When the Front Lines Are Local
It was Friday afternoon at 2:00 p.m. in the autumn of 2003 when two Middle-Eastern-looking men, later identified as Mohammed and Omar, attempted to pass the front desk of a sprawling Jewish Community Center (JCC) in the Midwest. The receptionist stopped them, inquiring about their visit, and asked that they sign the visitors log. In broken English, Mohammed informed the receptionist that they were looking for their friend Amin, who was at the center attending a community-based course on English as a second language (ESL).
When the receptionist called the ESL offices and learned that no one by the name of Amin was or had been there, Mohammed asked to speak with someone from the program. Once on the phone, he told the ESL representative that he and Omar were from Morocco, Mohammed having lived in the United States for several years while Omar was a recent arrival. Both expressed an interest in attending the ESL classes.
After making an appointment for later in the week, the men left the building. The receptionist saw them immediately walk down an outside stairwell and try to enter a back door to the facility’s health club. The receptionist tried to stop them, but a club member who had seen Mohammed and Omar trying to get in opened the door for them.
The receptionist called the health club receptionist, but was again too late, so she notified security. About 40 minutes later, Omar and Mohammed again passed through the reception area and exited the building. Security was notified, and officers ultimately located the subjects at a nearby bus stop. Confronted about their unauthorized access into the facility, the men appeared surprised that their movements had been detected, but maintained that their visit was wholly innocent. Further investigation revealed that Mohammed and Omar had tried to enter a daycare center on the premises and had also been in several other areas of the JCC, including a stairwell leading to a basement maintenance and boiler room area.
The incident illustrates how the front lines in the war on terrorism extend potentially to the front door of any private enterprise. That is the real challenge of homeland security. And for management, the question is how best to prepare the company’s own security teams and other employees to handle this new counterterrorism responsibility. The first step is proper training.
Several initiatives related to homeland security training are underway to help businesses get up to speed. For example, the University of Findlay’s Center for Terrorism Preparedness (CTP), where the authors work, has trained more than 2,000 private security personnel, law enforcement agents, and other first responders since it was launched in mid-1999. In addition, more than 50 Ohio community colleges interested in providing homeland security training have established the Homeland Security Training Alliance. CTP, the State of Ohio, The Ohio State University, state law enforcement, and Ohio emergency agencies are now in the early stages of partnering with these colleges to offer statewide homeland security/antiterrorism training at the colleges.
Given law enforcement’s limited funds for training, the goal is to establish a strategic community/corporate alliance in which a company underwrites the training for its officers (and perhaps for police with whom they work or security officers from other businesses) as a good corporate citizen. Some companies have already done so. For example, Ross Laboratories (a division of Abbott Laboratories of Chicago) of Columbus, Ohio, has hosted antiterrorism training for both security personnel and law enforcement.
Courses. To get a sense of what type of training these programs may include, let’s look at what CTP’s curriculum covers. Costs per student depend on factors such as the type and duration of training. A two-day course on site-surveys for corporate security personnel runs about $450 per student; a one-day course on threat assessment management is about $250. A one-day refresher course on emergency response for first responders costs about $200. Recently, the center provided FATS (interactive simulation training available from Firearm Training Systems, Inc.) training for officers at a major insurance company. A week of training cost about $5,000.
CTP has developed educational and skill-set tracks for law enforcement and security managers that are critical to the operational support of an effective antiterrorism and asset protection plan. The courses relate directly to the six primary critical mission areas outlined in the national strategy for critical infrastructure protection.
Site survey. In a class called “Facility/Site Survey and Documentation,” students learn the basics of scouring a site for vulnerabilities. A university building is used as the facility to be analyzed. From this point, students learn how to develop a vulnerability assessment and investigate the role that vulnerability assessments play as part of an organization’s overall protective strategy to reduce risk.
Specifically, the vulnerability assessment identifies and analyzes the strengths and weaknesses of a physical protection system (the integration of people, procedures, and equipment for the protection of assets or facilities against theft, sabotage, or other malevolent human attacks), or PPS. Course participants are instructed to consider vulnerabilities in light of what they have determined are the highest credible threats.
The results of site surveys provide critical information for first responders. For example, they might contain details on the types of locks a SWAT team would have to breach to enter the facility, where police can take cover in a shootout, where firefighters can find standpipes, and so on.
Threat-assessment management. Terrorists invest extensive time in planning and preparation prior to carrying out an attack. Security personnel at any potential target site need to invest time in looking for signs that terrorist planning is in progress. A course on threat-assessment management (TAM) explains the process of investigative and operational activities designed to identify, assess, and manage persons or groups who pose a threat of targeted violence. TAM can be an effective tool in the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets as part of an integrated systems approach to security. The proper assessment of threats can help a company balance its implementation of protective measures.
For example, in the case involving the Midwestern JCC, staff there might determine through a threat assessment that its greatest concern is attacks from Islamist and right-wing domestic terrorists. An appropriate response to the threat might be closer coordination with law enforcement and the posting of still images of Mohammed and Omar at the front desk, the daycare center, the health club, and other key points. The center might also consider elevating its alert level—its version of increasing from “yellow” to “orange” under the homeland security advisory system, for example—which could include specific measures such as posting more officers. Of course, since the JCC is available to the entire community, security must be balanced with the need to provide a welcoming atmosphere.
CVAM. CTP’s Community Vulnerability Assessment Methodology (CVAM) is a five-day course developed by Sandia National Laboratories and offered under license by CTP to critical infrastructure stakeholders. The CVAM builds on basic vulnerability assessment principles, but it is adapted to address additional community issues, such as interdependencies among critical infrastructure stakeholders.
The objective of the CVAM course is to provide attendees a consistent risk assessment methodology that they can use to evaluate their PPSs. Without this kind of careful assessment, the organization might waste valuable resources on unnecessary protection or, worse yet, fail to provide adequate protection at critical points within the organization.
ATAP. The overview course “Writing an Anti-terrorism Asset Protection Plan” (ATAP), designed for students who have taken courses that cover site surveys and TAM (or who are already well-versed in those processes), assists managers and planners in developing organizational and facility plans for antiterrorism and asset protection. As opposed to emergency operations plans, which are reactive, ATAP plans are designed to be preventive.
ATAP course participants are provided training aids and planning templates to assist them in developing and writing these plans. In most cases, students are security managers who have already written a plan or are working with a plan. The course helps them tweak their plans to adapt to the threat of terrorism.
Planning templates cover all facets of business in which terrorism is a threat, such as overseas travel. But students are instructed to focus on the highest credible threat and undesirable consequences, which they, not the instructors, determine. (The theory is that a plan based on the highest credible threat should also address the vulnerabilities that are exploited by lower threats.) Students are told to examine critical assets, previous incidents at their facility, incidents in the region, and incidents in the industry, among other factors.
For example, when security personnel for an automobile manufacturer took the course, the security manager indicated that the primary threat was to its paint room. Not only would a breach there allow terrorists to gain access to deadly chemicals, but a disruption to the paint supply would halt the assembly line.
Other topics discussed in the class are interdependencies and strategic alliances among the private sector, government, law enforcement, and the military for information sharing; emerging technologies in vulnerability and risk assessment for the protection of critical infrastructure (such as risk assessment methodologies developed by Sandia National Laboratories); principles and protocols of threat-assessment management and the deployment of threat condition response measures; and weapons of mass destruction.
Class discussion has also covered networking facilitators such as Information Sharing Analysis Centers (ISACs). In addition, students learn about local groups such as the Security Management Intelligence Network of Ohio, a mixture of law enforcement and private security personnel who meet quarterly or more frequently as necessary. Also, the Ohio Department of Public Safety and the Ohio Department of Homeland Security have linked up in an intelligence network that will be made available to both the public and private sectors.
First responders. In the First Responder I course, security or law enforcement officers are trained to identify and properly respond to a terrorist incident involving weapons of mass destruction (WMDs). The training, which integrates short lectures with tabletop exercises, is designed to increase the responding officer’s knowledge of the tactics necessary to survive WMD incidents. The course provides students with an in-depth review of the biochemical threat, including the basic preparations, considerations, and precautions that can be taken to effectively manage such incidents. For example, security personnel are trained to employ effective sanitation measures, such as prohibiting eating or drinking in the immediate area of the incident and preventing staff from touching potentially hazardous objects.
Instructors for the United States Border Patrol (USBP), San Diego sector (which contains some 1,300 agents) took this class as part of a “train the trainer” regimen this past year. The 16-hour class started with terrorism awareness and interdiction and ended with information on incendiary, biological, and chemical agents. It was a classroom-only lecture series with the agents taking the material to other USBP agents as an in-service class.
Among other benefits, the class shed light on how terrorists target critical infrastructures and the risks posed to such infrastructures under the USBP jurisdiction, such as generating stations. It also made agents aware of how wide-ranging terrorist targets and techniques can be. Agents learned that some Western fires have been caused by people intentionally dropping flares from helicopters. While there is no evidence that any of these incidents involved terrorism, it pointed up techniques and targets that could be used by extremist groups.
Other principles. Several overarching training principles are reinforced in all classes. These principles, which should be present in any homeland-security training course, include cross-training, performance-based training, and training for proficiency.
Cross-training. Security and law enforcement teams should train with groups or agencies with whom they could be expected to work in a real incident, and all participants should discuss lessons learned. For example, security can cross-train with the safety or HR department for, say, evacuations in the event of a threat of an anthrax incident or bomb threat. This training exercise offers the opportunity to uncover any problems that might arise in a collaborative response, such as conflicting security and safety protocols for evacuations.
Training also helps personnel practice the distinctive response sometimes required for a terrorist incident as opposed to a natural disaster or other incident. For example, an anthrax release through a building’s HVAC system might call for the setup of a safe, upwind medical assessment area where occupants could be taken for observation and evaluation. Other types of evacuation, such as for a fire alarm, wouldn’t have that component.
Performance-based training. As with any security training, individuals and teams training for homeland security should be tested “hands-on,” not just with written tests. All training should be as realistic as possible; in other words, companies should train as they would fight.
Each task must be measured against realistic and challenging standards. For example, CTP trains officers in “shot avoidance” during “simmunition” training, in which water-soluble bullets are used to simulate attacks on trainees. Students must react instantly to get off the line of attack to avoid being shot.
Student or team progress (or lack thereof) must be documented. For example, if the exercise involves a hazmat incident, one element might require an officer to don a Class A (military-grade) hazmat suit within a certain number of minutes.
Security staff should be able to accomplish required tasks in less than ideal conditions and to do it to standard. Thus, the training exercises and tests should throw a few curve balls at trainees. For example, CTP instructors sometimes remove the batteries from radio equipment to simulate communications failure during a training exercise or create weapon malfunctions as part of the training.
Sustaining proficiency. Training should be designed to sustain proficiency. Students are taught that skills, especially team skills, are perishable and must be practiced to be maintained. One example of how this can be done is to work the training into a company’s threat-condition response measures. These measures, borrowed from the military and taught at CTP, are essentially antiterrorism measures tailored to particular threat levels.
Planners and trainers can work drills and skills typically reserved for higher threat-level conditions into the normal everyday working environment as a way of ensuring that staff will be familiar with what they need to do at that higher level even though it is not often implemented. For example, if the threat condition is yellow, staff can periodically practice an “orange” (high risk of attack) measure, such as checking all vehicles and briefcases of people who enter the facility. Of course, specific procedures depend on the type of facility, industry, and other threat factors.
As an added benefit, training can include a component on equipment upkeep. In this manner, maintenance is no longer shunned or delayed, and all team members learn about various systems, rather than having that knowledge reside only with a system specialist. Staff should check such items as fire extinguishers, backup radios, and backup generators. Teaching proper maintenance of hardware should be an ongoing training exercise.
Putting it together. Students must ultimately translate classroom concepts into specific actions at their facilities. In the JCC case, for example, strategies to take back from the classroom are limited by the facility’s low security budget and open nature. Still, staff could increase their antiterrorism posture by incorporating certain principles.
For instance, one preventive measure that could be adopted is conducting security awareness training for staff on how terrorists and other violent people often conduct extensive surveillance. Had more staff been aware that the behavior like that of Mohammed and Omar should be considered suspicious, they might have more successfully deterred the men or more quickly notified law enforcement. It is also worth noting that regular contact and coordination with local police and the FBI would likely make law enforcement particularly responsive to such a call.
A public facility such as the JCC should also consider how visitors can help with security if their awareness is properly raised. For example, signs might be posted in the daycare center, health club, and elsewhere reminding parents and exercisers not to hold the door open for an unknown person. Such a policy is easy to communicate and easy to comply with, and most users will appreciate the concern for their well-being.
In fact, the JCC has adopted some of these measures. It has also bolstered its incident-reporting system, in which every security event or suspicious activity is logged and examined.
Status quo. In a typical class, instructors find that most of the organizations represented by attendees have already developed written plans, but the plans tend to be outdated. Students are given the tools they will need to help these organizations bring their plans up to date to respond to the new threat environment. During this process, the most common stumbling point for students is choosing among the various mathematical equations used to calculate risk; instructors guide them toward the right course of action.
Getting results. Given corporate reluctance to increase spending, students are encouraged to involve stakeholders from the organization in the threat-assessment and risk-assessment processes. Stakeholders are asked to agree on the highest credible threat and to approve or reject current physical protection levels. If current levels are not acceptable, then the security professional can recommend upgrades commensurate with the risk. These upgrades can be spread over three to five years for budgetary reasons.
Students are also taught that they need not reinvent the wheel; if protocols exist for given situations, security should simply incorporate them in their plans. For example, companies need not craft their own evacuation-distance guidelines. Instead, they can benefit from blast-effect studies, which outline minimum evacuation distances for vehicle bombs, conducted by the Bureau of Alcohol, Tobacco, Firearms and Explosives. For instance, the minimum evacuation distance for a passenger van suspected of being loaded with explosives is 2,750 feet.
Not every private company has seen an equal need for such extensive homeland security training. CTP training thus far has mostly been of interest to those in agribusiness, transportation, and the oil and energy sectors. But executives assessing the need for training should remember that on 9-11, terrorists did not exclusively target critical infrastructure; in addition to attacking the Pentagon, they targeted basic businesses in the heart of the U.S. financial district.
It is often said that all politics is local. So it is with terrorism. Though the fight against terrorism stretches around the world, at its core, homeland security is very much a local issue. For that reason, every organization should be thinking about how it can develop its own first-class corps of homeland security officers. And the first step of that long trip is training.
Leonard (Lenny) A. Hall is an adjunct instructor and consultant for the University of Findlay, Center for Terrorism Preparedness. He is also the CEO of Hall & Associates, Inc., an investigation and security consulting firm, with headquarters in Columbus, Ohio. He is a former chairman of the Columbus Chapter of ASIS International. Rick Adrian is co-program manager, law enforcement at the same institution.