Analysis in Combat: The Deployed Threat Finance Analyst

The author wishes to thank David Blum (Stanford University) for his comments and suggestions on earlier versions of this article.


This paper traces a narrative behind small wars research that has yet to be developed fully within the community yet demands attention: the role of the deployed intelligence analyst, billeted to support the command staff or a specific task force in theater with analysis and course of action recommendations. Focusing specifically on the threat finance analyst (a subset discipline with the intelligence analysis community), the author follows the history of threat finance analysis from the post-9/11 call for intelligence reform up through the creation and operation of the Iraq Threat Finance Cell and the Afghan Threat Finance Cell in Baghdad and Bagram/Kabul, respectively. The paper captures key bureaucratic and analytical challenges for the deployed threat finance analyst and the larger community of deployed all-source intelligence analysts as they continue to support operators within the small wars community.


In the wake of September 11, 2001, the Council on Foreign Relations (CFR) stood up an independent task force to investigate U.S. efforts to disrupt terrorist financing. The task force found that the U.S. national security community at the time was woefully unprepared to understand and attack adequately terrorist finance networks, noting among other failures the lack of coordination among the several national security agencies. Since then, there has been an exponential growth in the attention that the U.S. intelligence community has paid to global terrorist finance networks. Today all the major intelligence and law enforcement agencies maintain a specific counter-threat finance mission, defined in this article as the identification and degradation of financial networks used by militant groups. The position of “threat finance analyst” is now a fixture among the bureaucracy of intelligence analysts.

While in many ways this growth has only compounded the problems that the CFR identified – specifically with regard to coordination among agencies – the creation of the Iraq Threat Finance Cell (ITFC) (2005 – 2010) and subsequently the Afghan Threat Finance Cell (ATFC) (2008 – present) represent, whether deliberately or not, the successful implementation of many of the task force’s recommendations. These threat finance cells (TFCs) are interagency organizations, co-led by the Department of Defense and the Department of the Treasury (and in the case of the ATFC, headed by the Drug Enforcement Administration), wherein several U.S. national security agencies are represented through analysts deployed to combat zones and detailed to support the cells. The ITFC was headquartered in Baghdad with liaison officers spread throughout Iraq and the ATFC is currently headquartered in Kabul with similar liaison officers across Afghanistan.

This article begins with a brief history on the institutional development of the deployed threat finance analyst before providing a critical review of the unique combination of qualitative and quantitative methods that grew within the TFCs. Prior to the wars in Iraq and Afghanistan, never in such large numbers were civilian analysts (such as those within the TFCs) deployed to combat zones. The compressed distance between collections and analysis and analysis and operations created a new set of methodological opportunities and challenges for intelligence analysts – this article attempts to address critically those opportunities and challenges as experienced by threat finance analysts in the field.

To date Small Wars Journal has taken the lead in providing a forum for critical discourse on what works and what does not when COIN in the classroom transitions to COIN on the battlefield. This, I think we can all agree, has made the community of COIN practitioners more informed and better prepared for the next fight. But behind COIN outside the wire is COIN as practiced in spreadsheets, slide presentations and link charts on the FOBs across Iraq and Afghanistan. We too have our challenges in transitioning theory into practice, and while no doubt the narrative is less thrilling, the influence of deployed intelligence analysts and the viability (or lack thereof) of their course of action recommendations to command staff equally need to be captured in forums such as the Small Wars Journal for the very same reasons – to produce more informed, better prepared COIN analysts for their next deployment, wherever that may be.

The Creation of the TFCs

At around the same time the CFR report was published, the Bush Administration released the 2002 National Security Strategy (NSS), which equally recognized the significance of the counter-threat finance mission within the Global War on Terror (GWOT). The 2002 NSS provided added emphasis and visibility for targeting the financial networks of terrorists. “To defeat this threat [of terrorism],” the 2002 NSS reads, “we must make use of every tool in our arsenal – military power, better homeland defenses, law enforcement, intelligence, and vigorous efforts to cut off terrorist financing.” Later the document goes into greater detail:

The United States will continue to work with our allies to disrupt the financing of terrorism. We will identify and block the sources of funding for terrorism, freeze the assets of terrorists and those who support them, deny terrorists access to the international financial system, protect legitimate charities from being abused by terrorists, and prevent the movement of terrorists’ assets through alternative financial networks.

The 2002 NSS sparked significant restructuring within the Department of Defense (DoD) and the Department of Treasury (DoT) with respect to the war on terrorism in general and threat finance in particular. Within the DoD, the Special Operations Command (SOCOM) was named the lead coordination organization for GWOT, which included the military pursuit of terrorist finance networks. The DoT, whose counter-terrorism role until this time was mainly relegated to countering money laundering, created an entirely new organization within the department, the Office of Terrorism and Financial Intelligence (TFI), led by an undersecretary for intelligence. In the first few years following the 2002 NSS, DoD and the DoT would pursue their own objectives with minimal interaction between one another, but over time those two tracks would meet in an interagency endeavor known as the ITFC and later lead to the ATFC.

Institutionalizing Threat Finance Analysis

As the DoD’s GWOT lead, SOCOM was specifically required to synchronize (among other priorities) “efforts across the military to finds ways to choke off funding to terrorists,” according to Lieutenant General David Fridovich, an Army commander within the command at the time. Under this new role, the geographic commands were now required to submit to SOCOM their plans for executing GWOT’s newly outlined priorities. While prior to the GWOT, counter-threat finance analysts existed in small, unorganized pockets across the geographic commands, SOCOM cemented the concept and ensured its continued development.

Meanwhile DoT was taking its own initiatives in meeting the challenge outlined in the 2002 NSS. The biggest development immediately following 9/11 that gave Treasury a direct authority in countering terrorist financing was President Bush’s approval of Executive Order 13224, Blocking Property and Prohibiting Transactions With Persons Who Commit, Threaten To Commit, or Support Terrorism, which authorized the U.S. to seize the assets of terrorist groups and supporters of terrorist groups outside the U.S. Through E.O. 13224 the U.S. gained access to terrorist assets beyond its borders by forcing foreign bank cooperation (the U.S. threatened to block a foreign bank’s access to U.S. markets and financial institutions if it did not cooperate with the U.S. directive).

In 2004 Treasury created the Office of Terrorism and Financial Intelligence (TFI) as an umbrella organization for consolidating the various units within the department that had been working on threat finance related issues (such as, for instance, the Office of Foreign Asset Control, which has direct responsibility for proposing E.O. 13224 recommendations to the president). A key office set up under the TFI was the Office of Intelligence and Analysis (OIA), responsible for supporting the TFI with “expert analysis and intelligence production on financial and other support networks for terrorist groups, proliferators, and other key national security threats.” Today OIA serves as the home for most intelligence analysis within the DoT but is perhaps more widely known for becoming the primary human resource for Treasury’s analytical support to the ITFC and the ATFC.

The Deployed Threat Finance Analyst

In late 2005, the National Security Council called for the creation of an interagency cell based in Baghdad with a mission to “enhance the collection, analysis, and dissemination of timely and relevant financial intelligence to combat the insurgency” – the Iraq Threat Finance Cell (ITFC). The ITFC would build off the success of an existing intelligence group within CENTCOM known as the Threat Finance Exploitation Unit (TFEU) and be co-led by a CENTCOM colonel and a DoT OIA civilian but critically, staffed by intelligence analysts not only from OIA and CENTCOM but from the Defense Intelligence Agency (DIA), the Central Intelligence Agency (CIA), and eventually agents from the Federal Bureau of Investigations (FBI), the Secret Service, Immigrations and Customs Enforcement (ICE), and the Internal Revenue Service (IRS). Over the course of its roughly 5 year tenure in Iraq, the cell peaked at over 30 individuals and had three main priorities: increase the depth and breadth of intelligence collection on financial issues; process that intelligence to provide course of action recommendations to military commanders; and increase capacity with the Government of Iraq to handle counter-threat finance initiatives on its own.

By late 2008, U.S. national security priorities began to shift from Iraq to Afghanistan as the situation in the former improved while in the latter it became worse. What had been known as the “Other War” was now beginning to draw significant intelligence analysis resources from analysts rotating out – permanently – from Iraq. Gen. Petraeus at this time had moved from commander in Iraq to commander of CENTCOM writ large and saw as one of his priorities the establishment of a threat finance cell in Afghanistan akin to the ITFC. When he was asked at a House of Representatives hearing in April of 2009 to comment on how forces in Afghanistan were combating threat finance networks, he responded that the key would be getting the Afghan Threat Finance Cell set up because of the ITFC’s success in Iraq. And in a hearing also in the House around that same time, Lt. Gen. Fridovich from SOCOM shared a similar perspective, noting that due to the successes of the ITFC – specifically the way in which the cell was able to fuse multiple forms of intelligence together for military operators – “we are now eagerly participating in the establishment of the Afghanistan Threat Finance Cell.”

Unlike the ITFC, the ATFC would be led by a special agent within the Drug Enforcement Administration (DEA) – a nod to the fact that threat finance issues in Afghanistan were inextricably linked to the narcotics industry – with DoT and CENTCOM in deputy positions in charge of the intelligence and operations divisions, respectively. Further, the ATFC’s guiding principle from the start would be a focus on capacity building with the Afghan government, a priority for the ITFC that came too late in the game. The ATFC continues to operate in Afghanistan today.

Analytical Challenges within the TFCs

To understand the methodological challenges facing analysts within the ITFC and ATFC, it is necessary to set the concept of the “deployed civilian intelligence analyst” within the context of Baghdad in 2006 when the ITFC began to hit its stride. As is now well documented, levels of violence in Iraq in 2006 forced a re-examination of U.S. strategy in the country under the auspices of the Iraq Study Group. Of the several recommendations within the group’s final report, the section that would become the most famous focused on the need for significantly more troops in Iraq on a temporary basis – the so-called “surge.”

While Small Wars Journal has dissected the myths and realities of the surge concept from just about every angle, the remaining piece of the puzzle that has yet to be addressed critically is the parallel (though less covered) call for a surge in analytical support. The influx of civilian intelligence analysts into Baghdad from 2007 onwards and into Bagram and Kandahar from 2009 onwards placed traditionally Beltway- or Tampa-based intelligence analysts much closer to intelligence collection efforts on the one hand and kinetic and non-kinetic military operations on the other, and as such these analysts found themselves in positions of much greater influence. With that increased influence came increased responsibility and accountability – to state it bluntly, briefing a series of slides to a flag officer was no longer an end in itself (the traditional metric of success); rather, it was the first step in a process that could very quickly lead to action. Concepts that to date had remained largely theoretically – from using social network analysis metrics to fracture an insurgent network to generating measures of effectiveness to determine post-operation success – began to be tested and to some degree, validated (or equally likely, rejected).

As it specifically regards the TFCs, these challenges can best be divided into three categories: intelligence collection; intelligence analysis; and course of action recommendation.

Challenges and gains in influencing intelligence collection

One of the unique benefits of the TFCs was the mixture of analysts with federal agents, the latter of which with significant previous interrogations experience. Particularly in the earlier stages of the wars, military interrogators had very little actual interrogation experience when they entered into Iraq or Afghanistan. Compounding the lack of experience was the weak detainee-to-interrogator ratio, meaning much of the potentially valuable information to be found in Baghdad or Bagram went unexploited.

Within the TFCs, an analyst could identify a detainee of interest and within 24-48 hours a TFC agent, a TFC interpreter, the analyst and the detainee would be in the booth together. Placing the analyst in the booth with the agent allowed for real-time course corrections in intelligence collection. Where under the traditional collection requirements process an analyst would need to submit a list of questions that the non-subject matter expert interrogator would then ask a detainee, under the TFC system the analyst re-directed the agent in real time to push the detainee on a previously unanticipated theme within the interrogation (e.g. an off-hand remark about the detainee complaining that his wages were not paid on time, which in itself could lead to a greater understanding of motivational vulnerabilities within a cell). Placing the analyst in the booth also provided him or her with an unprecedented window into local life – highly skewed but nevertheless valuable cultural intelligence.

An additional benefit was the ability for analysts to exert considerable influence over all types of intelligence collection – HUMINT, yes, but more importantly MASINT (measures and signature intelligence), SIGINT (signals intelligence) and IMINT (imagery intelligence) capabilities that advanced rapidly over the course of the wars. Leveraging these latter three platforms was often the difference in making TFC recommendations “actionable” – the ability to provide detail down to a level in which the analyst’s work could easily be transitioned into an actual operation. Admittedly, TFC use of these “other” INTs (i.e. beyond HUMINT) was highly idiosyncratic – some analysts grasped the concepts and their potential applications very quickly, others seemed lost in the technical lexicon – and as such future development of the TFC model should consider practical training in these platforms.

The TFCs also proved to be particularly adept at document exploitation (DOCEX) – drawing value from media picked up in the field. For example, TFC agents accompanying U.S. troops on a hawala office raid would seize forensic data such as financial ledgers, which TFC analysts could then process in a matter of days due to in-house TFC interpreters/translators. Benjamin Bahney (who was detailed to the ITFC in 2008 and 2009 while at RAND) along with several of his RAND colleagues affirmed the value of DOCEX in their open source analysis of Al Qaeda financial ledgers. Their analysis shows how in-depth exploitation of financial data can increase our understanding of an organization’s decision-making hierarchy and vulnerable sources of revenue and expenditure, but most importantly, Bahney et al. make a strong case for the relationship between an organization’s financial health and its ability to conduct attacks – validation of the need for threat finance analysts as originally proposed by the CFR back in the wake of 9/11.

A clear intelligence challenge for threat finance analysts was in convincing traditional HUMINT collection requirement officers that detailed intelligence on insurgent processes was more (or at least equally) valuable than intelligence on individual personalities. With the advent of so-called “manhunting” within both Iraq and Afghanistan came an over-emphasis on collecting intelligence that focused on “actionable” information – names, physical descriptions, and living locations. While no doubt valuable for the targeting process (e.g. F3EA), a prerequisite to targeting the vulnerabilities within a network is, quite obviously, understanding how that network functions. Compounding the problem was the fact that most “systems-oriented” collection requirements focused on small arms smuggling or improvised explosive device (IED) development, not sources and methods of financial support. TFC analysts spent considerable effort – with mixed results – in submitting formal intelligence collection requirements and intelligence evaluations to reorient priorities toward financial processes and logistic chains (i.e. systems) that would ultimately allow analysts to target threat finance networks more efficiently.

Fusing quantitative and qualitative approaches

The TFCs broke new ground in testing and evaluating at the time largely theoretical approaches to analyzing insurgent networks. Traditional intelligence analysis in Iraq and Afghanistan was highly qualitative and loosely structured: analysts read through raw intelligence on a given topic in order to author an intelligence assessment, build a brief or create a target package. Traditional analysts may have been familiar with graphical tools like i2’s Analyst Notebook (an intelligence community staple) but only as a way to database information visually. A vocal but small community within the TFCs with more quantitative backgrounds pushed the cells to incorporate new methods in social network analysis (SNA), multi-objective decision analysis (MODA), and influence network modeling (INM), with varying levels of success.

Social network analysis (SNA) became the preferred method for identifying network vulnerabilities – whether those networks were based on individual relationships or the flow of financial sources within an illicit organization. Metrics like “betweenness centrality” or “degree centrality” indicated individuals that served as bridges between cells or individuals deeply connected within a cell, each of which promoted discussions on associated targeting philosophies (do we target for information, i.e. intelligence collection, or target for removal, i.e. capture?). Measures of connectivity and flow were, somewhat controversially, used to forecast the extent of network fracture and reduction of available cash that would follow should a node be removed (e.g. an individual or a front company).

Inserting multi-objective decision analysis (MODA) techniques into daily intelligence analysis was perhaps the most successful application of quantitative methods within the TFCs. Leveraging private sector methods for assessing alternative decision paths (e.g. which product is more marketable, A, B or C?), TFC analysts designed a series of explicit hierarchies or trees in order to, for instance, prioritize financial targets within an insurgent group or prioritize hawala offices within an informal money exchange network. By explicitly defining “importance” as a function, for instance, of fund-raising success, accounting knowledge, laundering abilities, etc., and evaluating each target across these categories via a fixed scale (e.g. high, medium, low), positions taken by the TFC were defensible for their consistency and tractability (i.e. action officers could very easily see why one target or approach was deemed more significant than another).

Influence network modeling (INM) provided analysts with a means to articulate their beliefs regarding how sensitive certain variables were to changes in other variables, and to extrapolate systematically the probability that possible future scenarios would follow from courses of action under consideration. For example, an assessment of corruption at a given border crossing in Afghanistan may start with the desired future scenario of a “successfully functioning border crossing,” and be broken down into a series of successively more specific contributing uncertainties. The INM methodology might find that the “successfully functioning border crossing” is most sensitive to one such uncertainty – e.g. the wages of the Afghan Border Police – because they were so low as to not afford basic living standards for a typical family, providing a clear incentive for bribe-taking.

Ultimately all of these modeling approaches were successful because they offered an explicit, “structured analytic technique” to an otherwise largely qualitative problem (to borrow a phrase from veteran CIA analyst Richards Heuer). In other words, they were methods for making sense of messy problems. Though the development of these analytic methods no doubt predated the wars in Iraq and Afghanistan, the TFCs provided a welcoming laboratory environment to put them into practice in real-time, sensitizing the military and interagency communities to their value. However, validation of these previously unproven techniques was not without difficulty, suffering from the high operations tempo of being a deployed analyst with an action-oriented customer. Under ideal conditions, when a TFC analyst recommended a particular hawala office for kinetic targeting due, for instance, to a series of social network analysis metrics, following the kinetic operations (e.g. closure of the office), the analyst would confirm that the network’s fracture, as hypothesized beforehand, actually occurred. In reality, this was almost never possible due to time constraints.

Generating course of action recommendations

For TFC analysts in Iraq and Afghanistan, the traditional intelligence assessment was only step one in a process that ultimately led to some form of action, kinetic or non-kinetic. In this sense TFC analysts found themselves closer to the operations side of the wars than previously experienced and as such were required to transition assessments into course of action recommendations. Two challenges quickly emerged in taking on this new responsibility: recognizing that inaction is as important as action; and when to recommend kinetic force over non-kinetic force (or the reverse). Both challenges were closely related.

The greatest debate within the TFCs revolved around course of action recommendations for hawalas – informal money exchange networks typical in the Middle East and South Asia. Quantitative and qualitative analyses would often point to hawala brokers as critical nodes within an insurgent group’s network, which initially led to kinetic courses of action – quite literally, kicking down the door of the hawala office and shutting down the operation. Such an approach proved to be highly controversial and underscores a key point of friction between counter-threat finance analysis and traditional COIN analysis that has yet to be fully explored. While there might have been little doubt to a particular hawala office’s involvement in an illicit network, the fact remained that the vast majority of the hawalador’s business was likely legitimate and relied upon by the region’s populace. Shutting down a hawala node may temporarily degrade the financial network of an insurgent group (good) but at the cost of upsetting an entire village (bad).

In terms of non-kinetic operations, the TFCs tended to focus heavily on E.O. 13224, the aforementioned executive order that allowed the U.S. to seize the assets of terrorist and/or insurgent groups. Reliance on E.O. 13224 was a natural extension of the TFCs’ institutional connection to the DoT, but the value of an E.O. 13224 designation continues to be debated. Specifically, E.O. 13224’s “punch” is relegated to militant groups (and their supporters) that use formal channels of banking. Designating an insurgent group that draws most of its financing from informal taxes on the populace and/or local businesses (e.g. narcotics in Afghanistan) would not result in the ultimate aim of the executive order – to recover significant quantities of cash and therefore degrade the group’s financial operations.

Proponents of E.O. 13224 will claim that there is secondary value in the “name and shame” association of being designated, but this too is questionable. Insurgent groups derive a component of their legitimacy from the level of importance the enemy places on their existence. When in 2009 the U.S. government designated Kata’ib Hizballah under E.O. 13224, the group was described in the State Department’s press release as “a radical Shia Islamist group with an anti-Western establishment and jihadist ideology…responsible for numerous violent terrorist attacks since 2007, including improvised explosive device bombings, rocket propelled grenade attacks, and sniper operations.” Such a statement might sound “shameful” to a U.S. citizen but to an Iraqi it might resonate loudly and actually increase the group’s local legitimacy.


The imperative to deploy civilian analysts to combat zones is quickly diminishing. The mistake at risk is to assume the concept of the TFC is equally becoming irrelevant as the U.S. national security community looks beyond Iraq and Afghanistan. Though the TFCs represent a fraction of the deployed civilian analyst population, within that fraction great progress has been made in influencing intelligence collections, in fusing quantitative and qualitative methods for solving complex, multifaceted problems, and in becoming more active in recommending courses of action on the battlefield. While the battlefield will change – perhaps, for instance, to drug cartels in Latin America, or insurgent groups in North Africa – the concept of a small, forward-deployed interagency cell that on an operational level combines analysts with agents, collectors and interpreters, and on an analytic level combines qualitative and quantitative approaches, is a concept worth replicating across the spectrum of U.S. national security challenges. This article begins to make the case for that replication by unfolding the role (and significance) of the deployed threat finance analyst to date. The next steps in evaluating the concept of the deployed civilian analyst are threefold:

First, to capture more completely the advances of the TFCs so that they may be replicated. How exactly can an analyst use influence network modeling or multi-objective decision analysis in his or her daily routine? How exactly does one evaluate the costs and benefits of recommending an individual as a target for capture as opposed to a target for collection?

Second, to dig deeper into the application of quantitative methods with an aim for assessing the validity of these approaches. Can we truly predict network fracture via social network analysis algorithms? What are some of the assumptions of quantitative approaches that military commanders may be unwilling to accept?

Third, to widen the aperture. While the TFCs represent a convenient microcosm for studying both the intellectual and bureaucratic challenges of deploying analysts to a combat zone, particularly against a subject matter focus of increasing importance, the TFCs were but a part of a much larger community centered in Baghdad, Bagram, Kabul and Kandahar. Capturing the successes and failures of IED analysts as they built and targeted logistic networks of insurgent groups in Iraq or the successes and failures of command and control (C2) analysts as they struggled to identify key leaders within a sea of shadow governors in Afghanistan are all equally critical.

All in all capturing the challenges and institutionalizing the successful approaches associated with analysts in combat zones will lead to better, more informed analysts overall, whether in CONUS or OCONUS, and therefore ultimately lead to more informed operators and operations, wherever they may be.



Your rating: None


Mr. Conway-

Great article and a great discussion. I did some work with ITFC in 2008 and was actually referred to this article by the person who was the DoD Co-Lead at the time. I have a few questions and comments but would rather keep that discussion offline for now. Could you provide an email address that I can contact you at?



LS375: you can reach me at


Great stuff. Mr. Conway’s piece helps fill noticeable gaps -- not just in understanding the role of TFCs. He also highlights the roles and challenges of deployed intel analysts, and in how much the “2nd oldest profession” has changed during the last decade of war. The nature of conflicts in Iraq, AfPak and a global CT campaign have put great pressures on analysts and collectors of all stripes (both mil and gov), and on traditional intel models and processes. These pressures include:

• Rapid changes in environment
• Constantly morphing threat
• Highly dynamic operations
• New technologies
• A new generation of practitioners and customers

The intelligence field has been morphing as a result, frequently into previously unknown forms (TFCs being just one example). Traditional concepts of what intelligence is, how it is gathered and produced, and what role intel professionals should play, have been largely eclipsed since 9/11. To keep up, new constructs/models need to be advanced. For example, it’s interesting to see Conway’s reference to Find, Fix, Finish, Exploit, Assess (F3EA) but nary a mention of the classic “intelligence cycle”. (He’s not the only one. Is that 1950s-era construct still relevant?)

So what would be the components of a new model for intel? I maintain speed is one of the new model's defining characteristics. Many ongoing changes in the intel world are about how rapidly intelligence can be collected, processed, exploited, analyzed and delivered. The speed of intel has had to keep pace with the speed of operations and decision-making, and the speed of a highly adaptable adversary.

Any number of books, studies and articles discuss streamlining technical intelligence collection and data processing (flowing from ISR platforms for example). But few touch on speeding up analysis, the submitting of requirements, and the consequent decision-making process. Conway does that here in several ways. Any thoughts?


Ajax, your mention of speed as a key component of any new model of intel reminded me of the many times I faced the dilemma of how to submit an intel requirement. Of course I was always encouraged by my supervisors to leverage the formal apparatus (HCRs/AHRs/TSCRs for HUMINT, INs for SIGINT, etc, and formal evals), but the formal apparatus is slow. It takes a lot of time to prepare the necessary requirement or eval, to get it approved by line and collection management, and then submitted, not to mention time to be fulfilled. How tempting it always was to leverage my informal network with whom I already had some credibility and just send an email! So much easier, so much faster on the front end, and so much faster on the back end. (The answer was generally to do both -- send an email up front and follow it up with something formal that was searchable, trackable, and accountable.) The lesson, I believe, is that we need to look for ways to turn the formal collections apparatus into something that has the ease and speed of email. This, in turn, can help speed of the intelligence cycle to more closely match military optempo.

Also, when the churn really kicks off, even email doesn't keep up. In CPs and sitrooms working dynamic problems sets, this stuff happens at the 'speed-of-chat'.


Yeah, that's a very common experience. In 2004, I had a short discussion with the senior 06 in charge of collection mgt for MNFI. He put into words what I'd been thinking for years, i.e. "the collection management system is broke, hard broke."

Since then, I haven't seen anything to dissuade me of that, although I know many people are trying and many $$$ being spent to fix it. A wicked problem if one ever existed...

There are exceptions, but just as you say, its almost always faster to use the 'bro-net' which also tends to give you better, more current information anyway. And once the sierra really starts hitting the fan, there's not much time for submitting formal reqs. That's a big indictment against the centralized CM model.

This is why Conway's description of how the TFCs interact w collectors is particularly relevant. The dynamic he describes is crucial to speeding up the cycle. And when that happens, intel and ops really start driving each other in a rapid manner. In fact, the old lines between the '3' and the '2' quickly blur -- which I see as another facet of new-model intel. The tight integration of analysts, collectors, planners, operators and commanders/decisionmakers.


Great thread here. In the most well-oiled, well-integrated cells -- i.e. those tasked with targeting -- your analysts are sitting in the same room as your linguists, and your gators are an IM or short walk away. Speed is the name of the game, as you note Ajax, and it leads to follow-on targets that are picked up before they even recognize that the playing field has changed. There are some issues with this (e.g. there is always the danger of a ladder-style approach to targeting that a step in the wrong direction takes you down a totally irrelevant rabbit hole) but when all is said and done, these sorts of cells have it right.

The challenge (I think) is in getting the same speed, the same team dynamic (where everyone plays their part and trusts each other to be the best at what they do) in a more conventional setting. Is it possible? Not sure. The politics are way more intense, the stabbing in the back more frequent...FUOPS is, in my opinion, 99% consensus building and 1% good analysis. Obviously that split needs to be more balanced.

Not to keep harping back to some other points I've had in comments below, but I think part of the problem, quite frankly, is too many staff elements. When I think back to MNF-I/MNC-I, walking around Liberty or Slayer or Al-Faw, the number of O-6s / O-5s seemed seriously excessive and as such, the territoriality was obvious. The ITFC was always navigating through the MNF-I / MNC-I tribes, sometimes successfully, sometimes not so much. The JTFs, on the hand, have a sense of professionalism to them that stands out so clearly and I think part of that is the fact they are smaller, working on a expectation of trust with less gatekeeping as opposed to an expectation that 'you don't know what you're doing' and therefore more gatekeeping. Did the JTFs have some inner-tribal disputes? Sure, but instead of the "deal with it, its part of the game" reaction, which was the impression I got within Slayer/Al-Faw, the JTF reaction is/was sharper: a same-day flight out on a rotator back to CONUS.

The focus on threat finance analysis is expected to be but part of an effort to undermine the center-of-gravity of an adversary. When looking at large and diverse organizations - a view that can even extend to assessing a decentralized mass movement that only seems to function as an organization - the center-of-gravity becomes a unified collection of critical capabilities. Political, military, economic, social, infrastructure and informational capabilities (PMESII) collectively can provide strength in a formidable adversary and the finances that support those economic capabilities may be but one part.

A deployed analyst tasked with the study of any portion of an adversary, whether that analyst focuses on threat finance activities or other segments of the enterprise, is naturally going to benefit from the minimal flash-to-bang reflex. In effect, the deployed analyst is merely shortening the distance around the proverbial OODA (Observe, Orient, Decide, Act) “loop” by eliminating hemispheric distance and time zone obstacles. The risk to the deployed analyst, however, is in becoming disassociated from subject-matter expertise and in-depth analysis efforts that - on the surface - may only seem wrong when faced with the high-paced, high-pressure and first-person perspectives found while being on the pointy-end of the warfighting spear. Heuer similarly cautioned his readers on the analytic pitfalls of “chasing shiny.”

The several tools and analytic methodologies cited in this article are based upon data that, via one of a myriad of different procedures, came from a source of some type, was organized and stored for later retrieval. Such data is often “pigeon holed” into a database most frequently by someone other than the initial data collector and this can lead to analysis errors. Specifically with regards to blind use of quantitative methodologies, this practice can also produce a false sense of certainty in the analytic result - a double fault. The deployed analyst, again - whether the focus is threat finance or something else, has a better opportunity to populate those databases more accurately than an analyst “in the rear.” This point, I think, was not emphasized in the article but is extremely important to point out.

I suspect that the narrow focus of this article on the virtues of a deployed threat finance analyst can - and should - be expanded to the larger analytic effort. The ability of analysts to accurately populate databases principally because they are “closer” to the source and are also the ultimate users of that data (and thus have a stake in the quality of the data captured) may be one benefit. The other may be the analytic self-correction afforded by short response cycles between analysis and action only found “at the front.” Regardless, the concept of a deployed analyst is an outstanding structural improvement to previous business models found in other conflicts we have engaged in.

Thanks for your comments, Issac_Davis. Agree that there is always a "chasing shiny" pitfall -- one of the downsides to being closer to the action is the "need to please" (e.g. the action arms) predicament, especially when an analyst feels threatened that his/her traction with an action arm will be diminished if he/she disagrees with a particular COA or assessment (a sad reality to the cutthroat bureaucratic politics of Bagram, Baghdad, etc.).

I can recall deployed analysts justifying their positions to not-nearly-as-convinced CONUS-based brethren via VTC because "you just don't understand what its like out here." Those sorts of statements make me cringe -- I think a valuable "way out" is through the reachback model in which deploying analysts represent a larger team back in CONUS that assists in more strategic tasking. Upon finishing his/her deployment, the analyst then returns to the CONUS team and swaps out with another. This way the more "forest-oriented" analysts back in CONUS can call out the "tree-oriented" deployed analyst when the team gets the "you don't understand this" cop out.


I think it's worth discussing the extent to which the presumed successes of the ITFC and ATFC were a direct result of their being located in Baghdad and Bagram respectively. The author offers three arguments in the affirmative: (1) Baghdad and Bagram are uniquely close to the outposts where detainees are held to enable agent/analyst/translator teams ready and ad hoc access (at most a helo ride away); (2) being co-located with the HUMINT/SIGINT/MASINT/IMINT collection management entities allows analysts to better participate in and "drive" that process; (3) being located in Baghdad and Bagram allows analysts to work at the military's optempo, which is necessary to effectively support combat operations.

(1) is hard to refute. No matter how well plugged-in a CONUS-based analytic team is, or even a team based at a "safer" forward location in CENTCOM AO such as Al Udeid AFB or Camp As Saliyah, there will always be significant constraints on the ability of analysts and agents to get face-time with detainees. Even supposing that Beltway-based agencies have money to blow sending analysts and agents half way around the world to interrogate someone, the time needed to plan and approve the travel, and the travel itself, would make it unlikely that the interrogation could meaningfully fill any operational requirements.

However I'm not so sure that (2) and (3) are iron-clad. Although it might require making some infrastructure as well as culture changes, I don't see why Beltway analysts necessarily cannot drive the collections process in the manner that deployed analysts can or cannot work at a war zone optempo.
Infrastructure-wise, it would necessitate adding large amounts of secure network bandwidth both in theater and in CONUS, enough to permit individual analysts and collectors to video teleconference with one another whenever and wherever they felt it necessary. Culture-wise, it would necessitate allocating Beltway analysts to work for specific deployed headquarters', and finding ways for those analysts to meet their deployed customers, to build trust, and ultimately to accept working 12 or 16 hour days as the customer demands.

I don't mean to argue that the TFC concept should be killed and immediately replaced with Beltway-based entities, but rather with the proper ground-work laid, I'm not convinced its critical that they necessarily be located in the war zone. The changes would be difficult (culture changes especially), but if its found to be possible to locate a TFC in CONUS and still enable to to effectively support combat operations, there is potentially a lot of cost savings. For Western Hemisphere operations in particular, where (1) might be feasible from CONUS and where where US military ground forces are not [yet] engaged in regular operations, this sort of arrangement deserves attention and discussion.

Comments much appreciated, dmblum. Let me respond first to #3 and then #2.

Folding in neatly with the military optempo is, I think, very possible from CONUS -- particularly when ops are run at night, which meshes up the time difference very neatly. The challenge -- which I see as a highly bureaucratic one -- is in getting 'purchase' with the action arms. Lets assume that there is no difference in quality of analysis between a CONUS or OCONUS based analyst (bear with me for a moment) -- if the action arms were willing to listen to Beltway or Tampa based COA recommendations, then analysts could easily work out of these locales. But you and I both know that 50% of getting a "COA recommendation" turned into an executed COA is personal relationships, consensus building, etc., which quite frankly is not unique to the US gov and is not necessarily a bad thing. Analysts closer to action arms are also more accountable -- the difference between getting chewed out in the JOC vs. via VTC. And building consensus is important -- if WO or LT or LTC gatekeepers are holding you back from getting to the CO, maybe there is a good reason for that. When I reflect with hindsight on some of the biggest bureaucratic hurdles I had to cross in theatre, I now recognize very good reasons for pushback on some of my COA recs that at the time I found infuriating.

Regarding #2, again I think there is a bureaucratic element here but unlike in #3, I think it is wholly solvable and totally inexcusable. Particularly early on in the 'analytic surges' (I'm thinking Baghdad 2007), as you well know one of the immeasurable values of being deployed was increased ability to task or redirect assets across the INTs -- purchase you simply couldn't get back in CONUS. That is changing of course, but there is a still a highly idiosyncratic element to getting what you need from your colleagues in other agencies. The only reason for this, as far as I can tell, is that (as you note), trust is easier to build in theatre than in the Beltway. Forgive me for getting a little off-topic here, but I think this goes to a larger point about security clearances, stovepipes, over-tasking, etc. -- one of the values of the TFC model, I think, is that less can be more. I think you could shrink the overall intel analyst community significantly if there was more inter-agency trust -- I think the TFCs show the power of that trust(as do the JTFs).

Your point about the value of the gatekeepers is interesting. While working in CONUS, I recall listening to division heads and liaison officers doing everything in their power to get their analytic products in front of COs, bypassing the gatekeepers by any means available. I also recall one instance where a 4-star who had just received a brief from one of my colleagues responded, "Why am I listening to this? Go brief my J2."

If rear-based TFCs are going to succeed, it will be because individual analysts (or teams of quant/qual analysts, as you have advocated) are assigned to support PARTICULAR deployed HQs. They would have to respect the same gatekeepers as the guys downrange respect. They'd be part of the team -- and the HQ would have to ACCEPT them as part of the team and grant them the same level of trust as they would analysts standing in front of them. True, if they screw up, they'd catch flack via VTC and not in the flesh, and that distance might diminish the effect. Maybe the psychological hurdles to the construct that I'm describing are insurmountable, but I doubt it. I think it all comes back to changing the culture.

I've never been to Creech AFB in Nevada, but I've often wondered how the pilots there who fly Preds and Reapers in AF manage to stay in the loop? I believe the answer is a combination of massive bandwidth and culture. They need to have an expeditionary mindset, work expeditionary hours, and be accepted as members of the team by the technicians who maintain the aircraft, by the sensor operators, and by the guys on the ground whom they support. (What happens if they go to Vegas on the weekend? Do they lose the mindset? The trust?) And speaking of the Pred sensor operators, here is an example of a team of intel collectors and analysts who are CONUS based and yet are trusted very highly and viewed as members of the team.

I agree with you 100% that getting "purchase" from the action arm is currently quite difficult for intel analysts in CONUS, I agree with you that this credibility is critical for analysts to effectively support combat operations, and I don't have a solution to the problem. But I'm not willing to characterize this problem as anything other than a cultural one. Immediately after I returned to CONUS from my CENTCOM deployments, I still had some credibility with the deployed staff at which I'd worked. Then I took some leave, guys rotated out, and several weeks down the road I was just another Beltway analyst. Maybe the answer is the deployed analyst / CONUS-reachback model (where analysts on the reachback team rotate through a deployed staff but remain on the team after they return) that you mentioned in your response to isaac_davis.

I like the UAV analogy -- it is a good example of cultural integration from afar (not to mentioned the bandwidth issue...bandwidth is, of course, item #1 on any analyst's wish list).

It seems like we both agree that the institutional credibility hurdle can be jumped if the deployed HQ makes it clear to subordinates that the CONUS-based crew is 'part of the team'. The JTFs probably do this the best (regarding analysts, as opposed to UAV pilots...) but it all begins with a deployment to the HQ as a detail. I think it helps that the level of 'sink or swim' at the JTFs is pretty high (as opposed to other cells) -- if they don't like you, they (a) send you home early or (b) make it clear to your CONUS boss that they don't want you again. This way the performers truly gain a "preferred status" which grants them the buy-in. They can do this because unlike a lot of other deployed cells, the JTFs more or less get to pick their details...while the other cells are often just happy to get anyone. I think a lot of that supply-demand is driven on the analyst side -- analysts like supporting JTFs because they (a) listen to analyst recommendations and (b) the results are observable in real time. I think you would see the curve shift toward cells that support move conventional forces if the buy-in was the same. Speaking personally, after a while the HVI targeting COA gets boring and the well-read analyst becomes increasingly more aware of the fact that the enduring, long term problems in a theatre like AFG, Iraq, SEAsia, North Africa, Arab Peninsula, etc. cannot be solved with HVI targeting.

Great article by Mr. Conway. He does an in-depth discussion on the difficulties of countering threat finance. He discusses the difficulties in targeting these networks and more importantly understanding the networks and the implications of targeting them. Most importantly, Mr. Conway lays a foundation to build a CTF capability beyond Iraq and Afghanistan. This article is already making its way around the Western Hemisphere community with discussions being generated on how we manage the CTF project against the FARC in Colombia and the drug networks associated with the Mexican cartel. Great article for a solid foundation by Mr. Conway.

Very excited to see the connection drawn here to SOUTHCOM priorities, kdturner -- this is certainly an area where I see great opportunity for the TFC model to be replicated: narco networks in the Americas are challenges with heavy threat finance components best solved with a combo of federal agents, military, intel orgs, and host country partners...sounds like a ripe opportunity for a forward-deployed inter-agency cell that pairs analysts with operators.

Now we just need a WO4 willing to sign some orders...

Excellent article with many possible discussion threads! We shall assume for the sake of discussion that the threats identified in the article represent VITAL national security interests (would be fairly short otherwise). The techniques addressed by the author represent an order-of-magnitude advancement in at least two ways: 1) Significantly more advanced network targeting methodology than whack-a-mole usually employed; 2) Elevates the quality, integrity, and repeatability of the analysis that sustains the targeting cycle.

How would the techniques and organizations cited by the author be successfully adapted to "unrestricted warfare?" (With apologies to the PLA--not!)

Ultimately it is all about resources--which are now severely constrained at the national level. The article leads the reader to believe that this methodology yields a much more effective and efficient targeting cycle at the theater level. Can this be conclusively demonstrated?

Thanks for your comments, Anyarp. It is ultimately about resources, in many ways, and you're right that resources at the national level are severely constrained. This is why, similar to my response to dmblum, I'm becoming increasingly supportive of a "less analysts, more trust" way forward for the IC. The volume of 'qualitative' analysts that shy at anything remotely quantitative is frightening (of course equally frightening are the quants who fail to grasp the qual elements of a problem). The best bang, in my experience, is pairing up quants with quals --- what I short hand as 'qualitative value, quantitative rigor'. I believe very strongly that we could steamline the existing intel analyst community (which is massive) by pairing quants with quals and emboldening these teams with increased access to the full spectrum of INTs (i.e. trust) -- from the very technical INTs to the on-the-ground human collectors.