Initial reports regarding this month’s mass shooting at Marjory Stoneman Douglas High School in Parkland, Fla., cited an ominous potential dynamic that gave counterterrorism experts cause to contemplate whether we were seeing yet another evolution in sophistication of the lone active-shooter. The fact that the school conducted a fire drill earlier in the day and the shooter later activated the fire alarm at the initiation of his attack reminded us of an important anti-terrorism lesson – one that is no less relevant because it may not have been the exact methodology employed by the Parkland shooter. Although it appears that the assailant was not as calculating as the initial reports may have suggested, there are practical lessons and implications that must be proactively addressed to effectively prepare for future attacks.
The Parkland shooter initiated his attack by triggering the school fire alarm system, which initially compelled hundreds of unsuspecting students to expose themselves as more vulnerable by running toward the exits, and the shooter. Whether the shooter understood the specific vulnerabilities presented by the Parkland emergency evacuation procedures or, more likely, based this plan on a general knowledge of how the students would respond,[i] the event demonstrated the often-overlooked challenge that emergency safety and security procedures present. In fact, the irony that security professionals must appreciate is that the very procedures enacted to protect facilities and their occupants during an emergency situation can actually be exploited by a determined and calculating threat actor to render the facility and its occupants even more vulnerable.
A basic understanding of the terrorist attack planning process and how other like-minded threat actors can be expected to approach their objectives provides ample perspective regarding this complicated security challenge.
Sophisticated terrorist organizations execute a relatively consistent attack preparation process that is based largely on the collection of information to maximize the probability of mission success. Terrorist operatives observe potential targets during the planning phase of an operation to determine strengths, weaknesses, and vulnerabilities. During the final stages of preparation, terrorist operatives observe and collect information to finalize attack planning with a detailed focus on specific vulnerabilities that can be effectively exploited to enable the attack. Key to these final preparation efforts are detailed evaluations of security procedures, which may include “tests” and “probes” of security.
As a target surveillance technique, terrorists conduct tests of security at potential target locations to gather data on specific security procedures. Such activities include approaching security control points or moving into sensitive areas to observe security or law enforcement responses. Specific areas of interest to terrorists include how long it takes security or law enforcement to respond to an incident, the number of responding personnel, and the routes taken to a specific location. Probing efforts to test security usually involve a plausible reason for observing the practices and effectiveness of security at a specific point, but they could also include more blatant efforts to penetrate physical security barriers or test the response procedures to assess strengths and weaknesses.
A common method employed by threat actors to test security measures is to prompt a potential target location/facility to initiate security response procedures — commonly by delivering anonymous threats (e.g. telephonic, email threats) — to observe the reaction procedures of security forces and occupying personnel. A basic example of a test of security is the “suspicious package” threat. This scenario involves a readily observable item (e.g. box, briefcase, suitcase) that is left unattended in a suspicious location. In many cases in responding to these situations, security professionals (to include explosive ordnance disposal) conduct the meticulous and deliberate process of neutralizing the potential threat only to find that it was inert/innocuous all along. Too often, the relief and satisfaction of performing a safe and successful neutralization may lead to a tendency to disregard the fact that no one returned during the hours of drama to claim the item, nor was there a feasible explanation for why the item was left unattended in the first place.
Emergency safety and security procedures are planned and executed to minimize the loss of life and resources during a specific emergency situation. As with the example of the response to the “suspicious package,” this dynamic can lead to a single-minded focus that results in “blind spots,” which the calculating adversary can readily exploit. Augmenting these “blind spots” is a tendency to attribute the triggering actions to “prank” calls, emails, or other guises. This perspective represents a minimalist approach into which security professionals cannot allow themselves to fall.
Although the “suspicious package” example is not most relevant to an active-shooter situation, it does demonstrate how taking the seemingly appropriate actions in regard to emergency response can actually be leveraged against the practitioners in the future. The “suspicious package” example reflects the common tendency to narrowly assess emergency reaction exercises purely from the standpoint of how well they followed the plan and how successful they were in accomplishing the immediate objective. In this example, however, the event enables a threat actor to determine how long it takes for the item to be reported to police or security forces, how long it takes these forces to respond, and the specific procedures employed in responding to and addressing the situation. Given this pervasive threat potential, these events should be evaluated from a “worst-case scenario” perspective, with the assumption that the emergency situation was orchestrated as an opportunity for a threat actor to observe and identify vulnerabilities. Only then can the plan benefit from the standpoint of what a calculating adversary observed, how that adversary will take advantage of this intelligence, and how the plan must be adjusted to prevent the adversary from gaining advantage from this knowledge in the future.
Schools and other similar potential active shooter/terrorist targets employ emergency response procedures that are very effective in practice, but simply do not stand up when executed in the face of a knowledgeable, determined, and calculating threat actor. From the mind of an active shooter or terrorist intent on maximizing casualties, areas of interest in observing security/safety response procedures will include chokepoints where large volumes of occupants exit the facility, and other “target rich” locations such as where individuals congregate after evacuating a threatened facility. Post-exercise facility re-entry procedures are another vulnerability of potential threat interest due to a tendency to rush occupants back to work.
There will be many lessons learned from the Parkland school shooting, but one that should not be lost in the clutter of the more obvious debates is a lesson that cannot be relearned too many times. As a standard practice, security managers should ensure that emergency reaction drills/exercises are evaluated from the standpoint of the vulnerabilities that an adversary conducting pre-attack surveillance and planning would observe if present. Even if it is a pre-planned (and even unannounced) emergency exercise such as a fire or bomb threat drill, security managers should assume that potential attackers are observing the measures to identify vulnerabilities for exploitation during a future attack. Particularly when an event is not pre-planned and is stimulated from an external source, security managers must be increasingly vigilant in observing the event from the eyes of a calculating and determined adversary. The tendency to write such events off as pranks or system errors is a classic example of underestimating the threat. At the other, appropriate extreme, sophisticated security planners will incorporate surveillance detection methodologies during the execution of emergency response procedures as an active threat countermeasure based on an exacting understanding of the terrorist/threat target attack planning process and hostile surveillance techniques.
By evaluating emergency response procedures and exercises from the standpoint of the adversary, security professionals will identify the same vulnerabilities the enemy would. This perspective enables the proactive implementation of threat mitigation procedures to anticipate and prevent the enemy’s actions at specific points of vulnerability. This “red team” approach enables security professionals to evaluate their emergency response procedures through the eyes of the enemy. As a result, for example, informed emergency response plans will proactively deploy armed security personnel to locations such as chokepoints and assembly areas where known vulnerabilities in the previous plan existed.