Case Study: The London Bridge Attack and the Challenge of Detection
Share
Case Study: The London Bridge Attack and the Challenge of Detection
1.0 Introduction: An Attack in Plain Sight
On the evening of June 3, 2017, three men—Khuram Butt, Rachid Redouane, and Youssef Zaghba—drove a hired van into pedestrians on London Bridge before launching a frenzied knife attack in the nearby Borough Market. The assault lasted just eight minutes and resulted in 11 deaths: eight members of the public and the three attackers, who were shot dead by police. A further 45 people were hospitalized.
The purpose of this case study is to go beyond the headlines and use this incident to illustrate the immense, real-world challenges that intelligence and counter-terrorism (CT) agencies face in a free society. It seeks to answer a critical question that emerged in the aftermath of the attack: "How could an attack be carried out when the lead attacker was already the subject of an active MI5 investigation?"
To understand the answer, we must first appreciate the operational environment in which UK security services operate.
2.0 The Operational Context: A High-Tempo Threat Environment
The London Bridge incident was a specific type of assault known as a Marauding Terrorist Attack (MTA). This style of attack is defined by its speed, violence, and the attackers' goal of maximizing casualties in a short period.
Marauding Terrorist Attacks (MTAs) are fast-moving, violent attacks where assailants move through a location aiming to find and kill or injure as many people as possible. Most deaths occur within the first few minutes, before police are able to respond.
The attackers' use of a vehicle followed by a rapid, mobile knife assault on civilians in Borough Market is a textbook example of this attack methodology, designed to inflict maximum casualties before an effective police response can be mounted.
This attack did not occur in a vacuum. Since August 2014, the UK's national threat level from international terrorism had been consistently assessed as 'SEVERE', a rating established by the Joint Terrorism Analysis Centre (JTAC) which meant an attack was "highly likely."
• The UK Terrorism Threat Levels:
◦ LOW - an attack is highly unlikely
◦ MODERATE - an attack is possible but not likely
◦ SUBSTANTIAL - an attack is likely
◦ SEVERE - an attack is highly likely
◦ CRITICAL - an attack is highly likely in the near future
Against this backdrop, the security service MI5 was managing an enormous volume of potential threats. At the time of the 2017 attacks, MI5 had approximately 3,000 active Subjects of Interest (SOIs) under investigation, and a "closed" pool of over 20,000 individuals previously investigated. These figures represent a dynamic pool of individuals, not a static list, requiring a constant, high-stakes calculus of risk assessment and resource allocation. It is physically impossible to apply intensive, 24/7 surveillance to even a fraction of the 3,000 active SOIs, making the prioritization of intelligence and resources a central, daily challenge.
Against this backdrop of constant threat and finite resources, the intelligence profiles of the three London Bridge attackers reveal a stark contrast between the 'known' and the 'unknown'.
3.0 The Attackers: A Study in Intelligence Gaps
A high-level review of the three attackers reveals the significant gaps that can exist in an intelligence picture, even when one conspirator is on the radar.
|
Attacker
|
Pre-Attack Status
|
Key Intelligence Fact
|
|
Khuram Butt
|
Active MI5 Subject of Interest (SOI)
|
Principal subject of a live investigation ("Operation HAWTHORN") for nearly two years.
|
|
Rachid Redouane
|
Unknown to MI5/Police
|
Known only as a peripheral, social associate of Butt named "Rashid".
|
|
Youssef Zaghba
|
Unknown to MI5/Police
|
Subject of a missed international intelligence inquiry from Italian authorities.
|
3.1 The Known Subject: Khuram Butt
Khuram Butt was the only attacker under active investigation. In mid-2015, MI5 opened "Operation HAWTHORN" after receiving intelligence suggesting he "aspired to conduct an attack in the UK." This operation faced several key challenges that are common in counter-terrorism work.
• Prioritization Grade: The investigation was graded P2H, a serious designation signifying "high risk extremist activity linked to attack planning." A subsequent lone actor triage assessment concluded that Butt represented a MEDIUM risk due to his "strong intent but weak capability."
• Resource Constraints: The investigation into Butt was suspended twice. The first suspension occurred in the wake of the November 2015 Paris attacks and the second just prior to the March 2017 Westminster attack. On both occasions, resources were redirected to a large number of highest-priority (P1) investigations, demonstrating the direct, cascading impact of one terrorist event on the capacity to investigate others.
• Concealed Planning: Despite being the subject of a priority investigation for nearly two years, the operation "did not reveal the plans of Khuram Butt and his two co-conspirators." This demonstrates that even with sustained attention, a determined individual can maintain operational security and hide their true intent.
3.2 The Unknown Network: Rachid Redouane and Youssef Zaghba
Unlike Butt, his two accomplices were effectively invisible to UK intelligence agencies, highlighting the difficulty of identifying a complete terrorist cell.
Rachid Redouane was known to MI5 only as "Rashid," a "peripheral and social associate" of Khuram Butt. He was never a Subject of Interest and was not under any form of investigation. He existed in the background, his role as a co-conspirator completely hidden.
Youssef Zaghba represents a missed opportunity in international intelligence sharing. In March 2016, Italian authorities had flagged him after he stated he was a "terrorist" at Bologna Airport. However, the alert they placed on a European warning list used a marker for "serious crime." This administrative error had a direct impact on threat visibility; while a "serious crime" marker might be noted by border staff, the correct "national security risk" marker would have triggered an automatic, immediate alert to MI5 and CT Policing. Furthermore, when the Italian authorities sent a direct inquiry about Zaghba to MI5 in June 2016, MI5 has no record of responding.
The contrasting intelligence pictures of the attackers perfectly illustrate the core difficulties of modern counter-terrorism.
4.0 Key Lessons: The Unpalatable Reality of Counter-Terrorism
The events leading to the London Bridge attack distill into three unpalatable realities of modern counter-terrorism. These are not excuses for failure, but explanations of the systemic challenges faced by security services.
1. The Challenge of Prioritization With thousands of individuals of concern, agencies must constantly make difficult decisions about where to focus limited resources—investigators, surveillance teams, and analysts. The decision to suspend the investigation into Khuram Butt to focus on more immediate, P1-level threats is a prime example of this reality. Every resource allocated to one case is a resource not allocated to another.
2. The Limits of Investigation Even when an individual is identified as a priority threat and is under active investigation, they may still be able to successfully conceal their attack planning. This is a fundamental limitation of intelligence work in a free society where citizens cannot be monitored constantly and indefinitely. A formal review of the 2017 attacks concluded:
3. The Difficulty of Identifying Networks Uncovering an entire terror cell is exceptionally difficult, particularly when only one member is known. Redouane and Zaghba were in Butt's orbit but were never identified as co-conspirators, showing how easily accomplices can remain in the shadows. Without specific intelligence linking them to threatening activity, they appeared to be just two more individuals among the thousands connected to a Subject of Interest.
These challenges underscore a fundamental truth about the nature of intelligence work in a democratic society.
5.0 Conclusion: Imperfect Intelligence in a Free Society
While internal reviews of the London Bridge attack identified learning points and opportunities for improvement, the case demonstrates that there is no infallible system for preventing all attacks. The reality is that intelligence is rarely complete. It consists of fragments and partial insights that must be pieced together to form a coherent picture. As the Director General of MI5 described it:
"They are constantly making tough professional judgments based on fragments of intelligence: pin pricks of light against a dark and shifting canvas."
It is also crucial to view this incident within the broader context of counter-terrorism successes. In the four years leading up to the report on these attacks, MI5 and Counter-Terrorism Policing had successfully thwarted 20 Islamist terror plots. This demonstrates that the system, while not perfect, is highly effective.
The answer to the question "How could this happen?" is therefore not a story of a single, simple failure. It is a complex illustration of the unavoidable realities of counter-terrorism in a free society. The attack was made possible by the convergence of the challenges detailed in this study: the operational security of a determined attacker, the difficulty of identifying covert accomplices, and the stark necessity of prioritizing finite resources against a threat numbering in the thousands.