Wednesday, August 02, 2006

When security isn't secure...

From Strategic Forecasting, Inc:

Corporate Security: The Technology Crutch
By Fred Burton

The Jewish Federation of Greater Seattle was the scene of a fatal shooting on July 28: One woman was killed and five were wounded by an apparent "lone wolf" gunman. The man arrested and charged in the incident, Naveed Afzal Haq, is an American of Pakistani descent who claimed to have acted because he was "angry at Israel." An act of violence targeting Jews in the United States as a result of the conflict in the Middle East was predictable. But aside from the human tragedy, one of the most troubling aspects of the shooting is that it occurred at a facility that had addressed safety considerations in the past.

The Jewish Federation of Greater Seattle uses cipher locks to restrict unauthorized access, external security gates, bullet-resistant windows and closed circuit television (CCTV) cameras that provide video coverage of the front lobby. Not surprisingly, employees believed themselves to be safe.

However, it is not uncommon for buildings or offices employing good physical security measures to become backdrops for workplace violence or domestic terrorism. Physical security is important, but it does not automatically transform a "soft" target into a "hard" target. In fact, physical security measures may become a kind of psychological crutch that induces a false sense of security or even complacency -- attitudes that add to, rather than reduce, one's vulnerabilities.

Defeating the System

Like any man-made constructs, physical security measures -- CCTV coverage, metal detectors, cipher locks and so forth -- have finite utility. They serve a valuable purpose in institutional security programs, but an effective security program cannot be limited to these. The technology cannot think or evaluate. It is static and can be observed, learned and even fooled. Also, because some systems frequently produce false alarms, warnings in real danger situations may be brushed aside. Given these shortcomings, it is quite possible for anyone planning an act of violence to map out, quantify and then defeat or bypass physical security devices.

However, elaborate planning is not always necessary. Consider the common scenario of a worker on a smoke break who props open an otherwise locked door with a rock or trash can as an example of "internal defeat" for security measures. Physical security devices require human interaction to be effective. An alarm is useless if no one responds to it, or if it is not turned on; a lock is ineffective if it is not locked.

CCTV cameras are used extensively in corporate office buildings and manufacturing centers, but any corporate security manager will tell you that in reality, they are far more useful in terms of investigating a theft or act of violence after the fact than in preventing one. This was amply illustrated in the London bombings last July; authorities were able to pull up CCTV footage of the bombers afterward, but the cameras by definition could not identify suspicious activity or key in on the bombers before they killed. Even businesses or government sites that have established elaborate command centers for monitoring CCTV coverage have found that security personnel can monitor only a limited number of screens effectively -- and only for a short time before boredom or distraction sets in.

And despite the use of software that helps to detect motion in sensitive areas, it is not possible for a single person to effectively monitor all the CCTV feeds from a typical corporate office building -- let alone an entire corporate campus -- for eight or 10 hours at a stretch.

Likewise, access control devices are great when they are monitored but can be easily defeated if they are not. Tailgating -- that is, following someone else through the door of a "secure" facility -- is very common in corporate America. This tactic is used frequently by thieves -- who make it a point to blend into the environment -- in gaining access to office buildings, where they steal computers and other valuables. In some cases, brazen tailgater thieves have been able to steal tens of thousands of dollars worth of equipment -- sometimes in one haul, sometimes by hitting the same targets repeatedly over time.

In case of the Jewish Federation, tailgating was used to gain access -- though reports have conflicted as to whether the suspect rushed through the door after an employee used her code to open it, or whether he held a gun to a young girl's head and forced her to open the door for him.

Aggressive tailgating has been used in other shootings as well: In February, a former postal worker in Goleta, Calif., followed another vehicle through the gates of a mail distribution center. Once in the parking lot, she got out of her car and shot three employees -- then took an ID card from one of her victims, using it to enter the building and continue her rampage. Though the woman in that case had insider knowledge about the distribution of physical security systems, this information can be gained by outsiders as well, using preoperational surveillance.

For instance, it is clear from the surveillance that al Qaeda suspects ran on several financial buildings in the United States that they took great interest in documenting details of the security measures that were in place -- including access control, security procedures and guard coverage and schedules.

In reality, all "attack cycles" -- even those used by lone-wolf assailants -- follow the same general steps. All criminals -- whether stalkers, thieves, lone wolves or militant groups -- engage in preoperational surveillance, but the length of this phase naturally varies depending on the actor and the circumstances; a purse snatcher might case a potential target for a few seconds while a kidnapping crew might conduct surveillance of a potential target for weeks.

The degree of surveillance tradecraft -- from very clumsy to highly sophisticated -- also will vary widely, depending on the training and street skill the operative possesses. Perhaps the most crucial point to be made about preoperational surveillance is that it is the phase when someone with hostile intentions is most apt to be detected -- and the point in the attack cycle when potential violence can be most easily disrupted or prevented.

But detecting the signs of preoperational surveillance is a uniquely human ability; it requires both cognition and intuition -- analysis, "gut feelings" and rapid responses -- for which technology is no substitute.

Heating Up the Environment

No matter what kinds of physical security measures may be in place for a building, office or other facilities, they are far less likely to be effective if a potential assailant feels free to conduct preoperational surveillance. The more at ease someone feels as they set about identifying the physical security systems and procedures in place, the higher the odds they will find ways to beat the system.

A truly "hard" target is one that couples access controls and cameras with an aggressive, alert attitude and awareness. An effective security program is proactive -- looking outward to where most real threats are lurking -- rather than inward, where the only choice is to react once an attack has begun to unfold. One very effective way to do this is to utilize countersurveillance as an element of a facility's (or executive protection) security plan.

Countersurveillance programs operate on a handful of principles -- for example, the concept of vantage points or "perches" and how they can be used by someone conducting surveillance. If "perches" around one's facility are identified and activities at those sites are monitored, potential assailants will be less able to conduct pre-operational surveillance at will -- and it is quite possible that attacks can be prevented.

Another technique that professionals use is "heating up perches" -- or directing attention from visible security assets there (for example, having roving guards drive past it periodically). The point of these and other security techniques is to make anyone who might be planning a crime to feel uncomfortable during the preoperational surveillance phase. If he or she believes they have been "burned" (or caught in the act) of surveillance -- even if they have not been -- they are likely to seek out an "easier" target, unless there is a compelling reason they are drawn to attack a specific person or facility.

Grassroots Awareness

Some companies have employed surveillance detection programs with great success. Programs employing specially trained, plain-clothes operatives have identified hostile surveillance by militant groups and prevented attacks. They also have helped companies in spotting and intercepting mentally disturbed people, sex offenders and others, such as "tailgating" building thieves and car thieves.

Uniformed guards who have been trained in surveillance detection for counterterrorism purposes also have proven skilled at detecting and catching criminals. However, corporate security officers and the uniformed guard force have only so many eyes and can be in only so many places at once.

Thus, proactive security programs also teach the importance of fostering broad security awareness among employees. The training should not leave workers scared or paranoid -- just more observant. They need to be trained to look for people who are out of place and who could be potential surveillants or criminals. They also need to be mindful of people who might be attempting to tailgate into a facility. Most importantly, employees need to know what to do if they see something suspicious and who to call to report it.

As a part of security training, companies should instruct workers on procedures to follow if a shooter enters the building. These "shooter" drills should be practiced regularly -- just like a fire, tornado or earthquake drill.

The Odds

The law of averages indicates that in all probability, most office buildings or companies will never fall victim to a terrorist attack or workplace violence. However, we strongly believe that the Israel-Hezbollah conflict is likely to spark more attacks like the one in Seattle -- and that a few scattered targets in the United States will be affected. Obviously, predicting precise locales or targets is impossible from a distance, but certain classes of likely targets can be identified -- such as Israeli diplomatic targets, high-profile organizations that are connected to Israel, prominent Jewish citizens, Jewish-owned businesses, community organizations and religious sites.

By the same token, retaliatory violence -- possibly targeting Muslim groups or mosques -- cannot be ruled out. For either group, we advise putting countermeasures into place, drafting emergency action plans and rehearsing react drills. As we have noted previously, organizations and businesses tend to increase their funding for security measures in the wake of attacks like that in Seattle. As more attention is devoted to security budgets, considered attention to the effectiveness of specific measures and the value of proactive security training possibly will follow.

Send questions or comments on this article to analysis@stratfor.com.

Wrap...

No comments: