Kudos to the CIA and its intelligence partners for foiling the latest Al Qaida bomb plot out of Yemen.  It appears the explosive device destined for a U.S.-bound flight was an improvement over previous models like the one used by Abdulmutallab aka the Underwear Bomber in December 2009.  The lead azide detonator is more reliable.  Being devoid of metal obviously makes this IED that much harder for screeners to find.  It would seem the al Asiri lab is making headway.

That terrorists are improving their methods and adjusting their attack strategies in step with ourimprovements to security methods and technology is surely no surprise.

Some public and media responses to this news event are disconcerting:

Reporter “There could be other bombers out there.”  Could?  There are surely many other bombers aching for the chance to hit the West, training and plotting as you read this.

A traveler interviewed by a reporter stated “we aren’t going anywhere near Yemen, so we‘re OK.”  A bomb can be infiltrated onto an aircraft in Yemen and detonated by a passenger terrorist flying to destinations across the globe.  Proximity to Yemen is so not the issue.

Once master bomb-maker al Asiri is stopped, the threat will abate.  Not if he is training a new crop of bomb makers.

The bomb never got on a plane, the terrorists accomplished nothing, so why make such a big deal out of this?  The government is trying to fuel panic to justify security expenditures.  It’s just politics.  While I’m sure there’s always a political angle, I’m likewise sure that there is a viable terrorist threat.  I haven’t heard an Al Qaida representative say “OK, you win.  We’ll stop now.”

CNN provides nice coverage here:

http://edition.cnn.com/2012/05/08/world/al-qaeda-evolving-strategy/?hpt=hp_t1

Tourists come to Tel Aviv, also known as “The City that Never Sleeps” to enjoy its beaches and cafes, its museums, funky architecture, vibrant culture and night life.  At the same time, Israel is a tiny country, with no shortage of enemies, often a target.  Israelis may well be fun loving and irreverent, but they take security very seriously.  There, homeland security is not theoretical but rather existential.  And thus Israel has earned the unfortunate distinction of being amongst the world’s best when it comes to security.

What better place, then, to learn about using a threat-oriented security approach than in Tel Aviv?  That is exactly what you can do this fall, by joining Chameleon’s Homeland Security Laboratory seminar, November 4-10.  Participants will study concepts and methods in the classroom, and will learn how to construct threat-oriented security based on adversarial methods.  Next step?  Test what they’ve learned in the field.  Part of the beauty of these basic principles are that they are applicable to any secured environment.  Attendees return home with an effective and useful toolkit, and an exceptional understanding of what it takes to make it happen.

If we were to sit around and brain storm ideas on how to terrorize a given country, someone might come up with a plot that involved imbedding malware in IT and electrical components sold to enemy defense contractors or governmental agencies.  Whether the notion arrives as part of such a session, or out of the pages of recent history, thinking like the enemy is the only reasonable way to proactively strategize against a viable and potentially devastating attack.

What I may never understand is why

we are so slow to defend against this Trojan Horse-esque MO.  The U.S. GAO last week issued a report in which it identified risks associated with global supply chain procurement of IT equipment and software by some federal agencies.  Stricter procedures and measures must be implemented given the risk potential of this particular threat.  A strike to the technological heart of our critical infrastructure would obviously be crippling.

Not that it was necessarily virgin ground, but some would say that Stuxnet cleared the source code path for more attackers to engage in cyber warfare.  Whether that particular piece of malware is a milestone or not, defense against it cannot come fast enough for me.

In preparation for the 1972 Summer Olympic Games in Munich, organizers asked Dr. Georg Sieber, a police psychologist, to sketch out the possible scenarios that would jeopardize the safety of the Olympic Games and to prepare requisite security training.  Sieber identified twenty-six highly detailed scenarios, which ran the gamut from hijacked jets, remote controlled bombs and smuggled arms.  In his method, he extrapolated from his study of the most notorious terrorists of that era, including the IRA, PLO, ETA and the Baader-Meinhof gang.

His scenario Number 21 went something like this:

At 05:00, a dozen armed Palestinian terrorists will scale the six-foot high perimeter fence of the Olympic village and make their way to the building that houses the Israeli delegation.  They will kill a few of the hostages they take and demand the release of prisoners from Israeli jails as well as a plane on which to escape.

At the time, this threat assessment scenario was dismissed as preposterous.  As it happened, the attack and massacre of the Israeli athletes on September 5^th occurred almost precisely as Dr. Sieber predicted.  Was Sieber psychic?  Ah, no.  I would say that he was simply analyzing the situation from the point of view of the potential aggressors as part of a proactive defense strategy.

Many factors informed the security decision processes that resulted in this disaster and the failed rescue attempt that followed.  Prominent among them was the German desire to obliterate the memory of Hitler’s 1936 Olympics.  A pessimistic, doomsday prediction and the security in place to prevent it, would just drag down the mood they wanted to promote.

Especially when it comes to security, why does wishful thinking so often trump diabolical reality?  Why do we shoot the messenger?  It’s the enemy, the terrorists, suicide bombers, crazed and desperate dictators whose scenarios we have to deal with, whether we like it or not.  We can’t successfully defend ourselves by picking and choosing those enemy tactics with which we are most comfortable.

For many years now, Chameleon Associates has provided training and consultation on how to identify external adversaries, on how to mitigate attempts to defeat physical security access or a security screening process.  But when you think about it, all bets are off and physical security is rendered benign in the face of internal threat.  This is the reason why effort, resources and training should also be put into how a company’s or agency’s human resources, including contractors, are screened.

Predictive Profiling is an excellent security tool for both for pre employment screening and for screening an existing employee base.  How is this accomplished?  In the hiring process, just as in terrorist mitigation, look for indicators from an applicant’s background, application, resume and interview.  Some would argue that a background check is good enough.  I think not.  A background check reflects only past, known, criminal behavior and provides neither a full picture of a person nor of their intent.  What’s more, the more sophisticated the adversary, the less likely he or she has a criminal background, anyway.

Periodic screening of current personnel including contactors is also important and something for which Predictive Profiling is very useful.  The goal is to identify indicators that relate to vulnerability to recruitment, the possibility of already having been recruited, of conflicting allegiances, and so on.

Internal threats can range from espionage – stealing information, employees, assets or co opting company strategic plans, to conducting terrorist and criminal activities from within.  Examples of such ‘inside jobs’ abound but the Hassan shooting at Fort Hood comes to mind.  The hotel bombings in Jakarta in 2009 were accomplished with the critical help of a florist with shops on the premises.  Another example is the largest diamond theft ever – the robbery that took place at Schiphol in 2005, which according to police, could not have been pulled off without connections to the inside.  The robbers gained access to a KLM secure area, and knew precisely when, where and how to hijack  a truck carrying over a hundred million dollars worth of diamonds.

Let’s not barricade the front door while leaving the back door unlatched.

A client of ours, a Security Training Supervisor at a federal financial institution in the Midwest, called to chat.  They have been using Chameleon’s Predictive Profiling Online course as part of their curriculum for about a year now, and he called to tell me how pleased he is with the program.

Tell me more, I begged.

This is what he liked:

• The course information is taught using actual events and real situations via videos or in abundant reference materials.  The students aren’t given purely hypothetical scenarios but real ones that help drive home the point that there are real threats out there.  The supplementary background newspaper and magazine articles and videos place the ideas in a real life context which helps bring the ideas home for the students.

• This emphasis on the need for increasing threat awareness, and the way the course breaks down the reasons, helps shift his security personnel mentality away from “it won’t happen here” to a more proactive attitude.

• The security methods provided in the course are from a security-driven point of view, rather than a law enforcement one.  Many members of his staff come from a policing background and while they are terrific, there are important differences in approach that are carefully explained in the course.

• The Predictive Profiling course challenges assumptions and culture-driven stereotypes, making for a more realistic view of the threat.

Feel free to contact me with your own comments about Predictive Profiling Online.  You haven’t seen it?  Check out the demo at the bottom of this page link.  It’s always nice to hear good things but also important to get feedback on how we can continue to improve the course.

A story I heard from a client the other day confirms the simple power of security questioning as a really effective tool.  I’d like to share it with you.

A security officer who works for a large U.S. company had taken our Predictive Profiling and Security Questioning course.  Let’s call him Mike.  Mike was working the access control checkpoint at their main headquarters where both a metal detector and screening machine are in place.  These are located in a large lobby with a good deal of people traffic and activity.

A visitor to the facility approached to be screened and was flagged by the operator as having a questionable object in their bag.  Mike was asked to come over to help and he began by questioning the person.  Mike had in mind to try and identify any weakness in the person’s cover story via questioning.  It went something like this:

Mike:      Good afternoon sir.  May I ask you the purpose of your visit here today?

Visitor:   I am here to submit a job application

Mike:      What position are you applying for?

Visitor:   Mmm…I saw an ad in the paper that you are hiring.

Mike:      Yes, but for what position?

Visitor:   I thought you had to come here to see the job listings.

Mike:      No, that is not the case, we only publicize specific job openings. In which paper publication did you see this ad?

Visitor:   Ah …. [stuttering and stumbling]

Mike then decided to move the visitor to a different corner of the lobby while having another member of his security team watch to see who in turn might be watching The Visitor.  Mike walked the guy slowly to the other side of the room and sure enough, Mike’s spotter detected a cohort.

It turns out that the company Vice President of Security had arranged a red team of the facility where a fake visitor would try to infiltrate a (fake) explosive device in order to test the checkpoint security.  Management was surprised but very pleased to see how quickly their security officers got to the heart of the matter.  The red team was defeated.  Mike was a hero.  Questioning as a simple, flexible and effective security tool was reaffirmed.  Good going, Mike.

This month, some five years after his abduction by Hamas terrorists, Israeli soldier Gilad Shalit was released in exchange for 1,027 Palestinian prisoners.  Commentators from outside Israel are trying to puzzle out why Israel agreed to this swap.  Why was this lone soldier so important?  Some bloggers hypothesized that Shalit must come from a very powerful family.  (In fact, the Shalits are nondescript middle class folks from a tiny rural town.)  Generally, it makes little sense to many observers why a low ranking soldier would be exchanged for such a disproportionate number of convicted murderers.

In the context of national security, it really seems a dumb move.  Amongst the 1,000 released prisoners was the likes of confessed killer Mona Awana.   January 2001, in the guise of an American tourist, she succeeded in seducing a 16 year old Israeli high school student via online chat.  He met her in Jerusalem for what he thought would be a romantic dinner.  He and Awana instead drove to a location prearranged with the Palestinian gunmen who shot and killed him.  Also amongst the thousand released were convicted terrorists directly involved in the planning and execution of attacks in Israel that resulted in hundreds of civilian deaths.

Some people think that such exchanges set a bad precedent and that now Hamas and other terrorist organizations will kidnap more soldiers.  But the threat of such kidnapping hasn’t changed, it’s always on the agenda and I am certain that IDF vigilance against it is unchanged as a result of Shalit’s release.

Other folks interpret the exchange to mean that Israel calculates the human value of an Israeli soldier to Palestinian prisoners as 1:1,000.  As if Israel has a superiority complex.  But really, don’t you imagine that Israel would have preferred a 1:1 exchange?  The number is the product of negotiations where the Palestinians were going for the highest figure they could get.

The IDF is a conscripted army.  Prime Minister Netanyahu’s son is on active duty in the IDF.  Netanyahu’s brother was killed on a mission to save kidnapped Israelis in Entebbe.  For most Israelis, Gilad Shalit could be anyone’s son, brother, boyfriend.  One Israeli reporter ended his daily newscast over the last five years with a recitation of how many days Shalit had been in captivity.  In Israel, a small country, both the threat of annihilation and the soldiers tasked with defending against annihilation – are quite personal.  While there are differences of opinion within Israel on the subject, the majority of Israelis support the exchange while acknowledging that their communities are less secure for it.  For them, there was simply no other choice.

Since 9/11, the role of law enforcement has shifted with ever larger numbers of officers now working in counter terrorism.  Over 1,000 NYPD officers are engaged in CT; and 700 officers of the LAPD work directly in CT.  The effort includes community outreach to (for example) Muslim populations to develop positive ties and establish communication and trust.  The CT effort also involves the gathering, analysis and dissemination of intelligence.  CT HUMINT is an efficient and effective addition to the job description of law enforcement officers who are already working on the streets and intimately familiar with their communities.  Homeland Security is a national effort made better when played out locally.

COMINT and SIGINT offer amazing resources but sometimes no intelligence is as critical as that obtained via human interaction.  Having law enforcement take on this role naturally involves a job description adjustment that in turn requires new training.   A modified set of skills is needed for a law enforcement officer to be able to identify targets within an appropriate context.  What’s more, in order to recruit and cultivate sources, a HUMINT operator working on any level needs to understand the culture, politics and practices of the target community.  But perhaps the most important tool in the kit is being able to skillfully develop personal relationships.  Good HUMINT can’t be dictated.  It doesn’t arrive in a neat package.  It is up to the officers in the field to develop the excellent communication and observation skills needed to bring well corroborated, actionable intel to the table.  It is not easy but it is critical to our broader success in the war on terrorism.

Chat Downs is the term used to describe the TSA’s latest behavioral detection procedures currently being tested at Boston Logan and Detroit Metro airports. ‘Chat Down’ has a nice ring to it.  When done correctly, this kind of purposeful questioning should indeed be as casual and friendly as a chat.

Up until recently at the TSA, behavioral assessment was conducted by a Behavioral Detection Officer (BDO) looking for observable physical signs whether it be a facial twitch or an unusually sweaty body.  The chat takes assessment to a new and I think more effective level.

In a procedure similar to that of El Al Airlines, the TSA document checker asks passengers questions before they move on to the screening checkpoint.  The questioning takes on average 30 to 40 seconds. Those passengers who refuse to chat are assigned to undergo additional security measures.

The reason a verbal assessment trumps the observational one is that it can go in any direction the officer chooses to take it.  The chat is a versatile skill and an excellent offensive tool.  There are dozens of behavioral signs to look out for but there are an infinite variety of questions and topical directions to which a good questioner can go.

Since mid August, BDOs at the TSA have engaged over 130,000 passengers at Logan in this conversational screening effort.  One of the more vocal criticisms of this technique is that it would just take too long.  Yet, according to the TSA, it seems that overall wait times have not increased as a result of this program.  What’s more, suspicious behavior that came to light as a result of a chat led to over 10 criminal arrests.

Catching a terrorist among millions of travelers is a daunting task.  Questioning is a tool used successfully in many countries.  Why not add it to the TSA arsenal?  In any event, I for one would rather have a chat with a TSA officer rather than get frisked.