In March 2000, the presence of suspected terrorists and eventual hijackers Khalid al-Midhar and Nawaf al-Hazmi in the US was known by the CIA, but not communicated to the FBI until 23 August 2001. In spring and early summer 2001, the CIA had observed increased terrorist activity in the Persian Gulf and Europe. In July 2001, on the basis of his investigation of a Middle Eastern flight-school student who had contact with Abu Zubeida, a known major al-Qaeda figure, a special agent in the FBI's Phoenix field office had sent a memorandum to headquarters in Washington recommending that the Bureau investigate the possibility that Islamic terrorist suspects were enrolling in flight schools. This was judged too costly in terms of manpower, and the implied potential threat was never brought to the attention of the White House. A 24 August 2001 CIA cable to the Immigration and Naturalization Service (INS) warned that al-Midhar and al-Hazmi should be put on the terrorist watch list. Although the INS informed the CIA and the FBI that they had already been admitted into the US and the FBI was unable to track them down, neither the inter-agency Counter-terrorism Security Group within the National Security Council nor the White House itself was informed. They turned out to be two of the 11 September hijackers. Also in August 2001, the FBI's Minneapolis field office determined from French intelligence that Zacarias Moussaoui, who had been arrested after seeking flight-simulator instruction, was an Islamic extremist, but headquarters blocked the field office's application for approval under the Foreign Intelligence Surveillance Act (FISA) to examine his laptop computer, which would have revealed his enrolment in a flight school that a known al-Qaeda operative had also attended.² And on 10 September, the National Security Agency had intercepted a highly ominous communication between two Arabic speakers (one said that 'the match is about to begin', the other that 'tomorrow is zero hour'); the intercept was not translated until 12 September.

Even before the New York and Washington attacks, al-Qaeda had hit or intended to hit soft targets overseas, but preferred targeting American assets such as the US embassies in East Africa, an American hotel in Jordan that serviced mainly Americans, the USS Cole in Aden, and, in thwarted operations, the USS The Sullivans, US airliners over the Pacific and the US embassies in Paris and Rome. After 11 September, al-Qaeda and its local followers expanded their target set to include assets of Western allies and Christians or Jews of varied provenance: the Australian, British and Israeli as well as the US embassies in Singapore; Pakistani Christians; German tourists in Tunisia; French submarine engineers in Pakistan; and the October 2002 bombing in Bali, Indonesia that killed 202 civilians, including 88 Australian tourists and a smaller number of Europeans and Americans. In November 2002, in an audiotape believed to have been made by Osama bin Laden, he expressly indicated that Australia, Canada, France, Germany, Israel, Italy and the United Kingdom were targets. The Bali attack, and revelations that Jemaah Islamiah, al-Qaeda's local affiliate, also intended to target international schoolchildren in Indonesia, make it clear that al-Qaeda also regarded Southeast Asia as a particularly fertile 'field of jihad'.³ The November 2002 al-Qaeda attacks on Israeli tourists in Kenya affirmed East Africa's place on the list.

Al-Qaeda's more flexible targeting is also doubtless a function of the group's loss of command-and-control and central planning capabilities as a result of the coalition's defeat of the Taliban, al-Qaeda's former hosts in Afghanistan. On one hand, it is now necessary for the group to exploit local affiliates to a greater extent than before. On the other hand, the group has fully metastasised. Unencumbered by a territorial base that would make a convenient cruise-missile target, al-Qaeda is now less susceptible to counter-terrorism measures than it was before 11 September. While it develops new angles of approach to mass-casualty terrorism in the US, and Palestinian terrorists (so far unconnected to al-Qaeda) draw blood in Israel, al-Qaeda can content itself that groups it supports or those that are inspired by its message or worldview can carry out high-payoff operations over a wider geographical range, exploiting countries with weak law-enforcement and intelligence institutions. A target is likely to be judged satisfactory as long as it fully symbolises the group's non-negotiable enmity to Christians, Jews and apostate Muslims.

Bureaucratic mission changes - even when accomplished – will not relieve the US law-enforcement and intelligence community of the need to maintain a constant state of alert and to pursue terrorist suspects aggressively. Within two months of 11 September, US authorities detained over 1,000 suspects and charged about 100 in connection with the investigation of the 11 September atrocities. The composition of that group provided an early sign of the difficulty of getting a grip on al-Qaeda. On 28 November 2001, US Attorney-General John Ashcroft released the names of 93 of the charged suspects, the specific charges brought against them and factual support for those charges. Only eleven suspects, whose names were withheld, were then considered to have connections to al-Qaeda. While most of the crimes with which they were charged were minor (e.g., illegal gun ownership, document fraud) and not intrinsically related to terrorism, each person did appear to have some connection – sometimes attenuated and possibly unwitting – to an illegal organisation.⁵ For instance, Vicente Pierre, imprisoned on weapons charges, was linked to a New York-based radical Islamic group with Pakistani roots called al-Fuqra ('the impoverished' in Arabic). In turn, the FBI believes al-Fuqra is responsible for several bombings and murders, that some of its members were among Wall Street Journal reporter Daniel Pearl's killers and that it has links to al-Qaeda.⁶ Kenys Galicia, a legal Salvadoran immigrant who worked as a secretary in a Falls Church, Virginia law office and for a fee falsely notarised documents that enabled several of the 11 September hijackers to obtain driver's licences, is arguably a more significant detainee precisely because of her ignorant venality. Her case shows how easy it was for a few Muslim terrorists on temporary visas to establish documentary credentials that facilitated their infiltration of American society.

It is equally significant that another 548 parties were being held only for immigration violations, premised ultimately on their etlmicity or national origin – in other words, non-US citizenship. Many were released soon after their arrest. Thus, the post-11 September law-enforcement experience in the US involved some 'overkill' with respect to non-citizens simply because there is more data available on them than on American citizens. By the same token, it is likely that fewer US citizens have been arrested than should have been. Federal authorities keep no records of foreign travel by US citizens and resident aliens. This is largely on account of the regulatory firewall erected between foreign and domestic intelligence in the 1990s, enshrined in FISA, which requires a showing of probable cause that a target of surveillance is merely a foreign agent (as opposed to a criminal) for judicial authorisation (i.e., a warrant) to conduct surveillance on a non-US citizen for intelligence-gathering purposes, but curtails the disclosure of any information thereby obtained to law-enforcement officers with arrest powers.

Small wonder, then, that as of early 2003 the US had captured only two 'American Taliban': John Walker Lindh and Yasser Esam Hamdi, who was born in Louisiana but spent most of his life in Saudi Arabia. Nine Americans had trained at the Haqqania Islamic religious boarding school, or madrassa, run by the Taliban and al-Qaeda in Pakistan's Northwest Frontier Province. Lindh received military instruction at a training camp in Pakistan run by Harakat al-Mujahideen and later at the al-Farooq camp in Afghanistan operated by al-Qaeda. As of April 2003, Lindh, Hamdi and would-be 'dirty' bomber José Padilla were the only arrested US citizens known to have trained in terrorist camps in Afghanistan or Pakistan. None of them appeared on official federal databases. A former FBI counter-terrorism agent estimated that between 1,000 and 2,000 aspiring jihadists departed the US for South Asia in the 1990s, and Pakistani authorities credited that estimate and added that about 400 recruits who trained in terrorist camps came from the US. Given that there are thousands of madrassas in Pakistan and Afghanistan and until Operation Enduring Freedom there were dozens of training camps in Afghanistan, it is a fair inference that more US citizens were radicalised in those places.⁷ US law-enforcement officials note that there is no well-organised indigenous jihad movement in the US, and that many US-based jihadists fought for causes – like Chechen separatism or Muslim human rights in Bosnia – that were not intrinsically anti-American or global in scope. But given al-Qaeda's flexibility and improvisational flair, these observations are not directly apposite to assessing its overall threat. The point is that there are Muslims in the US of whom a significant number are likely to be ideologically aligned with al-Qaeda and therefore abjectly anti-American and presumptively dangerous.

In its post-Afghanistan mode, al-Qaeda could provide mere spiritual inspiration or actual operational assistance to such people – or both. The USA PATRIOT Act, passed in October 2001, substantially dismantles the regulatory barrier between domestic and foreign intelligence collection erected in the 1970s, expanding the range of information that FISA surveillance can cover and easing its dissemination among federal, state and local law-enforcement agencies. Due to political pressure from left-wing liberals and right-wing libertarians, the legislation was less intrusive than expected. The contents of e-mails, for instance, are still off-limits. While the USA PATRIOT Act has produced greater government access to more information about US citizens and non-citizens alike, the residual prohibitions on access to communications content and the notorious discrepancy between intelligence collection and processing capabilities has led the government towards some radical solutions. One of the more celebrated – and notorious – was the Defense Advanced Research Project Agency (DARPA)'s Total Information Awareness (TIA) research programme. The TIA programme aimed to cover a number of different areas. The most controversial one was geared to implementing state-of-the-art supercomputing and data-mining capabilities to enable the government to identify terrorists by detecting patterns of activity based on recorded information commercially or otherwise publicly recorded (travel, telecommunications, credit-card purchases, web-surfing, e-mail, etc.) and track their movements in near-real time.

TIA's framework for exploiting this transactional information came under heavy fire in Congress and from elements of the political left and right, on grounds that it would impermissibly infringe on individual privacy and civil liberties. Some degree of privacy protection, however, was built into the system. The computer programme employed would initially exclude names and other personal data from the transactions that it captured. If a suspicious transaction or series of transactions were detected, the names and personal details of those involved could be obtained only if a judge or other legal authority approved an application, by the intelligence analyst seeking that information, that showed sufficient justification for its disclosure. TIA would almost certainly have improved intelligence warning and counter-terrorism enforcement. But, even assuming a high degree of accuracy, anything less than 100% would also have meant numerous unwarranted invasions of privacy and a smaller number of unfair investigations and perhaps prosecutions. In January 2003, the Senate voted to halt the TIA programme, and the following September shut down DARPA's Information Awareness Office, which had developed the programme.

Although it is a virtual certainty that there are potential al-Qaeda-linked terrorists – both foreign and homegrown – on US soil, in the near-term the US probably will not be able to rely on leading-edge information technology to protect the American homeland. Thus, despite American declarations about putting in place a vulnerability-based system, the system that is actually evolving is only a very rough approximation thereof.⁸ It appears to embody two de facto priorities, both involving 'forward' measures designed to push out the effective US border.

First, there are more stringent immigration controls to deny terrorists access to US territory. With increasingly incisive passenger profiling; better links among the databases of different law-enforcement agencies; strict federal registration requirements for males over 15, mainly from Muslim countries, on visitor, student or business visas; readier deportation of illegal immigrants; and closer monitoring of all foreign students on special visas, significant advances in filtering out those with terrorist intent have occurred. The DHS, which now has ultimate authority over who is issued a visa, in August 2003 quietly opened two law-enforcement offices in Saudi Arabia to investigate visa applicants suspected of links with al-Qaeda or affiliated groups. Other such offices are planned throughout the Muslim world.⁹ The institution of these offices will presumably ease both the political and the administrative burden on State Department consular officers responsible for processing legitimate applications.

The US–Canada border is more porous than the southern, US–Mexico border, and remains of special concern. In an accord signed on 3 December 2001, the US agreed to integrate Canadian officials into its new Foreign Terrorist Tracking Task Force, to develop joint units to assess information on incoming passengers; and to increase immigration-control personnel assigned to Canada. US and Canadian multi-agency special law-enforcement teams to track terrorists and combat organised crime were also expanded. There are about 650,000 Muslims living in Canada, and they constitute a substantially higher proportion of the total population than they do in the US. American registration requirements have further impelled hundreds of illegal immigrants to the US to seek refuge in Canada by claiming asylum there. While Canada's refugee approval rate of 57% is only marginally higher than the United States' 54%, asylum applicants pending a decision on their applications are permitted to remain free in Canada but usually detained in the US.¹⁰ Canadian police, despite being granted broader powers of preventive arrest after 11 September, have used them sparingly and are still more inclined to opt for surveillance over detention. This approach may be defensible. The Canadian Security Intelligence Service has said that it generates superior intelligence about al-Qaeda's modus operandi, which it shares with US authorities. But a surveillance-oriented approach to law enforcement makes sense only if complemented by a thoroughgoing and effective vulnerabilities-based approach to homeland security in general.¹¹

The second priority is security in international commerce, to deny terrorists access to WMD and other implements that would facilitate mass-casualty attacks. Given the global sweep of the US economy – the volume of US international trade, in terms of dollars and containers, doubled between 1990 and 2001 and will double again between 2001 and 2005 – bilateral and multilateral cooperation in the implementation of forward measures is required to meet US homeland security needs. The US Coast Guard has established a 'Maritime Domain Awareness' programme, whereby agencies and private industry pool information on inbound ships, cargos, crews and passengers from multiple jurisdictions. Furthermore, Washington has enlisted the help of European, Asian and Middle Eastern trading partners to attain 'point-of-origin' cargo security. Under its Container Security Initiative (CSI), the US Customs Service is deploying specially trained officials at major ports worldwide to monitor shipping manifests and inspect cargo bound for the US, and will ultimately cover 70% of the 5.7 million containers shipped annually...