Products without Process
During the Clinton administration, the White House Commission on Aviation Safety and Security (better known as the Gore Commission) recommended assessments. Many, if not most, of the major airports in the United States, acting on these recommendations, proceeded to conduct in-house assessments. These products involved airport and airline stakeholders, and in some cases were fairly comprehensive. The commission also tasked the Federal Aviation Administration (FAA), precursor to the Transportation Security Administration (TSA), to conduct vulnerability studies of selected domestic airports using models developed by Sandia National Laboratories, after which action plans based on the findings for each airport would be developed.
In this process, airports were subjected to rigorous testing protocols to identify major vulnerabilities. At the conclusion of the effort, reports were completed and disseminated to the respective airports following a debriefing by the contractors who had done the work for the FAA. A “Blue Ribbon Panel” was then convened by the FAA to choose the model best adaptable to the Sandia model.
It would be satisfying, if not redeeming, to say that the model chosen was adopted for use at all U.S. airports and eventually produced a comprehensive, adaptable set of data that continues to provide a base for threat assessments. That was not the case.
The results of this multimillion dollar effort were not used. Worse, that entire exercise has been repeated many times since without increasing airport security. The problem is that the products of such initiatives fail to integrate themselves into a process which, in turn, is designed to meet strategic (or operational) goals.
Nothing is accomplished when we examine an airport’s vulnerabilities if the product stands alone.
The process of vulnerability assessments is to combine vulnerability findings with threats to determine something else, which is normally defined as risk. It is risk—the probability of a certain type of attacker exploiting a vulnerability—that determines the true danger, irrespective of an airport’s vulnerabilities in an assessment vacuum. The widely accepted formula of vulnerability + threat = risk defines a process that results in findings that have meaning in a larger context of security. Let’s look at these constituent parts one by one.
There is a maxim in the civil aviation community: “If you’ve seen one airport, you’ve only seen one airport.” The meaning of this, in the context of airport security assessments, is that each airport is unique. To the extent that this is accepted as true, it suggests the need for security assessments of airports on an individualized basis.
But all airports are fundamentally similar. A throng of customers present themselves for preboard screening, after which they enter a “sterile” area, where they wait to enter a corridor (usually a jetway), and board the aircraft. Meanwhile, staff and contractor employees come and go throughout the day and night, traversing the public and restricted areas largely unfettered. In this model, which exists in slightly differing modes almost everywhere, vulnerabilities do not appreciably differ from one airport to the next.
To take this a step further, not only are vulnerabilities similar, they are inherent. All airports are by their very nature vulnerable. They are built to facilitate the movement of large numbers of people onto aircraft and to support those aircraft.
Much as we may want to take vulnerabilities out of the equation, we cannot make our airports fortresses. Trying to do so would be cost-prohibitive. What’s more, enhanced security tends to have an adverse effect on passenger facilitation, all the more so when many U.S. airports are facing capacity issues.
Sooner or later, the need for greater security and a commensurate need for ease of passenger movement clash. The fact that many similar vulnerabilities still exist in airports throughout the country is a silent statement of who usually wins these battles.
That is why we need to focus not on the abstract vulnerability but on the threat—and on a more creative attitude toward risk reduction.
During my years in the FAA’s Office of Civil Aviation Security, the possibility of a suicide bomber was given short shrift. Civil aviation security was predicated on the assumption that attackers had a goal beyond self-destruction.
Today we have a shift in the threat paradigm. While threats to civil aviation may come from a variety of sources, in general it’s fair to say that attackers have moved from political hijackings to religious martyrdom under the banner of global Salafi jihad, and the threatscape has shifted to ever more lethal possibilities. This new threat environment is reminiscent of the anarchist “propaganda of the deed,” where direct action served as inspiration to others. In this scenario, the terrorist act becomes the statement. While that has been true of other movements, today the death toll and destruction matter as much as or more than the symbolic nature of the act.
The authorities tend to respond to each new incident on the global stage in a very targeted way. Because the terrorists worked in teams of five on 9-11, passengers eye groups of men who look Arab warily as they board planes today. After the infamous shoe-bomber incident, we were all asked to remove our shoes; after word of a plot to use liquid explosives, mothers were no longer allowed to carry baby’s formula and we were all restricted to three ounces of any liquid with carry-on luggage. These reactive approaches, whatever their merit, are insufficient, because they do not represent an overall strategy. They do not acknowledge and address the changed threat paradigm.
A countermeasure that was effective against a hijacker won’t work to reduce the risk of harm from a suicide bomber. That was the essential lesson of 9-11. Addressing this new threat paradigm requires a concomitant paradigm shift in airport security countermeasure strategy. But we have failed to make such an adjustment.
Over the years, we have adopted a layered approach to aviation security. But all of our efforts are based on the assumption that the target is the aircraft. Given today’s new threat model, where the explosion is the statement, attackers do not need to reach the aircraft to achieve their objective. Terrorists can detonate outside of the first security layer, as was recently attempted in Great Britain when two terrorists drove a car with explosives into a security barricade at Glasgow Airport.