On Threat Information Sharing within the Protection Community
In the protection industry, the topic of threat information sharing has not entered many of our industry dialogues, which is overdue. Although information sharing is no easy task for our organizations, we cannot ignore the fact many potential threat actors we investigate may target multiple public figures over time. Therefore, it makes sense to consider sharing our investigative insights with the broader community, which will likely encounter this same potential threat actor – giving our colleagues broader visibility of threats, saving them investigative resources, and potentially saving lives.
Richard Pittenger, an experienced intelligence analyst with the New Jersey State Police, who has been supporting protective operations for more than 13 years, contributed the following article. Ontic agrees with Mr. Pittenger that threat information sharing has great potential to improve the community, and that idea influences the way we design our products.
As increasingly violent political rhetoric, death threats, ricin/anthrax/powder letters, and explosive devices become the new normal, the need for interagency sharing of protective intelligence – the collection, analysis, and dissemination of potential threats to protectees – has become more significant. The protection community has countless stories of threats to a protectee that were not shared with everyone who needed to know. Those reports of continued stovepiping are anecdotal, but the threat intelligence gaps are real, highlighting a problem with the information-sharing environment across all sectors – federal, state, local, and corporate agencies of the protection community.
Some agencies within the protection community, both public and private, are better at sharing resources to investigate a threat to their protectee than others, but few are inclined to rapidly broadcast the original threat within the broader protection community. In fact, some agencies are reluctant to acknowledge a threat even after media reporting of the suspect’s conviction. This seems counter-intuitive based on the number of threat actors who threaten multiple protectees.
The best indicator of an impending attack is suspicious behavior toward the target, rather than threatening communications. However, subjects are more likely to conduct problematic approaches if they send multiple inappropriate communications to their target; use multiple methods (calls, emails, letters, etc.) to communicate; or have multiple contacts with other public figures. Risk assessment research has found limited relationships between aggressive language and approach behavior [Reference 1].
Cesar Altieri Sayoc Jr. (age 56) and William Clyde Allen III (age 39), are two recent examples of malicious actors targeting multiple protectees.
In October 2018, the FBI arrested Sayoc in Florida for mailing at least 15 potentially explosive packages to numerous protectees, including current and former politicians as well as government and business executives. None of the devices detonated and no addressees actually received packages because mail screening intercepted most packages.
Further investigation revealed Sayoc had a history of telephonic and social media threats. He also had a list of more than 100 potential package recipients [Reference 2].
Also in October, the FBI arrested Allen in Utah for mailing envelopes with a granular substance to POTUS, the US Secretary of Defense, the Chief of Naval Operations, the Air Force Secretary, the FBI Director, and the CIA Director. The substance initially tested positive for ricin. Allen subsequently admitted mailing the envelopes, claiming he also sent letters to the US Attorney General, Queen Elizabeth II, and Russian President Vladimir Putin.
Allen’s criminal activity included a threat to kill then-POTUS Barack Obama in 2015. The FBI Weapons of Mass Destruction Directorate subsequently disseminated an alert to raise awareness regarding the ricin-threat letters, noting the possibility of additional letters in circulation, but it is not clear everyone in the protection community received the alert.
Considering the threat was specific to high-profile protectees, the community needs to foster more immediate internal communication of such threats.
History has numerous examples of problematic approachers who transferred their focus from one protectee to another. Some subjects base their target selection on accessibility. For them, the act, rather than the target, is what matters.
1988: David Russell, who got within 40-feet of VPOTUS George H.W. Bush with a gun, previously stalked Kentucky Governor Martha Layne Collins and then-US Senator Al Gore (TN) with a knife [Reference 3].
1981: John Hinckley Jr., who shot then-POTUS Ronald Reagan, previously stalked then-POTUS Jimmy Carter at a political rally [Reference 4].
1972: Arthur Bremer, who shot Alabama Governor and presidential candidate George Wallace at a rally, previously stalked then-POTUS Richard Nixon [Reference 5].
1969: Chet Young, who shot William Lennon, father of the Lennon Sisters, after stalking his daughters for seven years, had previously been arrested by the US Secret Service for threatening to kill then-POTUS Lyndon Johnson [Reference 6].
These examples of malicious actors targeting multiple protectees or transferring their focus should prompt the protection community to proactively expand the interagency threat information sharing among local, state, federal, and corporate agencies.
Consider that an extremist who threatens a corporation’s C-Suite is likely to threaten other C-Suites involved in similar activity and the relevant federal agency’s leadership. The initial and any subsequent threats to protectees should be – but frequently are not – shared with the protection community to increase situational awareness among the relevant protection details.
Increased threat information sharing will also fill numerous intelligence gaps, leading to more informed behavior-based assessments of the threats to protectees. This will support the details’ immediate needs, promote situational awareness, and help prevent targeted violence. Protective intelligence analysts cannot conduct a truly objective, behavior-based threat assessment, if they are not aware of potential threats.
Information sharing can also improve surveillance detection by sharing and comparing any observed patterns or anomalies. Without interagency threat information sharing, it is difficult to know when the same malicious actor or vehicle has been encountered surveilling different protectees or sites. Surveillance detection is far less effective without databasing, sharing, and analyzing observation reports over time [Reference 7].
Additionally, threat information sharing can reduce inefficiencies, redundancies, and intelligence gaps resulting from protection agencies assessing and investigating threats independently rather than collaboratively. No single agency, regardless of size, capability, or dedication of its personnel, can resolve the protection community’s multi-protectee threats on its own. However, collaborative information sharing will positively affect the protection community, providing a foundation for long-term planning with a comprehensive common operating picture of relevant threats and incidents [Reference 8].
Certainly, there are potential obstacles. For interagency threat information sharing to succeed, the agencies involved must perceive it as appropriate and beneficial. Protectees and agencies require privacy, and no one wants to compromise a protective investigation. Protection leaders must overcome such institutional hurdles and commit their entities to collaborative ventures.
For some agencies, both public and private, interagency information sharing will require a cultural shift, which can be challenging. Agencies with different ways of doing things have different perspectives and different areas of expertise, but collaboration can be beneficial if done effectively. It can produce greater efficiency, improve the quality and quantity of information, and minimize damage from reduced funding [Reference 9].
No one within the protection community wants to breach a protectee’s confidentiality by divulging personal information or potentially embarrassing them, but it is important to learn from the last unwanted outcome and to thwart the next one before it happens. Who has not watched videos of unfortunate protectee incidents to learn from them?
Protective Intelligence Exchange
Following the 1998 shooting of two US Capitol Police officers by a subject known to other law enforcement agencies, the USSS created the Protective Intelligence Exchange (PIX) to facilitate information sharing among law enforcement agencies with protective responsibilities. PIX is a pointer database of names and identifiers of subjects who pose a potential threat to a protectee. PIX users can conduct name checks to determine whether a subject of protective interest is known to another agency. When a match occurs, PIX provides contact information for the investigating agency, which can provide additional information. For more information, including law enforcement access, contact email@example.com.
To help fill the threat intelligence gap, the New Jersey State Police’s Regional Operations & Intelligence Center (ROIC), the State’s multi-agency fusion center, produces Protection Issues, a monthly report of threats to protectees, incidents, court rulings, relevant training, and other operational topics, predominantly based on open sources. Recipients include federal, state, local, and corporate members of the executive protection community, as well as members of the capitol security, judicial security, diplomatic security, and threat assessment communities.
Protection Issues, which focuses on threats to high profile government and corporate protectees, has received favorable reviews, but by no means is it the only solution. The information compiled is not comprehensive – it rarely reports threats to celebrities and others without details – but it is one step toward protection community information sharing.
In addition, the ROIC has produced stand-alone reports regarding larger protection concerns. In 2016, “Inspire Threats to US Executives” described al-Qaeda in the Arabian Peninsula’s efforts to promote the assassination of high profile American financial figures, business executives, and entrepreneurs, noting that such attacks (however unlikely) would likely be vulnerable to detection during the planning stages of the attack cycle. The report encourages public and private sector personnel to integrate their protection operations by leveraging their fusion center liaison officers, increasing their suspicious activity reporting, and taking proactive steps to reduce their protectees’ personally identifiable information available online.
The monthly and ad hoc reports, which are for official use only (FOUO), are available to anyone within the protection community. Subscribers also receive reports by other agencies with information relevant to the protection community as warranted. To subscribe, email your name and agency/company information, along with a brief description of your role in the protection community to ROICProtectiveIntel@gw.njsp.org.
State Fusion Centers
The protection community should also take advantage of their state fusion centers, an initiative borne out of the September 11th attacks. Every state has a multi-agency fusion center, where law enforcement, homeland security, emergency management, and private sector security collaborate on threat, crime, and hazard intelligence. Fusion centers are focal points for the collection, analysis, and dissemination of threat-related information, such as suspicious activity reports and federal intelligence. This enables federal, state, local, and private sector partners to better protect their communities from emerging and evolving threats [Reference 10].
Readers may recall that the counterterrorism community heard similar calls for increased threat information sharing more than a decade ago. The Final Report of the National Commission on Terrorist Attacks Upon the United States, also known as the 9/11 Commission Report, has numerous references to the lack of information sharing, noting that the government has access to a vast amount of information, but it has a weak system for processing and using it. Information sharing is a common phrase in the report, especially in the recommendations, highlighting that “need to know” should be replaced by “need to share.”
No agency can solve all its threats on its own. Since problematic approachers often target multiple protectees, coming to the attention of multiple protection details, threat information sharing is incredibly important to the protection community and should be part of its best practices. As the protection community navigates the new normal of more volatile threats, PIX, Protection Issues, fusion centers, and future threat intelligence initiatives must fill the threat intelligence gaps with improved information sharing. Proactive interagency threat information sharing opens the lines of communication, allowing for better, more accurate threat assessments and trend analyses. This will provide decision-makers at all levels of the protection community with better situational awareness and a common understanding of the operating environment. Once informed, decision-makers can affect their environment through improved strategic, operational, and tactical initiatives.
About the Author
Richard Pittenger, a New Jersey State Police intelligence analyst at the ROIC, has been supporting executive protection for more than 13 years. Before joining the State Police, he had investigative assignments in the United States and overseas. Readers can contact Rich, a member of the Association of Threat Assessment Professionals, via ROICProtectiveIntel@gw.njsp.org.
(1) USSS Anti-Terrorism Conference, Hamilton, NJ, 7/18/17; National Academy of Sciences, “Approaching and Attacking Public Figures: A Contemporary Analysis of Communications and Behavior,” J. Reid Meloy, 2011; Criminal Justice and Behavior, V38, No, 11, “Problematic Approach of Legislators,” A. Marquez & M. Scalora, 2011; American Psychological Association, Journal of Threat Assessment and Management, Vol. 1, No. 3, 188 – 202, “Threats, Approach Behavior, and Violent Recidivism Among Offenders Who Harass Canadian Justice Officials,” A. Eke, R. Meloy, et al, 2014; Behavioral Sciences and the Law, “Written content indicators of problematic approach behavior toward political officials,” 284 – 301, K. Schoeneman, et. al, 2011.
(2) New York Post, “Explosive device found in mailbox of George Soros’ home,” 10/22/18, “Bombs sent to Obama, Clinton; explosives scare at CNN,” 10/24/18, and “Suspicious package sent to Robert De Niro’s NYC restaurant,” 10/25/18; New York Times, “Hillary Clinton, Barack Obama and CNN Offices Are Sent Pipe Bombs,” 10/24/18, “Investigation Into Pipe Bombs Turns Toward Florida as More Trump Critics Are Targeted,” 10/25/18; Miami Herald, “Suspicious package at U.S. Rep. Debbie Wasserman Schultz’s office taken by bomb squad,” 10/24/18; Twitter, @stick631, 10/24/18; NBC News, “Explosive device sent to CNN featured parody ISIS flag, 'Get 'Er Done' inscription,” 10/24/18; NBC New York, “Some Suspected Mail Bombs Were Not Capable of Exploding, Others Yet to Be Analyzed, Officials Say,” 10/25/18 and “Pipe Bomb Suspect Waives Extradition, Had Long List of Potential Targets: Source,” 10/29/18; New York Times, “Outspoken Trump Supporter in Florida Charged in Attempted Bombing Spree,” and “Living in a Van Plastered With Hate, Bombing Suspect Was Filled With Right-Wing Rage,” 10/26/18; CNN, “Pipe bomb suspect Cesar Sayoc due in court,” 10/29/18; Wired, “Mail Bomb Suspect Cesar Sayoc Used Twitter to Threaten Targets,” 10/26/18; PA Homepage, “Spokesman: Texas Rep. O'Rourke got threats from bomb suspect,” 10/31/18.
(3) Regnery Publishing, “Hunting the President,” M. Ayton, 2014
(4) Gavin de Becker Center for the Study and Reduction of Violence, “Just 2 Seconds,” G. de Becker, T. Taylor, J. Marquart, 2008
(5) Gavin de Becker Center for the Study and Reduction of Violence, “Just 2 Seconds,” G. de Becker, T. Taylor, J. Marquart, 2008
(6) Gavin de Becker Center for the Study and Reduction of Violence, “Just 2 Seconds,” G. de Becker, T. Taylor, J. Marquart, 2008
(7) Stratfor, Security Weekly, “Savopoulos: A Case Study in Protective Intelligence,” 6/4/15
(8) NJ State Police, “Practical Guide to Intelligence-led Policing,” September 2006
(9) PowerDMS, “Interagency Collaboration in Law Enforcement,” 12/7/17
(10) DHS, “National Network of Fusion Centers Fact Sheet,” 8/14/18
About Protective Intelligence
Protective Intelligence is our medium for understanding not only threat matrix and risk level, but also trends, problems, solutions, as well as ideas to support the mission of protective security professionals. The speed by which we can send and receive information, and the amount of information we need to evaluate, has eliminated problems in some areas and exponentially compounded problems in others. Our team seeks to address issues stemming from these problem areas, offering next-level analyses and proven solutions with an eye toward the future.
Who We Are
Our content contributors come from organizations involved in protective intelligence research, corporate executive protection, threat assessment investigations, and related security intelligence fields. This project, ProtectiveIntelligence.com, is sponsored by the founding members of Ontic Technologies. Like our readers, our team has a deep understanding of the daily requirements of protective intelligence initiatives, and as such, we intend to make the process more dynamic and efficient so as an industry, we can all achieve our shared objectives.