Public safety personnel are often positioned to identify suspicious activity potentially related to terrorism, and in some cases, first responders who have reported this information have helped to disrupt terrorist plans or attacks in the US.
JCAT’S COUNTERTERRORISM GUIDE FOR PUBLIC SAFETY PERSONNEL is designed to assist first responders in:
- RECOGNIZING and REPORTING suspicious activity that may be linked to terrorism, consistent with the Nationwide Suspicious Activity Reporting (SAR) Initiative;
- SPOTTING indicators of mobilization to violence; and,
- RESPONDING to and MITIGATING terrorist attacks.
THE GUIDE IS DERIVED FROM EXISTING UNCLASSIFIED SOURCES.
COUNTERTERRORISM PARTNERS = ENHANCED INFORMATION SHARING
JOINT TERRORISM TASK FORCES (JTTFs) serve as the coordinated “action arms” for federal, state, and local government response to terrorism threats in specific US geographic regions. The FBI is the lead agency that oversees JTTFs. The benefits of a JTTF include:
- “One-stop shopping” for law enforcement information or investigation of suspected or real terrorist activities
- Use of a shared intelligence base
- Ability to prosecute cases in the jurisdiction that is most efficient and effective
- Task force member awareness of investigations within a jurisdiction and ability to assist in investigations in other jurisdictions
- Familiarity among agencies, investigators, and managers before a crisis occurs
The mission of a JTTF is to leverage the collective resources of the member agencies for the prevention, preemption, deterrence, and investigation of terrorist acts that affect US interests, to disrupt and prevent terrorist acts, and to apprehend individuals who may commit or plan to commit such acts. To further this mission, a JTTF serves as a means to facilitate information sharing among JTTF members.
FUSION CENTERS are defined as a collaborative effort of two or more agencies that provide resources, expertise, and information to the center with the goal of maximizing the ability to detect, prevent, investigate, and respond to criminal and terrorism activity (Fusion Center Guidelines, August 2006). The fusion centers are owned and operated by state and local governments with support from federal partners. Although fusion centers predate the 9/11 terrorist attacks, the concept gained momentum and was promoted by state and local law enforcement and homeland security officials during post-9/11 discussions as a more effective way to protect their communities.
TERRORIST ATTACK PLANNING CYCLE
Understanding the terrorist attack planning cycle can help first responders and public safety personnel recognize preoperational activities. Terrorists generally plan attacks in observable stages, although specific details, sequencing, and timing can vary greatly and change over time. Preattack surveillance, training, and rehearsals are the stages of the planning cycle that are often observable and can offer opportunities to identify plots and prevent attacks.
As the graphic of the terrorist attack planning cycle shows, attack stages are not linear. Stages include: broad target consideration, intelligence gathering and surveillance, training, attack rehearsal/dry runs, preattack surveillance, and specific target selection.
REPORTING SUSPICIOUS ACTIVITY
“WHETHER A PLAN FOR A TERRORIST ATTACK IS HOMEGROWN OR ORIGINATES OVERSEAS, IMPORTANT KNOWLEDGE THAT MAY FOREWARN OF A FUTURE ATTACK MAY BE DERIVED FROM INFORMATION GATHERED BY STATE, LOCAL, AND TRIBAL GOVERNMENT PERSONNEL IN THE COURSE OF ROUTINE LAW ENFORCEMENT AND OTHER ACTIVITIES.”
INDICATORS OF SUSPICIOUS ACTIVITY
ONE OR MORE OF THESE INDICATORS COULD SIGNAL SUSPICIOUS ACTIVITY, ALTHOUGH EACH SITUATION MUST BE INDEPENDENTLY EVALUATED. WHEN THE BEHAVIOR OR ACTIVITY INVOLVES BEHAVIORS THAT MAY BE LAWFUL OR IS CONSTITUTIONALLY PROTECTED ACTIVITY, THE INVESTIGATING LAW ENFORCEMENT AGENCY WILL CAREFULLY ASSESS THE INFORMATION AND GATHER AS MUCH INFORMATION AS POSSIBLE BEFORE TAKING ANY ACTION, INCLUDING DOCUMENTING AND VALIDATING THE INFORMATION AS TERRORISM-RELATED AND SHARING IT WITH OTHER LAW ENFORCEMENT AGENCIES.
POTENTIAL CRIMINAL OR NONCRIMINAL ACTIVITIES REQUIRING ADDITIONAL INFORMATION DURING INVESTIGATION
- ELICITING INFORMATION: Questioning individuals at a level beyond mere curiosity about particular facets of a facility’s or building’s purpose, operations, security procedures, etc., that would arouse suspicion in a reasonable person.
- TESTING OF SECURITY: Interactions with or challenges to installations, personnel, or systems that reveal physical, personnel, or cyber security capabilities.
- Unscheduled deliveries of materials or equipment.
- Unattended or unauthorized vessels or vehicles in unusual or restricted areas.
- Overt testing of security measures or emergency response.
- RECRUITING: Building operations teams and contacts, personnel data, banking data, or travel data.
- OBSERVATION/SURVEILLANCE: Demonstrating unusual attention to facilities, buildings, or infrastructure beyond mere casual or professional (e.g., engineers) interest such that a reasonable person would consider the activity suspicious. Examples include observation through binoculars, taking notes, or attempting to measure distances.
- PHOTOGRAPHY: Taking photos or videos of facilities, buildings, or infrastructure in a questionable manner that would arouse suspicion in a reasonable person. Examples include taking pictures or video of infrequently used access points, personnel performing security functions (patrols, badge/vehicle checking), or security-related equipment (perimeter fencing, security cameras), etc. All reporting should be done within the totality of the circumstances.
- MATERIALS ACQUISITION/STORAGE: Procurement of unusual quantities of possible IED materials, such as cellphones, pagers, fuel, or timers, and/or explosive precursors, such as fertilizers, fuels, or acids, such that a reasonable person would suspect possible criminal activity.
- Hidden, disguised, or unusual storage of:
» Laboratory equipment—Bunsen burners, lab stands, and scientific glassware.
» Personal protective equipment—masks, goggles, and gloves.
» Household items—strainers, coffee grinders, and filters.
» Common household chemicals—acetone, peroxide, and sulphuric acid (e.g. drain cleaner).
- Attempted purchase of controlled materials without proper credentials.
- Attempted purchase of controlled or hazardous materials in bulk quantities.
- Presence of potential precursors for chemical or biological agent production.
- Individual has little knowledge of intended purchase items.
- Possession of instructions to create potentially harmful devices, chemicals, or agents.
ACQUISITION OF EXPERTISE OR CAPABILITY: Attempts to obtain or conduct training in security concepts (military weapons or tactics) or other unusual capabilities that would arouse suspicion in a reasonable person.
- Interest in using or modifying technology for uses outside of intended purpose.
WEAPONS DISCOVERY: Discovery of unusual amounts of weapons or explosives that would arouse suspicion in a reasonable person.
- Discovery of homemade explosive precursors, such as fertilizers, strong acids, peroxides, and solvents.
- Discovery of chemical or biological precursors, such as anhydrous ammonia, sulfur, castor beans, acetone, and Epsom salt.
- Items found onsite that do not belong or otherwise seem out of place.
- Burn marks or discoloration on walls, doors, ground, and/or floor; presence of unusual odors or liquids.
- Unusual or unpleasant odors, chemical fires, brightly colored stains, or corroded or rusted metal fixtures in otherwise dry and weather-protected environments.
- Chemical burns on hands or body, chemical bleaching of skin or hair.
- Injuries or illness inconsistent with explanation.
SECTOR-SPECIFIC INCIDENT: Actions associated with a characteristic of unique concern to specific sectors (such as the public health sector) with regard to their personnel, facilities, systems, or functions.
BREACH/ATTEMPTED INTRUSION: Unauthorized personnel attempting to enter or actually entering a restricted area or protected site.
- Impersonation of authorized personnel (e.g., police/security, janitor and service repair companies).
- Access badge sharing and “piggy backing” at security gates and doors.
- Seeking additional access to or encountered within restricted or controlled areas.
- Attempting to acquire official vehicles, uniforms, identification, and access cards.
MISREPRESENTATION: Presenting false or misusing insignia, documents, and/or identification to misrepresent one’s affiliation to cover possible illicit activity.
- Refusal to provide all required information when completing paperwork.
- Forged or altered identification.
- Use of fraudulent documents (often referred to as “breeder” documents), which may be used to obtain official documents, including birth/death certificates, driver’s licenses, and passports.
THEFT/LOSS/DIVERSION: Stealing or diverting something associated with a facility/infrastructure (e.g., badges, uniforms, identification, emergency vehicles, technology, or documents [classified or unclassified]) that is proprietary to the facility.
- Hazardous materials or controlled substances.
SABOTAGE/TAMPERING/VANDALISM: Damaging, manipulating, or defacing part of a facility/infrastructure or protected site.
CYBER ATTACK: Compromising or attempting to compromise or disrupt an organization’s information technology infrastructure.
EXPRESSED OR IMPLIED THREAT: Communicating a spoken or written threat to damage or compromise a facility/infrastructure.
- Against the US or individuals.
AVIATION ACTIVITY: Operation of an aircraft in a manner that reasonably may be interpreted as suspicious or posing a threat to people or property. This activity may or may not be in violation of Federal Aviation Regulations.
PRECURSORS OF VIOLENT EXTREMISM
AT THE STATE AND LOCAL LEVEL, THE IMPORTANCE OF A WHOLE-OF-GOVERNMENT APPROACH TO STEMMING HOMEGROWN VIOLENT EXTREMISM INCLUDES THE LOCAL COMMUNITY AND ITS FIRST RESPONDERS.
Communities are an integral part of the effort to prevent violent extremism and can assist law enforcement in identifying at-risk individuals. Awareness and vigilance are crucial to identify behaviors that can lead to a violent act. Several behaviors, when taken in context, can indicate radicalized individuals are mobilizing—preparing to engage in violence to advance their cause. These behaviors include seeking out training, building capability, and other preparatory behaviors. The below factors drive the mobilization process and may interact to mobilize individuals toward violence. A lack of access to some or all of these factors may cause some individuals to back away from violence or result in individuals changing their plans.
READINESS TO ACT: Individual motivation and intent that keeps the person engaged and moving toward his or her intended goal. Readiness to act can vary across time and be influenced by multiple factors—including personal will and competence, experiences while in training, and motivation gained or lost as a result of established relationships.
OPPORTUNITY: Access to training and resources that provide individuals or groups the chance to take action. This can range from target practice at a local firing range to explosives training with terrorists overseas. Opportunity can also include having available time to engage in violent activities.
CAPABILITY: Training that has prepared an individual to follow through on his or her intentions. The individual’s capability also includes his or her educational training and skill set acquired through life experiences.
TARGETS: Locations that the individual is familiar with because of where he or she lives or works or is interested in because of what they represent, such as supposed economic, political, or military dominance by the West.
- FBI and DHS both maintain web portals which contain Countering Violent Extremism (CVE) training resources, hundreds of the most current CVE training materials, case studies, analytical products, and other resources, including preincident indicators.
For additional information, please visit DHS.GOV (http://www.dhs.gov/topic/countering-violent-extremism), or the FBI-Countering Violent Extremism Office (FBI-CVEO) special interest group on FBI’s Law Enforcement Enterprise Portal (http://www.leo.gov), which house intelligence products, behavioral indicators, academic studies, and behavioral models to aid the understanding of violent extremism.
TERRORIST TACTICS, TECHNIQUES, AND PROCEDURES (TTPS)
THE FOLLOWING LIST, WHILE NOT COMPREHENSIVE, PROVIDES AWARENESS OF SELECT TTPS THAT FIRST RESPONDERS MAY ENCOUNTER AS A PRETEXT TO, IN ADVANCE OF, OR DURING CALLS FOR SERVICE.
USE OF SECONDARY EXPLOSIVE DEVICES TO TARGET FIRST RESPONDERS AND ONLOOKERS:
SECONDARY EXPLOSIVE DEVICE ATTACK TACTICS:
- After an initial attack, terrorists may try to target first responders and onlookers by detonating a second explosive device in or around the anticipated safe area or evacuation locations.
- Terrorists can conduct secondary attacks by infiltrating suicide bombers into crowds of bystanders or by detonating preset bombs remotely through the use of timers, remote triggers, or motion sensors.
- These explosive devices may be concealed in innocuous items of various sizes, such as vehicles, backpacks, garbage cans, mail boxes, and planters.
CONSIDERATIONS FOR THE IDENTIFICATION OF THREATS, EVACUATION OF HAZARDOUS AREAS, AND NOTIFICATION OF THE BOMB SQUAD:
- Secondary devices may be found in any configuration, not limited to the primary attack method.
- Maintain awareness of possible remote initiation or backup timer on any improvised explosive device.
TERRORIST IMPERSONATION OF FIRST RESPONDERS: Use of commandeered or fake Emergency Services Sector (ESS) items could:
- Be used to gain access to secure sites.
- Be used to conduct a secondary attack.
- Create more victims, including first responders already on scene.
- Potentially affect response times and delay genuine emergency responders.
- Allow access for individuals to conduct surveillance or collect information.
SWATTING: Making a hoax 9-1-1 call to draw a response from first responders. Swatting includes spoofing or masking Caller ID information, which is legal, simple to use, and used by many businesses. There are no means available to quickly, accurately, and inexpensively identify swatting calls, so there is little choice but to dispatch resources.
DIVERSION: Tactic used to draw first responders away from the intended primary target of an attack and may be used as part of a complex or multipronged attack:
POSSIBLE INDICATORS OF DIVERSION TACTICS:
- Similar responses or suspicious activities (e.g., hoax devices or bomb threats) in multiple locations throughout the jurisdiction that disperse assets.
- Multiple responses requiring specialized or technical equipment that reduces resources.
- A significant incident or several minor incidents that require a commitment of resources to investigate or mitigate.
- Unusually high number of calls for service or incidence of activities inconsistent with typical patterns within the area of responsibility.
BEST PRACTICES IN PROTECTING FROM DIVERSIONS:
- Establish dispatch policies designed to hold resources in reserve (tiered responses).
- Provide situational updates to first responders to enhance safety.
- Ensure regular notifications to interagency partners and neighboring jurisdictions to provide shared operational picture of possible diversionary attacks.
- Plan and train for identified vulnerabilities.
USE OF STOLEN, CLONED, OR REPURPOSED VEHICLES: Cloned vehicles have been modified to resemble an authentic vehicle, and repurposed vehicles are authentic vehicles that are no longer in official service. These vehicles are typically decommissioned by departments and are publicly available for purchase at auctions or on the Internet:
- The driver or vehicle destination and origin are inconsistent with the company or service being represented.
- The driver is not knowledgeable about the company or its service.
- The driver has no uniform or has one that is inconsistent with the vehicle’s advertised business.
- Vehicle registration and insurance are in an individual’s name instead of the company’s.
- Vehicle make, model, and year may not match company’s current fleet.
- Multiple or conflicting corporate names and logos appear on the same vehicle.
- Visible identifiers, such as phone numbers, license plates, or call numbers, are inconsistent with the vehicle’s operating area or mission.
- The time of day or location of the vehicle is inconsistent with its purpose.
- The vehicle appears to be heavily loaded, possibly beyond capacity.
MEDICAL DISCOVERY OF TERRORIST ACTIVITY AT THE SCENE OF A REQUEST FOR SERVICE: First responder scene size-up, when combined with the totality of information received from victims, witnesses, and bystanders, offers the chance to assess whether an incident is potentially related to terrorism. First responders should remain open-minded while performing medical and trauma assessments. Hastily or expediently treated injuries may be an indicator of suspicious activity, as those injured may not seek immediate medical care or may use efforts to obscure the true nature of the injury.
Trauma assessments: Explosions can result in unique injury patterns involving penetrating wounds, blunt trauma, amputations/avulsions and burns, as well as the possibility of “blast-lung.” Chemical burns from contact will vary depending on the chemical type and length of exposure, while inhalation and ingestion may present a rapid onset of signs and symptoms.
Medical assessments: Small-scale or rudimentary production of biological warfare agents may result in inadvertent human exposures, particularly among poorly trained or novice scientists working with homemade laboratory equipment. Sudden onset of symptoms may assist in determining exposure to chemical or biological agents. Multiple patients with similar chemical/biological exposure symptoms at any incident may be an indicator of suspicious activity. Unexpected infections with nonendemic agents without verifiable travel exposure, or unusual clusters of cases, should prompt further investigation.
POSTBLAST BUILDING ASSESSMENT
During a postblast building assessment, consider looking for the following:
- Collapse, partial collapse, or building off foundation
- Building/story noticeably leaning
- Severe cracking of walls, obvious severe damage and distress
- Ceilings, light fixtures, or other nonstructural hazards
- HazMat spills
- Stress fracture
- Bulging walls
- Sagging ceilings
- Other hazard present
WARNING: Do not enter any building structure unless fully trained and equipped for postblast hazards.