Too much attention has been paid to assessing vulnerabilities and reacting to each new accident. We need to rethink risk mitigation in the light of the new threat paradigm.
Domestic civil aviation infrastructure has undergone a series of vulnerability assessments of varying types; this has gone on not only since 9-11 but for decades. These vulnerability assessments have become a feel-good exercise. While they are often applauded as a proactive step, they ultimately provide little more than a canvas for rhetorical flourishes.
The problem with this endless cycle of assessments is threefold.
First, each exercise tends to be self-contained; each assessment becomes a discrete product that is completed for its own sake, then put on a shelf, with its recommendations most likely ignored. The next assessment goes over the same ground.
Second, each assessment is devoid of any purpose beyond stating the obvious—you don’t have to be a security expert to spot airport vulnerabilities; the lack of an overarching process with a clearly defined end precludes any real strategic utility to most of these efforts.
Third, and most critical, this approach feeds a myopic focus on vulnerabilities. We need to pay more attention to the other parts of the equation: threat and risk, with the ultimate goal of assessing how better to counter the former and reduce the latter.
Airports would be better served if assessments and resulting data were folded into a process-based risk assessment that was focused not on individual airports but rather on holistic mitigation strategies to identify, meet, and counter changing threats, thereby reducing overall risk.
It is time for the industry and regulators to reassess the value of repeatedly doing assessments of domestic airports without process-driven results.
Products without Process
During the Clinton administration, the White House Commission on Aviation Safety and Security (better known as the Gore Commission) recommended assessments. Many, if not most, of the major airports in the United States, acting on these recommendations, proceeded to conduct in-house assessments. These products involved airport and airline stakeholders, and in some cases were fairly comprehensive. The commission also tasked the Federal Aviation Administration (FAA), precursor to the Transportation Security Administration (TSA), to conduct vulnerability studies of selected domestic airports using models developed by Sandia National Laboratories, after which action plans based on the findings for each airport would be developed.
In this process, airports were subjected to rigorous testing protocols to identify major vulnerabilities. At the conclusion of the effort, reports were completed and disseminated to the respective airports following a debriefing by the contractors who had done the work for the FAA. A “Blue Ribbon Panel” was then convened by the FAA to choose the model best adaptable to the Sandia model.
It would be satisfying, if not redeeming, to say that the model chosen was adopted for use at all U.S. airports and eventually produced a comprehensive, adaptable set of data that continues to provide a base for threat assessments. That was not the case.
The results of this multimillion dollar effort were not used. Worse, that entire exercise has been repeated many times since without increasing airport security. The problem is that the products of such initiatives fail to integrate themselves into a process which, in turn, is designed to meet strategic (or operational) goals.
Nothing is accomplished when we examine an airport’s vulnerabilities if the product stands alone.
The process of vulnerability assessments is to combine vulnerability findings with threats to determine something else, which is normally defined as risk. It is risk—the probability of a certain type of attacker exploiting a vulnerability—that determines the true danger, irrespective of an airport’s vulnerabilities in an assessment vacuum. The widely accepted formula of vulnerability + threat = risk defines a process that results in findings that have meaning in a larger context of security. Let’s look at these constituent parts one by one.
There is a maxim in the civil aviation community: “If you’ve seen one airport, you’ve only seen one airport.” The meaning of this, in the context of airport security assessments, is that each airport is unique. To the extent that this is accepted as true, it suggests the need for security assessments of airports on an individualized basis.
But all airports are fundamentally similar. A throng of customers present themselves for preboard screening, after which they enter a “sterile” area, where they wait to enter a corridor (usually a jetway), and board the aircraft. Meanwhile, staff and contractor employees come and go throughout the day and night, traversing the public and restricted areas largely unfettered. In this model, which exists in slightly differing modes almost everywhere, vulnerabilities do not appreciably differ from one airport to the next.
To take this a step further, not only are vulnerabilities similar, they are inherent. All airports are by their very nature vulnerable. They are built to facilitate the movement of large numbers of people onto aircraft and to support those aircraft.
Much as we may want to take vulnerabilities out of the equation, we cannot make our airports fortresses. Trying to do so would be cost-prohibitive. What’s more, enhanced security tends to have an adverse effect on passenger facilitation, all the more so when many U.S. airports are facing capacity issues.
Sooner or later, the need for greater security and a commensurate need for ease of passenger movement clash. The fact that many similar vulnerabilities still exist in airports throughout the country is a silent statement of who usually wins these battles.
That is why we need to focus not on the abstract vulnerability but on the threat—and on a more creative attitude toward risk reduction.
During my years in the FAA’s Office of Civil Aviation Security, the possibility of a suicide bomber was given short shrift. Civil aviation security was predicated on the assumption that attackers had a goal beyond self-destruction.
Today we have a shift in the threat paradigm. While threats to civil aviation may come from a variety of sources, in general it’s fair to say that attackers have moved from political hijackings to religious martyrdom under the banner of global Salafi jihad, and the threatscape has shifted to ever more lethal possibilities. This new threat environment is reminiscent of the anarchist “propaganda of the deed,” where direct action served as inspiration to others. In this scenario, the terrorist act becomes the statement. While that has been true of other movements, today the death toll and destruction matter as much as or more than the symbolic nature of the act.
The authorities tend to respond to each new incident on the global stage in a very targeted way. Because the terrorists worked in teams of five on 9-11, passengers eye groups of men who look Arab warily as they board planes today. After the infamous shoe-bomber incident, we were all asked to remove our shoes; after word of a plot to use liquid explosives, mothers were no longer allowed to carry baby’s formula and we were all restricted to three ounces of any liquid with carry-on luggage. These reactive approaches, whatever their merit, are insufficient, because they do not represent an overall strategy. They do not acknowledge and address the changed threat paradigm.
A countermeasure that was effective against a hijacker won’t work to reduce the risk of harm from a suicide bomber. That was the essential lesson of 9-11. Addressing this new threat paradigm requires a concomitant paradigm shift in airport security countermeasure strategy. But we have failed to make such an adjustment.
Over the years, we have adopted a layered approach to aviation security. But all of our efforts are based on the assumption that the target is the aircraft. Given today’s new threat model, where the explosion is the statement, attackers do not need to reach the aircraft to achieve their objective. Terrorists can detonate outside of the first security layer, as was recently attempted in Great Britain when two terrorists drove a car with explosives into a security barricade at Glasgow Airport.
A New Model
It is time to adopt an approach that involves going beyond the immediate airport environment. A more more holistic, and far-reaching model is needed. It could entail the following primary elements.
Remote check-in. Remote check-in of baggage is one way to remove an opportunity for an attack. Driven more by private-sector initiatives and capacity issues than security concerns, Orlando International Airport has adopted off-airport baggage check-in procedures. In this model, baggage is collected off site (usually at participating hotels) by airline representatives, secured and transported to remote screening locations, and taken to a baggage sorting system at the airport. Bags are then sorted and loaded onto aircraft.
The efficacy of this system, where it exists, has proven itself. Baggage is kept out of the airport until screening is complete. It results in less congestion within the airport as well as fewer unscreened bags lying about in terminal areas.
Taking this concept a step or two further, there is nothing to preclude a model that facilitates remote screening of passengers and their carry-on baggage. Several remote passenger screening locations would diffuse the concentration of people in any one location and lessen the opportunities for terrorists within the terminal building.
Pursuing this thought a little further, it is not inconceivable to imagine the sterile terminal, wherein all passengers and their baggage, carry-on as well as check-in, have been screened prior to arrival in the building. This approach would not only open the entire area up for movement of people and concessions (a boon to most airports), it would also significantly scale down targets of opportunity for acts of terrorism.
Employee screening. While passengers are all screened, employees are not. Though the issue has again made headlines recently, and a bill is pending, it remains a gaping hole in the security net. Employees represent a serious insider threat. Our sterile airport should be serviced only by screened employees. (It is important to differentiate between the daily screening of employees entering a sterile workplace from the security vetting that is accomplished when they are hired. The latter is a one-time criminal records check that is of limited use in preventing acts of terrorism, or even criminal activity, from occurring in airports.)
Employees should be screened along with passengers, and at other, employee-only locations, such as cargo facilities adjacent to air operations areas, catering houses, and airline operations offices.
Using Orlando International Airport as an example, passengers and workers could go through security at “screening centers” located at the parking areas prior to leaving for the airport. This would coincide nicely with existing facilitation measures already in place, wherein check-in bags are screened (at a remote location on airport property) prior to being placed on board the aircraft.
Cargo screening. The third consideration is getting the attention it deserves. In the cargo areas, recent TSA screening initiatives could, and are, being expanded to include 100 percent screening of all cargo as called for in the just passed H.R. 1. But there is the risk that the phase-in of this initiative will be slower than promised, as has occurred with many other homeland security programs.
Technologically, access control systems have improved over the years with the advent of biometrics and “smart” camera systems. Overlaying this technology on the airport infrastructure as is being done further enhances airport security.
Intel. But screening and access control measures can only go so far. It is the plan, and the terrorist organization behind it, that need to be interdicted, not the individual. In this regard, surveillance needs to start at our borders, not at airport doorways or curb areas.
Terrorist infrastructures need to be identified and disrupted; organizations infiltrated and turned to our advantage. Hearts and minds need to be won. None of this can take place at an airport.
Meanwhile, we must stop focusing all our efforts on catching the bomb at the x-ray machine within the airport. On the deadly combat field of terrorism, by the time the explosive-laden suicide bomber enters the facility, we’ve already lost that engagement.
Bob Raffel is associate professor in the homeland security department of Embry-Riddle Aeronautical University in Daytona Beach, Florida. He is a retired colonel from the U.S. Army Reserve. Raffel served 17 years with the FAA and more than five years as senior director of public safety for the Greater Orlando Aviation Authority.