Managing The Threat: An Introduction To Surveillance Detection
The following report was compiled from various unclassified sources including press reports, government websites, OSAC constituent interviews, and U.S. Embassy reports.

May 12, 2010

EXECUTIVE SUMMARY

Pre-operational surveillance is a critical component of every terrorist or criminal attack. Given that the purpose of hostile surveillance is to observe and analyze the security measures, patterns, and vulnerabilities of a potential target, surveillance can be the most visible step in the attack planning process. Therefore, surveillance involves the most risk for attackers. Surveillance detection programs are designed to exploit these risks by creating a mechanism to detect pre-operational surveillance, report sightings, and disrupt an attack.

This report identifies attacker vulnerabilities during pre-operational surveillance and then focuses on how a surveillance detection program can exploit those vulnerabilities. The full program outlined in this report may not be suitable for all organizations. Parts of the program can be extracted and suited to the needs of each organization's security plan. Before developing a surveillance detection program, organizations should ensure that their program will be in legal accordance with host country laws.

HOSTILE SURVEILLANCE

Pre-operational surveillance is critical to every attack. Terrorists began conducting pre-operational surveillance over two years before the November 2008 Mumbai attacks took place. The coordinated, multi-target attacks involved detailed planning and long-term hostile surveillance. On multiple occasions the terrorists entered at least one of the Mumbai target locations and posed as a patron. Additionally, terrorists stayed at a hotel that was very close and in the line of sight to the locations they planned to attack. In all, there were at least six surveillance trips to the various attack targets.

Terrorists are not the only types of attackers who conduct surveillance. Criminals must also employ surveillance tactics in order to carry out their crimes. In South Africa, home of this year's World Cup, criminals have been known to target passengers and tour groups upon arrival at O.R. Tambo International Airport in Johannesburg. Typically, criminals receive word from inside operatives when high value individuals are exiting the airport terminal. The victims are then followed and robbed at gunpoint upon arrival at their residence or hotel.

An attacker's need for critical information about a target provides an opportunity for organizations to detect and disrupt an attack. Surveillance detection is the process of detecting and reporting suspicious activities. By interdicting through host country legal recourse, organizations can disrupt the attack planning process. Properly executed, surveillance detection may identify suspicious behavior that supports interdiction. Interdiction results in the mitigation or prevention of attacks. Once the actual attack has begun, organizations can do very little other than react.
"The brother should draw a diagram of the area, the streets, and the location which is the target of the information gathering. He should describe its shape and characteristics. The drawing should be realistic so that someone who never saw the location could visualize it."
(al-Qa'ida Training Manual)
The contents of this unclassified presentation in no way represent the policies, views, or attitudes of the United States Department of State, or the United States Government, except as otherwise noted (e.g., travel advisories, public statements). The report presentation was compiled from various open sources and unclassified embassy reporting. Please note that all OSAC products are for internal U.S. private sector security purposes only. Publishing or otherwise distributing OSAC-derived information in a manner inconsistent with this policy may result in the discontinuation of OSAC support.
THE ATTACK CYCLE

A typical attack cycle is comprised of eight stages. Each stage in the attack cycle demonstrates that terrorists and criminals have to take risks to successfully carry out an attack. The white arrows on the diagram to the right indicate opportunities for organizations to detect and interdict a potential attack.

Target List - The first phase of the attack cycle is to compile a list of possible targets.

Initial Surveillance Phase - The second stage of the attack cycle is the preliminary surveillance stage, which may take minutes, weeks, or months before the target is selected. Usually, the first group of operatives who survey a facility may not be as sophisticated as operatives later in the process who conduct the attack. This may increase the chances of detecting surveillance early in the cycle.

Target Selection - Once the target is selected, more strategic operational planning begins, which entails more sophisticated surveillance.

Attack Planning - During the planning stages of the attack cycle, the attackers will determine the specific attack site and begin to plan the point of approach. Several case studies have demonstrated that a more sophisticated surveillance team may be deployed to collect specific data points to support the attack's specific modus operandi. The attackers may use both fixed and mobile surveillance techniques to plan out a route to execute the operation. All specific details about the area will be accounted for, such as the timing of stoplights, distances from the road to the facility, and security measures in place.

Dry Run/Rehearsal - The final stages of surveillance may include a dry run to the target. Traditionally, al-Qa'ida has facilitated this phase with a different cell than the attack cell. However, homegrown cells may incorporate this phase into their attack planning phase because they may already be familiar with the target's environment. For instance, ten days prior to the 2005 London tube bombings, terrorists conducted a dry run on the London underground system.

Final Phase of Surveillance - The final surveillance stage is done more quickly to ensure the targeted person or facility implemented no new deterrence measures.

Deployment/Target Identification - The attackers are deployed and en route to the target.

Attack - This final stage is conducted when the attack is complete. The attack has a high probability of success in the final stage of the assault. Failures at this stage are usually related to mechanics or timing.

BEST PRACTICES FOR SURVEILLANCE DETECTION PROGRAMS
Before organizations create, build, or enhance a surveillance detection program, they must first assess local laws to ensure that their program is legal under local jurisdiction. Next, organizations should analyze their vulnerability, a critical part of designing a surveillance detection program. The vulnerability analysis should focus on perceived vulnerabilities of a facility, activity, or person, since terrorists and criminals will typically attack at the point they perceive to be the weakest.

A Red Zone is a specific surveillance location, which is usually referred to as the operational area. Surveillance is a very site-specific activity that relies on an adequate view of a vulnerability and cover for the person conducting the surveillance. The specific site that provides these two elements is referred to as a Red Zone.

It is important to note that organizations should continue to study current trends and tactics implemented by terrorists and criminals. Threats against facilities and personnel are constantly evolving, and organizations should continuously identify the possible vulnerabilities that may arise as terrorists and criminals change their tactics.

A successful surveillance detection program consists of three main components:

Detect - The main objective of a surveillance detection program is to detect and report pre-operational surveillance directed against a facility. Pre-operational surveillance comprises the data collection phases of the attack cycle and is indicated by the white arrows on the attack cycle diagram. It is critical to have formal procedures to report sightings so action can be taken to interdict.

Report - Information-sharing initiatives with host governments are critical to the success of surveillance detection programs. Pre-established methods to report hostile surveillance to local law enforcement are critical for intervention. In addition, it is important to notify authorities of the organization's operations to avoid countersurveillance by authorities. Over the years, OSAC constituents have been caught in this precarious situation. Additionally, organizations should make sure that developing a surveillance detection program is legal in the host country.

Analyze - Analysis is the backbone of all surveillance detection programs. A critical component of surveillance detection is to analyze and correlate reported data to identify trends, patterns, and repeated sightings.

Team Structures

There are several different types of team structures organizations can implement to manage their surveillance detection programs. The team structure methods include formal, mobile, and in-country training teams. All three methods can be used simultaneously or independently. Some organizations have designated surveillance detection teams, and others train and set up procedures for all employees to be able to detect and report suspicious activities. Setting up surveillance detection teams can be a costly and resource-intensive process. Some OSAC constituents have set up formal teams in high threat countries where labor is not as costly, such as Indonesia, Pakistan, and Kuwait. However, basic elements of surveillance detection can be applied across all organizations regardless of their size.

Formal Team

A formal team consists of a designated surveillance detection program with leadership and oversight, coordination, analysis, and dedicated surveillance detection personnel. A surveillance detection team may sometimes operate at an off-site location and minimize physical presence at the targeted facility. Procedures are established for the team to detect pre-operational surveillance, record biographical information, report the sightings, and set up methods to provide suspicious incident reporting to local authorities or private guards to interdict. Most formal teams have an off-site coordinator who inputs the information into a database to correlate the sightings. This person also coordinates reports with the individual who has complete oversight, such as the local security manager. Most organizations surveyed use the same vetting process that they would use for hiring their local security personnel. Typically, organizations use formal surveillance teams in high threat environments and at crucial infrastructure facilities.
Mobile

Some organizations also have mobile teams implemented, which can be deployed for short periods of time at a facility location. A mobile structure can be very useful in deploying a team on very short notice. However, given their mobility, it may take several weeks to establish a base of operations. Organizations generally use a mobile structure to cultivate relationships with the local community in an effort to establish a formal method of reporting. Most organizations report that mobile teams are usually used at facilities where internal staff have reported a spike in sightings.

In-country Training

The concept of a surveillance detection program should be used among all hired staff. Employees are the first line of defense and should know how to report suspicious behavior. Several organizations have mandatory surveillance detection and counter-surveillance programs set up for employees and family members in high threat regions. In addition, organizations have strategically set up formal methods to detect and report information with employees who have a routine presence outside of the facility, such as maintenance crews, local guards, drivers, and front lobby personnel.

Reporting Methods

Another important principle for developing a structured surveillance detection program is to define tripwires that identify what actions to take during different types of suspicious or hostile surveillance. A surveillance detection team does not interdict during suspicious incidents; therefore, it is important for the team and supervisors to have well thought out plans of action when a program is created. The following are a few examples of how a surveillance team might react and report to different sightings.

Suspicious (Non-Threatening) Activity
A non-threatening sighting may include a person loitering in the Red Zone without a justified motive or who may simply look out of place.
Action: In this sighting the team member should write down physical identification and behaviors and take a photo if possible. The information is then reported at a designated time such as shift change; possible interdiction may be necessary.

Hostile Surveillance Indicators
A hostile surveillance may include repeated sightings of a suspect in the Red Zone who is paying specific attention to the target.
Action: The information should be reported immediately to the coordinator. The coordinator will share the information with the local security manager and decide whether to have local authorities or guard personnel interdict.

Overt Surveillance
During an overt surveillance, the suspect may be taking photos and/or notes of the facility. The suspect may also be physically determining specific timings of lights, distances, and/or security personnel of the facility to prepare for an attack.
Action: Immediately report the sighting to the surveillance coordinator and/or security manager to have host government or guard staff interdict.

Imminent Significant Threat
A visible attack has been initiated.
Action: Implement the organization's emergency action plan. Organizations should already have an established emergency number to alert of an imminent emergency at the facility.
FURTHER INFORMATION

More information on surveillance tactics, trends, and incidents can be found at the report links below or by contacting OSAC's Global Security Coordinator.

Terrorist Tactics: Street Vendors - The Perfect Surveillance Platform
India: Possible Surveillance Detected