A Pound of Prevention
When he pulled into town, his was a familiar face to security guards, loading dock employees, and truck-stop waitresses. He was Lyman Faris, the burly, 30-something trucker with the bushy mustache, the Columbus, Ohio, family man with the gleaming smile who drove his rig across the country delivering cargo to businesses and airports.
To a more select audience, however, he was Mohammad Rauf, born in Kashmir in 1969. During breaks from the road over the last several years, Faris had found time to visit Pakistan and Afghanistan, where he met Osama bin Laden, joined the jihad against America, and began working with one of al Qaeda’s top operational leaders, according to court documents filed against him by U.S. authorities.
Communicating with his Middle East terrorist commanders via coded e-mails, Faris helped prepare schemes to bring down the Brooklyn Bridge, obtain ultralight planes for al Qaeda attacks, derail passenger trains, and—according to at least one report—pack a truck with explosives and detonate it at an unspecified location. The plans hit a roadblock during a reconnaissance operation in New York last year, when Faris spotted the tight security surrounding the Brooklyn Bridge. He e-mailed his leaders that “The weather is too hot,” indicating the plot could not succeed because of the bridge’s security and structure. Before he could sabotage a train or explode his truck, Faris was arrested. Last June he pled guilty to two terrorism-related charges.
Government officials have not publicly stated whether Faris has identified any other terrorists at large in the United States, but the message to corporate security managers is clear. Even after 9-11, al Qaeda operatives have proven able to access America’s business and transportation infrastructure. Top officials at the Department of Homeland Security (DHS) won’t discuss specifics, but the department’s bottom-line message is stark. United States business and industry is being targeted, says Robert Liscouski, the DHS Assistant Secretary for Infrastructure Protection. He adds that executives in private industry “absolutely need to be worried about it at the physical and cyber levels.”
Moreover, according to Liscouski, DHS is now pushing what some call a “paradigm shift” in the government’s homeland security strategy. Since 9-11, much of the public focus has been on disaster recovery and mitigation, reducing the impact of terrorism, and responding effectively once blood has been shed. Federal assistance programs have spent billions to help state and local first responders react to weapons-of-mass-destruction attacks. Government agencies and corporations have invested heavily in blast-mitigation and recovery plans.
Liscouski says that DHS is now emphasizing prevention. “It’s more cost-effective to prevent than it is to recover,” he says. Liscouski and others at DHS estimate that “the national mind-set” is now focused 70 percent on responding to terrorism and just 30 percent on preventing it. Liscouski wants that ratio reversed.
So what should security managers be doing? They should develop a program designed to detect, prevent, and respond to a terrorist attack. Such a program would consist of threat assessments and countersurveillance, formalized intelligence sharing and information protection, awareness of and response to “indications and warnings,” efforts to secure the supply-chain, and attention to nonsecurity staff training. (And, of course, they will have to gain senior management support for all of these efforts.) While most companies will never face a terrorist attack, many of these preparations will also improve security against more common threats such as criminals and disgruntled employees.
Threat evaluation. The first step in counterterrorism is no different than the first step in any other type of security: a threat evaluation. Sometimes called “facility characterization” or “target value assessment,” this process entails determining who would want to attack the company and why. It starts with analysis of the organization, its people, and its facility to assess whether any of these elements might be seen as social, cultural, or economic icons whose destruction would serve terrorist goals. (Typically, this analysis would be part of a facility’s comprehensive “all-hazards” vulnerability and risk assessment and disaster recovery plan, which covers both man-made and natural threats.)
But focusing on protecting one’s own operation is not enough. Security professionals need to factor in an “exploitation of infrastructure” attack, whereby terrorists attempt to use a victim organization’s assets to strike another target. For example, security personnel at chemical plants must not only protect their own facilities from attack but must also ensure that their hazardous materials are not stolen for use against others.
Nuclear power plants, airlines, and similar sectors whose assets could be used against other victims have long understood the need for this broader perspective. Now even security professionals at places such as sporting goods companies or credit card firms should take this broader view of threats when doing an assessment. Sporting goods companies might sell scuba tanks that could be used in the type of underwater terrorist attack that DHS has warned about, and credit card companies might see their products employed in fraudulent fundraising schemes by terrorists.
Delivery companies and uniform suppliers may not at first have considered themselves terrorist targets. But when doing a threat assessment today they should bear in mind that DHS has warned that foreign terrorist groups have used stolen or imitation official vehicles, uniforms, and identification to conduct operations. Thus shipping companies and uniform sellers are on direct notice that they are helping defend against terrorist incidents. DHS recommends that uniform vendors establish systems to verify the identities of purchasers and that government organizations and companies strip their vehicles of identifying markings before selling or salvaging them.
No one expects the average business to do background checks on all its customers. But just by being aware of potential threats and the tools terrorists seek to acquire, employees might spot suspicious activity and tip off authorities. Several such clues, including tips from flight-school employees, were missed or ignored before 9-11. Federal agencies have now beefed up their analytical capabilities, and today a tip from a concerned business operator might help connect the dots and disrupt a potential attack.
Countersurveillance. In addition to conducting a general threat assessment, companies should be aware that al Qaeda operatives are meticulous, perhaps even obsessive, in their surveillance of potential targets. If companies are on the lookout for signs of that type of surveillance activity, they can be forewarned and can take steps to interrupt the plans for the attack. Such surveillance activity might include note taking or the use of photography or video-recording equipment.
DHS has alerted companies to various signs of al Qaeda surveillance. For example, photos obtained from raids of al Qaeda hideouts have depicted railroad engines and freight cars, and there have been reports of suspicious people videotaping subway stations, tunnels, landmarks, and other elements of infrastructure. These people then flee as police approach.
Another tactic is for an operative to make anonymous threats via telephone and e-mail, then monitor the target’s threat-response procedures. In addition, al Qaeda operatives are trained to disguise themselves as panhandlers, demonstrators, shoe shiners, food or flower vendors, news agents, and street sweepers. They may also be on scooters, bicycles, or other vehicles—and they may carry multiple sets of clothing or identification credentials.
Security officers should be trained to catch surveillance teams in the act, such as by looking for cameras, video recorders, tape recorders, or similar equipment at unlikely locations. They should also be trained and tested on approaching suspicious people and asking standardized questions. By comparing the responses to these questions, security personnel can identify common patterns that may betray organized intelligence gathering and cover stories.
Undercover countersurveillance teams should discreetly and frequently make rounds or loiter in the area posing as bystanders; for example, they might sit in the patio of a next-door coffee shop to watch for signs of enemy surveillance. Other observers might be placed in concealed positions that would not be visible to enemy surveillance teams. Depending on the facility structure and environment, that might mean behind a tinted window in an office or in the tree line at a suburban campus. Staff assigned to these positions should be rotated regularly, lest they feel banished to the periphery or be tempted to shirk their duties when out of sight.
Regular guard patrols should be set up so that routes and times do not fall into a pattern that an attacker could learn and exploit. While CCTV cameras can remain obvious for a deterrent effect, some should be set up to blend into the architecture or otherwise be made covert. Hidden sensors at a facility’s perimeter are also an option.
Security should also “push out the perimeter,” identifying off-site locations from which terrorists could observe or attack. One example of a facility that is doing this is the Port of Beaumont in Texas. Since receiving homeland security training “we have increased the frequency of outside and inside perimeter patrols,” says Jim Norwood, chief of the police department that protects the port. Norwood notes that outside patrols now extend three or four blocks beyond the formal perimeter to ensure that no one approaches the port undetected. “Our personnel are more alert to their surroundings now, and watch for suspicious people outside and inside our facility,” he says.
Intelligence sharing. A formal system to share intelligence must be in place, if possible with compatible reporting and analysis procedures. Businesses representing critical infrastructures can turn to Information Sharing and Analysis Centers (ISACs), which were established by Presidential Directive 63 in 1998. Some industry ISACs have created standardized procedures and reporting mechanisms, while others are lagging behind.
Companies not considered part of the critical infrastructure have many other formal channels for sharing information (see “Shared Intelligence Makes Everyone Smarter” in the January issue of Security Management). But companies also might want to start on a smaller scale, such as by standardizing security incident forms and reports with neighboring companies or other businesses in the same industry.
Another strategy is to require third parties to use certain reporting and analysis procedures as a prerequisite for being awarded a contract. Ideally, these procedures would be compatible with those used by larger information-sharing groups such as ISACs.
Security should take advantage of creative and cost-effective methods of collecting intelligence. For example, business travelers can contribute to the company’s security program, advises John Cross, a former CIA officer and president of SpecTal, LLC, a Virginia company that provides specialized security and intelligence solutions to government agencies and corporations. Many firms require executives to complete a trip report once they get home; such reports normally cover issues such as sales leads and business conditions. Cross recommends that companies require a section on security.
Executives should be trained before they go to note anything relating to safety or security, from suspicions of surveillance to blocked fire exits at their hotel. The security department should collect and analyze these trip reports, integrating them with alerts from external sources such as the Department of State, DHS, and ISACs to discern indications and warnings (discussed later). This data can also help refine security plans and generate useful advice to the next traveling employee. Requiring travelers to report on security also makes them more mindful of their personal safety.
Information protection. Companies should identify key data about their facilities that must be protected. Protective measures include shredding sensitive documents, encrypting radio transmissions, setting and enforcing policies on what employees may discuss outside of the office, and training staff on how to avoid ruses designed to obtain sensitive information such as computer passwords.
Corporate Web sites and brochures are frequently sources of valuable information for terrorists, and this risk should not be overlooked. The infamous “al Qaeda Manual” (located by English police while searching a suspected terrorist’s home) reflects this trove of information. The manual offers detailed instructions on intelligence gathering, including the exploitation of public information on the Internet: “Using this public source openly and without resorting to illegal means, it is possible to gather at least 80 percent of information about the enemy,” according to the manual. Indeed, Faris the truck driver was tasked by al Qaeda to conduct Internet research.
Organizations are thus well advised to scrub their publications and Web sites of proprietary data. “We have examined our Web pages and removed critical information about our infrastructure,” says Norwood of the Beaumont port. Specifically, officers removed a map of the port, diagrams of certain facilities, and photos of key structures.
In addition, after the 9-11 attacks, many government agencies removed what they considered to be sensitive information from their Web sites. The Environmental Protection Agency deleted data on chemical reactions and plant response plans for the release of dangerous agents. Many details on nuclear facilities were eliminated from the Nuclear Regulatory Commission’s Web pages. The Department of Transportation removed pipeline information from its site.
While it’s important to provide information to the public, companies should also understand the potential value of the data to attackers and balance disclosure accordingly. In some cases, organizations have moved sensitive data of public importance to on-site reading rooms, preserving the community’s access but cutting off potential foreign adversaries.
I&W. Indications and warnings (I&W) are red flags that signal the potential for an imminent attack. These red flags should trigger a planned response from the company. For example, if an organization detects possible surveillance in the same week that some of its guard uniforms go missing, the security plan might be set to respond with an automatic increase in the security level. I&W could include events far outside the organization’s perimeter, such as a threat to company operations in a foreign country or an industrywide alert from DHS.
DHS’s Threat Advisory System should form a key part of an organization’s indication and warning process. When the national threat is raised from yellow to orange, for example, certain set procedures and enhancements should be implemented. Company policy could require such measures as reviewing emergency plans; requesting that staff keep alert for, and report, suspicious activity; increasing the magnitude and frequency of mail and vehicle inspections; increasing patrols; prohibiting parking near critical facilities; installing barriers and checkpoints; extending the security perimeter; increasing coordination and information sharing with neighboring facilities; and requesting increased patrols from local police.
Supply chain. Many companies require ISO certification or other specific quality standards from their suppliers and vendors. But few require vendors to meet security and recovery standards. This is a serious mistake. If a vendor’s uniforms and identification cards are stolen, for example, businesses using that vendor should know. Organizations should familiarize themselves with—and in certain cases even mandate—measures to protect the supply chain, such as using global positioning and tamper-indicating seals to ensure the security of shipments.
The reality of business is that many partners may be small firms with limited security resources or knowledge. Any one company’s security is no stronger than the weakest link in that company’s supply chain. As suggested earlier, businesses may require contractors to meet minimum security requirements, as is common in the defense sector. Also, a company can dispatch security personnel to contractors or potential contractors to check out procedures and practices. Contractors might also be directed to ISACs for best-practice advice. Because of the burden that extra security puts on small businesses, not to mention the competitive disadvantage in which it places these firms, companies should be prepared to pay more for these services if the requirements cause substantial expense to vendors.
Nonsecurity training. Lobbies, loading docks, perimeters, and other physical sites are obvious locations to protect. But the space between employees’ ears may prove to be the most important sector one can secure; staff are either a company’s bulwark or its Achilles heel. The following should be among the key training topics covered:
Awareness training. The toughest lock in the world does no good if left open. The clearest evidence of surveillance provides no benefit if left unreported. The most sensitive information remains no secret if divulged at the local bar.
Security professionals should avail themselves of the eyes and ears of employees by training them on threats and methods of proprietary-information protection. Combined with instruction on basic emergency response and disaster recovery, this general employee training should ideally cover a half day. The other half day can be devoted to management, to provide them with detailed threat briefings and an overview of the company security plan.
Key executives should take part in a tabletop exercise, where they test their knowledge of the plan in a scenario. Tabletop exercises increase the security awareness and buy-in of senior management. They also offer security personnel an opportunity to test the plan and make improvements.
A common error in tabletop exercises is to fail to define clear goals for the exercise, including specific learning objectives. In addition, to be useful, a tabletop exercise must reflect the company’s specific risk profile, with consequences for all major stakeholders. For example, participants can adopt roles as reporters and call the marketing team for information, while others can pretend to be employee spouses and besiege the human resources department with phone calls asking about loved ones.
If possible (competitive concerns might make it unfeasible), the exercise should be overseen by outside observers or controllers. Consultants can be hired for this task, but a more cost-effective method is to borrow colleagues from another company or local law enforcement, then return the favor. The bonus to such a reciprocal arrangement is that staff will likely take home valuable lessons from the other company’s exercise.
One common training problem is finding time in a busy workday. Companies might get around this issue by breaking up training into shorter modules and providing on-site training during shift changes and during other briefings. Security managers should request that departments designate motivated personnel as security/safety team leaders. Training can be focused on these employees with the aim of making them peer advocates and champions of strong security.
A more stringent approach to training would be to include security issues in employee objectives and performance evaluations. Especially for executives, contributing to corporate security should be part of the job description.
Executive travel. Some of the most valuable corporate assets—high-level personnel—routinely make themselves vulnerable by traveling to international locations. “Train your people to make themselves appear less important but more observant,” recommends Cross, the former CIA officer.
His company’s instructors teach many traditional travel security techniques such as dressing to blend into the environment and avoiding shows of ostentation, and they offer lessons from their experience working for intelligence, law enforcement, and military organizations in high-threat environments. Look at everything through the eye of a potential attacker, Cross recommends.
The traveler should consider what actions might provide useful information to an attacker and then avoid those actions. For example, security personnel should ensure that neither corporate executives nor their staff use the company name or their title when making airplane, hotel, or restaurant reservations. Executives should be taught that some traditional perks and status symbols are not worth the price in reduced security.
To detect trademark al Qaeda surveillance, Cross suggests that key employees receive basic countersurveillance training. Familiar tactics for shaking a tail, such as using the reflection in a store window, cutting through a store, or stopping to tie a shoe, are still effective.
But Cross also suggests less traditional methods for traveling executives. “Stop, turn around, and look for eyes,” he advises. “If someone behind you suddenly looks away, pulls up a newspaper, or ducks in a doorway, it may be a sign of surveillance.” More experienced and savvy operatives may not be so obvious, but an alert traveler may encourage a pursuer to find easier prey.
Business travelers should also overcome potential embarrassment about seeming hypercautious. When a traveler suspects foul play, he or she should head to the nearest police officer and relay any concerns. A traveling executive wants a potential tail to know that he or she has been spotted and reported. It makes the traveler a harder target and could deter attack, Cross says.
There’s no question that terrorism-prevention techniques work. Good security around the Brooklyn Bridge helped deter Faris and his al Qaeda cohorts from attacking. Sound intelligence and investigation tactics helped put him behind bars before he could claim any victims. But the very success of “target hardening” at major facilities may prompt terrorists to shift their efforts to less prepared organizations. So the push for ever improving terrorism-prevention programs must continue. And every business has a role to play.
Mark Sauter is chief operations officer at the Chesapeake Innovation Center, an incubator for homeland security-related technology. Ken Holshouser is chief executive officer of the American Institute of Homeland Defense (AIHD), which provides homeland security training and education services. Jim Doane, a retired law enforcement officer, is director of homeland security and criminal justice training at the Lamar Institute of Technology in Texas, a strategic partner of AIHD.