Thomas J. Hayden Jr
Transcript of Thomas J. Hayden Jr
Capstone Project
Fire IntelligenceData Evaluation
Project
“While our information sharing capabilities have improvedsignificantly, substantial obstacles remain. We must continue to
break down information barriers among federal, state, local, andtribal partners and the private sector.”
-2007 National Strategy for Homeland Security
i
ABSTRACT
This project examines the use of and perceived
value of intelligence in the fire service, a relatively new,
post 9/11 phenomena. The project will attempt to determine
if fire service executives are receiving intelligence
related material and try to measure the value of the
information. This will be accomplished by analyzing
previously issued fire related intelligence products against
the proposed Fire Service Intelligence Questions. The
proposed Fire Service Intelligence questions were developed
as a result of a practitioners’ workshop held in September
of 2012. This was the first cohesive attempt by the fire
service to identify intelligence requirements for
intelligence collectors and was a result of long standing
tension over what the fire service intelligence needs were
and how the information would be used. A mixed methodology
of product evaluations and qualitative interviews was used
to determine the score of the product and determine the
corresponding value of the products.
ii
TABLE OF CONTENTS1.0 Introduction..............................................82.0 Research Questions.......................................103.0 Literature Review........................................114.0 Methodology..............................................164.1 Data Collection Tool...............................204.2 Fire Service Baseline Intelligence Questions.......234.3 Classification.....................................264.4 Scoring............................................274.5 Evaluated Products.................................284.5.1 District of Columbia Fire/EMS Department........294.5.2 Washington Regional Threat and Analysis Center (WRTAC)...............................................304.5.3 Other...........................................31
4.6 Content Classification of products.................314.7 Limitations........................................32
5.0 Analysis and Discussion..................................345.1 HSEC-1 Cyber Attacks and Exploitation..............345.2 HSEC-2 Disasters...................................365.3 HSEC-3 Illicit Alien Operations....................385.4 HSEC-4 Illicit Commercial Operations...............415.5 HSEC-5 Illicit Drug Operations.....................435.6 HSEC-6 Public Health Hazards.......................455.7 HSEC-7 State Sponsored Operations..................485.8 HSEC-8 Terrorist Operations........................495.9 HSEC-9 Transnational Violent Crimes................515.10 HSEC-10 Weapons Proliferation......................525.11 Situational Awareness Products.....................55
6.0 Results of HSEC Intelligence Questions Analysis..........576.1 HSEC-X.1: Threats to the U.S. homeland and national security interests......................................576.2 HSEC-X.2: Adversaries..............................586.3 HSEC-X.3: Suspicious activities and behaviors......586.4 HSEC-X.4: Knowledge elicitation by adversaries.....596.5 HSEC-X.5: Motivations, indicators, and plans of adversaries.............................................596.6 HSEC-X.6: Locations and targets of adversary operations..............................................596.7 HSEC-X.7: Assets of adversaries....................60
iii
6.8 HSEC-X.8: Methods, capabilities, and activities of adversaries.............................................606.9 HSEC-X.9: Homeland security countermeasures........616.10 HSEC-X.10: Incidents...............................61
7.0 Summary..................................................628.0 Recommendations..........................................649.0 Conclusions..............................................6810.0 Bibliography.............................................70
Appendix A:........................................FIGURES74
Appendix B:.....INTELLIGENCE QUESTIONS AVERAGE BY HSEC TOPIC 78Appendix C:.............................DATA SPREADSHEETS
82
LIST OF FIGURES
FigurePage
Figure 1: HSEC-1 Scoring Overview.......................74Figure 2: HSEC-8 Terrorist Operations...................75Figure 3: HSEC-9 Transnational and Organized Crimes.....75Figure 4: Weapons Proliferation.........................75Figure 5: HSEC Topics by Percentage.....................76Figure 6: Situational Awareness Products................77
LIST OF TABLES
TablePage
Table 1: Methodology Differences........................19Table 2: Fire Service Intelligence Priorities...........22Table 3: HSEC 6 Modified Scoring Matrix.................47Table 4: HSEC-10 Modified Scoring Matrix................55
iv
Appendix A: Introduction
Since the events of 9/11 a clear consensus has emerged
in the intelligence and public safety communities about the
need to share intelligence. This fact is self-evident by the
staggering losses of public safety personnel in the attacks
of 9/11 when 343 members of the Fire Department of New York
City lost their lives; as well as 75 New York City Police
Department and Port Authority Police officers. In the decade
since 9/11 progress has been made and several program and
initiatives aimed at information sharing have been launched.
However, the question remains as to whether or not non law
enforcement first responder personnel, especially fire and
rescue personnel are receiving timely actionable
intelligence.
The importance of access to this type of information
cannot be understated. One only needs to look at the early
moments of the 9/11 tragedy, when pilots in a New York City
Police Department helicopter observed signs indicating that
the tower might collapse but that information was never
6
passed to the Fire Department commanders on the scene, to
see the value of information sharing.
There are several different levels of information
sharing mechanisms available to the fire service today that
were not shared or in existence prior to 9/11. The federal
government issues a series of bulletins requiring different
levels of security clearances and access that many fire
service leaders or their delegates receive daily. These
bulletins tend to focus on recent events or emerging threats
that could impact response protocols. Many of these products
are driven by open source information and condensed by
intelligence analysts. State and local governments have also
set up organizations that produce their own products which
emphasize events relevant to that particular location. The
goal of these products is to raise “situational awareness”
in the response community regarding emerging and continuing
threats.
In major metropolitan areas, informal information is
exchanged frequently between representatives of federal law
enforcement and intelligence agencies with first responders.
7
These informal arrangements often produce more actionable
intelligence than the official products but are highly
dependent on trust and preexisting relationships between the
two players.
As mentioned above, there are a significant number of
intelligence products available to the response community in
the post 9/11 world, but is there a value to these products
beyond raising “situational awareness”? The volume of
information received exceeds the available time and
attention span of fire service leaders in the normal day to
day setting. It requires analysis and condensation by
analysts familiar with fire department operations and
concerns to be consolidated into a brief summary of the
information. Few fire service organizations have the
staffing or expertise to conduct this function? The phrase
“actionable intelligence” is frequently bantered about in
the public safety community but what is the definition of
actionable intelligence and is it universally accepted by
the majority of fire service leaders?
8
The intelligence community is often cloaked in secret
and traditionally reluctant to share information with non-
intelligence entities for fear of compromising the
information or its source. Many large metropolitan fire
service organizations have taken steps to ensure the
appropriate number of personnel have been successfully
vetted to receive secure information. However, the question
remains as to whether or not this has resulted in the actual
exchange of useful intelligence?
Given the inherent roadblocks and the degree of
separation between the fire service and formal intelligence
communities, is it realistic to expect timely, actionable
information prior to an incident? Does the lifecycle of an
attack preclude this exchange from being realistic? Has the
fire service adopted or modified operations as a result of
information received?
Appendix B: Research Questions
This project seeks to answer the following questions:
• Is information sharing occurring and is the information
being shared with Fire Executives of value?
9
• What is the value of the information previously
received in comparison to the requirements listed in
Fire Service Intelligence Questions?
• Which of the needs are being sufficiently met and do
any gaps still exist?
Because the integration of the fire service into the
intelligence function is so new is the reason some of these
questions need to be explored in greater detail. The budget
to fund these programs is now being scrutinized more than
ever before but there is no matrix that effectively
qualifies the value of these programs if in fact they are
valuable.
Local responders will always be the first to arrive at
any incident and their actions will set the stage for the
outcome of the incident. Programs should support their
safety and preparedness to address the challenges of
terrorism and provide them with useful information. Early
actionable intelligence is a vital part of this equation.
Actionable intelligence is, in effect, the ability to
prepare for threats before they occur or become incidents.
10
This ability to prepare helps ensure for the best possible
outcome for the responders and the public.
Appendix C: Literature Review
Because the concept of use of intelligence by the fire
service is a post 9/11 initiative, there is not a wide body
of existing research on the subject. Much of the available
information is from either government publications or thesis
papers written by practitioners. A review of the available
data does seem to suggest that common themes are beginning
to emerge and were identified in several of the papers.
What we do know is that there is a consensus among the
policy makers, the intelligence community, and the American
fire service to include the fire service in the intelligence
function; however, there is some confusion as to what
extent. The impetus for this movement rose from the ashes of
9/11. There was almost immediate recognition of requirements
for intelligence by the fire service and other non law
enforcement public safety agencies to enhance response
capability and for personnel safety. This is well documented
11
by Richardson (2010), Gonzales (2010), and Donnelly (2010),
as well as; referenced in several of the government reports.
The review of the literature revealed that several key
concepts or main factors are beginning to emerge. The
program was first instituted in large urban areas by
inserting personnel from the fire service into existing
intelligence operations. It was soon realized that a unified
standardization was required for the effort to be both
successful and functional. Heirston (2010) and Gonzalez
(2010) identified similar models of training needed by fire
service personnel to function as intelligence analysis.
Richardson (2010) drew from his experiences in New York to
further refine the requirements and capabilities needed
produce actionable information. A recent report published by
DHS, “Fire Service Integration for Fusion Centers” (April
2010), explains how intelligence and information are now
important elements to support fire service preparedness for
response and recovery missions. This document outlines
enhancements to state and urban area fusion center targeting
capabilities to allow for greater input and use of
12
intelligence by the fire service. Moreover, this document
outlines strategic objectives for the establishment of a
national network of fire service organizations that share
information and intelligence.
The literature review discovered several existing
theories on the fire service intelligence enterprise
including the dissemination of information, organization and
structure, and intelligence led mitigation.
The dissemination of information, both from the
intelligence source to the fire service and from the fire
service to the intelligence source emerges as a common theme
in much of the literature. Gonzalez states “until the fire
service acknowledges the criticality of participation in
gathering and disseminating information within the fire
service and the necessity to engage in collaborative efforts
with non-traditional partners, EFOs won’t recognize that
their actions contribute to the larger homeland security
mission” (Gonzales 2010). She goes further to endorse that “
national guidance documents on folding counterterrorism
strategies into fire departments’ policies, procedures and
13
operating guidelines” in a reference to the above mentioned
DHS report.
But simply sharing information by itself does not suffice
unless “for the information sharing process to be
meaningful, a mutual understanding must exist between the
intelligence/law enforcement communities and the fire
service that there is value added in this relationship,
which is evolving because of the work being done through
numerous federal, state, and local efforts (Richardson).
What this effort should look like is also evolving.
Heirston took the approach of comparing and contrasting the
information sharing activities of the New York City Fire
Department’s Terrorism and Disaster Preparedness Strategy
(FDNY Strategy), the U.S. Fire Service Intelligence
Enterprise draft concept plan, the UK’s Civil Contingencies
Act of 2004 (CCA) and current ad hoc U.S. fire service
information-sharing activities. He recommends several
modifications and addendums to the current National
Information Sharing Plan to incorporate his findings
14
Intelligence led mitigation uses the intelligence cycle
as a building block but expands it in a way that is
applicable to public safety agencies. Intelligence led
mitigation “seeks to set appropriate tasking priorities for
the collection of basic data, process that data into an easy
useable format, analyze it to create situational awareness
through intelligence products that support tactical,
operational and strategic needs, then disseminate those
products to customers who provide feedback on what
additional or new intelligence requirements remain. The
cycle begins anew as new requirements are again balanced
against command guidance, operational needs, and resource
constraints” (Donnelly, Townsend, Sullivan & Monahan, 2010)
There remain several inconsistencies or other
shortcomings in our knowledge and understanding of fire
based intelligence. While much work has occurred on the
topic many avenues are still either partially or fully
unexplored. There is concern on the part of several
researchers regarding civil liberty implications of having
firefighters act as agents for the intelligence community
15
(Heirston, Gonzalez 2010). None of the researchers have been
able to fully quantify or qualify the value of information
sharing. The reliance on federal funding to place fire
service personnel in non- traditional roles (such as
intelligence) has been mentioned but not fully explored.
What would the impact of a significant decrease in available
resources have on this effort? Finally, up to this point,
this effort has been primarily focused on large metropolitan
areas, presumably because of their inclusion and access to
UASI funding. Is there a need to expand the effort to
smaller cities and what is the cost benefit rational?
Despite the advancements and strides made in the field
during a relatively short period much of the work remains
unexplored. The concentration of fire intelligence
practitioners in large areas is understandable given the
risks and vulnerabilities that major cities face from a
terrorist related event. These area’s have departments of
sufficient size to allow a small detail of personnel to be
assigned to ancillary functions (like intelligence) while
not affecting the core competency of the agency (fire/rescue
16
response). These areas also usually have an existing
intelligence infrastructure of some form such as a fusion
center which provides an easy path for integration of non-
traditional partners. However, the question remains on what
is the return of investment. Is the leadership of the fire
organization receiving timely, specific, actionable
information or are they only receiving a conglomeration of
open source products that contribute to their overall
situational awareness. This answer requires further testing
and will be the focus of this project.
There currently exists scant evidence of any specific
event or incident that required the leadership to take
direct action against a threat. What evidence that might
exist is limited, inconclusive, or shrouded in secrecy.
There could be number of possible reasons for this. One
possible scenario is that the exact confluence of events has
not occurred in such a way that the fire service leader
would have been either notified in advance or forced to take
action. Many of the plots covered in the media are
interdicted by law enforcement in the planning stage and the
17
perpetrators are apprehended before any real danger exists.
Another possible explanation is that the targeted recipient
either lacked the proper clearance to receive the
information or didn’t have an existing infrastructure of
mechanism to receive the information
This subject calls for further study because the
integration of the fire service into the intelligence
function requires a significant commitment of resources
personnel and funding. This pressure is being applied at a
time when local funding is impacted by the economy and
federal funding cut backs are rumored to be on the horizon.
In order for the partnership to continue there needs to be a
clear understanding of the desired outcomes.
The value of the proposed study is that it will attempt
to qualify the benefit of strategic intelligence for the
fire service. Significant work has taken place by others to
lay the groundwork and build the infrastructure but the
outcomes are still difficult to measure and qualify. This
study will focus on providing a measurement to test the
questions and to identify any gaps in information. In the
18
process, it will attempt to identify any commonalities that
appear to be impeding or restricting the flow of the desired
information.
The expected sampling size was not conducive to a
quantitative approach except for some possible mixing of
methodology to be determined. A qualitative approach seems
more appropriate for use and allows for further follow-ups
to revisit emerging patterns from the initial survey or
questionnaire.
Appendix D: Methodology
This research project will attempts to capture and
evaluate the amount and value of intelligence that the fire
service receives from the intelligence community using
previously produced products from the District of Columbia
Fire/EMS Department . The concept of the fire service as an
intelligence partner is a relatively new phenomena (post 9-
11) that has not been fully implemented throughout the
country but increasingly is being recognized as a vital
component of the fire service homeland security mission.
Previous research has indicated that those departments most
19
active in this initiative are located in areas that are
considered to be at high risk for attack such as Washington
DC and New York City. The majority of fire service
organizations embracing the intelligence function appear to
align with area’s classified as Urban Area Security
Initiative (UASI) eligible locations. Many of these UASI
funded stakeholders were participants in the Fire Service
Intelligence and Information Needs workshop and helped to
identify the order of priority for fire service intelligence
topics. The majority of state and local agencies reported
the desire to receive a greater amount of information and
intelligence concerning terrorism (Joval, 2012). UASI
eligible locations understandably perceive a higher risk of
attack. This finding in itself is not surprising. Joval
identified that there is a positive relationship between
perceived risks, jurisdictional size, funding, and
preparedness activities.
There are several methodologies’ that can capture the
answer to the above question. In this project, one of the
main considerations was time and distance. The 64 UASI areas
20
are geographically spread out across the continental United
States. It would not have been practical to conduct all face
to face interviews by reason of the cost and amount of time.
A limitation was that the actual amount of intelligence
exchange taking place has not been fully quantified. There
is no existing metric that has been found which is able to
comparatively identify this benchmark until now. While there
has been recent development in respect to the target
capabilities list for fire intelligence published by DHS and
a response by the fire service in the form of the proposed
Fire Service Intelligence Questions draft, there is
currently no standard structure for a fire intelligence
function that has been tested and validated. The range of
available resourced varies from jurisdiction to jurisdiction
based on funding, perceived threat and leadership
commitment.
This project lends itself to an inductive approach
because so much is unknown and the data source stream is not
well defined. The inductive approach starts with general
observations and then works towards a general conclusion
21
(Walliman). The deductive approach is closely associated
with the If…/Then… model of research. This is not an
appropriate approach for this project because the scoring is
at the discretion of the researcher and is not repeatable in
a general sense.
There is considerable debate among researchers about
the different types of research methodology. The qualitative
method relies on interaction with the subject and
conclusions can be influenced by the researchers’
perception. The quantitative method revolves around facts
and figures and seeks a defined, replicable result. The
mixed method allows for elements of both, qualitative and
quantitative to be used in a project. In determining the
methodology to be used the nature and scope must be
considered. This project was not well defined and somewhat
fluid as it had never been attempted before. As it
progressed, the path crossed between qualitative methods and
quantitative methods leading to a mixed method result.
Qualitative research aims to provide a complete
detailed description. It involves analysis of data such
22
as words. It is appropriate when the researcher only has
a rough idea of he or she is seeking. Many researchers
recommend a qualitative approach during the early phases
of a research project when discovery is still occurring.
This allows the research design to emerge as the
direction of the project becomes clearer. This is
exactly what occurred during the process.
Qualitative methodology immerses the researcher in
the subject matter. It is time consuming and provides a
greater context for the “Why” part of the research. This
occurs because much of the data collection relies on
interviews, participant observations, and other
interactive research techniques as opposed to a
collection of defined facts and figures. It allows for
the interpretation of events by the subject
The quantitative methodology is used to develop a
statistical model by using numbers that can be classified
and counted. This method is appropriate for when the
researcher knows clearly what he or she is looking for. A
hypothesis is formed in advance and the tools used to
23
collect the data are carefully pre-determined. Research is
collected in the form of numbers and statistics. The
objective of a quantitative analysis is to provide precise
measurements and analysis of the subject (Neil 2007).
Surveys and questionnaires are often used as instruments of
data collection. The scope of quantitative methodology is to
provide prediction, and causal explanations.
When one compares and contrasts the differences between
the two methodologies it becomes clearer that quantitative
is more appropriate for a known data set that can be used to
extract information and manipulate variables. Qualitative
appears to be more suited for when not very much is known
about the subject or the sample size is relatively small.
The table below provided by Walliman helps the reader
to understand these differences:
Table 1: Methodology Differences
Research with Subjects(Quantitative)
Research with Informants(Qualitative)
1. What do I know about a problem that will allow meto formulate and test a hypothesis?
1. What do my informants know about their culture that I can discover?
24
2. What concepts can I useto test this hypothesis?
2. What concepts do my informantsuse to classify their experiences?
3. How can I operationallydefine these concepts?
3. How do my informants define these concepts?
4. What scientific theory can explain the data?
4. What folk theory do my informants use to explain their experience?
5. How can I interpret theresults and report them inthe language of my colleagues?
5. How can I translate the cultural knowledge of my informants into a cultural description my colleagues will understand?
Research with Subjects (Quantitative) Research with
Informants (Qualitative)
Because this project relied on the principal
researcher providing a grade based on his experience and
subject matter expertise, it was felt that the project
did not lend itself to the quantitative method even
though it contains a statistical component. In addition,
the data set would have to be followed up with either
telephone or face to face interviews in order to grasp
the contextual content of their responses. These
interviews would be less structured and allow the
respondent to expand and elaborate on their individual
25
responses in order to fully capture the information.
Hence, the interview approach seems to be more
appropriate for a qualitative assessment. Given the
conflict between the two methods it becomes clear that a
mixed methodology is the appropriate choice for this
project.
Mixed Methodology is a design that incorporates
both qualitative and quantitative methods in all stages
of the study (Tashakkori & Teddlie, 2003). This strategy
has been gaining favor with researchers recently. The
benefit of a mixed method methodology is that it allows
the researcher to gain a clearer picture and provide for
more adequate explanations. Another advantage of using
the mixed method is that it is easier to move from
quantitative to qualitative which fits the proposed
model of this project perfectly. At the same time, one
of the disadvantages of mixed method, with respect to
the influence of cultural, bias is negated by the fact
that there is no cultural component to the project. The
fire service is a culture unto itself with its own set
26
of values and beliefs shared across jurisdictional
boundaries. It may not be a culture in the formal sense
of the term but certainly within the profession there is
a belief that a unique culture exists. All of the
interviewee’s were experienced fire service personnel
directly involved in the intelligence function. The
project was explained to them and all verbally agreed to
participate. They were assured of anonymity so they
would be free and honest with their responses. In select
cases to order to guarantee their anonymity, neither the
personnel nor their agency will be identified.
D.1 Data Collection Tool
In September of 2012, the Fire Service Intelligence &
Information Needs Workshop, facilitated by the U.S. Fire
Administration and attended by fire service personnel from
metropolitan fire departments and fusion centers within 22
states, was held at the National Emergency Training Center
(NETC) in Emmittsburg, Maryland. The purpose was to discuss
the state of the fire service intelligence enterprise. The
27
goals of the workshop were to standardize what the
intelligence needs and questions of the fire service and
facilitate the communication of fire service intelligence
questions to analysts within the intelligence community,
federal agencies, state and major urban area fusion centers,
and state and local public safety intelligence units.
Intelligence producers were often unclear on what
was needed and how the information would be used and
distributed. This confusion was causing tension and
frustration among the fire service intelligence
community who perceived (with a degree of accuracy) that
they were not receiving information of actionable value.
While fire service personnel have a wide range of
intelligence and information needs, the scope was
limited to a core set of questions regarding homeland
security threats, which must be answered by intelligence
analysts in order to support fire service operations and
officer safety. Many of these questions were developed
through the Fire Chief’s Intelligence Working Group in
September 2012
28
From this meeting it was decided that the 10 Homeland
Security (HSEC) Standing Information Needs (SINs)
Intelligence Topics and Information Types would be used as
the core framework for developing the Fire Service
Intelligence Questions in order to facilitate their
alignment with other initiatives which also use the HSEC
Intelligence Topics and Information types for their
organizational structure. The Homeland Security (HSEC)
standing information needs (SINs) describe the full spectrum
of enduring all-threats and all-hazards data and information
needed by intelligence analysts within the HSEC Community of
Interest (the United States Department of Homeland Security
and its federal, state, local, tribal, territorial, and
private sector stakeholders and homeland security partners)
to develop timely, actionable, and relevant intelligence for
their customers.
Prior to the workshop, participants were asked to
prioritize the ten HSEC SINs accordingly by importance and
criticality. The results of the survey were tabulated and
29
the ten items were ranked based on the results. The table
below represents the outcome of this exercise.
Table 2: Fire Service Intelligence Priorities
Ran
k
Level of
ConcernHSEC Intelligence Topic
1
Critical
HSEC 1 – Cyber Attacks and
Exploitation
2 HSEC 6 – Public Health
Hazards
3 HSEC 2 – Disasters
4 HSEC 8 – Terrorist
Operations
5
Important
HSEC 10 – Weapons
Proliferation
6 HSEC 5 – Illicit Drug
Operations
7 HSEC 9 – Transnational
Violent Crimes
8 Relevant HSEC 7 – State-Sponsored
30
Operations
9 HSEC 3 – Illicit Alien
Operations
10 HSEC 4 – Illicit Commercial
Operations
D.2 Fire Service Baseline Intelligence Questions
Each of the topics was assigned 10 distinct baseline
questions designed to provide a comprehensive, in-depth
analysis of the primary intelligence topic. Each of the
baseline questions were supported by three to seven bullet
points to provide guidance on type of information required.
The ten questions are listed below along with a narrative to
help the reader understand the desired scope of information
HSEC-X.1: Threats to the U.S. homeland and national securityinterests
Existence, trends, and status of threats (emergent and
imminent) which could: impact emergency response operations
during an incident; compromise the continuity of normal
31
operations; or endanger the safety of emergency responders
or the public.
HSEC-X.2: Adversaries
Profiles of adversary groups or individuals targeting
or operating within the U.S.; understanding the intentions
and capabilities of adversaries coupled with their U.S.
targets or areas of operation will enable fire service
personnel to understand the spectrum of threats they must
prepare for within their jurisdiction.
HSEC-X.3: Suspicious activities and behaviors
Characteristics of suspicious activities, behaviors,
materials, devices, markings, etc.; understanding and
possessing the ability to quickly recognize suspicious items
will enable fire service personnel to report relevant
observations and take appropriate precautionary measures to
protect emergency responders and the public.
HSEC-X.4: Knowledge elicitation by adversaries
Assessment of adversary research or surveillance of
emergency response operations or insider threats;
understanding adversary elicitation capabilities and
32
activities will enable fire service personnel to take
appropriate operations security measures.
HSEC-X.5: Motivations, indicators, and plans of adversaries
Indicators, warnings, and known or suspected plans of
adversaries targeting or operating within the U.S.; notification
of imminent threats and analysis of emergent adversary operations
will enable fire service personnel to recognize and report
possible threats, and assign resources to effectively respond to
potential incidents
HSEC –X.6: Locations and targets of adversary operations
Adversary targets that could compromise the continuity
of emergency service operations (including by not limited
to):
911 call processing
Radio systems
Dispatch systems
Cell phone systems
Public safety communications systems
Resource databases and vehicle locating systems
Patient databases
33
Critical infrastructure/building databases
Emergency operations centers and systems
Emergency service stations and equipment
HSEC-X.7: Assets of adversaries
Identification and attributes of facilities, systems,
operations, equipment, materials, supplies, and personnel
(including counterfeit emergency service equipment,
supplies, or credentials) owned or controlled by adversaries
targeting or operating within the U.S.; understanding the
assets adversaries possess will enable fire service
personnel to make informed decisions on the appropriate
monitoring devices, response materials, and personal
protective equipment they need to acquire and employ in
order to effectively respond to incidents and protect
emergency responders.
HSEC-X.8: Methods, capabilities, and activities of adversaries
Analysis of methods (tactics, techniques, and
procedures) and known or suspected capabilities of
adversaries targeting or operating within the U.S.;
34
understanding what adversaries are able to do and how they
will likely operate will enable fire service personnel to
develop and exercise the appropriate response protocols and
protective measures to address the most likely and most
dangerous adversary courses of action
HSEC-X.9: Homeland security countermeasures
Evaluation of adversary knowledge or perceptions of the
existence, status, and efficacy of emergency response
capabilities within the U.S., including insider threats
within public safety organizations; understanding
adversaries’ views on the strengths and weaknesses of U.S.
emergency response operations will enable fire service
personnel to anticipate vulnerabilities that adversaries may
attempt to exploit, and take appropriate actions to mitigate
related dangers.
HSEC-X.10: Incidents
Details and assessments of ongoing or past significant
incidents or operations anywhere in the world;
understanding how adversaries operated in the past and how
countermeasures were employed to prevent, protect, mitigate,
35
respond to, and recover from the incidents will enable fire
service personnel to learn from best practices and
strengthen their capabilities for future incidents.
It should be noted that two of the HSEC SINs, HSEC 2-
Disasters and HSEC 6 -Public Health, were only assigned two
sub questions: Threats (x.1) and Incidents (x.10). Sub
questions x.2 through x.7 all address adversary activities
and actions. Since there is no adversary that can be
captured, deterred or interdicted in a disaster or public
health emergency, these sub questions were eliminated from
the two categories
D.3 Classification
The first step of the evaluation process would be to
classify the product by one of the ten HSEC Intelligence
topic categories. In cases where the product contained
multiple topics, the proposed methodology was each topic
would be classified and scored individually according to the
intelligence sub questions for that topic. This became a
frequent occurrence because many of the products contained
36
more than one topic. This will be discussed further in the
situational awareness product section which discusses the
data set.
There are several reasons for the classification to
occur. The primary reason is to determine which topics occur
the most frequently and which topic don’t receive an
adequate amount of attention. An additional goal will be to
compare the volume of topics to the proposed FSI priorities
listed in table 2 to identify gaps in priority information.
The classification may also help to identify a nexus or
crossover between topics. As an example, we know that
transnational criminal organizations and illicit drug
operations (HSEC-9, HSEC-5) often use violence and weapons
(HSEC-10) in their operations. The classification process
may help to confirm this and indicate a need for revision to
the proposed draft. Finally, it is necessary to first
classify a product in order to determine which sub questions
need to be used for scoring purposes.
37
D.4 Scoring
A Data Collection scoring sheet was developed based on
the 10 question. If a question was addressed to the
satisfaction of the reviewer, it would receive one point
(1). If the question was not addressed in any way, it
received a score of zero (0). If the question was partially
addressed it received a score of a half point (.5). It is
important to note that the .5 score was chosen with the
understanding that (a) the documents were being scored
retroactively to the development of the standard and (b) by
only having one partial option score it removed subjectivity
and reduced bias from the overall score. As an example: one
reviewer might have given a partial score of .2 based on
his/her perspective and experience while another reviewer
may have awarded a .8. It was also felt that given the
paucity of guidance, knowledge and training that the
earliest FSIE practitioners had, that partial credit should
be awarded if any part of the question was addressed. Given
these parameters, the highest possible score would be a 10
(one full point for each of the ten questions) and the
38
lowest possible score would be a 0 (no points awarded for
any of the ten questions. The exceptions to this matrix were
products classified as either HSEC 2-Disasters or HSEC 6-
Public Health which only had only two intelligence questions
for a highest possible score of 2
Having designed the scoring matrix, the next question
to be answered was whether to use a panel to score the data
or should it be done solely by the researcher. A test trial
was conducted using three end users of FSIE products who
were not overly familiar with intelligence topics or
methodology. The research author served as a controller by
evaluating 5 random intelligence products and assigning
numerical scores to them.
The subjects were then briefed on the goal of the
survey and the scoring system. They were also provided with
a brief training session to familiarize them with how to
classify documents according to the 10 HSEC SINs and grade
them by using the 10 intelligence questions. One product was
conducted jointly to allow the evaluators to ask question
and gain insight. The remaining products were evaluated
39
individually be each participant and the final scores were
tabulated. The results indicated that the scoring system
itself worked as designed. However, some reviewer scores
were as much as three points apart, the equivalent to 30% of
the total possible score. A critique of the products with
the evaluators revealed a wide discrepancy in perceptions
based on their professional backgrounds and personal
opinions. This was somewhat surprising given that all of the
evaluators were familiar (in the broadest sense) with FSIE
products and had used them professionally at various times
in their careers. A subsequent trial test was done with a
different but similar set of evaluators and the outcome was
similar. Based on the results of these trial runs it was
decided that the only scores used in the project would be
those compiled by the researcher himself. It was felt that
the variation in scoring was too broad to be used for the
research product and that the results could not be
consistent and repeatable by using a panel approach.
40
D.5 Evaluated Products
The data set evaluated consisted of documents released
by the District of Columbia Fire/EMS Department in an effort
to increase knowledge of evolving terrorism tactics and
techniques and to raise situational awareness Many of the
products were released in response to incidents occurring
around the globe or trends and incidents reported from other
departments within the United States. The data set included
documents from the following sources. The four main products
evaluated were:
D.5.1 District of Columbia Fire/EMS Department
Firewatch- In the fire service a “Fire watch” is a tradition
that extends back to the earliest days of the service when
members were assigned to certain buildings with the
responsibility of keeping alert for incipient fires. The
term is still used today by fire departments that task
building owners with this function when fire protective
systems are not working properly or other hazardous
temporary conditions exist.
41
Beginning in 2007, the District of Columbia Fire/EMS
Department realized that they needed to identify an
appropriate mechanism to disseminate intelligence
information throughout the organization in a cohesive
manner. The aftermath of 9/11 had resulted in the fire
department receiving multiple streams of intelligence and
situational awareness products from a variety of government
agencies and private sources. Many of these products
consisted primarily of suspicious activity reporting with no
analysis or direct nexus to terrorism. Others contained
valuable information concerning weapons and tactics that
potentially would impact emergency service operations and
could be coalesced into a usable form.
At that time the department had a weekly product that
was disseminated to all members titled “Fire watch”. The
Firewatch document was originally intended to provide
members with comprehensive information concerning unusual
conditions or special hazards that might be encountered
during normal firefighting activities and responses. The
department made the decision to change the calculus of its
42
intelligence enterprise and begin using the Firewatch
document as its earliest form of periodic intelligence
products. This product may also be titled as DCFD Intel
Brief.
Monday Report - As the DC FEMS intelligence
activities began to gain sophistication and became
integrated across the NCR intelligence spectrum, the
volume and quality of information received began to
improve. The DC FEMS Homeland Security branch was now
the clearinghouse for this information and (most
importantly) began providing an internal departmental
analysis on possible impacts and response considerations
that the information received posed.
By 2010 it had become apparent that sharing the
Firewatch document was no longer practical. It was
determined that the intelligence document should be issued
separately under a different title. The “Monday Report”
became the primary vehicle for conveyance of homeland
security related subject matter (such as intelligence) and
the Firewatch returned to its original function of providing
43
information pertinent to the core mission of the department,
fire/rescue operations
D.5.2 Washington Regional Threat and Analysis Center
(WRTAC)
WRTAC - The District of Columbia fusion center
known as the Washington Regional Threat and Analysis
Center (WRTAC) began releasing the Weekly Fire and
Emergency Medical Services Intelligence Briefing. This
document consisted of a variety of topics but included a
brief analysis by the local analyst to provide context
relevant to the local user. Until recently, the WRTAC
was staffed by a fire intelligence specialist. This
specialist was intimately familiar with the operational
capabilities of the DCFEMS and was therefore able to
tailor information to specific intelligence requirements
provided by the end user.
D.5.3 Other
There are a small number of other documents
released under the auspices of intelligence. These
included documents from other fire department
44
intelligence units, PowerPoint programs provided to the
department by colleagues and practitioners, memo’s, and
other similar documents. Where possible, they were
labeled to the releasing agency by type.
D.6 Content Classification of products
It quickly became apparent early in the evaluation
phase that the structure of the documents needed to be
identified in order to provide a fair and equitable
analysis, as well, as to be able to identify which format
provided the best product. There were basically three
subsets of products in the data pool. They consisted of
single source documents that were produced by an entity
entirely “in-house”, documents that provided a fire centric
analysis of another agency’s product or multiple similar
externally produced documents, and documents that contained
a multitude of brief descriptions of various topics,
sometimes as many as eight to ten where a hyperlink to more
information was attached. While the original thought was to
evaluate each subject in the document as a standalone entry,
45
a pattern of extremely low scores began to emerge from the
multi-topic documents.
It was determined to add a final category titled
“Situational Awareness” for documents qualified for this
final classification. Multi topic documents were evaluated
using a system that rated the item only to which HSEC
priority it addressed. As an example, a document may have
contained reports of a wildfire in California, a suspicious
package in Ohio, and a car bombing in Iraq. Each of these
headings were classified by the appropriate HSEC priority
without being graded on the ten intelligence questions
assigned to that topic questions
D.7 Limitations
There will be limitations regarding what the data will or
will not reveal. Primarily, the project will not reveal
whether or not geographic differences are represented. As an
example: if the data reveals that most fire intelligence
products are actionable or valuable, this project will not
be able necessarily replicate that finding across
jurisdictional boundaries. The opposite also hold true.
46
Should the results indicate that actionable intelligence
with the information is received; more research will be
needed to quantify the result. There are other limitations
too; among these limitations will be the sample size.
The sample size is significant, but not complete. It is
based on the number of documents provided for analysis. This
project examined 834 examples of fire service intelligence
information. There were 186 primary documents of which 30
were discarded for not containing any nexus to terrorism
(n=156 ). There were also 98 situational awareness documents
consisting of 562 separate entries of intelligence related
items (n-562). Each product required dissection,
classification, and analysis to be included in this project.
Walliman states that a quantitative data set can be
extracted from 20 or more surveys (Walliman 2007). However
the larger the rate of return, the more reliable the
information gained. Given the data set provided, it is
believed that a representative sample has been achieved and
that the information may be extrapolated geographically to
provide an insight to the state of fire service intelligence
47
An additional limitation is that the value of the
intelligence may be subjective to the respondents own
personal perceptions of intelligence. This survey instrument
attempted to negate this by limiting the answer options
available. Data tests involving multiple evaluators scoring
proved to be problematic and were discarded for time and
response reasons
In order to extract the “why?” from the data,
additional questioning may be needed. A telephone interview
with a select number of analysts based on qualitative
methodology was able to help to explain some of the
findings. The construct remained vague for a time until an
initial evaluation was done on the data received.
48
Appendix E: Analysis and Discussion
E.1 HSEC-1 Cyber Attacks and Exploitation
FSIP Rank: 1 FSIP Level of Concern: Critical
Number of Primary Documents: 5
Average Score: 2.1
High Score: 2.5 Low Score: 1.5
Analysis: The FSIE leadership identified Cyber Attacks and
Exploitation as the highest ranked threat yet there were
only five primary source documents in the data pool that
received an average score of 2.1 out of 10. In the
situational Awareness products there were 20 items that
touched on cyber related issues. Of these twenty, thirteen
appeared in documents produced beginning in the second half
of 2011 and continuing to 2013. The seven previous mentions,
the first being in 2008, were more focused on criminality
related cyber dangers such as clicking on email links and
changing passwords.
This is not as unexpected as it might seem. Cyber
related threats in general did not emerge as a concern to
the general public safety community until well after the
threat became a concern to technology and technology related
49
organizations. As awareness of the catastrophic potential of
cyber threats became better known, the fire service began to
understand the ramifications that it could have on
operations, communications, and service delivery models.
The fire service in general is not technologically
driven at the tactical operations level. For most of its
history the goal of the profession has been to deliver water
to extinguish fires. This relies heavily on mechanical
methods such as pumps and engines and manual labor to
advance hose lines into buildings. As the use of technology
has become more widespread and available, the fire service
has adopted it for command and control functions,
communications, and administrative management. Given this
set of facts, the threat posed by cyber attacks is more of a
strategic concern for leadership.
The modern fire service is heavily dependent on
technology for radio systems used to communicate, 911 call
centers, vehicle tracking management for asset allocation,
and personnel management. The NCR area departments have been
exposed to at least two of these system failures which
50
disabled the communications capabilities and the public 911
call centers. A piece of equipment failed in the District of
Columbia in the summer of 2009 causing the radio system used
by both police and fire departments to stop working. This
failure caused a great deal of tension and concern during
the period and led to the development of redundancies and
back systems. In June of 2012 a “derrechio” (a strong
thunderstorm) struck the NCR and left many northern Virginia
911 call centers unable to process emergency requests for
service. This failure was caused by a piece of privately
owned equipment operated by Verizon and led to further
improvements in that system (Yu, 2013).
The danger of a man made or state sponsored cyber event
is that the fix may not come so quickly or easily. One only
needs to look at the attack on Sony by the group “Anonymous”
to see how devastating and difficult to overcome a cyber
attack can be. In the above case, the personal information
of nearly 25 million users (along with an undetermined
number of credit card files) were compromised by a group
with no formal structure and motivated by a personal
51
vendetta against Sony (Schreier, 2011). Extrapolate the
scenario to a state sponsored attack with the goal of
crippling the United States electric grid or even nuisance
attacks with regional disruptions and it is readily apparent
the affect a cyber incident would have on service delivery
of emergency organizations.
E.2 HSEC-2 Disasters
FSIP Rank: 3 FSIP Level of Concern: Critical
Number of Primary Documents: 3
Average Score: 1.5 (Out of possible 2)
High Score: 2 Low Score: 1
Analysis: The category for Disasters is one of two that
contain a modified scoring metric primarily because natural
events are not contributable to an adversary. However,
disaster need not only be natural but can also be as a
result of human error, accidents, failures, and negligence.
Disasters of some degree are encountered by emergency
services on a regular basis across the continental United
States and territories. Given the frequency of these events
52
and the trend to make the state and local intelligence
community focus on an all hazards model, it is surprising to
see how few products were produced during this evaluation
period.
In the situational awareness products, disaster related
items compose only 2.6% of the total data. There are no
clear reasons for the paucity of data given the known threat
for this type of event. In other categories there were cases
of crossover where the data could be possibly misclassified.
As an example, weapons (HSEC-10) were often associated with
other HSEC categories aligned with criminality (such as
drugs, terrorism, and transnational organized crime). A re-
examination of the public health data (HSEC-6) revealed no
cross pollination with the disaster related items.
The findings are also surprising given the fire
service’s natural alignment with the Federal Emergency
Management Agency (FEMA). Since both organizations focus on
planning, response, and recovery activities it was expected
that disaster related products would make up a significant
portion of the overall data evaluated. Many of the
53
capabilities, resources, and skill sets needed to respond to
a disaster related event can be cross walked into a
terrorist attack. While there may be a degree of tactical
variation, a collapsed building from a tornado is
fundamentally the same collapsed building caused by a car
bombing. The ability to provide emergency care, triage, and
transport to persons injured by a chemical related
industrial accident only varies slightly from those needed
for an intentional act of the same scope and magnitude.
The findings do not mean that this type of “lessons
learned” knowledge is not occurring. Trade publications and
conferences frequently feature Incident Commanders and
responders from these events who report out on the strengths
and weaknesses of the responding agency’s response actions.
FEMA regularly offers a variety of training products related
to disaster response. Homeland Security Exercise and
Evaluation Program (HSEEP) funded exercises consistently
focus on disaster based scenarios. Currently, the knowledge
and information learned during Hurricane Sandy by first
responders in the New York City area is being disseminated
54
throughout the nation. The question then becomes: Is this
type of knowledge intelligence or information? The “ HSEC-
X.9: Homeland security countermeasures” question contains a
clause stating: the strengths and weaknesses of U.S. emergency response
operations will enable fire service personnel to anticipate vulnerabilities that
adversaries may attempt to exploit, and take appropriate actions to mitigate
related dangers.
Prior to Hurricane Sandy the fire department in
Wildwood New Jersey procured two New Jersey National Guard
“Low Boy” type tractor trailers designed to haul heavy
equipment. This action was taken based on prior incidents
where hurricanes had flooded the seaside community making
roads impassable. Fire Apparatus was loaded onto the
trailers and (during the hurricane) taken to the scene on
the back of the trucks. This allowed the fire apparatus to
arrive and function from the higher plane of the trailer.
Shouldn’t Hurricane Sandy have been considered an adversary
within the context of disasters and, if so, are actions such
as the above incident examples of countermeasures within the
context of intelligence question x.9 (countermeasures)?
55
Because of the small data set evaluated this question
remains unanswered; however, a similar pattern emerges in
the public health analysis with a larger data pool and it
provides support for the contention that the answer is
affirmative.
The creators of the Fire Service Intelligence Questions
document listed disasters as a critical priority. They
provided 8 sub-category questions within the HSEC 2 primary
questions to address the intelligence requirements. Although
the products evaluated scored consistently and significantly
higher that many of the other categories, the lack of data
inclusion is a glaring deficiency that warrants further
review. No graph has been provided due to the low number of
questions for this topic.
E.3 HSEC-3 Illicit Alien Operations
FSIP Rank: 9 FSIP Level of Concern: Relevant
Number of Primary Documents: 0
Average Score: N/A
High Score: N/A Low Score: N/A
56
Analysis: No documents focused primarily on were observed in
the data set. Even more surprisingly, none were noted in any
of the situational awareness products. This may as a result
of an oversight, a lack of access to this type of
intelligence, or a reflection of the low priority as
evidenced by the FSIP ranking. It is also very probable
based on observations, that much of the information
regarding illicit alien operations is being captured in
other areas such as weapons, transnational criminal
organizations, or drug related items. The lack of data
deserves attention and scrutiny for three primary reasons:
The relationship between illicit alien operations and
terrorism
The relationship between illicit alien operations and
gangs (particularly MS-13)
The large population of foreign born persons living in
the NCR.
The relationship between illicit alien operations and
terrorism is well established. An illegal alien has
participated in every major terrorist plot perpetrated
57
against the United States by foreign terrorists since
1993(Vernon, 2002). Furthermore, immediately following the
attack on the World Trade Center in 2001, federal law
enforcement agencies reacted by rounding up illegal aliens
that were suspected of having ties to terrorism. One of the
very first steps taken by the Federal Bureau of
Investigation (FBI) in evaluating the detainees was to
determine their immigration status. If the detainee was
living in the United States illegally, he or she was
arrested and held for further review by the FBI. If the FBI
deemed the detainee to be of "no interest," in reference to
possible connections with terrorism, the detainee was
released into the custody of the INS to assess the merits of
deportation. The fact that federal investigators instantly
turned to illegal immigrants as the most effective way to
identify possible links to terrorism is significant. (Graham
2004).
In the Washington metropolitan area, the gang Mara
Salvatrucha better known as MS-13 is well established. They
are a transnational criminal gang that originated in Los
58
Angeles and has spread to other parts of the country. In the
NCR they can be found in Washington, D.C. , Fairfax County,
Virginia, Montgomery County, Maryland, and Prince George's
County, Maryland with an estimated membership of more than
10,000.
According to a 2004 Washington Times article, MS-13
is actively involved in alien, drug and weapons smuggling.
More troublesome is that Adnan G. El Shukrijumah, a key al
Qaeda cell leader for whom the U.S. government has offered a
$5 million reward, was spotted in July of 2004 in Honduras
meeting with leaders of the Mara Salvatrucha gang
(Washington Times, 2004). El Shukrijumah was later
implicated in a plot uncovered in September 2009 and
targeted New York City’s subway system. He remains at large.
Given the smuggling infrastructure that MS-13 has in place
it is easy to understand why terrorist organizations would
seek to gain an alliance with them.
The NCR is home to a diverse group of foreign born
persons which totals approximately 13% of the population and
significant number are here illegally. While most are
59
hardworking productive members of society, not all are here
to live the American dream. Others might be sympathetic to
terrorist motivations and propaganda to the point where they
may self-radicalize. The Fire/EMS responders are uniquely
positioned to gain access to this community and information
by virtue of their daily activities. They enter residences
and businesses everyday as part of their response duties.
Solid intelligence information helps with situational
awareness and can lead to actionable intelligence. Fire
responders are generally more welcome and better received
than law enforcement responders. This allows the fire
service to build trust in the community and leads to better
relationships with the community residents. A. Chen has
researched the issue and proposes that alienation may
perhaps be a better term than radicalization to explain the
transformation of a person into an extremist. He notes that
“a particularly unfortunate consequence of the ill-formed
government response has been the erosion of trust between
Arab and Muslim communities and law enforcement. By
"alienating" Arab and Muslim Americans, law enforcement lost
60
a vital asset in the war on terrorism. Research confirms
that the government's major successes in apprehending
terrorists have come from international intelligence
activities, including the British government's foiling of a
terrorist plot in summer 2006 (precipitated by a tip from an
insider of the Arab British community), and law enforcement
cooperation with oppressed communities (Chen,2010)”. While
Chen’s research was focused primarily on Arab and Muslim
Americans, the construct can be applied on a broader basis
to encompass a large segment of the foreign born population
in the NCR. The fire service positioned well to either
identify some of these individuals by chance encounter or,
by developing trust among a population prone to distrust
government, gain access to information of value. Since there
is no data, no graph is provided
E.4 HSEC-4 Illicit Commercial Operations
FSIP Rank: 10 FSIP Level of Concern: Relevant
Number of Primary Documents: 6
Average Score: 3.1
High Score: 4.5 Low Score: 1
61
Analysis: Illicit Commercial Operations are those which pose
a risk to public safety due to the nature of the commodity,
the impact on emergency services, or the criminal,
terrorist, or state actors involved. While there is a
general understanding among analysts of the threat posed,
there appears to be a lack of understanding on the scope and
purpose of the evaluative criteria. This may be partially as
a result of the low frequency of events qualifying as
illicit commercial operations as indicated by the low
priority ranking assigned.
The threats posed by this category can be internal such
as organized theft of fire department fuel supplies or
trafficking in stolen uniform items, or external such as the
fuel theft from a Nigerian pipeline In the Nigerian case,
the apparatus to divert the fuel eventually caused the line
to fracture and the resulting explosion killed over one
hundred people (Murdock, 2012). To gain a better perspective
of the issue an evaluation of the sub question scores is
useful. Sub-category 4.1 focuses on the threat to Homeland
and National security interests. Five of the six evaluated
62
products received a zero in this area meaning that none of
the products could successfully articulate what the specific
threat was. The activity documented clearly posed a danger
to responder and public safety but fell short of being a
bona fide homeland security threat. Likewise sub-categories
4.2,4.4,4.5, and 4.7 all focus on characteristics of the
adversaries involved in the threat but the majority of the
products failed to identify either the adversary of any
attributes. The products did receive higher scores in sub
categories 4.4, 4.6, and 4.10 which addressed the
motivations of the actors, the locations of the incidents,
and the incident information. Part of the issue may be that
these events are being approached and evaluated from a
terrorism perspective but lack true terrorist indicators.
Similar results were found in the situational awareness
products where only four items that qualified under this
category were encountered. Many of these mentions addressed
lost or stolen vehicles containing flammable or otherwise
hazardous cargo. Unfortunately, other that a brief
description of the event no other information was provided.
63
It should be considered that while illicit commercial
operations can be part of a terrorist nexus, they can just
as likely be part of a criminal enterprise for financial
gain that lacks any homeland security threat value. In fact,
several products that may have been potentially classified
under this category were discarded because there was no
conceivable nexus to terrorism. As an example, there was a
very well written brief regarding copper theft from
commercial and utility properties that was not processed for
the above reason.
The differentiation between criminal acts and terrorist
acts was briefly noted in this and the illicit alien
analysis. The pattern also emerges in the drug trafficking
and transnational crime evaluations.
E.5 HSEC-5 Illicit Drug Operations
FSIP Rank: 6 FSIP Level of Concern: Important
Number of Primary Documents: 2
Average Score: 2
High Score: 2 Low Score: 2
64
Analysis: Only two primary products concerning drug
operations were present, however 9 incidents were included
in the situational awareness products. Many of these focused
on the illicit production of methamphetamine and may
partially explain why there were so few primary documents.
In many areas of the country the manufacture of
methamphetamine is pervasive and has resulted in numerous
incidents that fire/ems personnel have had to respond to.
The chemicals and chemical processes involved are frequently
flammable or even explosive resulting in death or injury to
the producers and exposing first responders to hazards. The
NCR hasn’t experienced this level of manufacturing activity
to date for reasons that are not abundantly clear given the
ease of production and the diversity of locations that meth
labs have been uncovered in. That is not to say that there
are no labs in the area because they do exist. In October of
2010, three students were arrested at Georgetown University
and charged with operating a meth lab in their dormitory and
in April 2012 a resident of the trendy Adams Morgan
neighborhood was arrested on similar charges.
65
The lack of products concerning illicit drug operations
is less troubling than it may seem at first glance. Fire/EMS
responders are well aware of the types of drugs available in
their response area and where they are located by virtue of
emergency medical responses. An informal query of personnel
assigned to drug infested areas on a regular basis may very
well reveal that they are capable of answering the majority
of the intelligence questions for HSEC-5. However, what they
possess is local knowledge and what is needed is the
perspective from “10,000 feet” given the relationship
between drugs and terrorist.
According to a 2004 Congressional report, drugs and
terrorism are connected in five ways:
Supplying cash
Creating chaos and instability
Supporting corruption
Providing “cover” and sustaining common
infrastructures for illicit activity
Competing for law enforcement and intelligence
attention (Klieman, 2004).
66
There are two primary points where the FSIQ intersect with
drug/terrorism nexus: supplying cash and common
infrastructure. The majority of the ten intelligence
questions can be answered by focusing on where the cash is
at the distribution point and the infrastructure that allows
all illicit commodities to traverse from one point to
another. There is a great fear that (according to Klieman)
“the interests of ideology-driven terrorists and money-
driven drug traders will converge” which will allow
terrorist to use existing illicit transportation
infrastructure to move weapons, personnel, and perhaps even
WMD material into the United States. No graph is provided
due to the low number of primary documents.
E.6 HSEC-6 Public Health Hazards
FSIP Rank: 2 FSIP Level of Concern: Critical
Number of Primary Documents: 7
Average Score: N/A (Out of possible 2)
High Score: 2 Low Score: 1.5
Analysis: Similar to HSEC-2 (Disasters), Public Health
Hazards contains a modified scoring metric. There are only
67
two primary question categories for this classification:
6.1-Risks to the US Homeland and 6.10-Incidents. Threats
considered public health hazards can include: infectious
diseases, health and medical risks resulting from incidents
or illicit activities, or environmental health threats
(FSIQ, 2012). The fire service is frequently a major factor
in any public health incident as a result of its emergency
medical care and transport capabilities. Given the
relationship between public health agencies and the fire
service, it come as no surprise that there were 7 primary
documents and 63 items in the situational awareness products
concerning public health. Public health was the second
ranked HSEC intelligence topic in the situational awareness
products behind terrorism.
Public Health hazards received consistently higher
scores that the majority of intelligence topics. In fact, it
became clear early in the assessment phase that the quality
of the information produced could not accurately be credited
using a 2 point system consisting of only 6.1-Risks to the
US Homeland and 6.10-Incidents. This phenomenon was also
68
observed in the analysis on disasters. The public health
products often contained valuable and comprehensive
information concerning methods, capabilities, and activities
of the adversaries (X.8), and countermeasures (X.9). This
assumes that one considers a public health threat in an
adversarial context. It should be noted that many of the
sub-categories to the two main intelligence questions
contain wording similar to the omitted questions and it may
have been the intent of the document creator to capture this
information within the confines of 6.1 and 6.10; however,
the consistent qualitative value of the information
evaluated provides strong evidence for the need to expand
the HSEC 6 questions.
To test this conclusion, the researcher began
assigning values of one (1) to the above mentioned
questions. This yielded two distinct scores, one score
consisted of the overall average for all the HSEC-6 primary
products and one score consisted of the overall average for
only those products which included information relevant to
the two questions. The scores are displayed below:
69
Table 3: HSEC 6 Modified Scoring MatrixIntelligence Question Overall Average Average of inclusive
documentsHSEC 6.8 .42 .75HSEC 6.9 .38 .7
These scores are a significant finding when you
consider the average score of 6.1 (Threat to the Homeland)
was .95 and that 6.10 (Incidents) was .9. Using a revised
four (4) point scale as opposed to the published two (2)
point scale, the average point per category for public
health hazards becomes .85. This score would qualify as the
highest average score of any topic
These higher end scores reflect a comfort level and
understanding among analysts with public health issues.
Analysts are successfully able to deconflict multiple
products and provide an agency specific product that is
timely and meets or (in this case) exceeds the information
sought in the intelligence question and sub-categories. Much
of this can be attributed to the fact that emergency
70
services organizations are frequently the operational and
response component of public health agencies and as such,
frequently participate in planning, preparedness, and
training exercises alongside their public health
counterparts. The importance of this joint training is noted
in an article by Christopher Nelson and others who state
“Public Health Emergency Preparedness is not a steady state;
it requires continuous improvement, including frequent
testing of plans through drills and exercises and the
formulation and execution of corrective action plans
(Nelson, Lurie & Wasseman, 2007). We must also consider the
fact that public health intelligence analysts are becoming
more common place in State and local fusion centers. Their
expertise, focus, and knowledge may be helping to drive the
higher scores. In the case of the data set used for this
project, during at least part of the time period the WRTAC
has a PH analyst assigned to it. That and the H1N1 outbreak
in 2009 may have contributed to the higher scores.
A value added benefit of a strong public health
analytical ability is that it helps to increase the
71
resiliency of emergency response organizations. Public
health emergencies can stress response organizations by
affecting members both on and off duty as well as their
families. Unlike a terrorist attack which is usually a short
duration event, a public health threat such as an epidemic
can last weeks and even months. It can also affect a large
geographical area impacting the ability of emergency
response organizations to provide or receive mutual aide.
Understanding the path and mechanism of contagion can help
analysts provide countermeasures to help slow the spread and
mitigate the impact of the event. The strong relationship
between public health organizations and emergency services
increases the flow of intelligence to responders before and
during the event.
E.7 HSEC-7 State Sponsored Operations
FSIP Rank: 8 FSIP Level of Concern: Relevant
Number of Primary Documents: 2
Average Score: 6.5
High Score: 8.5 Low Score: 4.5
72
Analysis: State sponsored operations consisted of only two
documents so it is difficult to make an accurate assessment
of the FSIQ’s effectiveness in exploiting this category. The
lack of documents could be attributed to the overall lack of
threat during the time period evaluated. This is unfortunate
given the current state of world affairs where both Iran and
North Korea have significantly increased the amount of
rhetoric and propaganda. There is concern that either of
these two (or other state actors with nefarious intentions)
could engage the multitude of terrorist and criminal
organizations willing to act as their proxy.
The U.S. State Department considers Iran “the
world’s most active state sponsor of terrorism,
providing weapons, funding, training, and support
numerous terrorist organizations (Bruno, 2012). A recent
example of Iranian state sponsored terrorism occurred in
our own backyard: In October 2011, Washington accused
the Quds Force of plotting to assassinate the Saudi
ambassador to the United States, and plotting to bomb
73
the Israeli Embassy in Washington and the Saudi and
Israeli Embassies in Argentina (Savage & Shane, 2011)
A primary concern with the potential impact of
state sponsored terrorism is access to WMD materials and
weapons. The Iranians know that any attack on the United
States would result in swift and severe retaliation.
This serves as deterrence and provides a check and
balance against their ambitions. While Iran may not
resort to using a WMD attack or launching a nuclear
missile at the continental United States, it may be so
inclined to provide one of its proxies with the weapon
or equipment. State sponsorship of terrorism occurs when
governments provide supplies, training, and other forms
of support to non-state terrorist organizations. One of
the most valuable types of this support is the provision
of safe haven or physical basing for the terrorists'
organization (Terrorism, 2012).
E.8 HSEC-8 Terrorist Operations
FSIP Rank: 4 FSIP Level of Concern: Critical
Number of Primary Documents: 89
74
Average Score: 5.7
High Score: 10 Low Score: 0
Analysis: There were 89 primary products which were
categorized as HSEC-8 “Terrorist Operations”. The volume of
products is not in itself surprising considering that the
origin of the fire service intelligence enterprise can be
traced back directly to the events of 9/11 and the ensuing
effort to prevent another attack from occurring or preparing
for the different threat scenarios.
While the average score of 5.7 may seem low to some it
should be remembered that this effort started off with very
little guidance or training to the earliest analysts and
that information sharing relationships with more mature
intelligence agencies were still being formed. A better
measure of the effectiveness and progress can be observed by
examining the median scores grouped by years. The median
score for products issued prior to 2008 was 2.5. The
majority of these products could be characterized as
situational awareness products and led to the creation of a
separate table because the researcher recognized the lower
75
scores would skew the results. The median score for
documents created post January 2011 was 6.5 (nearly an
entire point higher than the average). This is a significant
finding and affirms the progress that the fire service
intelligence enterprise has made in just a few short years.
It also points to the refinement of the process which will
be further explored in the conclusion
A review of the average score of each intelligence
question reveals that the scores are generally consistent
with the mission of the fire service to prepare, respond,
and mitigate any event. The scores indicate that products
nearly always identified the threat to the homeland and
which group the threat was being attributed to. Suspicious
behaviors and information about the specific incident also
received average scores higher than .6 (out of a possible 1)
meaning that this type of information was consistently being
included in products. Lower scores (defined as less than .5)
were generally found on questions addressing adversary
activities such as plans and assets. This is also not
surprising given that the fire service has little or no
76
responsibility for interdiction activities such as deterring
or detecting plans and that intelligence agencies are
hesitant to reveal any classified information that could be
leaked and alert the targets that they have been detected.
The results from one question are cause for concern.
The average score associated with 8.9 “Homeland Security
Countermeasures” was 5.4. The questions for homeland
security countermeasures included response and recovery
countermeasures, infrastructure countermeasures, and danger
to operations and personnel. These are all legitimate fire
service activities and the score indicates a gap in either
knowledge or training. This is troubling because the fire
service has placed a premium on safe operations since 2004
when the National Fallen Firefighter Foundation launched the
“Everyone Goes Home” safety initiative (NFFF, 2005). In
order evaluate this finding from the perspective of the
improvements noted to the average in the latter years; a
mean test was done on the post 2011 products for this
question. The post 2011 products provided a mean score of 1.
This indicates that the deficiency has corrected itself
77
either accidentally or intentionally and is no longer a gap;
however, the finding is included to ensure that the readers
are aware and cognizant of the subject in the context of
firefighter safety.
E.9 HSEC-9 Transnational Violent Crimes
FSIP Rank: 7 FSIP Level of Concern: Important
Number of Primary Documents: 12
Average Score: 5.04
High Score: 6.5 Low Score: 3
Analysis: The Transnational Violent Crimes priority includes
elements of organized crime, gangs, pirates, outlaw
motorcycle groups, and other criminal enterprises with
global reach. This priority closely intersects with illicit
alien operations, illicit commercial operations, and illicit
drug operations. It is also frequently mentioned in the
weapons proliferation topic.
In comparison to the related topics, transnational
violent crimes received a fairly high score and consisted of
12 primary documents. Most of the documents addressed
domestic activities and incidents proliferated by gang
78
related activity. While it is difficult to gauge the impact
of this topic on the fire service (as opposed to domestic
criminal activity), it is clear that there is an impact on
our national security. The activities of significant
transnational criminal organizations continue to pose an
unusual and extraordinary threat to the national security,
foreign policy, and economy of the United States. This
prompted the President to issue Executive Order 13581 on
July 24, 2011 declaring a national emergency (Executive
order 13581, 2011).
Of greater concern for fire/ems entities is the nexus
between transnational activity and terrorist operations. The
connection has been noted before in the discussion on HSEC-3
and HSEC-5 concerning illicit alien operations and drug
trafficking but bears mentioning again. This hybrid threat
goes well beyond the traditional non-state theory of
constraints activity, such as drug trafficking, money
laundering, and human trafficking, into the potential for
trafficking related to weapons of mass destruction by
79
designated terrorist organizations and their sponsors
(Farah, 2012)
E.10 HSEC-10 Weapons Proliferation
FSIP Rank: 5 FSIP Level of Concern: Important
Number of Primary Documents: 27
Average Score: 4.75
High Score: 9 Low Score: 1.5
Analysis: This topic had the second highest number of
primary products after terrorist operation with 27. The
majority of the subject matter explored primarily weapons of
mass destruction (WMD) such as explosives,
chemical/biological agents, and radiation/nuclear threats.
The high number of products was expected for three reasons:
1. The majority of terrorist events involve explosives of
some configuration ranging from pipe bombs to vehicle
bourn improvised explosive devices.
2. The frequency of incidents involving explosives in the
Iraq and Afghanistan which led to a large volume of
information on tactics, techniques, and countermeasures
being disseminated to emergency response organizations.
80
3. A large gap in knowledge and capabilities existed
regarding chem./bio weapons and rad/nuc devices
Weapons proliferation can significantly impact fire
service organizations. They can cause damage to
infrastructure and result in mass casualties or deaths. The
fire/ems services are usually the primary responder to an
event and are responsible for search and rescue, emergency
medical treatment and transport, extinguishment, and
building stabilization. The majority of these activities
have to be completed prior to law enforcement agencies
conducting investigations and collecting evidence. In order
to ensure responder safety, departments must be aware of the
threats and hazards associated with the various types of
WMD’s and be equipped with the proper sensors and monitors
to identify any substance. They must also ensure that
responders have been issued appropriate personal protective
equipment and wear to allow them to enter a dangerous or
toxic environment to effect rescues of victims.
An examination of the average scores for the
intelligence questions revealed a pattern that is quite
81
similar to what was found in the HSEC-8 Terrorist Operations
questions. Two of the questions 10.1 (Threats) and 10.8
(Methods and Capabilities) had average scores of .81 and .87
respectively. This topic was the only one which had above .8
on two questions. This would indicate that fire service
analysts are doing an excellent job capturing and relaying
general information about WMD weapon threats and technical
information concerning initiation, device construction,
dispersal patterns, and blast effects.
Two issues of possible concern are the overall average
and the score for question 10.10 “Incidents”; however, a
closer examination of the data helps to explain these
scores. While the average score of 4.75 may seem to be low,
this can be attributed to low scores related to adversarial
conduct similar to what was notes in the HSEC-8 “Terrorism”
analysis. The majority of information in these products
deals with the actual operation and effects of the weapons
and not the actions of the perpetrators. Question 10.10
addresses incidents and received an average score of 6.1
which may seem to be inconsistent given the higher scores
82
for 10.1 (Threats) and 10.8 (Methods). A re-examination of
the weapons products indicated that many of them were
focused solely on the weaponry and not necessarily
associated with any particular incident. As an example, one
document discussed radiation dispersal devices in
comprehensive detail including construction, components,
impacts, and response. However, since the document didn’t
reference a specific incident or actor it received an
overall final score of 5.5 (far below the actual value of
the document in the opinion of the researcher. To test these
findings, the average score for only questions related to
the weapons were averaged and the remaining questions
concerning the adversaries were eliminated, below are the
results of this query.
Table 4: HSEC-10 Modified Scoring MatrixQuestion Average
10.1-Threats 0.814
10.3-Suspicious Activities
and behaviors 0.518
83
10.8-Methods and
Capabilities 0.87
10.9-Countermeasures 0.574
Average 0.694
The resulting average of .69 is would translate to an
average score of 6.9 on a 10 point scale, significantly
higher than the overall average of 4.75. Given these
findings, the committee may wish to consider eliminating
adversary questions from the priority similar to the scale
modifications on Disasters and Public Health.
E.11 Situational Awareness Products
FSIP Rank: N/A FSIP Level of Concern: N/A
Number of Primary Documents: 98
Overall Number of Topics Examined: 562
Average Number of HSEC Topic per Product: 4.75
High Number (Topics per primary document): 10
Low Number (Topics per primary document): 2
Analysis: Situational awareness products are defined as
products which contain multiple HSEC topics in one document
and provide relevant, current, and timely information on
topics of interest to the fire service community. They
84
usually contain only basic information about a topic or
incidents and frequently include a link to take the reader
to more information. Our data set averaged 4.75 topics per
product. One document had 10 different topics but others
only had two or three items.
. Early in the project it was discovered that these
product generally did not contain enough content to be
evaluated in the rigorous manner of this undertaking and
that the low scores would affect the results of the
analysis. However, these products are frequently (in some
cases daily) published by emergency management agencies,
fire service intelligence analysts, and fusion centers
across the nation. They are valuable in being able to
provide the leadership with a brief executive summary of
pertinent incidents and provide readers the ability to
further explore incidents of interest with hyperlinks. Most
are based on Open Source Intelligence (OSINT). Open Source
Intelligence can be defined as “unclassified information
that has been deliberately discovered, discriminated,
distilled and disseminated to a select audience in order to
85
address a specific question (Robson, 2009). Because of
their widespread use and popularity, it was felt that an
interesting sidebar to this project would be to classify
them by the primary intelligence topics.
The results of the survey found a pattern of frequency
that was nearly identical to what was discovered in the
primary pool of documents. Terrorist operations items
appeared 251 times meaning HSEC 8 topics comprised 44.6% of
the entries. This was expected considering the producers of
the documents work in organizations whose primary duty is
addressing the implications and impacts of terrorism and
other major impact events. What was surprising is that HSEC-
6 Public Health Hazards had the second highest number of
entries with 63 entries or just over 11%. This could be a
result of the presence of public health analysts in fusion
centers as discussed previously in the HSEC-6 analysis. This
was followed by weapons proliferation at 60 entries or
10.5%. Another finding of interest was that illicit alien
operations didn’t receive any mentions, nor did state
86
sponsored operations. The remainder of the HSEC topics
appeared to be represented in proportion to the primary
documents. A graphic representation of this is available on
the graphs in Appendix 1.
Appendix F: Results of HSEC Intelligence Questions
Analysis
It is useful to examine the outcomes related to the
individual intelligence questions to gain further insight to
why the overall scores computed the way they did. The ten
intelligence questions were designed to be applied uniformly
across the entire spectrum of topics with the previously
noted exceptions for disasters and public health
F.1 HSEC-X.1: Threats to the U.S. homeland and national
security interests
Analysis: This question was examined and graded in the
broadest context to provide the benefit of doubt to the
analysts given that the grade is applied retroactive to the
product. The grade for this question did not mean that an
actual emerging threat to the homeland was being identified
87
(while this particular question was not captured, there were
very few products which indicated any imminent threat) but
that the subject matter could be considered relevant and
timely. Simply put the grading criteria at its most basic
level was “Could it happen here?” If the answer was yes then
the product received a value for X.1.
In general all of the products were successful in
relating the threat to the homeland. The overall average
was .61 with public health receiving the high score of .95.
This finding indicates that analysts are successful in
capturing public health related incidents, events, and
trends that could potentially occur on U.S. soil.
F.2 HSEC-X.2: Adversaries
Analysis: This question focused on who the actors in the
threat are including biographical information, material
support networks, and activities. The average score for this
question was .34. The lack of adversarial information flow
has been discussed in previous sections; as well as,
potential impediments. One fire analyst interviewed believed
88
that clearance issues and information hoarding by
intelligence agencies is the primary cause for the lack of
adversary information. He reported extreme difficulty in
creating and getting approval for redacted products that
could be released as FOUO. He also believed that the shroud
of secrecy was excessive and not necessary for the majority
of the information he sought to disseminate
F.3 HSEC-X.3: Suspicious activities and behaviors
Analysis: This question seeks information and awareness
concerning activities and behaviors that are cause for
concern and can indicate with some predictive capability
operational preparations and planning. The average score for
this question was .47 which at first glance would appear to
be low, however, it should be considered that two topics
(Disasters and Public Health) don’t contain this question
and other topics had a low number of primary topic products.
If one examines the scores for the top three topics with the
most primary documents that contain this question
(Terrorism, weapons, transnational crimes) the score rises
89
to .61. This score would seem to be more consistent with
what the researcher observed while reviewing the products.
Generally, analysts were consistent in specifically
identifying suspicious activities behaviors.
F.4 HSEC-X.4: Knowledge elicitation by adversaries
Analysis: The FBI defines elicitation as “The strategic use
of conversation to extract information from people without
giving them the feeling they are being interrogated” (FBI,
n/d). This question received an average score of .24. As
previously discussed in the topic evaluations, information
about adversarial techniques, methods and behaviors
continues to be elusive for fire service analysts. It should
be noted, however, that several products directed at the
fire service concerning elicitation were observed during the
evaluative phase. This indicates that analysts are cognitive
of the issue and have attempted to address it by providing
products to the operational personnel to raise situational
awareness of the subject.
90
F.5 HSEC-X.5: Motivations, indicators, and plans of
adversaries
Analysis: This question seeks information on adversary
targets that could compromise the continuity of emergency
service operations. The average score was .31 which confirms
again the problem analysts are having in obtaining relevant
adversary information. Analysts are definitely aware overall
of the need for this information and where the information
has been provided to them, generally receive adequate scores
for this topic question. However, a large number of products
did not receive any points for this question which suggests
that they are not receiving the data.
F.6 HSEC-X.6: Locations and targets of adversary operations
Analysis: This question is self explanatory and received an
average score of .46. What should be noted here is that as
the questions move away from whom and when the adversary’s
attention is focused on to what (locations and
infrastructure) the adversaries may attack, the trend line
begins to improve. The Washington Metropolitan area has
91
numerous iconic and government buildings that could be
considered premium targets. There is no secrecy surrounding
this fact and our adversaries have openly admitted their
desires to attack here.
These same locations are also considered high risk to
the fire service because of their value and sometimes heavy
occupant load. Local response agencies have extensive
information regarding the infrastructure and hazards in
these locations and that information is updated regularly.
The structures face as much threat from fires or other all
hazard responses as they do from the HSEC topics, therefore,
analysts have access to sufficient information.
F.7 HSEC-X.7: Assets of adversaries
Analysis: This question addresses general assets and
specifies government assets such as uniforms, equipment, and
human intelligence sources that adversaries may have access
to. The overall average for this question was .14 which
indicates little if any information flow is occurring. This
may be a result of investigative security, lack of
92
clearances, or a failure of intelligence agencies to
understand the need for the fire service to have the
information.
F.8 HSEC-X.8: Methods, capabilities, and activities of
adversaries
Analysis: This question focuses on tactics, techniques of
adversaries and received an average score of .58. The
tactics and techniques of an attack will impact fire/ems
response directly and are a prime consideration for
operational planning. Again we see the trend line improve as
the questions move away from whom to how. It should be noted
that the averages for the ten topics are being impacted by
the zero (0) received for HSEC-3 Illicit Alien Operations.
In this case, if we discard the zero for HSEC-3 the average
score rises to .72, which implies that this information is
getting into products regularly and comprehensively.
F.9 HSEC-X.9: Homeland security countermeasures
Analysis: This question received an average score of .23.
This is a cause of great concern and was briefly discussed
93
in the HSEC-8 Terrorist Operations analysis. While many of
the sub-questions request information concerning subjects
that may be considered law enforcement sensitive (LES), two
of the sub-questions:
Response and recovery countermeasures
Dangers to homeland security operations and personnel
These directly address responder safety and operations which
should have ensured a significantly higher score. It
should also be noted that HSEC-6 Public Health Hazards
does not contain this question but the primary documents
were found to contain a significant amount of information
that would have been classified as countermeasures as was
discussed in the analysis for that topic
F.10 HSEC-X.10: Incidents
Analysis: Incidents received a rating of .63. This finding
was expected as many of the products originated as a result
of attempted of successful operations. If we again discard
the zero for Alien operations the score rises to .7
94
One area of concern was noted. The score for cyber
related incidents was .1. This is consistent with the other
low scores for the remaining nine intelligence questions.
Given that cyber related incidents have been labeled as the
highest priority, the gap between the average and the cyber
score is significant. This will be discussed further in the
conclusions
Appendix G: Summary
This project required the examination of 834 examples
of fire service intelligence information. In answer to the
research question, the conclusion is that yes, intelligence
information is being passed down to fire service analysts.
However, most of the information passed and disseminated
focuses primarily on the terrorist and associated activities
with a criminal nexus (such as weapons proliferation) that
impact fire and EMS response operations. While the products
have matured and been refined over the course of the years
the goal of actionable intelligence is still elusive and
substantive gaps of information still exist.
95
The proposed Fire Service Intelligence Questions
document has shown itself to be a valuable tool in two
primary ways:
Providing intelligence producers and collectors with
the intelligence requirements for the fire service
Providing fire service intelligence analysts with a
guideline or template to use when creating intelligence
products to ensure that the products are comprehensive
and inclusive of the information needs.
An examination of the time period that the product was
produced helps the reader understand the maturation process
with greater clarity. During the 2007-2008 period the
majority of products could be considered as situational
awareness products or were generated as a result of
suspicious activity reporting. There was some degree of
analysis but little information to analyze. In 2008 the
products begin to include links to DHS material which
provided for a “deeper dive” but still lacked local
analysis. 2009-2010 saw the emergence of public health
issues primarily as a result of the H1N1 outbreak. Other
96
items were directed more towards hazardous material response
operations and the majority of criminal and drug related
items addressed the growing concern with clandestine
methamphetamine laboratories (primarily elsewhere). From
2011 on a paradigm shift emerged where the local products
began to include the DHS intelligence products, specifically
those produced by the DHS Office of Intelligence and
Analysis (I&A). These products contained a local analysis
which usually included referring the reader to the
department’s related standard operating guidelines,
potential targets, and a much greater body of information
than the predecessor documents.
The products that received the highest score usually
had two commonalities
The documents were produced beginning in 2010 and
thereafter
The documents were fused with DHS or other federal
product.
In fact, nearly every document that received a grade of 7 or
greater met this criteria. The DHS documents normally
97
included answers to many of the intelligence questions and
the local analysis provided context and a local
perspective.
Analysts in the trenches still report a great deal of
tension and frustration with the process of transferring
information to non- traditional intelligence partners.
Efforts to redact sensitive data are often time consuming
and require approvals from too many different agencies with
competing agenda’s. Law enforcement agencies routinely
classify documents as LES even when they are collated from
open source products.
It should also be noted that a score on the lower end
did not necessarily indicate a weak or deficient product.
Rather it indicated that the product was not wide-ranging or
inclusive of enough questions to garner a higher score. Many
of the products provided an outstanding analysis that was
narrowly focused.
Appendix H: Recommendations
1. HSEC-1 - Cyber Attacks and Exploitation – The working
group should evaluate if cyber reporting has increased
98
since 2012. Additional training for analysts must be
provided for them to understand the technical processes
and ramifications of nefarious cyber activity.
Cyber security is generally accepted to be the most
critical and prevalent security threat present today at any
level. As such, many information managers are well versed
and active in ensuring that organizational information
systems are resilient and equipped with redundancies. If
this topic is considered to be the top priority by the FSIE
much work needs to be done. This may be a case of
information silos built up between the organization’s
information technology division and the intelligence
division. Departments should start their search for
solutions by reaching inward to their own information
technology assets.
2. HSEC-2 – Disasters- The working group should examine
the under representation of disasters and consider
increasing the number of intelligence questions
Information concerning disasters was seriously
deficient in the data pool. The creators of the Fire Service
99
Intelligence Questions document listed disasters as a
critical priority yet very few primary documents were
encountered. The documents that were reviewed received high
scores, which indicate that they were well rounded. The
current trend for intelligence and fusion centers at the
state and local level is an all-hazards approach and
rightfully so given the frequency of these events.
3. HSEC- 3 – Illicit Alien Operations – The working group
should determine if the lack of inclusiveness is
geographic based or replicated elsewhere and examine
whether intelligence sources are sufficient.
Given the relationship between other criminal topics
and Alien Operations, analysts need access to this type of
information to “connect the dots”. DHS CBP assets and
relationships may needed to be expanded and exploited to
gain better insights
4. HSEC- 4 – Illicit Commercial OperationsHSEC -5 - Illicit Drug Operations,
HSEC -9 – Transnational Domestic and Organized Crimes
100
The working group should consider merging the three
above topics into a single category under HSEC-9.
There is a general lack of information specifically
related to HSEC 4&5. Much of the information reviewed
focuses primarily on hazard material management and response
and includes little if any adversary information. This begs
the question: Is this intelligence or hazardous material
based situational awareness? There is also significant cross
over since HSEC 4&5 often are associated with organized
criminal enterprises on some level.
5. HSEC-6 – Public Health Hazards - The working group
should examine the under representation of Public
Health Hazards and consider increasing the number of
intelligence questions
Similar to disasters, Public Health Hazards (the 2nd
highest priority) is under represented and contained a well
rounded body of information for questions that are not
included. Please review the topic analysis for a further
rational.
101
6. HSEC-10 – Weapons Proliferation- The working group
should consider removing the adversarial questions from
the priority similar to the scale modifications on
Disasters and Public Health.
As noted in the topic analysis, many of the HSEC-10
products addressed technical and response
considerations. While adversary content is valuable if
available, in most cases it will only slightly alter
response protocols. The emphasis on the danger of the
weaponry itself is proper and far more valuable
7. Training- The working group should partner with other
concerned parties such as the IAFC, USFA, or NFPA to
develop a tiered analyst training program.
Currently there is not an organized training program
for personnel performing the function of a fire service
analyst. Many of the personnel currently functioning in this
capacity are experienced members of their department who
either get promoted out of the position or quickly reach
retirement eligibility and leave. Most fire department
102
functions such as fire officer or fire inspector have a
corresponding certification program to ensure competencies
are met. The fire intelligence officer should be included
also.
8. Continuing Education Training- The working group should
determine what type of continuing education is
available to analysts to increase and maintain their
skill set
As we have seen with cyber security, threats are
continuously changing and evolving. It is imperative that
analysts be given access to updated, current, and relevant
information in order to provide products of value to the
intelligence consumer
9. Intelligence Question X.9- Homeland security
countermeasures- The working group should examine the
low indicators associated with this question and
recommend corrective action.
As discussed in the question analysis section.
Information about countermeasures impacts not only
operational planning and response; but also, personnel
103
and responder safety. Stand- off distances, PPE, and
other safety related information should be emphasized on
all products.
10. Clearances- The working group should examine the
clearance processes and seek ways to increase access to
information.
While not necessarily part of the scope of this
project, interviews with the analysts reveal a constant
pervasive frustration with this subject and strongly feel
that the issue is impeding the flow of information that is
valuable and timely.
11. Situational Awareness Products - The working group
should develop a separate standard for situational
awareness products to deconflict intelligence and
information.
Situational Awareness products have a valuable place in
the fire service intelligence enterprise. They provide the
consumer with the opportunity to quickly examine multiple
topics and usually provide access to a supplemental source
of information. However, the format is not robust enough to
104
include the span of information required by the FSIQ
document. There appears to be confusion on the part of
analysts as to the differences between intelligence and
information.
12. Strategic and Policy Oversight- The working group
should use the FSIQ document as a starting point in
developing strategic and policy documents
Having identified the intelligence requirements, the
working group should expand the scope of its activities to
include: “what we do with it “and “how we manage it”. There
appears that there are few if any guidelines or standards
for this area
13. Product Content- The working group should advocate
a layered approach to products including DHS
intelligence products when available.
As noted in the summary, the most recent products that
were attached to federal products received significantly
higher scores that stand alone products for the same period.
Because the DHS intelligence apparatus is so vast,
105
exploiting its products allows the analyst to focus on local
analysis to provide context.
14. Continuity and Sustainability- The working group
should dialogue with the National Fire Service
organizations and Homeland Security Agencies to ensure
that the Fire Service Intelligence Enterprise is
properly funded and recognized.
The current initiative is significantly funded
nationwide with homeland security grant funding. There is a
concern that the initiative would be susceptible to cuts in
federal funding. If one wondered why the data pool from 2012
was significantly smaller than 2011, it is because the
analyst responsible for the products was detailed to a
different assignment and funding to backfill the position
wasn’t available. If a city that contains as many high value
targets as Washington DC has difficulty funding these
positions, how hard must it be for smaller, less high
profile agencies to participate?
106
Appendix I: Conclusions
Despite facing many obstacles, both internal and
external, the FSIE has made great strides since its violent
birth on 9-11. A review of the products from the early
origins to the most recent products clearly shows a
maturation and sophistication in content and analysis. The
proposed Fire Service Intelligence Questions document will
further advance this effort and bring a sorely needed
uniformity to the endeavor. It will also provide guidance
and direction to those who will follow the original pioneers
as they advance in rank or retire.
That’s not to say that the document is perfect and
without flaw because there is always room for improvement.
To be valid and relevant, the document must remain living
and flexible.
I have every confidence in those committed in this
endeavor today. I have spoken to many people in preparing
this document, some who I have known and some who I have
recently become acquainted with, and am struck by their
dedication commitment and passion for the FSIE. It is my
107
hope that in some small way that this project will
contribute to this effort. Threats are constantly changing
and new threats emerge. Technology continues to improve and
provide us with both opportunities and challenges. We must
be ready to face both.
108
Appendix J: Bibliography
Alitzer, L. (2012). Survey research: A summary of best
practices. Retrieved from
http://www.ethics.org/resource/survey-research-summary-
best-practices
Al Qaeda seeks tie to local gangs. (2004, Sept 28).
Washington Times. Retrieved from
http://www.washingtontimes.com/news/2004/sep/28/20040928-
123346-3928r/
Borsch, C. (2011, October). Best practices for survey
research. Retrieved from
https://docs.google.com/viewer?
a=v&pid=gmail&attid=0.1&thid=137d7f673a615
8a5&mt=application/pdf&url=https://mail.google.com/mail
/u/0/?
ui=2&ik=aec305fb18&view=att&th=137d7f673a6158a5&attid=0
.1&disp=safe&zw&sig=AHIEtbTmA2iENnccUvHT6Th1p-
nMF0WsXg&pli=1
Bruno, G. (n.d.). State sponsors: Iran. (2011). Council on
Foreign Relations, Retrieved from
http://www.cfr.org/iran/state-sponsors-iran/p9362
109
Chen, M. (2010). Alienated: A reworking of the
radicalization thesis after september 11. The American
University Journal of Gender, Social Policy & the Law, 18.3, 411-427.
Retrieved from
http://search.proquest.com.proxygw.wrlc.org/docview/928
957230/abstract?accountid=11243
Donnelly, J., Townsend, K., Sullivan, J., & Monahan, T.
(2010). “Intelligence-led mitigation”. Journal of
Homeland Security and Emergency Management, 7(1)
Elicitation techniques. (n.d.). Retrieved from
http://www.fbi.gov/about-us/investigate/counterintellig
ence/elicitation-techniques
Executive order 13581--blocking property of transnational criminal
organizations. (2011, July 25). Retrieved from
http://www.whitehouse.gov/the-press-office/2011/07/25/e
xecutive-order-blocking-property-transnational-
criminal-organizations
Farah, D. US Army War College, Strategic Studies Institute.
(2012). Transnational organized crime, terrorism, and criminalized
states in latin america: An emerging tier-one national security priority.
Retrieved from website:
110
http://www.strategicstudiesinstitute.army.mil/pubs/disp
lay.cfm?pubid=1117
FY 2012 homeland security grant program (hsgp). (2012, April
09). Retrieved from
http://www.fema.gov/government/grant/hsgp/
Graham, C. (2004). Defeating an invisible enemy: The western
superpowers' efforts to combat terrorism by fighting
illegal immigration. Transnat'l L. & Contemp. Problemss, 281,
285-289. Retrieved from
http://heinonline.org.proxygw.wrlc.org/HOL/Page?
handle=hein.journals/
tlcp14&collection=journals&page=281
Gonzales, R. (2010). Transforming executive fire officers –
A paradigm shift to meet the intelligence needs of the
21st century fire service (Master’s thesis, NAVAL Post
Graduate School)
Heirston, B. (2010). Firefighters and information sharing:
Smart Practice or Bad Idea? Homeland Security Affairs, VI
(2), Retrieved from WWW.HSAJ.ORG
111
Joval, R. (2012). State fusion centers; their effectiveness in information
sharing and intelligence analysis. El Paso: LFB Scholarly
Publishing LLC.
Kleiman, M. Library of Congress, CRS Report for Congress.
(2004). Illicit drugs and the terrorist threat: Causal Links and
Implications for Domestic Drug Control Policy. Retrieved from
website: http://www.fas.org/irp/crs/RL32334.pdf
LaFranchi, H. (2012, October 12). MS-13 gang labeled
transnational criminal group, a first for US street
gang. Christian Science Monitor. p. N.PAG.
Migration policy institute. (2013). Retrieved from
http://www.migrationinformation.org/datahub/acscensus.c
fm
Murdock, H. (2012, July 12). Nearly 100 killed in Nigeria fuel
explosion, fire. Retrieved from
http://www.voanews.com/content/nigerian_gas_truck_explo
sions_kills_dozens/1403624.html
Nelson, C., Lurie, N., & Wasseman, J. (2007).
Conceptualizing and defining public health emergency
preparedness. American Journal of Publi, 97, 11-13. Retrieved
from
http://www.ncbi.nlm.nih.gov/pmc/articles/PMC1854988/
112
Neill, J. (2007, February). Qualitative versus Quantitative
research: Key Points in a Classic Debate. Retrieved
from
http://www.wilderdom.com/research/QualitativeVersusQuan
titativeResearch.html
Qualtrics, Inc. (2011). About surveys. Retrieved from:
http://www.aboutsurveys.com/category/survey- benefits/
Randol, M. Congressional Research Service, Department of
Homeland Security. (2009). Intelligence enterprise:
Operational overview (R40602). Washington DC:
Robson, T. (2009). A burning need to know; the use of open source
intelligence in the fire service. (Master's thesis, Naval Post
Graduate School).
Richardson, T. (2010). Identifying best practices in the dissemination of
intelligence to first responders in the fire and EMS services.
Unpublished manuscript, Naval Post Graduate School,
Monterey, California.
Schreier, J. (2011, May 05). Sony hacked again; 25 million
entertainment users’ info at risk. WIRED, Retrieved
113
from http://www.wired.com/gamelife/2011/05/sony-online-
entertainment-hack/
Seigle, D. (n.d.). The assumptions of qualitative designs.
Retrieved from
http://www.gifted.uconn.edu/siegle/research/Qualitative/qual
quan.htm
Savage, C., & Shane, S. (2011, Oct 11). Iranians accused of
a plot to kill Saudis’ u.s. envoy. The new york times.
Retrieved from http://www.nytimes.com/2011/10/12/us/us-
accuses-iranians-of-plotting-to-kill-saudi-envoy.html?
hp&_r=1&
State sponsored terrorism. (n.d.). Retrieved from
http://www.terrorism-research.com/state/
Tashakkori , A., & Teddlie, C. (2003). Handbook of mixed
methods in the social and behavioral research Thousand
Oaks, California: Sage Publications.
United States Department of Justice, DHS. (2010). Fire
service integration for fusion centers
114
Walliman, N. (2011). Research methods. New York, N.Y:
Routledge
Yu, R. (2013, Jan 10). FCC blames phone companies for
derrechio 911 outages. USA today. Retrieved from
http://www.usatoday.com/story/money/2013/01/09/fcc-
derecho-911-outage/1821695/
115
Appendix K: FIGURES
1.1: Threats to the U.S. homeland and
national security
interests; Series1;
0.600000000000001
1.2: Adversaries; Series1; 0.3
1.3: Suspicious activities
and behaviors;
Series1; 0.2
1.4: Knowledge
elicitation by
adversaries; Series1; 0.1
1.5: Motivations, indicators, and plans of adversaries; Series1; 0.1
1.6: Locations and targets of adversary
operations; Series1; 0.2
1.7: Assets of
adversaries; Series1; 0
1.8: Methods, capabilities,
and activities of adversaries; Series1; 0.3
1.9: Homeland security
countermeasures; Series1;
0.2
1.10: Incidents;
Series1; 0.1
HSEC-1 Cyber Attacks and Exploitation
Figure 1: HSEC-1 Scoring Overview
HSEC-8 Terrorist Operations
Series1
116
Figure 2: HSEC-8 Terrorist Operations
HSEC-9 Transnational and Organized Crimes
Series1
Figure 3: HSEC-9 Transnational and Organized Crimes
HSEC -10 Weapons Proliferation
117
Figure 4: Weapons Proliferation
HSEC 1 – Cyber Attacks and Exploitation ; Series1; 5; 3%
HSEC 6 – Public Health Hazards ; Series1; 10;
6%HSEC 2 – Disasters ;
Series1; 3; 2%
HSEC 8 – Terrorist Operations; Series1;
89; 58%
HSEC 10 – Weapons Proliferation ; Series1; 27; 18%
HSEC 5 – Illicit Drug Operations; Series1;
1; 1%
HSEC 9 – Transnational Violent Crimes ; Series1; 12; 8%
HSEC 7 – State-Sponsored Operations; Series1; 2;
1%
HSEC 4 – Illicit Commercial Operations;
Series1; 5; 3%
HSEC Topics by Percentage
HSEC 1 – Cyber Attacks and Exploitation
HSEC 6 – Public Health Hazards
HSEC 2 – Disasters HSEC 8 – Terrorist Operations
HSEC 10 – Weapons Proliferation
HSEC 5 – Illicit Drug Operations
HSEC 9 – Transnational Violent Crimes
HSEC 7 – State-Sponsored Operations
HSEC 3 – Illicit Alien Operations
HSEC 4 – Illicit Commercial Operations
Figure 5: HSEC Topics by Percentage
118
HSEC 1 – Cyber Attacks and Exploitation ; Series1; 20; 4%
HSEC 6 – Public Health Hazards ; Series1; 63; 13%
HSEC 2 – Disasters ; Series1; 12; 3%
HSEC 8 – Terrorist Operations; Series1;
251; 54%
HSEC 10 – Weapons Proliferation ; Series1;
60; 13%
HSEC 5 – Illicit Drug Operations; Series1; 9; 2%
HSEC 9 – Transnational Violent Crimes ; Series1; 49; 10%
HSEC 4 – Illicit Commercial Operations;
Series1; 4; 1%
Situational Awareness Products by PercentageHSEC 1 – Cyber Attacks and Exploitation
HSEC 6 – Public Health Hazards
HSEC 2 – Disasters HSEC 8 – Terrorist Operations
HSEC 10 – Weapons Proliferation
HSEC 5 – Illicit Drug Operations
HSEC 9 – Transnational Violent Crimes
HSEC 7 – State-Sponsored Operations
HSEC 3 – Illicit Alien Operations
HSEC 4 – Illicit Commercial Operations
Figure 6: Situational Awareness Products
119
Appendix L: INTELLIGENCE QUESTIONS AVERAGE BY HSEC TOPIC
X.1Average
HSEC 1 – Cyber Attacks and Exploitation 0.6HSEC 6 – Public Health Hazards 0.95HSEC 2 – Disasters 0.66HSEC 8 – Terrorist Operations 0.76HSEC 10 – Weapons Proliferation 0.81HSEC 5 – Illicit Drug Operations 0.5HSEC 9 – Transnational Violent Crimes 0.5HSEC 7 – State-Sponsored Operations 0.5HSEC 3 – Illicit Alien Operations 0HSEC 4 – Illicit Commercial Operations 0.83Overall Average 0.611X.2HSEC 1 – Cyber Attacks and Exploitation 0.3HSEC 6 – Public Health Hazards n/aHSEC 2 – Disasters n/aHSEC 8 – Terrorist Operations 0.63HSEC 10 – Weapons Proliferation 0.33HSEC 5 – Illicit Drug Operations 0HSEC 9 – Transnational Violent Crimes 0.45HSEC 7 – State-Sponsored Operations 1HSEC 3 – Illicit Alien Operations 0HSEC 4 – Illicit Commercial Operations 0.083Average 0.3491
120
25X.3HSEC 1 – Cyber Attacks and Exploitation 0.2HSEC 6 – Public Health Hazards n/aHSEC 2 – Disasters n/aHSEC 8 – Terrorist Operations 0.629HSEC 10 – Weapons Proliferation 0.7HSEC 5 – Illicit Drug Operations 0.5HSEC 9 – Transnational Violent Crimes 0.51HSEC 7 – State-Sponsored Operations 0.5HSEC 3 – Illicit Alien Operations 0HSEC 4 – Illicit Commercial Operations 0.75
Average0.4736
25
X.4HSEC 1 – Cyber Attacks and Exploitation 0.1HSEC 6 – Public Health Hazards N/AHSEC 2 – Disasters N/AHSEC 8 – Terrorist Operations 0.34HSEC 10 – Weapons Proliferation 0.11HSEC 5 – Illicit Drug Operations 0HSEC 9 – Transnational Violent Crimes 0.08HSEC 7 – State-Sponsored Operations 0.5HSEC 3 – Illicit Alien Operations 0HSEC 4 – Illicit Commercial Operations 0.83Average 0.245
121
X.5HSEC 1 – Cyber Attacks and Exploitation 0.1HSEC 6 – Public Health Hazards n/aHSEC 2 – Disasters n/aHSEC 8 – Terrorist Operations 0.48HSEC 10 – Weapons Proliferation 0.35HSEC 5 – Illicit Drug Operations 0HSEC 9 – Transnational Violent Crimes 0.5HSEC 7 – State-Sponsored Operations 1HSEC 3 – Illicit Alien Operations 0HSEC 4 – Illicit Commercial Operations 0.083
Average0.3141
25
X.6HSEC 1 – Cyber Attacks and Exploitation 0.2HSEC 6 – Public Health Hazards n/aHSEC 2 – Disasters n/aHSEC 8 – Terrorist Operations 0.66HSEC 10 – Weapons Proliferation 0.29HSEC 5 – Illicit Drug Operations 0.5HSEC 9 – Transnational Violent Crimes 0.58HSEC 7 – State-Sponsored Operations 1HSEC 3 – Illicit Alien Operations 0HSEC 4 – Illicit Commercial Operations 0.5
Average0.4662
5
122
X.7HSEC 1 – Cyber Attacks and Exploitation 0HSEC 6 – Public Health Hazards n/aHSEC 2 – Disasters n/aHSEC 8 – Terrorist Operations 0.34HSEC 10 – Weapons Proliferation 0.27HSEC 5 – Illicit Drug Operations 0HSEC 9 – Transnational Violent Crimes 0.25HSEC 7 – State-Sponsored Operations 0.25HSEC 3 – Illicit Alien Operations 0HSEC 4 – Illicit Commercial Operations 0.08
Average0.1487
5
X.8HSEC 1 – Cyber Attacks and Exploitation 0.3HSEC 6 – Public Health Hazards n/aHSEC 2 – Disasters n/aHSEC 8 – Terrorist Operations 0.66HSEC 10 – Weapons Proliferation 0.87HSEC 5 – Illicit Drug Operations 0.5HSEC 9 – Transnational Violent Crimes 0.66HSEC 7 – State-Sponsored Operations 1HSEC 3 – Illicit Alien Operations 0HSEC 4 – Illicit Commercial Operations 0.66
Average0.5812
5
X.9
123
HSEC 1 – Cyber Attacks and Exploitation 0.2HSEC 6 – Public Health Hazards n/aHSEC 2 – Disasters n/aHSEC 8 – Terrorist Operations 0.54HSEC 10 – Weapons Proliferation 0.57HSEC 5 – Illicit Drug Operations 0HSEC 9 – Transnational Violent Crimes 0.37HSEC 7 – State-Sponsored Operations 0HSEC 3 – Illicit Alien Operations 0HSEC 4 – Illicit Commercial Operations 0.16Average 0.23
124
X.10HSEC 1 – Cyber Attacks and Exploitation 0.1HSEC 6 – Public Health Hazards 0.9HSEC 2 – Disasters 0.83HSEC 8 – Terrorist Operations 0.63HSEC 10 – Weapons Proliferation 0.61HSEC 5 – Illicit Drug Operations 0.66HSEC 9 – Transnational Violent Crimes 0.91HSEC 7 – State-Sponsored Operations 1HSEC 3 – Illicit Alien Operations n/aHSEC 4 – Illicit Commercial Operations 0.66Average 0.7
125