The Attribution of WMD Events

Jay Davis

April 2003


Jay C. Davis, Ph.D., is National Security Fellow at the Center for Global Security Research at Lawrence Livermore National Laboratory. Prior to that, he served as the founding Director of the Defense Threat Reduction Agency of the Department of Defense.


Introduction

Attribution, with the accompanying possibility of prosecution or retribution, may be one of our greatest deterrent tools, hence a vital and compelling component of our defense against terrorism. It is presumed that in a WMD event we are dealing with an event that causes a large loss of life or economic cost, that has as its principal aim a loss of public confidence in the government, and that produces a large social and political demand for retribution at the earliest possible time. Exclusion, the opposite of attribution, is equally important in the furor and highly charged politics that would follow such an event. Wherever the word attribution appears in this discussion, the reader should also ask whether exclusion could be achieved by the same or similar means. This article addresses two issues: what capabilities are required for attribution or exclusion, and what operational or organizational concepts would help convince the world audience of our proof, an essential step to major action on our part. My personal interest in this difficult subject began more than a decade ago. In 1990, Hans Mark gave a speech at Livermore defining the problems that would arise from the unattributed use of a nuclear weapon in a terrorist act. He pointed out at the time that such an event was now even more likely because the relaxation of tension between the United States and the Soviet Union made it unlikely that a single weapon would produce a strategic exchange between the powers. He also speculated that use could occur in the rise of ethnic or “tribal” antagonism that was inevitable as a result of the failing Communist states’ loss of control over their subject populations. His concern and prediction were prescient, and the risks he identified have only increased in the years since.

I begin with the full set of WMD events and then focus on those that pose the greatest difficulties with regard to attribution. We commonly list nuclear, chemical, biological, radiological, and large conventional explosive attacks as the set of WMD events. I wish to exclude chemical, radiological, and large explosive events from consideration for several reasons. First, no matter how large the impact, there is actually a locus for the crime scene. There is also certainty that evidence will be preserved that can be treated in a manner commonly understood by current investigatory processes and agencies. The American public and the portions of the world community we may be likely to convince in any case will understand the processes that are used to attribute the event because previous events have been dealt with in public in courts of law. The two remaining cases, nuclear and biological, are more difficult for several reasons. In the nuclear case, the event itself may have completely obliterated the crime scene as well as the collateral evidence that identifies who and how. The materials and techniques used for attribution may involve both classified methods and information that (at present) have had neither domestic nor international exposure and no validation in any public manner. In the case of biological attack, we may in fact not know where the crime scene really was. The data we collect may come at a great distance from the original scene of the crime in both space and time, and we may have only inferential evidence of the act itself. It is useful to recognize the striking similarities between cyber-attacks and their consequences and those of biological attacks—that is—infectivity, propagation, action at a distance, etc.

Organizing Principles

My principal mentor in military matters, General Larry Welch, taught me that the military looks for the solution to a problem in three areas: doctrine, operations, and technology. One must always be aware of (and often seek) trades across these three boundaries. This sequence is a powerful way to structure a solution to the attribution problem or, perhaps more correctly, to structure the activities that might lead to a solution to the attribution problem.

Doctrinal Issues

Two fundamental issues arise before an event: What do we choose to reveal of our capabilities for attribution, and with whom do we partner in the activity? In the nuclear case, the tools that we have developed that might support attribution (databases, nuclear explosion detection and localization, sample acquisition and measurement techniques, and computational tools for modeling the many coupled nuclear reactions in a nuclear explosion) were developed as part of classified activities of our nuclear weapons programs and intelligence activities. Some will remain classified under the rules of the Atomic Energy Act, some should remain classified to deny knowledge to those who would try to spoof or defeat our abilities, and some can be and have been divulged. Interestingly, the logical partners whose vouching would lend credence to public attribution activity—the P5 members of the Security Council of the United Nations and the declared weapons states—include former enemies against whom such tools were directed during the Cold War. We will need to evaluate the benefit and risk in sharing information and intention before the fact to establish international credibility. I do not pretend that this discussion will be easy, but it will be easier before an event than during or after.

In the biological case, there is classified information on agents and weaponization techniques employed by various states, but it is interesting that the techniques for attribution that will be credible with the public are already in the hands of the public health and agricultural communities and research establishments worldwide. These communities have not always thought of attribution leading to prosecution or retribution, as opposed to diagnosis and treatment of disease. It will require a major change in the scientific and philosophical viewpoints of these communities to get them to accept the new and different goal of attribution and its associated ideas of accusation without interfering with their public health missions. The natural desire to push out all information to aid in treatment is in direct contrast with the desire to preserve evidence in a form suitable for indictment and trial on the part of police and other investigative bodies. Additionally, the ethos of the international community in which they share data has—to date—discouraged any obvious coupling to security or investigatory organizations. This latter situation is not bad, but rather a well-justified operational style that must be honored and accommodated.

Finally, for all cases, we must decide who actually will make up the community that makes the attribution decision, how they are to be prepared and exercised, and what branch points exist in the decision process. One important issue to be addressed before the event is whether we would pursue information and attribution in a manner that would preclude prosecution as opposed to retribution. The possibility of the choice between a judicial remedy or a military remedy, and the quality and weight of data, processes, and need for speed in the two cases, again must be discussed before the event to avoid nasty surprises or internal confrontations during the event.

Operational Preparation

Before an event occurs, we need to take several important steps. One is to establish and train the organizations that will actually execute the attribution process. This can begin only by setting out a notional timeline for each event, looking at the data and tools to be brought to bear, determining what we can currently accomplish, and deciding how we will test and practice. We need to write down the most optimistic timeline and then see whether investments in operational capability (for example, sample identification, acquisition, and transport), technology (integrated databases, precalculated signatures, newer or faster measurement tools), or intelligence (capability matrices for likely malevolent actors) will usefully shorten that timeline. Skip Burkle of Johns Hopkins has observed that we must “trespass” across multiple organizational lines to do this effectively. We must be willing to exhaustively study previous cases from other threat areas to critique ourselves and find possible improvements. As an example, careful study of the cyber-community’s solution of multiple events involving viruses, worms, and Trojan horses will help the biomedical community in its attempts to unravel incidents of infectious disease. The difficult question is who has the power and compulsion to cause these two communities to work together—and to divulge these vulnerabilities they each consider sensitive or, worse, embarrassing.

An immensely important deliverable at this stage is frank and honest education of the political decision makers who sit above the operational and technological communities that will execute the data acquisition and assessment for the nation. Scientists must be prepared to interpret and communicate the results and their meaning effectively to national decision makers. I call this matter “expectations management.” It is vitally important to explain what we can do with existing tools, what improvements might be possible with modifications in operations or technology (without appearing to be organizationally or individually self-serving) and what the “best likely state of the art” will be. In the case of a large-scale WMD event, confident exclusion of actors may be as important as attribution to the real culprit. In general, attribution will be relative and subject to interpretation, except in rare circumstances. The possibility of confident exclusion may be the motivator for sharing of information and techniques that would not be made available in other circumstances. One can imagine Russian–U.S. collaboration in attribution forensics as a matter of confidence building and stability enhancement that would be vitally important should there actually be an unattributed nuclear detonation or act of biological terrorism somewhere in the world.

Finally, as we learned in scenario play in the last administration, preparing to communicate to the public is an essential step in operational preparation. Should an unfamiliar and horrifying event happen, establishing the government’s control of the issue in the positive sense and assuring the population of its competence is a very important deliverable. A frank narration of the steps and likely schedule of attribution will be a vital part of reestablishing public confidence and dealing with the desire for instant gratification through vengeance. Expectations management, and making clear that these events have been anticipated and prepared for, is vital. Knowing what to narrate of the progress, or lack of progress, in attribution will be an important issue to decide before an event occurs. Determining who is to be the national spokesman for the process is vital for clarity and consistency of message. An examination of government statements in the first few days of the anthrax event of autumn 2001 will give a good example of how the information and issue should not be managed. A far better style to emulate is that of the National Transportation Safety Board in explaining the process, progress, and results of its investigations of major airline crashes or that of Mayor Rudy Giuliani in the face of uncertainty after September 11.

The last important component of training and resourcing these capabilities is to decide with how many events we are likely to be dealing and plan accordingly. Should a second event occur, we should be neither surprised nor caught with all resources devoted to the first event. Only the unpleasant experience of tabletops and playing the terrorist equivalent of war games will imbed this important reflex in decision makers. Essential in this training is creation of a common approach to dealing with events of differing kinds. It is of little value to have one concept of operations for nuclear events and a separate one for biological ones. Though the drivers, time lines, and actors may be different, the approach to investigation, analysis, possible attribution, and communication needs to be the same for both cases.

A major difficulty of counterterrorism in general is that it is no one’s first job, and almost no one’s second job. We in fact have many of the technical and operational tools we need, but they have not been focused on the issue of terrorism and its associated forensics and attribution needs along event timelines. These tools may not easily reconfigure across organizational and authority boundaries. The need to turn these tools to a new application may involve issues of authority, competition with existing missions and operational constructs, or the simple—but most difficult—need to think in a new way. There will be unprecedented need for consistency in the quality of analysis and output across agency lines. All must work to a common—and commonly understood—standard.

What then are the tools we can bring to bear—from detection of the event to analysis for attribution?

Technologies for the Nuclear Case

If the nuclear event is large enough, or not muffled by the overburden of a building, it will be seen by the nuclear detectors that ride on some U.S. satellites. We will have some sense of the scale of the event and perhaps a notion of the sophistication of the device, and we will certainly know where to go to acquire samples. It is not clear at present that these detectors trigger a forensic process. Once on the scene, samples of debris from the explosion can be acquired for analysis in the field or returned to established and trained laboratories for analysis. However, the authority to access the site will need to be established with those operating the consequence management activities—and at a time of frantic humanitarian, social, and political activity. The standard techniques of mass spectrometry and possibly gamma spectroscopy can be used to determine the original isotopics of the nuclear fuel, the efficiency of the fuel burn in the detonation, and possibly other information such as materials in the device itself. All of these capabilities have been developed to assess the performance of our own weapons and to infer the designs of weapons of others. These tools have never been exercised against a device of unknown origin, nor to ask the typical forensic question “Was it in a car or a truck?” If we can make forensic determinations, the result of the device characterization could then be compared to the databases of known weapons materials, credible capabilities, and the likely sophistication of possible weapons states or actors. One could then attempt to associate the inferred device with a credible actor. The speed and confidence of such an association depends on the extent to which the problem has been worked before the event by modeling and the extent to which the individuals selected to make the attribution decision have been practiced—and have full exposure to all the relevant information.

Our ability to model this problem at a level not possible during the years of nuclear testing is greatly enhanced by the computational capabilities developed in the Advanced Strategic Computing Initiative of the Stockpile Stewardship Program. We will need to model and compute reactions and processes not important for device design or performance but vital for unraveling forensic evidence and leading to attribution.

The problem is sufficiently daunting that no confident statement can be made at present about the likelihood of success. The good news is that during my tenure as Director of the Defense Threat Reduction Agency, we actually were able to establish a program to work this problem. All three labs of the National Nuclear Security Agency are involved in the technical assessment, as are the relevant components of the Intelligence Community. I would expect to have a quantitative assessment of the difficulty of this problem within a year or so. It is as important to make clear what we cannot do as it is to assert what we can do. Once the limits of our national capabilities are clear, we may consider sharing the program with other nations as a way of improving our access to databases and information as well as increasing the perception worldwide that any answer given is honest. What is clear is that the present actors and expertise for nuclear attribution are within the national security components of government and will continue to reside there.

Technologies for the Biological Case

The biological case could not be more different. The event will most likely present itself in dozens of doctors’ offices and hospitals over an extended period and be detected by the medical surveillance processes of the public health care system. The footprint of disease occurrence that results from epidemiological work may allow inference of the locus and means of dispersal of the agent, providing useful leads for the forensic process. The agent itself can be isolated from patients and its genetic makeup compared to naturally occurring strains that may suggest a point of origin or modified strains that were created in known biological warfare programs—or, unpleasantly, the analysis may identify a strain not previously seen. The strategies to do this have evolved in the forensics community with human DNA forensics. A confounding factor is that some bacteria and viruses are naturally genetically modified as they pass through their hosts, putting a high premium on recovery of the original material if at all possible.

If we are able to recover samples of the original agent itself, its non-biological properties may be valuable in identifying the potential actor. Lessons of this sort were being learned in real time in the anthrax investigation. Just as with the nuclear case, however, credible identification or understanding of the weapon does not necessarily identify the perpetrator. The same steps in preparing an attribution panel to make associations or determinations against the full set of databases are essential.

What is very different in this case is the opportunity to work in a more public fashion, potentially with much higher credibility on the world scene. All of the analytical tools to be used exist in the unclassified world, in fact originate in it, and the necessary expertise is there as well. The databases of natural agents are openly available to a large and credible expert population that is international. Even restricted information obtained by intelligence processes (for example, knowledge of engineered pathogens or modified agents or weaponization techniques of suspected Biological Weapons Convention violators) could be divulged to an expert panel under the confidentiality that protects information to be used in a trial. The rules for secrecy in these matters have more flexibility and a more pragmatic origin than those associated with nuclear weapons. Opportunities for establishing an international panel to make the attribution decision are large in this case and should be exploited from the very beginning.

Recommendations

It is clear that while the problem of attribution of a WMD event will be difficult, the problem is at least amenable to a structured approach. Preparation before the event in terms of organization, cross-discipline communication, training, and exercise will pay huge dividends after the event, both in terms of ability to identify the bad actor and in terms of establishing public trust in the process. To move forward to create both the actual capabilities required and the deterrence effects desired, I have specific recommendations:

  1. Establish unambiguous ownership of the forensic responsibility with the Federal Bureau of Investigation. As the Bureau has the responsibility for both counterterrorism and investigation of WMD events within the United States, this should not be contentious. The information and technical capabilities developed by other agencies should be focused on supporting the Bureau’s needs and should conform to its protocols. Budgetary authority can lie within the agencies where the technical and operational capabilities reside, but it should be made clear that an integrated program is required. The support of the FBI by multiple agencies in the Salt Lake City Olympics provides a recent successful model that could be further developed and applied. Time spent hammering out the memoranda of understanding and protocols before the event is time saved after the event.
  2. Establish oversight and attribution panels for both the nuclear and biological forensics efforts. These panels should include the technical experts who are capable of both technical and operational review of the attribution programs run in support of the FBI. The panels would have the knowledge and international prestige to vouch for any attribution determination that they make. For status and authority, the panels should be presidential appointments. It may be as important for these panels to be able to say that no attribution determination can be made as to say that one can. Also, the panel members should have access to all relevant information. These panels should report to the Director of the FBI to assure that the programs have adequate visibility and access.
  3. The technical and operational aspects of nuclear forensics will lie within the government. For the biological case, a conscious decision should be made—in advance—to structure the program so that industry and academia, internationally if possible, have at least a 50% role in analysis and interpretation of any samples handled. Given the national and international reaction to the events of September 11, I doubt that there will be resistance on the part of either the biological or medical communities to participation in forensic matters.
  4. Once the oversight panels have been established, their initial effort should be to create the operational timelines that are possible today for the forensic and attribution process. Practice exercises should be run against these timelines to assess the analysis and interpretation steps and to evaluate research investments that would either shorten the timelines or increase our confidence in the result. Budgets for these activities will lie within the supporting agencies, but the panels should have input on priorities for investment and the portfolio mix.
  5. Having created the programs and having given them national focus and endorsement, we must begin the discussions internally and externally about whom we would invite to be our partners. A useful starting place for an examination of lessons learned would be an assessment of the processes and results of forensic measurements performed in support of the UN Special Commission inspections in Iraq.
  6. Legal issues are unexamined in this discussion. We are learning lessons in real time on these matters as we develop theories for detention and prosecution of those removed from Afghanistan and those we will eventually extradite (or try to extradite) from other nations for their complicity in the events of September 11. An examination of “theories for prosecution” should be undertaken by the legal community in parallel with our doctrinal, operational, and technological examination of attribution. As the World Court becomes the likely venue for international dealing with such matters—it is hard to imagine another forum—and as we apparently continue to separate ourselves from its processes and norms, this examination becomes all the more critical. This comment is not political, but bluntly pragmatic.

Summary

As a technologist and operator, I keep a standing mental list of the five hardest technical problems of which I am aware. Nuclear forensics and biological forensics each make that list. There is no assurance that we can work backwards from the effects of these horrific events to uniquely determine a perpetrator. What is clear is that it is wholly unacceptable not to invest the resources and effort to know what is possible and to clearly communicate that possibility to those in government who will have the awesome responsibilities of decision making after such an event. What I suggest is a process that can lead us to knowledge of what is possible, and a way to structure our work so that we will have the largest possible credibility if we must attempt this daunting task.

Acknowledgements

I wish to acknowledge discussions over the years with friends who have contributed to my awareness and understanding of this problem. My mentor Hans Mark receives great credit for sensitizing me to this problem over a decade ago. I hope my efforts since then have rewarded him for his insight and stimulation. John Hamre gets great credit for listening to my concerns about this matter and for endorsing my request for resources to tackle it while we were both at the Department of Defense. Carl Poppe, Alan Mode, Randy Murch, and Skip Burkle have all provided operational and technical insights as well as encouragement as I have struggled to structure my thinking. Finally, I wish to express my appreciation to my colleagues at the Defense Threat Reduction Agency and at Livermore, Los Alamos, and Sandia for following me down this dark and foreboding path. They have all contributed to my understanding but bear no responsibility for my conclusions or recommendations. Those fall on my head alone.