDg how
intelligence officers conceptualize and leverage the watchlisting process. (U)
Many of the problems we identified early were similar to those other review groups have no1ed.

Among the earliest judgments we reached:

## (B )(1) (B)(3) Cia ~Lligence~ -Must Be Disseminated More Rapidly,

- NSA field dissemination lists need to be updated;
- State Department visa searches must be more
rigorous and technologically sophisticated;
- NCS names traces must be conducted in all-source
databases. (Uf!FOUO)
We were heartened to learn that agencies have already made headway on virtually all of these issues.

- The Director of CIA has already ordered that all
NCS countertetrorism-related field reports be
disseminated within 48 hours of receipt, and NSA

## Lissejmimltion Lists (B)(1) (B)(3) Nsa ~Es -----91

- State Department has addressed processes for
conducting name traces. State Department oould
have searched on Abdulmutallab's passport number, which would have been more precise than a tnmsli:teration of a foreign name, and could have used a "fuzzy logic .. function that could haVe corrected for the typographical error, but. did not.

In response, State Department has instructed its o:ffieers to search the Consular Consolidated Database using the "fuzzy logic" function, include all CUIIent and past visa information on the Visas Viper cable, and conduct searches Q.n passport numbers. If implemented, these:measmes will increase the odds that known or suspected terrorists will be detected earlier in the visa application
9'....,.,., process. - v:;;,_/i ... i1
..... ,"--
We offer several additional recommendations as the Community moves forward in improving the seacch for terrorist identities. 93

- Some of the steps outlined above should be
expanded furougbout the ~unity. All agencies
should promptly diSseminate counterte:r"lorism
reporting, update their dissemination lists on a
regular basis, and conduct name traces against all of
their holdings. Dissemination lists for
counterterrorism-related intelligence and. State
Department Visas Viper cables also should be
updated on a regular basis to ensure that collectors
in the field receive reports germane to their area of
respons1bility .
- We recommend 1bat agencies examine whether
complicated dissenii'llation codes can be
stan.da:rdiized or simplified. The roliting error of the
~a
predictable COllseCpie:llce of
having such detailed dissemination codes.
- ~
search for terrorist identities should be
conducted against all holdings available to that
agency.
- A ''fuzzy logic" tool that automatically formats and
searches variant spellings and renderings of foreign
names, should be available and used in name traces.
- "Discoverability" should be part of the process. In
practiCe, this means that if an all-source search
against a name or identity leads to information
(such as a phone number) to which the searohing officer does not have normal access, a notation will direct the officer to a point of contact who can grant access to that information.

- Officers performing identity searches should be
trained to look for partial names, along with salient
points such as the person's location, affiliations,
passport~ schooling. or travel,.....,-details that
can further narrow the search and identity an
individual. -tG',LNP)
The second half of improving the search for terrorist identities centers on the equally important issue of watchlisting-how analysts use and collate the raw reporting to identity a potential terrorist and prevent him from entering the United States. Watchlisting procedures clearly have improved over the years.

Prior to 9/11, the US Government maintained 13
separate watchlists; today there is one. Since 9/11, multiple agencies transferred information from their systems into TIDE. In no way do we mean to detract from the progress to date. (U/7POU6)-
Still, the panel believes that *the* watchl~ing process needs. *adjustment.* The Comnnmity's understanding of watchlisdng is inconsistent, between and often within organizations. The natui'e of watehlisting-an end-to-end process spanning multiple units and organizations-has led to a segmentation and redundancy to an extent that ensures that no single individual or entity has full responSibility for a particular nomination. We saw this dynamic .

glaringly in the case of Abdulmut:aliab. It is Only a matter of time before similar instances occur.

(U,t,'F~
In short, *indivl* ~~even when performing their tasks efficiently and energetically, take a fairly narrow view of *their roles.* Evecyone works vt:cy bard at it, but we were struck by the uncertainty about roles, responsibilities,. and procedures. Within the NCS, we found uncertainty among officers dealing with the Abdulmutallab case about. the steps in the watchlisting process, limited awareness of what analytic efforts were required to search and tie together information to fonnulate a watchlist request, and what CTC Watchlistii.tg officers would do with the request; CTC Watchlisting officers assume area division officers have already searched for derogatoiy information and made pertinent associations before submitting the nomination, and that the job of ere Watchlisting was to format nomination packages for passage to NcrC
Watchlisting. NCTC Watchlisting officers, in tum.

stressed that their primaty role is entering data into TIDE and forwarding nominations from the feeder oiganizations, because they relied on nominating agencies to have done the all-source analysis. TSC
officers rely mainly on the strength of the nominations as they receive them. (U//FOUO)
Closely related is the ambiguity surrounding TIDE.

TIDE is the US Government's central repositocy of identities for known and suspected international terrorists; ImDY in the Intelligence Community-and, based on press reporting, in Congress-believe that TIDE is the place where the intelligence and law enforcement communities can easily search for and piece together bits of terrorism-related information.

In practice, however, TIDE is not that database.

TIDE as it currently exists ~s largely a eompilation of individuais who have been considered for watchlisting; individuals who fall below that threshold but who may nonetheless merit concern are not necessarily included. TIDE is not uaed as a dynamic tool that analysts populate with fragmentary intelligence to build, identity, and shape a dossier on a sUSpeCted terrorist. (UI/FOUO)
With that in mind. we offer several recommendations.

- The criteria and threshold for watchlisting need
greater *clarity.* Throughout our interviews we
heard thatdiffefrent agenciesuse differing
int~
of the criteria forwatchl,istiihg
n~.
94 Regardless of~,~~hold
for derogatory information eventually settles, the Intelligence Community needs a single set of transparent guidelines that enables analysts to determine whether and when they may nominate a suspected terrorist. We agree with SSCI that TIDE
administrators should accept nominations based on

- We. endorse the White House recommendation that
partial names; terrorists rarely use full, true names in their clandestine connnunications.

- We also caution agai!Jst criteria that become too
NCTC develop a records enhancement capability
that can build, locate, and track derogatory
information on all *intlividuals* in Tll)E~:process
already,rmderway.
- W atchlisting efforts should be streamlined and the
specifiC and *caveat-laden.* If past experience is any
guide, attempts to lend greater precision and add
nuance only open the door to greater~
when inherently subjectivejudgments me at plJ~.y. 95
r.Mngs *redirected* Agencies sucll as CIA
haw:e large .staffs whose primary duties are

| (b)(    |
|---------|
| (b)(3)  |
| NSA     |

-
As SSCI recently observed, the staQdalds ta place
an individual on a watcblist are simply too
complicated. 96
data entry;and processing before fol'W8I'ding the nomination to 1he NCfC Wa~ting staft Similarly, the primacy dUties of the }'fCTC'
Wawhiisting staff are to enmr ~~'~be data

- The Community needs to establish greater clority
.Deiore ~the
nomination to TSC. oar
interviews showed that such ~has given

on roles and *responsibilities,* making clear that the
nominating agency should see the nomination
through from start to finish. Ncrc plays a
particularly important role tracking suspected
terrorists who fall into. the amorphous categocy that
crosses between foreign and domestic jurisdictions.
each organization a sense. that otheiS;~ doing
more than they actually did. Reducing $0me of tbis
duplication couid make availahle resources that
could be redirected to other important watchlisting
wti~wroa:sr~~.IT
improvements can simplify this process.
oar mterlocutom often told us tDat: the ~~Wen Jl9tpliirii'Yaml'f~ ~*
present state ofU in the relevaafparts oftlhe~Co
.. unumtJ>-~emhtJt~l!ftisietH~~tT
could be doing:.....tb.is is true . But ooosider 'Miat woUld ja.ve~~if~l'f'~~~-cU')
1he Community to assist with nominations fer watddisting:



- A system with the sophistieated entity resolution capabilities oouldautomatieany .build'8m\i~TmE
dossiers based on data available to NCTC.


- An algorithm could give these dossiers p.relimiuaey"score~t~tlle~'of~~
criteria, taking into account presence ofdle necessay~(iil'l~ dllteo~ ete:hatf~cOf
associated derogatory (i.e . membership in a temmst ~).
' "'
- These computer-generated doSsiers would flow to the watchtisting aoaiysts for processing. with the relevmt
biographic and probable derogatory data bigb1igbted. AB new infOmlation came in, the~
would
highlight it in the dossiers pushed to the analysts.
- While we cannot be sur:e without expetimentation, we think it likely that ovm time the algorithms also could
be trailled to identitY the probable watchtisting criteria. tbst the dt:Jssier fits. {S#NF)
...,..,(b-)( __
7,...,.,)(E""'")--,j

- Analysts need to use 11DE as a primary repository
of intelligence rather than merely as a step in the
watchlisting process. In focusing on placing
suspected terrorists on the No Fly list, the
Community appears to have missed opportunities to
use TIDE as a powerful tool for aggregating all
derogatory and identity reporting on suspeered
terrorists; we recommend that NCTC take ~lead
in a Community-wide training progi'8Jn to help 'all
agencies understand the purpose of TIDE,
been fed into other watchliSt databases. The fragmentary nature of counterterrorism reporting makes it imperative that analysts lean forward in populating TIDE with derogatory and partial identity intelligence rather than waiting to assemble a comprehensive intelligence package that meets all of the criteria for No Fly status.

- The Community needs a standardized training
program on the specif:cs of *watchlisting.* We have
seen some. review groups claill1 that the 25
December incident proves a need for centralized
analytic tradecraft training, but in our view a more
pressing n~e
clearly related to the Flight 253
incident-is a common and~
understanding of the watchlisting process. IfTSC
remains the final voice in the No Fly/Selectee
decision, it should be the lead agency to direct such
a training effort. so that its standards are clear to all
nominators. (:!1/M')
To Slllfl1tftlriz. tlll1' recommentlotiom, the Commtmity shollhl:

)-
Use 1111-soiii'Ce hol4ings for searcltes on terrorist
identities; let1ert1tfe techMiogy such flS "fu;::zy
logk" fOr lfll1tfe wuilmts, *and* ~disctwertibillt"
tllwtlUltVes when there is relevant information
in lllltJtlrerlocation; train oflkers to use all the
Sil&nt details tltllt Cllllfii17'0W IM search and
identih im lndividllaL
)-
Clarify the criterillfor waichlisting in a way tlult
does not become excessivezy specific, OltDOilS,
and legalistic.
};;>
EsttdJJish a t1'tlining program that will J1"ff"itk
greater cltnity on the purpose of TIDE, the roks
and respun.sibiliti of agencies that may
popu/Gte it, and how TIDE }its into the larger
watchlisting process.
};;>
Instruct analysts to populate TIDE with partial
derogatory information---mtJking TIDE "the
place to build a dossier" -rather tlum tl'eflting it
flS a library of completed watc11/ist nomintdions.
(CtiNF)

## Information Technology: Managing The Signalsto-Noise Volome

Inadequate information technology runs through both the Fort Hood and the NW Flight 253 narratives, particularly the inability of IT systems to he)p analysts locate relevant reporting in a sea of fragmentary data or to correct for seemingly uWro:r human errors. The Intelligenee Community's IT
tools-wbicb generally lag several years behind those of private industry, and even f.artherbebind tDosc available to home users-did not help io1e1Ji8ence officers and agents correlate data that could have increased the probability of Abdulnmttalab and Hasan rising above the noise. Indeed, the incidents highlighted what we assess are the two main technological problems facing counterterrorism offiCers:

- Limited visibility and accessibility of
counterterrorism data that are distributed across
multiple, discrete databases and *systems.* NCfC
analysts, for example, have access to more than 28
separate databases and systems, each of whicho for
the most part, has a separate log-on. This means
analysts have to search. each.~ separarely
before trying to identify connections among their
results.
- Search capabilities do not allow foil exploitation of
existing data. In most cases, users must know in advance what to look for using Boolean searches to find terms in individual reports as they are received by the Community. This approach is intolerant of even simple mistakes in the queries and does not enable questions like: list everyone that is potentially affiliated with AQAP and bas a passport or visa that would permit entty to the United States or UK. (SI/1'W)
In our view, these shortcomings are the result of a fundamental problem in the Community's approach to IT -there is no accepted and comprehensive, Community-wide strategy. The Intelligence Community lacks a common vision of a desired end state, a common understanding of the potential benefits, and a coherent Community-wide strategy for development and acquisition.

- Continuing the CUJT\mt course willbecome even
more problematic as tbe amount of data increases
and almost certainly ensures additional incidents in
whiclt.~~Con.ummity~
..
aftel~ &1 it\bad access f()cfaf.a~.have
enabled detection and PotentiallY dist:UI)tion of an
attack.
- As the preparations for attacks are concealed more
and more effectively, the planning periods decrease,
and terrorists adopt new modes of attack improved
information technology will be vital. The existing
processes, policies, and operations will not suffice.
~)..
We propose three sets of recommendations-near;., mid-, and long-term-that seek to enable fuster adoption throughout the Community ofiT solutions that will reduce our reliance on human beings'
inherently limited ability to sift and correlate vast amounts of data in their heads. Our recommendations range from incrementally upgrading existing applications to fundamentally reimagining the Intelligence Community's IT infrastructure; many can be accomplished in parallel.

- These recommendations are intended to serve only
as a starting point. IT is a moving target, but
waiting and debating in search of a comprehensive,
perfect solution is dangerous; the importa[lt thing is
to get started.
- When implementing these recommendations or
taking any other steps to enhance the Community's
IT infrastructure, it will be important to adhere to
four key methodological principles: invest in
computing capacity ahead of need, embed
developers with users, adopt a modular approach
based on separation of applications, data, and
infrastructure, and experiment. Details of our
proposed methodology for implementing these
recommendations are found in Appendix C. (S/INF}
We assess agencies' desire and need to protect some of their information will be the primary obstacle to implementing these recommendations, but this barrier is surmountable if policy, tecluiology, and operations can co-evolve. Technologists need to demonstrate capabilities that instill confidence that access can be limited to authorized users, thereby addressing the concerns underpinning current information rna
..

(b)( 1)
(b)(3)
CIA
shows that assessments of this tradeoff can change as new technologies are introduced.

- Many of the people we interviewed assessed that
policy on handling US Persons data,97 1aw
enforcement data, and sensitive source data was
limiting the Intelligence Community's ability to
aggregate and exploit available data, especially
information pertaining to critical domestic-foreign
nexus issues.
- There is no perfect solution to the risk/benefit
tradeoff on enabling correlation of data from the

## J(B)(?)(E) I

Community's most sensitive sources, but the counterintelligence calculus on terrorism data should be looked at through the prism of risk entailed in the event a terrorist act is not detected.

(S/~W)
Moving Forward on *Information Technology.* Our recommendations fall into three categories: near-term changes with limited resource implications, intermediate changes that require more time or resources, and longer-term efforts that we view as essential for the Intelligence Community to at least match capabilities already widely available outside the Community.

- Many of our recommendations are not novel.
Several have been discussed for decades, and some
already are underway.~M We emphasize them here
because we view them as essential for the
Community to increase the likelihood that the right
"signals" emerge from the "noise."
- For our recommendations to be effective, they need
to be followed with particular urgency and fidelity
by the four Intelligence Community entities with
the broadest responsibilities for counterterrorism-
CIA, FBI, NCTC, and NSA. There are no
organizational barriers to these four agencies to
collaborate to improve their ability to exploit data
that they already share. (U/fFOUO)
In the near term, the Intelligence Community must address the problem-as evidenced in both incidents-that many officers do not know what data they are accessing, what other relevant data exists, or how to exploit it.

- Greatly increase online documentation related to
datasets by, for example, tagging and registering
them. This information should be easily accessible
and include what data are available, how to get
access, who has access, and tips from experienced
users.
- Enable authorized users to access and use all-source
data and applications from anywhere and at
anytime, except when reasonably prohibited by
security concerns. The 25 December incident
highlighted that officers in the field sometimes are best positioned to separate signal from noise.

- Search capabilities should default to the use of
fuzzy logic. Had this been the case in November,
the State Department's Visas Viper cable, despite
the misspelling, would have prompted discovery of
Abdulmutallab's active US visa.
- Embed IT specialists in fast-moving analytic and
operational groups to handie simple support
requests immediately_ The Community should not
continue to allow mundane IT problems to interfere
with its mission.

## - (B)(1) (B)(3) Cia

In the midterm, but sooner rather than *later,* the Intelligence Community must enable persistent search, exploit query logs, attach analytic insights to data, facilitate continuous IT improvements, and bridge the data divide-while building toward the long-term vision: To do this, the Community must:

- Augment current search capabilities with usercontrolled alerting services that would flag
incoming traffic
- Enable officers across the Community to see who
else has looked at a given intelligence report and to
electronically attach informal insights and view comments by others. This may have enabled broader discussion among analysts interested in a Nigerian affiliated with AQAP or in Hasan and Aulaqi.

- Embed developers with users to provide continuous
improvements to mission applications. This would
foster innovation by giving developers-who can
imagine what technology can deliver-a better
understanding of end-users' requirements.
- Incorporate application programming interfaces
(APis) into all existing programs so that they can be
accessed, as appropriate, through other programs.
This would, policy permitting, enable officers to
access multiple databases, across multiple
networks, through a single software interface.
- Incorporate into new and existing programs the
capability

## Odni

In the long term, we make three recommendations to help ensure the Intelligence Community provides its counterterrorism officers with state-of-the-art capabilities for search and correlation. Several technical leaders in the Community are working on ideas similar to or consistent with these; we offer our perspective to encourage and help shape these efforts.

(U)
First, enable a federated and cross-domain search.

This would be a minimal step toward modernizing the Community's search capabilities and ameliorating some of the problems posed by the proliferation of databases across networks. Developers would place a thin layer over existing databases that would provide a single point of entry to query-through an API-
each database to which they are authorized access.

This would minimize the extent to which officers must remember where to search for what data and simplifY officers' synthesis of the results. (U)
Second, separate applications from data and infrastructure. This would enable authorized intelligence officers to access and use any data, anytime, from any workplace, with any tool, except as policy prohibits it. The most important initial step is to establish the virtual equivalent of the nowcommon Community badge: a common way of identifying individuals and their access permissions together with tagging of the data to deseribe the rights needed to access it.

- We endorse the joint effort of various. agencies,
-
working through their chief infonnation.ofijcers, to
build toward a common IT infrastructure and
identify common data services, such u those for
collaboration, access, discovery, audit, processing,
and storage;
- A common infrastructure for all data would have
many advantages, including enabling the use of
sophisticated search algorithms such as those used
on the Internet, instead of the outdated Boolean
searches currently used on most Intelligence
Community systems. Another benefit would. be the
capability to allow. a user to file all relevant data on
one interface. rather than on a. system-by-system
basis. (U/IF()U()}
Thitd, build computing clouds and data centerswhich will enable dispersed, enterprise data sharing and processing-as the basis for the Community's IT
infrastructure. The resultant computing capacity will allow "data to .talk to data," identify relationships, produce results that analysts now have to put together by hand, and do it before an officer has even thought to make an inquiry: Routine use of this kind of processing almost certainly would have helped identify Abdulmutallab for watchlisting.

- Additional advantages of a cloud-based approach
include lower overall costs, greater tlexibility in the
use of resources, ease of maintemmce, and easier
portability ofinnovations. Private-sector
technology leaders such as.Microsoft, Amazon, and
Google build their systems using clouds.
- As the Intelligence Community moves toward the
cloud, it will need to adopt-at the Commllllity
level-hardware, operating systems, and networks.
All new systems shoUld be expected to use this
common base. (S/~)
l<b )(?)(E) I
We also endorse two current initiatives that are necessary precursors for the Intelligence Community to move toward cloud computing:

- We believe investment in the U Cloud Pilot, which
will facilitate enterprise data processing and
storage. is critical to modernizing the Community's
use of information technologies.

## Our R~ In This Llretiiite Lfftldi Llld1'E Coiilplextht:Melsewhere Tmd *11Es1St* ~ Norteiltekss, .18 $Llltt1Lfll'Rize:

-
In *the* lrelfrtenn, tllke the stqs dettzilelllliHJ:ve to
mslll't! tlud cormterterrorism o.flicers
understand all of the data llVIIilllble to lhe11111nd
have the tools to access what alrelldy existswhen they need it and where they need it.
-
In the mitltenn, augment capabilities to get
nrore out of the tlatll with tools thllt allow
ojJicers to leam llfOI"e from the data thml what it
presents on *the* surf~who has seen it, what
others think of it or have done with it, what
11elated tlatll is avaihlble, and how it rellltes to
historical reporting.
)-
In the ..
tmn,.111f1Ve beyond an II1'Cititectwe
tlutt ~
 *lletnily* on human~
toone
in which "datil can talk to dattJ--sg.t/iat
relationships embedded ;, coltiJile:x datasets are
brtlught to the sll1'j(lce in ways that IIUJW! the
tmlllyst's starting point further down the field
and closer to discovery of an adversary's plans
and intentions.
)-
~t/JeseolljectiPeson a "CTQShIHisi& The
pattelis eo~
tlrtit tlehsy will assui'e that
llliJre lJ1(ulr Fal'tntlcs get throlig/1:; (UI!PfRJ(JJ
Various review groups and agency-specific lDCil1DS have concludal tkat isfuJ:mation sbafili&. was neta
significant factor contributing to the incidems. at Fort Hood aad oo 25 ~we aereewahtbat<bmad
conclusion .. Some issues that sucf8Gcd, ~
~
tiedtodle'hm'flueU~!S ~ilreiideat.merit follow-up to detmmine~theseisfraes. impede the ~orism:mWon:


- FAA officers said that analysts there 'have~ aecess to FIB ttm:at ~
lind'JRJ8eceai&11'DB .
because FAA is not part9f'lhe JnteHigeseeCb'unmmlty.w

.
.
- TSA officials nok!d that a Jaokof~
stiaringwith C()QI;lfepatts.,_may limit~Hb~
cannot share threat~ to ll1ab its Gase fof implementiDg~ ob custly-

countermeasures. QI~
Going forward, the Community must *make* ~hs on inj"ormadon sltoringptilicy ani/its implementation to reap the benefits ofiltjomtQiion *technology* . . Polity must be. ~tot!II!IIWe~
users to access and use all-sourcedatam4~oos ftom ~audat~~
reasonably prohibited by security oo.eems.

- Intelligence Community Directive SOl, Discovery and~
or Retrieval ~:Milia
the
Intelligence Community, codifies~ for discovery aad shariaa ofdata. 'Iltese~l!ll~
authorized Comm'UDityusers to ~reilemmtdata inotiet.~~~~~-
abead:y have access-find a p001t oftoatadierequest ~~ ~it~
l&yathe~
~ .
groundwork for implementing ourlbCt*ti&M!Jdatkms on~~

- The Community should develop an integrated approach to~
sharing with US pCmmcateadties.
outside the Intelligence Community, i.e., "non. Title SO organizatioBs. n :atbts sJready are~,
but 1D1
integrated approach would help clarify what information the CoQunonitY- aca$S fromn.oa'r6 so
organizations, and wbat fhose~'ed in return trom theQwnummty.


- Procedures for sharing information on US Pwaons must be clarfJied !J1I(l *better* quia~. We~.~
at length in a separate section. The Community cannot rea1i7e the~
ormt0Jlfl'ilion.~tb
assist the cotmterter:rorism :rirlssion~c~ these issues. (UJff'E)YO}

    .
l<b )(?)(E) I
Closing the Structural Seams in tbe lntelligeaee CommoDity's Counterterrorism Mission We ob~ed a third set of problems related to the roles and responsibilities of the Conummity's counterterrorism efforts. We began this review with the view that the redundancies in the Community's counterterrorism efforts represent healthy competition and that "lanes in the road"
issues in no way directly contributed to the Fort Hood or 25 December incidents. Officers we interviewed consistently said that turf considerations and bureaucratic overlap did not play a direct role either incident. (UHfOOO+-
There is no way for the panel to produce a definitive assessment on that point, but there are grounds for skepticism. The panel is concerned that the overlap between CTC and NCTC extends beyond healthy competition and that the turf battles, duplications, and clashes are a drain on the resources and creative energy of both organizations. This is concerning in part because both organizations stressed to the panel that they did not have enough resources to cover all issues at the level they deserve. Moreover, given the labor intensive nature of counterterrorism work. any wasted energy only exacerbates the "signals to noise" problem-which could hamper the Community's ability to detect and prevent the next Abdulmutallab-like attack. The panel believes, therefore, that there is still wOik to be done in sorting out the mission ofthese two. important organizations. (U/IFO~
Create a formal division oflabor that plays to the dear strengths of each organization. From the moment NCTC was codified m the 2004
lntelligenee Reform and ~errorism Prevention Act
(IRTP A}--:tran:sfonning the threat orientatim of its predecessor, the Terrorist Threat Integration Center, into the primary responsibility for the analysis of terrorism-it was inevitable that there would be problems of deconfliction between it and CIA's CTC. given that the analytic portions of the two organizations have so much overlap in their missions and draw to a large extent on the same limited talent pool. The panel discussed the implications of merging the analytic function of these two entities but concluded each has distinct, essential missions that require emphasisdetecting and identifYing threats to the homeland and supporting counterterrorism operations abroad.

(U/ff'OUO)
Over the years, much effort has gone into formally codifying the .. lanes in the road" for each to follow, and we cannot improve on the DNI
directive of 7 April2Q 10 (see Appendix D), which embodies many of the views we expressed in the course of our discussions with NCTC, CIA, and the DNI. Clarifying these roles and responsibilities will. we think, improve mission performance, reduce bureaucratic conflict, and avoid reforms that could be counterproductive. In the end, it must fall to leadership and management to marshal the talents of their people and the mandates of their organizations in ways that are mutually reinforcing and that close whatever gaps open up in our counterterrorism coverage.

- NCTC's relationships with FBI and DHS,
legislative authorities, and tie-in to the homeland
make it the natural lead for tracking and warning
of all foreign threats with the potential to reach
US soil.
- CTC, on the other hand. is the natural lead on
terrorist operations abroad. particularly involving
support for operators and collectors. {&'~
It appears that much of the tension between the two organizations centers on issues related to the President's Daily Brief (PDB)-everything from who takes the lead to what is said in the articles.

The panel believes it is not necessary to implement the cbqe proposed in the ODNI's
"Counterterrorism Review Master Action Plan: 6
Month~-" This reeommendstbat "NCTC
leads PDB plamling process" on counterterrorismrelated stories. The PDB is already a Communitywide publication, and ODNI officers on the PDB
leadership team already have the authority to task agencies to track and write about specific issues.

We think that exercising current authorities could achieve the same goal-integrated analytic coverage-with considerably less disruption and bureaucratic layering. {SIINF)
We are skeptical of any division of labor that divides counterterrorism responsibilities exclusively along "tactical" and "strategic" lines.

Terrorist organizations do not function that way, nor do analysis and collection. It is impossible to perform tactical analysis without an understanding of strategic goals, and it is impossible to understand an organization's strategy without a grasp of how and why it conducts specific operations. (Sf~lF)
Dramatically increase the focus on threats to the homeland. As we observed the segmented nature of following terrorists bound for the homeland-and the associated problem with bureaucratic handoff as the threat moves from the foreign to domestic realm-we became firmly convinced of the need for a unit that would lead the Community in tracking all threat reporting that hinted at an attack against the homeland. While all agencies should focus on threats to the homeland as their greatest priority, one organization needs to have sole responsibility for tracking, warning, and coordinating the Community's response to an threats with the potential to reach US soil. We think NCTC is a natural fit for this role.

(UHFOUO)
For this reason, we strongly endorse NCTC's concept of a "pursuit group." The goal ofthis group, as we understand it based on the DNI's recent memo,
101 would be to provide analytic and analysis-driven insight and tasking for follow-on collection to establish the underlying basis and provide additional information useful to thwarting the plot. As that group develops its concept of operations, we offer five recommendations:

- It must emphasize primarily threats with the
potential to reach the homeland, avoiding the
natural temptation to fall back into the
traditional, more familiar terrain offocusing mainly on threats overseas;
- The organization must place a particularly heavy
emphasis on areas where we have limited or
emerging coverage;
- It must deconflict and coordinate its pursuit of
targets with other Community components so that multiple units are not duplicating the efforts
of another;
l<b)(?)(E) I

- It should develop a coherent set of indicators that
will help identify when terrorist groups
- Its metric of success should be tapping the full
range of US government capabilities to identify
and disrupt plots--not traditional metrics such as
production of finished intelligence. (Cf/Nf')
Increase "jointness" within the
counterterrorism community. No mission in the
Intelligence Community is more important than
preventing terrorist attacks inside the United
States; it requires seamless collaboration, from
collectors in the field to consular sections, airport
screeners, law enforcement and intelligence
officers, and policymakers. (U)
Yet the process is still too fragmented and segregated. In our review of the Abdulmutallab and Hasan cases, we noted that contacts and information flow between agencies were often uncertain, frequently based on personal connections and individual initiative rather than institutional arrangements. To cite only a few examples, CTC, NCTC and NSA officers often commented on the central role of TSC.

Watchlisting officers explained that the normal process required time to move a nomination through to a TSC decision, but when the situation required rapid action, telephone calls to personal contacts at TSC could expedite the process, taking hours rather than days. Embeddedness ofNSA
and CIA officers at TSC, and vice versa, has been uneven. Similarly, embedding more TSA officers in those agencies could facilitate the process of delivering downgraded tearlines pertaining to aviation threats.

- Increase the nwnber and frequency of personnel
rotations between CTC and NCTC-not just
among line analysts, but among senior managers,
as well. These should be mandatory and take
place with regular periodicity. We suspect these
moves would foster collaboration as each side
views the lanes in the road issue while driving on
the opposite side of the road.

## L(B )(?)(E) I

- We agree with the West-Clark review of the Fort
Hood incident, which noted the need for greater
collaboration betWeen FBI and DoD; there also
were no counterintelligence officers from the
Department of the Army, CIA's
Counterintelligence Center, or the DNI's
National Counterintelligence Center supporting
either the Washington or the San Diego J1TF. 102
- "Jointness" can also be pursued as a performance
objective at the individual level. As a small step
toward developing a culture of collaboration. an
explicit performance objective for all CTC and
NCTC analysts shonld be to conduct one joint
project per reporting cycle with their primary
counterparts from the other organization.
Officers should be evaluated specifically on
whether they meet that objective. '(O'~W)
To summarize our recommendations:

);>
Organizatiqna/ responsibilities should *play* to .
the compartllive lldvantage of etlCh
otganiz.ation. In practice, this mesns thllt
NCTC's relatlunships with FBI and JJHS, its
legislative alilkorilies, and its, tie-in to the
homeltmd make it the 1Ullllrtd lead on 1111
threms with the potential to reach US soiL
CTC, on the other hand, is the lfllllrtlllefld
on terrorist operations abroad, jJarlicularly
involving sUpport for operators anti
collectors. Focusing on this approach would,
we suspect, reduce the time-consuming tilT,{
disputes over PDB authorship.
~ Wherever InteHigence Community ktzders
draw the "lanes in the 1'0ild,., some
component must focus tirelessly and
exclusively on folltnving 1111 repOrting that
involves threats to *the* us~
Tltis
needs to be a primary focus of NCTC,s new
pursuit groilp, as it deve/opsfragmenklry
data that raise concerns abolit tem iSm but
lack specijiclly.
~ To improve seamlessness thT'OIIghout the
intelligence and law enforcement
communide$, agencies should increase the
rotation of offrcers among these
organizations. (CifNil).
Clearing the Way for Properly Sharing US
Person Information Throughout our interviews, we were impressed with the great care taken by the Community to protect inferma.tion about US Persons. m toJ We noted. however. that US Persons issues manifested themselves in several ways in these cases.

- Sharing US Person information with foreign
partners, and tasking them to
- Intelligence officers in both the 25 December
and the Hasan cases worked hard to stay within
authorized guic:ielilll~
In general, we noticed a strong belief among collectors and analysts that restrictions on collecting, disseminating, accessing. and analyzing data on US Persons impede, mission performance.

A high-level NCTC official listed enhanced authorities related to US Persons as the nn11nher-
We also saw a surprising level of disagreementeven among experienced practitioners-on whether current US Person authorities allow intelligence officers to accomplish their missions, or whether new legal authorities are needed.

(b)( 1) (b)(3)
NSA
TOJI ecRI!'ffiHCSIS~~OONINOFORtt **...** j(b)(7)(E) I

- Similarly, NSA officers noted that if they were
swveiling a suspected terrorist overseas whom
they thought to be a non-US Person. and they
later learned that he was a US Person. they had
to cease coliection while they sought separate
court authorimtion to re-ini.tiate collection,
resnlting in another collection gap.
Panel members with deep experience on FISA and related matters provided a different perspective.

They believe that current authorities, when clarified and fully leveraged, should enable the government to accomplish its counterterrorism mission.

- For example, they believe that the Community's
current authorities enabled the government to
adequately swveil US Persons globally and
suspected terrorists inside the United Statesand to share lawfully collected telephone
numbers in shared databases--'-while also
protecting privacy and civillibexties.
- The experience of these panel members leads us
to believe that the government must develop
more efficient processes to make effective use of
existing authorities, especially ones that focus on
- In general, the law and the Community's
governing Executive Order (EO 12333) provide
the government with the operating room to be
effective; most of the burdensome steps appear
to be internal to the government's implementing
procedures-which could cause the collection
gaps and other issues described to us.
- Fixing these procedures is not solely the
responsibility of any single agency or of the
DNI. This requires the Department of Justice
continuously to engage with the DNI, both to
calibrate on an ongoing basis how to craft the
procedures so that they clearly and
straightforwardly implement the Community's
governing legal requirements, and to provide
assurance that when the Community complies
with those procedures, it is following the law.
~'INfL
We believe that the Community's culture of carefully protecting US Person infonnation is vital for earning and maintaining the trust of the American people and of oversight bodies. The Community must have that trust so that it can make the most of existing authorities-and obtain new ones as needed-to counter a rapidly evolving terrorist threat.

- Indeed, we believe that in that light, it is all the
more important to streamline and clarify policies
and procedures-to ensure they are being used to
protect privacy and civil liberties interests and
implement legal requirements, rather than to
serve other purposes.
- To be an effective part of the intelligence
mission--and not be an "impediment"-policies
and procedures must be focused, clear, easy-tounderstand, and consistent across agencies where
feasible. We believe much work lies ahead to
achieve that tsHN*-)
Callectively, these US Persans issues can and must be addressed *in the near term.* Some involve closing the breach between the perceptions and realities of current US authorities; others entail changing internal procedures of individual agencies. All involve focused leadership frem the DNI, in concert with the Department *:of* Justice.

We understand that this important work has already begun (see Appendix B). (U)
We see a need to simplify, harmonize, update, and modify the Community's procedures tela:ting to US Persons. We also see a clear need for standardized, continual Community-wide training and guidance on how to address US Person issues.

- The goal of such efforts is twofold: First, to
make use of the Intelligence Community's
authorities to the full extent intended, so that the
Community can more efficiently manage the
information in its possession and correlate data
as envisioned by the IT recommendations.
Second, to help intelligence officers better
understand what they need to do to collect and
share inforination with confidence that their
actions are consistent with legal and privacy
requirements.
- It is especially important that these efforts focus
on working-level analysts and collectors who are
most directly affected by US Persons
considerations, to dispel any misperceptions, and
to elicit areas where training, guidance, and
updated procedures could facilitate intelligence
operations while still protecting privacy and civil
liberties interests. For example, working-level
officers should be provided a consistent, clear,
authoritative-and preferably online-:gu.ide,
with the assurance that following it provides a
"safe harbor" on US Persons issues. (U)
We also recommend that the DNI establish a Community-wide, inter-disciplinary process for determining whether new authorities may be needed, on emerging issues, such as radicalization, new technological developments, and new fonns of terrorist communication. The goal would be to provide clarity and confidence to operators and analysts so that they know how conduct their missions in a way that properly protects privacy

## To~:

and legal interests, clearing the way for decisive action.

- If, as we suspect, terrorist means of
);;>
Protecting US Person injormtztion is vital for
IICCOiflp/iShJng the intelligena ltli8slon; t/u!
raks ftJI' doing so IIUISt - foctiSell, dear,
eflSY-to-lllltlerstimll, *and* ~IICI'Oss
agencies wMre feaible.
communication increase in sophistication and
self-radicalization inside the United States
becomes a more pressing concern, it will be
increasingly urgent to regularly bring together
analysts, collectors, and attorneys to discuss
whether current authorities and guidance are
keeping pace with the evolving nature of the
terrorist threat
);;>
The DNIIIUISt, in concert with DOJ, IIJad a
CUIIUIUUiity-wide effort to pro11i4e Wining
and gllitlance on 1JS Person polldes and
procedures, and to sbnplib, strl!llllne,
updote, tmd haTIIIOnize them where feasible,
with t1U! gOIII of providing Co,munity
oper1110rS and amdysts the confidence they
need to do tbei7 jobs knowing tlult they are
properly protecting privacy and complying
with the lllw.
);;>
The Commlmity should engage with liaison
services to cltlri,h and stret1mline its
procethiTeS *for* pr~
coiJecting tllnd
sharing US Person infomuzlion.
- Regarding working with liaison partners, we
recommend all agencies actively engage key
liaison partners to develop plans to ensure
collection in a way that is consistent with any
protections for US Persons. The Community
will benefit from a review of procedures for
sharing with liaison services when it has
authority to collect on US Persons and is ~
liaison assistance in such cooperation.
- Our recommendation in this area is an expansion
of sscrs sensible guidance that NSA should
conduct such an effort with its foreign partners.
(S!,N)-
);;>
The DNI should establish tm interdisciplinllry process for providing guidance
tmd clarity on emerging issues rehzting to US
Persons, sach a radictll4otUJn, new
teclmologies, and new forms of
commutriclltion. fS.{LNPJ

## A~Jrdw~Bi .. Llab,Baao, And~ (U)

Despite the IJl8DY dif'fCnmces ~
~.~ ineKkmts,
104 a common thread through both of them was what the Inte~ COdrnnm1ty~~~~n During ournwicW, we came away 'With four recommendations related to ttns is&Oe. (U#F()GO)
First, the Community shoutdaeedemteits eftDrts to Ul1derstand ~.~
This is a~:MDgthe areas from wbicll intenigence SU1:ptise CWspriag in tbe abseaee of a template to iDfmm the. ~s collection and~
a point~ byeutside exports. While the,Conmiunity basi~
mitiAWves to study radicalization overseas. its <:flbrts to understand homegrowa, ra6:aliDtion are more nascent.

Developing a. grasp. of the iSsue may.~.., types ofex:pertiseand ~.~the Community. as the Un.i=d .s.t;es piOVides a.~
aotf.'~cavironmeut for ~iDtion. It will also requite.ll robust understanding o( and~
ft>r. ~~and liberties. "(C'INF)
Seeoud, we agree witA tllie ~-ctm8Ulied who recomnteBded that the Community.$hatpcn itsfeeus on reeruiters'and~~ how~~
mdicalize(tbttJugh gtOups, in prisons, aD tbC\'IDtemet). :and

howtiley'~a'~~~to~Opemtional. Assame.amftyst5pointedoattt>~"Sdf"
!1ldicalization maybe a misnOmer.~- AbdlUtm:rtaUab ~
~
byradit:als-Aulraqi"inbeth
cases. but to differing exn:ms-e.nd:by the IntCmet..wbich will ptqan ~role
mradi~'<Ol.ae
future.

- The Community also must cleve1op methods: for detectmg~lized individuals or "lone wolve$'" who may
not have attended tefrorist trammg camps t>r Dlay be ~Outside the di1ect comtDaDd and eontroi' of
organized groups. The Community,~ faces a signals-to-noise chellenge with such individuals
overseas, and must find ways tO~
such indMduals inside the United States while respecting civil
rights andlibcrtiC$-t!lld ~-eDiiSting the support of'loeaJ COJDBtU11it:ies. ~
Third, the lessonS leatadtrotn ~damdWal~ andsel~efUS~
Hasan-shotildbe ~-~into~
and US Govemmtmt persoDIJCII<:potieies, which are typieal)y ~To~'~state-~spying.

- When government employees are involved. bri1lging co~
pl!Ofessionals into the investigative
process early can signifiamtly inorease the probabitity ofdemcting at-risk individuals."
- As in other counterintelligcmee cases (Ames, Hanssen).. the Hasan episode underscores the importance of
documenting and maintaining in an individual's permanent record"all relevant information about his or her
performance. 1o5 {1/Nf)
Finally, we believe it is vital to properly align orgaaizational responsibilities rolated to radicalization with each agency's strengths and authorities. Ncrc. FBI, and DHS must play their respective parts in close collaboration with one another. FBI's unique stnmgtbs include robust legal authorities and direct experience investigating domestic and intemationalterrorism inside the United States; those ofNCTC include a.aalyzing radicalization. bridging the foreign/domestic divilk; and aceessing intelligence ftom across the Commuu.ity.

DHS is uniquely positioned to focus on aualysis zelevant to~
vulnmabitities and domestic protective measures; aggregating data uniquely available to DHS for use by the counterterrorism community;
and working with state, local, trihal, and private-sector customers. We recommend that the Community reassess its assignment of radicalizatmn..~ ~
amoag these key orga:aimtions to ensure that they are bringing to bear their Ullique stlcDgtbs and authorities onlhis critical issue. (S{/Nf)

## Blue Sky Ideas (U)

The foregoing recommendations cover much of what the panel was asked to address. We have focused on recommendations that, wbile difficult. are still achievable within an individual agency or with DNI
lead authority. Consistent with the third task assigned to the Review Panel, we offer several additional "blue sky" recommendations-ideas that we have not seen surfaced by other review groups and that would entail more radical changes. These ideas are deliberately provocative, and more disruptive to personnel resources and organizational structures, requiring more study before attempting.

- A Manhattan Project for *information* techn~~Jogy
and *sharing.* To break the gridlock and the everelusive search for the perfect IT architecture, we propose the chief information officers from the key intelligence agencies-along with their budgetsbe pulled together into one unit with the goal of implementing a common infrastucture across the Intelligence Community. The Commmtity has been wrestling with data-sharing adjustments for years with scant progress.

one way to lev1~re

| (b     |
|--------|
| (b)(3) |
| CIA    |

strengths of CTC and NCfC while reducing redundancy. A matrixed group can consist of analysts from CIA, NCfC, DIA, FBI, and NSA, who sit side-by-side with collectors and operators from the NCS, DoD, and NGA, all worlcing under a This model works best targeting specific issues involving a blmry line between domestic and foreign components and where there are relatively few analysts in relation to the workload. Using the matrix model also reduces redundancies related to dual publications, representation at interagency meetings, and responses to taskings.

j(b )(?)(E)

- ~the
e;xpertise of INR *antli)HS/I&A.* In
our discussions of the Intelligence CQmmunity' s
counterterrorism efforts, we heard only few
refemtees to the State Department's Bunlall of
Intelligence and Research and DHS's Office of
Intelligence and Analysis as key playem. An
institutional division of labor, in whi-. INR. and
DHSII&A have lead responsibility on some regil)D
or aspect of terrorism. could tap their expertise and
increase efficiency in the Intelligence Community.
DHSII&A, for example, is uniquely positioned to
assess US vulnerabilities-infrastructure,
telecommunications and energy grids, and
information-sharing gaps between national and
local law enforcement.
- ExpmuJ the Intelligence Community's role in the
visa is~t~tmce *proce8$.* DHS could play~
esgecially important role in the visa issuance
process. Prev'enting terrorists from entering the us
ho~
is a top national security C0l1tem, so it
makes little sense to place the visa issUaDoe process in the bands only offoreign service oflit;em. This responsibility should belong in the homeland security apparatus. If the suggestion is too burdensome for DHS, then consideration ought to be given to ensuring that all visa issuances reqUire Community concurrence or are passed~ the Community for ex.amination.

- Bllildaco~
*"~'hace
Cmtml. " Identity information is currently pocketed across the Intelligence Cotnmunjty in various databases, meaning ll() ooe QftieeE in any agency can successfully access it. To remedy this, create a single unit, staffed by coontedeuerism
~s,from thro~ut the ~ty cleared for access to an relevant SOlli'CCS, responsible for countertefrorlsm-related name traces. Names traces would be conducted against holdings of all intelligence and law enforcement databases.

(S/tm)

## Expert Perspectives: The View From "Insiders" And "'Utsiders" (U)

We convened two expert roundtable sessions, one internal and ~ne external, to stimulate our tbinlcing about the Intelligence Community's postme to address issues beyond those surfaced during our review. The internal group of experts focused on threats that could sutprise the Commumty and threats ofwhich it is cognizant but not prepared to address.

Among their key concerns were:

-

## (B)( 1)

pane~s thiltking by driving hoe several key points.

AIIWng the111:
We asked the external group to address how the terrorist threat to the United States is changing; what terrorists could do to surprise the Intelligence Community or elude US colDltermeasures; what more the United States could do to protect itself; and to identify aspects of the terrorist problem that the United States is not focusing on, but should
(U/~~
Those experts emphasized the following issues:

- The terrorist threat is heterogeneous-there is no
longer a single "they," if there ever was;
- There are inherent difficulties in obtaining the key,
plot-"specific information that would allow the Intelligence Comomnity to pull a thread that would Ul100Ver a plot. As a result, the Community will not always succeed-a terrorist will eventually get through US defenses;

- Tradeoffs must be made-within and outside the
Community-that have real consequences, such as
those between civil liberties and increasmg the
number of people on watchlists;
- Ahnost ~foreign threat to the homeland that
the United States has thwartedwas uncovered
because of foreign travel or communication; we are
too dependent on these and need to develop and
refine new detection strategies;
- The Intelligence Community shoUld focus more on
the key people and networks that enable disaffected
individuals such as Hasan or Abdulmuta.llab to
become operational, i.e., Aulaqi-like figures that
inspire, enable, or recruit;
- The Community requires a well-developed model
of~ tadiclllization process fi'om which it can
ded\.te.~.~individuaJ.s~ity to
adoptevrhlent~ We have Jl-e~'tlte
for~~~'tllt-~ We d'onot
bave one fur thehoD1eland. (U/JFOUO)
To siiiiUITize, these two gTOIIJIS adtkd to the

- The increasing rugeney of homelllnd-reltded
threats--and the need for a more sustrdned, crossagency focus on this set of issues.
- The increasing heterogeneity of the terrorist
phenomenon, and therefore the growing clulllenge
of detectiQn and disruption.
- The fragility of many ofthe collection techniques
that help account for the Community's success so
far.
- The lilcelihood that terrorists will continue to
behave in "learning" nrode-ad}IISting their
methods of operation, whethu successful or not,
in response to what they see us doing. (SfiNF)

## Some Closing Thoughts (U)

Constancy of support for the Intelligence Community is *crucial.* Intelligence stands apart from politics, but policy toward intelligence is formulated in a political environment We cannot emphasize enough that the pendulum swings and ebbing and flowing of support is an obstacle to mission performance. NCTC, for example, was slated to lose roughly 35 positions prior to 25 December. The post-Christmas reaction to Flight 253 has caused watchlisting nominations to skyrocket; warning has become so common that the Community risks creating its own signals-to-noise problem. We have seen the same pendulum swings on the collection side, where agencies---acutely aware of controversies since 9/11-have erred on the side of caution, sometimes unnecessarily, slowing the dissemination of valuable intelligence. The Community's Congressional overseers have a vital role to play in helping to stabilize counterterrorism policies and keep them on a steady course. (U)
While we have limited our review to the Intelligence Community, we come away convinced that strengthening the United States' ability to prevent the next Fort Hood or 25 December-like attempt requires focusing on more than just the Intelligence Community: law enforcement, airport security, the policy community, foreign. partners, and even the private sector need to address the systemic issues that made the Fort Hood and 25 December incidents possible. At the risk of falling back on a cliche, we are reminded of the axiom that a chain is only as strong as its weakest link. Improved collection will not matter without sound analysis. Sound analysis will not matter without a robust watchlisting system.

A robnst watchlisting system will not matter without effective airport screening technology. Better screening technology will not matter without skilled screeners. There are multiple variations one could make on this chain of events, such as the vital role of foreign screeners at airports abroad-but all would reinforce the same point: the Intelligence Community is only one of several layers ofhomeland defense.

(U)
To fmally defeat terrorism requires at least three things: destroying the leadership, denying it safehaven, and changing the myriad conditions that give rise to the phenomenon. The Intelligence Community can carry much of the burden on the first two-but very little on *the third.* (U)

## Appendix A Consolidated List Of Intelligence Community Review Panel Recommendations (U) Build Internal Processes That Help Find Terrorists In The Data (U)

All agencies should .

- Disseminate counterterrorism reporting promptly. - Update, standardize, and simplifY their dissemination lists and codes on a regular basis.
- Search for terrorist identities against all of their available data holdings.
- Use technology such as "fuzzy logic" for name variants and incorporate "discoverability" that advises when
there is relevant information in another location.
- Train officers performing identity searches to look for partial names, along with salient points such as the
person's location, affiliations, passport numbers, schooling, or travel--details that can further narrow the
search and identifY an individual:fS/~
The DNI should .

- ClarifY the criteria and threshold for watchlisting. The Community needs a single set of transparent
guidelines that enables analysts to determine whether and when they may nominate a suspected terrorist. We
caution against criteria that become too specific and caveat-laden.
- Establish greater clarity on watchlisting roles and responsibilities. Delineate roles that play to each agency's
particular strengths and authorities, and make clear that the nominating agency should see a nomination
through from start to finish.
- Streamline watchlisting efforts and redirect the resulting savings. Reduce the duplication resulting from
multiple agencies processing nominations and redirect the resources toward other pressing duties such as
records enhancement. IT improvements can help simplifY this process.
- Ensure analysts use TIDE as a primary repository of intelligence rather than as a step in the watchlisting
process. The Community appears to be missing an opportunity to populate TIDE with fragmentary
intelligence to build, identify, and shape dossiers on suspected terrorists. NCTC should lead a Community-
wide training program to help agencies understand the pmpose of TIDE, its holdings, and criteaa for entry into TIDE.

- Institute a Community-wide training program. to ensure a common and transparent understanding of the
watchlisting process. If TSC remains the final voice in the No Fly/Selectee decision, it should lead ~h a
training effort, so that its standards are clear to all nominators ~Sl!blE)
We also emklrse

- SSCI's recommendation that TIDE administrators accept nominations based on partial names. Terrorists
rarely use full, true names in their clandestine communications.
- The White House's recommendation that NCfC develop a records-enhancement capability to build, locate,
and track derogatory information on all individuals in TIDE: (S/INF)

## Develop Information Technology That Helps Separate Signals From Noise (U)

In tlu! near term, all agencies should

- Greatly increase online documentation related to datasets to show what data are available, how to get access,
who has access, and to provide tips from experienced users.
- Enable authorized users to access and use all-source data and applications from any workplace and at any
time, except when reasonably prohibited by security concerns. The 25 December incident highlighted that
officers in the field sometimes are best positioned to separate signal from noise.
- Ensure that search capabilities default to the use of fuzzy logic. This would include the automatic
incorporation of variant spellings and renderings of foreign names.
- Embed IT specialists in fast-moving analytic and operational groups to handle simp~ support requests
immediately. The Community should not continue to allow mundane IT problems to interfere with its
mission.iCh'J'Wj
In tlte midterm, all agencies should .

- Augment current search capabilities with user-controlled alerting services that flag incoming traffic. and
automatically correlate it with existing reporting.
- Enable officers to see who else has looked at a given intelligence report and to el~nically attach informal
insights and view comments by others. Such a capability may have enabled bro&der discussion among
officers interested in a Nigerian affiliated with AQAP or in Hasan and Aulaqi.
l<b)(?)(E) I

- Embed developers with users to provide continual improvements to mission applications and give developers
a better understanding of end-users' requirements.
- Incorporate application programming interfaces (APis) into all existing programs so that they can be
accessed, as appropriate, through other programs. This would. policy permitting, enable officers to access
multiple databases, across multiple networks, through a single software interface.
- Incorporate into new and existing programs the capability
In the long term, the DNI should

- Enable a federated and cross-domain ~hacross all of the Comnnmity's holdings. Developers would
place a thin layer over existing databases that would provide users a single point of entry to query each
database they are authorized to access.
- Establish the virtual equivalent ofthe Community identification badge: a common way of identifYing
individuals and their access pennissions together with tagging of the data to descdbe the rights needed to
access it. This is a key step toward building a shared network: and common approach to sharing data and
toward enabling authorized intelligence officers to access and use any data, anytime, from any workplace,
with any tool, except as prohibited by policy.
- Build computing clouds and data centers as the basis for the Intelligence Community's information
technology infrastructure. As the Conummity moves toward the cloud, it will need to adopt-at the
Community level-hardware, operating systems, and networks. All new systems should be expected to use
this common base.
- Adhere to fow- key methodological principles-invest in computing capacity ahead of need; embed
developers with users; adopt a modular approach based on separation of applications, data, and
infrastructure; and experiment-when implementing any changes to the Community's information
technology. (See Appendix C.) (S-/INF)
We endorse

- The I2 Cloud Pilot, which will facilitate entetprise data processing and storage and is critical to modernizing
the Community's use of information technologies.
-
- The joint effort of various agencies, working through their chief information officers, to buildtoward a
common IT infrastructure and identifY common data services, such as those for collaboration, access,
discovery, audit, processing, and storage.

## Close The Structural Seams In The Counterterrorism Mission (U)

The DNI should

- Dramatically increase the focus on threats to the homeland While all agencies should focus on threats to the
homeland as their greatest priority, one organizAtion needs to have sole responsibility for tracking, warning,
and coordinating the Community's response to all threats with the potential to reach US soil We think
NCTC is a natural fit for this role. (U)
NCTC's Pursuit Group should ..

- Focus primarily on threats with the potential to reach the homeland, avoiding the natural temptation to fall
back into the traditional, more familiar terrain of focusing mainly on threats overseas.
- Coordinate and deconflict its pursuit of targets with other Community components so that multiple units are
not duplicating the efforts of one another.
- Emphasize areas where the Intelligence Community has limited or emerging coverage.
- Measure success as tapping the full range of US government capabilities to identifY and disrupt plots-not
by tracking traditional metrics such as production of finished intelligence. '(/fN*1
CIA and NCTC should

- Increase the number and frequency of personnel rotations between CTC and NCTC-not just among line
analysts, but among senior managers, as well. These should be mandatory and take place with regular
periodicity.
- Institute, for all officers, explicit individual performance objectives.geared towardjointness and
collaboration with the other organization. (U)
All agencies should

- Encourage rotations and embed their officers in other agencies to improve seamlessness operations
throughout the counterterrorism community. (U)
We endorse

- The DNI's directive on 7 April to formally assign responsibility for the counterterrorism mission, which
embodies many of the views we have expressed in the course of our review. In the end, it must fall to
leadership and management to marshal the talents of their people and the mandates of their organizations in
ways that are mutually reinforcing and that close whatever gaps open up in our COWlterterrorism coverage.
- The West-Clark panel's recommendations that seek to increase collaboration between FBI and DoD and
between FBI and the counterintelligence community. (S//NP)
We do not endorse

- Structural changes suggested by other groups that do not address the root causes of the tension between
organizations and may actually complicate the relationship. These include ODNI's recommendation that
NCTC lead the PDB planning process on counterterrorism-related stories. We think that exercising current
authorities could achieve the same goal-integrated analytic coverage-with less disruption and bureaucratic
layering.
- Any division of labor that divides counterterrorism responsibilities exclusively along "tactical" and
"strategic" lines. Terrorist organizations do not function that way, nor do analysis and collection. (SffNF)

## Clearing Tbe Way For Properly Sharing Us Person Information (U)

The DNI should worlc with the Deptutment of Justice to ...

- Simplify, harmonize, update, and modify the Community's procedures relating to US Persons.
- Establish a Community-wide, interdisciplinary process for developing guidance and training related to US
Persons authorities and procedures and for determining whether new authorities may be needed on emerging
issues, such as radicalization, new technological developments, and new forms of terrorist communication.
The goal would be to provide clarity and confidence to operators and analysts so that they know how
conduct their missions in a way that properly protects privacy and legal interests.
- Institute standardized, continual Community-wide training and guidance on handling US Persons issues. It
is especially important that this training and guidance focus on worlcing-level analysts and collectors who are
most directly affected by US Persons considerations. (StiNE)
The DNJ should work with the Ccnnmunity to

- Accelerate the Intelligence Community's efforts to understand homegrown radicalixAtion. This is among the
areas from which intelligence surprise could spring in the absence of a template to inform the Community's
collection and analysis.
- Slwpen the Community's focus on recruiters and enablers, how disaffected individuals radicalize, and how
they influence an individual's efforts to become operational.
- Develop methods for aetecting radicalized individuals or "lone wolves" who may not have attended terrorist
training camps or may be operating outside the direct command and control of organized groups.
- Incorporate into counterintelligence and US Government personnel policies-which are typically designed to
detect traditional state-versus-state spying-the lessons learned from studying the radicalization and selfradicalization of US Persons, such as Hasan. (Sifl~
AU agencies should

- Engage key liaison partners to review procedures and develop plans to ensure collection in a way that is
consistent with protections for US Persons. (G1/Nf)

## We Endorse

- SSCrs recommendation that NSA should actively engage key liaison partners to develop plans to ensure
collection in a way that is consistent with any protections for US Persons. (1/N.lY-

## Appendixb Successes: Creating New Challenges For Tbe Intelligence Community (U)

In the comse of our work, we came acress many examples of intelligence success OCC1nTing contemporaneously with the two events we assess-in collection, sharing, analysis, integration, technology, and innovation. Examples include:

- The counterterrorism community was disrupting
plots at home while putting unprecedented
pressure on al-Qa'ida abroad.
- The Intelligence Community bad collected key
intelligence in both incidents. We also found
that the Community is sharing infonnation
broadly. Indeed, despite concerns about sharing
sensitive data. sevexal closely held databases are
available to counterterrorism analysts at NCTC.
More work remains to be done-such as
implementing the "discovery" principles
embodied in Intelligence Community Directive
501. These accomplishments in collection,
sharing, and access created opportunities for key
analysts to bring together the critical pieces of
intelligence in each case.
- In the Hasan case, the San Diego JITF
recognized the significance of two e-mail
communications out of many others-they
picked a signal out from the noise--and engaged
in an individualized analysis following retrieval
of available DoD records. In the Flight 253 case,
analysts provided strategic warning about the
threat AQAP posed to the homeland, as well as
about the type of explosive used by
Abdulmutallab.
- There are promising IT tools and data
repositories at various-ncies
that have wide-
ranging capabilities.

(b )(1)
(b)(3)
CIA
At least ooe of these is deployed at NCTC and works across multiple datasets using a common access control standard. Moreover, the ODNI's U Pilot models aspects of these capabilities and demonstrates several of the qualities we describe in our recommendations.

- As exemplified by this study and by similar
efforts undertaken by others, the Intelligence
Community is a learning organization that is
unafraid to look at itself with a self-critical eye,
and to take corrective actions. Reviews of this
type should, we believe, be a routine part of
intelligence work, particularly when surprises
occur. The Community must remember that as it
learns from the past, so too, do the terrorists.
iSI.mJ
While the Community should reward-and learn from-these successes, it must also recognize that these successes create new challenges for the Community. Collection successes can increase the amount of data to be reviewed by analysts, as can increased information sharing, leading to more
"noise" in the system. Moreover, sustained success against existing terrorist groups-attacking their safe havens, leadership structures, known operational methods--can lead counterterrorism elements to redouble efforts on successful strategies, constraining resources and time devoted to new threats. From an IT perspective, analysts who have experienced success using familiar tools may be reluctant to adopt new ones. And successful technology within one agency must now be rapidly shared across the Community-it is not enough to have "pockets of excellence." (U)

## Appendixc Methodological Recommendations For Information Technology (U)

We recommend that any Intelligence Community efforts to improve its information technology capabilities adhere to the following four methodological tenets. (U)
First, invest in computing capacity ahead of need The Intelligence Community needs an environment to experiment and pilot innovations using real data, without ~rificing current capabilities. We judge the opportunity cost of not investing in capacity greatly outweighs the direct cost. The panel encountered ageneral belief that computing is expensive. It is not-particularly when examined through the risk management optic of the costs associated with a successful terrorist attack in the United States. (U)
Second, embed developers to enable continuous improvements to *applicatiom.* The most successful developments result from a loop where competent developers get continuous feedback from users and frequently improve the system.

This also provides informed input for improvements to the ''back-end" systems, which process the data before the users sublnit a query.

The usual approach of building systems using contracts with up-front requirements has a mediocre record-intelligence officers do not know what is technologically feasible and the technologists lack exposure to the work practices and problem sets that would enable them to offer up innovative solutions. (U)
Third, adopt a modular approach based on separating applications, data, and infrastructure.

The Intelligence Community's fragmented approach to IT has enabled. each fiefdom to build end-to-end systems without reference to any common elements--i.e., infrastructure, such as access control or filing applications. This is antithetical to implementing one unit's innovation throughout the enterprise.

- Instead, applications and services should be built
on top of common components such as user
identification, authentication, and access control,
or widgets for froat-ends.
- The Intelligence Community nmst separate data,
security. and other basic services from analytic
tools and frombackend processing tQ enable
sharing of innovation within and between
Community elements. (U)
Fourth, experiment, and enable experiments with both technology and *policy.* Getting to common infrastructure services requires making decisions among plausible alternatives. One approach is to pick alternatives and try them. In short, the Community needs to be able to test, toss out, and deploy new capabilities and policies at a pace far closer to that of the private sector. This would be one of the greateSt benefits of investing now to expand raw computing power.

- This is consistent with the goals of the I2 Cloud
Pilo~ which will facilitate enterprise data
processing and storage.
- In general, innovation needs experimentation,
and improvements in handling large amounts of
data need flexible computing resources for
experimenting and evaluating.
- Pilots and experimentation ought to be applied to
palicies as well, enabling exploration of the
unintended consequences of introducing both
new policies and technologies. (U)
AppeadixD Analytic Responsibilltles for Counterterrorism Aaalysis (U)
MEMORANDUMFOR:
EXCOM
SUBJECT: (U) Analytic Responsibilities for Counterterrorism Analysis in the U.S. IDtelligence Community REFERENCE: DNI Approved Lanes in the Road: Guiding Principles and Terms of Reference for Counterterrorism Analysis, I 5 March 2006
(U/IFOU~ Background and **purpose:** Multiple organizations in the US IC have responsibilities for a wide range of counterterrorism analysis, including strategic assessments, tactical pursuit of leads, targeting analysis for direct support to operations., and warning of tactical and strategic terrorism threats and trends. The analysis and published products of these organizations sometimes overlap. This redundancy is appropriate for important subjects, but without direetion it can lead to gaps in coverage at key points. This memorandum establishes the responsibilities and accountability of leaders of major organizations with counterterrorism analytic missions. Leaders of those organizations identified in this memo are accountable for the performance of the missions below.

## (U/Jfoy~ Definitions:

a.

Strategic analysis and warning: General descriptions of terrorist organi.zatioDS, including leadership, capabilities, intentions, and relationships. Analysis of emerging or changing terrorist.

movements, capabilities, and trends. Warning to the operational departments and agencies of the standing threats these organizations pose to American interests at home and abroad.

b. Tactical warning: Notification to the appropriate operational departments and agencies that planning of a terrorist plot is underway. To the extent possible. this warning should identify which organization is planning the attack, what the range of targets might be, and give as precise timeline as is possible given the available reporting. Tactical warning will J8I'Cly be specific but should be more than a recitation of general intent, and will include both available details and assessment.

c. Pursuit: Following tactical warning, analytic and analysis.:.driven insight and tasking for followon collection to establish the underlying basis and provide additional information useful to thwarting the plot.

(U/f.FOUO) **ResponsibHities:** Each organization within the IC with a significant counterterrorism analytic effort is expected to work seamlessly with its counterparts. drawing on the specific strengths and advantages of partners, but is also expected to place particular emphasis on those missions they are uniquely positioned to conduct. Those unique strengths include NCTC's ability to span domestic and foreign developments and its broad information accesses. CIA/OTA's collocation with the operational elements of CIA and HUMINT expertise, FBI's domestic authorities and accesses, DIA 's integrated support to DoD decision makers and deployed forces for offensive and defensive operations, DHS's responsibilities to support state and local organizations, NSA's SIGINT and NGA's geospatial analytical expertise are all key contributors to strategic and tactical warning. All analytical organizations will contribute to the full range of terrorism analysis, but the assignments below ensure that prinmy responsibilities are identified.


(U) The following responsibUities for analysis are specifically assigned:

## ! Sj/Nf) Nctc

-
Responsible for strategic analysis and tactical warning of the full range of terrorist organizations with an
overseas nexus, with a special focus on homeland threat.
-
Responsible for tracking all tactical warnings issued by the IC, and for ensuring that one analytical
organization is assigned primary responsibility for pursuit of each warning until action is completed or the
warning is cancelled.
-
Responsible for conducting pursuit of specitic~ ~-

## Fs#Nf) Cia

-
Responsible for strategic analysis and tactical warning of the full range of overseas terrorist organizations
with a particular emphasis on supporting departmental covert action and other overseas counterterrorism
operations.
0

-
Responsible for targeting and pursuit activities capitalizing on its unique HUMINT- and HUMINT-
derived collection access, in full collaboration with NCTC's pursuit effort and as coordinated by NCTC.

## (S/&!Bdia

-
Responsible for strategic analysis and tactical warning to support DoD principals and deployed units, with
a focus on threats to DoD forces, installation. and personnel worldwide and support to DoD operations.
-
Responsible for pursuit activities to enable tactical warning of plots against military forces, as coordinated
byNCTC.
must coordinate operations with NCfC. Rather, it refers to NCTC's mandate to ensure that one analytical organization is assigned primary responsibility for pursuit of each warning until action is completed or the warning is cancelled. (U)

## Fs/Fnf) Fbi

-
Responsible for strategic analysis and tactical warning of terrorist activities with a domestic nexus and
homegrown and domestic extremism, and supporting FBI operational activities.
-
Responsible for pursuit activities with a domestic nexus, as coordinated by NCTC.

## (S#Nf)Dhs

-
Responsible for strategic analysis and tactical warning of terrorist activities with a domestic nexus, and
homegrown and domestic extremism, and for analysis relevant to infrastructure protection, domestic
protective measures, and support to state and local, tribal, and private sector entities.

## (8/Inf) Nsa - (B)( 1 ) (B)(3) Nsa Fsiinanga

-
Responsible for supporting all overseas (and, as appropriate, domestic) terrorism analysis and operations
with all available Geospatial Intelligence.
Dennis C. Blair, signed 7 April2010

## Appendhe White House Directives For Corrective Actions (U)

This appendix lists corrective actions compiled from two key memoranda issued by the White House:

- Attempted Terrorist Attack on December 25, 2009: Intelligence, Screening, and Watchlisting System
Corrective Actions, 7 January 2010
- Inventory of Files Related to Fort Hood *Shooting,* 26 January 2010 (U)

## Directives Regardibg The Attempted Bombing Ofnw 253 (U)

Department of State Review visa issuance and revocation criteria and processes, with special emphasis on counterterrorism concerns; detennine bow technology enhancements can facilitate and strengthen visa-related busifless processes. (U)
Department of Homelond Security Aggressively pursue enhanced screening teclmology, protocols, and procedures, especially in regar4 to aviation and other transportation sectors, consistent with privacy rights and civil liberties; strengthen international partnerships and coordination on aviation security issues. (U)
Develop recommendations on long-term law enforeement requirements for aviation security in coordination with the Department of Jastice. (U)
Director of Nfllionallntelligence Immediately reaffirm and clarify roles and responsibilities of the counterterrorism analytic components of the Intelligence Community in synchronizing, correlating, and analyzing .all somces of intelligence related to terrorism. (U)
Accelerate information technology enhancements, to include knowledge disc{)very, database integration, crossdatabase searches, and the ability to correlate biographic infonnation with terrorism-related intelligence. (U)
Take further steps to enhance the rigor and raise the standard of tradecraft of intelligence analysis, especially analysis designed to uncover and prevent terrorist plots. (U)
Ensure resources are properly aligned with issues highlighted in strategic warning analysis. (U)
CentrtlllnteiiJgence Agency Issue guidance aimed at ensuring the timely distribution of intelligence reports. (U)
Strengthen procedures related to how watchlisting information is entered. reviewed, searched, analyzed, and acted upon. (U)
Federal Bureau of lnvestiglltion/Terrorist Screening Center Conduct a thorough review of Terrorist Screening Database holdings and ascertain current visa status of all
"known and suspected terrorists," beginning with the No Fly list. (U)
Develop recommendations on whether adjustments are needed to the watchlisting Nominations Guidance, including bi.bgrapbic and derogatory criteria for inclusion in the Terrorist Identities Datamart Environment and Terrorist Screening Database, as well as the subset Selectee and No Fly lists. (U)
Natiotud Coullterlerrorism Center Establish and resource appropriately a process to prioritize and to pursue thoroughly and exhaustively terrorism threat threads, to include the identification of appropriate follow-up action by the intelligence, law enforcement, and homeland security communities. (U)
Establish a dedicated capability responsible for enhancing record infonnation on possible terrorists in the Terrorist Identities Datamart Environment for watchlisting purposes. (U)
Natiotud Security Agency Develop and being implementation of a training course to enhance analysts' awareness ofwatchlisting processes and procedures in partnership with National Counterterrorism Center and the Terrorist Screening Center. (U)
Natlollll Security Staff Initiate an interagency policy process to review the systemic failures leading to the attempted terror attack on December 25, 2009, in order to rnalre needed policy adjustments and to clarify roles and responsibilities within the counterterrorism community. (U)
Initiate an interagency review of the watchlisting process, including business processes, procedures, and criteria for watchlisting, and the interoperability and sufficiency of supporting information technology systems.

(U)

## Direetives Regarding Tile Shootiags At Fort Hood (U)

Federal Blll't!au of Investigation and Depanment of Defense Institute refined information sharing procedures to ensure that FBI-developed. counterterrorism mvestigations or assessments involving military members, DoD civilian personnel. or others known to have access to military installations are provided to the Defense Intelligence Agency's Defense Counterintelligence and HUMINT Center in Washington; DC. (U)
Initiate a single new agreement to subsume and update the separate Memoranda of Understanding governing information sharing between DoD and the FBI. (U)
Deptlrtment of Defense Survey all DoD detailees serving in FBI JTfFs to determine their awarenessof, training for, and aecess to relevant FBI FISA-related databases. (U)
Review policies and procedures concerning assignment of detailees to FBI organizations., to include professional qualifications and placement, in relation to DoD and FBI needs. (U)
Fedend Bure~~u oflnveatigalion Develop a policy requiring communications between persons known to be in law enforcement, DoD personnel, and individuals holding security clearances and certain designated agents of foreign powers to be evaluated at the FBI Headquarters level to determine whether such information constitutes foreign intelligence that canrand-,"'7---==:-:----, shouldbedisseminatedtotheemployerofthecommunicant (U)
ote: per FBI, paragraphs are classified RET

## (B)( 1) (B)(3) (B)(7)(E) Fbi

Enhance training of the FBI workforce to ensure that: (I), all and al d
!, II
:_
t U
I
I
J
ioj.,;. .t:
I t t -
! fi~"'J~ ~! I C and can apply the policy
" d (2) all agents and analysts on task forces, particularly those on detail from other agencies, understand and, if appropriate, have access to all FBI databases that contain data needed to successfully accomplish their assigned mission.~

## (B)( 1) (B)(3) (B )(7)(E) Fbi

Director of National Intelligence Lead an interagency review of information systems in the Intelligence Community to ensure that they provide adequate community-wide access to optimize information sharing. (U)
Lead an intemgency evaluation of whether expertise and training pertaining to dissemination of intelligence is sufficient across the Intelligence Community. (U)

## Fort Hood: Additional Reviews Ordered (U)

Department of Defense Drawing upon the lessons learned from this study, as well as the recently completed review by former Army Secretary Togo West and former Admiral Vernon Clark, assess and determine whether additional revisions to policies and regulations governing the identification and reporting of suspicious behavior are appropriate. (U)
Natiollll Collllterterrorism Center Lead an interagency review of the FBI's recommendation to designate center intelligence collection platforms as .. strategic" to trigger additional levels of review, including by other agencies such as the National Security Agency and the Central Intelligence Agency. In the course of this review, NCTC and FBI acknowledged that further discussions would be required to determine how this should be done, and the President requests that these discussions commence as soon as possible. (U)
Lead an interagency review ofFBI's recommendation to ensure that all agents and analysts conducting counterterrorism investigations are sensitive to the signs that a person is, or may be, using the Internet to become self-radicalized. The President believes additional study is required to identify the potential signs of violent radicalization before training prograzm are designed and implemented pursuant to this recommendation. This review should also look at whether other government agencies, outside of the IC and law enforcement, could benefit from such training if it can be developed. (U)
Director of Nfltiollllnte/ligence Conduct a broader study of the approach by the IC to analyze and exploit FISA-derived information to identify any impediments or gaps in the current approach. assess the appropriateness of resource allocations~ and propose any necessary solntions to ensure the t:nOSt clfective analysis of that information. Where we operate under a "division oflabot" approach in reviewing. analyzing, and exploiting raw FISA-derived information that is lawfully shared with more than one agency 1.JD,der existing '!lrt orders, we must ensure that the dissemination standards used' by those agencies are appropriately tailOred to meet the needs of others. .

Therefore, the dissemination policies of agencies responsible for analyzing raw FISA inf'Ormlttion shotild also be reviewed to ensure that they adequately serve the needs of other components of the IC and the US
Government (U)

## Appendixf Tke Community Response To The Fort Hood And Nw 253 Incidents (U)

The Community responded quicldy to .both incidents. Our general impression is that the Community has taken seriously the need to learn lessons from these incidents, and to institute significant corrections, although we did note that perspectives and approaches varied across the Conmnmity.P Although further actions are needed, as outlined in our recommendations, the Community does have important steps underway. Some of these corrective measures include:

- Clarification, Realignment, and Deconjlictwn of Counterterrorism Roles and *Responsibilities.* The DNI bas
reassigned analytic counterterrorism responsibilities, which, as we discuss elsewhere, is an important step
forward. He also established and hosts biweekly counterterrorism meetings among the top leaders ofDHS,
CIA. FBI, NCTC and NSA to ensure proper' alignment of counterterrorism resources. We suggest further
steps in our recommendations.
- The Pursuit *Group.* NCTC bas established the "Pursuit Group" to pursue terrorism threat threads and
identify appropriate follow-up action by the intelligence, law enforcement, and homeland security
communities. This is a promising initiative.
- NCTC, TIDE and *Watchlisting.* NCTC bas surged resources to address data and systems issues with TIDE
and NCTC watchlisting support, including creating a record enhancement capability for TIDE records,
increasing the pace of watchlisting nominations, and implementing technical enhancements. Moreover, the
Community bas worked with TSC to revise watchlisting protocols. We make additional recommendations
for TIDE and watchlisting.
- Information Technology and *Data.* Near-term enhancements and integration initiatives have been proposed
that will address significant tactical needs. The 12 pilot will also till important gaps we have identified.
More work needs to be done, as outlined by our IT recommendations.
- *US Persons Issues.* The ODNI is leading an effort to identify and address issues relating to treatment of
information about US Persons, and will consult with the Department of Justice. We discuss these issues in
our recommendations.
- Information Sharing and !CD *501.* The ODNI is in the initial phases of implementing lCD 50 I to accelerate
information sharing within the Intelligence Community. Much work lies ahead on this important initiative.
P We were not able to conduct detailed assessments-we bad difficulty collating infonnation across agencies, and the information we collected Showed that measures were evolving during our review, were in planning stages, or called for future work. (U)

- *Radicalization.* NCTC, FBI, and DHS are at various stages of addressing different aspects of
.. radicalization," focusing on homegrown violent extremism (in its nascent stages).
- *Agency-Specific Actions.* Agencies have implemented various measures to address problems they identified. (b )(3)
~
note: per FBI, this paragraph is classified SECRET
TOP SECRET//UCS/S~ONJNeFORNJIIII j(b)(?)(E) I

Defense Criminal Investigative Service
Department of Homeland Security
DHS Office of Intelligence and Analysis
Defense Intelligence Agency

DCIS
DHS DHS/IA
DIA DoD
DoJ
DSD
DWS
EC
FAA
FBI
FISA
GCHQ
HUMINT
ICRP
ITR
INR
IT
JTIF
NCIS
NCS
NCTC
NGA
N1E
NSA
NW253
OTA

~t
of Justice
Australia Defence Signals Directorate
FBI Data Warehouse System
FBI Electronic Communication
Federal Aviation Administration
Federal Bureau of Investigation
Foreign Intelligence Surveillance Act
UK Government Communications Headquarters
Human Intelligence
Intelligence Community Review Panel
Intelligence Information Report
Department of State Bureau of Intelligence and Research
Information Technology
Joint Terrorism Task Force
Naval Criminal Investigative Service
National Clandestine Service
National Counterterrorism Center
National Geospatial Intelligence Agency
National Intelligence Estimate
National Security Agency
Northwest Airlines Flight 253
CIA Office of Terrorism Analysis
President's Daily Briefing

# (B )(7)(E)

FBI Terrorist Screening Center United Arab Emirates United Kingdom United States FBI Washington Field Office (U)
1 Rob Margetta, "Former 9/11 Commissiotren;:,.Qbatha Mu5t Back DNI," CQ.com, 26 Januacy201:(). "(u) ',
2 Consistent with the mandate of the RevieW Palrel~ we do not focus our roriclusions and, rero:mmendati011s on specific individuals. For that reason, we use the , pronoun "he" throu~out the report. ~avoid;si'Qgf~g out specific individuals, and do not name itic
officers who may .at some point be witn~ina criminal trial against Major Hasan. We alSo trY to strike a balance between not identifying specific individUals who spoke frankly while still providing the~ a.

sense of the organization that providedi ~
6l:fil~i>n or had action on a specific issue. (U)


3 Protecting the Force: Lessons from *FoJ"'* HOO!i~rt
~fthe DoD Independent_R~~iew, t.O.~'~}. (U)
..
Megan McCloskey, "CiVIhan pohce officer acted quickly to help subdue alleged gunman," Stars and Stripes (Mideast Edition), 8 November 2009. (U)
5 [Open Source I WASHINGTON POST ctRAS
ID:OW5666743l I 200802271 (U) I CIRAS ID:
OW56667431)
6 Hasan raised the same issues he pr-esented in his emails to Aulaqi in a June 2007 research paper, "lbe Koranic World View as it Relates to Muslims m the US
Military," on file with the panel. Hasan cited the example of Sergeant Hasan Akbar's killing of fellow US
soldiers to underscore the internal conflict faced by Muslim soldiers serving in the US military and that Hasan's paper goes on to say that Muslim soldiers who perceive the US military to be advancing the cause of
''American hegemony" rather than justice have "turned against fellow troops" and argued for the US mj]jtary to assign Muslim soldiers to religiously acceptable positions to avoid ''the potential for adverse events."
TOP SEORE'fHHOSfSI~~OONINOFORN.-
j(b )(?)(E) I
10 The agent bad been assigned the lead by his supervisor on 27 Februacy, but because of his workload he did not work on the case until27 May. Discretionary leads are generally required to be completed within 90
days of assignment. (S/INF)
t I [FBIS I GMP20090610479002120090810 I
(U/~ I CIRAS ID: FB5941323]
12 According to the FBI, neither they nor their UK
counterparts were able to corrobomte these claims.

(TS/fSIIfP'W). (S/,~W)
39 [Other 1 National Commission on Terrorist Attacks Upon the United States, The 9111 Commission Report. I
20041 (U) I CIRAS ID:]
4 Countmerrorism Mission Management, FY201 0
Counterterrorism Production Guidance, January 2010.

fSffNi7 The publication date was January 2010
although the contents had been drafted befOre th~ 25
December incident (U)
41 "Top Frontbumerintelligence Issl1eS." September
2009. TOP 8~itE'fh'HCSISi
GfFK!feROOl't/N()F{)ffit. (SIMF3
42 NIE MI'I2007-02HC. Memorandum to the Halders of NIE 2007-02HC, The Terrorist Threat to the US

## (B)(7)(E) Fbi (B)( 1) (B)(3) Cia (B)(3) Nsa (B)(7)(E) Fbi (B)(3) Nsa

needs fewer dots," Washington Post, p. A21. (0)
49 Russell Goldman and Huma Khan, ''TimelinC of terror: Clues in Bomber Umar Faroo.k Abduhnutallab's Past," ABCNews.com, 3'0 December 2009. (U}.  .

so DJ~. Grady, Politics: Why HeadS ~
R.<iJtll TheAt'tantic.oom, 8 January 2010. (U)

51 Eric L~
E* Schmitt,~ .Mart~~
"Review of Jet l30mb Shows Mote Mis$1'Jd.~~~
New York Times; 18 January201~p. At.~
52 Mike Allen, "CIA also knew about suspect,"
Politico.com, 29 Decenmer 2009. (U)
.

53 Similarly, the State Department V1$8S Vtpet cabte of
20 November noted only "lnfonnation at post soggersts subject may be involved with Y emeni-based extremists." (U/~
54 Jordy Yager, "Lawmakers press forwani with n:views of intel failures after Christmas attack," TheHill.com, 24
January 2010. (U)
55 Joseph Curl, "Counterterrorism chief: Officials 'didn't unclerstand' intel," Washington Times, 9 Jmru.ary2010, p. A l; "Bight Years later," New Y ode TtmeS, 8 Jammry
2010,. P. A26; and Greg Miller, "Costly eti01S in probe of failedjet airliner blast detailed." Los Angeles Times,
21 JaAuary 2010, p. AI; Brian Ross and Kirit R.adia,
"Northwest 253: Obama Blasts Intelligenee Failures as Evidence ofMissed Signals Mounts." ABQiews.com.

29 December 20Q9; and Jennifer Sims and Bob Gallucci,
"Why . . . - .

sharing cp't aiwasllll!f=lll5~.

w .
:~~aJanuary20lO,p. At9 .. tt1)
~ In any event, the Intelligence~ typieally does not mcoitor purchases of airline tickets worldwide.

Wfim Starks, "Malc:iaithem talk," CQ..com; II January
2010. (U)
.

58 Gregory Tn:verton, ''T~wiH.~~oa again." Los Angek!s.'Times, 19 Januat! 211:t~ pi Al3.

T~
Writes:l~Jat "Siitlply sinifiltghUn ..

migbt have d~ne $e job." . (ll)
59 Sebli~Stian~ "U:s~ lea:mett - tel'l'    on ahiine
' - .. . .

.

. .

.

. . .. . Ill tgellGC.

.

attack~wltie heW8sen route.'" Los .tm&e{es
Times, 7 *]8llU8JY* 2010. (U)
- ..

60 Frances Townsend, "No one connected flie. dots. on terror plot;'~ (;NN.com, )(J I>eceJnQer WlO; ,(U)
61 "Yement :flWU,US.Yemerti CitiZenTamgMore Operational ROle in Al-Qa'ida Groupt"(~NCTC
Online. 5 May~
'('f'Dp-
Seuit:ti~JhmFO'R:N1- ~
62 Mimi Hall; 'Ubama.orders security~
T~. 8 ~
2DfO, P AI. (U)
63 NIEMa200'1-02HC. ~trifie~

NIE 2007-02HC, The Terrorist Threaf.lli ...

Homeland tfSMiCSI/Si'-6Jf'OfKJ1Rf(
'
(stfl'~f)
64 TSA interviewees noted that the number '*''rise above 300 depend~ on the season ami the.~ is even higher once priVate airstrips arc included. (MNFT
65 We note that $ome legislators arc alrea4y~g at the idea that unspecified post-Detroit regulations could cause inconveniences that represent a "disservice to the traveling public. See Kara Rowland 8lld Nicholas K.ralev, "Obama pledges changes on security?"
Washington *Times.* 6 January 2010, p. A.L..!,U).

66 CTC and NCTC produced mon: than ~B
articles

in2000 in.additronJo~-~-.~ .. -...~>'h.
     . .,
          ":.'
                . ''
                      ,
                        '
                          '
                           ,.~:o&~a._pu.t ..
                                      ' .. ,-~,

8lld ~
~1'15.

-(&1.~
officership with respect to the alleged perpetrator.

These individuals failed to demonstrate that officership is the essence of being a member of the military Erofession, regardless of the officer's specialty." (U)
6 Other officers in the FBI WFO, including the WFO
supervisor, did know about the database, but the supervisor did not recommend to the DCIS agent that he
88 Terrorist Screening Center, "Protocol Regarding Terrorist Nominations: Guidance Regarding Application of the Minimum Substantive Derogatory Criteria for Accepting Nominations to the Terrorist Screening Database," February 2009. (U/~
89 For example, during this approximate timeframe, TSC rejected a broad range ofNCTC "No Fly" requests even those
(S7'J'Nft-
90 We focus more on the 25 December incident because the implications and responsibilities of the Intelligence Community are greater than in the case of Fort Hood.

(U)
91 Memorandum from CIA Director Panetta to DNl Blair, "Readdressal of teporting in the Wake of j(b)(?)(E) I
92 Senate Select Committee on Intelligence, "Report on the Attempted Terrorist Attack on Northwest Airlines Flight 253," t.'T~tmcst~Iitoe
'fHF), 16 March
94 For example, not provide enough derogatory information on Abdulmutallab's extremist links to justifY submitting the information to TIDE. Using the exact same information with the same level of derogatory reporting, however, Department of State officers prepared a Visas Viper report that ensured that the information on Abdulmutallab was entered into CLASS, thereby creating a record in TIDE.-tSh'NI<t
95 To take a few examples, Homeland Security Presidential Directive-6 notes that watchlisting is appropriate for "known or appropriately suspected"
terrorists to be watchlisted, while TSC guidelines justifY
watchlisting if the intelligence supports a ''rationale inference." NCTC guidelines notes that watchlisting requires "reasonable suspicion" and that the individual be "operationally capable." In our view, language such as this gives the appearance of making the criteria ostensibly more schematic and asceptic, but "Mlich actually make it more subjective. ~
96 Senate Select Committee on Intelligence, "Report on the Attempted Terrorist Attack on Northwest Airlines Flight 253," (T~t/t'ICS"/5J:OC/
t*}, 16 March

(b )(1)
(b)(3)
(b)(7)(E)
FBI

20 lO. (SI'J'MP)
97 US Persons issues are discussed in detail beginning on
t':ge32. (U)
8 The FBI, for example, is working toward its Next
Generation Analytic Environment (NGAE). The NGAE
initiative represents the FBI's vision for utilizing
technology to further the FBI's ability to correlate and
share terrorism-related intelligence. As a first step, the
FBI has identified the principal repositories of data
within the FBI and is in the process of developing a
cross-database search capability. The long-term

objective is to develop an architectural fiamework that one day might permit the FBI to ingest and share information across the Intelligence Community. (U)
99 "FAA Intelligence Review for NW 253 Bombing Attempt and Subsequent AQAP 1'hreaa,"

## (B)( 1) (B)(3) Cia

"Analytic Responsibilities for Colll'lterterrorism Analysis in the US Intelligence Cotnmunity". EIS
00284. 1 Aprii2010.~/Mf)-
102 The lack of FBI-DOD collab<mrtion-i)Srticularly the shortfalls on Serviee 1epr.esentation to the ITIF-was noted in Protectihg the Force: Lessons from Fort Hood
(Report of the DoD Independent Review, 2010). (U)
103 The Commlll'lity's rolesfor coHecting. reta:ining, and disseminating US Person infonnation are laid out in Executive Order 12333 and in procedures that implement that Order for each Intelligence Community element, as approved by the Attorney General and the head of the Community element. in consultation with the DNI. (U)
104 A primary difference is the role Aulaqi, who directed Abdulmutallab's attack but appears to have mainly played an

for Hasan.

## (B)( 1) (B)(3) (B)(7){E) Fbi

The publicly released version of the DOD
independent review group's report assessed that the relevant DoD personnel policies wer:e aenerany adequate and attrilmtea the omissioos to Hasan's supervisors, who "failed to apply appropriatejudgmmt and standards of offieership." The det:aiied findings and recommendations related to this matter can be fOlll'ld in the restricted annex of the report, which DoD declined to share with us. (U)