
Crime & Justice International
November/December 2006

Volume 22 Number 95

Worldwide News and Trends


technology
TrapWire

Preventing Terrorism
by R. Daniel Botsch and Michael T. Maness
Special to CJI

It has become commonplace to declare that the world has changed since the attacks of September 11th. We are all acutely aware of the new security challenges and threats we face from terrorism across the globe. Yet, our approach to protecting high-value targets has not significantly changed with the times. We adhere to the traditional approach to counterterrorist security the world over, which is to harden the target. Build bigger and thicker walls, install fencing and delta barriers, station armed guards at conspicuous locations, check all vehicles and personnel entering the facility, etc. This approach, often referred to as "gates, guns and guards," may mitigate the consequences of an attack, but it will do little to prevent the attack from occurring.

The successful attacks on Khobar Towers in 1996 and on the U.S. embassies in Kenya and Tanzania in 1998 demonstrated that terrorists can devise ingenious methods to overcome the best of physical security. This is a highly troubling situation, given that we continue to invest heavily in the three Gs.

The central weakness of this approach is that physical security is typically designed to protect against the actual attack. By focusing on stopping the attack once it is launched, however, we are attempting to counter the terrorist at his point of maximum strength and, conversely, at our moment of maximum vulnerability. This choice, whether by default or design, plays into the hands of the attackers and cedes a significant advantage to them.

R. Daniel Botsch is a Vice President at Abraxas Applications and the leader of the TrapWire program. Prior to joining Abraxas in 2002, Mr. Botsch managed a business intelligence unit that monitored political, economic, security, and market dynamics for a Global 100 energy company based in London. Mr. Botsch also served 11 years as an intelligence analyst at the Central Intelligence Agency and holds an MBA from the University of Chicago.

Michael T. Maness is the Director of Counterterrorism Services at Abraxas Applications. Mr. Maness joined Abraxas Applications following service with the Central Intelligence Agency where he directed counterterrorism and security operations in the Middle East, the Balkans and Europe. As a senior operations officer and field operations manager, he was instrumental in combating al-Qaeda's operational units in the immediate wake of 9/11.

The terrorists create this advantage through meticulous preparation, more specifically through the practice of extensive pre-attack surveillance of the intended target. Long before the attack is launched (in some cases years before) the terrorists will case the target site(s) to collect intelligence in impressive detail. Additionally, they will often case multiple targets in search of an exploitable vulnerability at a chosen site before moving on to the attack stage.

For example, prior to the attack on Khobar Towers, a 3-person surveillance cell from Saudi Hezbollah cased the target site on 40 separate occasions over a period of at least 18 months. They also cased the U.S. Embassy in Riyadh, the U.S. Consulate in Dhahran, and a local market used by the servicemen housed at Khobar Towers. Similar activities preceded the attacks on the Alfred P. Murrah Federal Building in Oklahoma City (1995), the U.S. embassies in Kenya and Tanzania (1998), and, more recently, the attacks on the commuter trains in Madrid (March, 2004), on the U.S. Consulate in Jeddah, Saudi Arabia (December, 2004), as well as the London subway attacks (July, 2005). It is likely that hundreds of surveillance operations were conducted during the months leading up to these events.

The public release in July 2004 of information on al-Qaeda surveillance operations in the U.S. provides a glimpse of the types of information collected by terrorists. In 2001, al-Qaeda operatives cased the IMF and World Bank buildings in Washington, D.C.; the global headquarters of Prudential Financial, Inc. in Newark, New Jersey; and the New York Stock Exchange and Citigroup headquarters in New York City. Their surveillance reports included hundreds of photographs of the targets; estimates of the square footage of glass at one of the high rise towers; details on site security measures and ways in which they could be defeated; descriptions of employee badges and the lanyards they hang on; maps of outdoor smoking areas used by the target sites' employees; the work habits of security guards; and much more. It is clear from the information collected that these terrorists had visited the sites on numerous occasions, taking photographs, querying guards and employees, counting the number of persons and vehicles entering a site, and even entering the buildings to probe security. Yet the knowledge that these surveillance operations were underway did not come from the security personnel protecting these buildings. All of this information was discovered on al-Qaeda computers after a raid on one of the group's safe houses in Pakistan.

[Photo: Oklahoma City Bombing]

While this preparatory activity increases the effectiveness of the terrorists on the day of the attack, it also represents their primary vulnerability. To collect the information needed to carry out a successful attack, the terrorists must approach their targets on multiple occasions and for extended time periods. During these casings, their activities can be detected by security personnel and others at the target facility in the normal course of their duty. In fact, it is often determined in post-attack investigations that the terrorists indeed were observed while planning their attacks, but no one was able to connect the dots in a manner that allowed for attack prevention.

This problem has been the focus of our company, Abraxas Applications, for the last three years. Abraxas was formed by former senior U.S. intelligence officers shortly after the attacks of September 11. While much of its work is in the national security realm, the company also offers products and services targeting the private sector security and intelligence market. In the spring of 2003, Abraxas assembled a team with extensive experience in the areas of counterterrorism, surveillance and surveillance detection operations, and intelligence analysis to create a system capable of detecting the terrorists' pre-attack activities and thereby provide advance warning of pending attacks. The objective was to offer civilian facilities the type of surveillance detection and counterterrorism capabilities found today at high-threat U.S. government sites, only without the significant cost associated with those programs.
The system this group devised is called TrapWire™, and it promises to provide information on precisely which facilities are being targeted for attack and by whom, as well as valuable insight as to when the attack will occur and against which facility vulnerability. TrapWire does this by providing a structured format for reporting on suspicious activity near a facility. The structured reporting format instills a level of discipline in collectors and facilitates data mining. Suspicious activity reports from all facilities on the TrapWire network are aggregated in a central database and run through a rules engine that searches for patterns indicative of terrorist surveillance operations and other attack preparations.

The strength of TrapWire is the simplicity of the collection formats, combined with the sophistication of its rules engine. TrapWire collectors can enter suspicious activity reporting, or what TrapWire terms "events," into the system in approximately 60 seconds. The structured data input mechanism enables collectors to quickly identify the location and time of the event, the surveillance activity, the suspected surveillant's behavior, and a description of any individual or vehicle involved. TrapWire is integrated with a site's existing video surveillance system, which allows for the easy attachment of video clips of the suspicious activity to the event report. Once the event is entered into the database, the TrapWire rules engine analyzes each aspect of the report and compares it to all previously collected reporting across the entire TrapWire network. Any patterns detected (links among individuals, vehicles or activities) will be reported back to each affected facility. This information can also be shared with law enforcement organizations, enabling them to begin investigations into the suspected surveillance cell.

[Photo: Crater caused by the detonation of car bomb at Khobar Towers, inset.]

The effectiveness of the TrapWire system is dramatically increased through the sharing of suspicious activity reporting. The terrorist modus operandi for planning an attack begins with the leadership tasking the surveillance cell to find a suitable target for attack. The leaders may provide guidance to the surveillance team regarding the target type (U.S. government building, chemical facility, etc.) and/or the target's geographic location (Washington D.C., New York City, etc.). The surveillance cell will then begin to canvass the targets in what is known as the Target Assessment phase of the surveillance cycle. This is probably what the al-Qaeda surveillants were doing against the headquarters of Prudential Financial, Inc. and other financial targets in 2001. The probability of their casing activity being detected at each site would largely depend on the professionalism of the surveillants and the observation skills of the security personnel protecting the targets.

Sidebar: Excerpt from a Terrorist Casing Report

Cameras: In the... corners of the (facility), at each there is a round opaque (black) tinted camera in the ceiling. This is the kind that can rotate inside and look in any direction whilst the person that it is focused on is unaware that all eyes are on him. Apparently, they are not the long-range type and are obviously looking mostly at what may be coming in and out...Outside there is only one visible one. ... facing completely downwards, peering at what appears to be a staff entrance.

However, it is a mathematical certainty that the probability of detection can be significantly increased through the sharing of information. For example, suppose that the terrorists case eight facilities in an effort to find a target with a suitable vulnerability. Let us also assume that the probability of detection of surveillance activity is 10% at each facility. If the eight facilities operate in isolation, the probability of detection stays at 10%. However, if the facilities share their threat data, the probability of detection increases to 57%. Moreover, once the surveillance cell is detected and the information is communicated across the network of eight facilities, the probability of detection increases again as security personnel now have descriptions of the individuals and vehicles involved in the casing operations, any associated video clips, as well as information on the timing and focus of their activities. In essence, we now know who they are, at least by sight, and their modus operandi.

The sharing of security-related information requires a change in our traditional way of doing business. Information on security, vulnerabilities, and threats is considered sensitive and/or proprietary, and usually for very good reason. However, in building TrapWire, Abraxas included several features designed to overcome the reluctance to share security information. First, the system only shares information on threats to the facility. The type of threat report shared across the network would include the following type of data: A white male, early thirties, medium build, 5'11"-6'2", brown hair, clean shaven, wearing sun glasses was seen videotaping the vehicle entrance to a port facility in the Miami region on 9 October at 9:43 am. However, no one outside this facility will receive any information on possible vulnerabilities or other security issues at this site. The facility in question will receive additional information, including which facility vulnerability was under surveillance, from which location, etc. Also note that the facility is referred to as "a port facility in the Miami region." Each facility can decide for itself how it will be described. It is important, however, that information be provided indicating the target type and region. This allows other facilities on the network and law enforcement authorities to gain insight as to the sector or region targeted by the terrorists.

Ultimately, each facility on the network will decide for itself how widely its information will be shared. With regard to information-sharing policies, the network will operate on a reciprocal basis.

The TrapWire system comes with training in terrorist surveillance practices that teaches security personnel, and other potential collectors, how a terrorist organization, or criminal group, conducts surveillance operations. If possible, the training is done at the site to be protected. This allows Abraxas to incorporate the environment surrounding the facility into the training by providing realistic scenarios on how the facility's neighborhood will be used against it by the terrorists. As a result, the trainees are sensitized to the best locations from which to case their facility, the best times of day to surveil, probable deterrents to the terrorists, and other factors affecting such operations. This training vastly improves the quality of reporting and the probability that surveillance activity will be detected. Refresher courses for collectors will be available in computer-based modules later this year.

TrapWire is a significant step toward changing our approach to counterterrorism security in the post-9/11 world. This system moves beyond physical security to provide greater situational and environmental awareness. More importantly, it provides the intelligence needed to change the balance of forces between the terrorists and site security personnel. Those protecting critical infrastructure and other high-value sites can now turn the tables on the attackers by exploiting the terrorists' vulnerability. They can incorporate some of the best practices developed by U.S. government facilities in high-threat areas to prevent attacks on their people and assets. Combining TrapWire with existing security infrastructure (security personnel, video systems, access control systems, etc.) will shift the advantage to those on the defense and dramatically increase the return on investment of existing security infrastructure. This can be done by refocusing our security resources from protecting against what will happen on the day of the attack, the defender's point of maximum vulnerability, to targeting the terrorists during their pre-attack surveillance operations, the terrorists' point of maximum vulnerability.
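The 57% figure in the article's eight-facility example can be reproduced as follows. This derivation is added here and is not part of the original article; it assumes that detection at each facility is an independent event with the same probability $p = 0.10$, and that a detection at any one of the $n = 8$ facilities is shared with all of them.

$$P_{\text{shared}} = 1 - (1 - p)^{n} = 1 - (0.9)^{8} \approx 1 - 0.430 = 0.570 \approx 57\%$$

A facility operating in isolation only learns of the cell if its own staff detect it, so its probability remains $p = 10\%$.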
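A minimal sketch of the cross-facility correlation and threat-only sharing the article describes, added here as an illustration and not Abraxas's or TrapWire's code. The field names, the exact-match rule on normalized descriptions, and the sample reports are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    site: str      # internal facility id (assumed field); never shared
    label: str     # facility's self-chosen description: target type and region
    when: str      # ISO 8601 time of the observation
    activity: str  # what the observer was doing
    subject: str   # normalized person description ("" if none)
    vehicle: str   # normalized vehicle description ("" if none)
    focus: str     # site feature being watched (owner-only detail)
    vantage: str   # where it was watched from (owner-only detail)

def view(ev, owner):
    """Threat fields for every recipient; focus and vantage only for the owner."""
    shared = {"facility": ev.label, "when": ev.when, "activity": ev.activity,
              "subject": ev.subject, "vehicle": ev.vehicle}
    return {**shared, "focus": ev.focus, "vantage": ev.vantage} if owner else shared

def correlate(events):
    """Return {(field, value): [events by time]} for values seen at 2+ sites."""
    index = defaultdict(list)
    for ev in events:
        for field in ("subject", "vehicle"):
            if getattr(ev, field):
                index[(field, getattr(ev, field))].append(ev)
    return {k: sorted(v, key=lambda e: e.when) for k, v in index.items()
            if len({e.site for e in v}) >= 2}

def notifications(events):
    """Per affected facility: each link, with other sites' reports redacted."""
    out = defaultdict(list)
    for link, evs in correlate(events).items():
        for site in {e.site for e in evs}:
            out[site].append({"link": link,
                              "events": [view(e, e.site == site) for e in evs]})
    return dict(out)

# Constructed sample reports (not real data).
EVENTS = [
    Event("SITE-A", "a port facility in the Miami region", "2006-10-09T09:43",
          "videotaping", "male, early thirties", "white van EX-1",
          "vehicle entrance", "lot across the road"),
    Event("SITE-B", "a chemical facility in the Miami region", "2006-10-11T14:05",
          "photographing", "", "white van EX-1", "loading dock", "public sidewalk"),
    Event("SITE-C", "an office tower in the New York region", "2006-10-12T08:30",
          "counting vehicles", "female, forties", "", "garage ramp", "cafe opposite"),
]
```

Calling `notifications(EVENTS)` notifies SITE-A and SITE-B of the shared vehicle; each sees its own report in full and the other's without `focus` or `vantage`, and SITE-C's unlinked report generates nothing.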
