Protective Operations: Countermeasures and Surveillance Detection
Performance Objectives

At the conclusion of this training, the student will be able to:

1. Define what protective intelligence is and how it is used to predict and prevent an attack.
2. Identify the protective intelligence functionary.
3. Identify information needs as related to protective intelligence.
4. Define the roles and responsibilities of the protective intelligence team member.
5. Define: surveillance, surveillance detection, counter-surveillance, and anti-surveillance.
6. Identify the objective of adversarial surveillance.
7. Identify the methods of adversarial surveillance.
8. Discuss unpredictability and its application to protective operations.
9. Define a route survey and explain how it is applied to protective operations.
10. Explain what a surveillance detection route is and how it is used in protective operations.
11. Define sweep vehicle and its uses in protective operations.
12. Identify common mistakes in adversarial surveillance.
13. Define “Cooper's Colors” and its application to protective operations.
Introduction

Protective operations are mission-specific efforts to prevent and respond to threats to personnel. By leveraging lessons learned and capitalizing on successes, the goal of providing protection can and will be realized. The goal of protective operations is to detect pre-attack planning, prevent the attack from occurring, and make the attack difficult to effectuate.

Proactive tactics and operations are almost always better than reactive measures: prevent the attack by detecting it in the early (pre-operational) stages, or deter it by presenting a robust and hardened target. It is in the early stages of the attack cycle that an adversary will formulate an initial target list, conduct initial/low-level surveillance, move to final target selection and ultimately move on to the attack phase. By maintaining an alert posture and applying effective counter-surveillance measures, it is possible that the adversary will defer to an easier target. This concept is not limited to personnel protection; it applies to the entire system of proactive protection doctrine.
The graphic to the left illustrates the phases in the attack cycle. It begins with a broad target list; moves to initial target surveillance; progresses to a refined target list; focuses target surveillance on the short-list; moves on to planning/rehearsal; and finally to the attack event. By presenting the hardened target, as noted, an adversary may move on to less difficult selections.
I. Goals of Protective Intelligence

A. Develop current knowledge of specific threats against the principal. Conduct in-depth research to learn about the principal's inherent threats and vulnerabilities.
B. Establish and maintain daily contact with local, state, national (host-national) law enforcement and intelligence agencies. Early on, establish primary and secondary points of contact. Network and establish contacts.
C. Analyze, assess, and apprise the protection team of potential threats based on available intelligence.
D. Recognition of pre-attack indicators:
   1. Group Specific (Intelligence)
   2. Threat Specific (Surveillance)
   3. Incident Specific (Recognition)

IA. Protective Intelligence Officer

A. The Protective Intelligence Officer (sometimes referred to as the PIO) is the primary coordinator.
B. Establishes liaison with and manages the intake of threat intelligence.
C. Maintains required systems to manage, analyze and control threat intelligence.

II. The Intelligence Process

A. Intelligence is collected from law enforcement, intelligence sources (informants/agents) and open source.
B. Upon receipt, intelligence is sorted by pre-defined intelligence needs and action requirements.
C. Intelligence gaps are closed through liaison and source engagement.
D. Regular assessments are provided to the protection team and partners as information needs dictate.
E. The process of threat intelligence is a constant. Additional capabilities and information needs may dictate changes in daily operations based on threat reporting or changes in operating environments.

III. Information Needs

A. At a minimum, the following intelligence needs should be satisfied:
   1. Threat Assessment of Principal (Perpetual Process)
   2. Open Source Information related to Principal (Perpetual Process)
   3. Dynamic Threats (Perpetual Process)
   4. Historical Threats to Principal (Archival)
   5. Changes in Principal Status (Situational)
   6. Daily Principal Assessment (Daily)
B. Dependent upon the particular mission or tasking, the following informational needs may develop:
   1. Location Threat Assessment (Pre-arrival and daily)
      1a. Local Threat Groups (LTG)
      1b. Local Health Concerns (LHC)
      1c. Local Political Dynamics (LPG)
      1d. Historical Threat Review (HTR)
   2. Travel Threat Assessment (Pre-departure and daily)
      2a. Mode Inherent Threats (MIH)
      2b. Mode Historical Threat Review (HTR)
      2c. Dynamic Threats (Situational)

IV. Functions of Protective Intelligence Officers (PIO)

A. Establish contact and daily liaison with all potential sources of information required to provide for the full picture. Sources can include household staff, venue specific employees and related.
B. Ensure information flows both ways. If, in the process of collecting threat intelligence, information of interest to partner agencies is developed, ensure it reaches the right party (in compliance with any applicable restrictions).
C. While addressing all information needs to provide for the full picture, ensure priority information needs are addressed with a critical drive.
D. Provide regular updates to the protective operations team as information is developed. Solicit feedback and identify changing information needs.

V. Surveillance

As part of the seven-step Attack Cycle, surveillance occurs at least twice. The frequency provides for the opportunity to detect and potentially disrupt an adversary's operation. By knowing why an adversary conducts surveillance and how to detect it, you may influence their decision as to target selection.

In most cases, the person conducting pre-operational surveillance will be loosely connected to the operational cell of a group; this provides a break between operators and the person conducting the surveillance. Frequently untrained, their sole purpose is to document and report, frequently through an intermediary or via a dead-drop.

Surveillance is conducted to:

A. Develop initial target lists.
B. Refine target lists.
C. Formulate plan and method of attack.
D. Identify escape and evasion routes (if not a suicide attack).
E. Identify members of protection team, support personnel and related.

By recognizing how surveillance is conducted and why, the members of the detail can reverse that knowledge and engage in counter-surveillance and anti-surveillance measures. These can include engaging in fixed site reverses, shielding aspects, misdirection and subterfuge operations. Remember, surveillance is a critical part of the Attack Cycle. Disrupt surveillance and you may disrupt an attack.
It may not be you or the principal under protection that is the target of surveillance; depending on the circumstances, the location or another close principal is the target.
VI. Methods of Surveillance

A. Fixed
B. Moving
C. Technical
D. Combination
E. Progressive

Each type and method of surveillance has its advantages and disadvantages. Depending on the circumstances, some methods are easier to detect than others. For example, the presence of fixed surveillance at the principal's residence may be easier to note than moving surveillance where the adversary employs multiple vehicles.

Fixed: the surveillant(s) remain at a fixed location to conduct observation. Presence may be dictated by principal activities. Examples include: adjacent bus stops, taxi stands, street vendors, overwatch buildings, adjoining offices and the like.
Moving: any application of movement; foot, automobile, motorcycle, aircraft, etc.
Technical: similar to those techniques used in investigative operations; bugs, concealed cameras, wire taps and intercepts.
Combination: any combination of methods.
Progressive: segmented, overlapping and long-term.
VII. Unpredictability

Due to the nature of protective operations and the principal's schedule, it can be a challenge to build unpredictability into the routine. The advantage of unpredictability is that it widens the adversary's gap of exposure and increases the chance of detection. When possible:

A. Alternate Routes. Identify alternate routes and junctures along each route where an alternate route can be taken. This will ensure escape options remain a constant and evasive measures are available, if needed.
B. Varied Departure and Arrival Times.
C. Vehicle Changes
   1c. Alternates
   2c. Subterfuge
   3c. Configuration
D. Double back
E. Destination Secrecy
F. Dummy Motorcades
G. Alternate Destinations
VIII. Route Security

Whenever possible, the designated route should be pre-traveled well in advance of the primary transport and immediately prior to the actual transit. This provides a defined picture of the roadway condition, potential choke-points, area concerns and alternate/escape routes. When conducting the pre-drive, documentation is always advisable. This will provide the primary driver and support drivers an early look at the roadway, its particular features and any nuances therein. While applications such as Google Maps and Street View have found their way into protective operations, they should be used with the caveat that some images are quite dated and features are subject to frequent change.

A. Route Analysis and Survey.
   1a. From the adversary's perspective, identify likely attack points.
   2a. Identify likely concealment points.
   3a. Identify likely escape routes.
   4a. Identify refuge/safe locations.
B. Identify Choke Points and Bottlenecks.
C. Locate safe havens, places of refuge, hospitals and law enforcement facilities. Highlight these locations on the pre-travel route map and travel itinerary.
D. When possible, obtain overheads that illustrate the entire route. Highlight items identified in C.
X. Surveillance Detection Routes (SDR)

A. As a means to detect surveillance, an SDR is used as part of the proactive process of identifying potential surveillance and in presenting a robust target.
B. SDR Design.
   1b. Identify chokepoints.
   2b. Normal travel actions and behavior.
   3b. Site/location compatible.
   4b. Backup/trailing eyes.
XI. Sweep Vehicle

The Sweep or Advance Vehicle is used to detect trailing or advance route surveillance. Members engaged in sweep activity must remain nondescript and be subtle in their activity.

A. Sweep follows detail to identify possible fixed, mobile or progressive surveillance.
B. Direct engagement is not advised.
C. Communication with primary and intelligence is critical.

XII. Common Adversary Surveillance Mistakes

Even given that most surveillance is conducted by loosely affiliated members, the conduct of such provides for the opportunity to detect and disrupt. Even professionally conducted surveillance presents some common indicators:

A. Coordinated Movements.
B. Disguises.
C. Communication Equipment.
D. Observation/Documentation Equipment.
E. Note Taking.
F. Unusual interest in protection personnel rather than the principal.
G. Acquisition or attempts to access overwatch positions.
H. Possession of principal or detail information (photos, bios, etc.).
XII. Keys to Detection

Paying close attention to people can provide for detection. While those conducting surveillance may change clothing, apply disguises or change vehicles, there may be an opportunity to detect unusual or notable characteristics.

A. Replace casual observation with a close attention to detail.
B. Establish standards of reference: color, make, model, direction and time.
C. Define standard observation, notation and reporting protocol:
   1c. Vehicles:
       a. Year, make and model
       b. Type, size and color
       c. License
       d. Unique characteristics
   2c. People:
       a. Sex
       b. Race
       c. Height
       d. Build
       e. Age
       f. Unique characteristics
D. Establish a standard format to document and analyze reporting. Through effective analysis, patterns and trends may be detected.
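
As an added illustration of items C and D (example code, not part of the original handout), the vehicle protocol can be kept as a structured record and analyzed for repeat sightings across locations and days. The field names, thresholds and sample reports are assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime as dt

@dataclass(frozen=True)
class VehicleSighting:  # hypothetical record layout following item C.1c
    when: dt
    location: str
    direction: str
    year: int
    make: str
    model: str
    color: str
    license: str
    unique: str = ""  # dents, stickers, damage and similar

def _norm(text):
    return "".join(text.upper().split())

def match_keys(s):
    """Correlation keys: the plate, and description plus unique characteristic
    (the second key still matches when the plate has been changed)."""
    keys = [("plate", _norm(s.license))] if s.license else []
    if s.unique:
        keys.append(("desc", _norm(s.make + s.model + s.color), _norm(s.unique)))
    return keys

def repeat_sightings(sightings, min_locations=2, min_days=2):
    """Return {key: sightings} for vehicles seen at several locations or on several days."""
    groups = defaultdict(list)
    for s in sightings:
        for key in match_keys(s):
            groups[key].append(s)
    flagged = {}
    for key, group in groups.items():
        locations = {s.location for s in group}
        days = {s.when.date() for s in group}
        if len(locations) >= min_locations or len(days) >= min_days:
            flagged[key] = sorted(group, key=lambda s: s.when)  # leads for analyst review
    return flagged

# Constructed sample reports (not real data).
SAMPLE = [
    VehicleSighting(dt(2024, 3, 4, 7, 40), "Residence", "N", 2015, "Toyota", "Camry", "grey", "ABC 1234", "dent rear bumper"),
    VehicleSighting(dt(2024, 3, 5, 17, 10), "Office", "S", 2015, "Toyota", "Camry", "Grey", "XYZ9876", "Dent rear bumper"),
    VehicleSighting(dt(2024, 3, 4, 7, 45), "Residence", "N", 2019, "Ford", "Transit", "white", "DEF5555"),
    VehicleSighting(dt(2024, 3, 5, 12, 0), "Office", "E", 2018, "Honda", "Civic", "blue", "JKL 222"),
    VehicleSighting(dt(2024, 3, 5, 19, 30), "Restaurant", "W", 2018, "Honda", "Civic", "blue", "jkl222"),
]
```

Calling `repeat_sightings(SAMPLE)` flags the Camry by its description and dent even though its plate differs between reports, and the Civic by its plate; the van, reported once, is not flagged.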
XIII. Cooper Color System

Jeff Cooper developed a system tied to set colors to denote condition of alert. Similar to the current system of color-coded alerts used by DHS, these colors reflect threat and operating conditions.

A. White. Unaware of surroundings.
B. Yellow. General awareness.
C. Orange. Heightened awareness.
D. Red. State of action/engaged.
E. Black. Shock.
Notes: The presence, notation or reference to any copyrighted, trademarked or protected name, title or product is neither an endorsement nor reflection as to any involvement by the respective owners. Any name, title or reference is solely for reference purposes. This product was prepared independently as part of professional development and is not reflective of agency policy, procedure or official opinion. Please direct feedback, questions, or suggestions to Jonathan Greenstein email: firstname.lastname@example.org