This is the second article in a three-part series about Circles of Security. If you want to read how Circles of Security apply to access control, please check out the first article in this series. But if you just want to read about incident response, feel free to jump right in, and read away.
March 4, 1996. A member of the Hamas terrorist organization detonates a powerful bomb he was carrying outside the Dizengoff mall in the heart of Tel Aviv, Israel. The bomb, which also contained nails for shrapnel effect, killed 13 people and wounded 130.
I remember this attack very well. I was a sergeant in the IDF at the time, and I can very clearly recall how horrific it was. The blast was so powerful, and the damage so severe, that some initial reports claimed it was a car-bomb. But I raise this case study not to focus attention on the response to a suicide bombing. That response is obviously very important, but counter-terrorism and investigations, which are mostly handled by law enforcement and government agencies, are not really my field of expertise. I raise it to draw attention to the hostile planning process, and to the incidents that led up to this attack – incidents that can be responded to by private sector security operators, and that if properly responded to, can help prevent an attack.
The point I want to focus on in this case study is that before it took place, the original plan of attack called for the bomb (contained in a backpack) to be left on a busy Tel Aviv street, and to be detonated remotely. Following their hostile planning process, the organization rehearsed this plan a number of times. Each of these rehearsals included a bag that was left on a busy Tel Aviv street, with an advanced surveillance operative covertly observing how people react to the unattended bag. In each case, the advanced surveillance operative noticed that the Israelis on the street were very aware of, and vigilant about, unattended items. People would stay away from the unattended bag and the police would be called to dispose of it soon thereafter. Realizing that this plan would not be an effective means of killing a large number of people, the organization decided to go back to their operational planning step, and change their plan. Rather than leave the bomb on the street, the bag containing the bomb would be carried and detonated by a suicide bomber.
This attack illustrates how the rehearsal step works, and how this step is tied to the advanced surveillance step. It shows the type of logical decision making that can flow out of rehearsals, and serves as a painful lesson on the importance of the Inner and Outer Circle relationship in incident response situations.
Security forces in Tel Aviv were already getting the idea that the suspicious bags were probably part of a rehearsal (because there were so many of them, and in some cases they even contained mock explosives). They knew enough to remain vigilant, but this vigilance only included the Inner Circle (the area where the suspicious bags were). It didn’t include looking at the Outer Circle, and trying to detect, expose and deter the advanced surveillance operatives that were out there. Had the advanced surveillance operatives been exposed, it might have deterred the terrorists from continuing to rehearse and analyze their original plan, and from successfully changing it to make it more effective and deadly.
The important lesson learned from this incident is that whatever happens in the Inner Circle (a suspicious bag, a disruptive person, a bomb threat, etc.) must obviously be handled, but as it’s being handled, you should never turn your back to the Outer Circle. The Inner Circle doesn’t exist in a vacuum – there’s always a larger Outer Circle that surrounds it. No matter how busy or distracted you get by handling what needs to be handled in the Inner Circle, never neglect the Outer Circle.
I’m in no way trying to criticize the responders to the incidents back in 1996. In many ways this is the case which first taught us about the Inner and Outer Circle relationship, and the brave men and women who responded to the hostile rehearsals did the best they could at the time. Hindsight is always 20/20, but let’s not dwell too much on the past. We should look back to learn from what happened, but then turn around, and apply some of our 20/20 vision to the future.
Anyone who’s been involved in, or even just witnessed, a full-on Explosive Ordnance Disposal (EOD) operation would know how fascinating and exciting it is to watch (albeit from a distance). Brave men and women in Advanced Bomb Suits, putting themselves in harm’s way, EOD robots being deployed, projected water disruptors blasting open suspicious items – exciting stuff. But unless you happen to be an EOD operator, you have nothing much to contribute to the Inner Circle after it’s been evacuated. Therefore, try to resist the urge to satisfy your curiosity, and shift at least some of your focus to the Outer Circle – looking for anyone who might be watching, filming or taking notes. Even if your incident response in the Inner Circle was perfect, meaning that an attack plan of the sort you just responded to would not work well, don’t let potential hostile planners calmly assess this, change their plans accordingly and come back next time with something you won’t be able to stop. Detect, expose and if possible, engage anyone out there – suspicious or not. Even if this won’t necessarily lead to an advanced surveillance operative being captured, you can at least cause them to abandon their plan or take it somewhere else.
Another possible scenario which private security operators should take into account is a hostile use of bomb threat phone calls, either for rehearsals or actual attacks. Depending on the situation and the emergency procedures, many organizations decide to evacuate immediately after a bomb threat is issued, and this raises the fear that an armed attacker, who might be waiting outside, would only use the call to flush their intended victims out to them.
With bomb threats, just like with suspicious packages, there’s no way to initially tell if the alarm is real or false, or if it’s an actual attack or a rehearsal. There isn’t even a reason to expect that you’ll necessarily find out if there was or wasn’t any advanced surveillance out there. This means that best hopes aside, you’ll have to consider the worst, and act accordingly.
If the occupants of an entire building are going to be exiting, there’s obviously going to be a need for the security operators on duty to assist with this process. But keep in mind that from a security perspective, an evacuation means that the number one asset of the organization (its people) is going to exit the building – all at once. This means that a crucial security function in an evacuation scenario must be an advance sweep of the building’s exterior (including the Outer Circle), in search of any suspicious item and/or person. Is there anyone or anything out there waiting for the people to come out? Is there anyone farther away (in the Outer Circle) observing this evacuation?
Keep in mind that whatever type of incident you might have on your hands, you have to quickly detect, expose and even engage people who might be out there. Time is of the essence, which means you probably won’t be able to be extra subtle or polite about it – not during an actual incident. Reserve your customer service skills for normal activities. You don’t need to lose your mind during an incident – in fact, it’s very important that you remain focused so you can prioritize and execute – but if this means you might also take a firmer tone with people, then so be it – I’ll apologize later, after the incident is resolved.
On a quiet Saturday morning a few years ago, I received a call about a suspicious backpack that was discovered outside one of our high-threat facilities in San Francisco. A brand new, full backpack had been discovered by our security officer on his morning security sweep, and after reporting it to the client, the decision had been made to call the police. By the time I arrived on the scene, SFPD had cordoned off a large radius around the backpack, and the EOD unit was getting ready to deploy. Not only was the Inner Circle being handled, SFPD had completely cleared it. Therefore, the first thing I did when I got there was walk around the entire police perimeter, and using my cellphone, I videoed all the people who were assembling around it to look at the incident. This wasn’t just for the sake of recording people’s images for a potential future investigation, it had an immediate deterrence goal, and I made sure all the people realized exactly what I was doing. The point of this was to send a strong message to a potential bomber or advanced surveillance operative (possibly observing a rehearsal) that they’ve been exposed. The backpack was discovered and safely disposed of, but I wanted to also make sure I sent a strong and direct message to any potential surveillants that might have been out there. If this was a rehearsal, I didn’t want advanced surveillance to safely observe what was going on, and possibly change their plan in order to come back next time with something we can’t stop. If you want to look at us during a serious incident, we’re going to seriously look back at you.
Was there a bomb in the backpack? No. And the two projected water disruptors that ripped that bag apart revealed that fact pretty well. Was it a dry run then? I don’t know, and despite my desire to know, not being a law enforcement or government investigator, there’s no reason to expect that I would necessarily find out. But that doesn’t mean I shouldn’t do my best to discourage a potential hostile entity from taking any follow-up steps.
This might sound odd or counterintuitive, but our lack of knowledge about all the specific details surrounding an incident doesn’t mean we can’t still prevent a future attack. Private security operators have to accept certain legal and operational limitations, but this doesn’t mean we can’t perform crucial Inner and Outer Circle security functions, and these functions become very apparent in situations of incident response.