The old adage "necessity is the mother of invention" is never truer than when it comes to crime. I spent most of last week in Chicago attending the annual ASIS International Global Security Exchange, chatting to colleagues old and new about the particular challenges they face. In doing so, something struck me: Whether it's criminals, militants, corporate spies or activist groups, every threat is adaptive and creative. And then the flip side of this realization also occurred to me: By nature, security people and the programs they create tend to be rigid and inflexible. After all, many security leaders come out of the military or law enforcement (or both, like me). And even those from different backgrounds tend to pick up many of the cultural traits of such institutions by working with and for people who have.
The security departments at companies around the world are models of structure, but while these institutions boast organization, they often lack flexibility — a trait their adversaries often possess in spades. That's why a bit of flexibility in the department, as well as the ability to anticipate the threats that are coming, are critical to countering a resourceful enemy.
It's by no means universal, but by and large, people who come from law enforcement and military backgrounds tend to thrive on structure and organization. They often don't deal well with ambiguity, and like most humans, they're typically resistant to change. Now, to be fair, corporate security departments don't get to "play by their own rules," unlike their antagonists. They have no choice but to follow corporate standards and industry guidelines and operate within the restrictions of civil and criminal law. That's why inflexibility can put security programs at a significant disadvantage when the adversary is adaptive. In the end, if security departments are to stay ahead of the game, they need to plan for the threat that's likely to come, rather than just react to the last attack.
There's no doubting the incredible flexibility and creativity of criminals — and the more profit at stake, the greater the creativity on the part of lawbreakers. This is especially true for drug smugglers, who have played a game of cat and mouse with security forces for decades. They have had to adapt their smuggling modes, methods and even routes in response to law enforcement. Such smugglers use a array of methods to move their drugs by air, sea, ground or even under the ground, camouflaging their goods in many different forms. But other criminals, too, are equally resourceful and ingenious. Consider the array of skimmers and shimmers that criminals have developed to place on ATMs and other credit card slots to steal owner information. Likewise, some cargo theft crews have developed sophisticated electronic countersurveillance capabilities and deployed scanners to detect and remove GPS trackers concealed in high-value cargo shipments. And some groups will use GPS jammers to block the signal just in case they happen to miss some trackers.
Industrial spies have also demonstrated the wherewithal to employ different approaches to obtain the information they require. This can take the form of conducting a black bag job — which can be as old-fashioned as picking a lock to gain entry — when a phishing or hacking campaign fails, or recruiting a company insider with access to the information. These corporate spies and those who recruit and handle them have also shown the ability to adjust their tradecraft to counter changes to security policies and procedures. For evidence, look no further than the two agents who were recruited in Apple's autonomous vehicle division. After Apple discovered the first agent had been downloading sensitive information onto a thumb drive through a USB port, they disabled the USB ports on their machines. This forced the second agent to adapt by taking photos of sensitive documents on his computer monitor with a cellphone.
There's no doubting the incredible flexibility and creativity of criminals — and the more profit at stake, the greater the creativity on the part of lawbreakers.
Militant groups also have a history of being opportunistic and flexible, and perhaps nothing illustrates this better than the history of attacks against aircraft. At one time or another, Marxists, Palestinians, anti-Castro Cubans, Colombian cartels, Sikhs, jihadists and even North Korean and Libyan intelligence officers have all hijacked or blown up airplanes. From barometric switches and E-cells to suicide shoes and underwear bombs, those wishing to attack planes have employed an array of tactics to camouflage and activate their deadly devices. In planning for 9/11, al Qaeda studied the airline security screening system and looked for ways to exploit weaknesses. On the morning of Sept. 11, 2001, the jihadists duly hijacked four aircraft using box cutters, because security regulations permitted passengers to board with such tools at the time. And speaking on last week's 18th anniversary of the 9/11 attacks, al Qaeda leader Ayman al-Zawahiri exhorted followers to conduct attacks against U.S. and Western interests. "Be inventive and creative in your methods," he added.
There's also been a great deal of adaptation in the activist world. Over the past decade, some have expanded their direct-action activities beyond just a certain targeted company to pressure financial institutions, suppliers, customers and others who conduct business with the firm in question. They also seek to apply an array of different direct-action tactics to keep security at their targets off balance, dropping banners, forcing lockdowns at corporate headquarters or shareholder meetings, picketing the home of a company executive and the like.
Countering Adaptive and Opportunistic Opponents
Like any threat, the first step in countering an opponent is recognizing that the problem exists and then taking steps to address it. In this case, that means understanding that potential malefactors are both adaptive and creative and that security programs, policies and procedures must become flexible enough that officials can nimbly anticipate and respond to an ever-shifting threat. But merely adjusting security in the wake of an attack is not enough. Security directors must anticipate the next battle instead of remaining fixated on the last one. This requires identifying threat trends so security departments can take proactive steps to head off potential assailants or, at a minimum, mitigate the threat instead of merely responding to an attack in progress or one that has already occurred.
The best way to recognize such threat trends is to focus carefully on the malefactors' tactics and tradecraft. At Stratfor, we refer to this as focusing on the "how" — something that is especially important since a variety of actors can adopt the tactics that others are using. Focusing on the how, instead of the "who," ensures that profiling does not create a myopia that blinds security departments to the signs of an impending attack. This is something that we've primarily discussed in the past in relation to terrorism, but the principle is equally relevant to criminals, corporate spies and activists.
Focusing on the "how," instead of the "who," ensures that profiling does not create a myopia that blinds security departments to the signs of an impending attack.
Focusing on tactics and tradecraft permits one to observe trends and make a forecast of the threats to come. It's a lesson airport security would have been well to learn in 2009, after an ostensibly repentant jihadist came to ask then-Saudi Deputy Interior Minister Prince Mohammed bin Nayef for amnesty in August 2009, only to detonate an explosive device hidden in his rectal cavity. The attack failed to assassinate the prince, but al Qaeda did see the value in the concept, successfully smuggling explosives onto a Detroit-bound flight in December 2009 in a passenger's underwear. The act narrowly failed — but not because airport security had recognized where terrorist tradecraft was trending.
Another key to defeating resourceful would-be assailants is to deny them the ability to conduct surveillance at will. Giving opponents free rein to observe security equipment, procedures and personnel grants them a significant advantage in planning their attack. One effective way of doing so is to train security personnel to recognize signs of hostile surveillance and take action to mitigate it. There are also some very good technical tools that use closed circuit TV systems to alert security teams to possible surveillance in key areas — areas where surveillance operatives must be to monitor activity at a certain site. This helps the department become proactive, rather than just have a system that records activity for review after an incident.
The strictures of corporate procedures and the law will never offer security personnel the maximum flexibility to counter an ever resourceful adversary. But anticipating how the next attack is likely to come and putting proactive programs into place — rather than waiting for a reprisal of the last assault — are key if departments are to remain a step ahead of the competition. Anything less is closing the stable door after the horse has bolted.