Making the Case for Surveillance Detection

By David L. Johnson, CDEP, DABCHS, CHS-V

The Increasing Threat of Homegrown Terrorists

Someone once told me that the more things change, the more they stay the same.  I guess that statement is true to some extent.  As I’m watching the world of terrorism continue to evolve, observe the growing phenomenon of “homegrown terrorists,” and the advent of the new internet based Inspire magazine allegedly published by al-Qa’ida on the Arabian Peninsula (AQAP), those of us in the security, law enforcement, and military communities need to be as proactive as we can.

According to the Council on Foreign Relations, [1] terrorists are increasing their use of the internet as a means of communicating with each other – and the rest of the world.  Western governments have intensified surveillance of such sites but their prosecution of site operators is hampered by concerns over civil liberties, the Internet’s inherent anonymity, legal constraints, and other factors.

“The internet is a powerful tool for terrorists, who use online message boards and chat rooms to share information, coordinate attacks, spread propaganda, raise funds, and recruit, experts say.  According to Haifa University’s Gabriel Weimann, whose research on the subject is widely cited, the number of terrorist (web) sites increased exponentially over the last decade – – from less than 100 to more than 4,800 two years ago.  The numbers can be somewhat misleading, however.  In the case of al-Qa’ida,, hundreds of sister sites have been promulgated but only a handful are considered active, experts say. Nonetheless, analysts do see a clear proliferation trend.” [2]

What’s changing is the ease of anonymous and global communication, the ability to recruit, motivate, and train homegrown terrorists, and further exploitation of vulnerabilities in our open and free society by those who seek to do us great harm.

What remains the same is the need to develop our collective ability to conduct, and use, surveillance detection. Actually, the need for surveillance detection is the same as it has been for years, although some consider it to be a relatively new concept.  What’s different today, however, is the level of need for it – there is a definite need for its expanded growth and use.  In fact, the need for us to get better at conducting it and do it more often is of paramount importance.

A Range of Risk

As a retired US Army Criminal Investigator and a dignitary and executive protection practitioner for some 31 years now, I know there are three ways a protectee can become a victim of a crime.  In the context of what protection professionals do; assassination and kidnapping, causing injury, and even causing embarrassment are the crimes we must protect against.  Deterring those “crimes” is what is what we do in this profession.  It’s important to realize too, that it doesn’t matter if these crimes are committed by a terrorist, a stalker, or a mentally deranged individual with a motive no sensible person can understand or rationalize.  Motive is irrelevant, the effect is the same.

So how does one become the victim of one of these crimes?  There are three ways:

  1. Being specifically targeted – an individual or group targets a specific individual or entity.
  2. Being a target of opportunity either by:
    1. Meeting a specific profile.  For example: a white male driving an American-made SUV on the streets of Bagdad, Iraq.
    2. Being immediately recognizable as an individual of considerable target value during a chance encounter with people using these tactics.
  3. Being an innocent bystander – in an area where and when an act of terrorism is committed, but not specifically targeted under conditions 1 or 2, above.

Now, there’s something interesting about all of that from the surveillance detection perspective, the conditions under which these three types of crimes can occur have distinctive characteristics:

  1. In order to accomplish an attack on a specific target, the attacker(s) must be in place at a time before their intended victim arrives, or meet the target at a time and place that the attacker knows their victim will be.  The victim must be time and place predictable to the attacker(s) or the plan fails.  In the case of celebrities and political figures, this is can sometimes be accomplished simply by reading press releases or a newspaper.  In most cases, however, gathering this information is not that easy and necessitates conducting surveillance.  A common predictor of time and place are the target’s patterns. Determining those patterns, and the development of associated information, is the purpose of that surveillance activity. Either way, the attacker(s) now know when they have to be in a particular place at a particular time in order to carry out their attack against their intended victim.  Examples of this kind of scenario are the attempted assassination of General Frederick Kroesen, and the successful kidnapping and subsequent murder of Hans Martin Schleyer in West Germany in the late 70’s and early 80’s by the terrorist organization then known as the Red Army Faction.   The assassination of President John F. Kennedy also fits this scenario. There are many other case studies that could be cited here.
  2. Attackers seeking targets of opportunity must first develop a profile of their intended victim and then set up at a location that suits their needs.  They then conduct surveillance waiting for someone who meets their profile to enter their area of operations.  When that happens they can then initiate their attack.  One example of an opportunity attack is a crime commonly encountered in Mexico called “express kidnapping.”  A tourist flags down a taxi. The taxi driver is a criminal looking for customer victims who fit his profile –tourists with fat wallets and ATM cards.  The taxi driver kidnaps his fare, takes them to an ATM machine once before midnight, and forces them withdraw the maximum daily amount of funds.  The taxi driver holds his victim until after midnight at which time he takes his mark once more to an ATM to make another withdrawal.  This method enables the criminal taxi driver to get two days worth of funds from the victim’s bank account. After that, generally the victim is released.  Both the scenarios described above are purely crimes of opportunity.
  3. An innocent bystander, getting caught in the middle of a violent situation directed at someone else and becoming a victim of the crime is a situation that, generally, has arisen out of one of the first two scenarios – and where surveillance has been conducted.  Whether that crime was one of specific targeting, or opportunity, is of no matter.  One of the most notable examples of this type of incident is the assassination of Egypt’s President Anwar Sadat in 1981 while he was a reviewing a military parade.  While this act was clearly a specifically targeted assassination attack directed at President Sadat, others in this reviewing stand, all of whom were invited guests, were killed or wounded.  In addition to President Sadat, six others were killed in that attack.  The wounded included the Belgian Ambassador to Egypt, the Cuban Ambassador to Egypt, the First Secretary of the Australian Embassy, and three American servicemen.  All of the killed and the wounded were innocent bystanders caught in the middle of a planned, targeted attack directed at President Sadat.

It’s critically important to recognize that no matter which of these three scenarios you may potentially encounter as a victim, surveillance has been conducted by the bad guys.  If it’s the first, the attackers will use surveillance to identify a planned, future event, at which the target of their attack will be present.  If it’s the second scenario, the attackers will utilize surveillance techniques to identify potential victims who fit their profile.  If it is the third, they’ve already conducted their surveillance and are now carrying out their plan.  If you get caught in one of those events, you’d definitely be at the wrong place at the wrong time.

Basic Avoidance

In response to all of this, various theories, philosophies, tactics, techniques, and procedures for dealing with these threats have been developed over the years. As I review some of ways to minimize risk, I’m going to work in reverse order of the preceding list; working from the easiest thing to counter to the hardest.

Avoidance can be used to reduce the potential of becoming a bystander victim of a terrorist act.  Westerners might avoid frequenting places where other Westerners congregate.  For example, avoiding for a while the Marriott Hotel in Jakarta, Indonesia might be a sensible idea since that hotel has been bombed twice; once in 2003 and again in 2009.  Avoid large crowds and gatherings, and know the dates that are important to terrorist organizations.  Avoid hanging out with folks who may be bullet magnets whenever possible, and at all times, attempt to dress and act as unobtrusively as possible.

To reduce the potential of becoming a victim of a crime of opportunity, once again, as much as possible, avoid the kinds of behavior that make attack easier.  Avoid routes where opportunity crimes are easy or common.  Avoid “bad” parts of the towns and cities.  Stay up-to-date on US State Department Travel Advisories and other alert sources, and only use taxis recommended by a hotel’s concierge, especially in Mexico.

Maintain a low profile as much a possible, and try to fly under the radar so to speak.  Leave expensive jewelry and other “bling” at home or in the hotel safe. Try not to overtly advertise “American” in certain locations.  Keep tight control of itinerary information and use trusted, vetted resources whenever possible.

They key to avoid being victimized as a targeted individual, is to think like a target.  People can make a potentially fatal error by thinking that they are not an “important” enough personality, to be a target.  Just the opposite could be the case: Not being an “important” personality could make them a target – a “softer” target that a group or organization can use effectively to advance their agenda.  Sometimes, the mere fact of being employed by a company that has been targeted, and living in a particular area – whether in a cloistered compound or amongst the population at large – is enough to make someone a desirable target.  Simple things like varying travel routes and times, as much as possible, make it difficult for someone to develop predictable time and place information.  Why do these things?  Because before an attacker can carry out their plan, they need to know, in advance, where and when their target will be there so they can pre-deploy their forces in preparation for the attack.

The Targeted Attack Planning Process

There is however, another protective measure that can help avoid all of these attack scenarios: surveillance detection.  An individual can do this on their own or employ a trained, dedicated Surveillance Detection Team.

There are two reasons why an individual needs to become familiar with using surveillance detection techniques if living or working in an environment where this is a prudent activity.  First, history indicates that surveillance in one form or another has been conducted on every single victim of a “targeted” attack – all of them with no exceptions!  Again, that is because the target of this type of attack must be time and place predictable to the attackers.  Second, there are eight phases common in all planned, targeted terrorist attacks.   

  • Phase One: Initial Target Selection.  Within a terrorist’s operating area there are often many people or facilities that, if attacked, will provide them with the kind of media exposure or other attributes they may be seeking to achieve their agenda.  Often, terrorists will make a list of potential suitable targets that can be assessed to determine which targets are of the highest value and offer the greatest probability of successful attack execution.
  • Phase Two: Surveillance.  Conducted to learn all there is to know about the potential target.  If the target is an individual, they look at routines, security awareness, amount of security present, routes, and myriad other things that will help them plan their attack.  If the target is a facility, they identify and evaluate security issues – perhaps even conducting penetration testing – identify avenues of approach, and the various vulnerabilities that can be exploited.  They try to identify all the information necessary to determine what it will take to successfully attack that person or location and what kind of attack has the best chance of success.
  • Phase Three: Final Target Selection. “OK, we’ll move forward with the plan to conduct a    _______________ type of attack against _______________ (individual or facility). This is where they decide who or what they will attack and how they will conduct their attack.
  • Phase Four: Planning. The attack plan is made, resources are gathered, the bomb is built.  Whatever they think they need to be successful in their endeavor is pulled together, produced, or prepared.  In the case of assassination or kidnapping, they often rehearse the attack plan so they can get good at it.
  • Phase Five: Final Surveillance.  Terrorists can be rather paranoid and are often very thorough in their efforts.  Though not always done, there is a definite tendency to go back out and do surveillance one more time just to make sure that nothing has changed and that their plan will still work.
  • Phase Six: Deployment.  They are ready to go and all is in order.  Their attacking force will head to the facility or to a pre-planned destination, often a rally point, to make final arrangements for carrying out the attack.  If the target is an individual, they go where he or she is time and place predictable.
  • Phase Seven: Target Arrival.  This step is not necessary when attacking facilities; the attackers will move from the deployment phase to the attack phase.  However, when attacking people, they must confirm that their target has arrived at the expected – and predicted – time and place.
    • A member of their team may be assigned the task of Target ID – verify that the target has arrived at the site and that all is well in the environment.  If that is the case, they signal all is well to the attacking force and the attack begins.  If all is not well, for example the intended victim has changed their security posture by adding security agents or there are police in the area, the signal is given to call off the attack (in cases where suicide modus operandi are not in play and sometimes even if they are), and the attack is deferred to another day.
  • Phase Eight: Attack.  The plan is executed.

During at least five of these phases; Initial Surveillance, Final Surveillance, Deployment, and Target Arrival and Target ID there is the potential to detect surveillance, and possibly even the terrorist operatives themselves, Through proper training and awareness, an individual or a protection team can use surveillance detection techniques to discover if the individual has been targeted, and also to provide a higher level of security.  It’s entirely possible that by using surveillance detection techniques, an individual (or in my profession, my principal) might gain advance knowledge that they have become:

a)     A potential specifically targeted victim; or,

b)     That activity consistent with surveillance and crimes committed against targets of opportunities is present in the immediate environment; or,

c)     A potential innocent bystander victim by recognizing that one of the five times there is potential to detect surveillance or deployment is occurring.  Right that instant.

In all of these circumstances, for most people, the first natural reaction will be to look down and say, “Feet – don’t fail me now!”  Candidly, in some cases, that’s the worst thing to do.  The proper action will be dictated by the circumstance.  Early in the process – the first Phases – there are other options available.  But in the later Phases, that’s exactly the proper action!

The Risk of Doing Nothing

Inspire Magazine and various other Internet recruitment efforts are actually inspiring the growth of the terrorist phenomenon.  Terrorism isn’t going away any time soon and plain, everyday criminals, even psychologically deranged individuals, are now using tactics once solely reserved for terrorist organizations.  All of them are using surveillance methodology, even including penetration testing.  Surveillance Detection methodology needs to move more to the forefront of proactive security efforts so security professionals can become even more capable and successful at identifying and stopping attacks before they happen.  Identifying activity consistent with the conduct of surveillance, coupled with ongoing protective intelligence gathering that can lead to effective investigations that can stop a terrorist operation in its tracks.

If you don’t use, or have not been trained at, Surveillance Detection, and the information in this article doesn’t persuade you to use it or seek training, then maybe the following tidbit of information will help.  Sometime around the year 2000, the Manchester Metropolitan Police in England raided and searched a suspected al-Qa’ida member’s home.  During that search, they discovered a “training manual” in a computer file described as “the military series” related to “The Declaration of Jihad.”   Sections of it were released during a trial in New York related to the US Embassy Bombings in Africa.

In the beginning of this manual, under a section called “Principles of Military Organization” the following information is presented:

“Military Organization has three main principles without which it cannot be established:

  1. Military Organization commander and advisory council
  2. The soldiers (individual members)
  3. A clearly defined strategy

Military Organization Requirements:

The Military Organization dictates a number of requirements to assist it in confrontation and endurance.  These are:

  1. Forged documents and counterfeit currency
  2. Apartments and hiding places
  3. Communications means
  4. Transportation means
  5. Information [3]
  6. Arms and ammunition
  7. Transport”

Sounds like there was a budding Sun Tzu writing this manual but it is all correct – though I know not why they mention transportation twice.

But I’ll give you three guesses about how they develop and obtain information.  Yep, you’re right – one of the ways they advocate gaining information necessary to carry out their nefarious plans is through conducting surveillance.  They also advocate reading open source material and recruiting informants or spies but that’s not the subject of this article.  Surveillance Detection is the subject, and as I read those parts of this “training manual” that I could get my hands on, I noted that there were approximately 4,097 words in 251 paragraphs of that document that were devoted to the conduct of surveillance and surveillance detection efforts.  Yep, you read that right – they too, use surveillance detection.

Serious players in this world also use dedicated, separately deployed, security elements to guard their surveillance operatives.  If you’re out there without proper training in surveillance detection and don’t know about that kind of thing and how it works, guess what?  You’re more than likely about to become a target of opportunity yourself.

Now I’m going to make just one last pitch at selling this concept of surveillance detection to members of the security, law enforcement, and military communities (and to potential victims of these crimes everywhere).  This is a skill base that has BROAD application.  Drug dealers are using both surveillance and surveillance detection.  So are people hi-jacking cars, conducting insurance frauds, picking pockets, robbing convenience stores, and a whole host of other crimes these days.

And if you really want to get good at this start studying the modus operandi used by the criminals you are targeting with surveillance detection efforts.  Learn how they do what it is they do.  That way, you will greatly enhance your effectiveness in applying surveillance detection in protective security.

If, while doing this surveillance detection thing you encounter terrorist surveillance, and develop enough information through your actions to initiate a formal criminal investigation that results in the identification and arrest of plotters, you’ll probably not become a public hero.  Likely as not, you’ll remain in the background and quietly continue to do your thing.  But I can promise you this:  uncovering one of their plots in this manner hurts a whole lot less than discovering you’ve become the victim of their crime when you arrive on the “X” of their kill zone and have to execute an Attack on Principal Drill, or your very best anti-ambush techniques.  That much is for sure!

[1] (,
[2] Terrorists on the Internet – Council on Foreign Relations, January 8, 2009.
[3] Bold Italics added for emphasis by the author

David L. Johnson is President of ITG® Consulting Services. He has over 30 years of experience in providing executive and personal security services in both the US military and private sector on a global scale. He is the author of ADVANCE: The Guide For Conducting A Protective Security Advance.  Contact him at [email protected]


Image courtesy of Graphics Mouse @

Print Friendly, PDF & Email


  1. Dave,

    Great article. SD is one of the most useful tools at our disposal within the industry, but sadly it is also one of the most under utilized.


  2. Dave
    I have been a practitioner of Surveillance Detection and Counter-Surveillance in a variety of overseas and domestic environments and I totally agree with your emphasis on this methodology and on being pro-active. Your article clearly meshes the fundamental theories of personal security which can be applied world-wide. Tom

  3. Walter, Clearly our society is bemicong more accepting of video surveillance systems. This is most likely because the application is bemicong so widespread. From stoplight enforcement to the schools our kids attend, video surveillance is a part of our daily lives in America. We have nowhere near the level of use seen in the UK or some other countries, but it is a trend that will continue to grow. As long as retailers have clear guidelines on the application and shot placement, respect the laws and expectations of privacy, there should be no apprehension in continuing to enhance video systems. As a matter of fact, it could be argued that there is a growing expectation of retailer’s ability to produce video evidence upon demand. All the “CSI” type shows are creating a growing expectation that if anything happens, it will be recorded. Retailers should consider this growing expectation when designing and improving systems for their stores.As for the use in identifying and preventing terrorism, video along with a host of other investigative tools and techniques will need to be expanded and accepted to really make a difference. We will have to get comfortable with the perceived loss of privacy to gain real security. A trade I am more than willing to make. Thanks for the post!

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.