Security Weekly: Savopoulos: A Case Study in Protective Intelligence, June 4, 2015

By Scott Stewart

In last week's Security Weekly, we discussed the home invasion robbery that resulted in the deaths of American Iron Works CEO Savvas Savopoulos, his wife and 10-year-old son, and their housekeeper. The analysis discussed home invasion robberies in detail and explained steps that can be taken to help avoid or mitigate such crimes. But aside from the efforts that the family itself could have taken, such as practicing situational awareness, surveillance detection and employing sound residential security measures and procedures, there are also protective intelligence measures that the American Iron Works corporate security team should have employed to protect Savopoulos and his family from what was a known threat.

The Known Threat

As noted last week, the man arrested and charged in the Savopoulos murders, Daron Wint, was employed at American Iron Works from 2003-2005 before being fired. But Wint's termination was not his last contact with the company. According to the AP, Wint was arrested outside the headquarters of American Iron Works in 2010. At the time of the incident, he was reportedly armed with a BB pistol and a machete. The weapons charges were reportedly dropped when Wint pleaded guilty to possessing an open container of alcohol. Based on my experience in dealing with angry and mentally disturbed former employees, it would seem very unusual for a person to suddenly develop an unhealthy focus on their former employer after a five-year period of no contact. It is even more unusual to target the company's CEO after 10 years with no other contact.

Because of this, I believe it is highly likely that Wint was a known problem prior to the 2010 incident and had made threatening communications either prior to or after his termination — as well as likely between his firing and when he showed up at the corporate headquarters reportedly armed and intoxicated. It is also probable that he has had communication with American Iron Works, and perhaps even Savopoulos, since the 2010 incident.

If Wint had made prior threats to Savopoulos or others, the American Iron Works corporate security department should have opened a protective intelligence case on him at the time the threats were made. At the very least, they should have opened a protective intelligence case on Wint after his troubling appearance in 2010. I don't know if American Iron Works corporate security opened a protective intelligence case on Wint. It is possible that they did and that he just slipped through the cracks before killing the CEO. But either way, the case provides a good opportunity to talk about the elements of a protective intelligence program and how they can defend against criminals such as Wint.

Defining Protective Intelligence

In simple terms, protective intelligence is a process used to identify, assess and mitigate threats. A well-designed protective intelligence program will have a number of distinct and crucial components or functions, but the most important of these are countersurveillance, investigation, analysis and liaison.

The first function, countersurveillance, serves as the eyes and ears of the protective intelligence team — and the rest of the security team for that matter. As we noted last week, all criminals — assassins, burglars, kidnappers, etc. — engage in some degree of pre-operational surveillance. While conducting this surveillance, someone with hostile intentions is highly vulnerable to detection. This is what makes countersurveillance such a valuable and proactive protective intelligence tool.

While an individual practicing good situational awareness can often spot pre-operational surveillance on his or her own, especially if the surveillant is sloppy, the efforts of a professionally trained countersurveillance team focused on detecting surveillance by a potential target are far more powerful. They can recognize even trained operatives conducting surveillance on a target.

Another advantage of countersurveillance operations is that, being amorphous by nature, they are far more difficult for a potential assailant to detect than are traditional security measures. Even if one countersurveillance operative is detected — regardless of whether the team has identified the hostile actor — the suspect's anxiety will increase because he will have difficulty knowing whether the next person he encounters is a countersurveillance operative. This will cause him to make numerous false positive sightings and hopefully deter him and cause him to redirect to another, easier target.

Analytical and Investigative Functions

Although countersurveillance teams are valuable, they cannot operate in a vacuum. They need to be part of a larger protective intelligence program that includes analytical and investigative functions. Investigations and analysis are two closely related yet distinct components that can help to focus the countersurveillance operations on the most likely or most vulnerable targets, help analyze the observations of the countersurveillance team to spot patterns or anomalies, and investigate any suspicious individuals observed.

Without an analytical function, it is difficult for countersurveillance operatives to note when the same person or vehicle has been encountered on different shifts, at different sites, or over time. In fact, countersurveillance operations are far less effective without databasing and analyzing what the countersurveillance teams observe over time and distance and in different environments.

Investigations also are important. Most often, something that appears unusual to a countersurveillance operative has a logical and harmless explanation, though it is difficult to make that determination without an investigative unit to follow up on any red flags. In fact, many of the suspicious people spotted by countersurveillance teams may not even be targeting the person or facility the team is charged to protect. Countersurveillance and protective intelligence teams I have worked on spotted car thieves, burglars, pedophiles and drug dealers in our areas of operation. None of them were targeting our protectee, but we still reported them to the police.

Other Tools

This brings up the importance of the liaison function. Whether the protective intelligence team is working for the government or in the private sector, it is critical to maintain good contact with the appropriate authorities and with counterparts. When I was with the Diplomatic Security Service working protective intelligence for the secretary of state, I frequently talked with my counterparts at the U.S. Secret Service, the U.S. Capitol Police and the FBI. It was not uncommon for mentally disturbed individuals to send threatening communications to multiple government officials, and quite frequently the people we were investigating were on record with one of those other agencies. Likewise, when I worked in protective intelligence in the private sector, I not only maintained liaison with local, state and federal law enforcement agencies (that would be called on to prosecute the case should someone commit an illegal act against my protectee), I also maintained close liaison with my counterparts in other companies in the area and in my industry.

The investigative and analytical functions of protective intelligence also are crucial in assessing communications from mentally disturbed individuals, for tracking the activities of activist or extremist groups, and for attempting to identify and assess individuals who make anonymous threats by telephone, the Internet or mail. Mentally disturbed individuals have long posed substantial (and still underestimated) threats to prominent people and average citizens alike in the United States. In fact, the mentally disturbed have killed far more prominent people (including President James Garfield, Robert F. Kennedy and John Lennon) than militants have in terrorist attacks. Furthermore, nearly all of those who have committed attacks have self-identified or otherwise come to the attention of the target or authorities before the attack was carried out. Such self-identification frequently has consisted of contacting the target or telling a third person of their intentions.

Because of this, protective intelligence teams ensure that no mentally disturbed person is summarily dismissed as a "harmless nut" until he or she has been thoroughly investigated and their communications carefully analyzed and databased. Databasing is crucial because it allows the tenor of correspondence from a mentally disturbed individual to be monitored over time and compared with earlier missives in order to identify signs of a deteriorating mental state or a developing intent to commit violence. Protective intelligence teams will often consult mental health professionals in such cases to assist with psycholinguistic and psychological evaluations, as well as to develop a profile of an unknown person who makes a threat.

In the Savopoulos case, if Wint had indeed been contacting the company or the CEO, his communications should have been monitored, databased and analyzed. Additional investigation, liaison activity and briefing of the potential targets, their families and staffs could then have been deemed necessary based upon the content of those communications. Unfortunately, in many cases threatening and delusional communications are ignored or simply filed away with no additional action.

Not all threats from criminals or the mentally disturbed come from outside a company or organization, however; current or former members can prove equally dangerous, if not more so. Though the common perception following a workplace incident is that the employee "just snapped," in most cases the factors leading to the violent outburst have been building up for a long time and the assailant has made detailed plans — and given off warning signs. Some of Wint's former co-workers from American Iron Works, for example, have plainly indicated in press interviews that they felt intimidated by Wint's behavior prior to the attack.

Workplace or school shootings, in fact, seldom occur randomly. In most cases, the perpetrator will target a specific person or set of individuals who the shooter believes are to blame for their plight. Therefore, protective intelligence teams also will work closely with human resource managers and employee mental health programs to try to identify early on those employees who have the potential to commit acts of workplace violence. This is the stage where Wint should have been brought to the attention of corporate security and a protective intelligence case opened.

In workplace settings and other potential threat areas, protective intelligence operatives also can aid other security officers by providing them with the photographs and descriptions of any person identified as a potential problem. The person identified as the potential target of the threat also can be briefed and the information shared with their administrative assistants, family members and household staff. Training can be provided to these people to help them practice good situational awareness, and they should be provided with contact numbers in case they spot anything untoward.

Another protective intelligence tool that could have been very helpful in the Savopoulos case is what is known as a duress code, or a seemingly innocuous word or phrase either inserted or withheld from a conversation to alert an outsider about a hostage situation without tipping off the hostage taker that their cover has been blown. Media reports on the case indicate that Savopoulos communicated with several people during the ordeal, likely at the behest of Wint to secure the cash later delivered to the home. Some of these conversations were with Savopoulos' assistant and bank. The family also apparently had some text conversations with their other housekeeper in which they asked her not to come to the house. Had the family and staff been trained to use a duress code, it is very likely that the police could have been notified and responded to the home before the killing. At the very least, security training could have instructed the maid who received the odd messages to report them to the corporate security office.

Protective intelligence teams can also serve a valuable function by acting as a "red team" that simulates the actions of a hostile individual in order to identify vulnerabilities in the security program. Most security looks from the inside out, but a protective intelligence red team provides the opportunity to look from the outside in. In the executive protection realm, this can include an analysis of the principal's schedule and transportation routes in order to determine the times and places where they are most vulnerable. Countersurveillance or even overt security assets can then be focused on these crucial locations and movements. Since the most predictable spots to encounter and begin to stalk a potential target are at the home and office, special attention is provided to those locations.

Red team surveillance can also help identify the vantage points (or "perches") that would most likely be used by a hostile actor surveilling a specific targeted site such as an office or residence. Once the perches around a location are identified, activities at those sites can be monitored, either in a low-key manner or by overtly placing a security presence there, making it more difficult for assailants to conduct pre-operational surveillance without detection.

Protective intelligence can also perform red team activities on the Internet via "cyberstalker" research, that is, by studying a potential target through a criminal or mentally disturbed person's eyes. The researchers attempt to obtain as much open-source and public record information on a target as possible as if they were attempting to begin physically stalking the target. Research has shown that real life criminals frequently do extensive research on their potential targets, especially for more complex crimes like kidnapping, stalking or a home invasion robbery. A cyberstalker project helps to determine what sensitive information is available regarding a particular target and can highlight how a criminal planning an attack could use that information. It can also be helpful in designing security measures or allocating security resources to address such vulnerabilities. Corporate security departments can also subscribe to services that can contact data aggregators and ask them to remove sensitive information encountered during a cyberstalker operation, such as an address or a date of birth. Unfortunately, since data aggregators are continually adding and updating information, such requests must be made repeatedly over time.

This combination of protective intelligence tools can be applied in an almost endless number of other creative and proactive ways to help keep potential threats off balance and deny them the opportunity to take the initiative. Although a large global corporation or government might require a large protective intelligence team, these core functions can be performed by a skilled compact team, or even by one person.

In a world where the grassroots terrorist threat is growing, criminals are becoming increasingly sophisticated, workplace violence continues and mentally disturbed assailants rampage, every corporation needs the tools provided by a protective intelligence program.

 COPYRIGHT:  STRATFOR.COM