Looking for Anomalies in All the Wrong Places

Methods & Process, Military, Peace Intelligence, Technologies, Threats

Online Story
Online Story

By Lieutenant Mark Munson, U.S. Navy

U.S. Naval Institute Proceedings
July 2009 Vol. 135/7/1,277

What does maritime domain awareness mean, and does it represent a flawed analytic agenda?

A pillar of the new maritime strategy, A Cooperative Strategy for 21st Century Seapower, published by the Navy, Marine Corps, and Coast Guard in October 2007, is an “increased commitment to advance maritime domain awareness” (MDA).1 It is unclear, however, whether the lessons the Navy has learned in almost a decade of operations prosecuted in support of the global war on terrorism, or the current manifestations of terrorism and illicit behavior at sea, are reflected in the prominence played by MDA in the maritime strategy.

The national and Navy plans to achieve MDA are predicated on the assumption that automated systems can identify terrorists, pirates, or other illicit actors such as smugglers by passively detecting “anomalous” or unusual behavior, an assumption unsupported by any review of the events of the recent past. In the post-Cold War maritime environment, terrorism and other illicit activities have instead been conducted by those who conform to accepted norms of maritime activity precisely by not doing anything that can be described as uncommon or unexpected. An MDA plan focused on finding anomalies will be good for little more than identifying unusual (yet probably explainable) ship movements, ignoring smaller craft and elements of maritime behavior conducted on land, thus not providing the deep understanding of maritime activity necessary to both provide sufficient warning and drive future operations, especially against nonmilitary targets.

Both the National Plan to Achieve Maritime Domain Awareness and the Navy Maritime Domain Awareness Concept define MDA in broad and unobjectionable terms. They describe MDA as “the effective understanding of anything associated with the maritime domain that could impact the security, safety, economy, or environment of the United States.”2 This vision of a “multilayered, multi-domain picture that links the identity, location, known patterns and present activity of ships, cargo, people, and hazards within and adjacent to the maritime domain” is an affirmation of exactly the kind of all-source analysis that forms the bedrock of what Naval Intelligence believes it has provided to the Fleet throughout its history.3 MDA is ideally not “just vessel tracking,” “just intelligence,” or “just more sensors,” but an attempt to gain a truly comprehensive understanding of what is happening at sea, a task much more daunting than simply monitoring tracks on a display.4

Ship-centric Focus

Unfortunately, the details of the national and Navy MDA plans reveal a course of action not well suited to achieve this ambition, and instead provide the framework for what amounts to the implementation of a platform-centric ship tracking system, rather than a system that provides a broad and deep comprehension of activity at sea. According to the Navy's MDA concept, it will be achieved through “Maritime Change Detection,” a process defined as “the identification of anomalies from established trends and patterns.”5 The assumptions of this anomaly-focused form of MDA are misguided, however, because this anomalous behavior at sea (especially when defined solely in the context of vessel movements) is not necessarily suspicious or even important, particularly if what the system has defined as a trend or pattern does not serve as an accurate or explanatory model of maritime behavior.

Despite claims that it is not “just vessel tracking,” the Navy's MDA concept is clearly ship-centric, due to its repeated assertions that identifying anomalous behavior will be the critical element in developing actionable intelligence capable of targeting maritime terrorists or other illicit activity. Claiming that “forensic analysis has discovered that most terrorist activity is preceded by criminal events or aberrant behavior,” the MDA concept calls for “correlating seemingly unrelated criminal activity with anomalous maritime behavior” through “continuous assessment of the maritime domain and automated tools that alert commanders when suspicious items are uncovered.”6

The fundamental flaw with this premise is the assumption that maritime terrorism or other illicit maritime activities are correlated with suspicious, illegal, or unusual behavior. A review of recent maritime terrorist acts demonstrates that this is clearly untrue. The boat used to attack the USS Cole (DDG-67) in Yemen in October 2000 was bought (not stolen) in the Saudi port of Jizan.7 The “most destructive act of terrorism in maritime history,” the bombing of Superferry 14 in the Philippines in 2004, was conducted by a passenger who concealed the explosives in a television he brought aboard.8 Better security and safety practices on board Filipino ferries may have prevented that attack (or saved lives), but there was nothing anomalous about how the attack happened. Until they turned to ram the structures, there was nothing particularly unusual about the boats that attempted to strike the Al Basra and Khor al Amaya oil terminals in April 2004, killing three U.S. servicemen in the Persian Gulf.

In November 2002, al Qaeda-affiliated terrorists used small boats to escape after attempting to shoot down an Israeli airliner and destroying a hotel near Mombasa, Kenya. Such travel was not at all unusual in a region where small craft are commonly used to move along the East African coast.9 Loai Saqa, a Syrian associate of Abu Musab Zarqawi, was arrested by Turkish authorities in August 2005 while reportedly planning to attack Israeli cruise ships. The Turks were led to Saqa not through unusual maritime behavior, but because of an explosion and chemical fire in an apartment where attack preparations were being conducted.10 All accounts of the interrogations of the lone surviving gunman from the November 2008 attacks in Mumbai, India, indicate that the attackers traveled on board at least two vessels from Pakistan to Mumbai, hijacking at least one of them along the way.11 It is unclear, however, whether even a perfect, NORAD-like system for maritime traffic control would have detected that the routes used by those ships to transport the attackers to India were somehow anomalous.

Anomalies fail as an effective indicator or predictor of other forms of illicit maritime activity as well. For example, widespread smuggling of fuel has taken place in the northern Persian Gulf since the 2003 Coalition invasion of Iraq, with “an estimated 1,000 tons of diesel fuel per day” being smuggled on board Iraqi vessels during 2006.12 Meanwhile, according to the Office of the United Nations High Commissioner for Refugees, at least 43,500 Africans were smuggled across the Gulf of Aden to Yemen in 2008, an increase from 29,500 in 2007.13 Are illicit activities such as these two examples actually anomalous if they are also normal in the sense that they occur daily and in large numbers? Would the algorithms and systems currently being devised as part of the Navy and Coast Guard's MDA efforts provide advanced warning of these activities?

Ignoring the Variables

A system using anomalous or unusual vessel movements to identify suspicious behavior is inherently skewed, and misses out on many of the most important aspects of commercial maritime behavior. There are numerous reasons, for example, that a ship calling at a port where it had never previously visited would not be suspicious, including new ownership, new management, an emergency, engineering casualty, service to a new port, the particular cargo it is carrying, etc. Multiple scenarios are plausible for a maritime terrorist event in which the crew of a ship could be completely unaware that illicit cargo is on board. By focusing analytic effort on where a ship moves, one ignores many other variables that may provide better indicators of a potential illicit event. The ability of intelligence analysts to answer a broader set of questions and explain a vessel's behavior (including that of its cargo, crew, or passengers at a particular time) in the context of commercial maritime practices is much more important than being able to point out that a particular ship has never called at Djibouti or Singapore before. A ship is simply a tool. Making her movements the decisive variable in an anomaly-detecting algorithm will ensure that analysts miss out on truly important data.

Models that try to identify other anomalies, such as unusual passengers or cargo, may prove to be more useful than one analyzing vessel movements. But even those approaches have weaknesses, as author William Langeweische notes in his description of a new generation of illicit maritime actors capable of using “the methods and operational techniques of the shipowners,” in order “to escape the forces of order not by running away, but by complying with the laws and regulations in order to move about freely and to hide in plain sight.”14

The notion that systems will be able to detect unusual or suspicious maritime behavior automatically, and provide the cue to bring in human analytic power to solve the maritime intelligence problems of the future, is seductive. Yet while that idea has some merit, the MDA concept instead lays out a process focusing primarily on one element of maritime behavior. That element, vessel movement anomaly detection, has proved irrelevant in terms of providing indicators before most recent examples of maritime terrorism.

Statistical analysis can be a powerful tool, and the Navy should be making a greater effort both to use it and expand its potential applications for solving new problems. Making anomaly detection the primary analytic workhorse, however, will ensure that indicators of future maritime terrorism will be missed, and if not accompanied by a significant investment in training and hiring people truly knowledgeable in the maritime realm, will contribute toward the atrophy of that knowledge and expertise.

The new maritime strategy and maritime domain awareness concept have the right goal-a Navy, working hand-in-hand with the other Sea Services and interagency partners, maximizing its ability to collect data and truly understand what is happening at sea around the globe. The manner in which these documents call the Navy to accomplish these goals are very narrow and not particularly insightful, however. If implemented, the Navy of the future will have the computing power to sift through mounds of vessel movement data. However, that Navy may not have analysts who deeply comprehend how the maritime world works (particularly its commercial component), or the ability to leverage the unprecedented collection opportunities of the future to enhance that understanding.

1. A Cooperative Strategy for 21st Century Seapower, October 2007, http://www.navy.mil/maritime/MaritimeStrategy.pdf.

2. National Strategy for Maritime Security: National Plan to Achieve Maritime Domain Awareness, October 2005, http://www.uscg.mil/hq/cg5/docs/MDA%20Plan%20Oct05-3.pdf (accessed 8 July 2008).

3. Navy Maritime Domain Awareness Concept, 29 May 2007, http://www.navy.mil/navydata/cno/Navy_Maritime_Domain_Awareness_Concept_FINAL_2007.pdf (accessed 8 July 2008).

4. Ibid.

5. Ibid.

6. Ibid.

7. James Risen and Raymond Bonner, “A Nation Challenged: Fatal Attack; Officials Say Bomber of the Cole was in Yemeni Custody Earlier,” The New York Times, 7 December 2001, http://query.nytimes.com/gst/fullpage.html-res=9C0CE5D7133CF934A35751C1A9679C8B63&sec=&spon=&pagewanted=all (accessed 25 June 2008).

8. Peter Chalk, The Maritime Dimension of International Security: Terrorism, Piracy, and Challenges for the United States (RAND Corporation, 2008), 51.

9. Counter-Terrorism in Somalia: Losing Hearts and Minds? (Nairobi/Brussels: International Crisis Group, 2005), 9.

10. Amberin Zaman, “Syrian Charged in Plot to Attack Israeli Ships; The suspected Al Qaeda militant planned to use a speedboat filled with explosives, a Turkish court alleges. The Jewish state will lift travel alert,” Los Angeles Times, 12 August 2005, http://www.proquest.com (accessed 25 June 2008).

11. Geeta Anand, Matthew Rosenberg, Yaroslav Trofimov, and Zahid Hussain, “India Names Mumbai Mastermind,” The Wall Street Journal, 3 December 2008, http://online.wsj.com/article/SB122823715860872789.html (accessed 11 January 2009).

12. Terence B. Moran, “Port of Umm Qasr: Challenges and Opportunities,” U.S. Naval Institute Proceedings, 1 July 2006, 72-74, http://www.proquest.com/ (accessed 21 February 2008).

13. “Gulf of Aden: 20 Die as Smugglers Force Migrants Overboard,” UNHCR Briefing Notes, 2 December 2008, http://www.unhcr.org/news/NEWS/49351e202.html.

14. William Langewiesche, The Outlaw Sea: A World of Freedom, Chaos, and Crime (New York: North Point Press, 2004), p. 7.

Lieutenant Munson currently serves as the intelligence officer at Naval Special Warfare Group Four, at Little Creek, Virginia. He has previously served on board the USS Essex (LHD-2), and at the Office of Naval Intelligence. He received a M.A. in security studies in Middle East Affairs from the Naval Postgraduate School.


Click on Map to read or download:

U.S Naval Value in the 21st Century

24/7 Pile-On, M4IS2[1] Hub, & Peace From the Sea

by Robert David STEELE Vivas

January 2008

[1] M4IS2: Multinational, Multi-Agency, Multi-Disciplinary, Multi-Domain (M4) Information-Sharing and Sense-Making (IS2).  Originally a Swedish concept, it has been enhanced by the Earth Intelligence Network, a 501c3.
Commandant of the Marine Corps
Commandant of the Marine Corps
Click on portrait to read General Gray's “Global Intelligence Challenge in the 1990's” as published in American Intelligence Journal (Winter 1989-1990).

Financial Liberty at Risk-728x90