Recognising threat - the importance of pre-incident surveillance

The attacks in Paris on 13th November and London on 7/7 show the planning and preparation invested by terrorists and other groups in gathering information to assist with target selection and operational planning. Any thought that these events occur by chance or on a whim should be banished.

There is generally a set modus operandi employed in the planning and execution of an attack or serious crime, regardless of the target. These will differ group by group and, whilst some may be crude, the majority are professional in nature and military in their precision. A key element is acquiring as much information and intelligence as possible, through open and covert means. This process will entail thorough studies of the building, site, facility, area plans, maps, satellite imagery, websites… followed by surveillance on the ground. The attacks of March 11, 2004, when 10 bombs exploded on four packed commuter trains in Madrid in the morning rush hour, killing 191 people, were executed after approximately twelve months of planning, reconnaissance and surveillance.

The majority of competitive intelligence is legitimately available. Al Qaeda estimates this to be 80% of their specialised needs. The remaining 20% can be obtained from unsuspecting employees divulging valuable information off-site, or through ineffective security policies and procedures that allow information to be gathered covertly. The more information is denied through effective pre-employment screening and physical, electronic and information security policies and procedures, the greater the reliance on reconnaissance and surveillance.

Pre-incident surveillance is an essential prerequisite to any terrorist attack, kidnap, assassination or robbery. To maximise the likelihood of success, a target must be placed under surveillance to assess and evaluate security arrangements and identify vulnerabilities. As a result, the most common pre-incident indicator involves physical surveillance in and around a potential target, to assess and evaluate vulnerabilities to a given type of attack. The attacks of September 11th, 2001, in New York were conceived in the late 1990s and only executed after many dry runs or evaluation flights!

Firstly, an attacker will need to establish the most suitable location(s) and method which afford the best opportunity to gather intelligence. At times it may not be possible for a potential attacker to avoid being seen; however, not being noticed is vital. A variety of props and disguises may be used to help blend in and avoid attracting attention. To allow closer access to a target, terrorists have in the past commandeered or stolen official vehicles, uniforms and identities, or designed imitations, to facilitate targeting and attacks. This was illustrated in the December 2002 suicide attack on the Chechen Government Headquarters in Grozny, in which 83 people were killed and 200 injured.

Part of the intelligence gathering process may include bomb threats to gauge security reaction and overall response. Prior to the 1998 attack on the U.S. Embassy in Nairobi, which claimed the lives of 213 and injured 5,023, a series of bomb threats was received. Surveillance in this particular case commenced 5 years earlier.

Even if an insider were to provide some or all of the tactical intelligence, it would still necessitate some form of surveillance. This surveillance will validate the intelligence and allow the attack team to familiarise themselves with the target, which is paramount, particularly in cases involving kidnap, assassination or infrastructure critical point attack. Suicide attacks are no exception. Success is dependent on secrecy, essential to the planning and execution of the mission; thorough reconnaissance and surveillance, to select the appropriate target and identify weaknesses; and extensive rehearsals or “dry runs” to ensure stealth and speed. Suicide bombers do not wish to die in vain but to achieve their ultimate goal of inflicting maximum casualties, the product of good planning, preparation and reconnaissance.

We need to remember that the more sophisticated the terrorist or criminal becomes, the more preparation is required. This is the key to their success!

Pre-incident surveillance and targeting can be hampered by a number of measures, such as: good access control to sensitive or critical areas, frequent checks of specific points where terrorists or criminals may conduct surveillance, extensive use of CCTV, and not forming patterns in respect to high worth individuals or movement of high value goods. The best time to spot and thwart any attack or action is during the pre-incident surveillance and reconnaissance phase.

An effective means by which to counter the threat of pre-incident surveillance is to understand how it is conducted and how best to detect it. Security awareness is rarely enough to detect pre-incident surveillance if it is conducted with a level of professionalism.

Staff induction training should embrace pre-incident surveillance awareness training, to tap into this often under-utilised and underestimated technique, in an effort to detect hostile surveillance. Employees with responsibilities for security management, and individuals deemed to be in a higher risk group due to their position, status or frequency of overseas travel, should receive practical anti- and counter-surveillance training, to gain a greater understanding of how to detect hostile surveillance.

Anti- and counter-surveillance training offers an effective and cost-efficient means by which to counteract the threat of pre-incident surveillance.

A local threat database, ideally linked to a regional system, should form an integral part of the security programme, helping to transform valuable, but raw, information into useful intelligence in a timely manner. Creating a database allows for analysis and comparison with previously gathered data, almost instantaneously. Furthermore, it reduces the time it takes to identify suspicious patterns, thus affording more time to implement an effective response.

Pre-incident surveillance awareness and routinely employing anti- and counter-surveillance techniques will dramatically increase the likelihood of early detection and thus timely warning of a planned attack or action against an individual, site, residence, transport system… Recognising pre-incident surveillance buys time to review threat levels and security arrangements and allows countermeasures to be initiated to either eliminate the risk or reduce it to an acceptable level.

UPDATED Nov 2015 (Submitted article)

Continuity Forum Comment  

In the UK in particular there are some great resources available to organisations to help build capability to identify pre-surveillance activities. Most Police Forces across the UK have regular workshops and can advise directly. For more information please contact your local police station and ask for the Counter Terrorism Security Adviser (CTSA). In addition there are other resources available nationally, and the National Counter Terrorism Security Office and the Continuity Forum regularly run specialist workshops on a range of CT matters. If you would like to know more please contact us directly. If you see anything suspicious, though, always call 999 first!


The National Counter Terrorism Security Office coordinates the activities of local police force Counter Terrorism Security Advisers (CTSAs), who deliver guidance on designing out vehicle-borne terrorism and protecting a wide range of assets including, 'crowded places'