

Before It Makes the Headlines
Effective Threat Detection Strategies and Tactics
Joe Autera

Since the horrific attacks of September 11, 2001, law enforcement and security professionals have been inundated with bulletins, directives and warnings urging increased vigilance and heightened awareness. Unfortunately, there has been little put forth regarding exactly what it is that those on the front lines of the war on terrorism should be vigilant for and aware of. In fact, there is even quite a bit of confusion regarding the very terms that we use to define our efforts to deter, detect and defeat future attacks.

Despite a tendency on the part of the media, self-proclaimed “experts” and even some security practitioners to use them interchangeably, the terms anti-terrorism and counterterrorism are not synonyms. And while there should be no mistaking the fact that these two elements are equally critical to the success of more broadly defined terrorism counteraction plans, it is equally important to recognize that the focus of each is vastly different. Anti-terrorism can best be described as defensive measures taken to reduce a potential target’s vulnerability to terrorism-related activity or attack, while counterterrorism encompasses offensive measures taken to interdict or respond to a terrorist act. While the former is proactive and the latter, for the most part, reactive, it should be noted that certain aspects of a comprehensive terrorism counteraction program, such as intelligence gathering and analysis, are equally vital to the planning and execution of both anti-terrorism and counterterrorism operations.

In terms of anti-terrorism operations, access to timely intelligence is both a strategic and tactical imperative. Without an objective and reasonable assessment of a particular group or cell’s resources and capabilities, the task of defining possible or probable targets, which is the cornerstone of effective threat detection operations, becomes infinitely more difficult. One of the keys to maintaining objectivity is recognizing that while there is no such thing as an impossible attack scenario, certain types of attacks are considerably more difficult to plan and coordinate than others. Even within the realm of modern terrorism, where groups such as al-Qaeda have no external constituency to answer to for their actions and the goal is simply to generate the highest number of casualties, the realities of finance, logistics, transportation and coordination dictate the planning and operational focus of the terrorist. And while the intelligence gathering process as it relates to international terrorist organizations and operations is a subject worthy of its own article, or perhaps more accurately a series of articles, it must be noted that with the advent of the internet and the World Wide Web the majority of law enforcement, military and security personnel have the potential to access more raw intelligence than ever before. With so much information so readily available, the long-standing challenge of transforming that raw information into useful intelligence in a timely manner is greatly magnified. Now more than ever, it is all too easy for the less experienced practitioner to become overwhelmed by the sheer volume of potentially useful information, leading to oversights and miscues in the earliest stages of threat detection planning.
Absent a full-blown intelligence gathering and analysis program, first-line supervisors and personnel need to focus their efforts on the rudimentary elements of operational intelligence gathering, starting with the analysis of past events in order to provide insight into the terrorist’s possible future course of action.

History is indeed one of the great predictors of future events, particularly with regard to terrorism. Having said that, it is also important to understand that, in this day and age, past incidents are just one indicator of a group or cell’s intentions, and while the value of past incidents in predicting future attacks cannot be dismissed, it should not be overstated either. The wisdom of this restrained approach is exemplified by the al-Qaeda terror network’s recent string of attacks around the world. Given these successes, it is apparent that the level of training and depth of knowledge this loosely knit group has gained through its past attacks affords both the larger and subordinate groups enormous operational flexibility, from the target selection and attack planning phases through the execution phase. For those fighting the war against terrorism at the tactical level, particularly those that are forced out of necessity to rely on their own efforts to gather intelligence, countering this flexibility requires a shift in the focus of intelligence gathering and analysis away from the execution of the attack itself, the end result if you will, and toward the strategies and tactics used by the terrorist to identify potential targets, determine the target’s vulnerability and then plan the attack. The reasoning behind this is quite simple. Regardless of what form the attack takes, be it a vehicle-borne improvised explosive device (VBIED) detonated in a suicide attack or a direct assault against a “soft” target carried out by a small team armed with automatic weapons and hand grenades, there will be some attack-related activity in and around the target prior to the actual launching of the attack.
So the goal of any ad hoc intelligence gathering and analysis effort should be to identify the types of activity that have preceded previous attacks, so that subsequent anti-terrorism security operations can be focused on detecting similar patterns of activity in and around likely or potential targets.

For instance, an analysis of the 1998 attacks on the U.S. Embassies in Nairobi, Kenya and Dar Es Salaam, Tanzania shows that the weapon of choice was a VBIED. But, in terms of developing a workable anti-terrorism strategy, is this information particularly useful? No. The fact that trucks laden with explosives were driven into close proximity to the buildings and detonated is accurate, but it is not, in reference to preventing future attacks, all that useful. The time and fiscal constraints that are part and parcel of even the most ambitious anti-terrorism programs dictate this. Clearly, the task of trying to differentiate between trucks that may have been purchased, leased or rented for legitimate reasons and those that might have been acquired for a more sinister use is far too resource intensive to be undertaken with any degree of success. However, the knowledge that in the weeks leading up to the attack the US Embassy in Nairobi, Kenya received a series of bomb threats, coupled with the fact that just days before the attack a local citizen reported seeing a man, apparently accompanied by two “bodyguards”, videotaping the main gate of the Embassy compound, holds tremendous value. This sort of intelligence is particularly useful when, as is often the case, there are not enough resources to adequately cover every potential target and a decision must be made as to where those limited assets should be deployed. To better illustrate this point, we need only imagine a theoretical city or county where there are five or six legitimate terrorist targets and only enough resources to provide additional security coverage at just one of those locations at any given time. Now let’s say that one of those targets has received two bomb threats in the past four weeks, despite the fact that there hasn’t been a bomb threat received at any of these locations as far back as anyone can remember.
Using known pre-incident activity as a benchmark, in this case the use of false bomb threats to gauge the reaction of the security force and to gather intelligence concerning the overall response, the answer as to where those additional security measures are needed most becomes readily apparent. And if the goal is not only to prevent the attack but to identify the attackers and apprehend them before an attack can be launched on any of those five or six targets, then those additional measures must include personnel trained to detect indications that the target may be under surveillance for the purposes of planning an attack.

The most common pre-incident indicator is physical surveillance in and around a potential target for the purpose of analyzing and evaluating its vulnerability to a given type of attack. In order to develop the knowledge, skills and ability to recognize pre-incident indicators, the threat detection operative must view the potential target from a different perspective. Those engaged in this sort of anti-terrorism operation must step back from their role as protector and begin to think like an attacker, to look at a potential target in terms of weaknesses or flaws in the security measures and procedures as opposed to the strengths. While this seems fairly straightforward, it can be quite a challenge for those that have acted in traditional protection roles for any length of time, because it requires one to assume an antagonistic view and concentrate on finding flaws in measures that may have, until recent events proved otherwise, seemed to be quite effective. The crucial first step in developing and maintaining the attacker’s perspective is to recognize and appreciate the fact that no attack begins on the day it actually happens, nor does the attack commence at the first layer of defense, be it a fence line, concrete vehicle barrier or a perimeter security patrol. Instead, as history has shown us time and again, the attack commences long before it makes the headlines and well beyond the confines of the existing protective boundary created by traditional security measures. Therefore, threat detection operations must be approached with the expectation that they are long-term propositions that will yield the best results over an extended period of time. And perhaps more importantly, the threat detection effort must be focused on and concentrated within those areas, both inside and outside the protective boundary, which may afford the attacker an opportunity to gather vital intelligence unhindered.
The upside to all of this is that, based on their collective past experience, terrorists are often predisposed to approach intelligence gathering with the notion that most potential targets are particularly vulnerable to surveillance, and therefore may not be overly concerned with the risk of detection. This, of course, works to the advantage of the threat detection operative. Generally speaking, the intelligence requirements for effective attack planning encompass the design and construction of the target, the daily activity in and around the target, and the nature and extent of existing security measures. Within those broader requirements, the specific threat will dictate exactly what information is vital to the planning process.

As mentioned earlier, those locations or points that afford the attacker the best opportunity to gather the necessary intelligence are found in an area that not only encompasses the protective boundary of the target but extends further beyond it as well. This area can best be described as the standoff footprint. Defining the standoff footprint of any potential target is a process that begins with an objective analysis of the target as if one were planning an attack, any attack, and then identifying the intelligence requirements of the attackers. Once the intelligence requirements have been established, the analysis continues with the identification of where and how this intelligence might be gathered. It is important to recognize that some intelligence can be gathered by an attacker without ever venturing near the standoff footprint. In fact, physical surveillance may not commence until a fair amount of intelligence is already on hand. Just as the internet and World Wide Web provide us with access to a wealth of raw information, it should be noted that they offer the same benefit to terrorists. Those security professionals that have embraced both the concept of intelligence gathering via technological means such as the internet and the concept of threat detection as an effective anti-terrorism tool must recognize the double-edged nature of the beast and make it a point to determine, on an ongoing basis, what information regarding a potential target is available and how accessible it is.

Knowing what information an attacker may already have allows us to gain an understanding of what information may still be needed to plan a successful attack. Moving forward from this point requires the operative to quite literally step back from the target, to venture out into the standoff footprint and conduct his or her own intelligence gathering operations using the same sort of physical surveillance tactics and techniques that an attacker would. Throughout this active phase of the definition process, the need to accurately document when, where and how the intelligence was gathered cannot be overstated. When properly conducted and thoroughly documented, the end product is an accurate depiction of the standoff footprint: the overall area, and the specific points or locations within that area, where terrorists are most likely to execute their pre-incident intelligence gathering and physical surveillance of the target. The standoff footprint can be further refined by superimposing previously gathered intelligence regarding specific types of attacks and the exact nature, extent and type of activity that the attack planners engaged in before selecting their targets and launching the attacks in question.

For example, if the most likely form of attack is determined to be a VBIED placed within close proximity to the target, then there are certain factors that will drive the planning process and, in turn, the intelligence requirements. Quite naturally, these intelligence requirements will dictate the type of pre-incident activity that will take place within the standoff footprint. In this instance, armed with the understanding that it is possible to calculate the placement of the device so that the overpressure, or shockwave, is twice as powerful at the exact point that it strikes the target, this activity would include an unusual interest in vehicle entrances and individuals pacing off the distance between the curb and the building façade at several locations around the facility. In this scenario, another indicator would be the placement of trucks within close proximity to the facility, perhaps even at the location calculated to cause the maximum amount of damage with a bomb of that size. This tactic allows the attackers to observe and gauge the response by security or law enforcement personnel to an unattended vehicle at that location. Even greater cause for concern is the fact that this sort of activity might also signal that the attackers have transitioned from planning to rehearsal, the final stage before executing the attack. All of which highlights the fact that, in light of current circumstances, threat detection tactics should be incorporated into standard response protocols as well. (see sidebar, Anatomy of a Flawed Response)

Once the standoff footprint has been defined, threat detection operations can be initiated, but not before procedures for reporting and cataloging pertinent information have been put in place. Here again, the advent of technology, this time in the form of readily available database software such as Lotus dbase or Microsoft Access, offers a fairly simple solution to the challenge of transforming valuable, but raw, information into useful intelligence in a timely manner. By creating a threat detection database using an off-the-shelf database program, it is possible to analyze and compare the latest information collected in the field with previously gathered data almost instantaneously. The net effect of reducing the time it takes to identify suspicious patterns of activity is an increase in the time afforded to implement an effective response to such activity. The keys to selecting an off-the-shelf software package and developing a working database are simplicity and compatibility. The program itself should allow for any number of customized fields and provide some pre-formatted templates upon which a threat detection database can be created. In addition, the software should be fully compatible with the operating system installed on both the desktop and portable computers currently in use by the agency, department or unit. As far as the actual databases are concerned, the available data fields must be searchable both individually and in combination. Fields should be created for vehicles, individuals and locations, physical descriptions, and the type of activity that was observed or reported. Creating and refining this sort of database requires some time and effort as well as training, all of which must be taken into consideration when selecting the software.
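The database layout described above can be sketched in a few dozen lines of code. The following Python is an added example written for this page, not code from the article or its author: an in-memory stand-in for the off-the-shelf database the author recommends, with the fields he names (vehicle, individual, location, description, activity), searchable individually or in combination, plus two pattern checks that turn raw reports into the kind of indicator the embassy example relies on: repeated reports of one activity at one location within a window, and a vehicle or individual reported at more than one location in the footprint. Every report, date, location and vehicle value below is a constructed sample, not data from any real incident.

```python
"""Minimal threat-detection report database (added example, constructed data)."""
from collections import defaultdict
from dataclasses import asdict, dataclass, fields
from datetime import date, timedelta


@dataclass(frozen=True)
class Report:
    """One field report. Field names follow the layout the article suggests."""
    reported: date
    location: str
    activity: str
    vehicle: str = ""       # plate, make or colour as reported (sample values only)
    individual: str = ""    # name or descriptor of a person of interest
    description: str = ""   # free-text physical description / circumstances


class ThreatDB:
    """Searchable report store with simple pattern checks over a time window."""

    def __init__(self) -> None:
        self.reports: list[Report] = []
        self._fields = {f.name for f in fields(Report)}

    def add(self, report: Report) -> None:
        self.reports.append(report)

    def search(self, **criteria: str) -> list[Report]:
        """Case-insensitive substring match; every supplied field must match."""
        unknown = set(criteria) - self._fields
        if unknown:
            raise ValueError(f"unknown field(s): {sorted(unknown)}")
        hits = []
        for r in self.reports:
            values = asdict(r)
            if all(v.lower() in str(values[k]).lower() for k, v in criteria.items()):
                hits.append(r)
        return hits

    def _in_window(self, r: Report, as_of: date, window_days: int) -> bool:
        return as_of - timedelta(days=window_days) <= r.reported <= as_of

    def repeated_activity(self, activity: str, as_of: date,
                          window_days: int, threshold: int) -> list[str]:
        """Locations with at least `threshold` reports of `activity` in the window
        (the article's 'two bomb threats in four weeks' indicator)."""
        counts: dict[str, int] = defaultdict(int)
        for r in self.reports:
            if r.activity == activity and self._in_window(r, as_of, window_days):
                counts[r.location] += 1
        return sorted(loc for loc, n in counts.items() if n >= threshold)

    def recurring_subjects(self, as_of: date, window_days: int,
                           min_locations: int) -> dict[str, list[str]]:
        """Vehicles or individuals reported at `min_locations` or more distinct
        locations inside the window: a subject moving around the footprint."""
        seen: dict[str, set[str]] = defaultdict(set)
        for r in self.reports:
            if not self._in_window(r, as_of, window_days):
                continue
            for subject in (r.vehicle, r.individual):
                if subject:
                    seen[subject].add(r.location)
        return {s: sorted(locs) for s, locs in seen.items() if len(locs) >= min_locations}


def build_sample_db() -> ThreatDB:
    """Constructed reports for six weeks of activity around three notional sites."""
    db = ThreatDB()
    for r in (
        Report(date(2004, 1, 5), "Site A", "bomb threat", description="caller, no demands"),
        Report(date(2004, 1, 19), "Site A", "bomb threat", description="second caller"),
        Report(date(2004, 1, 22), "Site A", "photography of main gate",
               vehicle="silver sedan, plate SAMPLE-123", description="two males, no children"),
        Report(date(2004, 1, 25), "Site C", "photography of vehicle entrance",
               vehicle="silver sedan, plate SAMPLE-123"),
        Report(date(2003, 11, 1), "Site B", "bomb threat"),          # outside a 28-day window
        Report(date(2004, 1, 28), "Site B", "unattended vehicle near entrance",
               vehicle="white box truck"),
    ):
        db.add(r)
    return db


if __name__ == "__main__":
    db = build_sample_db()
    as_of = date(2004, 1, 31)
    print("repeated bomb threats:", db.repeated_activity("bomb threat", as_of, 28, 2))
    print("subjects seen at 2+ sites:", db.recurring_subjects(as_of, 28, 2))
    print("photography reports:", len(db.search(activity="photography")))
```

Run against the constructed reports, the first check singles out Site A (two threats inside the 28-day window; Site B's single threat is months old), and the second check ties one vehicle to both Site A and Site C, which is the cross-location correlation a paper log cannot surface quickly. A real deployment would back the same functions with the chosen database product rather than a Python list.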

Once the infrastructure is in place, operations can be initiated. As the operations are rolled out, one of the most common issues to arise is timing: exactly what timeframe should these operations be conducted within? The answer revolves around the type or types of attacks that are most likely to be launched against a particular target. The majority of attacks are likely to occur when the most damage can be done and the most casualties can be created. And there is no getting around the fact that the attackers will perform a significant portion of their intelligence gathering and physical surveillance in the same timeframe in which they plan on launching their attack. Coincidentally, this is the time when normal activity levels are typically at their highest, and in itself this offers the attackers a degree of anonymity as they go about their business of gathering intelligence. That is not to say that some of this activity won’t take place during off hours, just that the attackers need to have a full understanding of what the target might look like at the time of the attack and what challenges must be met in order to successfully launch a strike against that target. More than anything else, this highlights the need to key on activity that does not fit with the normal activity in and around the target. Using a crowded theme park as an example, it would not be unusual to see a man with a digital still or video camera capturing images of his kids enjoying their visit to “Wally World”. What may be unusual would be two males, both equipped with digital cameras, focusing their efforts on videotaping the entrances and ticket booths, or the security office and alternate exits; especially if they weren’t accompanied by any children.

Ultimately, in order for threat detection operations to be successful and productive, there needs to be a shift away from the flawed rationale that “it can’t happen here”. That sort of erroneous thinking contributed, to a certain extent, to the vulnerabilities that terrorists were able to exploit on September 11th. When thinking in terms of threat detection, it is necessary to keep in mind that, as mentioned earlier, terrorist cells must address a myriad of financial, logistical and transportation issues in order to successfully carry out their plans. The material, the vehicles and the money needed to execute their plan will in all likelihood come from somewhere beyond the immediate vicinity of the target. This has proven to be the case with numerous terrorist attacks, including those that were unsuccessful. The VBIED used in the 1993 attack on the World Trade Center was assembled in Jersey City, New Jersey; the device used in Oklahoma City was assembled in Junction City, Kansas; and if an as yet unidentified terrorist cell is determined to rain terror upon a city by releasing a large quantity of “methyl ethyl death” into the subway system, they aren’t likely to steal the material from that city. Instead, it is quite likely that they will plan and execute the first stage of the attack, acquiring a tanker full of “methyl ethyl death”, in some outlying town or rural area where the material is either produced or travels through on the way to its legitimate destination. The question is whether or not your agency, department or unit has committed the time, energy and resources needed to detect the attack in the planning stages, long before it makes the headlines.

Sidebar – Anatomy of a Flawed Attack

The following is a depiction of an actual event.
At approximately 1900 hours on Saturday August 9th, 2003, a Police Department in suburban New Jersey received a report of an altercation between a man and a woman outside a popular restaurant located adjacent to a large mall. It is important to note that on this night, as is the case on any given Saturday night, there was a 90 minute wait to be seated for dinner at the restaurant. The dining room, bar and outside seating area were filled to capacity and there was a crowd of thirty to forty people in the entrance foyer and on the sidewalk in front of the establishment.

While the police were en route, a silver convertible pulled up to the curb directly in front of the restaurant and was left standing with its hazard warning lights activated. The patrons waiting outside, having been distracted by the verbal confrontation unfolding within their midst, would later report that they could not recall who had left the car there.

The first vehicle to arrive belonged to the mall security department. The driver of this vehicle pulled directly in front of the gray convertible. Just a few seconds later the first Police Officer arrived on the scene. He pulled his car to the curb directly behind the unattended silver convertible. By this time the couple that had been arguing had already calmed down and immediately began downplaying the incident when questioned by the first officer on the scene. In quick succession six more officers arrived in four additional vehicles. By now, the curb on either side of the silver car was lined with police cars (see diagram 1). The contingent of Police Officers included one Lieutenant and two Sergeants, nearly the entire command structure for that shift.

At about this same time the bystanders and the Police Officers, all of whom were standing on the curb to the right rear of the unattended silver convertible, began noticing a burning smell coming from the silver car. While the Police Officers stood around the vehicle, quite literally smoking and joking, a mall security officer was dispatched into the restaurant to announce that the car would be towed if it was not moved immediately.

The driver of the car returned a few moments later, got in it and drove off. In this instance the silver car did not represent a threat to the patrons or Police Officers assembled in and around the restaurant, a fact that became clear only after the driver returned to the vehicle and drove off.

In situations such as this, where the situation, environment and circumstances viewed as a whole indicate that there may be a threat, the response should be configured to reflect the potential threat. As soon as the first car arrived upon the scene, the officer should have notified all responding units of the previously unreported potential threat. The bulk of the responding units would then deploy, in accordance with revised protocols, to locations that established a rather large perimeter around the potential threat while maintaining close enough proximity to the first officer to provide support should it be required (see diagram 2). As soon as the immediate situation (i.e. the altercation) is resolved, the mall security force and the Police Officers should focus their undivided attention on those areas where someone could be watching, gauging and documenting the response, or watching to determine the exact moment when the device would have the most devastating impact and then detonating it remotely.

About the Author
Joseph Autera is a former NCO in the United States Army. His tenure in the private sector includes work as an independent consultant as well as service as Director of Security for a prominent multinational technology concern. Mr. Autera has directed, planned and participated in threat detection operations in South and Central America, the Middle East and the Far East.

He is the founder and Chief Executive Officer of SECON Incorporated, a security consulting and training firm located in Metuchen, New Jersey. His clients include some of the most recognized names in the defense, technology and general aviation industries.

In addition, Mr. Autera is the President of Tony Scotti’s Vehicle Dynamics Institute, which provides defensive/evasive driving as well as threat detection training programs, to law enforcement, military and corporate security personnel.



Any and all reprints and redistributions of this article are strictly prohibited without the expressed written consent of the Author. Please direct questions or comments about this site to the webmaster@securitydriver.com. Copyright © 1999-2004. SecurityDriver.Com.  All rights reserved.