The FBI Charlotte SWAT team conducts a training exercise in North Carolina during the summer of 2019. (FBI photo)

These Indicators Could Be Warning Signs of the Next Attack

A common theme in security planning is working toward a state of preparedness to be in a position to help reduce or mitigate the risk of a hostile event from a number of all-hazards threats. Part of this process is recognition of the indicators that may signal that a threat may be targeting a specific person or location, or that an individual may be on the path toward hostile activity. With the recent number of hostile events, specifically active shooter incidents, now is a perfect time to remind all organizations about the importance of not only having a reporting process in place in which employees can highlight these suspicious activities, but also to train employees to recognize these behaviors.

There are several different ways in which attackers reveal indicators in either their actions or behaviors that may give insight into things that may happen. There are challenges and questions about whether these indicators lead to an attack or whether they are protected actions, but these indicators are actions or behaviors that another person could reasonably believe are not normal activity. In either event, having a formalized security plan that focuses on the threat, as well as building information sharing relationships and training employees, can help prepare organizations to both identify suspicious behaviors and report concerns appropriately. All these actions can help move an organization to being proactive versus reactive and toward an overall state of preparedness.

Hostile events have continued to dominate the physical security space over the past year and they have routinely been the subject of public- and private-sector reporting. In almost every instance, part of the mitigation strategy to reduce risk is placing an emphasis on the importance of being alert and aware for signs and indictors to identify suspicious behaviors or actions, and to report concerns to a supervisor or law enforcement. This message has been promoted by federal agencies through the DHS “See Something, Say Something” campaign, which encourages each organization to adopt a similar approach internally. DHS even designated Sept. 25 as National “If You See Something, Say Something” Awareness Day. “By designating a day to the campaign, the Department hopes to highlight the importance of suspicious activity reporting. Informed, alert communities play a critical role in keeping our nation safe.”

This program has been successful with several threats and incidents mitigated by individuals who have reported suspicious behaviors, sometimes involving people closest to them. Some of these include:

  • Earlier this month, a mass shooting was averted after Fort Worth police received a call from a father who reported his own son. The father said that his 27-year-old son wanted to buy guns and go on a rampage and wanted to kill many people in something that was similar to the Midland-Odessa shooting at the end of August.
  • In August 2019, North Carolina police arrested a High Point University (N.C.) student “who admitted to planning a mass shooting” at the school. The 19-year-old was charged with “two felony counts of having a gun on campus and an additional count for making threats of mass violence… after a classmate reported him.” The man allegedly had ammunition and two firearms in his dorm room, had been plotting the shooting since December and had studied previous shootings, including the 2015 church shooting in Charleston, S.C.
  • Also this August, a California hotel worker may have prevented a mass shooting after the worker reported a disgruntled colleague who had threatened to shoot staff and guests.
  • In December 2018, Texas police arrested an armed man “who allegedly said he was on his way to a nearby church to fulfill ‘a prophecy.’” The incident started when a woman called to report an armed man wearing a surgical face mask and tactical-style clothing. When responding officers arrived, he was “oddly dressed” and claimed he was heading to a nearby church to carry out an undisclosed prophecy.
  • In February 2018, an 18-year-old was arrested after his grandmother found a journal detailing plans to shoothis classmates at a high school in Everett, Wash. When officers responded to the house, they “were shown excerpts of the journal and were told the grandson had a semiautomatic rifle stored in a guitar case.”

These are just some of the many instances of individuals reporting suspicious behaviors and activities. “Law enforcement authorities nationwide reported a spike in tips from concerned relatives, friends and co-workers about people who appear bent on carrying out the next mass shooting.”

Understanding and recognizing the variety of hostile event indicators is the foundation of prevention: what they are, what they mean to the respective organization, and how they can be seen within the business. Indicators are predictors of unfavorable events that can adversely impact organizations – they monitor changes in the levels of risk exposure and can contribute to the early warning signs that enable organizations to report risks, prevent crises and mitigate them in time. In simpler terms, hostile event indicators are behaviors that are not what could be construed as normal behaviors. In and around the workplace, are there individuals or activities that stand out, or may cause someone to question who they are, what they are doing, and why they might be doing it?

Questioning behaviors out of the norm is a good starting point, and coupled with additional resources, such as the DHS “Recognize The Signs Of Terrorism-Related Suspicious Activity” infographic, can further help individuals and organizations:

  • Expressed or Implied Threat. Threatening to commit a crime that could harm or kill people or damage a facility, infrastructure, or secured site. Without question, these types of threats need to be taken seriously. One example that highlights the risk of not reporting is in the Aurora, Ill., shooting in February 2019 in which an attacker told a co-worker earlier that he would kill people if he got terminated; however, the co-worker thought the comment was an off-the-wall expression and not real.
  • Breach/Attempted Intrusion. Attempts to enter a restricted area or impersonating authorized personnel.
  • Recruiting/Financing. Funding suspicious or criminal activity or recruiting people to participate in illegal activity.
  • Surveillance. A prolonged interest in or taking pictures/videos of personnel, facilities, security features, or infrastructure in an unusual or covert manner. Last week, a New Jersey man was indicted on charges he supported Hezbollah by scouting possible targets for an attack. These targets included locations in New York City (New York Stock Exchange, UN headquarters, the Statue of Liberty, Rockefeller Center and local airports, tunnels and bridges), Washington D.C. (the U.S. Capitol and Lincoln Memorial, and Boston (Fenway Park and the Prudential Center).
  • Acquisition of Expertise. Seeking out or gaining skills or knowledge on a specific topic, i.e. facility security, military tactics, or flying an aircraft.
  • Sabotage/Tampering/Vandalism. Damaging or destroying part of a facility, infrastructure, or secured site. Some of these types of incidents may seem minor in nature but they signal that there is interest in the location. In instances of vandalism, it could be an indicator of a larger hate-based threat in the area that may escalate or be demonstrated in other type of threats.
  • Theft/Loss/Diversion. Stealing or diverting items, i.e., uniforms or badges, that belong to a facility or secured site.
  • Eliciting Information. Questioning personnel beyond mere curiosity about an event, facility, or operations. This indicator gets tricky because it can be difficult to distinguish between someone who may be interested in an individual’s job and someone who is trying to elicit information for nefarious purposes. Referencing back to the baseline of behaviors that might be considered out of bounds or not normal, a stranger taking undue attention in your line of work and what you do, or asking questions that may cross the line when dealing with sensitive topics, may be indicative of an individual working in the target selection and initial surveillance phases of the Hostile Events Attack Cycle (HEAC). The information they can glean from an unsuspecting employee may help them develop their plan.
  • Materials Acquisition/Storage. Acquisition and/or storage of unusual materials such as cell phones, radio controllers, or toxic materials.
  • Testing or Probing of Security. Investigating or testing a facility’s security or IT systems to assess the strength or weakness of the target.
  • Misrepresentation. Presenting false information or misusing documents to conceal possible illegal activity.
  • Weapons Collection/Storage. Collection or discovery of unusual amounts of weapons including explosives, chemicals, or other destructive materials.
  • Aviation Activity. Operating or interfering with the operation of an aircraft that poses a threat of harm to people and property. Drones are one such indicator in this category. Drone activity can constitute harassment, or surveillance. Operators can use drone activity to test response times and learn about security and defenses that may be used by a target location. And in certain locations, drone activity would be unusual. A drone in a residential area might not be as significant as a drone in an industrial or downtown location. It would appear out of place and not something that would normally occur, and therefore should be reported.
  • Cyberattack. Disrupting or compromising an organization’s information technology systems. When discussing blended threats, cyber incidents or activity could be a precursor or the start of a larger attack.
  • Sector-specific Incident. Actions that raise concern to specific sectors (e.g., commercial facilities, or a subsector such as lodging or public assembly) with regard to their personnel, facilities, systems, or functions.

In addition to these suspicious activities, there are also individual behaviors that friends, family, co-workers and associates may be able to recognize that could point to signs of trouble. Using the principle of acts that would not be considered normal as a foundation, some potential warning signs that may lead to a Pathway to Violence in interactions with others may include those listed below. These indicators are important to understand because they recognize behaviors that could highlight issues within an individual that could result in a triggering event. These events are issues that could push an individual over the proverbial line. They could develop into grievances between the individual and a potential target. According to the FBI’s “A Study of Pre-Attack Behaviors of Active Shooters in the United States Between 2000 and 2013,” on average, each active shooter in the time period displayed 4 to 5 concerning behaviors that were observable to others – the most frequent ones were related to the shooter’s mental health, problematic interpersonal interactions, and leakage of violent intent.

One of the key resources for all organizations is the DHS Security of Soft Targets and Crowded Places Resource Guide. This guide “provides an easy to use method to quickly find information on a wide range of free capabilities that can be incorporated into the security practices of organizations of all sizes.” In addition to identifying suspicious behaviors, the guide addresses security screening procedures to include bag checks, protecting against unmanned aircraft systems (i.e., drones), bomb threats, and hostile events to include active shooter situations. The guide provides helpful links to training materials and instruction, aids and tools, as well as videos and websites for reference.

Referring back to the HEAC, these indicators can signal a couple different things:

  1. These indicators may point to an attacker in a specific phase of their planning and preparedness of an attack. During various parts of the planning, an attacker may be vulnerable to exposure in order to learn more about the target. For example, an indicator may signal that the attacker is doing pre-attack work, i.e., target selection and surveillance, and reporting this suspicious behavior may disrupt that attack.
  2. Reportable behaviors are just one small part of a puzzle. While first line defenders may observe a behavior, the larger organization may be aware of threats against their location based on coordination with local law enforcement, government partners, or fusion centers. This piece of information may help build out the larger puzzle/threat.

These are just some of the indicators that could signal a suspicious event. Context matters in these situations; however, it is important individuals do not try to rationalize or “explain away” an event, or think that someone else may report it. As noted above, identifying suspicious incidents or behaviors may be a prelude to a hostile event. Following the HEAC process, surveillance activities can signal a potential target, while individuals’ behaviors could signal an issue with a potential attacker that could lead to an active shooter situation. One common indicator is the warning signs that emerge in the days and weeks leading up to the shootings – for example, “many shooters taking to social media to vent outrage at whatever is troubling them.”

But there is a risk with increased awareness as well, especially when looking at individual behaviors. Within the U.S., the Constitution protects the rights to free speech and to bear arms, so while actions may be concerning to some people, they may not actually represent an impending attack. Further, with so many social media platforms, it is unrealistic to expect law enforcement to be able to see everything. This is where the added context and the whole picture needs to be put together by organizations. The foundation remains within an organization’s policies, processes and procedures to not only respond to a threat but help in identifying that threat. Within those processes is having a process to report suspicious incidents or behaviors, for appropriate intervention. This means that organizations help establish the conditions and processes that can work toward ensuring the safety of you and your colleagues. DHS’s pathway to violence looks at:

  • Being aware of drastic changes in attitude toward others.
  • Taking note of any escalations in behavior.
  • Providing any information that may help facilitate intervention and mitigate potential risks.

It’s a collective effort; prevention is not and cannot be a passive process.

  • Formalize the Security and Incident Response Plan. It’s important that all employees and emergency responders, internal and external to an organization, have a copy of and an understanding of emergency plans.
  • Establish a reporting process. Part of that security plan is ensuring employees know what to do should they identify suspicious activities. As noted by DHS, “contact your supervisor or your human resources department to alert them of potential dangers and enable them to mitigate any emerging risks.” And if that isn’t possible, then individuals should report to local law enforcement or the FBI.
  • Know the Threat. Incumbent upon knowing the threat is developing information sharing relationships internally and externally. Security organizations should ensure that all employees are aware of the potential threats so they can be prepared in the event of an incident. Externally, information sharing exchanges about threats and threat tactics between organizations will ensure better preparedness and development of plans.
  • Training / Rehearsals / Exercises. Once the plan is in place, it needs to be communicated down to every employee, discussed during training events, and rehearsed through drills and other exercises.
  • Employ Random Active Measures. As it relates to hostile events, Random Active Measures are actions that are enacted “randomly” to throw off the HEAC process. They introduce an element of uncertainty for the attacker. Some examples include 100 percent ID Card and bag check, changing guard force over time, adding pop-up barriers or new traffic patterns, roving security patrols through parking lots or throughout the external parts of the building, or vehicle inspections.
(Visited 29 times, 3 visits today)

David Pounder is the Director, Threat and Risk Analysis at Gate 15 and serves as an Information Security Officer for a leading financial organization. He advises on both physical and cyber security issues, and specializes in counterterrorism, force protection, and counterintelligence efforts.

Leave a Reply

Latest from Counterterrorism

SIGN UP NOW for FREE News & Analysis on topics of your choice across homeland security!

BEYOND POLITICS.  IT'S ABOUT THE MISSION. 

Go to Top
Malcare WordPress Security