UAE 5. China - Understanding Personal Security and Risk

6. United Kingdom 7. Brazil

8. Australia 9. Singapore 10. South Africa 11. Canada

While you should always be vigilant with regard to your personal information, travel presents a unique and higher risk than when you are

at home. The steps previously outlined in this chapter regarding personal cybersecurity measures while traveling should provide a good measure of protection to your PII. If you are being targeted for identity theft, there will be indicators such as unexplained charges or withdrawals from your bank or credit card accounts (this occurred to me about 10 years ago, in New York City) or a deluge of e-mails or calls soliciting you to make a purchase, you do not get your bills or other mail, merchants refuse your checks, debt collectors call you about debts that are not yours, you find unfamiliar accounts or charges on your credit report, medical providers bill you for services that you did not use, your health plan rejects your legitimate medical claim because the records show you have reached your benefits limit, the Internal Revenue Service notifies you that more than one tax return was filed in your name or that you have income from an employer you do not work for, you get notice that your information was compromised by a data breach at a company where you do business or have an account, or you are arrested for a crime that someone else allegedly committed in your name. You need to act fast—make it a pri- ority. The following are the steps that you should take:

1. Cancel your credit/debit cards. With ATM cards, if you report the loss before someone uses your ATM/debit card, you have zero liability, but your liability increases in other instances.

With credit cards, if you report the loss before your card is used fraudulently, you are not liable; if not, your liability is limited to

$50.

2. Contact the major credit bureaus and initiate a fraud alert. An initial fraud alert is good for 90 days and extendable up to seven years. If someone else tries to set up a new account or take out a loan in your name, you will receive a phone call to confirm that it is you. Advise the credit bureaus that you want a copy of your credit report. Also, solicit additional information or advice that they can give you (Equifax: 1-800-685-1111, http://www .equifax .com; Trans Union: 1-800-916-8800, http://www .transunion .com;

Experian: 1-888-397-3742, http://www.experian.com).

3. If your social security card was in your wallet (and now you know why it never should have been in the first place), call your local social security administration office and explain what happened. They will replace the card for free, but you will have to fill out Form SS-5 and present documentation (Danisewicz, 2013).

4. Contact your bank and other financial/investment institutions.

They should offer to change your accounts, if necessary.

5. Subscribe to a credit monitoring service that monitors your credit and immediately reports significant changes in same, that is, large purchases, unauthorized purchases.

A stolen identity can be a cloak of anonymity for criminals and terrorists and a danger to national security and private citizens alike (Federal Bureau of Investigation, 2016). Identity thieves can use your personal information to open bank accounts or obtain credit cards in your name. Consider taking steps to protect yourself against future identity theft. Visit the Federal Trade Commission’s identity theft center, an excellent site to help you deter, detect, and defend against identity theft.

Collect and save paperwork related to your loss. If an arrest and a con- viction are obtained in the United States, the judge will consider requir- ing the offender to pay you restitution. You may be asked to provide verification of the amount of money that you lost.

REFERENCES

Danisewicz, C., “Travel assistance 101: What to do if your wallet is lost or stolen while traveling,” On Call International, accessed March 12, 2016, http://www.oncallinternational.com/blog/travel-assistance -101-what-to-do-if-your-wallet-is-lost-or-stolen-while-traveling/

(August 2, 2013).

Higgins, K. J., “Korean-speaking cyberspies targeting corporate execs via hotel networks,” Information Week DARK Reading, accessed January 26, 2016, http://www.darkreading.com/vulnerabilities ---threats / advanced-threats/korean-speaking-cyberspies-targeting-corporate -execs-via-hotel-networks/d/d-id/1317361 (October 11, 2014).

Jevtic, A., “11 countries with the highest rate of identity theft in the world,” Insider Monkey, accessed January 26, 2016, http://www .insidermonkey.com/blog/11-countries-with-the-highest-rates-of -identity-theft-in-the-world-351940/ (June 6, 2015).

National Security Agency, “Identity theft and mitigations,” NSA Fact Sheet, https://www.nsa.gov/ia/_files/factsheets/FactSheet_IdentityTheft ThreatAndMitigations_Unclassified.pdf (May, 2014).

Federal Bureau of Investigation, “Identity theft,” The FBI, accessed March 12, 2016, https://www.fbi.gov/about-us/investigate/cyber / identity_theft (March, 2016).

The Week, “Beware China’s ‘honeytrap’ spies,” The Week, accessed March 20, 2016, http://theweek.com/articles/487543/beware-chinas -honeytrap-spies (February 3, 2011).

U.S. Department of Justice, Victims of Identity Theft, Erika Harrell, PhD.

and Lynn Langton, PhD., BJS Statisticians, December 2013, NCJ 243779 (2012).

ENDNOTES 1. Alternatively called the Tapaoux group.

2. Malware is shorthand for malevolent software, and, indeed, that is exactly what it is. It is a broad term that encompasses various forms of hacker exploits such as viruses, worms, Trojan horses, keystroke loggers, rootkits, botnets, and spyware, for example.

3. Botnets are networks made up of remote-controlled computers or bots. These computers have been infected with malware that allows them to be remotely controlled. Some botnets consist of hundreds of thousands—or even millions—of computers. According to a report from Russian-based Kaspersky Labs, botnets—not spam, viruses, or worms—currently pose the biggest threat to the Internet. A report from Symantec came to a similar conclusion.

4. A DDoS attack can be used for several purposes. It can be used for extortion, to shut down a website or an individual’s operation or to continue a business, or for cover for a different more malicious attack—its use in this regard is to distract or delay actions by the target.

169

C h a p t e r 8

Shopping Malls, Sports Stadiums, Theaters, etc.

Soft Targets

INTRODUCTION

You might be browsing the fruit stand at a local market, having a morning cappuccino at a sidewalk café or the hotel restaurant, sunning yourself on a crowded beach or cheering on the local football team in a crowded stadium, or perhaps you have just dropped off your family at the airport, waving goodbye as they move toward the crowded morning check-in counter. Odds are, in ever-increasing frequency, you are innocently plac- ing yourself or your family in the crosshairs of a terrorist attack.

In the five months since the November 15, 2015 Paris, France terrorist attacks that left 498 innocent civilians lying dead or wounded, there have been an estimated 34 or more terrorist incidents worldwide, resulting in 1800 or more casualties, specifically aimed at soft targets (Wikipedia, 2016).¹ A soft target is a location where people congregate in large numbers such as restaurants and cafes, hotels, resorts, theatres or sports stadiums, or the departure area of an airport. It is an area where there is no expectation by the public of a strong security presence.

These kinds of attacks are likely to only increase. ISIS is expanding its reach into the West. While most of the soft target attacks still occur in developing countries in Africa and the Middle East, these operations serve to sharpen the tactical skills and strategies of terrorist planners. As we have seen, sooner or later, these attacks spill outside of the conflict zones in Syria, Libya, Iraq, and Nigeria and with deadly effectiveness explode onto the streets of European cities. Left unchecked, the United States will likely be next.

This threat is very real and growing. In January 2016, Rob Wainwright, the head of Europol, the Hague-based organization that coordinates European Union policing efforts over terrorism and organized crime,

said ISIS had “developed a new combat-style capability to carry out a campaign of large-scale terrorist attacks on a global stage, with a particular focus in Europe” (Willsher and Walker, 2016). Barely two months later, Wainwright’s prediction tragically came true in the twin assaults on the Brussels airport and metro. The armed assault tactics frequently used by Al Shabab to devastating effectiveness on hotels, restaurants, and shopping malls in East Africa are firmly ensconced in the modern Islamic terror tactical playbook. In recent times, these armed assault-style tactics were employed by the terrorist group Lashkar-e- Taiba in the Mumbai, India, attacks on several hotel venues in 2008.

More recently, Al Shabab was responsible for the bloody 2012 attack on the Westgate Mall in Kenya and has since honed the tactic on hotels and restaurants in Mogadishu, Somalia. Islamic extremist terrorists, although only loosely affiliated in separate groups around the world, do pay attention to each other’s successes and replicate what works.

Increasingly, it appears that terrorists’ level of planning for attacks are high, including dry runs before the actual attack. Weapons, ammuni- tion, and explosives can be cached near the target for easy access in advance; there is demonstrated operation and communications security and—ominously—little to no interest in negotiation or keeping live hos- tages. The ISIS cell active in France and Belgium has shown a sophisti- cated level of tactical planning, with the logistics needed to obtain the explosives and the weaponry to execute the attack, and an ability for those who survive to recoup and continue planning further attacks.

Increasingly as soft target venues in large cities are hit, the ability of the police and the military to provide adequate security becomes taxed beyond their capabilities. It is one thing to provide security for iconic, high-profile targets. Maintaining a high level of security visibility on the street can only be sustained for so long. When your enemy shifts to places where people dine, find entertainment, or stay, the list of poten- tial targets becomes endless. The attacks in France and Belgium were both successfully executed despite unprecedented levels of alert by the authorities. It would seem that the security theatre on consisting display of heavily armed police and military throughout a city is no longer a deterrent for terrorists, and that alone is a chilling prospect. It is a false sense of security, at best. When it comes to soft targets, personal security is ultimately your first and last line of defense.

PREPARATION

There are only two specific elements of preparation that you need to pay attention to before going to a soft target location. First is timing. Second is location and layout. With regard to timing—when you plan to go to

the mall or the theatre or an event—keep in mind that there are distinct patterns involved with a terrorist team’s selection of specific soft targets.

One key element is that of timing. Terrorists want to achieve maximum publicity for actions. The denser the crowd, the higher the body count.

They will choose the national holiday, the big event, the peak season.

If you have some control over timing, you can build in an element of security deterrence by choosing time periods for shopping, travel, din- ing, sunbathing, etc., that are off peak or are before/after the morning and evening rush hours. The Westgate Mall attack commenced around lunchtime on a Saturday, when the mall was filled with shoppers. The Brussels airport attack commenced in the morning at the departure area ticket counter when it was certain to be crowded with travelers check- ing in for their flights. The Sousse beach resort attack in Tunis in 2015 occurred in peak tourist season, at noon when the beach was packed with sunbathers on their annual European holiday. To the extent possible, try to mitigate your risks by selecting off-peak season or rush hour travel and activity at the venue to which you are going. Think about avoiding crowded, packed places at Christmas, New Year’s, Ramadan or Eid Al-Fitr, Passover, or Thanksgiving.

Secondly, look specifically at the location and the layout of your destination. The terrorist planning team did precisely the same thing, and you should too. They were planning an attack—you will be planning your escape. Try to obtain the layout of the venue so that you know where the exits are that can be used for an escape and the chokepoints you should avoid. In malls, make note of where the larger department stores are located as they have secondary exits or loading dock areas in back of house. At many resort hotels, the design is low-rise horizontal structures, which offer many access points in and out of the building. Resorts are often open campuses with minimal barriers and multiple access and egress points spread over acres of property, often near expanses of beach, water, jungle, mountainous terrain, and varied geological features. If you are not able study the layout of the venue before you depart, try to find a mall map or a map of the location once you get there and spend some time getting yourself clearly oriented with the exits, the major shopping stores, or the major landmarks within the campus or the venue. In particular, take note of elevator or escalator locations. Mark these areas and—very important—identify alternative ways around them, such as an emergency stairwell. As you proceed through the location when things are normal, always keep an eye out for alternate exits, public phones, WiFi hot spots, restrooms, guard or police stations, information booths, or first aid centers and clinics that in a contingency would provide support. In a resort, knowing where the alternative exits are and where the natural cover is located can be extremely useful knowledge in an assault-style attack.

If you visit a site repeatedly, practice entering and exiting by the safest route, so that you train yourself to it. If you must flee, do not get sucked into fleeing the way you came in just because it is the way you came in or get sucked in the direction that the crowd is moving. Comply with your prior evaluation of the safest exit in the preparation phase, unless a threat gets in the way.

DETECTION

One theme that is consistent throughout after-action reports of terrorist incidents is the survivor’s admission that “something was not right (about the shooter, or the situation), but I dismissed it.” Our instincts are that small voice that whispers in our ear that there is something odd or off about the situation. As mentioned earlier, watch for the absence of familiar and the presence of strangeness. That feeling, more often than not, is momentary and fleeting. However, you should learn to trust your instincts and follow through on them. Things that you should watch for include the following:

• Odd demeanor: Terrorists and criminals are typically not bal- anced human beings. They will often try to fit in in terms of how they are dressed and what they are carrying, but if you are paying attention—something does not fit or add up. At the Sousse beach attack, in Tunisia, the attacker was dressed for the beach, but his Kalishnikov rifle was hidden by a large beach umbrella he was awkwardly carrying. In a crowd of happy tourists on holiday, look for that one who is dressed like a tourist but whose demeanor is decidedly not happy but grim or detached. If he or she is a suicide bomber, they might try to look and act natural, but deep down it is very difficult to contain their anxiety or euphoria. According to a former Israeli intelligence officer, Major Avi Nardia, “You can see it in their face.” That small observation says a lot. An individual about to commit a suicide bombing may display nervousness, profuse sweating, constant scanning for fear of being discovered, or the proverbial thousand-yard stare that one witnesses in soldiers who have been in combat and are still disconnected from utter horror of what they saw. In the suicide attacker’s case, he or she is trying to psychologically disconnect from what they are about to do or may be under the influence of a controlled sub- stance to numb his or her natural sensibilities. It is at this stage where you have the greatest ability to detect a possible attack (Wagner, 2016).

• Heavy, loose fitting apparel that does not make sense for the climate or the venue: It can be used to conceal a suicide vest or belt, or a weapon, or both.

• An unusually heavy backpack or bag.

• An unattended backpack or bag that someone sets down and walks away from: This happened with the Tsarnaev brothers at the Boston Marathon bombing in 2014, where both brothers set down backpacks concealing homemade bombs and walked away.

• A vehicle left parked and abandoned in a no-parking zone.

CONSIDERATIONS ABOUT THE THREAT

Before the twin attacks by al Qaeda on our US embassies in Nairobi, Kenya, and Dar Es Salaam, Tanzania, on August 7, 1998, the standard response protocol for a bomb threat was one designed with a very different adversary and set of tactics in mind. Bearing in mind threat actors of yesteryear that telephoned in bomb threats, presumably having smug- gled in a bomb that was ticking away in the bowels of a building or parking areas, diplomats diligently cleared their desks of working papers and tucked them away in their safes, queued up at the nearest stairwell, and calmly filed out of the building to a waiting area some small distance away from the embassy. All were very deliberate, and all were very time consuming. The terrorists who attacked our embassies then and continue to attack the West today are singularly unconcerned about providing a warning. They might (will not always) praise their deity in a battle cry before activating their suicide vest or pressing the button in the car or the truck. For some kinds of attacks, there is little to no time for a response once the threat is identified.

The point is that as the threat environment has changed, you need to adapt and change with it. Unfortunately, glacially paced change is in the nature of large corporations or governments. Ultimately, following those tragic attacks, new procedures were issued regarding bomb threats that took the tactics of suicide truck bombers into account. The real issue, however, is the fact that the nature of the threat was already well known, yet nothing had changed. It took the shock of a terrible attack to nudge the leviathan that is our bureaucracy toward a new strategy. That in itself is tragic, and bureaucratic intransigence is a major risk factor that should be taken into consideration.

It is important to pay attention to the threat actors and the kinds of tactics they use in this day and age to assess how you will respond to an event. This is especially critical given the kinds of risks we, as individu- als, must face today given the increasingly heavy emphasis by terrorists on soft target venues. Being prepared and alert can go a long way toward

Dalam dokumen Understanding Personal Security and Risk (Halaman 188-200)