I want to ask you about general philosophy. Basically, there are three broad ways of defending airplanes: preventing bad people from getting on them (ID checks), preventing bad objects from getting on them (passenger screening, baggage screening), and preventing bad things from happening on them (reinforcing the cockpit door, sky marshals)…
Image at left courtesy of Ryan Air, “Have fun while flying”.
Computer security consultant Bruce Schneier interviews Kip Hawley, the head of the Transportation Security Administration (TSA). While Bruce’s commentary is frequently quoted to demonstrate TSA incompetence, I think reading Kip Hawley’s responses will give you some perspective. First, Kip Hawley is a good bit sharper than the TSA’s public image:
Bruce Schneier: …Can you please convince me there’s not an Office for Annoying Air Travelers making this sort of stuff up?
Kip Hawley: Screening ideas are indeed thought up by the Office for Annoying Air Travelers and vetted through the Directorate for Confusion and Complexity, and then we review them to insure that there are sufficient unintended irritating consequences so that the blogosphere is constantly fueled. Imagine for a moment that TSA people are somewhat bright, and motivated to protect the public with the least intrusion into their lives, not to mention travel themselves. How might you engineer backwards from that premise to get to three ounces and a baggie?
We faced a different kind of liquid explosive, one that was engineered to evade then-existing technology and process. Not the old Bojinka formula or other well-understood ones—TSA already trains and tests on those. After August 10, we began testing different variants with the national labs, among others, and engaged with other countries that have sophisticated explosives capabilities to find out what is necessary to reliably bring down a plane.
We started with the premise that we should prohibit only what’s needed from a security perspective. Otherwise, we would have stuck with a total liquid ban. But we learned through testing that no matter what someone brought on, if it was in a small enough container, it wasn’t a serious threat. So what would the justification be for prohibiting lip gloss, nasal spray, etc? There was none, other than for our own convenience and the sake of a simple explanation.
Based on the scientific findings and a don’t-intrude-unless-needed-for-security philosophy, we came up with a container size that eliminates an assembled bomb (without having to determine what exactly is inside the bottle labeled “shampoo”), limits the total liquid any one person can bring (without requiring Transportation Security Officers (TSOs) to count individual bottles), and allows for additional security measures relating to multiple people mixing a bomb post-checkpoint. Three ounces and a baggie in the bin gives us a way for people to safely bring on limited quantities of liquids, aerosols and gels.
There are many topics covered: from new technology to no-fly lists to TSA’s Behavior Detection teams. The latter implies that TSA is moving towards far more effective methods than screening for explosive sneakers. I’ve posted earlier on the value of this security layer — exemplified by Israeli methods.
BS: Let’s talk about behavioral profiling. I’ve long thought that most of airline security could be ditched in favor of well-trained guards, both in and out of uniform, wandering the crowds looking for suspicious behavior. Can you talk about some of the things you’re doing along those lines, and especially ways to prevent this from turning into just another form of racial profiling?
KH: Moving security out from behind the checkpoint is a big priority for us. First, it gives us the opportunity to pick up a threat a lot earlier. Taking away weapons or explosives at the checkpoint is stopping the plot at nearly the last possible moment. Obviously, a good security system aims at stopping attacks well before that. That’s why we have many layers of security (intel, law enforcement, behavior detection, etc.) to get to that person well before the security checkpoint. When a threat gets to the checkpoint, we’re operating on his/her terms—they pick when, where, and how they present themselves to us. We want to pick up the cues on our terms, before they’re ready, even if they’re just at the surveillance stage.
We use a system of behavior observation that is based on the science that demonstrates that there are certain involuntary, subconscious actions that can betray a person’s hostile intent. For instance, there are tiny—but noticeable to the trained person—movements in a person’s facial muscles when they have certain emotions. It is very different from the stress we all show when we’re anxious about missing the flight due to, say, a long security line. This is true across race, gender, age, ethnicity, etc. It is our way of not falling into the trap where we predict what a terrorist is going to look like. We know they use people who “look like” terrorists, but they also use people who do not, perhaps thinking that we cue only off of what the 9/11 hijackers looked like.
Our Behavior Detection teams routinely—and quietly—identify problem people just through observable behavior cues. More than 150 people have been identified by our teams, turned over to law enforcement, and subsequently arrested. This layer is invisible to the public, but don’t discount it, because it may be the most effective. We publicize non-terrorist-related successes like a murder suspect caught in Minneapolis and a bank robber caught in Philadelphia.
Most common are people showing phony documents, but we have even picked out undercover operatives—including our own. One individual, identified by a TSO in late May and not allowed to fly, was killed in a police shoot-out five days later. Additionally, several individuals have been of interest from the counter-terrorism perspective. With just this limited deployment of Behavior Detection Officers (BDOs), we have identified more people of counterterrorism interest than all the people combined caught with prohibited items. Look for us to continue to look at ways that highlight problem people rather than just problem objects.
BS: That’s really good news, and I think it’s the most promising new security measure you’ve got…
Then Bruce raises another of my major concerns — security of the aircraft on the ramp and of the airport workers.
BS: What about airport workers? Nearly one million workers move in and out of airports every day without ever being screened. The JFK plot, as laughably unrealistic as it was, highlighted the security risks of airport workers. As with any security problem, we need to secure the weak links, rather than make already strong links stronger. What about airport employees, delivery vehicles, and so on?
KH: I totally agree with your point about a strong base level of security everywhere and not creating large gaps by over-focusing on one area. This is especially true with airport employees. We do background checks on all airport employees who have access to the sterile area. These employees are in the same places doing the same jobs day after day, so when someone does something out of the ordinary, it immediately stands out. They serve as an additional set of eyes and ears throughout the airport.
Even so, we should do more on airport employees and my House testimony of April 19 gives details of where we’re heading. The main point is that everything you need for an attack is already inside the perimeter of an airport. For example, why take lighters from people who work with blowtorches in facilities with millions of gallons of jet fuel?
You could perhaps feel better by setting up employee checkpoints at entry points, but you’d hassle a lot of people at great cost with minimal additional benefit, and a smart, patient terrorist could find a way to beat you. Today’s random, unpredictable screenings that can and do occur everywhere, all the time (including delivery vehicles, etc.) are harder to defeat. With the latter, you make it impossible to engineer an attack; with the former, you give the blueprint for exactly that.
And lastly, I’ll highlight the comments on in-the-air measures:
BS: …I want to ask you about general philosophy. Basically, there are three broad ways of defending airplanes: preventing bad people from getting on them (ID checks), preventing bad objects from getting on them (passenger screening, baggage screening), and preventing bad things from happening on them (reinforcing the cockpit door, sky marshals). The first one seems to be a complete failure, the second one is spotty at best. I’ve always been a fan of the third. Any future developments in that area?
KH: You are too eager to discount the first—stopping bad people from getting on planes. That is the most effective! Don’t forget about all the intel work done partnering with other countries to stop plots before they get here (UK liquids, NY subway), all the work done to keep them out either through no-flys (at least several times a month) or by Customs & Border Protection on their way in, and law enforcement once they are here (Ft. Dix). Then, you add the behavior observation (both uniformed and not) and identity validation (as we take that on) and that’s all before they get to the checkpoint.
The screening-for-things part, we’ve discussed, so I’ll jump to in-air measures. Reinforced, locked cockpit doors and air marshals are indeed huge upgrades since 9/11. Along the same lines, you have to consider the role of the engaged flight crew and passengers—they are quick to give a heads-up about suspicious behavior and they can, and do, take decisive action when threatened. Also, there are thousands of flights covered by pilots who are qualified as law enforcement and are armed, as well as the agents from other government entities like the Secret Service and FBI who provide coverage as well. There is also a fair amount of communications with the flight deck during flights if anything comes up en route—either in the aircraft or if we get information that would be of interest to them. That allows “quiet” diversions or other preventive measures. Training is, of course, important too. Pilots need to know what to do in the event of a missile sighting or other event, and need to know what we are going to do in different situations. Other things coming: better air-to-ground communications for air marshals and flight information, including, possibly, video.
So, when you boil it down, keeping the bomb off the plane is the number one priority. A terrorist has to know that once that door closes, he or she is locked into a confined space with dozens, if not hundreds, of zero-tolerance people, some of whom may be armed with firearms, not to mention the memory of United Flight 93.
I think Hawley used “bomb” as a token for any “weapon” that a terrorist could use to commandeer or destroy the aircraft. Bottom line — the TSA seems to be building more defense-in-depth than the public impression suggests. It’s important to keep in mind that TSA priorities and methods will be different than what a private company would do if it controlled the entire airline infrastructure — because the TSA can only do what Congress tells it to do and funds it to do. So there is a lot of political pressure to focus on high visibility activity [passenger screening] at the expense of securing the working airport and the aircraft.
But Hawley gets the key points, I think — as a windup, here’s a fragment from his April testimony, where he tries to convince Congress not to screw it up worse than they already have:
While we often look at aviation security one slice at a time,
• what do we do for employee screening, for air cargo,
• for passenger checkpoint, for checked bags, for watchlists,
• for perimeter, etc.
It is critical that we keep in mind that to terrorists, we are one target, and they don’t care which particular place they attack.
We need balance and flexibility in all of our security measures.
If we jump from concern to concern mandating measures for each one, we may tie up critical resources and do nothing more than make it easy for a terrorist to attack somewhere else.
If an attack is successful, it does us no good to say that we were impenetrable at a different spot.
Magnetometers cannot detect suspicious behavior.
In fact, installing fixed checkpoints makes the job easier for terrorists.
Although it may be comforting for us to see employees in line for screening, a checkpoint provides an unchanging, predictable barrier that is always there, every day. And the terrorist can spend all the time he needs to find ways around, over, or through it.
For this reason, we must use many layers of security—each nimble, unpredictable, and dynamic.