This is the third and final part of an ongoing series focused on the Hostile Events Attack Cycle. To this point, the attacker has gone through the planning and preparation stages necessary to identify a target, visualize the attack, and plan for the immediate aftermath. As we enter the final three phases of the Hostile Events Attack Cycle, the attacker now transitions from visualization to implementation. It begins with Pre-Attack Operations and carries through the execution of the attack.
Pre-Attack Operations. Pre-Attack Operations is one of the less defined and more flexible elements of the Attack Cycle in that the attacker will need to do their pre-attack checks and inspections to ensure all the pieces of the attack are prepared and ready. Additionally, each attacker will start to focus on their own internal preparation in order to get mentally prepared for what is to come. This represents a small but unique vulnerability for alert and aware bystanders who may be able to disrupt potential attacks by being attuned to behavioral changes.
This phase represents the last opportunity for the attacker to review the target, review all the notes and planning considerations, and get all the equipment needed for the attack consolidated in one area. These Pre-Attack Checks (or Pre-Combat Checks or Inspections, using military terminology) are the last chance to check to make sure all the major pieces, or equipment, needed for the successful completion of the attack are accounted for, are functioning, and ready for the attack. This includes individual equipment as well as team equipment, such as vehicles. Some of the checks that attackers will review:
- Weapons accounted for and functioning
- Specialty gear necessary for the attack on hand and working
- Plans reviewed and verified to include individual actions at the target site
- Escape plans reviewed and verified
- Water and food on hand and packed, if necessary
- First aid gear
- Plans reviewed and verified to include individual actions at the target site
- Escape plans reviewed and verified
- Dry run/map rehearsal of actions at the target site
- Vehicles working
- First aid available and packed
- Communications devices working between team members
- Equipment checked and loaded
This check represents the last chance to reinforce details and review the plans and preparation to conduct the attack. It also represents the last chance the target may have to disrupt the attack prior to the attempted conduct. While escape is technically the last phase of the cycle, there are some plans that may end at the attack – as we have seen in some terrorist and active-shooter incidents. As a result, the attacker may recognize the finality of their upcoming actions and decide to take part in activities that they would not normally do. The New Jersey Office of Homeland Security and Preparedness noted that “family members, peers, and close contacts may be the first to notice radical shifts in behavior and attitude, as well as unusual Internet activity.” This was after a family member notified law enforcement of someone’s erratic behavior. The man was arrested and charged with plotting to build a pressure-cooker bomb and detonate it in New York City to “kill as many people as possible” in support of the Islamic State.
The shifts in behavior may also manifest itself in various ways. Some individuals may withdraw, or withdraw further, from their friends and family; others may begin to engage in reckless behavior knowing that their outcome is predetermined; others may look to establishing or re-establishing a connection with religion; others may seek to reconnect with lost friends or family or wrap up personal matters. Some individuals may start giving away cherished personal effects or items to those closest to them without much explanation. These shifts are not necessarily things that may happen abruptly or immediately before the act but can occur over a period of time, with some happening immediately beforehand.
Finally, for some attackers, this Pre-Attack Operations period can create vulnerabilties. Some attackers may get jittery and feel compelled to visit the target location or unnecessarily validate their surveillance with one final run-through. The Nice, France, terrorist drove through the area in the same truck he would use to kill more than 80 people two days later, scrutinizing locations and evaluating the best place to execute his attack, in addition to going through a period of time using drugs and engaging in unusual sexual behavior. This type of suspicious behavior by the attacker created two potential vulnerabilities that may have been pieces of information authorities could have used in a larger puzzle.
The Attack. The attack is the culmination of the Hostile Events Attack Cycle; all the planning and preparations will go into a moment that will define both the attacker and target. Additionally, the success of the attack will be directly tied to the amount of planning and preparations made. Did the attacker understand the security situation? Did the attacker accomplish their goal? Did the attacker do what was necessary to ensure success?
Even with all the planning and preparation, the attack could still go wrong. The New York City subway attack on Dec. 11, 2017, is one such instance. The attacker had a plan, he executed the plan, and yet at the moment of attack the device did not work as expected. While there were some injuries, the attacker suffered the most and additional damage and destruction was averted.
The Escape. Consider some of the below events when thinking about an escape:
- Las Vegas – While there are still questions that may not be answered, it was clear that this was a carefully planned and orchestrated event. What is not completely clear is whether an escape was part of that plan. Initially, there were reports that indicated the attacker may have planned an escape, and to survive for a period of time after the attack. However, the final report from the Las Vegas Metropolitan Police Department never called this out and instead noted the ways in which the attacker blocked the potential path of first responders, which would indicate an escape was unlikely and he planned for a different outcome.
- Somalia truck bombing – On Oct. 14, 2017, at least 358 people were killed and more than 300 hundred were injured in what is one of the worst terrorist attacks in the world over the past several years. A truck laden with military-grade and homemade explosives detonated outside a hotel. The truck was stopped at a security checkpoint and was about to be searched before the driver crashed through the barriers and detonated the vehicle. The target was believed to be the Ministry of Foreign Affairs. For the driver, there most likely was not an escape plan, especially when confronted with an enhanced security measure, but the planners more likely remain in hiding and may never be identified. It is important to point out that while this attack still had devastating impacts, the attack planning may not have anticipated the security checkpoint, and could have potentially caused more destruction if it reached its intended target.
Workplace violence can be represented in two scenarios:
- Maryland office shooting – In October 2017, an employee with a history of workplace violence, angry temperament, and criminal history killed three employees and wounded two others at a small business in Maryland. The investigation suggested that the attacker, perhaps understanding his pending fate, sought out another individual with whom he had quarreled with in the past in Wilmington, Del., before being apprehended in Glasgow, Del., instead of continuing to flee.
- San Bernardino – While not recent, this 2015 attack is an example of a workplace violence/active-shooter scenario that was well-planned and included an escape plan. The investigation into the attack that killed 14 and wounded 22 showed that the attackers had planned various types of attacks as far back as 2011, and it could have been worse if left-behind bombs would have detonated as planned.
Some of the reasons that make an escape a challenge result from the extra coordination and logistics required. An equally important challenge is that an attacker cannot completely plan for the response from first responders, security elements, or eyewitnesses, making any such planning and preparation difficult and time-consuming. An attacker can conceivably have a plan for escape but can’t very easily conduct a rehearsal realistically replicating similar conditions, or events. In the Boston Marathon bombing, the attackers fled the scene with the intent of additional attacks. Ultimately, the attackers carjacked a vehicle and set off a series of events they could not have planned or anticipated, which led to one attacker’s death and the subsequent arrest of the other.
Another immeasurable factor in planning an escape is the adrenaline rush that accompanies an attack. The attacker has just completed an attack and is on an emotional high with a big adrenaline spike. However, if not trained for, the rush can lead to mistakes. According to Psychology Today, “With a big hit of adrenaline, we tend to lose situational awareness. Our brains perceive danger and prepare us for ‘fight or flight.’ We lose our peripheral vision and focus on what is right in front of us. Our brain works to filter out any sound extraneous to the direct threat (auditory exclusion). We hyperventilate or hold our breaths. In some instances, this is exactly what we need to get out of harm’s way, but in many intense situations, we need to be able to think clearly, hear what people around us are saying, breathe deeply to send oxygen to our brains, and act effectively to be able to survive the situation or master the skill we are learning.”
In other attacks, escapes are not part of the plan, or death is viewed as the final escape, and is never a consideration as part of the attack. Depending on the attacker’s moral, ethical, or religious views, death may be viewed as the ultimate achievement in support of their beliefs and cause. And in other situations, such as workplace violence murder-suicides, death may be the escape from events in their life or the event that pre-empted the violence.
Depending on the attack method, prevention can vary. For lone actor attacks and with individuals who are isolated or ostracized within their community, prevention can be extremely difficult. However, there are some common indicators of an individual’s movement towards violent action that can be detected and provide opportunities to frustrate plots and prevent tragedy. According to “Making Prevention a Reality: Identifying, Assessing, and Managing the Threat of Targeted Attacks,” a 2017 FBI analysis, “Each bystander in a person of concern’s sphere represents an opportunity to identify potential warning behaviors.” Behavior supports assessments as to the appropriate level of concern and guides management strategies. While some attacks are thwarted at the “last second,” security personnel, supported by a trained and aware workforce, have the opportunity to detect and interdict plots before they reach the lethal attack phase.
Prevention is not and cannot be a passive process.
Know the Threat. Recognize the threats and their capabilities. Have there been previous attacks on your organization directly, or on similar facilities? What types of capabilities do potential attackers have? What attacks have occurred against other sectors or targets that may be applicable?
Security Briefings/Information Sharing. Incumbent upon knowing the threat is developing information-sharing relationships internally and externally. Security organizations should ensure that all employees are aware of the potential threats so they can be prepared in the event of an incident. Externally, information-sharing exchanges about threats and threat tactics between organizations will ensure better preparedness and development of plans. This should include industry groups, such as Information Sharing and Analysis Centers (ISAC), community security groups, relationships with local fusion centers and law enforcement, and other appropriate formal and informal groups. Reach out to local neighbors and law enforcement to enhance understanding and coordination regarding threats and response.
Threat briefings are an important part of helping employees recognize behavior patterns and should be offered at a regularly scheduled interval. These briefings should not just focus on nation-state sponsored or terrorist-inspired attacks. These should include active-shooter and workplace-violence attacks. Case studies and field studies by law enforcement organizations are excellent training aids to help train employees and alert them to warning signs.
In addition, several existing programs are available to organizations to help prevent these type of attacks; the Department of Homeland Security advocates “If You See Something, Say Something” while the U.S. Army has established a Threat Awareness and Reporting Program. These programs both work to provide training to employees on behaviors as well as to give people an outlet for reporting suspicious behavior. Additional training and references include:
- Indicators of an individual’s movement towards violent action. DHS has developed several sites with useful reference material organizations can access to help inform security awareness efforts including Active Shooter focused sites (see here and here) and a website focused on Countering Violent Extremism and regarding “Hometown Security.”
- Crisis management and communications teams should work together to provide employees and vendors with a “What to Communicate” and “What Not to Communicate” sheet to reduce and minimize threats.
- Reinforce security education and drills. Short, “hip-pocket” overviews that can be taught in limited time windows can remind employees, and especially help part-time or seasonal employees, to focus on the basics, such as identifying and reporting suspicious behavior.
Formalize the Security and Incident Response Plan. One of the critical tasks within these phases lies in the incident response. Based on the threat, and each location, each organization should develop the appropriate plan to protect its people, facilities, and data. Additionally, how will each organization respond to a security incident/attack? It’s important that all employees and emergency responders, internal and external to an organization, have a copy of and an understanding of emergency plans.
Training/Rehearsals/Exercises. Once the plan is in place, it needs to be communicated down to every employee, discussed during training events, and rehearsed through drills and other exercises. Rehearsals and exercises are also effective tools in identifying potential weaknesses in the plan that can be worked out and improved upon.
Organizations should build and rehearse an employee accountability plan. This plan is a low-cost measure that a company can take to ensure they capture one of the critical first steps in incident management and response. Build a plan, examine the plan and recommend changes, conduct occasional accountability drills across the organization, rinse and repeat. This plan should focus on immediate incident response accountability actions, engagement/interactions with first responders, and company procedures and communications regarding unaccounted-for employees.
Employ Random Active Measures. Random Active Measures are actions by security elements that are enacted “randomly” to throw off the cycle. They introduce an element of uncertainty for the attacker. Attackers will surveil during all hours to identify patterns and find the best time to conduct an attack. If this planning is disrupted by random security measures it may throw off planning and cause the attacker to choose another target. Some examples include 100 percent ID card and bag check, changing guard force over time, adding pop-up barriers or new traffic patterns, roving security patrols through parking lots or throughout the external parts of the building, or vehicle inspections.
It is important to note that while implementing all the best security measures and having well-planned training will create an alert and aware organization, some attacks may still be successful or have secondary consequences. This is the enduring challenge for security organizations. However, with forward planning and preparedness, minimizing vulnerabilities and reducing the threat attack areas, organizations can be prepared to detect and respond to these events.