The Secrets of Countersurveillance
By Fred Burton
Almost any criminal act, from a purse-snatching to a terrorist bombing, involves some degree of pre-operational surveillance. In fact, one common denominator of all the different potential threats — whether from lone wolves, militant groups, common criminals or the mentally disturbed — is that those planning an operation all monitor their target in advance. However, while pickpockets or purse-snatchers case their victims for perhaps only a few seconds or minutes, a militant organization might conduct detailed surveillance of a target for several weeks or even months.
Regardless of the length of time surveillance is performed, however, the criminal or militant conducting it is exposed, and therefore vulnerable to detection. Because of this, countersurveillance (CS) — the process of detecting and mitigating hostile surveillance — is an important, though often overlooked, element of counterterrorism and security operations. CS is especially important because it is one of the few security measures that allows for threats to be dealt with before they can develop into active attacks.
An effective CS program depends on knowing two "secrets": first, hostile surveillance is vulnerable to detection because those performing it are not always as sophisticated in their tradecraft as commonly perceived; and second, hostile surveillance can be manipulated and the operatives forced into making errors that will reveal their presence.
The First Secret
Various potential assailants use different attack cycles, which vary depending on the nature and objectives of the plotter. For example, the typical six-step terrorist attack cycle does not always apply to a suicide bomber (who is not concerned about escape) or a mentally disturbed stalker (who is not concerned about escape or media exploitation). It is during the early phases of the attack cycle — the target selection and the planning phases — that the plotters conduct their surveillance, though they even can use a surveillance team during the actual attack to signal that the target is approaching the attack zone.
The purpose of pre-operational surveillance is to determine the target's vulnerabilities. Surveillance helps to quantify the target, note possible weaknesses and even to begin to identify potential attack methods. When the target is a person, perhaps targeted for assassination or kidnapping, surveillants will look for patterns of behavior such as the time the target leaves for work, the transportation method and the route taken. They also will take note of the type of security, if any, the target uses. For fixed targets such as buildings, the surveillance will be used to determine physical security measures as well as patterns of behavior within the guard force, if guards are employed. For example, the plotters will look for fences, gates, locks and alarms, but also will look for times when fewer guards are present or when the guards are about to come on or off their shifts. All of this information will then be used to select the best time and location for the attack, the type of attack and the resources needed to execute it.
Since an important objective of pre-operational surveillance is establishing patterns, the operatives will conduct their surveillance several times, often at different times of the day. Additionally, they will follow a mobile target to different environments and in diverse locations. This is when it is important to know the first "secret" of CS: surveillants are vulnerable to detection. In fact, the more surveillance they conduct, the greater the chances are of them being observed. Once that happens, security personnel can be alerted and the entire plan compromised. Additionally, surveillants who themselves are being watched can unwittingly lead intelligence and law enforcement agencies to other members of their organization.
A large and professional surveillance team can use a variety of fixed and mobile assets, including electronic listening devices and operatives on foot, in vehicles and even in aircraft. Such a large team can be extremely difficult for anyone to spot. A massive surveillance operation, however, requires an organization with vast assets and a large number of well-trained operatives. This level of surveillance, therefore, is usually only found at the governmental level, as most militant organizations lack the assets and the number of trained personnel required to mount such an operation. Indeed, most criminal and militant surveillance is conducted by one person, or by a small group of operatives. This means they must place themselves in a position to see the target — and thus be seen — with far more frequency than would be required in a huge surveillance operation. And the more they show their faces, the more vulnerable they are to detection. This vulnerability is amplified if the operatives are not highly trained.
The al Qaeda manual "Military Studies in the Jihad against the Tyrants" and its online training magazines not only instruct operatives planning an attack to conduct surveillance, they also point out the type of information that should be gathered. These documents, however, do not teach jihadist operatives how to go about gathering the required information. In the United States, the Ruckus Society's Scouting Manual provides detailed instructions for conducting surveillance, or "scouting," as the society calls it, on "direct action" targets. Following written instructions, however, does not automatically translate into having skilled surveillance operatives on the street. This is because, while some basic skills and concepts can be learned by reading, applying that information to a real-world situation, particularly in a hostile environment, can be exceedingly difficult. This is especially true when the application requires subtle and complex skills that are difficult to master.
The behaviors necessary to master surveillance tradecraft are not intuitive, and in fact frequently run counter to human nature. Because of this, intelligence and security professionals who work surveillance operations receive in-depth training that includes many hours of heavily critiqued practical exercises, often followed by field training with experienced surveillance operatives.
Most militant groups do not provide this level of training, and as a result, poor tradecraft has long proven to be an Achilles' heel for militants, who typically use a small number of poorly trained operatives to conduct their surveillance operations.
What does "bad" surveillance look like? The U.S. government uses the acronym TEDD to illustrate the principles one can use to identify surveillance. So, a person who sees someone repeatedly over Time, in different Environments and over Distance, or one who displays poor Demeanor can assume he or she is under surveillance. Surveillants who exhibit poor demeanor, meaning they act unnaturally, can look blatantly suspicious, though they also can be lurkers — those who have no reason for being where they are or for doing what they are doing. Sometimes they exhibit almost imperceptible behaviors that the target senses more than observes. Other giveaways include moving when the target moves, communicating when the target moves, avoiding eye contact with the target, making sudden turns or stops, or even using hand signals to communicate with other members of a surveillance team.
The mistakes made while conducting surveillance can be quite easy to catch — as long as someone is looking for them. If no one is looking, however, hostile surveillance is remarkably easy. This is why militant groups have been able to get away with conducting surveillance for so long using bumbling operatives who practice poor tradecraft.
The Second Secret
At the most basic level, CS can be performed by a person who is aware of his or her surroundings and who is watching for people who violate the principles of TEDD. At a more advanced level, the single person can use surveillance detection routes (SDRs) to draw out surveillance. This leads to the second "secret": due to the nature of surveillance, those conducting it can be manipulated and forced to tip their hand.
It is far more difficult to surveil a mobile target than a stationary one, and an SDR is a tool that takes advantage of this difficulty and uses a carefully designed route to flush out surveillance. The SDR is intended to look innocuous from the outside, but is cleverly calculated to evoke certain behaviors from the surveillant.
When members of a highly trained surveillance team recognize that the person they are following is executing an SDR — and therefore is trying to manipulate them — they will frequently take countermeasures suitable to the situation and their mission. This can include dropping off the target and picking up surveillance another day, bypassing the channel, stair-step or other trap the target is using and picking him or her up at another location along their projected route. It can even include "bumper locking" the target or switching to a very overt mode of surveillance to let the target know that his SDR was detected — and not appreciated. Untrained surveillants who have never encountered an SDR, however, frequently can be sucked blindly into such traps.
Though intelligence officers performing an SDR need to look normal from the outside — in effect appear as if they are not running an SDR — people who are acting protectively on their own behalf have no need to be concerned about being perceived as being "provocative" in their surveillance detection efforts. They can use very aggressive elements of the SDR to rapidly determine whether the surveillance they suspect does in fact exist — and if it does, move rapidly to a pre-selected safe-haven.
At a more advanced level is the dedicated CS team, which can be deployed to determine whether a person or facility is under surveillance. This team can use mobile assets, fixed assets or a combination of both. The CS team is essentially tasked to watch for watchers. To do this, team members identify places — "perches" in surveillance jargon — that an operative would need to occupy in order to surveil a potential target. They then watch those perches for signs of hostile surveillance.
CS teams can manipulate surveillance by "heating up" particular perches with static guards or roving patrols, thus forcing the surveillants away from those areas and toward another perch or perches where the CS team can then focus its detection efforts. They also can use overt, uniformed police or guards to stop, question and identify any suspicious person they observe. This can be a particularly effective tactic, as it can cause militants to conclude that the facility they are monitoring is too difficult to attack. Even if the security forces never realized the person was actually conducting surveillance, such an encounter normally will lead the surveillant to assume that he or she has been identified and that the people who stopped him knew exactly what he was doing.
Confrontational techniques can stop a hostile operation dead in its tracks and cause the operatives to focus their hostile efforts elsewhere. These techniques include overt field interviews, overt photography of suspected hostiles, and the highly under-utilized Terry stop, in which a law enforcement officer in the United States can legally stop, interview and frisk a person for weapons if the officer has a reasonable suspicion that criminal activity is afoot, even if the officer's suspicions do not rise to the level of making an arrest.
Also, by denying surveillants perches that are close to the target's point of origin or destination (home or work, for example) a CS team can effectively push hostile surveillance farther and farther away. This injects a great deal ambiguity into the situation and complicates the hostile information-collection effort. For instance, if surveillants do not know what car the target drives, they can easily obtain that information by sitting outside of the person's home and watching what comes out of the garage or driveway. By contrast, surveillants forced to use a perch a mile down the road might have dozens of cars to choose from. CS teams also can conduct more sophisticated SDRs than the lone individual.
In addition, the CS team will keep detailed logs of the people and vehicles it encounters and will database this information along with photos of possible hostiles. This database allows the team to determine whether it has encountered the same person or vehicle repeatedly on different shifts or at different sites. This analytical component of the CS team is essential to the success of the team's efforts, especially when there are multiple shifts working the CS operation or multiple sites are being covered. People also have perishable memories, and databasing ensures that critical information is retained and readily retrievable. CS teams also can conduct more sophisticated SDRs than the lone individual.
Although professional CS teams normally operate in a low-key fashion in order to collect information without changing the behaviors of suspected hostiles, there are exceptions to this rule. When the team believes an attack is imminent or when the risk of allowing a hostile operation to continue undisturbed is unacceptable, for example, team members are likely to break cover and confront hostile surveillants. In cases like these, CS teams have the advantage of surprise. Indeed, materializing out of nowhere to confront the suspected surveillant can be more effective than the arrival of overt security assets.
Well-trained CS teams have an entire arsenal of tricks at their disposal to manipulate and expose hostile surveillance. In this way, they can proactively identify threats early on in the attack cycle — and possibly prevent attacks.