Bracing for Jihadists from a CSO's perspective

Sept. 18, 2014
An examination of ISIS and how to mitigate the threats posed by the terror group

In an address to the nation last week, President Barack Obama outlined a strategy for degrading and destroying the Islamic State of Iraq and Syria (ISIS), also known as the Islamic State of Iraq and the Levant (ISIL).

In the address, the president noted the possibility of an emerging threat to United States citizens and businesses here at home and overseas. “While we have not yet detected specific plotting against our homeland, ISIS leaders have threatened America and our allies,” he said.

Many observers agree. Stephen Hadley, former national security advisor to President George W. Bush, recently said in an interview with MSNBC: "I think they (ISIS) are very dangerous to the homeland. I think what people are saying is we do not see a specific threat scenario that poses a risk to the homeland today. But this crowd is a serious crowd. For the moment their agenda is mostly regional, but they do threaten our friends and allies and our interests in the region."

Secretary of Defense Chuck Hagel has stated that the U.S. is at war with ISIS and the fight "will not be an easy or brief effort."

It would be a misjudgment for anyone to take ISIS as a standard threat. The emergence of ISIS has created an extremely serious global increase in the terrorist threat level.

In July, an online ISIS post threatened to attack every American embassy with car bombs if the U.S. bombed Iraq. The threat caused all 294 U.S. diplomatic facilities around the world to go to high alert.

Who Is ISIS?

ISIS began life as an Al Qaeda spin off called Al Qaeda in Iraq (AQI). Led by Abu Musab al-Zarqawi, the group attracted non-Iraqi Sunni Muslims and attacked Shia Muslims. AQI was so publicly vicious that Al Qaeda leaders ordered Al Qaeda in Iraq to tone it down. AQI paid no attention.

In 2006, Zarqawi began to behead those they deemed criminals and demanded that Sunni AQI followers follow the strict dictates of sharia law. He died in a U.S. bombing attack in June of 2006. He was replaced by AQI’s current leader, Abu Bakr al-Baghdadi.

Between 2006 and 2011, when U.S. forces left Iraq, AQI’s foreign fighters were joined by many Iraqi Sunnis, and Baghdadi changed the name of the group from AQI to the Islamic State of Iraq or ISI.

ISI waged a violent campaign against Shia Muslims and attracted new fighters — Sunni soldiers in Saddam Hussein’s former army.

With rebellion raging in Syria to the northwest, Baghdadi began to attack Syrian Shia. Syrian President Bashar Assad and many government and military officials are Shia, while the rebels are generally Sunni. Again, Baghdadi changed the name of the group — to the Islamic State of Iraq and Syria or ISIS.

Success on the battlefield has continued to attract new recruits, including many foreigners. Estimates today count over 30,000 ISIS fighters. Of that number, about 12,000 are foreigners, including about 3,000 westerners and perhaps as many as 100 Americans.

ISIS also works at radicalizing and recruiting by using social networks like Twitter and Facebook. Impressionable young people are at risk from this recruiting tactic.

Another characteristic that sets ISIS apart is the desire to create a nation. No other group has expressed an idea like that, but ISIS calls itself an Islamic State. Nation states can declare war on other states and take the fight to them — openly or secretly. This significantly increases the seriousness of the threat posed by ISIS.

Westerners that belong to ISIS worry U.S. government officials. They should worry executives of multinational companies. When the fighting ends in Iraq and Syria, or perhaps even before it ends, any number of westerners may pack up and use their passports to go back home.

When they arrive, how will officials know what side they are on? They could be completely innocent or want to plan a terrorist attack. Governments must develop a system that will enable them to evaluate citizens returning after stays in Syria, Iraq and other Middle East nations.

Then again, some ISIS members may already be here as sleeper agents waiting to be awakened. There is evidence that illegal border crossings have taken place in the Southwest as discarded prayer paraphernalia has been found in the desert near the border with Mexico. They could fit in and stay in the background for extended periods. They will doubtless be very difficult to find.

What Kinds Of Threats Does ISIS Pose?

Potential threats cover a wide range. Some targets aren’t realistic for certain terrorist groups, but ISIS takes a broader view than other groups. They consider virtually any target as reasonable — the more targets and the faster they can get to them, the better. ISIS strategy in Syria and Iraq has emphasized numbers of targets and speed.

As terrorists, they will likely want to push the violence to the highest possible level. From our rational western point-of-view, we find this hard to accept. But ISIL handlers are persuasive people. They will tempt their followers with misguided visions of martyrdom for killing heretics. Some will give in to the temptation.

Martyrs will wear bombs just as they have for years. They will park cars laden with bombs on busy streets. And they may go far beyond the kinds of attacks with which we are familiar.

Not long ago, for instance, a survey of the contents of a laptop computer recovered from an ISIS hideout discovered instructions for building conventional bombs as well as biological weapons, such as weaponized bubonic plague. The author had studied chemistry and physics at the university level. In the instructions, he noted that biological weapons are cheap to build but can cause huge numbers of casualties.

In addition to instructions for making bombs and other weapons, the laptop also contained a fatwa, an official ruling, that allowed and even urged the use of weapons of mass destruction. The key point read, “… it is permissible to use weapons of mass destruction, even if it kills all of them and wipes them and their descendants off the face of the Earth.”

How To Fight ISIS

Overall, ISIS threats have arisen so quickly that government and businesses must take some steps immediately to protect citizens, public interests and private business interests.

Corporations must be aware of insider threats, such as radicalized employees, working with ISIS handlers or alone to carry out some kind of organized electronic or physical assault.

Government agencies and businesses should consider mounting a multi-fold response planned by a committee composed of senior leaders and staffs who are capable of identifying all possible threats. The chief security officer, for instance, may not be current about the threats that may arise from supply chain partners. Purchasing executives may be better equipped to consider those questions. Organizations should draw committee members from a wide group of stakeholders.

As a first step, the committee should undertake a quick threat assessment: To what countries are you and your employees traveling? Where are your domestic and overseas facilities? Where are your supply chain partners located? Check the countries where you do business on the Travel Warnings page hosted by the U.S. Department of State and make travel plans accordingly.

Are your facilities located in countries covered by State Department travel warnings? Give some thought to protecting the people and facilities in countries considered dangerous. Ask tough questions: Is it really necessary to maintain a facility in this country?

Review advisories that you issue to employees traveling to dangerous parts of the globe. Are you providing them with all the information they need in light of current State Department  or other warnings?

Today’s advisories should also include cyber warnings. Secure cyber procedures are increasingly important at home as well as overseas.

A quick review should come first because it is important for organizations at risk to take some preliminary steps to avoid being blindsided. But there is more to do. Next comes a comprehensive review of your people, facilities, policies and programs.

Are your current policies and programs focused on current problems? What needs to be changed and added?  Are organizational security policies effectively being employed by all?

The comprehensive review should also include an updated security assessment of all facilities and policies.

Safety and security today cannot be compartmentalized. No matter how good your policies and security programs, all employees and suppliers must participate. Everyone must understand and adhere to the DHS’ request: when you see something, say something.

Companies must sensitize employees to this new role at orientation and during regular refresher training sessions that provide new information and go over existing policies.

Tools To Help You

The marketplace today offers many tools that can help you prepare your people and facilities to deal with insider threats, security for traveling executives, and cyber and physical security threats.

Consultants, today, can help to ferret out insider threats using cognitive and psychological behavior models. Basically, these models can help to identify individuals, who, for whatever reason, have begun to look at the world differently and are turning to crime, perhaps violent crime, terrorism or some other unstable behavior.

Behavior modeling techniques may have been able to identify an insider threat such as Nidal Malik Hasan, the Army psychiatrist convicted of the 2009 Ft. Hood shooting, before an event erupts.

You can also get help from specialists in executive protection. Of course, if you believe your executives need to travel with armed protection, you should first consider whether such trips are really necessary. Is the return on investment worth the risk and cost? If they are, then retain an experienced professional. This is a job for a trained, experienced specialist.

Better cyber security has grown increasingly important as more and more companies come under attack by domestic and foreign cyber criminals and terrorists.

Cyber threats can arise 24 hours a day and are difficult to detect. Threats include the privacy of customers, denial of service attacks, phishing, the integrity of intellectual property. 

One or many actors can mount cyber attacks. As a security professional dealing with threats, you always have to consider who else might be involved? Who might be flying under the radar?

Along those lines, while it is always important to focus on a current threat, you cannot forget that there are other threats. The Muslim Brotherhood and Al Qaeda have not gone away nor have the drug cartels. ISIS is the most prominent threat but not the only threat.

Physical security technology and other security technologies continue to improve and can be essential to mitigating the threat, but these tools are not a panacea. A risk-managed approach is key to being successful, giving due consideration for return on investment.

In the end, security is no longer a trade. It is a profession that spans physical security technology, cyber technology, psychology and national and international conflicts. Today, the ISIS threat is pushing our profession to yet another level.

About the Authors: As the director of security programs for Global Skills X-change (GSX), co-author Daniel McGarvey consults for government and industry. He is a member of ASIS International and chair of the CSO Leadership Development Committee, Vice-chair of the Defense & Intelligence Council and team lead for analytical development in the Insider Threat Working Group. He is the retired director, Information Protection, Office of the Administrative Assistant to the Secretary of the U.S. Air Force.

Co-author James Shamess, CPP, is president of 5D Pro Solutions LLC, a consulting and services firm focused on developing programs to protect infrastructure, information, operations and people. He is also a member and Security Team Leader for The Spectrum Group which consults with U.S. and foreign companies. A member of ASIS International, he chairs the International Defense and Intelligence Council. Prior to founding 5D, he served as a Brigadier General in the U.S. Air Force as director of Security Forces.

Editor’s Note: For more information on dealing with the threats posed by ISIS and other terror groups, check out the following courses being offered at ASIS 2014 in Atlanta at the end of the month.

The ISIS threat makes this year’s ASIS seminar in Atlanta (Sept. 29 to  Oct. 2) a must this year. We all have weaknesses, and the ASIS seminar can help you address them. If you like, come early and take two new ASIS courses designed to help security directors develop plans to deal with threats such as ISIS. Here’s a brief description of each:

Critical Thinking Skills for Security Solutions
Saturday, September 27-Sunday, September 28

How can security professionals best assess ambiguous situations and solve difficult problems? What thinking techniques help minimize cognitive biases and encourage new insights? How do they think critically about current and future challenges?

Each day security professionals confront real-world threats and dilemmas, often reacting instinctively to uncertainty and conflicting information rather than approaching problems critically and analytically. Structured analytic techniques help professionals frame projects, avoid analytic traps, stimulate creative alternatives, and make arguments more compelling. Understanding and applying basic critical thinking skills and structured analytic methods generate better security solutions, save time over the long run, and build collaborative teams.

This two-day workshop provides practical guidance in applying key critical thinking techniques to security problems ranging from sensitive facilities to insider threats. Learn and practice analytic strategies that improve rigor, avoid mental traps, and communicate clearly with others. Hands-on exercises and case studies teach you how to use logic, analysis, synthesis, creativity, judgment, and systematic approaches to gather, evaluate, and challenge information to effectively form decisions and outcomes. (Register Now $595 member | $695 nonmember | 11 CPEs)

Developing and Implementing an Insider Threat Program
Saturday, September 27–Sunday, September 28

An insider threat arises when anyone with authorized access to the information or assets an organization values most uses that access—either intentionally or unintentionally—to inflict harm to the organization or damage national security. Failing to identify and mitigate the threat can have devastating consequences for your organization’s assets and increase vulnerability to terrorist activity or economic espionage.

This comprehensive program is designed to develop the critical components of an Insider Threat Program using modern analytic techniques and measures. Using a security Return on Investment (ROI) approach, learn how to evolve your current security program into a converged management structure that will identify and deter individuals posing both violent and non-violent threats. Learn the skills and procedures required to identify social-psychological factors critical to shaping a comprehensive insider threat program. Real case studies are used to explain how counterproductive work behavior can reveal early signs of a potential insider threat. The program will examine potential risk indicators and how organizations can best be structured to detect and deter the insider threat.

Working in partnership with GSX and Pherson Associates, ASIS has created these Certificate Courses to address potential workforce competency needs for future security management. Certificate courses follow the rigors of higher education and provide evidence of attainment through assessment or testing. (Register Now? $595 member | $695 nonmember | 11 CPEs)