Surveillance Detection

A key skill for security and counter-terrorism professionals

History has taught us that certain kinds of activities can indicate terrorist plans are in the works, especially when they occur at or near high profile or sensitive sites, places where high profile individuals reside or work, or where large numbers of people gather like government buildings, military installations, bus or train stations or major public events.  The ability to detect hostile or suspicious activity early in the target selection and planning phase is the primary means of defeating a terrorist or criminal attack.  Thus, surveillance detection (SD) has become critical to successful intelligence collection, counter terrorism and security operations.

Terrorist attacks follow a distinct process referred to as the Terrorist Attack Cycle.  The terrorist attack cycle includes:  Target selection, planning, deployment, escape and exploitation.  Regardless of the type of attack whether it be terrorist such as a bombing or kidnapping or a criminal attack such as a theft there is almost always some amount of preoperational hostile surveillance conducted.  This hostile surveillance is intended to assess a potential target for value, security measures and vulnerabilities and it’s during this phase that terrorists and other attackers are vulnerable to detection.

In general terrorists have relatively poor surveillance skills or tradecraft.  It is this poor surveillance tradecraft that if recognized can provide individuals and organizations with the time needed to involve the proper authorities, avoid an immediate threat and help prevent an attack.

In Surveillance Detection (SD), the acronym T.E.D.D. is often used by the U.S. government to define the principles that can be used to identify surveillance conducted by hostile surveillance and counter intelligence agencies.  T.E.D.D. stands for Time, Environment, Distance and Demeanor.  In other words, if a person sees someone over time, in different environments and over distance or someone who displays poor surveillance tradecraft then that person can assume they are under surveillance.

Time, environment and distance are not applicable when a specific location or mode of public transportation is targeted or in cases of ambush attackers.  Therefore, when talking about hostile surveillance, demeanor is the most critical of the four elements.  Poor demeanor will often help the target or surveillance detection unit identify hostile surveillance.

Demeanor indicators include:  people wearing unsuitable clothing for the weather or environment, people with unusual bulges under their clothing, wires protruding from their clothing, people who are sweating profusely, mumbling to themselves or fidgeting, people who appear to be attempting to avoid security personnel or law enforcement and people who appear out of place.

When attempting to identify hostile surveillance, you must first identify suitable observation points (OP’s) that provide optimal views of critical locations that hostile surveillance would want to watch such as the entrance to the targets residence or office.  Close attention should be paid to vehicles and people that look out of place or are people exhibiting poor surveillance demeanor.

Surveillance detection personnel should conduct a pattern and route analysis to determine where along routes of travel that the target is most predictable and vulnerable.  Route analysis should include identification of choke points.  Choke points are a geographical feature such as a valley, bridge, round a bout or other area where the target must travel and where rapid forward motion and or escape is difficult.  If a choke point provides a position where attackers can freely wait for their targets and have access to a suitable escape route, the choke point becomes a potential attack site.  An ideal countermeasure would be to vary routes and times of travel to avoid exhibiting predictable behavior.

Hostile surveillance operatives will often change their appearance by changing clothes, using hats or wigs and other disguises.  Many times, they will change vehicle plates or even change vehicles.  For this reason, it is important to focus on an individuals facial features, build, mannerisms, gait and identifying marks such as scars and tattoos.  When it comes to vehicles, special attention should be paid to characteristics such as body damage, stickers and other unique characteristics.

There are primarily three types of surveillance related activities; they are surveillance (SV), surveillance detection (SD) and counter surveillance (CS).

Surveillance:  In this case hostile surveillance conducts purposeful observation of people, places and vehicles with the intent of collecting intelligence that can be used in the planning of a hostile action be it criminal or terrorist, against a specific target.  Surveillance can also be used to collect intelligence on a range of potential targets in order to eliminate target options and aid in target selection by identifying a target that satisfies the objective of the attacker.

Surveillance Detection:  Surveillance detection can be conducted by civilians, executives, security personnel, government agencies, law enforcement and the military.  Surveillance detection conducts purposeful observation of people, locations and vehicles with the specific intent of determining if surveillance is being conducted against a specific target.  The focus of surveillance detection is to distinguish types of suspect behavior and other indicators of possible surveillance and report any suspicious behavior or indicators.  The reports are then analyzed and directed to the proper authorities for an appropriate response.  Surveillance detection plans should include a strategy for recording and reporting observations, use of cover and will include a surveillance detection response during routine travel and around any facilities or locations that may be targeted.  Surveillance detection plans should be implemented discretely and abide by local laws and federal laws such as the Foreign Surveillance Intelligence Act (F.I.S.A.).  If hostile surveillance is detected, all relevant details should be reported to the appropriate authorities in a timely manner.  The response to discovery of hostile surveillance will depend on the situation and potential threat at the time of discovery.

Counter Surveillance:  Counter surveillance is often conducted by professionals who are trying to exploit and neutralize hostile surveillance.  Essentially, counter surveillance is an operational measure taken once hostile surveillance has been identified.  Counter surveillance then conducts surveillance of the hostile surveillance in order to gather intelligence that can be used to manipulate, exploit or apprehend the hostile surveillance.  Counter surveillance is normally conducted by intelligence agencies and the military but in today’s global environment more and more security contractors are becoming involved in counter surveillance operations.  Some sophisticated attackers may use counter surveillance as a countermeasure against surveillance detection to increase their operational security.

When conducting surveillance detection, it is important no to cross over into the role of counter surveillance as this can compromise any future counter surveillance operation conducted by the authorities and risks chasing the surveillance into hiding.

Surveillance detection works because it allows the hostile surveillance to feel confident operating in the open because they have no idea anyone is watching them.  If the intelligence collected by surveillance detection warrants further investigation, then the proper authorities can get involved and design a professional counter surveillance operation to exploit or capture the hostile surveillance.

By applying professional surveillance detection to security and counter terror operations we can effectively detect and prevent terrorist attacks in the planning phases, reduce the number of attacks and allow for safer operations in high risk environments.

By:  Jeff Burns