THE LOST PRINCIPLES OF SECURITY

Overlooked Fundamentals for Effective Counter-Terrorist Preparations

Understanding the differences

A good way to understanding the correct concept of security is by comparing it with safety. Since also dictionaries are describing each of both terms by using the other, it is important to point out that they are not both sides of the same coin. For all practical purposes, security and safety are fundamentally different and we are setting ourselves up for future calamities if we keep using those terms interchangeably.

By applying safety measures we protect our body from known dangers to which we expose ourselves voluntarily. If you go out mountain climbing, you will don a harness and a helmet. You can adjust your protection to the levels of danger you plan to subject yourself. By staying at home you will never get hit by a falling rock, but you could still be attacked by a determined – not rock – but burglar, despite extensive security measures. Here is an example from a workplace: We could have an inherently dangerous job, perhaps in a nuclear plant; however, following carefully and consistently all safety-rules would still allow us to work all day long in a relaxed and well-protected environment. Yes, accidents still may happen; but they would not be caused by a vicious attack of a revengeful robotic arm, but by our own errors and neglect. Essentially, safety is about drawing a yellow line on the floor and as long as we do not cross, we shall stay safe. On the other hand, you could still become a victim inside the safety-zone if you would be stabbed with a knife by a deranged colleague on the shop floor. Would you then still consider your workplace as secure?

The most elementary fact is that our basic security status is determined by the rest of the population. By applying security measures, we need to consider not only the unpredictable factors of human nature and character, but also the social layers and under-currents of every community. Money can buy safety, in fact total safety, but all the tea of China cannot buy you security – any level of security. Say, you could manage to bribe every possible terrorist commander and crime-lord; you will still have no control over other unknown fermenting threats and newly bred criminals. National governments always tried to “buy” their security through economic or military assistance. We are all contemporary witnesses to the questionable results or sheer futility of such strategies.

During my more than 25 years of work in the field of counter-terrorism I came across too many ill-conceived security arrangements. Most of those protective set-ups were initiated after the results of certain threat-level assessments and translated into simple color- or numbers-based “alert systems” (i.e.: threat-levels white, orange, red; or “Defcon” 1,2,3,4, etc.). Those “traffic-light” alerts may be easy to communicate, but represent a problematic simplification. They may work for certain bureaucratic protocols, but cannot instruct front-line personnel to take specific actions in fluid situations. I often wondered: if terrorist threats cannot be read like the gauges on the control-panel of a nuclear plant (to cite my former workplace example), why would one take measures which could only defeat ill-tempered bits of machinery, but not the complex and volatile minds of human extremists? By attempting to provide security, we are more often than not taking insufficient account of the determination and ingenuity of the mind. If you are up against humans, safety-style measures are ineffective.

For sure, every security system designed by man can be defeated by some other smarter and more experienced brains; however, the next proposition is: why does this happen so often against elaborately designed, sophisticated and technologically superior security measures? You will find the explanation and some solutions in the next chapters.

The concept of action vs re-action

Action always beat reaction. To prove it, ask someone to hold a crisp and straightened banknote by one of the smaller edges, with the note hanging between the open “V” of the thumb and forefinger of your strong hand. When the other person lets go off the note, you will find it near impossible to catch it with your thumb and forefinger – even you try to prepare yourself for the moment. After playing this for a little while, the time will come when you will be catching the note more frequently because your brain learns and re-programs the reflexes. The same phenomenon plays out in the field of security, where the good guys try to “catch the banknotes” dropped by the criminals.

As an entirely “human product”, security is a dynamic entity and as volatile and diverse as the community in which we seek protection. Security is governed by a sheer infinitive number of variables, which in turn may change entirely just by shifting location for only a few miles. You cannot pack security into your briefcase and take it along to a trip. Protectors of aircraft, sea-going vessels or overseas facilities of multinational corporations have developed a greater sensitivity towards security threats, as the factors of extremely variable locations give them a higher awareness of changing risks. Security protection for stationary facilities, such as buildings and manufacturing plants often concentrate on potential threats from the surrounding areas and the familiarity of a long-term neighborhood makes the protectors more prone to complacency. How can we protect location-bound facilities? If action regularly beats re-action, how can we go from being a sitting duck to being prepared and ready for the “dropping banknote”? Before we can come up with answers, we need to look at a couple of other realities.

Preventive measures cannot be taken from within a “target”

Since the beginning of warfare there was never a fortification of note which has not been breached by attacking forces, even if it may have taken several years. The problem always was (and still is) that “defense” is supposed to be only one of many possible tactical options. However, behind barricades, you are limited to defensive measures only. This also means that you can only re-act to actions imposed upon you. Every successful attack exists of 2 main elements: force and surprise. The surprise-part aims to take away your chance to organize and to scramble counter-measures. This becomes even harder when the weakest elements of your security are encountering overwhelming force.

Let us imagine: you are in charge of security for a major shopping- and entertainment center, complete with a hotel, restaurants, cinema and a children’s play park. How will you be defending your complex “fortress”? Your first attention will go to dealing with the mundane, such as thieves and pickpockets, punks and hooligans, graffiti artists and lost children. Probably you will put in place similar measures as other premium property owners did around you; CCTV cameras and people with radios and wires in their ears. Since you don’t want to set up screening gates at all entrances and cannot check every shopping bag in a mall, or even ID thousands of customers, you are resigned to “intervention” when trouble shows up; to re-act and defend. After all you don’t really expect a terrorist attack bomb-threat.

The problem with most of those protective practices is that they are born out of a prevailing average understanding of the local security situation. Many of those protections are based on common assumptions – and often include wishful thinking, along those lines: there was never a terrorist attack in this town / Why should we be targeted? / Our corporate profile or activities are not controversial or offend anyone / There are more “juicier” potential targets out there. None of those arguments are substantial and should not allow you to lower your guard. The whole point of a terror-attack lies in the shock to its victims, who believed “it could never happen here”. It is not important what you believe can, or should, or should not happen; important is what your potential adversaries are thinking. Ignorance and arrogance were always a popular reason for defeat.

So, what can you do from within your facility? Firstly, what you can never do is to discourage a determined, intelligent extremist with a mission. A financially motivated thief will always choose the softest target – he graves the cash, not the publicity. Terrorists, however, need to make a spectacle and the conquest of a harder target could mean even greater glory. Even though, their objective is to create death and mayhem, terrorists do have a rational, practical side when it comes to planning their bloody actions. Ironically, greater chaos requires more careful planning and coordination. That means detailed evaluation and “casing” of possible targets. [I strongly advise against fake security equipment or “dummies”, such as CCTV camera-housings, without functioning internal parts. Serious criminals are familiar with such widespread cost-saving habits and will make sure whether your equipment functions properly and if it can affect their plans].

With carefully designed counter-surveillance techniques you will be able to detect persons who were assigned to check out your facility. You need to train and deploy suitable personnel who are capable in profiling; to correctly use the data obtained and to collect relevant intelligence in cooperation with the authorities as an ongoing process. Advance knowledge will strip the assailants, at least partially, of one of their most important means – the element of surprise. Further security considerations should include the layout plans of your facility. Similarly, as the fire-safety measures and escape-routes demanded by your local authorities, you may think about subtle architectural changes to allow potential rescue-commandos better access to critical areas. With careful planning and case studies of the dynamics of past terrorist attacks, one could draw assailants into certain preferred areas of your property, where their actions can be better contained or neutralized. Security personnel can be trained and motivated, so that they represent a pro-active and dependable factor, rather than just being 200-pound obstacles.

Textbook approaches and political correctness vs chaos

We are now ready to discuss answers to the question as to why so many terrorist attacks defeat elaborately arranged security so frequently and in some cases so easily. Most protectors fall into the “textbook-trap”. Security manuals or textbooks are written in order to formulize a set of procedures, thought to be widely practiced or commonly accepted by most peers in that genre. The primary government agencies, with input from the general law-enforcement community, the military and in some cases major private security-related firms formulate their SOPs (Standard Operational Procedures), rules and guidelines. They describe “standard methods” regarding subjects such as VIP – and object protection, dealing with IEDs (Improvised Explosive Devices), hostage-rescue, re-taking of hijacked targets, firearms training, investigative techniques etc.

Firstly, one must understand that the critical policy-elements of those manuals are rarely authored by operators or frontline personnel. In order to receive approval from the political hierarchy, senior commanders need to ensure that all operational procedures and training curricula reflect departmental policies. Operating outside the manual bears the risks of being ostracized for violating regulations, even though the operation or measures proved to have been effective. Whilst the principle of covering one’s backside is widely understood; what really makes a “standard” manual against terrorism largely ineffective is the ignorance of its political censors and its inflexible, bureaucratic and presumptuous approach.

In textbooks, every element must take account of our legal principles, prevailing social sensitivities, such as gender, physical abilities and individual rights of their personnel. In short, they must stand the test of political correctness, no matter how special those “Special Forces” may be. (Whether the Western governments’ security agencies of the ‘50s would not be more effective in combating today’s terrorism, even with the lack of our technological advances, could be subject of an interesting debate). The key operating elements of terrorism are chaos, shock, audacity and utter contempt for the adversary.

In combination, these elements, if successfully realized, will produce the headline messages needed to support the causes of the Perpetrators. Formulized security-protocols are mostly ineffective against deliberate chaos and do not prepare for total shock and surprise. Textbooks commonly prescribe measures which can be managed, controlled and packaged in neat reports. Every disastrous incident, every shocking experience is being turned into a “watershed in the field of security” and leads to the re-writing of manuals and SOPs. However, with every new edition they are being re-written into irrelevance.

The chaos of terrorist attacks does not equal “irrationality” and “randomness”. It only looks that way to the uninitiated. Chaos is shocking and meaningless to those who work out of the structured and organized world of government agencies and larger corporations. Besides its seeming unpredictability and senselessness, another facet of “chaos” is its nature to require a much larger force for containment, than its own proportions would suggest. (When you observe a riot, with a small group of hooligans breaking out to smash up a vehicle, then dashing off in all directions, you will notice that It takes a much larger number of officers trying to catch the perpetrators; usually ending up with a very small number of arrests).

Chaos can be met successfully, not only by careful analysis of the extremists’ past tactics, but by studying their entire concept, goals and modus operandi and by getting into their mindset. The more your combined security measures resemble one “inflexible and dumb mechanical apparatus”, which reflects textbook assumptions and only acts on pre-programmed indicators, the least effective it will be against determined and smart criminals. The first step is, to ensure that equipment is always being used supplementary to your own human resources. Your protective measures should focus on the ability, flexibility, intelligence and training of the security staff’s actions. You need small and nimble teams of motivated individuals who can think on their feet and with apparently unpredictable schedules. Every team-member must receive the same comprehensive training, so he/she can act independently and without the need to seek approval from a supervisor, if necessary. In short: security personnel who are not just trained to salute every “woman with a Porsche and a poodle”, but reliable manpower that can be call upon for multiple tasks.

Should you follow the agency-role models?

The government’s major “alphabet agencies” (FBI, CIA, NSA, DEA, ATF, etc.), as well as the military’s counter-terrorist commandos have the immense resources in manpower and material to potentially win the war against terrorism. The reasons why those organizations are frequently being defeated by the bad guys lie in their inability to deviate from the textbooks and their need for political conformity and expediency. The predictable formats they employ have always been the Achilles-heel of all disciplined services who had to fight scattered groups of armed rebels, since the existence of organized governments. Private organizations have the freedom and independence to develop their own security programs against terrorist threats. It will be more effective for your business to do your own research and analyses of existing dogmas from available security manuals and privately published textbooks; then write your own in-house SOPs, instructions and training manuals. You could have it developed with the participation from independent counter-terrorist specialists.

Another point is the agencies’ teaching and training methods which breed rank-consciousness and blind faith in orders from above. The primary security agencies grew from small nimble departments, which were made-up of highly talented and selected elite officers into large, complex juggernauts. Over the last few years most of them have been further beefed-up to increase their capacities. Unfortunately, their bureaucracies increased over-proportionally and made them prone to becoming political pawns (much like the ATF during the Clinton administration). The large size of an agency also means lower personnel standards; quantity before quality in order to fill planned positions. To my own opinion, today’s foremost counter-terrorist agencies, incl. SAS, GSG9 and GIGN are now shadows of their former self; hamstrung by their new complexity, political management, changing policies, inter-agency rivalries and competency struggles. These problems translated into performance lapses, which even plague the gold-standard commandos of the Israelis. As an example, their VIP protection unit did not come off too well during the 1995 assassination of Yitzhak Rabin (the gunman was caught by bystanders few moments later).

Most private organizations tend to source their security staff from retired law-enforcement officers or former military personnel. Applicants with those backgrounds need to be screened under consideration of my above observations. If they pass your basic selection criteria, they still need additional training. In most cases more than you may think.

Afterthoughts

Terrorist attacks, particularly the threat of explosives can hardly be prevented by a private organization. But, companies could be much better prepared to mitigate casualties, property damage and the after-effects. When the dust has settled and the media, the relatives of the victims, the lawyers and insurance adjusters descent on your corporate headquarters, you will know that you, as the security-in-charge did all that possibly could be done – and a bit more than any of the bystanders would reasonably expect.

Besides the fact that you saved lives and huge costs for your company, you also could notch up a general victory against terrorism, by depriving the extremists of a major part of their intended goal: catastrophic destruction of lives and property.

You stayed ahead of the terrorists. However, after the failed attack on your facilities, the security manuals and textbooks of the other potential targets will again be re-written and published into irrelevancy.

Col. Thomas Bovet

Hong Kong, April 2009

Advertisement