The Proactive Tool of Protective Intelligence

Nov 7, 2007 | 18:38 GMT

Security Weekly

By Fred Burton and Scott Stewart On Nov. 4, 46-year-old Spanish businessman Edelmiro Manuel Pérez Merelles was freed from captivity after being held for nearly two weeks by kidnappers who grabbed him from his vehicle in the Mexico City metropolitan area. The fact that a kidnapping occurred in Mexico is not at all unusual. What is unusual is the enormous press coverage the case received, largely because of the audacity and brutality of the attackers. Pérez Merelles was snatched from his car Oct. 22 after a gang of heavily armed assailants blocked his vehicle and, in full view of witnesses, killed his bodyguard/driver, delivering a coup de grâce shot to the back of his head. The abductors then shoved the driver's body into the trunk of Pérez Merelles' car, which was later found abandoned. After the abduction, when the family balked at the exorbitant amount of ransom demanded by the kidnappers, the criminals reportedly upped the ante by sending two of Pérez Merelles' fingers to his family. A ransom finally was paid and Pérez Merelles was released in good health, though sans the fingers. In a world in which militants and criminals appear increasingly sophisticated and brutal, this case highlights the need for protective intelligence (PI) to augment traditional security measures.

Action versus Reaction

As any football player knows, action is always faster than reaction. That principle provides offensive players with a slight edge over their opponents on the defense, because the offensive players know the snap count that will signal the beginning of the play. Now, some crafty defensive players will anticipate or jump the snap to get an advantage over the offensive players, but that anticipation is an action in itself and not a true reaction. This same principle of action and reaction is applicable to security operations. For example, when members of an abduction team launch an assault against a target's vehicle, they have the advantage of tactical surprise over the target and any security personnel protecting the target. This advantage can be magnified significantly if the target lacks the proper mindset and freezes in response to the attack. Even highly trained security officers who have been schooled in attack recognition and in responding under pressure to attacks against their principal are at a disadvantage once an attack is launched. This is because, in addition to having the element of tactical surprise, the assailants also have conducted surveillance and have planned their attack. Therefore, they presumably have come prepared — with the number of assailants and the right weaponry — to overcome any security assets in place. Simply put, the criminals will not attack unless they believe they have the advantage. Not all attacks succeed, of course. Sometimes the attackers will botch the attempt, and sometimes security personnel are good enough — or lucky enough — to regain the initiative and fight off the attack or otherwise escape. In general, however, once an attack is launched, the attackers have the advantage over the defender, who not only is reacting, but also is simultaneously attempting to identify the source, location and direction of the attack and assess the number of assailants and their armament. Furthermore, if a gang is brazen enough to conduct a serious crime such as kidnapping for ransom, which carries stiff penalties in most countries, chances are the same group is capable of committing homicide during the crime. So, using the kidnapping example, the gang will account for the presence of any security officers in its planning and will devise a way to neutralize those officers — as the attackers neutralized the bodyguard in the Pérez Merelles abduction. Even if the target is traveling in an armored vehicle, the attackers will plan a way to immobilize it, breach the armor and get to their victim. In a kidnapping scenario, once the target's vehicle is stopped or disabled, the assailants can place an explosive device on top of it, forcing the occupants to open the door or risk death — a tactic witnessed several times in Latin America — or they can use hand tools to pry it open like a can of sardines if given enough time. Since most armored vehicles use the car's factory-installed door-lock system, techniques used by car thieves, such as using master keys or punching out the locks, also can be used effectively against an immobilized armored vehicle. This same principle applies to physical security measures at buildings. Measures such as badge readers, closed-circuit TV coverage, metal detectors, cipher locks and so forth are an important part of any security plan — though they have finite utility. In many cases assailants have mapped out, quantified and then defeated or bypassed physical security devices. Physical security devices require human interaction and a proactive security program to optimize their effectiveness. Armed guards, armored vehicles and physical security devices can all be valuable tools, but they can be defeated by attackers who have planned an attack and then put it into play at the time and place of their choosing. Clearly, a way is needed to deny attackers the advantage of striking when and where they choose or, even better, to stop an attack before it can be launched. In other words, security officers must play on the action side of the action/reaction equation. That is where PI comes in.

Protective Intelligence

In simple terms, PI is the process used to identify and assess threats. A well-designed PI program will have a number of distinct and crucial components or functions, but the most important of these are countersurveillance, investigations and analysis. The first function, countersurveillance, serves as the eyes and ears of the PI team. As noted above, kidnapping gangs conduct extensive preoperational surveillance. But all criminals — stalkers, thieves, lone wolves, militant groups, etc. — engage in some degree of preoperational surveillance, though the length of this surveillance will vary depending on the actor and the circumstances. A purse-snatcher might case a potential target for a few seconds, while a kidnapping gang might conduct surveillance of a potential target for weeks. The degree of surveillance tradecraft — from very clumsy to highly sophisticated — also will widely vary, depending on the operatives' training and street skills. It is while conducting this surveillance that someone with hostile intentions is most apt to be detected, making this the point in the attack cycle that potential violence can most easily be disrupted or prevented. This is what makes countersurveillance such a valuable proactive tool. Although countersurveillance teams are valuable, they cannot operate in a vacuum. They need to be part of a larger PI program that includes the analytical and investigative functions. Investigations and analysis are two closely related yet distinct components that can help to focus the countersurveillance operations on the most likely or most vulnerable targets, help analyze the observations of the countersurveillance team and investigate any suspicious individuals observed. Without an analytical function, it is difficult for countersurveillance operatives to note when the same person or vehicle has been encountered on different shifts or at different sites. In fact, countersurveillance operations are far less valuable when they are conducted without databasing or analyzing what the countersurveillance teams observe over time and distance. Investigations also are important. Most often, something that appears unusual to a countersurveillance operative has a logical and harmless explanation, though it is difficult to make that determination without an investigative unit to follow-up on red flags. The investigative and analytical functions also are crucial in assessing communications from mentally disturbed individuals, for tracking the activities of activist or extremist groups and for attempting to identify and assess individuals who make anonymous threats via telephone or mail. Mentally disturbed individuals have long posed a substantial (and still underestimated) threat to both prominent people and average citizens in the United States. In fact, mentally disturbed individuals have killed far more prominent people (including President James Garfield, Bobby Kennedy and John Lennon) than militants have in terrorist attacks. Furthermore, nearly all of those who have committed attacks have self-identified or otherwise come to the attention of authorities before the attack was carried out. Because of this, PI teams ensure that no mentally disturbed person is summarily dismissed as a "harmless nut" until he or she has been thoroughly investigated and his or her communications carefully analyzed and databased. Databasing is crucial because it allows the tenor of correspondence from a mentally disturbed individual to be monitored over time and compared with earlier missives in order to identify signs of a deteriorating mental state or a developing intent to commit violence. PI teams will often consult mental health professionals in such cases to assist with psycholinguistic and psychological evaluations. Not all threats from the mentally disturbed come from outside a company or organization, however. Although the common perception following a workplace incident is that the employee "just snapped," in most cases the factors leading to the violent outburst have been building up for a long time and the assailant has made detailed plans. Because of this, workplace or school shootings seldom occur randomly. In most cases, the perpetrator has a targeted a specific individual or set of individuals that the shooter believes is responsible for his plight. Therefore, PI teams also will work closely with human-resources managers and employee mental health programs to try to identify early on those employees who have the potential to commit acts of workplace violence. In workplace settings as well as other potential threat areas, PI operatives also can aid other security officers by providing them with the photographs and descriptions of any person identified as a potential problem. The person identified as the potential target also can be briefed and the information shared with that person's administrative assistants, family members and household staff. Another crucial function of a PI team is to "red team," or to look at the security program from the outside and help identify vulnerabilities. Most security looks from the inside out, but PI provides the ability to look from the outside in. In the executive protection realm, this can include an analysis of the principal's schedule and transportation routes in order to determine the most vulnerable times and places. Countersurveillance or even overt security assets can then be focused on these crucial locations. Red teams also sometimes perform cyberstalker research. That is, they study a potential target through a criminal or mentally disturbed person's eyes — attempting to obtain as much open-source and public record information on that target as possible in order to begin a surveillance operation. Such a project helps to determine what sensitive information is available regarding a particular target and highlights how that information could be used by a criminal planning an attack. Red teams also will attempt to invade a facility in order to test access control or to conduct surveillance on the operations in an effort to identify vantage points (or "perches") that would most likely be used by someone surveilling the facility. Once the perches around one's facility are identified, activities at those sites can be monitored, making it more difficult for assailants to conduct preoperational surveillance at will. One other advantage to PI operations is that, being amorphous by nature, they are far more difficult for a potential assailant to detect than are traditional security measures. Even if one PI operative is detected — regardless of whether the team has identified its targets — the surveillers' anxiety will increase because they likely will not know whether the person they encounter is a countersurveillance operative. This combination of countersurveillance, analysis and investigation can be applied in a number of other creative and proactive ways to help keep potential threats off balance and deny them the opportunity to take the initiative. Although a large global corporation or government might require a large PI team, these core functions can be performed by a skilled, compact team, or even by one person. For example, a person living in a high-threat environment such as Mexico City can acquire the skills to perform his or her own analysis of route and schedule, and can run surveillance detection routes in order to smoke out hostile operations. The details of the Pérez Merelles kidnapping indicate that it was a professionally planned and well-executed operation. Crimes of this caliber do not occur on the spur of the moment, but rather require extensive surveillance, intelligence gathering and planning — the very types of activities that are vulnerable to detection through the proactive tool of PI.

Tell Fred and Scott what you think
Get your own copy