Aviation Security Progress Report
The Government Accountability Office (GAO) conducted two studies of the nation’s aviation security system during 2007. Both evaluated progress made by the Transportation Security Administration (TSA) in satisfying 24 performance expectations that GAO had suggested in previous evaluations.
Last October, the second 2007 GAO study, “Transportation Security: Efforts to Strengthen Aviation and Surface Transportation Security are Under Way, but Challenges Remain,” reported that TSA had generally achieved 17 of those expectations and was continuing to work on seven.
The GAO described the seven remaining expectations by saying that TSA should:
- Establish standards and procedures for effective airport perimeter security.
- Establish standards and procedures to effectively control access to airport secured areas.
- Establish procedures for implementing biometric identifier systems for airport secured areas access control.
- Develop and implement an advanced prescreening system to allow DHS to compare domestic passenger information to the Selectee List and No Fly List.
- Develop and implement an international passenger prescreening process to compare passenger information to terrorist watch lists before aircraft departure.
- Deploy checkpoint technologies to address vulnerabilities.
- Develop and implement technologies to screen air cargo.
What has TSA done to address these issues? Government Security asked TSA for a status report on the seven remaining aviation security issues identified by the GAO. TSA responded in an e-mail addressing each issue.
Despite a few notable lapses in aviation security in recent years, the interchange between the GAO and TSA illustrates how the federal government is building an aviation security system. Two powerful federal agencies, one an implementer and the other an inspector, have been pushing and pulling each other since 9/11, building system components and then finding and fixing weaknesses.
Airport perimeter security
The GAO report questioned the standards and procedures by which TSA secures the perimeter of airports.
“Airport perimeters certainly provide alternative ways to get into airports,” says Brian Jackson, associate director of the Homeland Security program with Rand Corp.’s Arlington, Va., offices. “But I’m not sure that the vulnerability of the perimeter would involve a hijacking scenario — to get onto a plane. But someone might walk onto the property and hook up with a work crew. That’s where credentialing checks become important.”
According to the TSA e-mail, the agency has implemented four processes to address this issue. First is a program called “See Something, Say Something,” which asks airport employees to report anything that seems unusual or out of the ordinary.
More formally, the Aviation Direct Access Screening Program (ADASP) assigns random screening responsibilities to Transportation Security Officers (TSOs). They will select individual airline and airport employees as they enter a security identification display area (SIDA) or an Air Operations Area (AOA), or a sterile area from an entrance other than a TSA checkpoint. The officers will check for the presence of explosives, incendiaries, weapons and other items of interest including credentials.
The GAO report acknowledged this program but complained that the Department of Homeland Security (DHS), within which TSA operates, had not provided the GAO with evidence that these actions provide for effective perimeter security.
Finally, the TSA e-mail did not discuss the use of technology at the perimeter. In the past, terrorists have caused serious problems at airports that failed to secure their perimeters. “The IRA planted mortars around Heathrow Airport and disrupted airport operations tremendously,” Jackson says. “A weapon on the perimeter is certainly a scenario to worry about.”
Controlling access to secure areas
The GAO report voiced concern about how TSA was controlling access to secure areas in airports. While TSA has evaluated the controls that limit access to secure airport areas, the report said, the agency was still working to ensure that all airport workers with access to secured areas had been properly vetted prior to being hired and trained.
TSA’s e-mail response indicates that these procedures are now in place. TSA authorizes airports to issue identification badges to airport employees. These include SIDA badges that are required for certain sterile and secure areas of airports.
TSA has confidence in the badges because of the vetting system now used to issue them. When an airport decides to hire a new employee, an airport human resources official submits background information supplied by the prospective employee to the Airport Association of Airport Executives (AAAE) Transportation Security Clearinghouse, a conduit for information connected to background checks made on all prospective airport employees. The Clearinghouse forwards the data to TSA, which conducts a security threat assessment, which must prove satisfactory before credentials are issued.
The assessment checks employees against the Terrorist Screening Database (TSDB), and scans other databases looking for outstanding immigration, terrorist or federal warrants connected to the prospect. Threat assessments take 72 hours.
At the same time, the airport conducts its own background investigation by checking fingerprints and the individual’s name for any of 28 disqualifying crimes.
After clearing each investigation, the employee receives a SIDA badge and the airport operator sets up the access control system to admit the employee through appropriate doors.
Establish procedures for biometric access control
According to the GAO report, TSA has made progress in implementing the Transportation Worker Identification Credential (TWIC) program in the nation’s ports. TWIC smart cards have the capacity to use biometric verification of identity.
However, continued the report, “DHS has not yet determined how and when it will implement a biometric identification system for access controls at commercials (sic) airports. We have initiated ongoing work to further assess DHS’s efforts to establish procedures for implementing biometric identifier systems for airport secured areas access control.”
TSA counters the GAO position by stating in its e-mail that these procedures were established years ago in the “Guidance Package, Biometrics for Airport Access Control,” which was released Sept. 30, 2005.
The package, continues the e-mail statement, was compiled in response to legislative language set forth in the “Intelligence Reform and Terrorism Prevention Act of 2004, Title IV – Transportation Security, Section 4011(a)(5)-Provision for the use of Biometric or Other Technology, and in accordance with regulations governing airport security found in Title 49, code of Federal Regulation (CFR), Chapter XII, Part 1542: Airport Security. The criteria and standards in the document were developed based on TSA’s technical expertise and consultation with the National Institute of Standards and Technology (NIST) and representatives of the aviation and biometric identifier industry.”
The statement does not directly address the GAO’s question: how and when will a biometric identification system for access controls at commercial airports be implemented?
Prescreening domestic and international passengers
The GAO report noted that TSA has established policies and procedures under which air carriers check all passengers against a Selectee list, which names people that require additional screening before being permitted to board an aircraft, and the No-Fly List, which identifies people who may not fly.
However, the law requires TSA to develop and implement an advanced prescreening system called SecureFlight that will enable TSA to take over the process of matching passenger information with Selectee and No-Fly lists from the airlines. Currently, DHS plans to begin parallel SecureFlight screening operations with domestic air carriers next year and to assume sole responsibility for matching passenger data against watch lists by 2010.
The GAO voiced similar concerns about delays in implementing a SecureFlight technology that will prescreen international passengers traveling to and from the United States.
Within several years, the two systems — for domestic and international prescreening — are supposed to merge and operate as one, TSA says.
The TSA e-mail also indicates that the agency is improving SecureFlight technology to provide better matching capabilities and identify known and suspected terrorists, prevent individuals on the No-Fly List from boarding an aircraft, identify individuals on the Selectee List for enhanced screening, facilitate passenger air travel and protect the privacy of individuals.
In addition, TSA is working out redress procedures for individuals who believe they have been wrongly delayed or denied boarding or entry into the United States.
Deploy new, more sophisticated checkpoint technologies
TSA is taking too long to install new checkpoint technologies that address existing vulnerabilities, said the GAO report: “…while TSA has developed and tested checkpoint technologies to address vulnerabilities that may be exploited by identified threats such as improvised explosive devices, it has not yet effectively deployed such technologies.”
In one effort in July 2006, TSA installed 97 explosives trace portal machines — called puffers because they use puffs of air to dislodge and detect trace amounts of explosives on people — at 37 airports. Problems with the operation of the machines, however, caused DHS to halt the deployment.
TSA is also developing backscatter X-Ray technology, which identifies and produces images of explosives, plastics and metals. The GAO report said that TSA has made limited progress in rolling out this technology.
The TSA e-mail responds by listing five new technologies scheduled for deployment during fiscal year 2008. These are bottled liquids scanners, whole body imagers, cast and prosthetics scanners, automated explosives detection systems for carry-on items and advanced technology screening systems for carry-on items.
Develop and implement air cargo screening technologies
According to the GAO report, TSA had yet to complete a strategic plan for domestic air cargo security or fully think out the risk management principles to guide decisions related to screening technology for air cargo bound for the United States from international points of origination. In addition, while the agency had increased the number of domestic air cargo inspections, some cargo had been exempted from random inspections.
The GAO also pointed out that the 9/11 Commission Act of 2007 gave DHS until 2010 to set up a system to screen 100 percent of cargo carried on passenger aircraft. As of October 2007, the agency had not yet developed and implemented screening technologies, a process that TSA estimated might take five to seven years.
According to the TSA e-mail, the air cargo strategy is now complete. “TSA’s strategy to secure the air cargo supply chain uses a multi-layered, high-tech, threat-based approach that encompasses cooperation with the air cargo industry and other government agencies.”
The layers include people, policies and processes and technologies.
According to the e-mail, TSA currently employs 300 cargo Transportation Security Inspectors (TSIs), who do nothing but inspect cargo. TSA plans to add 235 more air cargo TSIs by the end of fiscal 2008. Each inspector undergoes training in behavior observation techniques that may make it easier for them to spot suspicious behavior.
In addition, 400 canine explosive detection teams work at U.S. airports. Their responsibilities include random screening of cargo and surveillance of cargo facilities.
Four policy and process programs have been rolled out: a new Certified Cargo Screening Program, Freight Assessment System, Known Shipper Management System and an Indirect Air Carrier Management System.
The Known Shipper program, for example, now has 1.5 million participants. Known Shippers have a documented business relationship with air carriers, have conducted successful preliminary shipments and have had onsite validation of their shipping facility. TSA also vets Known Shippers through additional databases to validate their business legitimacy.
Technologies include explosive detection systems (EDSs) and explosive trace detection systems (ETDs).
By the end of 2008, TSA and its predecessor organization will have spent seven years working on aviation security. While focusing on seven unmet performance expectations, the GAO report credited TSA with having achieved great progress. “Meeting statutory mandates to screen airline passengers and 100 percent of checked baggage alone was a tremendous challenge,” the report said. “To do this, TSA initially hired and deployed a federal workforce of more than 50,000 passenger and checked baggage screeners, and installed equipment at the nation’s more than 400 commercial airports…”
Then again, the process of providing security is constantly unfolding. As vulnerabilities and threats change, so must the strategies, policies and implementations. “Once one set of holes has been plugged, you have to continue looking for new holes,” Jackson of Rand says. “It requires a systems approach in which every part of the system functions effectively. When something reduces the effectiveness of the system, the system has to change.”