The Federal Bureau of Investigation's Efforts to Protect the Nation's Seaports
(Redacted and Unclassified)

Audit Report 06-26
March 2006
Office of the Inspector General

Findings and Recommendations

Finding 3: Scope of the Maritime Threat

The FBI has not performed a comprehensive written assessment of the risk of the terrorist threat facing the nation’s 361 seaports, nor did it provide us with any assessment conducted by its intelligence community or law enforcement partners that it has relied upon in developing its maritime counterterrorism strategy. Such an assessment would be important in defining the nature, likelihood, and severity of the maritime threat. It would also allow FBI managers and others to make more informed choices about the resources needed for programs and initiatives aimed not only at combating the threat of terrorism at seaports and the maritime domain in general, but also directed at other critical infrastructures. Since 2003, the FBI has conducted an annual general assessment of the terrorist threat to the United States. As of January 2006, the 2005 assessment was in draft. However, neither the 2004 nor draft 2005 assessment ranked the various tactics and targets of terrorists, so FBI managers could not use the assessments to allocate relative resources to the various initiatives intended to prevent terrorism in these segments, including the maritime domain.

The FBI collects some information that may help it assess the potential scope of the maritime threat, including intelligence collection requirements, the number of disseminated FBI intelligence products, and the number of threats and reports of suspicious activity. The FBI has identified five intelligence collection requirements applicable to the maritime domain. However, it has not monitored its progress in addressing its maritime-related collections requirements. In the 4 years since the 9/11 terrorist attacks, the FBI has disseminated 38 maritime-related intelligence products to its intelligence and law enforcement partners. While the FBI has created the Guardian Threat Tracking System (Guardian) to manage the resolution of threats and suspicious incidents, this system is neither easily searchable nor a useful tool for identifying trends in types of incidents. As a result, during our audit the FBI could not identify the number of maritime-related threats from 2002 to the present.

Comprehensive Assessment of the Threat

The FBI has not performed a comprehensive written assessment of the risk of the terrorist threat facing the United States’ 361 seaports. Senior FBI officials with whom we spoke disagreed about the role of the FBI in assessing the terrorist threat faced by the nation’s seaports. Some said such a threat assessment was the responsibility of the Department of Homeland Security and others said the FBI would conduct such an assessment as the Maritime Liaison Agent program, discussed in Finding 1, matures.

The 9/11 Commission has expressed concern both about the capabilities of the Transportation Security Administration (TSA) to perform comprehensive threat assessments and the need for the intelligence community to produce assessments that can guide the allocation of counterterrorism resources. Specifically, the 9/11 Commission Report discussed the TSA’s failure to develop a strategic plan that analyzes assets, risks, costs, and benefits. In the absence of such a plan, the Commission said it was not convinced that the nation’s transportation security resources are being allocated to the greatest risks, noting that “… opportunities to do harm are as great, or greater, in maritime or surface transportation” than they are in aviation. The Commission recommended that the federal government identify and evaluate the transportation assets that need to be protected and set risk-based priorities for defending those assets.

In 2004 congressional testimony, a 9/11 Commissioner stated that it is important for the intelligence community “to outline the risks, and to identify, to the extent that they can, the capabilities that they see on the part of terrorists. Had that been done prior to 9/11 — had there been a sweep, for example, of all of the intelligence that we had about the intentions and capabilities of terrorists to utilize airplanes as missiles — we could well have configured the way in which we defend ourselves more effectively.”

The Commissioner also cited the need to assess the threat of maritime terrorism, “The same is true with respect to maritime security. We only have to look at the Cole. We know that terrorists, and al Qaeda in particular, have identified maritime avenues for threatening U.S. interests. The question is where do you rank these threats? Our intelligence community is assigned the task of identifying and ranking risk.”

During that same hearing, another 9/11 Commissioner stated, “One of the frustrations in our investigation was as we looked and looked through the various agencies, we found no real overview, no strategic analysis that has been done as to relating the levels of risk from which you could plan and allocate a reasonable proportion of resources.”

Although the FBI does not have a direct role securing seaports — for example, it is not the FBI’s responsibility to ensure ports comply with federal security requirements — the FBI is the lead federal agency for preventing terrorism and responding to terrorist incidents. Because maritime transportation is vulnerable to terrorist attacks, the FBI devotes resources to the maritime domain. However, we believe that the amount of those resources should be threat and risk driven. While there is no clear directive for the FBI to conduct a comprehensive threat and risk assessment of maritime terrorism, we believe the FBI needs such an assessment either conducted by it or another agency in the intelligence community to guide its allocation of resources. During the course of this audit, the FBI did not provide us with any comprehensive assessment of the threat and risk of maritime terrorism or demonstrate to us that it used such an assessment to allocate resources to the maritime domain.

While the FBI has not conducted a comprehensive threat and risk assessment of maritime terrorism or the transportation sector in general, we examined the following FBI intelligence products, plans, and databases that could be used to help inform FBI managers about the level of risk of maritime terrorism and the resources dedicated to it:

  • the FBI’s annual comprehensive terrorism threat assessment, commonly referred to as the national threat assessment;
  • maritime-related FBI intelligence products disseminated to the intelligence community;
  • FBI intelligence collection guidance; and
  • FBI data on terrorist threats and suspicious activity.

National Threat Assessment

In a 2002 audit of the FBI’s counterterrorism program, the OIG found that the FBI had not conducted a comprehensive written assessment of the risk of the terrorist threat facing the United States. The FBI’s efforts to conduct such an assessment, entitled FBI Report on the Terrorist Threat to the United States and A Strategy for Prevention and Response did not: (1) provide information to assist FBI management and other government managers in developing counterterrorism strategies and programs and allocating resources on a priority basis, (2) identify critical intelligence requirements, or (3) make recommendations to any level of FBI management. We noted that the lack of recommendations in the FBI’s report underscored the fact that the report was not an assessment.12 Because the FBI had not completed a systematic written assessment of the most likely terrorism scenarios — taking into account terrorist methods, capabilities, and intent — we expressed concern that it may not have fully identified the specific nature of the threat so that it could focus its attention and resources to prepare adequately and respond effectively. Further, we noted that determining what scenarios are most likely to occur in a comprehensive and more formal manner would better position the FBI to meet its new counterterrorism priority.

Since 2003, the FBI has conducted an annual assessment of the terrorist threat to the United States commonly referred to as the National Threat Assessment (NTA).13 As of December 2005, the 2005 NTA was still in draft. The FBI’s Deputy Assistant Director for Counterterrorism Analysis said the 2005 NTA had not been released because a National Intelligence Estimate with a similar scope was being prepared and the FBI wanted to ensure that the 2005 NTA was closely aligned with that document. However, we reviewed the 2004 and the draft 2005 NTA assessments and found that neither ranked the targets and tactics of terrorists. As a result, FBI managers could not use the assessments to allocate resources among the initiatives aimed at preventing terrorism in various critical infrastructures and segments of the economy, including the maritime domain.

However, the 2004 NTA includes an eight-page assessment of the tactical trends of al Qaeda and other extremists. This section of the assessment addresses five topics, including two specific types of targets: civil aviation and maritime. In addition, it makes the following observations and assessments about three tactical topics:

  • Al Qaeda has shifted its attacks toward less-protected targets, because attacks against these soft targets require less logistical support and greater flexibility in target selection.
  • Terrorists are constantly innovating, finding new ways to circumvent security measures, and build more threatening bombs.
  • Terrorists are tenaciously pursuing chemical, biological, radiological, or nuclear weapons and may attempt to use them against the United States within the next 3 years.

The 2004 NTA’s assessment of al Qaeda’s maritime intent and capability is one of five topics discussed. It notes that al Qaeda has temporarily abstained from maritime attacks, and it attributes the lack of attacks to the arrest of key operatives. Based on suspicious activity reports and the vulnerability of ports, it concludes that al Qaeda will resume its maritime strategy. The NTA names vehicle-born improvised explosive devices as the type of weapon that al Qaeda will most likely use for a maritime attack, and cites maritime facilities, infrastructure, merchant vessels, and warships as the most likely maritime targets. According to the assessment, the second most likely weapon is a bomb used against a cruise ship or ferry. [INFORMATION REDACTED]

The NTA uses a three-tiered classification to rank the threat posed to the United States by known terrorist groups. This classification system allows FBI and other government officials to allocate resources to different groups based on the threat level. [INFORMATION REDACTED]

However, the NTA does not use a similar system to rank tactics or targets. Instead, the FBI uses phrases such as “most favored” and “remains committed to” to describe the likelihood of terrorist use of various tactics. For example, it says that al Qaeda remains committed to using commercial aircraft in future attacks. Unlike the ranking of terrorist groups, FBI managers cannot use the narrative descriptions to compare the relative risk of attack using various tactics. In addition, the narrative descriptions do not discuss all potential terrorist tactics. Because the narrative descriptions of tactics and targets do not allow for a relative comparison, they may not provide a sufficient basis to allow the FBI to allocate resources according to the various terrorist tactics and methods.

Disseminated Intelligence Products

The FBI has three primary intelligence products: intelligence assessments, Intelligence Information Reports (IIR), and intelligence bulletins. Intelligence assessments may be either strategic or tactical. Strategic assessments support FBI-wide programs, plans and strategies or provide information to policy makers. Tactical assessments support FBI cases or operations, or cover specific threats. IIRs contain single-source intelligence that the FBI has not deeply evaluated. Intelligence bulletins are unclassified descriptions of significant developments or trends.

Between FYs 2002-2005, the FBI disseminated a total of 38 intelligence products which, to varying degrees, discussed maritime-related terrorism.14For example, one intelligence bulletin discussed how terrorist groups could use combat divers to attack the United States, while another intelligence bulletin issued by a field office discussed terrorist issues in that field office’s territory and included only data on the number of maritime suspicious incidents it had received in the last month.

Disseminated FBI Intelligence Products that Addressed Maritime
Terrorism, FYs 2002-2005

  2002 2003 2004 2005

Intelligence Assessment





Intelligence Information Report





Intelligence Bulletin










 Source: OIG analysis of FBI data

The Newark and Chicago field offices issued 9 of the 16 intelligence bulletins the FBI provided. While the intelligence bulletins issued by the CTD focused on seaport security and maritime issues, the intelligence bulletins issued by the two field offices were summaries of all terrorism activity that contained limited maritime information, usually the number of maritime-related threats received by the office in the last month. Although the amount of maritime information in these intelligence bulletins was limited, we believe the concept of providing trend data to local law enforcement and intelligence partners is worthwhile because it provides information about the current threat environment. However, we have three concerns about such bulletins.

  • There is no FBI policy requiring field offices to issue regular intelligence summaries to federal, state, and local partners in their territory. The FBI provided intelligence bulletins from only 2 of its 56 field offices and, combined, these intelligence bulletins covered only 5 months. The Newark intelligence bulletins began in April 2005 and appeared to be ongoing at the time of our audit. The Chicago intelligence bulletins appear to have been limited to 2 months in 2004.
  • The frequency and content of the intelligence bulletins varied, and the suspicious incident categories used by each field office also varied. While we recognize that individual field offices may have the need to highlight areas that other field offices do not, we believe that standardized categories would be helpful in allowing FBI managers to compare the activity of different offices. The table below summarizes the differences in frequency and content between the intelligence bulletins produced by the Chicago and Newark field offices.
  • Frequency and Content of Chicago and Newark
    Intelligence Bulletins

      Chicago Newark
    Frequency Monthly Weekly
    Data sources Guardian database FBI intelligence assessments and IIRs; Department of Defense reporting Terrorism Situation Reports, DHS intelligence bulletins and intelligence assessments; Guardian database; and a list of upcoming significant dates
    Suspicious incident categories 8 to 9 types 21 types and 22 geographic areas
    Suspicious incident categories in common Airports/aircraft
    Chicago Transit
    Authority Rail
    Federal facilities
    Government building
    Detailed description of suspicious activities, including status Yes No
     Source: OIG analysis of FBI data

  • It was not clear that the field office intelligence bulletins had been disseminated to the FBI’s maritime partners. For example, the Newark intelligence bulletins included a distribution list, and neither the Coast Guard nor the Area Maritime Security Committee was included on the list.15The FBI must ensure that its intelligence products reach all relevant federal, state, and local law enforcement and intelligence entities.

In our judgment, summary field office intelligence bulletins are a significant opportunity for the FBI’s field offices to share with their partners a snapshot of the local threat environment. We believe each field office should publish summary intelligence bulletins using a standard format that specifies the content, frequency, and distribution of the intelligence bulletins.

Of the 38 maritime-related intelligence products the FBI provided us, 29 (76 percent) dealt solely with maritime terrorism. Of those 29, 55 percent were IIRs. As shown in the following table, IIRs were most likely to cover threats about WMD or terrorist attacks against specific targets or cities. While the intelligence assessments and intelligence bulletins varied in scope, they normally focused on the maritime tactics terrorists may employ. Specifically, 85 percent of these products focused on diving, infiltration, small boat attacks, and mines (including improvised explosive devices). One target, passenger ferries, received substantial attention. Over 80 percent of the intelligence assessments focused on the maritime capabilities of a specific terrorist group. Over one-third of the finished intelligence products focused on just two potential tactics: attacks by scuba divers or combat swimmers and infiltrating the United States by various methods. For example, although terrorists have indicated a strong desire to use a weapon of mass destruction (WMD) and vessels can be used to transport a WMD for detonation in a port or elsewhere, none of the FBI’s finished maritime-related intelligence products assessed the potential use of smuggling a WMD aboard a ship.16

Characteristics of FBI Maritime
Intelligence Products, FYs 2002-2005a

Topic Intelligence Assessments IIRs Intelligence Bulletins Total
Divers 2 2 3 7
Infiltration 2 3 1 6
Improvised explosive devices/mines 2 1 1 4
Small boat attacks 1 1 2 4
Ferries 1 2 1 4
Group-specific 5 1 0 6
WMD 0 6 0 6
Target or target-city specific 3 5 0 8
Data on trend analysis 2 0 0 2
Indicators 2 0 4 6
Requirements 2 0 0 2
Other 0 2 0 2
Source: OIG analysis
Note: (a) The table includes the 29 disseminated FBI intelligence products (6 intelligence assessments, 16 IIRs, and 7 intelligence bulletins) that deal solely with maritime terrorism. Several of these intelligence products had more than one of the characteristics listed in this table, so the sum of the numbers in the columns does not equal the number of intelligence products.

[INFORMATION REDACTED] However, the intelligence bulletins should also provide readers with instructions or points of contact if they observe someone engaging in a suspicious activity.


Intelligence Requirements


We reviewed the FBI’s intelligence collection set for international terrorism to determine the scope of the FBI’s requirements for maritime terrorism. [INFORMATION REDACTED]

Internal Controls for Standing Intelligence Requirements

Currently, the FBI’s Directorate of Intelligence cannot ensure that the FBI’s operational divisions and field offices are addressing the intelligence requirements in the collection sets, so the Directorate of Intelligence cannot determine what progress the FBI has made toward satisfying its maritime-related and other intelligence requirements. Also, the Directorate of Intelligence cannot identify what FBI products meet a certain requirement, so it cannot identify those intelligence products that discuss maritime terrorism. For the FBI’s intelligence analysts to be able to fully analyze the threat of maritime terrorism, they must be able to identify all the relevant information the FBI has gathered on the threat.

The Directorate of Intelligence is aware of this shortcoming and has identified three methods that can ultimately be used to ensure that the FBI’s operational divisions and field offices address the intelligence requirements in the FBI’s collection sets. First, the Directorate of Intelligence is requiring each operational division to present a “battle plan” that shows how it will address the intelligence requirements relevant to its work. Second, the Directorate of Intelligence has begun providing training and guidance on the importance of citing the requirements with which each intelligence product responds. For example, the Field Intelligence Operations Handbook discusses the need for each product to cite an intelligence requirement. Third, the inspections done by the FBI’s Inspection Division will, in the future, assess an office’s contribution to the FBI’s intelligence requirements.

However, according to the section chief of the Directorate of Intelligence’s Intelligence Management Section (IMS), his section has made little progress in implementing these methods or otherwise monitoring what intelligence requirements are being addressed. The Directorate of Intelligence recognizes that the FBI also needs to improve integration of its intelligence requirements, collections, and production. An FBI official said that generally, FBI personnel need to understand what the intelligence requirements are, collect information to meet them, and then ensure that information the FBI collects against its intelligence requirements is reported to the widest audience possible.

The IMS section chief also said his section is responsible for monitoring the FBI’s progress in addressing its intelligence requirements. However, he said that IMS’s capability is limited by three factors: (1) all field office personnel need training on the importance of intelligence requirements and the integrity of the intelligence cycle, (2) information that satisfies intelligence requirements needs to be culled from FD-302 interview records and recordings made under the Foreign Intelligence Surveillance Act of 1978, and (3) reported information (generally IIRs) needs to cite the intelligence requirement.17

Two other issues, staffing and information technology, affect the IMS’s ability to address these three factors. Many units in the IMS have 40-to-50-percent vacancy rates, so the personnel necessary to systematically evaluate intelligence collection against intelligence requirements is not available. In addition, the FBI does not have an information technology tool that allows the IMS to search data collected by the FBI to identify information that meets a given intelligence requirement. Currently, the FBI’s nascent capability to search its data to determine if the information meets a specific intelligence requirement consists of searching: (1) the Automated Case Support (ACS) system for documents or data that might meet a given intelligence requirement, and (2) a stand-alone database of the CTD’s IIRs, by topic, customer, and subject line.

While the international terrorism intelligence collection set included 25 observable events related to the maritime domain, none of the maritime-related intelligence products the FBI disseminated cited the intelligence requirement or indicator. To determine what information the FBI has collected about indicators of maritime terrorism or intelligence requirements with a maritime component, the FBI would have to perform a tedious and time-consuming search of the cumbersome ACS or the CTD’s standalone IIR database.

Ad Hoc Intelligence Requirements

In addition to the standing intelligence requirements, the FBI may receive or initiate ad hoc intelligence requirements. Ad hoc requirements address more immediate needs created by an agency’s tactical operations. For example, after the London subway bombings in July 2005, the FBI received ad hoc intelligence requirements related to those bombings. Regarding maritime terrorism, the FBI has received intelligence requirements from the Office of Naval Intelligence, which asked the FBI to collect intelligence on whether terrorist groups are using maritime methods to transport operatives or contraband. Ad hoc intelligence requirements are communicated to the relevant units and offices within the FBI via EC and the “setting of leads.”18 The IMS is the focal point for ad hoc requirements and is responsible for setting leads for FBI offices to collect information against the requirements. The results of the FBI’s collection efforts in response to ad hoc requirements are reported in IIRs. If a recipient (consumer) of an IIR has questions about its content or has additional ad hoc intelligence requirements, the consumer will contact the author of the IIR directly and address those questions or requirements. The Directorate of Intelligence did not initiate any ad hoc maritime-related intelligence requirements during FY 2005.

To improve the FBI’s intelligence base and ultimately help it identify terrorists within the United States, the FBI’s NJTTF created Operation Tripwire in July 2003. Through Operation Tripwire, the CTD sends local JTTFs tasks or requirements to collect information related to certain entities. The collection requirements are specific to a threat and provide information about who or what can provide the information. For example, one maritime-related Tripwire EC we reviewed directed a field office to contact the executive in charge of a certain line of business at a particular company. According to the NJTTF, the ultimate goal of these tasks is to develop a useful set of indicators for terrorist sleeper cells. The CTD intended for the requirements to have a secondary purpose in assisting field office managers by providing guidance on how to enhance their intelligence base and more accurately define their technical requirements.

Information Management Systems for Intelligence Products

The FBI does not have an information management system to store and manage the all of the FBI’s intelligence products, but the Directorate of Intelligence is developing a searchable database for all the FBI’s intelligence products. Currently, all IIRs are stored in the FBI Intelligence Information Reports Dissemination System. However, this system does not have any management capability to allow Directorate of Intelligence managers to search for an IIR by intelligence requirement. A new version of this information system, due in FY 2006, is expected to provide such a search capability.

While there is no information management system that stores and manages the FBI’s finished intelligence products (intelligence assessments and intelligence bulletins), the Directorate of Intelligence maintains an Access database of the terms of reference of all these products. When analysts start a new intelligence assessment or intelligence bulletin, they must input the terms of reference — a description of the approach, purpose and scope of a proposed intelligence product — into the database. The terms of reference are then reviewed by the FBI’s Intelligence Production Board at its monthly meeting. The board evaluates the terms of reference against the relevant collection set and other ongoing intelligence assessments and determines whether the proposed intelligence assessment addresses a known collection requirement or whether it duplicates work already being done. The IMS’s Strategic Analysis Unit prescreens the terms of reference of each proposed intelligence product before it is passed to the board. Also, intelligence assessments and intelligence bulletins should be uploaded into the ACS, but the IMS section chief said that often this is not done.

Data on the Number of Maritime Threats

FBI headquarters and its field offices receive warnings daily about terrorist threats and suspicious activities. These warnings come from a variety of sources, including other intelligence agencies, law enforcement agencies, and concerned citizens. The FBI Director has made it clear to all employees that the FBI’s highest priority is the resolution of all terrorist threats. While the FBI has created the Guardian Threat Tracking System (Guardian) to manage the resolution of threats and suspicious incidents, this system is neither easily searchable nor a useful tool for identifying trends in types of incidents. As a result, during our audit the FBI could not identify the number of maritime-related threats from 2002 to the present. Instead, in response to our request for a list of maritime-related threats to which the FBI had responded, the FBI manually reviewed reports of monthly compilations of significant incidents, called threat information reports, and identified 68 maritime-related incidents that it tracked from September 2004 to September 2005. Two of the FBI’s six maritime-related intelligence assessments also included data about the scope of the maritime threat.

Intelligence Assessments with Data on Maritime Incidents

A May 2004 intelligence assessment by an FBI field office highlights the difficulty the FBI has in determining the scope of the threat of maritime terrorism and offers potential methods for resolving those difficulties. Two intelligence analysts, one FBI and one Coast Guard, reviewed 157 suspicious incidents reported to law enforcement involving a ferry system.19 They also assessed the likelihood of whether the incidents were indicative of pre-operational planning for a terrorist attack.

Our review of the intelligence assessment noted the following difficulties encountered by the analysts. First, the FBI had to ensure it had data on all of the incidents reported to local, state and federal agencies. To accomplish this, Seattle’s Field Intelligence Group attempted to collect from its law enforcement partners all suspicious activity reports related to the ferries. Second, the FBI and its partners did not have a standardized reporting format for suspicious incidents. As a result, the partners submitted their reports in various formats which the FBI had to manually summarize. Third, multiple agencies often reported on the same incident. Inconsistencies between various reports — such as date and number of suspects — made it difficult for the analysts to identify the number of incidents. Fourth, the incident reports did not provide enough detail about the suspects or their vehicles. Fifth, the reports did not indicate whether the event had been thoroughly investigated when feasible. Finally, the FBI had no standardized guidance for assessing the likelihood that a given suspicious activity was indicative of pre-operational planning.

Despite concerns about the quality of its data, the Seattle FBI office developed a weighted ranking system to assess the likelihood that a given incident was indicative of pre-operational planning. The ranking system included the following six categories: “not applicable,” “extremely high,” “high,” “medium,” “low,” and “not weighted.” Each category had a set of criteria against which all the incidents were assessed. For example, incidents classified as “extremely high” met the following criteria:


The Seattle intelligence assessment also included two checklists intended to improve the quality of information collected about suspicious incidents. The first checklist was for law enforcement personnel responding to suspicious incidents, reminding them to:

  • photograph or videotape the incident;
  • record information about the subject’s vehicle, its occupants, and location; and
  • record descriptive information about the suspect and the suspect’s actions.

The second checklist provided questions that FBI or JTTF personnel should ask law enforcement when they report a suspicious incident to the FBI.


Guardian Threat Tracking System

In September 2004, to facilitate the accurate, complete, and timely reporting on the existence and status of terrorist threats, the FBI launched a database called Guardian.20 Guardian is available on the FBI Intranet, and all field offices and legal attaches are required to enter into Guardian new terrorism threats and suspicious incidents originating in their territory and use it to track resolution. As of September 2005, the FBI had entered information into Guardian on 51,000 threats. However, because of Guardian’s limited search capabilities, the system cannot readily be used to identify maritime or other sector-specific threats or to produce data for trend analyses.

At our request, the FBI’s Threat Monitoring Unit (TMU) queried Guardian in an attempt to identify the number of maritime-related incidents within the database, but the system was unable to conduct such a search. Instead, Guardian could be queried on the number of times certain words occurred in the system. Even this search was not simple because maritime-related terms, such as “port,” are a subset of other words that occur frequently in Guardian. For example, “report” and “airport” both include “port,” so the search for port had to be modified to exclude these other words. The chart below shows the results of the FBI’s efforts to identify the number of times a certain word occurred in Guardian.

Number of Maritime-Related Hits in
the Guardian Threat Tracking System
September 2004–September 2005

[Chart Not Available Electronically]

 Source: The FBI

Since the FBI was unable to use Guardian to identify the number of maritime-related incidents, the Threat Monitoring Unit manually reviewed threat information reports from September 2004 to September 2005 to identify the most significant maritime-related incidents in Guardian.21 Based on this review, the FBI identified 68 maritime-related incidents, with the greatest concentration found in the Seattle area. In addition, there were a substantial number of threats along the Gulf Coast, which most likely involved suspected surveillance of energy facilities and oil tankers.

The FBI categorized 68 percent of the 68 incidents as possible surveillance. As shown below, the remaining 32 percent of the incidents were classified as suspicious activity, security violations, or other.

Threat Information Report Threat Categories

Threat Information Report Threat Categories: Possible Surveillance-68%, Suspicious Activity-14%, Security Violations-10%, Other-8%.
 Source: The FBI

The FBI identified 6 categories of maritime targets, each of which accounted for at least 7 percent of the 68 incidents. The most commonly targeted maritime infrastructures were terminals and ferries, both of which were frequently filmed or photographed in the Seattle area by people acting suspiciously. Together these targets accounted for 47 percent of the incidents. Assuming the data from these 68 incidents is indicative of pre-operational activity, the FBI believes that ferries in the Seattle area and fuel tankers in the Gulf Coast region appear to be the most likely targets of maritime terrorism. The chart below shows the distribution of targets for the 68 incidents.

Threat Information Report Maritime Incidents by Target

Threat Information Report Maritime Incidents by Target: Terminal/Facility-24%, Ferry-23%, Energy/Tankers-15%, Commercial-14%, Military/Coast Guard-7%, Other-17%.
 Source: The FBI

TMU officials expressed concern that the entries in Guardian, and the threat information reports, are not representative of all the maritime suspicious incidents. Guardian generally includes only the threats the FBI has received or investigated. The FBI database does not include Coast Guard reporting on suspicious incidents, nor does it include data from the FBI’s state and local law enforcement partners such as port authority police departments. The Seattle intelligence assessment on ferries also recognized this weakness and compensated for it by canvassing other law enforcement agencies for suspicious activity reports.

The FBI plans to correct several of the weaknesses in its ability to collect and analyze suspicious activities and other security incidents by upgrading Guardian and establishing an Internet-accessible version of the database, called E-Guardian. The upgraded version, Guardian 2.0, is scheduled to be deployed in March 2006. Guardian 2.0 is expected to have improved search capabilities. In addition to improved search capabilities, Guardian 2.0 will allow users to bookmark items of interest, hyperlink items, and save the results of searches.

The FBI plans to deploy E-Guardian in April 2006. E-Guardian will allow law enforcement and intelligence personnel to enter information into Guardian through an Internet-based system accessible only to authorized users. While E-Guardian users will be able to add or update entries at any time, the data in the E-Guardian website will be updated every 6 or 8 hours. A TMU official said the exact update interval had not yet been determined. Further, E-Guardian will not include classified information. We believe E-Guardian will be a significant improvement because it will help standardize suspicious incident reporting and collect information from other law enforcement agencies.

In the EC announcing Guardian, the FBI Deputy Assistant Director for Operational Support noted, “Given the current world situation, it is imperative that all threats and suspicious activity be closely monitored and fully exploited.” However, the FBI has not established controls to ensure that field offices enter all terrorism threats, suspicious activity, and events into either version of Guardian. Without these controls, the FBI cannot be assured that Guardian contains all threat information gathered by the FBI or that this information is entered and resolved according to the established guidelines.

Since January 2005, the CTD has sent eight ECs to its field offices and legal attaches reminding them of the requirement to enter all terrorism information into Guardian and to resolve the entries. In March 2005, the TMU reviewed entries into Guardian over the previous 30 days and sent an EC to FBI field offices and legal attaches reporting “some trends showing that several offices are not fully utilizing the Guardian System and taking advantage of its capabilities.” During that 30-day period, only two field offices — New York and Baltimore — recorded more than 100 entries, accounting for 21 percent of the 1,211 entries made by field offices. As shown in the following table, 75 percent of the FBI’s 56 field offices recorded less than 25 entries. Major FBI field offices, including Boston and Dallas, recorded five or fewer entries.22

Field Office Guardian Usage,
30-Day Period Ending March 28, 2005

Field Office Guardian Usage, 30-Day Period Ending March 28, 2005: Over 100 entries-4%, 75 to 100 entries-0%, 50 to 74 entries-7%, 25 to 49 entries-14%, under 25 entries-75%.
 Source: OIG Analysis of FBI data

We are concerned that not all field offices are fully utilizing Guardian. In our judgment, the underutilization of Guardian prevents the TMU from developing a complete understanding of threat trends, including threats associated with the maritime domain.

Ensuring that each Guardian entry is investigated to its logical end and documenting the investigation are two other challenges the TMU faces and has been actively managing. TMU has sent field offices two ECs concerning unresolved Guardian entries that needed further investigation or management review. The first EC, sent in January 2005, reported that 30 percent of all Guardian entries were unresolved. When the second EC was sent in August 2005, unresolved entries accounted for 13 percent of all entries. As shown in the following table, in August 2005 the majority of the 6,028 unresolved entries were entered by field offices. Forty-eight percent of the unresolved entries were more than 90 days overdue.

Unresolved Guardian Entries,
August 2005a

  Total Unresolved Entries Unresolved for 30 Days or Less Unresolved for 31 to 90 Days Unresolved for More Than 90 Days
Field Offices 5,082 (84%) 1,796 901 2,385
Legal Attaches 625 (10%) 202 106 317
Headquarters 321 (5%) 90 62 169
Total 6,028 2,088 (35%) 1,069 (18%) 2,871 (48%)

Source: The FBI

Note: (a) Percentages do not total to 100 percent due to rounding.


The FBI has not conducted or reviewed a threat assessment that ranks the different tactics or targets that terrorists may employ. It therefore does not have any assurance that the amount of resources allocated to the various initiatives aimed at preventing terrorism in segments of the economy — such as seaports, aviation, mass transit, energy, agriculture, and other critical infrastructures — are proportional to the threat. Moreover, the FBI’s Directorate of Intelligence did not monitor the FBI’s intelligence products to ensure they met its intelligence requirements. The FBI’s threat-monitoring database, Guardian, is promising, but a number of limitations must be resolved before it can produce a complete and accurate picture of maritime threats and suspicious incidents. We identified two intelligence initiatives at FBI field offices — intelligence bulletins with a field office’s recent Guardian data, and an intelligence assessment that included non-FBI suspicious incident reporting — that the FBI may want to consider implementing more broadly.


We recommend that the FBI:

  1. Assess the threat and risk of maritime terrorism compared to other terrorist threats and ensure the National Threat Assessment ranks the various modes of attack and targets.
  2. Ensure the amount of FBI resources dedicated to maritime terrorism is based on the extent of the maritime threat in relation to other threats.
  3. Monitor the progress of operating divisions and field offices in answering intelligence collection requirements pertaining to seaports and maritime terrorism.
  4. Focus intelligence reporting to more comprehensively address potential maritime-related terrorist targets and methods.
  5. Name a unit within the Counterterrorism Division to monitor the volume and substance of all FBI maritime-related intelligence.
  6. Consider establishing a requirement for regular field office intelligence bulletins to summarize the field office’s suspicious incident reporting and, if such a requirement is adopted, establish standardized frequency, content, and distribution requirements.

  1. Federal Bureau of Investigation. FBI Report on the Terrorist Threat to the United States and A Strategy for Prevention and Response, August 2001.

  2. Federal Bureau of Investigation. The Terrorist Threat to the US Homeland: An FBI Assessment, April 2004.

  3. The FBI provided us with 41 disseminated intelligence products that it said were maritime-related. However, 38 were applicable to our audit. The remaining three dealt with other issues such as the country’s water supply. In addition, during the course of our audit, the FBI provided us with two additional assessments that discussed maritime terrorism but the FBI did not include these products in its list of maritime-related disseminated intelligence products.

  4. These Coast Guard-sponsored committees were mandated by the Maritime Transportation Security Act of 2002. See Finding 1 for a detailed discussion.

  5. Finished intelligence products, such as intelligence assessments and intelligence bulletins, are developed from multiple sources and fully addresses an issue or threat. In contrast, raw intelligence, the type of information in most IIRs, is unevaluated information, generally from a single source.

  6. When a witness is interviewed as part of a criminal investigation, FBI agents use an FD-302 to document what was said during the interview. The Foreign Intelligence Surveillance Act of 1978 allows for court-approved electronic surveillance of people suspected of being engaged in espionage or terrorism for a foreign power against the United States.

  7. When an FBI office needs assistance or information from another FBI office, it “sets a lead” specifying the assistance it needs.


  9. The scope of our work on Guardian was limited to those aspects affecting the FBI’s maritime role such as data on the number of maritime incidents. We did not examine information technology management practices used to develop or implement Guardian.

  10. Threat information reports originated in 2004 in response to a need for an up-to-date summary of threat information from the ’04 Task Force. The ’04 Task Force was formed to prepare for several special events in 2004 including the presidential elections, the Olympics, and the Democratic and Republican National Conventions. These reports provide monthly summaries of significant threat reporting by region, type, and target.

  11. See Appendix II for the number of Guardian entries for each field office.

« Previous Table of Contents Next »