By Matthew Miller, Caleb Campbell, and Leslie Gardner, San Diego Law Enforcement Coordination Center, San Diego, California
Major incidents are events that have an extreme impact on an organization. They play an important role in determining how effectively law enforcement agencies operate, and preparation for such events has a significant role in reducing the risk to society and restoring the public’s confidence in law enforcement.
Law enforcement will increasingly find themselves in situations of surprise, responding to events that have many layers of complexity, and working with paradoxes where regular planning and training mechanisms might lead to a “stove-piped” response. Police organizations are operating in a highly dynamic environment that is precipitously changing and branded by uncertainty. Decision making in this uncertain environment requires creative tactics and creative thinking.
With this in mind, Police Chief presents two different approaches to major incidents by authors who have studied and/or implemented solutions to major incidents. The following article discusses the use of Red Teaming as a strategy when planning for major incidents.
The San Diego Law Enforcement Coordination Center (SD-LECC) is a Department of Homeland Security–recognized fusion center and a member of the California State Threat Assessment System (STAS). It comprises numerous agencies that collaborate to provide resources, expertise, and information to local, state, and federal partners. The SD-LECC offers a variety of services, including analysis and generation of intelligence products and intelligence briefings, investigative case support, and de-confliction for law enforcement operations. This article discusses the process of developing Red Team tabletop exercises for the center and how the process and results benefited both the fusion center and participants, while also improving awareness of potential threats among public safety and security personnel throughout the region.
Evaluating the Benefits of Red Teaming
The SD-LECC continuously evaluates new and innovative ways to address homeland security issues. Within this process, the center determined there would be value in using Red Team techniques. “[R]ed [T]eaming involves thinking or acting like a terrorist in an effort, for example, to identify security weaknesses and potential targets. Red Teaming can be used in either analytical exercises or field-level exercises.”1 The old adage of “training for the last war” can easily be applied to the realm of homeland security. Underestimating one group’s capabilities and overemphasizing a different group’s threat due to historical precedents leads to a reactive rather than proactive posture. As a result, historical failures to identify threats within the proper context have led to successful and unexpected attacks. Red Teaming challenges preconceived ideas resulting from solely evaluating historical precedents and allows for the development of new, proactive ways to consider issues or threats.
The Red Team concept has allowed the SD-LECC to use an old technique and apply it in a new way in a regional homeland security environment through a series of tabletop exercises. When the SD-LECC planning team began looking at Red Team techniques, the team was unsure as to which of the numerous definitions of Red Team would meet its needs. The center’s goal was to develop a means to challenge assumptions and to discover potential regional indicators, warnings, and targets in a non-traditional manner. The center was not looking to infiltrate the regional critical infrastructure sites, nor did it want a force-on-force tabletop war-game. Rather, the center wanted to gather street-level insights and experience related to threats and compare them with the list of indicators and warnings drafted in think tank–style intelligence centers far from the local jurisdiction.
If a terrorist incident occurs or is interdicted, officials spend months trying to identify methods to stop that type of attack in the future, which is a reactive response. The SD-LECC wanted to look for proactive analyses of indicators and warnings. It was in this search for alternative analyses that the idea of a Red Team tabletop exercise emerged. Red Team exercises provide numerous benefits for fusion centers and partner agencies by providing participants with opportunities to take on the ideology of threat actors to evaluate reasoning and logistics behind plots and attacks. This type of threat emulation promotes a type of asymmetric thinking not required in routine daily work.
More important, a series of Red Team tabletop exercises provides benefits to the fusion center, thereby assisting the fusion center’s entire area of responsibility. The participants playing the roles of threat actors can provide a large collection of tactics, techniques, and procedures that are recorded during the exercise. The opportunity to interview a terrorist prior to an attack at a regional, fusion center level is not possible. However, in the case of a homegrown violent extremist (HVE) for example, local Terrorism Liaison Officers (TLOs) and Infrastructure Liaison Officers (ILOs) possess a similar knowledge base. HVEs, by definition, are not foreign-trained professional terrorists. HVEs, such as the Boston Bombers, had local knowledge and access to Internet resources such as the jihadist periodical Inspire. Although they are on the opposite end of the spectrum, TLOs and ILOs look at these same resources in their roles as law enforcement and security management personnel. The same assumption applies to other domestic actors, such as a “lone wolf” or cyber threat groups. Red Team exercises can provide the SD-LECC Strategic Intelligence and Critical Infrastructure planning team with data to compare against any current regional assumptions.
For example, a threat assessment sent to the fusion center from a federal partner may describe the threat posed by the Animal Liberation Front (ALF) to biotech companies with a standard list of indicators and warnings applicable to anywhere in the United States. Through the course of a Red Team exercise involving an ALF domestic terrorist attack, patrol officers would use their knowledge to provide information specific to the fusion center’s area of responsibility. The fusion center would then be able to identify potential local targets, tactics, and attack methods that were previously unknown to the fusion center staff. Conversely, it is possible that the Red Team exercise would show that there are no likely ALF targets in the region.
Arguably, the most valuable benefit of a fusion center’s Red Team exercise is the post-analysis back brief. This provides the lessons learned and analysis to local public safety officials and their respective executive leadership. The lessons learned, provided in the form of an intelligence briefing, enable those who did not participate in the exercise to access the knowledge gained from the post-exercise analysis. Additionally, an executive-level briefing explaining the concept of the Red Team and the corresponding region-specific lessons learned enables law enforcement leadership to possess a greater understanding of potential threats in the region so that they can better task scarce resources to more viable threats in their area of responsibility.
Development of the SD-LECC’s First Red Team Exercise
With the vast benefits of using Red Team techniques in a fusion center setting apparent, the SD-LECC planning team’s next step was to develop the plans for a Red Team exercise. The exercise needed to begin with a presentation introducing Red Team techniques and a general overview of the threat actor or actors’ attack processes and culminate in a Red Team tabletop exercise. The SD-LECC’s existing programs enabled the exercise to succeed through the collaborative effort between the TLO program, the ILO program, and the Strategic Intelligence Team.
The SD-LECC TLO program provides basic terrorism-related awareness training to law enforcement officers, firefighters, state investigators, federal agents, military investigative or security services, or anyone working closely with the public safety and homeland security community. The SD-LECC ILO program provides similar training to critical infrastructure operators in the region. The TLOs and ILOs, although not experts in terrorism, attend meetings and receive terrorism awareness training. TLOs and ILOs also educate others within their agencies or corporations, thereby enhancing situational awareness, early warning, and operational preparedness. The planning team decided that the TLOs and ILOs would act as the threat actors for the Red Team exercise.
The SD-LECC Strategic Intelligence Team regularly generates intelligence products, provides briefings on current threats and trends, and serves as a contact to coordinate the flow of information within the San Diego region and throughout the nation. This team would develop and conduct the exercise, including serving as facilitators. They would then evaluate and present the results after the exercise.
Designing the Red Team Exercise
For the development of the exercise, the planning team needed to contemplate what threats to emulate for this new type of exercise. For the first SD-LECC Red Team exercise in 2012, the planning team decided to address the lone wolf threat.
A number of factors went into identifying the “lone wolf” as the threat for the first Red Team exercise. The lone wolf has been a difficult type of attack to identify or interdict. A true lone wolf will not produce as many indicators or warnings as an organized team of terrorists attempting to coordinate logistics and conduct an attack. Many reports regarding lone wolf activities or events contain long lists of potential indicators, many of which include common activities or activities that would be difficult to view. The SD-LECC’s goal was to identify potential indicators and targets specific to the San Diego region.
After deciding to choose the lone wolf as the threat type for the exercise, the planning team had to determine the scope for this type of alternative analysis method. A look at historical attacks and continuing discussions within the SD-LECC Strategic Intelligence Team led to advocates for multiple ideological perspectives from which a “lone wolf” can emerge. With the term lone wolf potentially encompassing any extremist ideology, it needed to be divided into different categories. As a result, the planning team determined that the exercise would include three different lone wolf ideologies:
Single-Issue Extremist: The single-issue extremist has a very strong belief about one issue that pushes him or her to act violently against any individuals or groups with opposing viewpoints. Extremists in this category could include animal rights extremists, environmental rights extremists, and abortion rights extremists. A San Diego example of this type of extremism is the 206-unit condominium complex that burned in 2003. The Environmental Liberation Front (ELF) claimed responsibility for the $50 million fire with a 12-foot banner at the site that read “If you build it—we will burn it.”2
Anti-Government Extremist: There are a range of anti-government extremists, from those who believe in the absolute illegitimacy or lack of necessity of the government to those who are vehemently opposed to a particular politician or political party. A significant recent example of this type of extremist was the car bomb and shooting spree of Anders Behring Breivik in Norway. In 2011, this lone wolf was responsible for twin attacks that resulted in the deaths of 77 individuals.3
Islamic Extremist: This individual, possibly a convert, is self-radicalized through Internet postings and online publications from groups like al Qaeda and al Qaeda associates. The most dramatic example of a self-radicalized Islamic extremist is Major Nidal Hasan, a gunman who killed 13 U.S. soldiers and wounded 30 others at Fort Hood, Texas, in 2009.4
The planning team also needed to determine the size and setup of the exercise. Considering the size of the facility and the feasibility of managing a large group of people, the planning team determined that the best layout would include six teams, each containing seven to eight TLOs or ILOs and an analyst planning team member acting as a facilitator. Two groups acted as single-issue extremists, two groups as anti-government extremists, and the final two groups as Islamic extremists. This enabled different groups to determine target selection, logistics, and attacks with different ideological perspectives.
The exercise was broken into sections according to the attack cycle and logistics of preparation. These sections included determining whether to include any other people in the plot, how they would finance their operations, from where necessary materials would be obtained, transportation to and from the attack site, ways to evade law enforcement, and what local targets the participants would choose to attack. Throughout the exercise, a PowerPoint presentation featured questions to guide the conversation at each table, and the facilitators encouraged TLOs and ILOs to continue thinking within their ideology, using their knowledge from jobs as public safety officials and security managers to find ways to fulfill logistical needs and commit an attack. Each section had a set time limit to ensure that the conversations stayed on track and the exercise was completed in a timely manner. As with all exercises, the event ended with a brief after-action discussion between the participants and facilitators.
The success and positive feedback from the Lone Wolf Red Team Exercise led to the development of a second Red Team exercise focused on threats to mass transit. Both of these Red Team exercises increased situational awareness among participants. The back briefs that followed provided public safety personnel, security managers, and agency executives with a better understanding of potential threats to the region. The entire process enlightened the fusion center to many different perspectives that might not otherwise have been obtained.
The Future of Red Teaming at the SD-LECC
Red Team exercises greatly benefit the individuals and organizations involved. The participants benefit from spending a day thinking about a problem from threat actors’ perspectives, which provides them with some insights that can help in their day-to-day work. For the fusion center, the collected discussion points provided an entirely new data set for analysis and comparison with the homeland security community’s previously held assumptions about trends, tactics, and targets. All of this is done with a local perspective and provides a broader overview of potential attack ideas that can serve as localized indicators and warnings. Both the lone wolf and mass transit Red Team exercises have been successful for the participants, the analytic staff, and the recipients of the after-action intelligence briefings. As a result, the series of Red Team exercises at the SD-LECC continues with a cyber Red Team in late 2013.
1. Michael K. Meehan, “Red Teaming for Law Enforcement,” The Police Chief 74, no. 2 (February 2007): 22–28.
2. Pauline Repard, “Militants Say They Set $50 Million Condo Blaze: Earth Liberation Front Posts Claim on Web Site,” The San Diego Union-Tribune, September 9, 2003, http://legacy.utsandiego.com/news/metro/20030909-9999_1m9elf.html (accessed November 2012).
3. Mark Lewis and Sarah Lyall, “Norway Mass Killer Gets the Maximum: 21 Years,” New York Times, August 24, 2012, http://www.nytimes.com/2012/08/25/world/europe/anders-behring-breivik-murder-trial.html (accessed October 31, 2013).
4. Billy Kenber, “Nidal Hasan Sentenced to Death for Fort Hood Shooting Rampage,” Washington Post, August 28, 2013, http://articles.washingtonpost.com/2013-08-28/world/41525767_1_nidal-hasan-death-sentence-2009-shooting-rampage (accessed October 31, 2013).
Leslie Gardner, Director, San Diego Law Enforcement Coordination Center
Please cite as:
Matthew Miller, “Red Teaming for Fusion Centers,” The Police Chief 80 (December 2013): 70–72.