CHAPTER 9
THE KEY CHARACTERISTIC OF HOSTILE SURVEILLANCE detection is that it is proactive. Its goal is to determine if someone has placed your client under surveillance in order to make an attack. While other techniques emphasize rapid responses to a threat, a hostile surveillance detection team will identify groups or individuals who represent a future threat.
Their first step is to determine if hostile surveillance is being conducted and to identify the responsible entity. This is accomplished by understanding what needs to be detected about other actors. How do you distinguish a random person on the street from the criminal or terrorist planning on kidnapping your client? Success in this effort will be served as the surveillance detection team members select the appropriate locations to observe their environment.
There is a common assumption that you can pick out the threatening individuals by noting suspicious behavior on people who did not fit in with the environment. While these can be valid indicators they are associated with non-professionals rather than serious teams that represent a real threat to your protected target. What matters most is correlation to the target. If your protectee moves and an individual in the area moves at the same time, this demonstrates his relationship to your protectee. It is for this reason that surveillance training stresses that you should delay, rather than immediately follow, your target. Any form of observation or communication in conjunction with the target will demonstrate correlation. Your goal is to blur correlation because it can never be completely eliminated unless you completely lose your target. At a minimum, merely observing a target creates correlation, albeit a rather small one. If you get up and follow the target, that would be a more obvious correlation.
There are additional aspects of correlation. One is referred to as correlation over time. If the target is staying at a certain hotel for several days and the operative makes it a point to watch in the lobby each day, that is correlation over time. He doesn’t actually do anything; he is just making sure his target is still in a particular location. If his target is traveling to other cities and the operative goes to those cities to observe, that is correlation over time and distance.
A person conducting surveillance detection will need to see both the operative and the target at the same time to be certain if surveillance is taking place. A common vantage point for surveillance might be a bench in front of the building from which the target operates. Effective surveillance detection requires your presence not on that bench but at a vantage point from which the bench is observed. By observing an operative occupying the vantage point during times the target is active in or around the building, a surveillance detection team can make an accurate assessment of what is happening.
When dealing with professionals, surveillance indicators are usually very subtle. They may be actions which by themselves would have no significance. A member of a hostile surveillance team may use his cell phone to make a note, send a text, or even take a picture. Viewed in isolation, these are mundane acts. The surveillance detection operative can catalog these actions only if he is able to notice them and if he has the capability to note which individuals appear at the locations he is observing. This challenge can be met by, first, identifying the vantage points for each location and, second, by noting the individuals who occupy them. If any of those individuals appear more than once or twice, this will demonstrate that a correlation is taking place.
An individual who was assigned to the office of the defense attaché in the US Embassy in Prague during the Cold War spent his first free day in the city by taking a walking tour. During this time, he took many pictures. It was only later that he observed the same individual in three of those photographs. While his supervisor in the embassy warned him that he would be under surveillance, he gave little thought to this during his free time. In mentioning this later, he was informed that one appearance by the suspicious looking individual was chance, the second appearance was suspicious, and the third appearance constituted proof of surveillance by local security services. It is important to be aware of such activities but it is equally important not to imagine surveillance when none is present. The “rule of three” is generally accepted as a valid indication of the reality of surveillance.
As the hostile surveillance detection team makes these observations, they should ask what it is that the hostile team hopes to accomplish. An excellent examination of this issue was seen in 1978, when former Italian Prime Minister Aldo Moro was kidnapped. He was being driven to work in a two-car motorcade accompanied by five security guards. In planning for this attack, the terrorists conducted surveillance to identify the strengths and weakness of Moro’s security. This enabled the terrorists to evaluate the opportunities for kidnapping the former prime minister as well as the threats they would face.
A brief summary of items that the terrorists studied prior to the attack demonstrates how easy it is to acquire simple information that ensures a successful attack. In very general terms they studied Moro’s pattern of life. Because Moro’s protection team used the same route almost every day, it was possible for the hostile surveillance team to study not only the route but also convoy management. What they saw was that the drivers in this two-vehicle convoy drove too close to each other and tended to tailgate other vehicles as they drove to his office. They studied the location selected for the attack and learned how to blend in. It was a neighborhood in which many airline personnel resided, so four of the terrorists wore Alitalia uniforms as they stood on the roadside apparently waiting for a bus. When terrorists noticed that a flower vendor parked his truck in what was to be the attack site, they slashed his tires that morning so he could not be there and cause complications for their plan. Telephone lines were damaged to create difficulties for anyone phoning for help. Finally, they had escape vehicles in place so they could escape after the attack in which eighty or ninety rounds were fired into Moro’s convoy and all five of his security officers were killed. A total of eleven terrorists were involved in this short operation for which there had been months of planning by the hostile surveillance team. Their surveillance made it possible to spot the weaknesses in Moro’s security and to take advantage of those weaknesses.
An intelligence collection plan must have specific objectives about the types of information needed. The Moro surveillance team wanted to know about the security used by the former prime minister and if they were well trained. Did they vary their protective operations or always use the same plan? Another important factor was to study the types of vehicles used by the Moro security detail. An analysis of convoy security was essential in the effort to identify vulnerabilities. Finally, they watched the Moro household staff to determine if any of them could be enlisted to help.
The performance of the hostile surveillance group will be a function of their level of training. Terrorist training did not become well organized until the 1960s when the Soviet Union began to support groups that could further Soviet worldwide objectives. The European Marxist terrorist groups that were trained by the KGB and East German Stasi were capable of very professional surveillance tradecraft.
The best-known location for this training was the Patrice Lumumba University in Moscow. It was founded in February 1960 as the People’s Friendship University of Russia, and in February 1961 it was renamed in honor of Patrice Lumumba, an African leader recognized for his efforts to promote communism in Africa. Ostensibly organized to support international friendship, the university was known for recruiting and training terrorists throughout the Third World and training them in skills of espionage and terrorism. East Germany’s Stasi and the KGB worked together to provide money, training, and opportunities for members of terrorist groups to develop their skills. There were major training facilities in Dresden and Karl Marx Stadt in East Germany. Soviet training was a global operation and was supplemented by the services of the Romanian Securitate and Cuba’s General Intelligence Directorate.
The knowledge that group acquired was shared worldwide so by the time the Soviet Union collapsed, there were already training camps around the world. With the loss of Soviet support, such sophisticated surveillance became the exception, rather than the norm. As a result of this change, terrorist training was organized on the basis of regional, ethnic, and religious lines. Terrorist weapons became increasingly sophisticated and, as a result, the demand for extensive education became a factor in terrorist operations. Amateurs could not effectively use something like a mercury tilt fuse for a car bomb without specialized training.
Disparities in training and skill levels mean that many groups are not capable of conducting surveillance operations that will generate the needed intelligence. If a group is not assertive enough, they will fail to get important information. If it is too aggressive, it risks being detected. These limited factors can make it easier for a security team to identify hostile surveillance. However, the dedication of terrorist groups means that they can take all the time needed to slowly compile information about their target.
In the end, the skills and resources of the hostile surveillance group is balanced against the skills and resources of the anti-surveillance team. If there is a major disparity in their training, the best trained team is likely to win. The counter surveillance team must stress being covert so the hostile surveillance team does not realize it is present. If it has the skills to remain invisible, it will prevail.
Should the hostile surveillance team fail to observe the counter measures employed against it, they are more likely to make mistakes. On the other hand, if it is aware that it has been observed, its behavior may become erratic. In 2005, terrorists planning a raid on Nalchik in the Kabardino-Balkar Republic realized they had been compromised. Rather than back off, the group launched their attack prematurely and 142 people were killed. If Russian security forces had been sufficiently covert, they could have moved in such a way as to prevent such a devastating assault.
The extensive, well-organized training of security forces provides a degree of comfort. They, however, are held to a higher standard of training. A terrorist group may have two or three members that are skilled, but most of their members are not so well trained. Moreover, they can be selective about their targets and avoid those that are too well protected. The group that killed former Prime Minister Moro initially considered a different Italian politician, but backed off when their preliminary surveillance showed he was much better protected than Moro. Also, the less well-trained terrorist group has no concern about preventing collateral damage and often delights in greater carnage.
Each group will have a core of skilled people who take care of difficult tasks. The loss of these individuals can often destroy a group. This was the situation for the Provisional Irish Republican Army, which sent its less advanced members to do menial tasks such as placing a bomb at the target. This was a cause of problems when the bomb carriers accidently detonated the bombs prematurely. To alleviate this difficulty, the bomb makers began to install safety devices that had to be removed before the bomb would detonate. That, in turn, created another issue because nervous bomb carriers would forget to remove the safety device so the bomb would not detonate.