Thursday, September 19, 2013

Security Weekly: Preventive Security and the Washington Navy Yard Attack , September 19, 2013

By Paul Floyd

Much of the investigation into the deadly Sept. 16 shooting at the Washington Navy Yard will focus on the background of shooter Aaron Alexis to uncover any missed red flags that could have prevented the attack.

Alexis brought at least one firearm onto the post, which serves as a home for the chief of naval operations and various other command headquarters throughout the Navy and Marine Corps, and opened fire, ultimately wounding eight and killing 12 before being shot down by responding security personnel. The death toll makes this incident the second-deadliest military installation shooting in U.S. history after the Fort Hood shooting perpetrated by U.S. Army Maj. Nidal Malik Hasan in 2009.

In a city overlaid with multiple law enforcement agencies and overlapping jurisdictions, the FBI quickly assumed the lead in the investigation, taking the case away from the U.S. Naval Criminal Investigative Service. This suggests terrorism was suspected and has not been entirely ruled out, even though initial evidence points to this being a case of workplace violence coupled with mental illness; much effort will be expended to determine if Alexis was influenced by or acted under the direction of another person and whether others assisted him.

Preventive and Screening Security

Preventive security, such as security clearances and background checks, are only small pieces of the overall security framework that must be in place to prevent these types of attacks. In general, this can be broken down into three categories: preventive and screening security measures that filter and flag potential issues; security procedures and infrastructure that identify and contain an immediate security threat while alerting security personnel; and reactionary procedures to protect those within the facility while enabling follow-on forces to close in on and deal with the threat. Implementing all three effectively requires significant funds, training and constant updates. While ideally this would prevent all attacks, in reality no system is perfect given limited resources and human fallibility.

Alexis was a former naval reservist as well as an IT subcontractor for HP Enterprise Services, a job that gave him access to any facility to which he was assigned. To get the job, he would have needed a Secret-level clearance, which requires a background check. A Secret clearance can be gained via national agency checks, through an investigation into employment and residential history, criminal records and credit reports that looks for major red flags such as illegal drug use, previously revoked clearances or severe financial irregularities or indebtedness. This level of clearance also involves very limited street work, such as field interviews of family members and friends. This constitutes the bulk of the preventive security and screening that most people undergo to obtain a Secret-level clearance. As we have written, the system that allots clearances has many flaws. At its base, the system is very formulaic and rigid. It only catches indicators if they are divulged by the prospective employee or are documented by law enforcement. Security clearances are also not updated often enough to catch sudden changes in behavior, and the sheer volume of requests for clearances and clearance updates -- which number in the tens of thousands annually -- pushes many of the agencies and/or subcontractors conducting these investigations into doing the absolute minimum to keep up with demand.

Alexis received his Secret clearance during his years as a naval reservist from 2007 to 2011. This level of clearance lasts for 10 years before an update investigation is carried out. His clearance remained active after he left the military and applied to work at HP, where another security contractor ran a cursory background check using only public records -- which are often incomplete. This background check apparently did not uncover or bring proper attention to Alexis' series of firearms-related incidents, including arrests, which should have prompted a deeper investigation.

Alexis also reportedly was receiving treatment for possible mental illness at Veterans Affairs hospitals. If such treatment had come to light, it could have disqualified him from holding a clearance. But medical confidentiality laws usually protect this type of information. Disclosing it would require hospital personnel to notify the appropriate authorities, something that usually can only be done if the patient makes a direct, credible threat against himself or others, or if a mental health official were to declare him mentally incompetent.

In the end, thick layers of bureaucracy allowed Alexis to slip through the system.

Security Procedures and Infrastructure

Most military bases are softer targets than they initially appear. Their perimeter security infrastructure and procedures are designed to deter or catch people completely unrelated to the post from gaining access. This is usually done through perimeter fences and controlled access gates that use a combination of identification by a military common access card -- a standard government identification card shared by all federal and military personnel -- and vehicle screening. The thoroughness of these checks is determined by the force protection level and can be adjusted accordingly to perceived threats. Installations on the post that are sensitive will have redundant and sometimes additional layers of security.

Both the Washington Navy Yard shooting and the Fort Hood shooting demonstrate two shortcomings in these security procedures. The security checks are vulnerable to people already cleared to be in the system and on the post. As a contractor, Alexis had a common access card and it would have been perfectly normal to have him moving throughout the base as an IT professional. It would be unusual for anyone to have his person or equipment searched, so concealing a firearm would not have been difficult. His freedom of movement allowed him ample opportunity to do preoperational surveillance.

Furthermore, most bases or specific installations on these bases are not designed to withstand a direct assault from an armed assailant. Security desks, checkpoints or kiosks staffed by a handful of lightly armed security personnel are very common for individual buildings or gates. This makes them vulnerable to an attacker who can produce proper identification before suddenly opening fire. In gaining access to the Washington Navy Yard, Alexis was able to easily drive through gate security due to his common access card. With that same card he was able to gain access to his targeted building and quickly kill the initial security guard controlling access.

Facilities must be purpose-built from the ground up to be secure against direct assaults. Certain embassies located in high-threat regions of the world meet this standard. Usually this involves several concentric layers of security, ballistic barriers for security personnel and mantrap architecture that immediately restricts the movement of intruders in case of an alarm. Bases in the United States were simply not built with this in mind, and it would be prohibitively expensive to harden every single one. Moreover, these bases have several thousand employees and residents, and are in essence small cities unto themselves. Creating security procedures akin to hardened embassy security would place unrealistic restrictions on the thousands of personnel who flow in and out of the base each day.

Reaction Procedures

The last part of general security is the reaction to these incidents, where each second is critical. The Washington Navy Yard shooting reaction was the most successful of the three general categories of security. The ongoing threat of active shooters in the United States has led to a slow and steady revolution in how law enforcement, military and civilians responding to these situations are trained to react. It has become common for most municipalities and government installations to have specially designated active shooter response teams at the ready.

Lower-level initial responders are now being taught to aggressively close with and engage active shooters or at least isolate them from as many victims as possible (as opposed to setting up broad perimeters and waiting on higher-end units to arrive while attackers rampage). Additionally, government programs, workplaces and schools are teaching their employees and students how to respond to shootings as non-combatants with the Run, Hide, Fight technique or something comparable. At the Washington Navy Yard, it took armed personnel less than eight minutes to engage Alexis after he fired the first shot.

Major U.S. cities have established protocols to cope with sudden attacks. They focus resources such as additional law enforcement and military along with medical personnel that can contain and isolate the affected area while treating casualties. In the wake of the Washington Navy Yard shooting and the Boston Marathon bombing, we have also seen greater protection of key infrastructure and potential follow-on attack sites (in case there are multiple teams of attackers). Some good examples of such places are airports, bridges and nearby schools. Cities also communicate to citizens to shelter in place in an effort to deny attackers more victims and provide freedom of movement for responders.

Successfully protecting any given facility requires a balanced approach to security. Too much reliance on any one approach will ultimately prove unsuccessful. It is also simply impossible to secure all potential soft targets completely, since resources are limited and convenience and practical functioning must be balanced against security concerns. As the investigation proceeds, specific shortcomings will be identified and realistic solutions will hopefully be applied across the board. But there is no panacea that will stop all security threats, especially if the attacker is a current or previous employee. Ultimately it is still the citizen who is the last line of defense against tragedies such as the Washington Navy Yard shooting.

Preventive Security and the Washington Navy Yard Attack Copyright STRATFOR.COM

No comments:

Post a Comment