The TSA basically concurred with most of the IG’s findings and has promised to improve.  But let’s take a look at the basis for the SPOT program, its raison d’être.  How does its role fit into supporting the overall mission of the TSA?  Although identifying and assessing certain behaviors is one important element of a threat assessment, it is not the whole enchilada.  Not by far.

Means of Aggression vs Intent

The focus today of the TSA on the whole remains on finding the means of aggression: the knife, gun or bomb.  Looking for means is very, very difficult; ask a professional screener how hard it is to find a professionally concealed weapon of mass destruction in a suitcase.  Success in that is as much to do with luck than anything else.

Intent, on the other hand, is about an individual’s story as it is reflected in his documentation, his identity, and demeanor, how he answers questions and how he fits into the situational context.  Intent connects to how the adversary intends to fulfill his plan, to his methods of operation.  Had we been looking for intent instead of means, the 9/11 attacks might have been thwarted.  It is not just about behavior.  A twitch, nervousness, sweating can be attributed to all manner of human psychology and emotion.  The SPOT program has ferreted out many deceptive travelers trying to hide that they were engaged in criminal or immoral behavior.  But it is not enough.

Just as having regulations in place is not the same as having a threat mitigation methodology in place.  None of the regulations: restricting liquids, requiring that shoes be removed, body scans, none are threat oriented.  These rules only affect the 99.9% of passengers who are innocent travelers.  These rules have no impact on the bad guys who if they are any good at all, can easily find a way to get around the rules.  He won’t put the explosive in his shoe but rather in his socks.  He’ll pretend to be a pilot, wearing an easily obtained uniform and waving a fake badge as he breezes by.  He’ll become a frequent flyer.  He’ll use a mule who is less than 12 years old or more than 65 years old.

The whole system is built on fundamentally wrong thinking and simply lacks a cohesive methodology.  We are today at risk because the aviation security system is not countering adversarial methods as its overriding Mission.  It’s a hodge podge  Security personnel should instead be trained and given license make cognitive assessments and decisions. These would not based on a static list or on a whim but on solid guidelines for identifying indicators and determining if the indicator points to malicious intent.  The answer to improving things does not require increased budget or buying yet more technology, we have enough.  But it absolutely requires that we shift from looking for means to looking for intent.  Should intent be discovered, only then, if warranted, do we look for means.

Einstein said “No problem can be solved from the same level of consciousness that created it.  We must learn to see the world anew.”  Yet, TSA operations are basically unchanged from that which was in place before its birth, before 9/11.  Conceptually, we have the same system today that we did when the airlines were in charge of security, except that screeners may enjoy better employee benefits and there is more technology is in use, and there is less accountability for performance than there was when the outfit was private and not governmental.

The first half of 2013 has been busy at Chameleon.

PRODUCT REVIEW  We have received a glowing review in the ASIS International Security Management magazine on our Security Questioning 101, online course. Please link here to read the full review.

SCHOOL SECURITY ASSESSMENTS  Since the tragic shooting at Newtown, CT, twenty independent schools have turned to us for security assessments.  School administrators, faculty and parents are all included in our process which results in a customized, threat-oriented assessment detailing the security issues we uncover along with suggested solutions for the short, mid and long term.

SOUTH AMERICA  We have increased operations this year in South America.  Chameleon is providing specialized training for elite executive protection units in various Latin countries.  Due to an uptick in violence and crime in certain areas, we have also been conducting security assessments for high net worth individuals.  We cover these clients’ domestic and corporate environments, online presence as well as travel precautions and protocols.

INSIDER THREAT  COURSE   Our newest seminar: Countering Insider Threat has been well received at various locations in the U.S. and in Europe.  Attendees have given the course a thumbs up and seem to particularly enjoy the interactive exercises that are part of this unique and intense training.

ONLINE COURSES IN FRENCH AND SPANISH  We have been busy translating.  Later this year, our online courses will be available en français and español to expand our global reach.  Stay tuned for updates, s’il vous plait.

SECURITY QUALITY ASSURANCE  We have now begun to provide security quality assurance services for several of our clients.  Many organizations are frustrated with their guard services contractor’s performance.  They have come to the unfortunate realization that their security company is no more than a manpower company.  They find that the “security” part of the security guard service is missing.  That’s where Chameleon comes in to the picture as an independent entity, providing training, red teaming, testing, oversight and overall security quality assurance.

BEHIND THE SCENES OF ISRAEL’S HLS AND SECURITY OPS  Last, but certainly not least, we have set a date for our annual security seminar in Israel October 5-12, 2013.  This intense week is probably our most popular course.  Link here to read the full itinerary, get info about accommodations and registration.

Even a highly trained professional is stymied when the mission is missing.  Sure the chef could wing it, but he doesn’t know the clientele, is unfamiliar with the local produce, and is unapprised as to what has worked, and not worked, in the past.

In this analogy, a security officer is not unlike a chef.  And an SSOP (Security Standard Operating Procedures) is not unlike a menu.

Mind you, the SOP we have in mind is not just: make sure the doors are locked when you take your 22:00 tour.  That direction does not a mission make.  Too often, a security officer’s job may risk being limited to clerical and administrative tasks.  Yes, the security officer will do his detex tour.  He will make sure that his patrols are done on time.  Should something come up he will dutifully observe and report.  But that kind of SOP falls far short of being a proactive protocol that really secures a location or assets against adversaries.  It lacks threat-orientation and is essentially a laundry list of duties fulfilled in a vacuum.

Optimally, an SOP should reflect a mission which is related directly to potential security threats to a specific environment.  It is an active document that is modified as new intelligence comes in.  It demands of officers that they assert themselves by actively being aware of their environment and looking for indicators of problems – rather than waiting for a problem to arrive on their doorstep.  For a security officer to be good, he needs to be well trained.  But even a highly skilled guard is lost without an effective SOP.  A thoughtful, concise and threat-oriented SOP is the recipe for real security.

In the case of security services, having good people is even more critical.  The protection of lives and assets lies directly in their hands.  Although choosing the right person for a job is important, subsequent training is absolutely critical.  Without effective training, even the right people will not do a good job.  And with effective training, even weak workers can come up to speed.  Above all, when an employee really knows the mission, is well trained and empowered to act, expects to be tested and appreciates that testing will improve his skills … this is a highly motivating combination.  Nobody is satisfied with being mediocre at their job.  Raising the bar while giving an officer the tools to succeed improves both job performance and satisfaction.

It’s not enough to tell a guard “observe and report.”  He needs to be familiar with the explicit threats to the environment he is protecting.  In that specific context, what would be suspicious?  If he needs to approach someone, how should he engage them?  What should he say and why?  What is the best way to pose the questions?

Well trained guards with a sense of purpose and confidence in their abilities are happier guards.  The result is that turnover rates are reduced.  Clients see and appreciate the difference.  The bottom line improves.  There are a lot of security companies out there vying for business.  Offering a superior product – in the form of a highly trained security officer – is a fantastic way to beat out the competition and build a positive reputation in the marketplace.

The Israeli approach to security across venues is based on a logical, threat-oriented methodology.  Emphasis is placed on the human element conducting threat assessment in the context of suspicion indicators.  Israeli security personnel are well trained and constantly tested to insure quality performance.  For this and more, the opportunity to speak openly and at length with the crème de la crème of security professionals is invaluable. It’s the obvious destination for learning new tricks of the trade.

Students who take Chameleon’s seminars leave Israel with effective tools that they can share and knowledge they can disseminate, back home.  Many techniques represent a cost savings and surprisingly to some, improved customer service.  New training energizes an organization and does offer a return on investment.  In addition, attendees profit from networking opportunities.  And let’s face it, it’s an exciting and fun week.

For more information about Behind the Scenes of Israeli Security Ops: full itinerary, hotel, clearance and other information, please link here. http://chameleonassociates.com/SeminarTour13/index.php

In 1945, the Russians gave U.S. Ambassador Harriman a gift of an intricately carved wood replica of the Great Seal of the United States.  This goodwill gesture was delivered by school children.  The seal was displayed in his office in Moscow for seven years until 1952, when an electronic countermeasures sweep discovered that the seal was bugged.  The CIA, which was initially confounded by the workings of the device, dubbed it The Thing. It had no power or active electrical components.  Eventually it was determined that a radio signal on the correct frequency would activate the small device, remotely, a technology that made it very difficult to detect.  Léon Theremin, a Russian inventor who created this first electronic listening device, was highly awarded by his country for his achievement.

Later in 1960, Ambassador Lodge revealed the device at a session of the United Nations (see picture) to expose Russia’s spy agenda and counter that country’s complaints about U-2 plane espionage.

Whether on a national scale, or in the public or private sectors, eavesdropping can reap huge benefits for the perpetrator.  Technological innovation has exploded since The Thing was debuted.  Digital media in the form of telephone and data transmissions, email, texting and computer activity make the pond in which eavesdroppers fish more like an ocean.  Eavesdropping technology has likewise advanced, rendering spying relatively easy and inexpensive.

I wonder how many of our readers who have commissioned an electronic sweep, actually found a bug?  Although the statistics as to how often spying succeeds in catching a big fish, are low, the risks are very high indeed.  Just think of the kinds of conversations that take place across the globe in board and conference rooms where strategy is designed and critical decisions taken.

Making cyber and electronic sweeps a part of a comprehensive security system makes sense.  It’s not paranoia, it’s prudent.

Springfield, MA holds the dubious distinction of offering the cheapest supply of heroin in the U.S.  It is a poor, crime-ridden community plagued by gang violence.  But a fresh program has been underway there that adopts counter-insurgency methods used against terrorists in Afghanistan to be deployed in community oriented policing (COPS) on the local Springfield streets.

Previously, residents lacked trust in and therefore did not engage with law enforcement. By not calling in police when a crime took place, they were passively supporting the criminals.  It was common to see a gang member riding a motorcycle, an AK47 hanging off their back.  In a way, the situation was not unlike that of a third world warzone.  Taking advantage of a community that is failing economically and politically fragile is a tactic common to both criminals and terrorists, alike.  The Arab world, not surprisingly, has a word for leverage-able civil unrest and chaos:  “Fawda.”

The new approach was the brainchild of Massachusetts State Trooper Mike Catone, a military veteran who had deployed in a counter insurgency unit. In military fashion, a mission action plan was developed, a special unit carefully vetted and thoroughly trained was then embedded into the community.  The overarching goal was through charm, brute strength and perseverance to establish trust and develop a spirit of collaboration with residents.  Once positive relationships were established, and trust achieved, the law abiding citizens who are after all in the majority were working with the PD to fight crime, together.  The program’s success is measured in part by the spike in calls to the police about incidents and a flood of tips.

A weekly “local elders” meeting is held in Springfield which mimics those held with village elders in Afghanistan.  Representatives from across the community share information and collectively problem solve.  Data from the intelligence brought in from all collectors is then mapped by university students involved in the program.  The data plotting enables police to identify the criminal network hubs, force out leaders and break criminal links.

Counter insurgency has had a poor track record in Afghanistan and well, everywhere.  Hanging out in a native village, counter insurgency forces are at best tolerated as big, white Christian conquerors.  There, they straddle an awkward divide between being warriors and community social workers.  They will never constitute a real, accepted part of those communities.  In towns like Springfield, however, they are an authentic part of the picture.  Although  in this instance the term “counter insurgent” is a misnomer, these tactics have a better chance of success in countering gang-related and other crime on a local level than they did in Afghanistan.

See the CBS Sixty Minutes story here:

(And to think we were worried about West Nile virus!)

Aldrich Ames, arrested in 1994 for spying that resulted in the death of ten CIA agents, passed two polygraph tests while working for The Company.  Ana Montez passed the polygraph test she was given when she first joined the DIA.  Once it was revealed that she was a spy for Cuba, polygraphs were used as part of her interrogation.

Polygraphs are readily available but not commonly used.  In places where the polygraph is not part of regular assessment procedures, there is a stigma associated with giving such a test.  The implication in those instances is that the subject is not to be trusted or is potentially guilty.

Some folks are naturally anxious; their nervousness can lead to false positives.  Guilt grabbers are prone to feel guilty just at the mere thought of doing something wrong, skewing test results.

But how do people who do have something to hide manage to beat a lie detector test?

The polygraph tests for autonomic arousal.  It assumes that emotional response will result in physiological changes in blood pressure, pulse rate, perspiration/skin conductance, muscle movement and respiratory conditions.  A pretest is conducted by the operator to review the subject’s medical history and identify possible skewing factors like arrhythmia or a breathing irregularity.

Operators ask three kinds of questions: relevant, irrelevant and control, in order to establish a baseline.  Relevant questions might include What is your name? And Have you ever eaten a French fry?  Relevant questions are the important ones like Did you steal the car?  Did you leak the information to the press?  Control questions are compared to the relevant ones and ask something about which most people would say yes, although they may well be uncomfortable with the honest answer. For example, Have you ever cheated in a game?

The operator’s skill in crafting questions and assessing the person as the test unfolds is key to the test’s success.  It can be a game of cat and mouse.  A test taker will try to beat the machine by regulating his emotions and related biological response.  He might try to foil the machine by using antiperspirant on hands, forehead, nose and underarms before taking a test.  Here the idea is to constrict the sweat glands that galvanometers register as a sign of lying.  He might keep his answers to “yes” and “no” and avoid making explanations or getting into details that could tip the scale.  A test taker might also try to establish a positive rapport up front with the operator to create cognitive dissonance in the operator’s mind.  Gosh, he’s such a nice guy he could never do this horrible deed.  It’s probably easier to beat the operator than it is the machine.

There are many different kinds of lies: white lies “no, you really do look good  in that dress;” lies to protect someone else “My brother was with me that evening;” lies for fun “I dated George Clooney when I lived in Italy and was working as a model;” malicious lies “I had nothing to do with the murder.”  A good liar will be able to deliver any misinformation with uniform detachment.

Of course, just as a lie detector test is infallible, so too are the methods that might be employed to try to beat the system.

So what do you think…?

Whether the attack goes beyond evil aspiration to action is another matter.  We have been just plain lucky that widespread evil intent has not been more successful over the past decade as it was to horrific effect in Boston, yesterday.

It is odd to me that the public or the media need to wait to be told that the blasts were perpetrated by terrorists – either a group or a lone wolf.  It is somehow odd that the president needs to officially proclaim that the attack was indeed terrorism.  That there could be a split second doubt in anyone’s mind as to the nature of the event reveals a fear of acknowledgment.  An avoidance of the realities we currently face.

For an example of how we resist reality, take the July 4^th, 2002 attack at Los Angeles International Airport where Hesham Mohamed Hadayet, armed with two guns and a hunting knife, started shooting travelers at a ticket counter.  That he chose to do this on Independence Day was not coincidental.  That he chose to kill people at the El Al Airlines ticket counter was likewise not coincidental but no doubt a factor that limited fatalities to two people.  The armed El Al security agent moved quickly to neutralize him.  Authorities claimed at the time that this was an isolated incident.  It took a year before the FBI and DOJ officially concluded that Hadayet was trying to make a political statement in favor of the Palestinians and that he was a terrorist bent on becoming a martyr.  It was not an isolated incident.

In the decade since 9/11, the roster of terrorist events – many unsuccessful or still in the planning stages but nonetheless – is in fact lengthy: Ft Hood, the Times Square bomb, Seattle Jewish Federation, the Portland Christmas Tree guy, Aurora Cinema, the Underwear Bomber and so many more.  And that is just in the U.S.; worldwide incidents number in the thousands.

Chameleon website traffic statistics skyrocketed today, as did general requests and inquiries.  Clients who had been sitting on proposals chose today to call and say, hey let’s move forward with the program.  But what is different today than last week?  I don’t believe we can afford to be reactive.

Here’s another kind of reactive that I just don’t understand: in response to the Boston bombings, police were put on high alert all over the place.  It was ‘all hands on deck.’  For what?  Absent solid intelligence of a widespread plot that includes Southern California, why should the Boston Marathon bombing serve as a stimulus to a response in, say, San Diego?  It is an embarrassing, knee jerk reaction that does not serve us well.

So often, students at Chameleon trainings lament that although the proactive threat mitigation methods we outline seem great, their company’s management won’t go ahead unless something big happens.  But something big is already happening.  In New York.  In Washington, DC.  In Los Angeles, CA.  In Portland, OR.  In Fort Hood, TX.  And in a city near you.