National Counterterrorism Center: Annex of Statistical Information

Office of the Coordinator for Counterterrorism
Office of the Coordinator for Counterterrorism
March 20, 2009

Developing Statistical Information

Consistent with its statutory mission to serve as the United States government's knowledge bank on international terrorism, the National Counterterrorism Center (NCTC) is providing the Department of State with required statistical information to assist in the satisfaction of its reporting requirements under Section 2656f of title 22 of the US Code (USC). The statistical information included in this Annex to the 2008 Country Reports on Terrorism is drawn from the data NCTC maintains on the website.

Section 2656f(b) of Title 22 of the USC requires the State Department to include in its annual report on terrorism "to the extent practicable, complete statistical information on the number of individuals, including United States citizens and dual nationals, killed, injured, or kidnapped by each terrorist group during the preceding calendar year." While NCTC keeps statistics on the annual number of incidents of "terrorism," its ability to track the specific groups responsible for each incident involving killings, kidnappings, and injuries is significantly limited by the availability of reliable open source information, particularly for events involving small numbers of casualties. Moreover, specific details about victims, damage, perpetrators, and other incident elements are frequently not fully reported in open source information.

  • The statistical material in this report, therefore, is drawn from the incidents of "terrorism" that occurred in 2008 as reported in open sources information, which is the most comprehensive body of information available to NCTC for compiling data that it can provide to satisfy the above-referenced statistical requirements.

In deriving its figures for incidents of terrorism, NCTC in 2005 adopted the definition of "terrorism" that appears in the 22 USC § 2656f(d)(2), i.e., "premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents."

  • Through 2004 NCTC compiled statistical data on the basis of a more limited methodology tied to the definition of “international terrorism,” which is also contained in 22 USC § 2656f.
  • Because of the change in methodology, the NCTC data is only comparable starting with the 2005 calendar year data, the highlights of which are contained in the 2005 Country Reports on Terrorism.
  • Subject to changes in reporting statutes, NCTC anticipates that future statistics provided by it will continue to be tied to the broader definition of “terrorism."

To record and update attack records, NCTC has continued to post information in the repository for the US government's database on terror attacks, the Worldwide Incidents Tracking System (WITS) that was unveiled in 2005. A data management system with a more comprehensive dataset than those used in years prior to 2004, WITS is accessible on the NCTC website at for the public to have an open and transparent view of the NCTC data. NCTC will ensure that the data posted to the website is updated as often as necessary by regularly posting information about new or prior attacks.

Considerations for Interpreting the Data

Tracking and analyzing terrorist incidents can help us understand some important characteristics about terrorism, including the geographic distribution of attacks and information about the perpetrators, their victims, and other details. Year-to-year changes in the gross number of attacks across the globe, however, may tell us little about the international community's effectiveness either for preventing these incidents, or for reducing the capacity of terrorists to advance their agenda through violence against the innocent.

NCTC cautions against placing too much emphasis on the use of attack data to gauge success or failure against the forces of terrorism. Furthermore, NCTC does not believe that a simple comparison of the total number of attacks from year to year provides a meaningful measure.

  • Tallying attack data necessarily involves relying exclusively on frequently incomplete and ambiguous information—information for these statistics is not derived from federal government collection programs created or operated specifically to obtain attack data. The quality, accuracy, and volume of open source reporting can vary greatly from country to country. As a result, determining whether an attack meets the NCTC criteria for a terror attack is often difficult and highly subjective. This is particularly true if the attack does not involve mass casualties because detailed information is not typically available on these events since they are not usually subject to heavy media coverage. Furthermore, in the parts of the world where there is little press coverage and little non-governmental organization presence, terror attacks go unreported.
  • Attack tallies exclusively do not provide a complete picture of the magnitude or seriousness of the terrorism challenge confronting a country or region. For example, the fact that 50 percent of the attacks in the NCTC database involve no loss of life would be only one factor for assessing the danger of terrorism globally. Moreover, different factors weigh more heavily than others in assessing the dangers posed by terrorism. For example, an attack that kills 100 civilians is likely to be considered more alarming than an attack that damages a pipeline but harms no one; however, each attack is simply tallied as one incident.
  • Counting protocols are necessary and inevitably require judgment calls that may have an impact on results. For example, NCTC protocols dictate that events identified as simultaneous and coordinated would be recorded as one attack, as would be secondary attacks that targeted first responders. For instance, on the morning of August 17, 2005, there were approximately 450 small bomb attacks in Bangladesh1, and because they were coordinated according to a central plan, NCTC counted them as a single event. Other valid counting protocols would register these attacks as 450 separate attacks.
  • Analyzing attack data from year to year to identify patterns and notable deviations or trends in the data is problematic, and may not be meaningful in some cases. The availability, quality, and depth of open source reporting vary making it hard to isolate whether a rise or fall of a particular data element from one year to the next is due to an increase or decrease of this open source reporting or whether actual events are behind the change in the data.

Despite these limitations, WITS can be a valuable tool for facilitating empirical research on terrorism.

Methodology Utilized to Compile NCTC’s Database of Terrorist Incidents

The data provided in WITS consists of incidents that meet the statutory criteria for terrorism as defined in Title 22 of the US Code § 2656f(d)(2) which states terrorism is “premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents. Determination of what constitutes a terrorist act, however, can be complex: information is often incomplete, fact patterns may be open to interpretation, and perpetrators' intent is rarely clear. Moreover, information may become available over time, changing initial judgments about attacks. Users of this database should therefore recognize that reasonable people may differ on whether a particular attack actually constitutes terrorism or some other form of political violence. NCTC has made every effort to limit the degree of subjectivity involved in the judgments and, in the interests of transparency, has adopted a set of counting rules that are delineated below.

Terrorists must have initiated and executed the attack for it to be included in the database; failed or foiled attacks, as well as hoaxes, are not included in the database. Additionally, consistent with reports from previous years, spontaneous hate crimes without intent to cause mass casualties and genocidal events are not included in the database.

Determining when perpetrators have targeted noncombatants can also be difficult. Military personnel and assets outside war zones and war-like settings pose one challenge to the noncombatant provision of the definition, while police under military command and control, and organized groups of armed civilians inside war zones and war-like settings pose another challenge. NCTC developed a combatant matrix which details the various areas of war-like settings, and the common actors such as military police, militias, soldiers, and other combatant-like actors. The analysts use the matrix in complex cases to determine when an act targeting combatant-like actors should be included in WITS. The combatant matrix is adjusted as the circumstances in world conflicts change or evolve. The distinction between terrorism and insurgency in Iraq was especially challenging in previous years, as Iraqis participated in both the Sunni terrorist networks as well as the former-regime-elements insurgency, targeting both civilians and combatants and often affecting both populaces. Therefore, combatants may be included as victims in some attacks when their presence was incidental to an attack aimed at noncombatants, and some attacks may be deemed terrorism when it recklessly affects combatants.

The WITS database contains a field that allows analysts to categorize an incident by "event type." Event types are coded in the database as the following: armed attack, arson/firebombing, assassination, assault, barricade/hostage, bombing, CBRN, crime, firebombing, hijacking, hoax, kidnapping, near miss/non-attack, other, theft, unknown, and vandalism. While some incidents can clearly be coded using this taxonomy, other kinds of attacks are more difficult to define. When it can be determined, incidents that involve multiple types of attacks are coded with multiple event types. Incidents involving mortars, rocket-propelled grenades, and missiles generally fall under armed attack, although improvised explosive devices (IED) fall under bombing including vehicle-borne IEDs (VBIED). VBIEDs include any IED built into or made a part of a vehicle including cars, trucks, bicycles, and motorcycles. Suicide events are also captured, but the perpetrator must have died in the attack for the event type “suicide” to be included.

The WITS database categorizes victims of an incident. Civilians, business, students, military, and police are some of the several dozen victims types captured in WITS. Additionally, the nationalities are recorded in WITS where open source reports such information. The methodology presumes most victims to be local nationals unless otherwise reported in the press.

In the cases of Iraq and Afghanistan, it is particularly difficult to gather comprehensive information about all attacks and to distinguish terrorism from the numerous other forms of violence, including crime and sectarian violence. During the past twelve months, analysts have noted a decline in open source reporting in some provinces in Afghanistan that have deteriorating security. Thus, WITS has limited attack information for these provinces. We note, however, that because of the difficulty in gathering data on Iraq and Afghanistan, the dataset undoubtedly undercounts the number of attacks in these two countries.

In an effort to provide greater granularity and analytic service, in 2007 NCTC introduced to the database the concept of "targeting characteristics." The purpose was to capture, where possible, the underlying motivating factors for attacks. Victims and facilities are coded, so as to enable searching for violence against specific targets-Westerners, Christians, and other groups targeted because of their cultural, ethnic, or religious identities. The intent of this field is not to identify all victims who happened to be Muslims, Christians, etc., but rather to identify victims who appeared to be targeted because they were Muslims, Christians, etc.

Traditionally, NCTC only attributed attacks to perpetrators when a claim of responsibility was made or if reporting indicated a belief that a particular perpetrator was responsible. Fundamentally, only those groups that have already been designated as foreign terrorist organizations by the State Department; that have themselves claimed responsibility for terrorist actions or status as a terrorist group; or that have been repeatedly and reliably suspected of involvement in specific terrorist activities are included in WITS. As noted, we often get neither piece of information, and as a result many of the attacks list an unknown perpetrator; for instance in 2007 over 60 percent of all attacks were listed as unknown perpetrators. Where we had information, we provided a confidence level of likely, plausible or unlikely. In an effort to improve analytic capability, and at the request of a panel of outside academics, NCTC added a new confidence level in the 2008 data that is associated with perpetrators to assist researchers. The new value is “Inferred.”

In instances where available information provides neither a claim of responsibility nor a belief that a particular perpetrator was responsible, NCTC may now infer a perpetrator. Such inferences are based on an evaluation of the characteristics of the attack and other factors, such as whether only one group is active in a particular region. In cases where the attack characteristics match the modus operandi of a single group, or a group is known to be the only one operating in the region, for example, an inference is made that associates a group with the attack. If desired, these inferences may be filtered out of the result set by excluding the confidence level of “Inferred” in the Advanced Search facility of WITS as shown below.


Date: 03/20/2009 Description: National Counterterrorism Center graphic of confidence level of 'Inferred' in the Advanced Search facility of WITS. State Dept Photo

Thus far, this data value is being utilized largely for the inference of “Sunni extremist” attacks in some countries and only applies to the 2008 data. Such an inference is based upon specific parts of the country in which the attack occurred, the attack method used, or both factors.

NOTE: Users must be aware that such an analytic reference has not been applied to earlier years and as such queries must be carefully constructed to avoid fallacious conclusions about the change in the number of attack conducted by Sunni extremists. If users do not wish to use this additional analytic reference they can maintain consistency across time-series data by filtering out the value as described above. Moreover, perpetrator characteristics may change over time. For instance, the Chechen rebels were previously categorized as secular/political, but are now categorized Sunni extremists because they declared themselves to be the Islamic Emirate of the Caucuses in October of 2007 and claimed attacks under this name.

To be of more analytic service, the database also enables greater granularity with respect to the impact of attacks. Killed, wounded, and kidnapped figures are provided. Kidnapped victims who were later killed are counted as killed; and kidnapped victims either liberated or still in captivity are counted as kidnapped. Any attack hitting a facility is now coded with a damage estimate of Light ($1 to $500 thousand), Moderate ($500 thousand to $20 million), or Heavy (over $20 million). While it is inherently difficult to make damage assessments for attacks in different countries with different economic circumstances, these estimates allow users to garner a general sense of the overall level of attacks.

Because terrorism is a tactic, used on many fronts, by diverse perpetrators in different circumstances and with different aims, NCTC cautions against using attack data alone to gauge success against the forces of terrorism. NCTC does not believe that a simple comparison of the total number of attacks from year to year provides a meaningful metric, for the following reasons:

  • We continue to refine our counting rules as the study of terrorism evolves. Interaction with academics and outside terrorism experts convinces us that there will never be a "bright red line" around terrorist attacks, but instead the definition of terrorism will always be a point of thoughtful debate. This evolution in our methodology for counting attacks is reflected in WITS and means that some types of year to year comparisons may be misleading.
  • A quarter of the attacks in the database actually involve no loss of life whatsoever; while an attack against a pipeline and a VBIED attack that kills 100 civilians each count as one attack in the database, such a comparison hardly seems meaningful.
  • The nature of this exercise necessarily involves incomplete and ambiguous information. The motivation behind attacks, particularly those that do not involve mass casualties can be particularly difficult to discern.
  • As additional sources of information are found and as more information becomes available from remote parts of the globe we will continue to enrich the database. In the case of 2005, for example, incidents in Nepal grew dramatically; this data can't be meaningfully compared to 2004 because it is clear that attacks on civilians were occurring at a substantially higher rate than was reflected in previous years' accounting.
  • Finally, the very approach to counting attacks could skew results; for instance, in the morning of 17 August 2005 there were about 450 small bomb attacks in Bangladesh.2 WITS counted these as one incident because we judged the individual attacks to all be part of a larger coordinated attack; an argument could be made that these were 450 separate attacks.

In summary, tracking attacks against civilians and noncombatants can help us understand important trends related to the nature of the attacks, where they are occurring, victims, and perpetrators. However, year-to-year changes in the gross number of attacks across the globe may tell us nothing about the effectiveness of the international community in preventing attacks, reducing the capacity of extremists to wage war, or preventing extremists from advancing their agenda through violence against the innocent.

Incidents of Terrorism Worldwide*

  2005 2006 2007 2008
Attacks worldwide 11,157 14,545 14,506 11,770
Attacks resulting in death, injury, or kidnapping of at least 1 person 8,025 11,311 11,123 8.438
Attacks resulting in the death of at least one individual 5,127 7,428 7,255 5,067
Attacks resulting in the death of zero individuals 6,030 7,117 7,251 6,703
Attacks resulting in the death of only one individual 2,880 4,139 3,994 2,889
Attacks resulting in the death of at least 10 individuals 226 293 353 235
Attacks resulting in the injury of at least one individual 3,842 5,796 6,256 4,888
Attacks resulting in the kidnapping of at least one individual 1,475 1,733 1,459 1,125



People killed, injured or kidnapped as a result of terrorism 74,280 74,709 71,608 54,747
People worldwide killed as a result of terrorism 14,560 20,468 22,508 15,765
People worldwide injured as a result of terrorism 24,875 38,386 44,118 34,124
People worldwide kidnapped as a result of terrorism 34,845 15,855 4,982 4,858


Incidents of Terrorism in Iraq and Afghanistan

  2005 2006 2007 2008
Terrorist attacks in Iraq 3,467 6,631 6,210 3,258
Attacks resulting in at least 1 death, injury, or kidnapping 2,837 6,028 5,573 2,902
People killed, injured, or kidnapped as a result of terrorism 20,722 38,878 44,012 19,083




People killed, injured or kidnapped as a result of terrorism 74,280 74,709 71,608 54,747
People worldwide killed as a result of terrorism 14,560 20,468 22,508 15,765
People worldwide injured as a result of terrorism 24,875 38,386 44,118 34,124
People worldwide kidnapped as a result of terrorism 34,845 15,855 4,982 4,858


NCTC Observations Related to Terrorist Incidents Statistical Material

Approximately 11,800 terrorist attacks occurred in various countries during 2008, resulting in over 54,000 deaths, injuries, and kidnappings. Compared to 2007, attacks decreased by 2,700, or 18 percent, in 2008 while deaths due to terrorism decreased by 6,700, or 30 percent. As was the case last year, the largest number of reported terrorist attacks occurred in the Near East, but unlike previous years, South Asia had the greater number of fatalities. These two regions also were the locations for 75 percent of the 235 high-casualty attacks (those that killed 10 or more people) in 2008.

  • Of the 11,770 reported attacks, about 4,600, or nearly 40 percent, occurred in the Near East where approximately 5,500 fatalities, or 35 percent of the worldwide total, were reported for 2008. Attacks in Iraq continued the decline ongoing since August of 2007.
  • Another 35 percent of the attacks occurred in South Asia with Afghanistan and Pakistan registering increased attacks. Attacks in Pakistan more than doubled in 2008.
  • Violence against noncombatants in Africa, particularly related to fatalities associated with turmoil in the Somalia and the Democratic Republic of the Congo, rose 140 percent in 2008, totaling about 2,200 fatalities in comparison to approximately 900 fatalities for 2007.
  • The number of reported attacks in 2008 fell in the Western Hemisphere by about 25 percent, and in East Asia and the Pacific by 30 percent.

Terrorist use of kidnappings for ransom increased significantly in 2008. The number of kidnappings in South Asia during 2008 rose by 45 percent, although kidnappings worldwide remained about the same. The number of kidnappings in Pakistan rose sharply by 340 percent, and in Afghanistan by about 100 percent, while in India the number rose by 30 percent.


The perpetrators of over 7,000 attacks, or over 60 percent, in 2008 could not be determined from open source information. Of the remaining incidents, as many as 150 various subnational groups—many of them well-known foreign terrorist organizations—or clandestine agents were connected to an attack in various ways, including as a claimant, as the accused, and as the confirmed perpetrator. In most instances, open source reporting contains little confirmed or corroborating information that identifies the organizations or individuals responsible for a terrorist attack. In many reports, attackers are alleged to be tied to local or well-known terrorist groups but there is little subsequent reporting that verifies these connections. Moreover, pinpointing attackers becomes even more difficult as extremist groups splinter or merge with others, make false claims, or deny allegations.

  • According to open source reports, the Taliban, more than any other group, claimed credit for the largest number of attacks and the highest fatality totals.
  • In contrast, al-Shabaab al-Islamiya [Muslim Youth Movement] was the group with the seventh highest total of claimed attacks but was the second deadliest group.

No terrorist attack occurred last year that approached the sophistication of planning and preparations that were characteristic of the 9/11 attacks, the Mumbai attacks—although not the first of such style attacks—however, remind us that terrorists can carry out deadly attacks using less sophisticated tactics. Reporting points to a steadfast al-Qa'ida that is planning attacks in northwest Pakistan, and was able to expand its propaganda campaign through new audio releases in 2008 to invigorate supporters, win converts, and gain recruits while its al-Qa’ida in Iraq associates and other linked groups carried out several successful attacks. The following were according to open sources:

  • The al-Qa’ida Organization in Islamic Maghreb (AQIM) attacked a police academy in Les Issers, Algeria, killing 43 and wounding another 45 people3; and
  • Al-Qa’ida in Yemen claimed responsibility for an attack at the US Embassy in Sanaa that killed 10 and wounded another 3.4

Types of Attacks

As was the case in 2007, most attacks in 2008 were perpetrated by terrorists applying conventional fighting methods such as armed attacks, bombings, and kidnappings. Terrorists continued their practice of coordinated attacks that included secondary attacks on first responders at attack sites, and they continued to reconfigure weapons and other materials to create improvised explosive devices.

  • According to open sources, the Taliban claimed responsibility for a food poisoning attack on a provincial headquarters in Nurestan, Afghanistan that sickened 261 government employees and police.5
  • Suicide attacks declined from 525 in 2007 to 404 in 2008. This is largely due to declining violence in Iraq.
  • Attacks in Iraq, Afghanistan and Pakistan accounted for about 55 percent of attacks.
  • Attacks by female suicide bombers accounted for about almost 9 percent of all suicide attacks worldwide, and for 15 percent of all suicide attacks in Iraq.
  • 2008 witnessed an attack by an American suicide bomber in Somalia.

Victims and Targets of Attacks

As has been the case since 2005, substantial numbers of victims of terrorist attacks in 2008 were Muslim.

  • Almost 50,000 individuals worldwide were either killed or injured by terrorist attacks in 2008. Based upon a combination of reporting and demographic analysis of the countries involved, well over 50 percent of the victims were Muslims, and most were victims of attacks in Iraq, Pakistan, and Afghanistan.

Open source reporting identifies approximately 65 percent of the almost 50,000 killed or injured victims of terror as simply civilians, and therefore actual tallies of significant types of victims cannot be specifically determined. However, the reporting does yield some insights about the demographics of these victims.

  • Children remained disproportionately affected by terrorism, with a 10 percent rise in the number of child victims in 2008 while overall numbers declined.
  • Diplomatic officials also saw a rise in the number of attempts against them and a large increase in victims from 12 victims in 2007 to 47 in 2008.

An Academic’s Perspective on Open Source Event Data

In the last two decades there have been more than a dozen attempts to build open source event data bases on terrorism. A major drawback of these data collections is that they have traditionally excluded domestic terrorist attacks—even though analysts have long suspected that domestic attacks greatly outnumber international ones. Both the Worldwide Incidents Tracking System (WITS), collected by the National Counterterrorism Center (NCTC), and the Global Terrorism Database (GTD), collected by the National Consortium for the Study of Terrorism and Responses to Terrorism (START) at the University of Maryland, have tackled this problem. Now that we are beginning to have access to more comprehensive terrorism event databases, it is possible to think constructively about ways to further improve their quality. I recommend the following three: validation studies, case control methods, and geo-spatial analysis. First, as event data improves new avenues for validating it become feasible. For example, it is now possible to compare WITS to GTD and other event databases or to examine how media-related measures like newspapers per capita effect open source coverage. In some cases, it is also possible to compare event data to police or court data. Second, a limitation of event databases is that they include attacks that happened but provide no baseline for attacks that could have happened but did not. Advances here could be made by borrowing “case control methods” from medical research. For example, to understand suicide attacks it is useful to have information not only on the specific locations of attacks, but on case controls of similar locations that have not been targeted. And finally, the spatial dimensions of comprehensive event data bases like WITS and GTD have barely been explored. The NCTC should be applauded for substantially improving the government’s publicly available data on terrorism and for seeking feedback from the research community. As psychologist Donald Campbell has pointed out, there is nothing that moves knowledge ahead faster than a “disputatious community of truth seekers.”

—Gary LaFree, University of Maryland
March 18, 2009

The full letter of Dr. LaFree is available in the 2008 NCTC Report on Terrorism, available via the Internet at

* In all cases limited to attacks targeting noncombatants. 2005 to 2007 numbers were updated since last year’s publication on the Worldwide Incidents Tracking System at

1 Ibid., “ICN 200809075.”
2 Ibid., “ICN 200809446.”
3 Ibid., “ICN 200809457.”
4 Ibid., “ICN 200574834.”
5 “ICN 200574834.” Online posting. Worldwide Incidents Tracking System. Last updated, 12/31/2008. National Counterterrorism Center. 3/20/2009