Hostile Reconnaissance
Published 2 November 2020
1. Introduction
Hostile reconnaissance is the term given to the information-gathering phase conducted by those individuals or groups with malicious intent. It is a vital component of the terrorist attack planning process. Terrorism may not, however, be the only threat a site faces. This guidance therefore uses the term ‘hostile’ to refer to the individual or group conducting the reconnaissance.
The Centre for the Protection of National Infrastructure (CPNI) defines hostile reconnaissance as “Purposeful observation with the intention of collecting information to inform the planning of a hostile act against a specific target.” Generally, the more sophisticated the attack, the more complex the attack planning, and consequently the greater the information requirement and reconnaissance need.
The information gathered is typically used by hostiles to assess security and likelihood of detection; to assess vulnerabilities in security and the likelihood of success. Information about a site or event may be gained through online research, conducting on-site visits and where possible, through insider knowledge. The hostile will try to obtain detailed information to sufficiently inform their method of attack and increase the likelihood of success.
Remember:
- You cannot spot a hostile from their appearance, age, ethnicity, gender or clothing. You can however identify and report suspicious behaviour
- Stopping a hostile before they can carry out their plans will ultimately save lives
1.1 Objectives of Hostile Reconnaissance:
- Identify a TARGET
- Discover WEAK SPOTS (vulnerabilities)
- Assess the level and type of SECURITY
- Consider the best METHOD OF ATTACK
- Inform the best TIME to conduct the attack
- Assess the likelihood of SUCCESS
2. How do you identify suspicious behaviour?
You must understand what is normal and ‘every day’. Take time to understand your working environment, your regular commute, your daily routine and the people and activities you see most often. Learn to spot the difference between normal and unusual/suspicious behaviour. Be alert to the threat.
2.1 What kinds of behaviour could be seen as suspicious?
- Is that person really taking a selfie or a photograph of something else?
- Are they loitering in restricted or non-public areas?
- Are they paying significant interest to entrances, exits, CCTV cameras or security features or staff?
- Are they asking unusual questions?
- Are they concealing their faces or in disguise?
It is not just people on foot; vehicles are often used by hostiles planning attacks. Be aware of vehicles parked out of place, abandoned, or a vehicle retracing the same route.
2.2 Challenging and reporting suspicious behaviour
After conducting a dynamic risk assessment: You SHOULD approach a person that has been acting in a suspicious manner and politely ask them to account for their actions.
- Always remember - Stopping a hostile before they can carry out their plans will ultimately save lives
- You cannot spot a hostile from their appearance, age, ethnicity, gender or clothing
- You can identify and report their suspicious behaviour.
2.3 What information do the police need from you?
If you become aware of suspicious activity, you should dial 999 if the person is still on scene and you need an immediate police response.
Providing the following detail is useful:
- When did this happen? An accurate date and time of the incident
- Where did this happen? The venue, address and specific details about the location
- Who did you see? A detailed description of the person and what they were wearing and/or vehicle and direction of travel. The name, date of birth, address, and any phone numbers obtained of the person if they were stopped.
- Why you thought it was suspicious?
- What actions you took at the time?
Remember: it is always better that police are called while the person or vehicle is still at the scene. If the person has left the scene and their route taken is unknown, or a significant period of time has elapsed since the incident, i.e. several hours, then contact the Anti-terrorist hotline on 0800 789321 or report online.
2.4 Security Staff Powers
If part of the suspicious behaviour involves the taking of photographs, understand your powers:
- There is NO power in law to prevent a person from taking a photograph of anything or any person in a public place
- There is NO legal power to require or ask that any images taken are to be deleted
- Security personnel have NO legal power to ask to view images taken
- Security personnel have NO legal power to seize any camera or phone used to take any image
- If police are called, a person CANNOT be detained by security staff awaiting the arrival of police
- Powers to search and seize are ONLY available to a Police Officer
3. Security managers
What are you trying to achieve?
- Deny the hostile the opportunity to gain information.
- Detect the hostile when they are conducting their reconnaissance.
- Deter the hostile by conveying their plans will fail through messaging and the physical demonstration of the effectiveness of your security regime.
This approach will play on their concerns of failure and detection.
The key to disruption comes from understanding the information the hostile needs, where they are going to have to go to get this, and the hostile’s mind-set, i.e. how far they will go to get the information they need. Once this is understood, an organisation can shape its protective security and other resources, such as corporate communications and employee behaviours, to help disrupt hostile reconnaissance.
Remember: Deny + Detect + Deter = Disrupt
3.1 DENY them what they need
Denying the hostile the information they need to fulfil their information requirements is the first step an organisation can take in forcing the hostile to either disregard its site as a target, or by ensuring that they have to undertake further, potentially detectable, reconnaissance, e.g. removing or modifying information from public-facing websites and educating employees on what kind of information hostiles will be looking to use (from their social media accounts, for example).
Denying the hostile the information they need can also mean creating uncertainty and unpredictability about security arrangements at a site. For example, unpredictable timing, type and location of security patrols makes it difficult to assess a pattern of activity that they can exploit with any confidence.
3.2 DETECT and the state of mind of the hostile
Hostiles know they are on site for malicious reasons and that their behaviour might appear out of the norm. This makes them more anxious or paranoid and therefore, potentially susceptible to detection. This natural anxiety can be amplified by communicating and demonstrating an effective range of detection capabilities at the site. Vigilant and engaged security officers with timely and appropriate interventions can be particularly powerful in addition to well-sited CCTV and control rooms with proactive operators looking for suspicious activity.
3.3 DETER: Generating and sustaining deterrence
Deterrence is a vital component of disrupting hostile reconnaissance and for the majority of sites and organisations. It is the main desired effect of their protective security against hostiles.
CPNI defines deterrence as: “The intelligent, co-ordinated promotion of protective security provision to the hostile that results in the perception and/or assessment that the reconnaissance or the attack itself will fail.”
This is about proactively marketing protective security provision, primarily an organisation’s DENY and DETECT capabilities, to the hostile audience. The fact that the hostile is actively seeking information on the security measures at a site can actually be used to deliver that very same deterrence message. If an organisation does not proactively ‘promote’ its DENY and DETECT capabilities to hostiles, then it is missing an opportunity to disrupt hostile reconnaissance. The hostile may visit a site several times both physically and online and it is therefore vital that the tempo of the proactive marketing of protective security messages is maintained. Such messaging needs to be carefully balanced as too much specific security detail could be an aid to attack planning.
Crucially, an organisation should have an excellent employee vigilance and reporting culture that is clearly evident in the immediate reporting of suspicious behaviour and the speedy response of security personnel.
For further information:
Go to the CPNI Understanding Hostile Reconnaissance webpage
3.4 Hostile Reconnaissance Checklist
When an organisation is clear on the nature of the threats it faces and has understood the Deny, Detect, Deter principles, then vulnerability to online and physical hostile reconnaissance can be reduced by considering the following six themes:
- Having a secure online presence
- Operating a robust entry process
- The hostile reconnaissance threat is understood
- There is a strong staff security awareness
- The site operates vigilant and professional security
- There is a deterrence strategy
4. See Check and Notify - SCaN
See, Check and Notify (SCaN) aims to help businesses and organisations maximise safety and security using their existing resources. Your people are your biggest advantage in preventing and tackling a range of threats, including terrorism, criminal activity and protest. SCaN helps ensure that individuals or groups seeking to cause your organisation disruption and / or harm are unable to get the information they need to plan their actions. It also empowers your staff to know what suspicious behaviour to look for, and what to do when they encounter it. Additionally, the skills they learn will help them to provide an enhanced customer experience.
5. Project Servator
Project Servator is a strategic method of policing designed to deter, detect and disrupt a wide range of criminal activity, ranging from pickpocketing and property theft, to terrorism. Project Servator provides a reassuring presence for the public and the communities it serves. Deployments are unpredictable and intelligence-led, arriving unannounced at any time, and lasting for differing amounts of time. They involve uniformed and plain-clothes officers working together with other specially trained officers.
Further information on Project Servator.
6. The insider threat
6.1 What is an ‘Insider?’
Deliberate insider
Obtain employment with the deliberate intent of abusing their access.
Volunteer/self-initiated insider
Obtain employment without deliberate intent to abuse their access, but at some point, personally decide to do so.
Exploited/recruited insider
Obtain employment without deliberate intent to abuse their access, but at some point are exploited or recruited by a third party to do so.
Accidental insider
Staff who by their actions might inadvertently leak information, either because they haven’t received adequate training, or because they have been asked to undertake an action that they don’t recognise as being something they shouldn’t do.
If the hostile is unable to gather the information they require from online or on-site reconnaissance, they may attempt to recruit an insider to help them achieve their aims.
To help mitigate the threat of insiders, a range of personnel security guidance is available from CPNI or your CTSA, based on the following four components:
- Personnel security risk assessment
- Pre-employment screening
- Ongoing personnel security
- Security culture
When applied consistently, personnel security measures not only reduce operational vulnerabilities, they can also help build a hugely beneficial security culture at every level of an organisation.
6.2 Robust personnel security helps organisations to:
- Employ reliable people to minimise the chances of staff becoming unreliable once they have been employed
- Detect suspicious behaviour and resolve security concerns once they emerge
6.3 Examples of ‘insider activity’
- Unauthorised disclosure of sensitive information to a non-entitled third party
- Process corruption (illegitimately altering an internal process or system to achieve a specific, non-authorised objective)
- Facilitation of third party access to an organisation’s assets (including premises, information and people)
- Physical sabotage including theft
- Electronic or IT sabotage