William H. Adcox, Chief of Police, and Thomas E. Engells, Assistant Chief of Police, The University of Texas at Houston Police Department, Houston, Texas
Critical infrastructure protection is a key element of homeland security. The breadth of critical infrastructure includes key assets and facilities as diverse as hydroelectric dams, petrochemical refineries, national banks, and computer servers. Compounding the security challenge inherent in protecting such a diverse environment is the fact that the vast majority of infrastructure assets are privately owned.
Although progress has been made in both hardening targets and planning the response to a terrorist attack on infrastructure assets, much work is still left to be done. The recently published National Response Plan¹ does provide structure and guidance to those planning emergency response, but it is just a starting point in facility security. The reality is that in most cities private security leaders, facility managers, and law enforcement have not formed a mutually supportive relationship. Absent such a relationship, there is a seam in local emergency plans that can be exploited.
Police organizations in the United States are at a strategic crossroads, for the homeland security decisions made now will mold the next generation of public policing. Although the United States is currently at war against terrorism, this is a new form of war that defies effective comparison with any previous national experiences. Evidence that this new war may reach local communities is exemplified by the arrest of six men charged by the FBI for plotting a terrorist attack on Fort Dix, New Jersey. Mohamad Shnewer, one of the accused plotters, stated their intent was “to hit a heavy concentration of soldiers. . . . You hit four, five, or six Humvees and light the whole place [up] and retreat completely without any losses.”² Police executives are counseled, both formally and informally, to take a more active role in the homeland security effort. These proposed roles range from standardized threat/risk/vulnerability assessments in the local community to proactive participation in joint terrorism task forces.
Regardless of the status of the protective service responsible for the security of the infrastructure asset—public police, private security, or a combination of the two—the traditional reflexive solution of more “guns, gates, and guards” may no longer address the problem of effective facility security. There is a demand, both from within protective services as well as from the public at large, for quality control in the provision of security at these critical infrastructure assets and facilities.
Though considered a given in most discussions on homeland security, it is worthy of restatement: effective homeland security requires an active and dedicated partnership among several groups working toward a common goal. In the case of infrastructure security, the necessary partners include facility management; the staff at the facility itself; facility security staff; and local first responders from law enforcement, emergency medical services, and fire departments. Acceptable infrastructure security cannot be achieved without the active participation of all the partners. In a sense, it is classical crime prevention found in a different setting. And just as in successful crime prevention efforts, this partnership will require continuous maintenance.
Quality control (QC) is a favored practice in managerial control in industrial settings, for it has produced tangible, beneficial results for decades. QC has had considerable success in both heavy industry and manufacturing, but its historical lineage can be traced directly back to the quality measures implemented by the various craft guilds in the Middle Ages. Walter Shewhart effectively championed the application of advanced statistical QC methods at Bell Laboratories in the 1920s,³ and its popularity is based upon modern developments in sampling theory, which have enabled the link between industrial performance and statistical methods.
Yet the enduring value of the QC practices advocated by Shewhart and others goes far beyond innovative data presentation formats and techniques. The actual benefit of successful quality control efforts within policing is in evidence-based policing. One of the earliest advocates of evidence-based policing, Lawrence Sherman, argued that it is time for police to subject their practices to scientific review. He remarked, “Police practices should be based on scientific evidence of what works best.”⁴ The application of a carefully designed after-action review would produce a practical assessment of what actually works and what does not. Such assessment reports could also directly contribute to the growing body of homeland security knowledge, for example the Lessons Learned in Homeland Security series. Assessments could include descriptions of what works best under certain situations with certain threat profiles and the specific tools and techniques employed within an integrated security system.
Advanced QC practices should also contribute to actual organizational learning. In a recent article, enhancing future performance was found to be a more important purpose for after-action reviews than simply attributing past errors.⁵
The Red Team Concept
As any system evolves in complexity, the total number of points of weakness within that system multiplies. As electronic security systems now dominate many facility security efforts, the opportunities to successfully breach those security efforts have grown. Although it can be difficult to quantify physical security methods and practices, it is not impossible. Testing security with a red team is one method of organizational learning that can be monitored and controlled to the benefit of both infrastructure facilities and law enforcement agencies.⁶ The purpose of red team exercises has been defined as “to validate perceived vulnerabilities or weaknesses in the overall security of an installation or facility. In addition, it is designed to test security operations, tactics, equipment, and procedures to see if they are able to mitigate actual or perceived threats.”⁷
Red teams have been used for several years in both information systems and sensitive physical security environments. However, the red team concept can be traced to the military, which has for several decades tested military theory and operational proficiency by fielding red and blue teams.⁸ Within a military setting, these exercises can test both the practicality of plans as well as the abilities of field commanders and their subordinate leaders at all levels to successfully overcome chaos. The work of the Army’s Opposing Force (OpFor) at the National Training Center highlights the value of this training method. The OpFor is a small group that has had a remarkable record of operational success against regular Army units of significantly larger size in tactical exercises at the training center. The group’s ongoing success can be attributed to the frequent use of after-action reviews and a commitment to effective group learning methods.
The red team has historically assumed the role of the threat or enemy forces in such exercises. For law enforcement and security purposes, such teams could be composed of internal resources (police officers), external resources (other criminal justice practitioners, military specialists, or contracted specialists), or both. These teams can assess, probe, and attempt to breach the facility security (i.e., the physical and/or electronic security systems) of infrastructure assets. The red team probes and tests the underlying assumptions on which facility security practices are based. Unexpected and asymmetrical attacks on infrastructure highlight both the strengths and the weaknesses of a given facility’s security and, just as important, increase the readiness levels of on-site security efforts to the benefit of the community as a whole. Because the public and the media view physical security as an increasingly important aspect of homeland security, agencies should anticipate outside interest in QC measures.
A major university-based police department opted to explore this red team concept as a QC measure in mid-2005. Balancing the importance of safety against the need for operational security, the department formed a small, select team. This was but one of several responses undertaken to bolster facility security in the post–September 11 era.
A patrol sergeant (the team leader) was selected based upon his operational experience and proven tactical judgment. He was briefed on the conceptual foundations of the red team and was provided with unclassified background materials. He was provided with specific guidance (in the form of operational parameters) on the range of permissible tactics in the planned probes and intrusions of university facilities.
Selection and training are essential steps in any successful exercise. The team leader formed a team of five patrol officers, whose membership was not disclosed to the rest of the department. The team then drilled on intrusion tactics and techniques and reviewed actions permissible in the exercise for more than a month in advance of the first test.
As a contribution to the ongoing homeland security effort, the university maintains current threat/risk/vulnerability assessments of all university facilities. Because of the ongoing media attention given to animal research facilities and biomedical research involving select agents, these facilities became the red team’s initial targets. Targets were selected by senior department leaders and were directly communicated to the team leader.
After target selection, the team began a several-week process that culminated in an actual breach exercise. Under the guidance of the team leader, team members conducted extensive manned and unmanned surveillance of the target. Surveillance restrictions imposed on the team meant that they could use only information available to people who were not involved in law enforcement or facility security.
After a period of surveillance, usually lasting 14 to 21 days, that includes extensive field notes and public information acquisition, a breach exercise is planned and then executed. The breach phase is the most dangerous part of any red team exercise. Specific guidance on use of force and destruction of property must be clearly communicated to and fully understood by all team members. Confusion or uncertainty during the breach phase can result in unnecessary injury and property destruction. Simply put, it’s a reality test: it is understood that any security system would collapse under a larger, overwhelming force, but the purpose of the red team exercise is to determine if the security system will hold against the size and type of threat it was designed to rebuff.
On a date and time established by the team leader, the team initiates the breach. Advance notice of this phase is provided only to the senior department leadership on a need-to-know basis. The line supervisors and commanders are only generally aware that the agency has a red team and that the team is used to test security systems.
An after-action review is provided to the chief of police within seven days of the breach exercise. This draft report includes a narrative outlining both the successes and failures of the exercise. If the team uncovers an egregious security weakness during the surveillance phase, immediate corrective actions are implemented to remediate it. In the breach exercise described here, an unmonitored door leading to a vital functional area of the building, unrelated to the target activity, was discovered during the surveillance phase, so that door was integrated into the building’s security system, and the risk was mitigated.
The after-action review is only the beginning of the assessment of facility security. The crime prevention and technical services sections then address portions of the draft report, seeking explanations for gaps found between the designed security system and actual security practices. Patrol commanders consider other elements of the draft, seeking to learn whether observed patrol practices were found to contribute to or to compromise facility security. These sectional explanations are correlated and become annexes to the final after-action review.
The after-action review routinely prompts a series of corrective actions and enhancements. As with a staff inspection, follow-up activities are as important as the initial findings. On a flexible schedule, agency leadership reexamines the most critical specific deficiencies and records follow-up findings as annexes to the after-action review. The reexamination may justify the commissioning of another red team exercise.
Upon completion of the review report, the agency must decide when and to whom the findings will be reported. Depending on the results of the exercise, the findings may propel major mitigation activities that require a multidisciplinary approach, involving other agencies and unique skills. The dissemination of red team findings creates fundamental security concerns, for the report is a clearly stated set of actions, reactions, and results whose release may place facility security at substantial risk. Legal counsel should be consulted prior to the release of the final report. Before the exercise is even begun, the host agency and the facility managers must agree on the status and distribution of the exercise report.
Using a red team with an after-action review process is an economical and realistic method to test the sufficiency of facility security practices at many infrastructure facilities and key assets. Team members must be properly trained, for these exercises require careful and thorough scripting to minimize the dangers to property and the public. The results of these exercises provide practical QC feedback that can be of value to both protective services and facilities management. If conducted properly, a red team exercise is an innovative way to expand organizational learning while contributing to the community’s overall security.
1. See “National Response Plan,” Department of Homeland Security Web site, December 25, 2006, www.dhs.gov/xprepresp/committees/editorial_0566.shtm, May 14, 2007.
2. See “Attack Foiled: Undercover Probe Busts Terror Plot,” FBI Web site, May 8, 2007, www.fbi.gov/page2/may07/ftdix050807.htm, May 14, 2007.
3. See W. A. Shewhart, Economic Control of Quality of Manufactured Product (New York: D. Van Nostrand, 1931).
4. Lawrence W. Sherman, Evidence-Based Policing, Ideas in American Policing series (Washington, D.C.: Police Foundation, 1998), www.policefoundation.org/pdf/Sherman.pdf, May 14, 2007.
5. Marilyn Darling, Charles Parry, and Joseph Moore, “Learning in the Thick of It,” Harvard Business Review 82, no. 7 (July–August 2005): 84–92.
6. See Michael K. Meehan, “Red Teaming for Law Enforcement,” The Police Chief 74, no. 2 (February 2007): 22–28, for a discussion of red teaming during the DHS TOPOFF exercises.
7. U.S. Naval Facilities Engineering Service Center, 2005, http://portal.navfac.navy.mil/pls/portal/PORTAL.wwv_media.show?p_id=5561120&p_settingssetid=3437681&p_settingssiteid=0&p_siteid=181&p_type=basetext&p_textid=5561121, May 14, 2007.
8. Christopher Connell, Homeland Defense and Democratic Liberties: An American Balance in Danger? Carnegie Challenge Papers (New York: Carnegie Corporation of New York, 2002), www.carnegie.org/sub/pubs/homeland.pdf, May 14, 2007.