By William F. Flynn
Since the attacks on September 11, 2001, and certainly following the coordinated shooting and bombing attacks in Mumbai, India, in November 2008, the Department of Homeland Security (DHS) and the FBI have worked closely with local law enforcement and the owners and operators of shopping malls, stadiums, arenas, and other large venues frequented by the public to enhance their security, given the intent and capability of violent extremists to strike locations where ordinary people engage in commerce, transportation, and entertainment.
Much progress has been made in the past 14 years and many of the challenges exposed by 9/11—particularly the lack of coordination among all levels of government and the private sector—have been or are being overcome. Notwithstanding these successes, the tactics used in the attacks in Paris last week require a recommitment in the homeland to heightening our vigilance of potential attacks. This must be done without curtailing our civil liberties and keeping us from enjoying places of public gathering.
With this recommitment to vigilance in mind, what are the tactics, techniques and procedures used in the Paris attacks from which we can draw applicable lessons in the United States going forward?
The self-proclaimed Islamic State, using savvy social-media techniques and encrypted communication, has traditionally targeted the West by inspiring homegrown extremists to conduct relatively low-tech assaults against law enforcement and the military. The tragedy in Paris, which apparently involved extremists who traveled to Syria for pernicious reasons, is a game-changer from this approach.
The attacks present new challenges for private security and first responders. Specifically, Paris highlights a much more complex and coordinated assault involving heavily armed teams with improvised explosive devices (IEDs). Also of concern in these attacks is the terrorists’ use of suicide vests—at the soccer stadium, theater and during the subsequent police raid in the Saint Denis section of Paris—and the explosives they contained.
The attackers used triacetone triperoxide (TATP), a homemade explosive made from readily available precursor materials for their suicide vests. TATP has been used in several terrorist attacks around the world, but this type of explosive device would not lend itself to be constructed far in advance of its use due to the fact that it cannot be easily stored, and therefore, it would have to be constructed close to the timeline for the attack. TATP is difficult to work with, and the large quantity and the fact that the devices functioned as designed, indicates a professional bomb-maker or someone that was well trained to construct these devices. Accordingly, the ability to deftly work with and deploy these explosives presents a challenge that U.S. governmental organizations and private sector partners—particularly those owning and operating mass gathering venues—must work together to address.
It is also important to note that Paris highlighted the stark differences between security at sports stadiums and music venues. A pair of suicide bombers that targeted the 80,000 fans at the Stade de France during a soccer match were prevented from entering the stadium by security and were ultimately only able to kill one person, in addition to themselves. By sharp contrast, the attackers who struck Le Bataclan, where 1,500 people were gathered for a concert, were able to get inside the venue with firearms and IEDs and ultimately kill 89 people and seriously wound hundreds. While there is no perfect security plan and we must not allow fear to deter us from enjoying our public spaces, Paris demonstrated that properly trained and threat-focused security can mitigate the consequences of an attack.
These evolving tactics, the growing number of homegrown violent extremists fueled by social media, and the unpredictable external plotting of the Islamic State requires a re-examination of security and response protocols for a much broader range of commercial venues here in the United States.
William Flynn is the former Deputy Assistant Secretary for Infrastructure Protection at the U.S. Department of Homeland Security. He is presently a Senior Fellow at the George Washington University Center for Cyber & Homeland Security and President of GARDA Risk Management, LLC, where he advises government and industry on security risk.