Lessons Learned from the Paris and Brussels Terrorist Attacks

© Geert Vanden Wijngaert, AP, USAToday.com, March 23, 2016

On March 22, 2016, Brussels was rocked by two devastating terrorist bombings. In the first, two suicide bombers detonated powerful explosives at the Brussels airport and in the second, a third terrorist detonated a suicide bomb on a metro train at the Molenbeek subway station. At least 31 people were killed and hundreds were injured. The resulting fear and shockwaves resonated throughout the European Union (EU) and the civilized world. Shortly after the bombings, the Islamic State of Iraq and the Levant (ISIL) claimed responsibility for the attack. Like all of these atrocities, ISIL, al-Qaeda and similar terrorist groups enjoy a short-term victory.

As awful as these events are, the evidentiary trail left behind affords law enforcement and intelligence agencies a unique short window of opportunity to disrupt other terrorist plots, identify and disrupt the terrorist support network and to follow the evidentiary trail back to other operatives and the masterminds. The police and intelligence response to the Brussels attacks was immediate and intense. As was the case in Paris in November 2015—where police in Paris, Belgium and other EU countries carried out raids and arrests—numerous raids and arrests have taken place throughout Belgium and other parts of the EU in response to the Belgium attacks. In Paris, an individual involved was arrested, and it was determined he was planning an imminent attack. In Germany, an individual was arrested who received a telephone message from one of the Brussels terrorists that the attack was taking place. In Italy, an individual was arrested who made false documents for the terrorist network in Brussels.

What has alarmingly emerged is that the terror network responsible for the Brussels attack was also responsible for the Paris attack. The network included returning foreign fighters and homegrown violent extremists. As was learned after the Paris attack, the planning for the attack took place in Belgium. Salah Abdeslam grew up in the Molenbeek section of Belgium. Abdeslam was one of the Paris attackers and handled much of the logistics for the Paris attack. Abdeslam escaped from Paris and spent four months hiding in plain sight in Molenbeek. Abdeslam was arrested following a series of raids in the Molenbeek area a few days before the Brussels attacks on March 22.

Najim Laachraoui, one of the suicide bombers at the Belgium airport, was also one of the network’s bomb makers. In addition to building the Brussels bombs, Laachraoui’s DNA was found on two of the bomb vests used in the Paris attack. His computer was found after his suicide attack. He left a message saying that he felt law enforcement was closing in on him and he would not go to jail. Laachraoui was in a safe house with Abdeslam just prior to Abdeslam’s arrest. Also determined from Laachraoui’s laptop, the original attack date was planned for March 28. It was moved up to March 22 following Abdeslam’s arrest. Laachraoui was a bomb maker and good bomb makers are extremely valuable to terrorist networks. An interesting question to ask is: Had Abdeslam not been arrested and had the attack taken place as scheduled on the 28, would Laachraoui have been a suicide bomber, or would he have lived on to continue making bombs?

Since the Brussels bombings, Belgian law enforcement and intelligence services have been harshly criticized for not identifying the terrorist network sooner and for not linking it to the Paris attacks. Belgium has been an incubator for Islamic jihadists for a long period of time due to many factors including the law, social and ethnical divides, the number of law enforcement agencies in Brussels and the lack of adequate information sharing.

Western intelligence officials believe as many as 400 foreign fighters from the EU have returned to the EU from Syria and Iraq. There is a great deal of concern about the number of cells and operatives quietly functioning throughout the EU. Many intelligence officials believe that as ISIL continues to lose territory in Syria and Iraq, they will conduct more attacks in the EU. Intelligence officials are attempting to determine how many ISIL cells or networks are operating in the EU.

Looking Back at Paris with a View Toward Brussels

Finance and communication are the two biggest vulnerabilities facing terrorist organizations. Both can be traced and used to link terrorist operatives together. They can also be used by law enforcement as a proactive tactical mechanism to disrupt or prevent terrorist activities.

Paris was a larger scale attack than the Brussels bombings. Paris required a greater degree of planning and logistical coordination and support. Investigations determined that at least some of the funding for the attack was provided by ISIL. Investigations also determined that the attackers used prepaid cards as a payment mechanism. The use of prepaid cards provided the terrorists with a form of anonymity. As the Brussels investigation unfolds, it will be interesting to see if the attackers and the support network received funds from ISIL or other sources. It will also be interesting to see to what extent prepaid cards or other payment mechanisms were used. It is also likely that the Paris and Brussels operations were partially self-funded through cell member job earnings, government entitlement funds and/or criminal activity.

One important investigative finding in Paris was that the attackers had a cache of cellphones at their disposal. They activated burner phones shortly before their attack. This ensured that law enforcement and intelligence monitoring would not be likely. A second finding regarding communications was that some of the attackers used cellphones belonging to victims. Again, this ensured that law enforcement and intelligence monitoring was not likely. It was also determined that the attack mastermind, Abdelhamid Abaaoud,  participated in the attack. After participating in one of the café shootings, the investigation determined that Abaaoud was observed in front of the Bataclan theater. Abaaoud was reportedly on a cellphone speaking to the suicide attackers inside the theater. He was probably providing logistical information regarding police responders. In Brussels, the subway suicide bomber made a cellphone call to a network member in Germany advising the attack was taking place. This call was traced, which resulted in the arrest of the network member in Germany. It will be interesting to see what other telephone communication patterns were followed in Brussels.

According to a 60 Minutes report on March 13, 2016, regarding the encryption debate between Apple and the FBI, French Prosecutor François Molins told Leslie Stahl it was likely that the Paris terrorists used encrypted texting apps as a communications mechanism. Rob Wainwright, head of Interpol, would not elaborate but indicated that encryption probably played a role in the Paris attacks. The significance of this is that law enforcement cannot monitor encrypted messages. It will be interesting to see if the Brussels investigation can determine if and to what extent encryption was used by the terrorists involved.

Lessons Learned from Paris and Brussels

  • The threat of returning foreign fighters to Western countries is a significant problem.
  • The terrorist networks of returning fighters and homegrown violent extremists are more organized and insulated than previously thought.
  • Many of the foreign fighters from Europe who joined ISIL have criminal records.
  • Attacks like those in Paris and Brussels require significant pre-planning magnifying the importance of situational awareness.
  • The threat of ISIL-directed attacks by returning foreign fighters and/or homegrown violent extremists is more acute in the EU than in the U.S.
  • The adaptability of terrorists to mitigate the vulnerability of communications through the use of burner phones, victim cellphones and encryption, presents a significant challenge to law enforcement and intelligence agencies and their ability to disrupt terrorist activities.

The Challenge of Encryption

Terrorists have discovered and embraced encryption. The issue on encryption being exploited by terrorists is an issue of significant concern. Unfortunately, encryption providers do not share that concern. On one hand, they choose to be self-righteous and espouse customer right to privacy and information security considerations as justification to not cooperate with law enforcement to access encrypted information. On the other hand, the same communications providers choose to be willfully blind about knowing who their customers are. Communications providers should not have it both ways. If they are going to insist on the right to privacy and security, they should be accountable to know who they are dealing with, particularly when it comes to terrorists who are to likely exploit encryption in furtherance of terrorist activity.

Applying Lessons Learned to Financial Institutions

First and foremost, since terrorists are overcoming the vulnerability of communications, it becomes more incumbent that we exploit their financial vulnerabilities. The starting point for this is within financial institutions, where financial intelligence resides. Unlike communications companies, financial institutions are required to know their customers. This is a responsibility that financial institution anti-money laundering (AML) and fraud professionals take very seriously. Financial institution AML and fraud professionals are extremely dedicated to identifying and reporting suspicious activity, especially if it could be related to terrorism.

There is a great deal of consensus that the EU will encounter more ISIL directed attacks by returning foreign fighters and their network of homegrown violent extremists. Similar attacks by returning foreign fighters are less likely to occur in the U.S. However, the U.S. is quite concerned about self-generated attacks by homegrown violent extremists influenced by ISIL.

Depending on the size and capacity of a financial institution, all financial institutions should establish, within their framework, a Strategic and Tactical Response (STR) team to respond to events such as terrorist attacks. It is essential that STR teams understand the terrorist problem and general terrorist funding flows; that they follow media and selective intelligence reporting to identify methods of operations and emerging trends on a daily basis; and that they obtain specialized training to better identify financial intelligence and respond to terrorist events.

From an AML and fraud compliance perspective, it is important to understand the three terrorist funding streams, which are:

  1. Funding that flows to the terrorist organization to sustain their operations
  2. Funding that flows from the terrorist organization through facilitators to support terrorist operations such as the Paris and Brussels attacks
  3. Funding that flows from the facilitators to the operatives such as the networks that conduct the pre-attack surveillances, provide the logistical support and pay for the attack

With respect to the specific threat posed by foreign fighters and homegrown violent extremists, the STR team, through understanding, assessment and training, should develop profiles consistent with the personal characteristics attributed to known foreign fighters (both leaving and returning) and to individuals known to be homegrown violent extremists. This could allow the STR to develop proactive monitoring capabilities and more urgent reactive mechanisms when events occur and negative news might generate name alerts.

STR teams should establish contact with the Joint Terrorism Task Force(s) (JTTF) in the jurisdiction(s) where the financial institution operates, as well as with the Terrorist Financing Operations Section (TFOS) at FBI Headquarters. Establishing and maturing this type of public-private partnership will result in more efficient and effective communications and information sharing at times of critical events.


When successful terrorist attacks are directed by a terrorist organization like ISIL, the organization reaps a short-term victory. However, the overwhelming national and international response to these events will ultimately lead to the long-term defeat of ISIL and other terrorist organizations. The combination of public resolve, and effective law enforcement, intelligence, sanctions, military and diplomatic response channels, coupled with private sector support, especially through financial intelligence sharing, will serve to hasten the defeat of the ISILs of the world.

Dennis M. Lormel, CAMS, internationally recognized CTF expert, president & CEO, DML Associates LLC, Lansdowne, VA, USA, dlormel@dmlassocllc.com

Leave a Reply