Richard Pittenger is an experienced intelligence analyst with the New Jersey State Police. He has been supporting protective operations for more than 13 years and contributed the following article.

In the protection industry, threat information sharing has not entered many of our industry dialogues, and that discussion is overdue. Although information sharing is no easy task for our organizations, we cannot ignore the fact that many potential threat actors we investigate may target multiple public figures over time. Therefore, it makes sense to consider sharing our investigative insights with the broader community. Some targets will likely encounter the same potential threat actor, so sharing gives our colleagues broader visibility of threats, saves them investigative resources, and potentially saves lives.

As increasingly violent political rhetoric, death threats, ricin/anthrax/powder letters, and explosive devices become the new normal, the need for interagency sharing of protective intelligence – the collection, analysis, and dissemination of potential threats to protectees – has become more significant. The protection community has countless stories of threats to a protectee that were not shared with everyone who needed to know.

Those reports of continued stovepiping are anecdotal, but the threat intelligence gaps are real, highlighting a problem with the information-sharing environment across all sectors – federal, state, local, and corporate agencies of the protection community.

The Problem

Some agencies within the protection community, both public and private, are better at sharing threat intelligence resources to investigate a threat to their protectee than others, but few are inclined to rapidly broadcast the original threat within the broader protection community. In fact, some agencies are reluctant to acknowledge a threat even after media reporting of the suspect’s conviction. This seems counter-intuitive based on the number of threat actors who threaten multiple protectees.

The best indicator of an impending attack is suspicious behavior toward the target, rather than threatening communications. However, subjects are more likely to conduct problematic approaches if they send multiple inappropriate communications to their target; use multiple methods (calls, emails, letters, etc.) to communicate; or have multiple contacts with other public figures. Risk assessment research has found limited relationships between aggressive language and approach behavior [Reference: USSS Anti-Terrorism Conference].

Historical Examples

Cesar Altieri Sayoc Jr. (age 56) and William Clyde Allen III (age 39) are two recent examples of malicious actors targeting multiple protectees.

  • In October 2018, the FBI arrested Sayoc in Florida for mailing at least 15 potentially explosive packages to numerous protectees, including current and former politicians as well as government and business executives. None of the devices detonated and no addressees actually received packages because mail screening intercepted most packages.
    • Further investigation revealed Sayoc had a history of telephonic and social media threats. He also had a list of more than 100 potential package recipients [Reference: New York Post].
  • Also in October, the FBI arrested Allen in Utah for mailing envelopes with a granular substance to POTUS, the US Secretary of Defense, the Chief of Naval Operations, the Air Force Secretary, the FBI Director, and the CIA Director. The substance initially tested positive for ricin. Allen subsequently admitted mailing the envelopes, claiming he also sent letters to the US Attorney General, Queen Elizabeth II, and Russian President Vladimir Putin.
    • Allen’s criminal activity included a threat to kill then-POTUS Barack Obama in 2015. The FBI Weapons of Mass Destruction Directorate subsequently disseminated an alert to raise awareness regarding the ricin-threat letters, noting the possibility of additional letters in circulation, but it is not clear everyone in the protection community received the alert.
      • Considering the threat was specific to high-profile protectees, the community needs to foster more immediate internal communication of such threats.

History has numerous examples of problematic approachers who transferred their focus from one protectee to another. Some subjects base their target selection on accessibility. For them, the act, rather than the target, is what matters.

  • 1988: David Russell, who got within 40 feet of VPOTUS George H.W. Bush with a gun, previously stalked Kentucky Governor Martha Layne Collins and then-US Senator Al Gore (TN) with a knife [Reference: Regnery Publishing].
  • 1981: John Hinckley Jr., who shot then-POTUS Ronald Reagan, previously stalked then-POTUS Jimmy Carter at a political rally [Reference: Gavin de Becker Center for the Study and Reduction of Violence].
  • 1972: Arthur Bremer, who shot Alabama Governor and presidential candidate George Wallace at a rally, previously stalked then-POTUS Richard Nixon [Reference: Gavin de Becker Center for the Study and Reduction of Violence].
  • 1969: Chet Young, who shot William Lennon, father of the Lennon Sisters, after stalking his daughters for seven years, had previously been arrested by the US Secret Service for threatening to kill then-POTUS Lyndon Johnson [Reference: Gavin de Becker Center for the Study and Reduction of Violence].

These examples of malicious actors targeting multiple protectees or transferring their focus should prompt the protection community to proactively expand the interagency threat information sharing among local, state, federal, and corporate agencies.

The Solution

Consider that an extremist who threatens a corporation’s C-Suite is likely to threaten other C-Suites involved in similar activity and the relevant federal agency’s leadership. The initial and any subsequent threats to protectees should be – but frequently are not – shared with the protection community to increase situational awareness among the relevant protection details.

Increased threat information sharing will also fill numerous intelligence gaps, leading to more informed behavior-based assessments of the threats to protectees. This will support the details’ immediate needs, promote situational awareness, and help prevent targeted violence. Protective intelligence analysts cannot conduct a truly objective, behavior-based threat assessment if they are not aware of potential threats.

Information sharing can also improve surveillance detection by sharing and comparing any observed patterns or anomalies. Without interagency threat information sharing, it is difficult to know when the same malicious actor or vehicle has been encountered surveilling different protectees or sites. Surveillance detection is far less effective without databasing, sharing, and analyzing observation reports over time [Reference: Stratfor].

Additionally, threat information sharing can reduce inefficiencies, redundancies, and intelligence gaps resulting from protection agencies assessing and investigating threats independently rather than collaboratively. No single agency, regardless of size, capability, or dedication of its personnel, can resolve the protection community’s multi-protectee threats on its own. However, collaborative information sharing will positively affect the protection community, providing a foundation for long-term planning with a comprehensive common operating picture of relevant threats and incidents [Reference: NJ State Police].

Potential Obstacles

Certainly, there are potential obstacles. For interagency threat information sharing to succeed, the agencies involved must perceive it as appropriate and beneficial. Protectees and agencies require privacy, and no one wants to compromise a protective investigation. Protection leaders must overcome such institutional hurdles and commit their entities to collaborative ventures.

For some agencies, both public and private, interagency information sharing will require a cultural shift, which can be challenging. Agencies with different ways of doing things have different perspectives and different areas of expertise, but collaboration can be beneficial if done effectively. It can produce greater efficiency, improve the quality and quantity of information, and minimize damage from reduced funding [Reference: PowerDMS].

No one within the protection community wants to breach a protectee’s confidentiality by divulging personal information or potentially embarrassing them, but it is important to learn from the last unwanted outcome and to thwart the next one before it happens. Who has not watched videos of unfortunate protectee incidents to learn from them?

Protective Intelligence Exchange

Following the 1998 shooting of two US Capitol Police officers by a subject known to other law enforcement agencies, the USSS created the Protective Intelligence Exchange (PIX) to facilitate information sharing among law enforcement agencies with protective responsibilities. PIX is a pointer database of names and identifiers of subjects who pose a potential threat to a protectee.

PIX users can conduct name checks to determine whether a subject of protective interest is known to another agency. When a match occurs, PIX provides contact information for the investigating agency, which can provide additional information. For more information, including law enforcement access, contact pix-team@usss.dhs.gov.

Protection Issues

To help fill the threat intelligence gap, the New Jersey State Police’s Regional Operations & Intelligence Center (ROIC), the State’s multi-agency fusion center, produces Protection Issues, a monthly report of threats to protectees, incidents, court rulings, relevant training, and other operational topics, predominantly based on open sources. Recipients include federal, state, local, and corporate members of the executive protection community, as well as members of the capitol security, judicial security, diplomatic security, and threat assessment communities.

Protection Issues, which focuses on threats to high profile government and corporate protectees, has received favorable reviews, but by no means is it the only solution. The information compiled is not comprehensive – it rarely reports threats to celebrities and others without details – but it is one step toward protection community information sharing.

In addition, the ROIC has produced stand-alone reports regarding larger protection concerns. In 2016, “Inspire Threats to US Executives” described al-Qaeda in the Arabian Peninsula’s efforts to promote the assassination of high profile American financial figures, business executives, and entrepreneurs, noting that such attacks (however unlikely) would likely be vulnerable to detection during the planning stages of the attack cycle.

The report encourages public and private sector personnel to integrate their protection operations by leveraging their fusion center liaison officers, increasing their suspicious activity reporting, and taking proactive steps to reduce their protectees’ personally identifiable information available online.

The monthly and ad hoc reports, which are for official use only (FOUO), are available to anyone within the protection community. Subscribers also receive reports by other agencies with information relevant to the protection community as warranted. To subscribe, email your name and agency/company information, along with a brief description of your role in the protection community to ROICProtectiveIntel@gw.njsp.org.

State Fusion Centers

The protection community should also take advantage of their state fusion centers, an initiative born out of the September 11th attacks. Every state has a multi-agency fusion center, where law enforcement, homeland security, emergency management, and private sector security collaborate on threat, crime, and hazard intelligence. Fusion centers are focal points for the collection, analysis, and dissemination of threat-related information, such as suspicious activity reports and federal intelligence. This enables federal, state, local, and private sector partners to better protect their communities from emerging and evolving threats [Reference: DHS].

Conclusion

Readers may recall that the counterterrorism community heard similar calls for increased threat information sharing more than a decade ago. The Final Report of the National Commission on Terrorist Attacks Upon the United States, also known as the 9/11 Commission Report, has numerous references to the lack of information sharing, noting that the government has access to a vast amount of information, but it has a weak system for processing and using it. Information sharing is a common phrase in the report, especially in the recommendations, highlighting that “need to know” should be replaced by “need to share.”

No agency can solve all its threats on its own. Since problematic approachers often target multiple protectees, coming to the attention of multiple protection details, threat information sharing is incredibly important to the protection community and should be part of its best practices. As the protection community navigates the new normal of more volatile threats, PIX, Protection Issues, fusion centers, and future threat intelligence initiatives must fill the threat intelligence gaps with improved information sharing.

Proactive interagency threat information sharing opens the lines of communication, allowing for better, more accurate threat assessments and trend analyses. This will provide decision-makers at all levels of the protection community with better situational awareness and a common understanding of the operating environment. Once informed, decision-makers can affect their environment through improved strategic, operational, and tactical initiatives.


About the Author

Richard Pittenger, a New Jersey State Police intelligence analyst at the ROIC, has been supporting executive protection for more than 13 years. Before joining the State Police, he had investigative assignments in the United States and overseas. Readers can contact Rich, a member of the Association of Threat Assessment Professionals, via ROICProtectiveIntel@gw.njsp.org.
