UNDERSTANDING HOSTILE RECONNAISSANCE
A GOOD PRACTICE GUIDE
JULY 2010

Handling instructions

While this guidance does not carry a protective marking, it is recommended that, due to some of its content, it is only distributed on a need-to-know basis within an organisation, including to contractors. Those familiar with CPNI's Information Exchanges should note that this is a similar concept to AMBER on the Traffic Light Protocol for handling information. More information on this can be found on CPNI’s Extranet.

Disclaimer

Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes.

To the fullest extent permitted by law, CPNI accepts no liability for any loss or damage (whether direct, indirect or consequential and including, but not limited to, loss of profits or anticipated profits, loss of data, business or goodwill) incurred by any person and howsoever caused arising from or connected with any error or omission in this document or from any person acting, omitting to act or refraining from acting upon, or otherwise using, the information contained in this document or its references. You should make your own judgement as regards use of this document and seek independent professional advice on your particular circumstances.

Contents

Introduction
The threat
The use of open source material and other methods in hostile reconnaissance
Hostile reconnaissance and attacker requirements
Identifying and countering hostile reconnaissance
Analysis of hostile reconnaissance incidents
Security questioning
Reporting incidents
Appendix 1 – Suspicious behaviour codes
Appendix 2 – Summary of behaviour codes and risks
Appendix 3 – What to report
Appendix 4 – Further advice
Appendix 5 – Initiating a surveillance detection programme
Getting started
Surveillance detection area categories
The surveillance detection specialist
Types of surveillance
Operational environment
Carrying out surveillance detection
Smaller scale security programmes
Conclusions and recommendations

Introduction

Centre for the Protection of National Infrastructure

The Centre for the Protection of National Infrastructure (CPNI) is the government authority that provides advice on protecting the country’s essential services, facilities and networks from terrorism and other threats.

The National Infrastructure

Nine different sectors form what is known as the national infrastructure. These provide the services which support everyday life:

- Communications
- Finance
- Health
- Emergency Services
- Food
- Transport
- Energy
- Government
- Water

CPNI provides security guidance, training and research from a physical, information and personnel security perspective. It aims specifically to reduce the vulnerabilities within these sectors, with particular emphasis on the most critical elements. Loss or disruption to any of these could cause severe economic or social consequences or even loss of life.

In addition to the nine sectors above, CPNI also provides similar advice to organisations engaged in planning and running the London 2012 Olympics.

The aim of this guidance

This guidance is to inform security managers within the critical national infrastructure (CNI) about the issue of hostile reconnaissance, to explain the research that has gone into analysing previous hostile reconnaissance incidents and to then outline how appropriate advice and techniques can be applied within their own environments.

It is understood that criminals and terrorists will use open sources, such as the internet, to conduct elements of their reconnaissance on a target, but it is likely that at least some kind of physical surveillance will be needed to supplement this. For example, the 7 July 2005 bombers carried out a ‘dry run’ a week or so before their actual attack. This guidance therefore concentrates on this element of attack planning only.

The final appendix of this guidance offers security managers a stand-alone document to help them set up a surveillance detection programme. For those that already utilise such techniques, the guidance will help reinforce messages and practices available to security departments.

It is recognised that the formation of a dedicated surveillance detection team may be beyond the scope of some organisations. Nevertheless, security managers may find the advice on the various elements of attack planning, identifying and countering hostile reconnaissance, questioning and reporting useful, and these issues are equally applicable to more conventional security forces.

Whatever regime is introduced, security managers should be mindful of the law and the impact their security officers’ actions may have on the area around their facilities. There have been articles in the media about over-zealous security officials and police officers stopping photographers and tourists, sometimes under seemingly spurious grounds.

This guidance will use the term reconnaissance when referring to the act carried out by criminals and surveillance when referring to the detection of said reconnaissance by security personnel.

Research

This report was written in association with surveillance expert Mike Cannon and supplemented by interviews with a number of specialists, including officers from police Fairway, NaCTSO and NPOIU units [1]. This has been complemented by analysis of the hostile reconnaissance data held on the National ACPO TAM [2] Fairway database.

[1] Further information on these units can be found in Appendix 4.
[2] The Association of Chief Police Officers (Terrorism and Allied Matters) (ACPO TAM) deals with terrorism, extremism and associated issues and has provided assistance in writing this guidance.

The threat

Terrorism

The UK faces a range of threats to its security. There is a serious and sustained threat from international terrorism to the UK and UK interests overseas. As of May 2010, the current threat level in the UK is assessed as SEVERE, which means an attack is highly likely. The most significant terrorist threat comes from Al Qaida, its associated networks and its supporters.

Irish-related terrorism continues to pose a threat. Dissident republican terrorist groups, who have rejected the Good Friday Agreement of April 1998, continue to mount attacks in Northern Ireland and still aspire to mount attacks in Great Britain.

Espionage

The threat from espionage against the UK did not end with the collapse of Soviet communism in the early 1990s. Several countries are actively seeking British information and material to advance their own military, technological, political and economic programmes. [3]

Domestic extremism

Domestic extremism is most commonly associated with 'single-issue' protests, such as animal rights, environmentalism or anti-globalisation. Crime and public disorder linked to extreme left or right wing political campaigns is also considered domestic extremism. The majority of people involved in animal rights, environmentalism and other campaigns are peaceful protesters and never considered 'extremist'.
The term only applies to individuals or groups whose activities go outside the normal democratic process and engage in crime and disorder. [4]

Crime

There are a variety of criminal activities that may affect different organisations within the CNI. This may include armed robbery, counterfeiting, fraud, identity crime, intellectual property crime, kidnapping and vehicle crime. [5]

Terminology

Rather than repeatedly naming each of the above threats, this guidance will use the generic word ‘criminal’ when referring to those individuals and groups carrying out hostile reconnaissance. Unless otherwise specified, the techniques and behaviours described will be common to the above groups.

[3] More information on terrorism and espionage can be found at www.cpni.gov.uk/Threat/summary-221.aspx
[4] More information on domestic extremism can be found at www.netcu.org.uk
[5] More information on organised crime can be found at www.soca.gov.uk/threats

The use of open source material and other methods in hostile reconnaissance

The internet

The use of the internet by terrorists is widely acknowledged, particularly using it to promote messages and distribute statements (such as those issued by Al Qaida and its affiliates through a network of websites). Less well understood is how terrorists, criminals and protestors also use the internet to inform their attack planning and profile building. For example, information that can easily be obtained from corporate websites, personal profiles on social networking sites, online maps or the electoral roll can serve as valuable targeting information.

Other techniques

Terrorists and criminals may also attempt to gather useful information about a target by using insiders in a particular organisation or bribing those with access to particular details. Discarded waste can also reveal a wealth of targeting information, such as financial statements and receipts.
The latter can be particularly useful in helping to build a pattern of life in respect to the target’s interests and routine.

Physical reconnaissance

Barry Dickinson
In 2004, Barry Dickinson, who worked for the DVLA, was jailed for five months for providing animal rights protestors with the addresses of people connected to a facility that was breeding animals for testing purposes. The protestors supplemented their (physical) hostile reconnaissance of their target site with the information gathered from Dickinson to carry out a series of attacks on several homes.

While all such practices are established tactics within the reconnaissance process, a successful attack also needs the level of detail that can only be provided by viewing the target in person to ensure there are no hidden surprises and get a ‘feel’ for the environment. The following guidance deals exclusively with physical reconnaissance being carried out against a target.

Advice on protecting individuals and businesses against identity theft can be found at a number of websites including:

- www.identitytheft.org.uk
- www.cifas.org.uk/default.asp?edit_id=561-56
- www.nactso.gov.uk/documents/secure-in-the-knowledge.pdf

Hostile reconnaissance and attacker requirements

Hostile reconnaissance

Hostile reconnaissance is the purposeful observation of people, places, vehicles and locations to collect information to inform the planning of a hostile act against a specific target.

All criminal acts require intelligence about their targets and their environments in order to identify the best method and time of attack. The information gained from conducting physical reconnaissance of the target will inform all stages of attack planning – from the selection of one target from a number of options, through to the exit routes that the perpetrators intend to use following an attack.
Though significant intelligence can be gathered from open sources or the local knowledge of cells, sympathisers and associates (see previous chapter), some of the most critical details for an attack can only be obtained from the close, physical observation of the target’s routines, procedures, electronic and physical security, lighting, access routes and assembly points.

Dhiren Barot
Dhiren Barot was sentenced to jail in November 2006 after pleading guilty to conspiracy to murder people through bombings in the UK and USA. Barot, a convert to Islam, had received extensive terrorist training in Pakistan and stated he wanted to carry out an attack on the scale of the 2004 Madrid bombings. He developed a number of plots, including one to detonate three limousines, packed with gas cylinders and explosives, next to or under targets in the UK and another to construct and explode ‘dirty bombs.’ In order to prepare for his attacks, he conducted extensive research, using open sources and extensive reconnaissance against his targets. These included a number of high-profile hotels in London as well as three of its biggest rail stations. His reconnaissance also included filming of various locations in the USA, including: the International Monetary Fund and World Bank buildings; the New York Stock Exchange and the Citigroup buildings, in New York. This filming was notable for his concentration on entrances, security cameras, barriers and the movement of guards. In April 2001, he also filmed the World Trade Center and he can be heard, on film, making the sound of an explosion. Prosecutors in the UK said it was unlikely Barot had knowledge of the September 11 2001 terrorist attacks, but it did demonstrate a more than unhealthy and violent interest in attacks on iconic buildings.”

Al Qaeda itself has estimated that open source information can meet 80% of its specialised needs [6], with the remaining 20% obtained by other means, such as the use of insiders or hostile reconnaissance.

Hostile reconnaissance techniques

The type of reconnaissance conducted depends on the capability of those carrying it out, the environment and the existing security arrangements protecting it. Methods used entail:

- Static positions that use the environment around the target to blend in without attracting attention (such as cafes, benches, parks, bus stops, car parks). Static reconnaissance is potentially difficult to identify or counter because of the everyday situations it makes use of.
- Stationary vehicles are often used and it can often prove difficult for casual observers to even see the occupants, especially in poor light or if the vehicle is fitted with tinted windows (though these can also attract attention to a vehicle).
- Foot reconnaissance is one of the most common methods, allowing close observation of a target and its security arrangements, apparatus or internal layout. Where possible it involves entering a facility for a seemingly innocent purpose in order to study security routines.
- Disguises such as acting as a street vendor, contractor, surveyor or tourist can also enable the criminal to conduct prolonged static or mobile reconnaissance without arousing attention. Sunglasses, motorcycle helmets or hooded tops are frequently used to hide the appearance of individuals (although such props can attract more suspicion, especially if used out of context such as a heavy coat on a warm day). In some instances disguises have involved the use of stolen official vehicles, uniforms and identities (or imitations) to facilitate close reconnaissance [7].
- Technical reconnaissance using cameras and other equipment, which can be performed from distance or up close by smaller cameras hidden in bags or coats.

Hostile reconnaissance within the attack cycle

Criminals will go through a number of steps when planning their attacks and hostile reconnaissance is but one element of these.
Understanding these and how they relate to each other may help when instigating new security measures.

Marking

Environmental campaigners
Prior to the Great Climate Swoop in 2009 at Ratcliffe on Soar Power Station, activists conducted meticulous reconnaissance. They took numerous photographs and made detailed notes of aspects of security and layout. These were then posted on the internet.

Criminals will identify several potential targets before deciding which would be the most realistic and attainable. The final choice of a target could be based on the information obtained through open sources, which is confirmed or updated by reconnaissance on the ground. The selected target will be one which the criminals have assessed as offering the highest probable success rate.

[6] Taken from the so-called ‘Al Qaeda manual’ that was recovered during a police raid of an Islamist group in Manchester.
[7] Operation CAMION in Appendix 4, page 30

Insiders

Even if an insider is able to provide some, or all, tactical intelligence on a protective environment, it is likely that criminals still need to conduct some form of reconnaissance to validate existing intelligence and familiarise the attack team with the target. Positive target identification is paramount, particularly in cases involving attacks or actions against specific individuals such as an assassination or Tiger kidnap [8].

Reconnaissance ‘delegation’

Everything of relevance to the attack needs to be observed and reported to other accomplices.
It is during this intelligence gathering, by visual reconnaissance, that perpetrators can be at their most vulnerable: any criminals that are identified and watched can unwittingly lead the authorities to other members within their group. As such, criminals may sometimes delegate tasks to amateurs or new members of their organisation so that the more experienced members can avoid early detection, running the risk that less experienced individuals may make mistakes that are easier to detect.

Training aids

The Al Qaeda manual "Military Studies in the Jihad against the Tyrants" [9] not only instructs operatives planning an attack to conduct reconnaissance, it also points out the type of information that should be gathered. Basic internet searches and a number of other publications also offer a plethora of guidance and tips on conducting reconnaissance.

While certain basic skills and concepts can be learned by reading, applying that information to a real-world situation, particularly in the vicinity of a protected environment, can be difficult. This is especially true when the application requires subtle and complex skills that are difficult to master. The behaviours necessary to master reconnaissance tradecraft are not intuitive, and can frequently run counter to human nature.

Most criminal groups are unable to give their members the level of training to overcome this and as a result, poor tradecraft has been an Achilles’ heel in hostile reconnaissance operations. However, security departments should not assume that this will always be the case and instead should assume the criminals will be proficient, experienced, subtle and professional until proven otherwise.

Planning

The next step for the criminal is to plan the attack, bringing together all the accumulated information. ‘Tooling up’ involves gathering all the necessary tools and means for a successful execution of the planned attack.
This includes obtaining the explosives, weapons, equipment and human operators that will be used to achieve the objective.

[8] Tiger kidnapping relates to when abductions are used as part of a wider crime. For example, a person known to the victim is held hostage until the victim undertakes the demands of the kidnappers.
[9] http://www.au.af.mil/au/awc/awcgate/terrorism/alqaida_manual/manualpart1_1.pdf

Rehearsing

Rehearsing is the stage for acquiring knowledge in handling the tools and equipment and practising the methods to be used, in order to help ensure that nothing goes wrong.

Execution and getaway

The execution is where the criminals deploy their attack team and actually perpetrate their act. Typically, the criminals will infiltrate their chosen locations, set up their support positions and check communications. As long as there are no unforeseen complications and the decision is to press on and attack, the assailant will need to wait for the elected time or hang on for the target to enter the appropriate zone.

Attacks are typically swift, taking minutes if not seconds to accomplish. Regardless of the type of attack/act planned, if a criminal team reaches the execution phase, they are most likely to succeed. Threat mitigation efforts therefore have to focus on the terrorist activities which come before the execution. Only at those stages will we have the opportunity to deter and prevent terrorism or violent criminal acts.

When an escape plan is required, the attackers will be well planned and prepared with assistance from other group members.

Identifying and countering hostile reconnaissance

Importance of detection

Whilst physical security measures (such as CCTV) and the presence of security personnel can provide a visible deterrent, they will not always prevent attacks from happening. A determined criminal will still look for vulnerabilities within the existing security systems and routines.
Reconnaissance detection is the art of correctly identifying the behaviours that suggest acts of hostile reconnaissance are being undertaken.

Being able to recognise reconnaissance as it is taking place will not only allow appropriate pre-emptive action to be taken but might also lead to follow-up investigations and, hopefully, arrests. Even if disrupting genuine reconnaissance fails to gain precise intelligence of the possible attack (the ‘what’, ‘why’, ‘when’, ‘who’, ‘where’ and ‘how’), it could still deny perpetrators the element of surprise.

An effective detection programme extends the rings of conventional security measures, widening the security “radar beam” from the immediate surroundings out to the medium and even long range distance. The intention is to detect the criminals while they are:

- Gathering information in initial target selection phase;
- Collecting information during a pre-attack reconnaissance;
- Pulling together information during a rehearsal stage.

Mumbai attacks
Accounts from survivors of the Mumbai attacks of November 2008 note that the terrorists were familiar with the city and had maps of the targeted hotels. Indian authorities reported that in February 2008, a man arrested in northern India was found to have drawings of various sites in Mumbai, several of which were targeted in the attack. Questioning of the sole surviving terrorist revealed that the plot organisers provided maps and images of targets.

Security personnel need to understand what hostile reconnaissance looks like and how to identify it as it occurs. Personal experience, judgement and gut feeling play an important role, but analysis of previous incidents has provided a number of indicators which should assist future judgements about whether security personnel should approach individual(s) they have observed and/or report the incident to the police.

Analysis of hostile reconnaissance incidents

Introduction

Security personnel need to understand what hostile reconnaissance looks like and how to identify it when it occurs. While experience, personal judgement and gut feeling play an important role in the ability to recognise and counter hostile reconnaissance, analysis of previous incidents has provided a number of indicators which should assist in making future judgements about whether security personnel should speak to the individual(s) they have observed and/or report the incident to the police.

Ethnicity

Security personnel should avoid trying to identify hostile reconnaissance on the basis of ethnicity. Supposing that a particular ethnic group presents a higher threat will result in ignorance of other groups who may also pose a threat. This is operationally wrong and knowledge from previous incidents does not support this view. A criminal should be characterised by their actions and not their ethnic background.

Nicky Reilly
In 2008, Nicky Reilly, a white Muslim convert, attempted to detonate a device in a restaurant in Exeter. The device detonated prematurely and he was the only person injured. Reilly did not fit what many might perceive as an ‘average’ suicide bomber. He is white, suffers from Asperger’s Syndrome and has a mental age of 10. It is unlikely many people would have identified him as a threat when he approached his target.

Analysis of Operation Lightning data

Operation Lightning is the police initiative for gathering information on suspected hostile reconnaissance. CPNI has analysed cases to evaluate the usefulness of behavioural indicators for detecting hostile reconnaissance.

A qualitative analysis [10] was completed on a sample of cases recorded in the Operation Lightning database over a three year period (2006 to 2009).
Subject matter experts from the police’s SO15 identified a subset of the cases (84 cases from over 6,200) as significantly more likely to be hostile reconnaissance and these are referred to as ‘confirmed’ cases within this guidance. The remaining cases are referred to as ‘unconfirmed’, where they may still have been instances of hostile reconnaissance, but there is less confidence in the assessment. A sample of 100 unconfirmed cases was randomly selected by CPNI as a comparison group to be used as a baseline that, when matched with the confirmed cases, could help identify when an incident was more likely to be hostile reconnaissance.

The data for the confirmed and unconfirmed cases was analysed separately and two sets of behaviour codes were generated: behaviours that were suspicious and those that may help allay suspicion (non-suspicious). These are summarised in the tables below and are described in more detail in Appendix 1.

[10] Analysis of descriptive data such as text

These codes were generated by reviewing the descriptive record for each case (the 84 confirmed and 100 unconfirmed cases) and assigning codes to behaviours that could be regarded as of the same type. Descriptions for each of the codes were then refined throughout the analysis to make sure that they continued to be relevant to all details they had been applied to.

The confirmed cases generated a set of 16 suspicious behaviours. These were derived from either ‘stand-off’ pre-contact observations of a person’s behaviours or use of a vehicle, or as a result of direct contact with the individual(s) after their behaviour had raised suspicions (post-contact).

SUSPICIOUS BEHAVIOURS

No   Behaviour (pre-contact)
1    Enters a restricted or sensitive area without authorisation or cause
2    Makes observations from a restricted or sensitive area
3    Takes measurements
4    Draws diagrams or takes notes
5    Takes suspicious photos
6    Takes suspicious video footage
7    Pays attention to existing security measures, access areas, or sensitive sites
8    Anti-surveillance efforts
9    Tests existing security measures

No   Behaviour (pre-contact: vehicle)
10   Abandons or parks vehicle in a restricted/sensitive area or inappropriately
11   Drives vehicle in an unusual form
12   Uses vehicle that makes trace/identification of occupants more difficult

No   Behaviour (post contact)
13   Questions about security procedures
14   Provides implausible or no account for behaviour
15   Carries suspicious material or items
16   Appears to comply with, but actually defies, security request

The unconfirmed cases generated a set of non-suspicious behaviours (codes 17-22) which in the absence of suspicious behaviours (as listed above) might suggest that the activity is less likely to be hostile reconnaissance.

NON-SUSPICIOUS BEHAVIOURS

No   Behaviour (pre-contact)
17   Takes photos that are not suspicious
18   Takes video footage that is not suspicious
19   Provides plausible account for behaviour
20   Provides hostile response
21   Questions security about non-sensitive issues
22   Carries non-suspicious material/items

Behavioural, circumstantial and contextual information

The behaviours were generated by reviewing the descriptive record for each case (both confirmed and unconfirmed) and assigning codes to specific details within the text. The same codes were assigned to behaviours that could be regarded as of the same type. The descriptions for the codes were refined throughout the analysis to make sure that they continued to be relevant to all details they had been applied to.

After the codes were generated each case was scored against them (whether they were present ‘1’ or absent ‘0’).
As expected, some of the suspicious behaviours (codes 1-16) also applied to the unconfirmed cases because some of these cases may still be hostile reconnaissance.

A quantitative analysis [11] was used to understand the relationship between the confirmed and unconfirmed cases. This analysis included the scores for the behaviour codes as well as additional circumstantial and contextual information recorded in the database:

- Day of the incident
- Time of day
- Location type
- Whether a vehicle was identified
- Method of recording (photo camera, video camera if applicable)
- Number of people involved in the incident
- Person details for the people involved (age, gender and ethnicity).

[11] Analysis of data that can be expressed numerically

The analysis showed that specific behavioural, circumstantial and contextual information could be useful when making judgements about suspicious activity. The following factors were identified as being more likely to indicate hostile reconnaissance when suspicious activity had been observed:

- Two or more suspicious pre-contact behaviours (codes 1-12)
- Providing an implausible account for their behaviour (code 14)
- Behaviours that involved a security response where the individual(s) asked questions about security procedures (code 13; security questioning is also discussed in further detail on page 15) or the individual(s) appeared to comply with the security request but then defied this shortly afterwards (code 16)
- Absence of non-suspicious behaviours (codes 17-22)
- The incident occurred during quieter times of day (during the evening/night or early morning)
- The location related to infrastructure (such as roads, bridges), foreign government buildings, utilities sites or police services
  Note: suspicious behaviours were observed in a variety of other locations (such as visitor sites, airports, railway stations, underground transport) but were common for both confirmed and unconfirmed cases; these locations are therefore of interest but attention should be paid to the presence of additional suspicious behaviour indicators, as well as the context and circumstances, to increase confidence in any assessment
- A vehicle was identified
- Three or more people were involved (also the more people engaged in suspicious behaviour the more likely the case was confirmed).

Note: It should not be assumed that recording equipment (such as photographic and video devices) will always be used; many of the confirmed cases did not involve the use of such equipment. Where recording equipment is found, attention should be paid to additional suspicious behaviour indicators, as well as the context and circumstances.

There were not any significant findings that related to day of the week or person details (age, gender and ethnicity).

The process of countering hostile reconnaissance

The analysis of the Operation Lightning data can be used to raise awareness of hostile reconnaissance amongst security personnel and assist them when making judgements about suspicious incidents.

An important message from the research was that the better indicators of hostile reconnaissance were established through contact and discussion with the individual(s). No single pre-contact suspicious behaviour was a significant indicator (although there were more likely to be two or more pre-contact behaviours for the confirmed cases).

Countering hostile reconnaissance could therefore be considered as including three stages:

- Stage one: Observe behaviour
- Stage two: Resolution conversation
- Stage three: Escalation

The first stage involves observing for specific suspicious behaviours and situational risk factors such as those summarised in Appendix 2 (behaviours 1-12; these are also described in more detail in Appendix 1). The second stage is a targeted conversation to resolve suspicions about individuals. Consideration could be given to the post-contact behaviours in Appendix 1 (behaviours 13-16).
Following this conversation, the third stage is for a decision to be made around whether to allow the individual to continue or inform the police.

Security questioning

Background

The analysis conducted on the Operation Lightning data has established that one of the key indicators of hostile reconnaissance occurs after the hostile actor has been stopped by security personnel. In such cases, those being questioned will typically not have a ready, credible reason for being in the location they are in or behaving the way they are.

Security questioning is an exchange of questions and answers with a view to detecting, validating or refuting suspicious indicators. The objective of this line of questioning should be to:

- identify suspicion indicators and/or disprove suspicion indicators;
- get an overall feel for the person being questioned;
- authenticate information given by the person.

Authentication will be based on the potential for suspicion to occur and on corroborating information.

Environmental protesters
In 2008, two people were reported to be acting suspiciously near Gladstone Dock in Liverpool. Ports police found a man and woman taking photographs of a building. Questioning failed to satisfy the officers so a subsequent search of their car led to the discovery of maps of the dockyard that had been annotated, along with Greenpeace literature. Checks on the subjects revealed that they were environmental activists. Their camera also contained photographs believed to have been taken at another port. A few months later a woman asked to be allowed to enter a dockyard at Avonmouth, Bristol because she said she was a photographer and wanted to take photographs of some of the cranes on site. However the woman did not have a camera on her and when searched, was revealed to be wearing a Greenpeace badge hidden under her coat. Greenpeace has targeted a number of docks that handle GM crops or make use of biofuels.
The following advice is applicable to both uniformed guards and plainclothes surveillance detection specialists who, for whatever reason, need to become overt.

Customer orientated engagement

Any approach and questioning by security staff should be conducted in a helpful, non-threatening tone, based upon the belief that not everyone who is suspicious is threatening and that everyone is entitled to be treated courteously and with respect, for example “can I be of assistance?” or “do you need help with directions?” These questions are service oriented to the public at large but may still deter the criminal. Engaging a criminal in conversation, regardless of how passive, places them in a situation where their cover story could be exposed.

It is important not to jump to conclusions based on an observed suspicious activity. Suspicion is a common occurrence that needs to be mitigated through refutation, such as trying to prove the suspicion wrong and not validating it with an assumption of guilt.

Suspect risk assessment

Before questioning anyone acting suspiciously, security teams should make a quick risk assessment of the situation, preferably from a safe distance so that the individual(s) remain unaware that they are under suspicion. By doing so, the security officer can gather information from non-verbal clues and cues, such as a person’s overall appearance, and assess the risk to colleagues and members of the public, before and once the interview actually begins.
Part of what to look for or assess during the initial security evaluation would involve:
- Unusual attire/clothing for the environment
- Unusual body language
- Seeing if the person is on their own or part of a group
- Identifying the method of transport the person arrived in
- Assessing the person’s familiarity with their environment
- Assessing the person’s personal effects
- Considering the age and physical ability of the person

Gaining collaboration tips

- The security official should politely introduce themselves as security and explain to the person why they’re being spoken to. Explain the questions are intended to ensure the security and safety of the area.
- Security officials are providing a service, so they should be respectful and polite. If they irritate the person because they are uncivil and ill-mannered, the person will be less cooperative.
- Use the right level of verbal communication to make the person feel comfortable.
- A security official’s attire creates a positive impact on the person. If a uniformed guard is not dressed neatly it is likely to convey lack of professionalism and authority.
- Occasionally the interviewee may feel that they are being asked irrelevant questions. In this situation it should be explained that all the questions are meant to help keep the person and the operational environment safe.
- Do not ask intimate questions.
- Do not ask questions to merely satisfy inquisitiveness.
- Do not become emotional with the answers that are received, regardless of whether they are humorous, insulting or annoying.
- Ask questions loud and clear enough for the person to hear but without bystanders overhearing.
- Personal image and professionalism can be enhanced by using the right tone of voice.
- Effective communication requires an awareness of cultural norms and sensitivities: eye contact, gestures, physical/personal space, tone of voice and the subject matter all have a bearing.

Security questioning do’s and don’ts

- Do not presume anything.
- Deal with the refutation of suspicion indicators first. It is more efficient to determine suspicion indicators from the outset. It is advantageous to establish early if the potential threat warrants further inquiries.
- Ask one question at a time and keep them short, concise, clear and to the point.
- Ask open-ended questions (what/why/how/who type questions).
- Ensure the person is given plenty of opportunity to speak and let them fill in the spaces in the conversation. Hearing a person speak offers important clues and information about who they are, how they feel and what they are thinking.
- Maintain a consistent and smooth line of questioning and ask follow-up questions based on the answers received. Avoid changing tack until the issue that is of concern is completely settled to satisfaction.
- Do not take notes, as this allows the interviewer to focus and creates a friendlier and less threatening situation. If a second person is present, they should record the conversation in writing.
- Do not disclose any intentions or the detected suspicion indicators. This is particularly important if a terrorist/criminal is probing security methods. It is best to approach the question of suspicion indicators indirectly.
- If an interviewee is showing considerable difficulty in refuting a suspicion indicator, it may require more directness and openness about their behaviour. Although it is best not to reveal the suspicion indicator(s), if a way cannot be found it is better to ask a direct question(s) and resolve the issue than not.
- The person should feel he/she is being listened to, but do not divulge what in particular is of interest.
- In the event of discrepancies, repeat the question but phrase it in a completely different way.
- Do not be overbearing when dealing with people: questions are only to screen for a potential threat, not necessarily to accuse individuals of a crime. A customer service approach works best as, after all, security questioning is about retrieving information.
Who to call in the event of the detection of hostile reconnaissance

In the event of hostile reconnaissance activity being detected, it is important that procedures exist so that staff know who to report it to. If there is a fear that the hostile reconnaissance may be related to imminent threat to life or property, the police should be contacted via the 999 emergency telephone number. If this threat does not exist, then the Anti-terrorist hotline should be called on 0800 789 321. Regardless of where the call is made, the operators of the hotline will immediately contact the caller’s local police force who will deal with the incident.

Since it is unlikely that the caller will know what motive the individual(s) carrying out the hostile reconnaissance have, the Anti-terrorist hotline should always be called. If upon investigation of the incident, it can be established that the perpetrators are not linked to terrorism, the police will be able to pass the information to the relevant unit.

In some instances, an employer will establish links with their local police station and may be provided with a dedicated contact number to call in the event of hostile reconnaissance. The benefit of this is that an employer can develop good links with their local force and the police will have a better understanding of the employer’s facilities and any potential threats it may face. This may not be possible for all employers, but it is good practice to have a close working relationship with the local police.

Barriers to reporting suspicions

In some instances, security personnel can be reluctant to report suspicious behaviour, even if they do feel it is out of the ordinary. Typical barriers can include:
- embarrassment
- not being treated seriously in the past
- feeling that nothing will be done
- seen as being racist
- not wanting to get involved

It is important that security managers impress on their security personnel the need to overcome these barriers.
It is better to report legitimate concerns, even if they do eventually turn out not to be actual criminal activity. The potential repercussions of no action being taken could be severe.

Reporting incidents

Report writing

The goal of any observation is to be able to accurately report it to colleagues, management, police and area security personnel. The observer should be able to identify and describe both person and vehicle, so that third parties can imagine or recreate a general picture of the individual or vehicle described. This requires training in observation and memory retention, in order to accurately recall descriptions and activities.

Reporting observations

There are certain rules that should be followed when preparing a report, such as:
- Always be honest. Do not invent or over-exaggerate sighting(s);
- Do not make assumptions;
- Personal opinions regarding a criminal’s purpose, activities or intentions can be included but must be clearly stated as such;
- Do not write reports to please supervisors or managers; report only the facts as seen.

SALUTE

A handy mnemonic for remembering key details when writing a report is SALUTE. This stands for:
- Situation: Who or what the surveillance team was performing surveillance detection on; and if there is a specific reason, if none then simply report as routine;
- Activity: Type of task: Red Area, surveillance detection route, static or mobile position;
- Location: Where exactly does the operation take place? Is it in a Red Area or Surveillance Detection Point?
- Unit: Who is making the observation, team members, shifts;
- Time: Time and date of the specific incident being reported, including start and finish of a task and movements;
- Equipment: Any specific equipment the surveillance detection member used for surveillance detection such as a specific camera.
Remembering Observations

When trying to remember and describe a person after an observation use the following key words:
- Gender
- Race
- Age
- Hair colour
- Weight
- Build
- Height
- Special features (this may include scars, tattoos, disabilities, unusual gait, pockmarks).

Clothing is only important when describing a suspect person to another team member as an observation/event is unfolding, as clothes can be quickly and easily changed. Pay attention to inner clothes worn under the outer layer and to the shoes or trousers, as they are rarely changed.

Unless an organisation has a policy of doing so, the security officers should be encouraged not to attempt to use terminology they may have heard elsewhere, such as the police IC codes that are used for ethnicity. This will only serve to cause confusion to those who are not familiar with them.

Vehicle descriptions

When trying to remember and describe a vehicle after an observation use the following key words:
- Type
- Colour
- Size
- Year
- Number of doors
- Sunroof
- Registration number
- Type of aerial
- Distinguishing marks or features
- Number of occupants
- Weighted down
- Direction of travel

Evidential trail and evidence storage

If materials are collected or CCTV footage taken, there may be a need to treat them evidentially and store them appropriately. The following points should be observed:
- Evidence should be bagged and marked (using appropriate sealed bags)
- The integrity of the evidential trail must be maintained
- Evidence to be securely stored for the appropriate time and packaged correctly. If stored incorrectly the evidence could degrade or the material may become hazardous
- When destroying evidence it must be witnessed, recorded and carried out in accordance with the Health and Safety at Work Act [12]
- Ensure records of meetings and instructions pertaining to operations or patrols are kept in case they are requested in subsequent court proceedings.
Data protection

As well as evidential concerns, any materials collected or information gained from questioning needs to be handled and stored correctly. The Data Protection Act stipulates that anyone that handles personal information – that is any information that relates to an individual that can be identified by that information; or from that and other information that is possessed by the security department – is to comply with a number of principles. The Act demands that any collected personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection

Furthermore, the Act provides individuals with certain rights, including the right to find out what personal information is being held about them.

None of these requirements stop organisations collecting data on individuals believed to be carrying out hostile reconnaissance. The Act does, however, impose some conditions, as listed above, and security managers should be mindful of this when developing methods of storing the information gathered by their personnel.
[12] www.statutelaw.gov.uk/legResults.aspx?LegType=All+Legislation&title=health+and+safety+at+work+etc+act+&Year=1974&searchEnacted=0&extentMatchOnly=0&confersPower=0&blanketAmendment=0&TYPE=QS&NavFrom=0&activeTextDocId=1316700&PageNumber=1&SortAlpha=0

Appendix 1 – Suspicious behaviour codes

No | Behaviour (pre-contact) | Description
1 | Enters a restricted or sensitive area without authorisation or cause | Attempts to enter or enters a restricted area without authorisation or enters a sensitive area (close to a restricted area or point of interest) without apparent cause
2 | Makes observations from a restricted or sensitive area | Makes observations from a restricted or sensitive area (close to a restricted area, near a security fence, from the roof of a building/bushes, where security judgements can be made)
3 | Takes measurements | Takes measurements (counts footsteps or measures perimeters/distances)
4 | Draws diagrams or takes notes | Draws diagrams or takes notes (building plans, location of security cameras/security personnel, security shift changes, security vulnerabilities)
5 | Takes suspicious photos | Takes photos with no apparent aesthetic value (camera angles, security equipment, security/police vehicles, building entrances, car parks), covertly, from an unusual/suspicious location or of a sensitive area
6 | Takes suspicious video footage | Takes video footage with no apparent aesthetic value (camera angles, security equipment, security/police vehicles, building entrances, car parks), covertly, from an unusual/suspicious location or of a sensitive area
7 | Pays attention to existing security measures, access areas or sensitive sites | Pays attention to existing security measures (CCTV cameras, security personnel, police officers), building or site access or of sensitive sites
8 | Anti-surveillance efforts | Appears to use anti-surveillance techniques (doubles back, changes appearance)
9 | Tests existing security measures | Engages in test of existing security measures (tests access, abandons suspicious item such as bag, box, package)

No | Behaviour (vehicle) | Description
10 | Abandons or parks vehicle in a restricted or sensitive area or inappropriately | Abandons or parks vehicle in a restricted or sensitive area or inappropriately (across two parking bays, blocks car park entrance/exit)
11 | Drives vehicle in an unusual form | Appears to drive vehicle in an unusual form (drives noticeably slowly or unsteadily, around the same route repeatedly, from location at speed or departs when approached by security personnel/Police)
12 | Uses vehicle that makes trace/identification of occupants more difficult | Uses vehicle that is not registered to the individual (identified as a taxi, rental/hire vehicle) or that has modifications (blacked out windows, tinted windows)

No | Behaviour (post-contact) | Description
13 | Questions about security procedures | Engages security personnel in questions about sensitive subjects (shift patterns/hours, firearms, general security information)
14 | Provides implausible or no account for behaviour | Provides account for behaviour that is implausible (does not reflect circumstances, provides contradictory or evasive responses to questions) or provides no account for behaviour (does not answer questions)
15 | Carries suspicious material or items | Carries photos or video footage of sensitive sites, carries a large quantity of photos/video footage on camera or other suspicious material
16 | Appears to comply with but actually defies security request | Initially complies with request by security to stop behaviour but continues behaviour shortly after

Non-suspicious behaviour codes

No | Behaviour | Description
17 | Takes photos that are not suspicious | Takes or has taken photos that are not suspicious (clearly tourist pictures) or appears to take suspicious photos but no evidence on camera
18 | Takes video footage that is not suspicious | Takes or has taken video footage that is not suspicious (clearly tourist footage) or appears to take suspicious footage but no evidence on camera
19 | Provides plausible account for behaviour | Provides account for behaviour that is plausible (could reflect circumstances)
20 | Provides hostile response | Provides hostile response to security personnel/police or member of public (refuses to show video footage, is aggressive, noticeably stares)
21 | Questions security about non-sensitive issues | Engages security personnel in questions focussing on non-sensitive subjects
22 | Carries non-suspicious material/items | Carries material/items that are not suspicious (documents, laptop)

Appendix 2 – Summary of behaviours & risk factors

This summary has been developed for security managers to pass to security personnel. It comprises the findings from the analysis of the Operation Lightning data, which includes a simplified version of the table in Appendix 1. Security personnel should be reminded that they are also looking for unusual behaviours, that is, anything that is outside the norm or does not seem right under normal conditions.
Suspicious Behaviours

No | Behaviour (pre-contact)
1 | Enters a restricted or sensitive area without authorisation or cause
2 | Makes observations from a restricted or sensitive area
3 | Takes measurements
4 | Draws diagrams or takes notes
5 | Takes suspicious photos
6 | Takes suspicious video footage
7 | Pays attention to existing security measures, access areas or sensitive sites
8 | Anti-surveillance efforts
9 | Tests existing security measures

No | Behaviour (pre-contact: vehicle)
10 | Abandons or parks vehicle in a restricted/sensitive area or inappropriately
11 | Drives vehicle in an unusual form
12 | Uses vehicle that makes trace/identification of occupants more difficult

No | Behaviour (post-contact)
13 | Questions about security procedures
14 | Provides implausible or no account for behaviour
15 | Carries suspicious material or items
16 | Appears to comply with but actually defies security request

Situational Risk Factors (increase the risk of hostile reconnaissance)
- 2+ suspicious pre-contact behaviours
- Post-contact behaviours 13, 14 and 16
- Absence of non-suspicious behaviours (17-22)
- Quieter times of day (evening, night or early morning)
- Location relates to infrastructure, foreign government building, utilities or police service
- Vehicle is identified
- Use of recording equipment (such as photographic and video devices) is no more likely
- 3+ people are involved

Appendix 3 – What to report

Useful information to collate

Following a hostile reconnaissance event, the following information will prove useful to the police. This list is not exhaustive, but includes the following:

SALUTE

A handy mnemonic for remembering key details is SALUTE. This stands for:
- Situation: Who or what the surveillance team was performing surveillance detection on; and if there is a specific reason, if none then simply report as routine;
- Activity: Type of task: Red Area, surveillance detection route, static or mobile position;
- Location: Where exactly does the operation take place? Is it in a Red Area or Surveillance Detection Point?
- Unit: Who is making the observation, team members, shifts;
- Time: Time and date of the specific incident being reported, including start and finish of a task and movements made;
- Equipment: Any specific equipment the surveillance detection member used for surveillance detection such as a specific camera.

Person descriptions
- Gender
- Race
- Age
- Hair colour
- Weight
- Build
- Height
- Special features (this may include scars, tattoos, disabilities, unusual gait, pockmarks).

Clothing is only important when describing a suspect person to another team member as an observation/event is unfolding, as clothes can be quickly and easily changed. Pay attention to inner clothes worn under the outer layer and to the shoes or trousers, as they are rarely changed.

Unless an organisation has a policy of doing so, the security officers should be encouraged not to attempt to use terminology they may have heard elsewhere, such as the police IC codes that are used for ethnicity. This will only serve to cause confusion to those that are not familiar with them.

Vehicle descriptions

When trying to remember and describe a vehicle after an observation use the following key words:
- Type
- Colour
- Size
- Year
- Number of doors
- Sunroof
- Registration number
- Type of aerial
- Distinguishing marks or features
- Number of occupants
- Weighted down
- Direction of travel

Other
- Forms of identity, including driving licences, passports, utility bills, bank statements, work ID, student ID
- Mobile phone numbers
- Travel documents
- Unusually large amounts of money
- Maps
- Drawings
- If they possess a camera and they are willing to show any images on it, any unusual pictures, such as people, security equipment or personnel, entrances, vehicle check points or loading bays.
Appendix 4 – Further advice

Fairway

Fairway's remit is to detect, deter or disrupt terrorist activity, and it has particular responsibility for three operations: Lightning (hostile reconnaissance), Camion (potential vehicle borne improvised explosive devices by the use of liveried vehicles), and Trammel (the use of forged documents).

Operation Lightning

Operation Lightning aims to identify terrorists carrying out hostile reconnaissance at or near prominent or potentially vulnerable structures or buildings, including the Critical National Infrastructure and crowded places such as shopping centres, sports arenas and nightclubs.

Operation Camion

This has the aim of identifying individuals engaged in the theft or misuse of vehicles that support international terrorist groups. The types of vehicles which are of concern are:
- Vehicles containing hazardous materials
- Emergency service vehicles
- Military vehicles which would not attract suspicion
- Any other liveried vehicle that might be allowed access to sensitive or vulnerable premises because of their appearance.

Operation Trammel

Operation Trammel targets the use by terrorists of forged or fraudulent documents to facilitate their travel or to assist them in their attack preparation.

Operation Fairway DVD

This DVD has the aim of raising awareness about the work of Fairway. It does not carry any protective marking and is intended to be shown to the law enforcement and military community, the security and retail industry, and local authority employees. However, it may not be used for public broadcast without the prior permission of the SO15 Counter Terrorism Command.

Operation Langley DVD

This DVD was commissioned by the City of London Police following its investigation into a case of suspected hostile reconnaissance in July 2008. It gives an overview of the case and circumstances of the arrest. It also features some of the seized footage of the reconnaissance undertaken by the suspect.
The DVD is marked as 'Restricted' since it contains some sensitive information about the case, individuals concerned and the rationale for non-prosecution under the Terrorism Act. The DVD is intended for briefing of police officers and staff, to raise their awareness of potential hostile reconnaissance. The reconnaissance footage may be used for wider briefing of relevant members of the private sector who are trusted partners.

For more information on either DVD, contact Fairway at: [email protected]

NaCTSO

Advice on business security measures can be obtained from the National Counter Terrorism Security Office (NaCTSO), a specialist police organisation [13]. Dedicated Counter Terrorism Security Advisers (CTSAs) are located in each of the UK's regional police forces. They provide protective and counter terrorism security advice and training to support businesses and reduce vulnerability to terrorist threats. The advice they provide takes into account both conventional and non-conventional terrorist techniques. The CTSAs work closely with other police forces throughout the country, government departments and other agencies.

NaCTSO have also developed a scenario-based training exercise, “Project ARGUS”, aimed at high street businesses and delivered by local CTSAs. Events are aimed at providing businesses with valuable counter terrorism advice on protective security, resilience and hostile reconnaissance in light of the current terrorist threat. They do this by taking businesses through a simulated terrorist attack, which prompts discussion to identify the measures they can take to prevent, handle and recover from a terrorist attack. The event is free to businesses.

Project Griffin

Project Griffin [14] is a police-private industry initiative to accredit security personnel in identified locations by their attendance at a one day course in order to improve their skills and knowledge levels in relation to counter terrorism activity.
NPOIU

The National Public Order Intelligence Unit collects intelligence on domestic extremist issues. However, employers are unlikely to deal with this unit; instead, their point of contact will be the National Extremist Tactical Coordination Unit (NETCU), which provides information and guidance to government and industry on domestic extremism.

[13] www.nactso.gov.uk/
[14] www.projectgriffin.org.uk

Appendix 5 – Initiating a surveillance detection programme

Getting started

Introduction

This appendix is aimed at those organisations that are considering whether to implement a dedicated surveillance detection programme and/or introduce dedicated surveillance specialists.

General points

Surveillance detection is a term which refers to certain skills, utilised to detect and confirm the presence of hostile reconnaissance. In the context of a protected environment, counter surveillance is the term used for observing hostile reconnaissance once detection has been confirmed.

Before deciding to implement a surveillance detection programme there are a number of factors to consider if the project is to be efficient and economically viable. The implementation of a comprehensive surveillance detection programme needs to be based on threat and risk. In order to justify recommending the formation of a comprehensive surveillance detection programme, the following questions need to be considered.
- Are there current threats against the protected environment from terrorist organisations, organised crime (such as Tiger kidnap), extremist groups or other individuals?
- Are there specific reasons, either politically or financially, that are likely to make an organisation’s protected environment a possible target of terrorism, organised crime or protest in the near future?

If the answer to either of these is yes, then there is a sound reason to start implementing a surveillance detection programme.

Threat assessment

The next step is for the security manager to conduct a threat assessment.
First it is necessary to identify and assess the threat from those groups, organisations or persons which might pose a threat. Questions to consider may include the following:
- Is it a known or unknown group/organisation/individual posing the threats?
- Is there any intelligence about any prior incidents they may have committed or their capabilities?
- Are they domestic or international?
- How do they pose threats and what kind of threats are they? Is it at the level of vandalism, sabotage, injury, lethal or indiscriminate threats and attacks?
- Do the attacks in the past follow the same modus operandi or are the methods changing or the severity escalating?
- What could a potential attacker know about key locations within a given protected environment, target’s routes, residences, frequently visited locations?

The security manager should then go on to identify possible attack sites and vulnerable areas around their sites and along key routes. Issues to consider when assessing include:
- Are current security measures sufficient?
- Do they provide criminals with cover and concealment?
- Are there good surveillance points?
- Does the site offer the attacker the ability to control its potential target?
- Are there clear fields of fire or places to hide or place an IED [15]?
- Are there good escape routes?
- What are the repercussions if an attack was successful?
- Are there business continuity plans in place?

[15] Improvised explosive device

In consultation with the police a security manager should aim to manage the sites that offer the criminals the best options for hostile reconnaissance and attack. They should either consider changing routines or implement surveillance detection at those sites.

Procedures

Once this process is complete it is time to consider the formal implementation of a surveillance detection programme. Further questions/issues will need answering before a proposal can be submitted.
- What funds are available for a surveillance detection programme?
- Who will be responsible for the surveillance detection programme?
- Who will plan and devise the surveillance detection programme?
- When will the programme start and for how long will the programme continue?
- What surveillance detection will be conducted: static, mobile, technical or a mixture?
- Where will surveillance detection take place?
- When will surveillance detection be conducted, 24/7 or only on specific days and at given times?
- Who will conduct the surveillance detection, security officers and/or in conjunction with surveillance detection specialists?
- If surveillance detection specialists are to be introduced, how many will be needed?
- If surveillance detection specialists are to be phased in, what type of expertise or backgrounds are needed?
- Are there any specific demographics desired from the surveillance detection team?
- How will the surveillance detection expertise and motivations be maintained?
- How will the surveillance detection team learn from other security personnel’s experiences?
- How will the surveillance detection programme and specialists evolve with experience?
- How will the surveillance detection team observe, report, store, and disseminate data?
- How will descriptions of people and vehicles be collected and analysed?
- How will responses to discovery of surveillance be determined?
- How will an emergency response plan be determined?
- How often will red teaming occur (see below)?
- Why is surveillance detection being used? Knowing why is important in order to maintain the focus of the surveillance detection effort.

Understanding these issues, coupled with clear operational requirements, will be key to ensuring the success of a surveillance detection programme. The only divergence from this process is if strong suspicions exist that hostile reconnaissance is taking place or the threat level is elevated.
In these circumstances surveillance detection must be implemented or augmented (if basic surveillance detection is already in place) immediately. However, the crucial questions (listed above) should be addressed and assessed as soon as possible thereafter to ensure an enduring and successful programme.

Surveillance detection personnel

It is important that all security personnel receive some form of surveillance detection training. However, it is preferable, if resources allow, for a dedicated team of specialists to be formed to focus entirely on surveillance detection. Surveillance detection specialists should operate covertly in support of their uniformed colleagues. The size of a surveillance detection team should be based on the risk/threat assessment and the security budget available. Keeping the contract or in-house security team separate from the surveillance detection specialists provides more overlapping security. Periodic and random red teaming should form an integral part of the surveillance detection operation.

Red teaming

Red teaming is the act of carrying out a simulation against a particular target in order to evaluate preparedness and help develop strategies. Red teaming will encompass all phases necessary for the planning and executing of a terrorist attack and/or violent criminal act. The red teaming outcome should allow a security manager to identify those enemy methods that are possible from the many likely scenarios. New enemy threats and methods constantly need to be evaluated using red teaming. Therefore the process of red teaming, assessment, designing and revamping procedures, integrating practices and training must be recurring and constant.

Red teaming is followed by an assessment to convey those suspicious indicators that are derived from the methods uncovered during the red teaming stage.
The evaluation must also include a human and technology security comparison, to ascertain which application would be more effective for a specific area. Finally the assessment phase should also consist of an appraisal of the existing security strategy and practices in mitigating threats and addressing the needs for detection, determination and deployment.

Surveillance detection area categories

Building portals

Any building portals such as windows or doors are important because criminals tend to initially focus on them when conducting hostile reconnaissance. A kidnapper will initially try to watch their victim as they arrive in order to ascertain which entrance is used, then watch windows to see where the victim goes and when they depart the building. Thieves targeting a business may focus their reconnaissance on other building portals, such as rear windows or skylights through which they hope to gain surreptitious entry after business hours. Terrorists who are intent on bombing the protected environment may initially focus their reconnaissance on the entrance to an underground car park, loading/unloading bay or other key entry point.

Likely hostile reconnaissance areas

A thorough vulnerability assessment of a protected environment not only identifies a facility’s weak areas/spots (which may be exploited), it can also help to narrow down probable hostile reconnaissance locations. Regardless of the adversary or nature of the proposed attack, vulnerable areas/spots will attract reconnaissance by criminals. To this end the concentration of hostile reconnaissance interest will be centred in and around vulnerable areas/spots where attacks, strikes, breaches or kidnaps are planned.

Hostile reconnaissance use of cover or blending in

As previously mentioned, those criminals conducting hostile reconnaissance will aim to blend in with the local environment so as not to arouse suspicion.
They will naturally gravitate towards locations where people with the same demographics gather, as this will help them to blend better into local surroundings.

Where to concentrate surveillance detection

Surveillance detection needs to focus on the areas where hostile reconnaissance is most likely to be carried out. These areas can be divided into three categories, in order of importance: Red, Amber and Green. Surveillance detection operations should focus primarily on Red, then Amber, followed by Green Areas. The Green area should only be covered if there is enough surveillance detection manpower to give complete cover of the Red Areas. However, surveillance detection patrols should, if possible, be planned in a way that the surveillance detection specialists’ route to and from the protected environment goes via the Green and Amber Areas, when coming on/off duty. The surveillance detection base or office should be separate from the environment the surveillance detection specialists are working in, otherwise it is possible their cover will be blown the moment they enter/exit their facility or meet with people they are protecting.

Red areas

Red areas offer the most fertile ground from a surveillance detection perspective. They will afford those carrying out the hostile reconnaissance the best opportunity to gather targeting information on a protected environment as well as portal(s) and areas of vulnerability. As a result, those carrying out hostile reconnaissance spend most of their time in Red Areas, making them especially vulnerable to detection. Commence by locating the Red areas and then pinpoint the best surveillance or vantage points within the area that provide line of sight of the protected environment. These surveillance or vantage points are referred to as Surveillance Points. Then locate the best Surveillance Detection Points with a view of the Surveillance Points.
It is from these that those carrying out hostile reconnaissance are more likely to be observed.

Amber areas

Amber areas form probable areas of vulnerability where a foot or mobile target (such as a high risk employee) together with hostile surveillance operatives are likely to transit through or spend time in. This area offers the second alternative to locating hostile surveillance. Amber areas often include operational areas, such as the routes a target takes to and from work or locations which a target likes to frequent after work hours. Alternatively hostile reconnaissance might use part of an Amber area as part of an indirect stakeout for a foot or mobile target leaving the protected environment. If a target’s anticipated point of exit/portal cannot be watched (due to a heavy security presence or terrain, such as trees) hostile reconnaissance may resort to covering routes leading away from the point of departure, or indirect surveillance. As before it is important to locate likely Surveillance Points (or stakeout locations in this case) and identify nearby Surveillance Detection Points from which to observe these Surveillance Points.

Green areas

Green areas are those that people conducting hostile reconnaissance may use as part of their route in/out from an operational/protected environment. Alternatively it may entail areas where hostile reconnaissance could spend time, in respect to communicating with one another, planning, resting or eating between observations. As previously stated, there is no need to focus on Green areas unless there is sufficient surveillance detection to give complete coverage of the Red areas. Nevertheless identify likely Surveillance Points (or probable rest areas) and corresponding Surveillance Detection Points.

The surveillance detection specialist

Requirements

The surveillance detection specialist should have both training and an understanding of surveillance detection procedures.
They must possess good observation skills and have a keen eye for detail. Ideally they should also have an interest in the threats that they face and remain current with local and international affairs. To stay alert and focused during long hours of observations, in all weather conditions, they should have the physical and mental disposition suited for the job.

The kinds of qualities that will ensure a team member’s personal success within the surveillance detection team are:
- professionalism;
- team spirit;
- flexibility;
- leadership;
- memory retention and observation skills.

The above key skills are affected by:
- time passed since observation of an incident;
- physical condition of the surveillance detection specialist;
- psychological makeup of the surveillance detection specialist;
- mindset towards people, behaviour, culture and any prejudice;
- attitude towards locations, positions and complacency.

Whilst patrolling, the surveillance detection specialist should always act in accordance with their cover and observe the correct protocols, as the operational area dictates. For a surveillance detection specialist there is no place for security postures and mannerisms, otherwise their covert role will quickly be undermined. Once an undercover asset is exposed, its value diminishes. They should assume that someone could be observing the area looking for possible signs of undercover security.

Basic surveillance skills

In order to be able to implement surveillance detection procedures security personnel must possess an understanding of surveillance requirements. There are certain personal skills that are useful for either reconnaissance or surveillance detection. These basic skills, outlined below, lend weight to appointing dedicated surveillance detection specialists.
- Preparation
- Good driving skills
- Photographic training
- Navigation
- Memory retention
- Lack of an obvious military or security bearing
- Integrity
- Thoroughness
- Report writing.

Surveillance detection specialist’s appearance

Attire is an important factor. To introduce as many unknowns as possible (to help “unbalance” a potential attacker), surveillance detection specialists should not wear uniforms of any description. Clothing styles and colours must be inconspicuous and (as importantly) varied among the team, so as not to give a uniform appearance. Sharp or contrasting colours should be avoided as they draw unnecessary attention. Aim to be the “grey man/woman”. Dressing down is easier than dressing up (though of course if the specialist is working in an area where smarter clothes are the norm, they should also dress accordingly). The clothes worn should be comfortable and functional, loose fitting with pockets to conceal equipment. Shoes should be dark and not too flashy and preferably not name/logo marked unless that is the common trend in the operational environment. Official type shoes or boots that give off a security appearance should not be worn.

Disguises and props

Operating environments can be unpredictable and require surveillance detection specialists to blend in and handle a variety of situations and surroundings. In some scenarios, it may be appropriate to make use of disguises and props, such as cleaning or maintenance staff, to facilitate quick changes of appearance.

General surveillance detection equipment

In addition to props and a variety of clothing to help blend in, the equipment outlined below may (depending on the working environment) prove useful:
- Cameras
- Binoculars
- Two-way encrypted radios with covert harnesses and wireless earpieces
- Mobile phone for communications back-up and for admin type conversations
- Whistle for helping to draw attention
- Means of identification, such as an ID card or a bespoke baseball cap with security markings (though this should be hidden away till needed)
- Torch
- Navigation aids such as vehicle Sat Nav, small button compass and local map
- Voice recording device to help note information.

Operational cover

When conducting surveillance detection, surveillance detection specialists should, wherever possible, maintain an operational segregation from their colleagues in uniform, police and organisation employees. As a surveillance detection specialist, they should not be seen talking to anyone associated with the protected environment, as it may blow their cover. An operational cover is the explanation the surveillance detection specialist uses when in the operational area. A cover could be many things, depending on the natural cover the operational area provides. A heavily trafficked city business area might not need a specific cover, whereas in more sparsely populated areas, a surveillance detection specialist is likely to need a reason for being in the vicinity.

Types of surveillance

Methods

Surveillance detection methods mirror the techniques used by hostile reconnaissance operatives. These include:

Static surveillance
- Observation from cafés, restaurants, benches, parks, bus stops or bushes
- Can also consist of solely technical surveillance, such as cameras or audio.

Foot surveillance
- Walking behind, in front or past a person
- A window reflection can be used to obtain views to the rear or across a street without turning and thus making it obvious that the surveillance detection specialist is looking
- Window reflections are also particularly useful when crossing a street as they give a mirror view to the rear, which will help to observe people or vehicles to the rear
- It is important to resist the natural desire to look around too much when on foot. Normal pedestrians do not walk around scrutinizing their surroundings
- It is best to cross streets at an angle as it allows for glancing backwards without making it obvious
- If it is suspected that the hostile surveillance is carrying out counter surveillance, the surveillance detection officer should attempt to avoid meeting their gaze.
It is harder for the human brain to remember and describe a face, if there has not been eye contact.

Mobile surveillance
- Driving behind, in front or past a person
- The use of a bicycle, motorcycle and/or vehicle provides ideal support to a foot surveillance detection patrol. Mobile assets also allow for larger geographical areas to be covered, together with a faster response
- The use of vehicle mirrors helps with observations to the rear and side, which is useful when parked or mobile
- A vehicle offers ideal storage for a variety of clothing, props and other surveillance detection equipment.

Technical surveillance
- The use of motion sensors or vehicle tracking devices.

Defensive surveillance
- The use of fixed CCTV cameras is limited in that they only provide an image of a fixed location
- Cameras fitted with pan, tilt, zoom capability facilitate offensive surveillance by allowing observation out and away from a fixed point/area.

Surveillance limitations

With the exception of vehicle tracking devices all types of surveillance require a clear line of sight to the target; this can present a weakness. Other factors that have a limiting effect on surveillance are:
- Operational environment security awareness and whether the target carries out counter surveillance
- Ground, type of terrain and environment
- Open or closed target perimeter, view of the facility and entry/exit points
- Erratic routines, patterns, schedules and lifestyles of at-risk employees
- Third party awareness, rural versus urban, Neighbourhood Watch schemes.

Operational environment

Rural areas are one of the most difficult environments to operate in due to their usually close knit communities, where people know each other. To operate in a rural area will require a good pre-planned cover story complemented by appropriate clothing. Coordinating with other team members will ensure that cover stories and appearances do not contradict.
Urban areas are easier to operate in, as it is easier to blend in or disappear in a crowd, busy street or shop where fewer people pay attention to strangers. People may even feel personally threatened by (if they detect) covert surveillance, as they often will assume it is directed at them. This is particularly common with people who have previous criminal convictions.

Surveillance detection vs. counter surveillance operations

Clear and unambiguous Standing Operating Procedures (SOPs) must be in place with regards to the recommended actions, when overt and covert surveillance detection officers detect hostile reconnaissance. As a guide covert surveillance detection specialists should not, whenever possible, intercept/stop a suspect. This is done in order to protect operational covers and the identities of covert officers. Creating uncertainties by not exposing covert team members will keep criminals guessing as to the extent of the undercover security. This in turn acts as deterrence and as a result hardens a protected environment.

When hostile reconnaissance is detected by a surveillance detection specialist, it is generally advisable to report the observation to management or a control centre and commence counter-surveillance immediately. Depending on the situation and the risk assessment at the time, any follow-up overt action is generally best left to uniformed colleagues or the police. However, there will be occasions when it is necessary for the covert officer to become overt and engage those individuals conducting hostile reconnaissance. This may be when there is no uniformed officer to take over or the person carrying out hostile reconnaissance needs to be stopped immediately. As such, an organisation’s SOPs should reflect this eventuality.

Three key factors of surveillance detection

Hostile surveillance is best detected by observing three significant actions:
- Location
- Correlation
- Mistakes

Location

The surveillance detection specialist should look for any suspicious signs in their operational environment. They need to be looking for anything that seems out of place within the location, normal behaviour, time, day or season. The absence of anticipated actions/reactions to an event should also raise suspicions. Usually people behave naturally and according to the environment; otherwise they are likely to raise suspicion and consideration. A good sense of what is normal and what is unusual could be more important than any other type of security precaution that may be taken. The more familiar the surveillance detection operative is with their operational environment the easier it is to spot unusual activity.

Correlation

The surveillance detection specialist needs to look for any actions in the environment, which correlate with the opening/closing or other significant times/periods of the protected environment and the arrival/departure of high risk individuals. The surveillance detection specialist also needs to look for those individuals that make gestures that could be a signal for other, unseen hostile reconnaissance operative(s), or persons writing down information, looking at their watch, repeat visits, testing of physical security measures, taking seemingly innocent photos, or moving from their position, in correlation with activities at the facility. Indicators to look out for include persons or vehicles “shooting off”, after the departure of an employee or vehicle(s) from the protected environment, or unfamiliar vehicles and people arriving shortly after staff or vehicles have arrived at the facility.

Mistakes

Things to look out for include individuals attempting to conceal their actions, such as communicating into a microphone, or taking concealed photographs.
Another indicator might be individuals attempting to hide their faces, when walking past a protected environment, when security is in the locality or high risk employees are walking/driving past.

Carrying out surveillance detection

Performing surveillance detection

How often the Red, Amber and Green Areas are subjected to surveillance detection patrols, through the use of specialists or security officers as well as the use of CCTV, should be constantly reviewed. Factors which may have a bearing include: current terrorist Threat Level, specific threats pertaining to the protected environment and/or member of staff, tenant, visiting dignitaries, special events or neighbours. Ultimately the frequency of surveillance detection will to a large extent also be dependent and hinge on the staffing levels and availability of security personnel on any given day.

Ideally, surveillance detection specialists should perform surveillance detection in pairs. This does not mean that the surveillance detection pair has to have the same cover story or be together. They need to work as a pair to provide mutual support to each other and to effectively cover their operational area. Surveillance Points should be allocated within an assigned area to individual surveillance detection specialists. Once these Surveillance Points have been checked and cleared, one partner should then overlap the Surveillance Points that their colleague observed earlier. They will either confirm all clear to HQ or request further surveillance detection of the assigned Surveillance Point or area, if suspicious activities are observed.

The aim should be to:
- delegate
- organise
- observe
- report
- overlap
- confirm.

Surveillance detection specialists should not spend time in a Surveillance Point unless the place offers good physical cover.
When observing a Surveillance Point it is essential that the surveillance detection specialist stays out of the line of sight between the Surveillance Point and the protected environment or foot/mobile target. In this way it is harder for the hostile reconnaissance operative(s) to notice the surveillance detection specialist. Surveillance detection specialists must be meticulous and keep focused on the task at hand. They need to concentrate their observations on Surveillance Points whilst keeping an eye on their partner.

The surveillance detection specialist should always plan or create a reason for their surveillance detection patrols through any given area. In this way the surveillance detection specialist provides an outward appearance of normal behaviour as well as leaving themselves well placed to conduct brief observations from the various venues visited.

They should avoid the use of radios with accompanying wire earpiece or “earplugs/ear hangers” (even for mobile telephones) if possible. They are perceived as being security related and will quickly result in the compromise of surveillance detection specialists. Perception is often reality. Covert radios (which are less bulky than the average two-way radios commonly in use in security) are vital. Radios should be encrypted and fitted with a covert “rig” for transmitting and receiving. A small wireless earpiece (which is difficult to see once inserted in the ear) is also a crucially important component. Mobile phones should only be used as a back-up to covert communications. A non-suspicious method of communications through the use of visual physical signals should form an additional support system.

What to look for

When performing surveillance detection there are a number of indicators to look out for.
These are covered in more detail in Appendices 1 and 2; to summarise, they might include:
- Profile: What do the suspicious persons look like?
- Signature: What are they doing that looks out of place or context with the surroundings? This is the most important factor as it is their actions and not their appearance which inevitably exposes them as hostile reconnaissance.
- Uniformity: The person(s) appears similar, in respect to dress, age or gender to previous suspicious sightings. Terrorists, extremists and criminals are often from the same background and interest groups.
- Behaviour: Obviously staring at the protected environment; trying to conceal cameras; coming together - hostile reconnaissance operatives who have been operating individually or in teams meeting outside of the immediate operational area to share information.

Time, Environment, Distance and Demeanour (TEDD)

TEDD can be used to illustrate some of the principles used to identify hostile surveillance. If someone is seen repeatedly over Time, in different Environments and over Distance, or is someone who displays unusual Demeanour, it is possible to assume that the individual is engaged in something nefarious. Hostile reconnaissance operatives, who exhibit poor demeanour, meaning they act unnaturally, can look bluntly suspicious. Having no visible reason for being in a specific location or doing what they are doing can also appear dubious. Sometimes they exhibit almost imperceptible behaviour that can be sensed more than observed. The mistakes made while conducting hostile reconnaissance can be quite easy to spot as long as someone is looking for them. If no one is looking, however, hostile reconnaissance is reasonably easy. This is why terrorist groups have been able to get away with conducting reconnaissance for so long using operatives who generally practice poor tradecraft.
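
The TEDD principle above, applied to a team's sighting log, as an added example that is not part of the original guide: it marks a person or vehicle description for escalation when it recurs over Time, in different Environments and over Distance, or when any sighting recorded unusual Demeanour. The record layout, the subject keys, the position offsets and every threshold are assumptions chosen for illustration; the guide sets no numeric values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations
from math import hypot

# Assumed thresholds for illustration only; the guide gives no numeric values.
MIN_SIGHTINGS = 3        # "seen repeatedly"
MIN_SPAN_HOURS = 24.0    # "over Time"
MIN_ENVIRONMENTS = 2     # "in different Environments"
MIN_SPREAD_M = 1000.0    # "over Distance"

# Constructed sample log (not real data). Assumed record layout:
# time|subject key|survey point|environment|metres east|metres north|demeanour Y/N
# Positions are offsets from an arbitrary site reference point.
SAMPLE_LOG = """\
2010-07-05T07:30|SUBJECT-D|Red Surveillance Point 1|site entrance|60|15|N
2010-07-05T08:55|SUBJECT-A|Red Surveillance Point 1|site entrance|50|20|N
2010-07-05T09:00|SUBJECT-B|Red Surveillance Point 1|site entrance|40|25|N
2010-07-05T09:20|SUBJECT-B|Red Surveillance Point 1|site entrance|45|25|N
2010-07-06T07:30|SUBJECT-D|Red Surveillance Point 1|site entrance|60|15|N
2010-07-06T13:05|SUBJECT-C|Red Surveillance Point 2|loading bay|-80|10|Y
2010-07-06T17:40|SUBJECT-A|Amber Surveillance Point 2|commuter route|900|-300|N
2010-07-07T07:35|SUBJECT-D|Red Surveillance Point 1|site entrance|60|15|N
2010-07-08T07:30|SUBJECT-D|Red Surveillance Point 1|site entrance|60|15|N
2010-07-08T12:10|SUBJECT-A|Green Surveillance Point 1|cafe|1500|400|N
"""


@dataclass(frozen=True)
class Sighting:
    when: datetime
    subject: str       # agreed description key for a person or vehicle
    point: str         # label from the surveillance detection survey
    environment: str   # kind of place the sighting occurred in
    x_m: float
    y_m: float
    demeanour: bool    # observer recorded unnatural or concealing behaviour


@dataclass(frozen=True)
class Assessment:
    time: bool
    environment: bool
    distance: bool
    demeanour: bool

    @property
    def escalate(self) -> bool:
        # Repetition over Time AND Environment AND Distance, OR Demeanour alone.
        return (self.time and self.environment and self.distance) or self.demeanour


def parse_log(text: str) -> list[Sighting]:
    """Parse the pipe-delimited log; malformed records raise ValueError."""
    sightings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7 or fields[6] not in ("Y", "N"):
            raise ValueError(f"malformed sighting record on line {number}")
        when, subject, point, env, x, y, flag = fields
        sightings.append(Sighting(datetime.fromisoformat(when), subject, point,
                                  env, float(x), float(y), flag == "Y"))
    return sightings


def assess(sightings: list[Sighting]) -> dict[str, Assessment]:
    """Evaluate each subject against the four TEDD factors."""
    by_subject = defaultdict(list)
    for s in sightings:
        by_subject[s.subject].append(s)
    results = {}
    for subject, seen in by_subject.items():
        seen.sort(key=lambda s: s.when)
        span_h = (seen[-1].when - seen[0].when).total_seconds() / 3600
        # Greatest separation between any two sightings of the same subject.
        spread = max((hypot(a.x_m - b.x_m, a.y_m - b.y_m)
                      for a, b in combinations(seen, 2)), default=0.0)
        results[subject] = Assessment(
            time=len(seen) >= MIN_SIGHTINGS and span_h >= MIN_SPAN_HOURS,
            environment=len({s.environment for s in seen}) >= MIN_ENVIRONMENTS,
            distance=spread >= MIN_SPREAD_M,
            demeanour=any(s.demeanour for s in seen),
        )
    return results


def escalated(results: dict[str, Assessment]) -> list[str]:
    """Subjects to pass to management or the control centre, sorted by key."""
    return sorted(k for k, a in results.items() if a.escalate)


if __name__ == "__main__":
    for key, a in sorted(assess(parse_log(SAMPLE_LOG)).items()):
        print(key, a, "ESCALATE" if a.escalate else "log only")
```

SUBJECT-D, seen daily at one spot in one environment, is not escalated: regular presence at a single location meets the Time factor only, which keeps familiar local figures out of the escalation list.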

Denying opportunities for hostile reconnaissance

Denying criminals an opportunity to observe a protected environment directly, through both overt and covert surveillance detection activity, will effectively push hostile reconnaissance further away. It encourages hostile reconnaissance to switch to a less demanding target where security personnel are less aware. If the criminal’s objective is a foot or mobile target (rather than the protected environment) such as a kidnap, they may persevere. However, without line-of-sight of the target it will generate uncertainty.

Security protocols can manipulate hostile reconnaissance by “heating up” particular Surveillance Points by positioning overt security in the form of static officers, CCTV or roaming patrols. This will encourage hostile reconnaissance to move away from these designated areas or Surveillance Points and possibly towards other position(s) where covert surveillance detection is concentrated. It is also possible to control some of what is seen by effectively denying hostile reconnaissance its view, through the use of tinted windows, blinds, screening on sections of fencing. It may also be possible to manipulate hostile surveillance to be exposed while attempting to watch a portal that is deliberately left open to their view.

Force multiplier

An effective way to develop, enhance and boost the surveillance detection coverage of a protected environment is to proactively cultivate relations with immediate neighbours. For example, if nearby shop or café owners can be encouraged to report anything which is deemed as odd, untoward or strange, it would significantly increase the probability of hostile reconnaissance being detected. To promote and advance this concept it is recommended that overt security supervisors are allocated specific businesses which afford views of the protected environment.
The aim would be to declare the protected environment’s interest in being notified of any activity or behaviour thought to be suspicious. It may be wise to inform local beat officers or neighbouring security teams before introducing the initiative of “befriending” local businesses. It is necessary to factor in industry counterparts’ perspective to avoid duplication and ensure the project is coordinated from the outset, as the police and/or neighbouring security teams may have a similar system in place already.

Surveillance detection survey

The overall purpose of a surveillance detection survey is to provide a comprehensive analysis of where a protected environment is vulnerable to hostile surveillance. The aim is to identify both the Surveillance Points and Surveillance Detection Points within the Red, Amber and Green Areas. Surveillance Points and Surveillance Detection Points should be allocated unique colours and numbers, with regards to the particular Area which they are located in, such as: Red Surveillance Point 1, Red Surveillance Detection Point 2. Additionally, it is helpful to include a system for referring to buildings, portals, particular street junctions, nearby landmarks. This is usually best achieved by using numbered, coloured stick-on spots, which can be easily placed on maps to indicate specific locations. Once the team is familiar with the system, and in due course has memorised the key spots, it facilitates fast, efficient and to some degree secure communications as the spot system will be meaningless to an unauthorised observer.

Summary of Priorities

Prior to deploying on surveillance detection, officers need to complete the following tasks to ensure their success:
- Receive individual/team tasks as directed by the supervisor.
- If the area is unfamiliar, complete surveillance detection survey of target or protected environment, associated locations, areas and routes.
- Identify buildings, areas and people who are exposed to risk.
- Assess the seriousness of the threat and probable methods of attack and locations.
- Manage the risks by providing surveillance detection cover of the assets at risk.

Operational briefings and debriefs

Brief the overall security manager on all surveillance detection plans, either daily or weekly, or as the situation demands. Without planning the surveillance detection operations quickly lose their edge and observations become less frequent with time. Remain flexible and ready to improvise, according to situations, threats and concerns. Execute the plan as agreed but always be ready to adapt. Rehearsals always pay dividends on the ground. Always conduct a thorough debrief before going off-duty; update databases, load photographs, complete reports/log and brief managers with respect to significant observations. Before going off duty make sure that replacement specialists/officers are briefed before beginning their own shift.

Smaller scale security programmes

Introduction

It is recognised that not all employers will have the staffing, resources or time to set up a dedicated surveillance detection team and/or plan for every eventuality. Nevertheless, there are lessons that security managers at even the smallest of organisations can draw from and then apply to their own sites.

First steps

Once a decision has been made that additional measures are required, a security manager needs to understand what threats their organisation faces and to consider what resources and measures can be used to counter them. Security managers should consider which areas of their sites are the most sensitive or need the most protection, such as entrance points, loading bays and car parks and task security personnel accordingly. Some organisations may face limitations on where they can move security personnel or position cameras, but the key is to understand the nature of the threat and to work within the constraints of the local surroundings.
For example, in some cases, it may be appropriate to work with other nearby organisations, such as on an industrial estate or a high street, in order to build up a wider picture of any unusual behaviour.

If a surveillance detection team is impractical, then conventional security personnel need to be encouraged to consider the issue of hostile reconnaissance and to be given guidance in what to look for and how to deal with it. While the use of uniforms or insignia may give them a more overt presence, their knowledge of the environment in which they work should mean they are more likely to pick up unusual behaviour.

Better training for security personnel is the simplest and most effective way of deterring hostile reconnaissance and for improving morale. Staff that are alert and are confident in both their own abilities and the knowledge they will be supported by management when properly conducting their duties are more likely to notice unusual behaviour.

Security team leaders need to be experienced, well trained and have the ability to deal with personnel issues. If they are seen as being motivated and approachable, security personnel will be more willing to approach them with concerns about things they have observed. A simple method of reinforcing this is to conduct regular briefings and to reward, even just with verbal praise, good reporting.

CCTV

Many organisations make use of some form of CCTV. For some, this may be the only method of detecting unusual behaviour, for others, it will be part of a wider security package. While CCTV offers some deterrent capability, its use is limited if the images are not actually watched or if operators who are viewing do not know what to look for.
The lessons in what behaviours to look for, as has been discussed earlier (Identifying and countering hostile reconnaissance), are equally applicable for CCTV operators as they are for surveillance detection personnel and if unusual behaviour is detected, an organisation should have procedures in place to direct security personnel to the area of concern.

Any use of CCTV must be in accordance with the law. Further information can be found here:
www.cpni.gov.uk/ProtectingYourAssets/cctv.aspx
www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/ico_cctvfinal_2301.pdf

Additional measures

Other methods that can be used to detect hostile reconnaissance may include providing training to non-security personnel on what to look out for. Front of house staff, such as receptionists, are likely to be attuned to unusual behaviour and should be instructed on what to do if they suspect hostile reconnaissance.

It may be worthwhile talking to other organisations or groups that are situated in or near a site. For example, this might mean shop keepers or newspaper vendors, or in the case of an airport or station, aircraft or train spotters. These people will be familiar with a particular site or ‘patch’ and may also see things that are out of the norm. Building up a friendly relationship with such groups may offer a cheap way of expanding visual coverage of a particular area.

Organisations should consider what information they place on their public facing websites. Information that may aid those conducting hostile reconnaissance, such as floor plans or images of staff passes, should be considered for removal and subtle measures, about the types of security in place or measures that visitors may have to go through, may help dissuade those who intend to cause harm.

Some companies supply various technological measures to detect hostile reconnaissance.
Specialist solutions, in particular, should be based on a thorough assessment of security needs, not least because an organisation might otherwise invest in equipment that is ineffective, unnecessary and expensive. When deciding on introducing technical measures, it may be worthwhile to contact a CTSA or CPNI representative through the local police force at the start of the process. As well as advising on physical security, they can direct organisations to professional bodies that regulate and oversee reputable suppliers.

Senior management need to be made aware of any threats that an organisation may face and they must sign off on and abide by any security measures. If they are not seen as doing so, staff, including security personnel, may begin to question the necessity of their duties and morale may slacken.

Conclusions and recommendations

Detecting hostile reconnaissance

Surveillance detection is one of the most important and cost effective defences against criminality, extremism and terrorism at a tactical level. Considering that the most common pre-incident indicator is hostile reconnaissance, raising awareness of the threat and of appropriate counter-measures contributes immeasurably to any security regime.

Detailed intelligence about when and where terrorists, criminals and extremists might strike is rare. The detection of hostile reconnaissance will therefore provide the crucial early warning that a protected environment is being targeted, permitting appropriate pre-emptive actions to be taken.

A professional surveillance detection protocol necessitates planning, securing expenditure, recruiting a team, training, surveying the protected environment from hostile reconnaissance and surveillance detection perspectives, implementation of procedures and policies, practice, mastery, on-going training and red teaming. Any form of surveillance detection effort, regardless of how negligible, should be encouraged.
However, a little knowledge coupled with inadequate surveillance detection measures can be counterproductive. It is not uncommon for security personnel to delude themselves into believing that they have effective processes in place to recognise hostile reconnaissance early, when the reality is somewhat different. The analysis of the Operation Lightning data should provide surveillance detection specialists with some reassurance.

Some prospective surveillance detection specialists may have difficulty shedding their security, police or military mannerisms. This has to be worked on and monitored by management, as security-type traits can undermine covert surveillance detection. The surveillance detection team should preferably be a mixture of different genders, age groups and backgrounds. The more uniform the surveillance detection team’s appearance, the easier it will be for hostile reconnaissance to detect them. Covert surveillance detection demands self-discipline from every team member, in order to fulfil critical observations, without close supervision, day after day.

If an incident should unexpectedly occur, surveillance detection specialists may be ideally placed to observe the criminal team. With their above average observation skills, surveillance detection specialists will be highly useful in the post incident investigation. Notwithstanding specific SOPs for a given protected environment, surveillance detection specialists may well be positioned to follow the fleeing criminals, increasing the likelihood of a successful police interception.

For security personnel, making the shift in thinking towards countering hostile reconnaissance is vitally important and is the basis for success in threat mitigation. The answer is to think in terms of threat and not only risk, to accept that threat is infinite and intangible, and that it must therefore be approached from the point of view of the perpetrators and specifically their methods of operation.