TSA Flunked Its Security Test Big Time — Now What?

commentary

Jun 15, 2015

TSA Acting Administrator Melvin Carraway meets with TSA officers at New Orleans International Airport the day after a man attacked security agents and later died in the hospital where he was being treated for gunshot wounds

TSA Acting Administrator Melvin Carraway meets with TSA officers at New Orleans International Airport the day after a man attacked security agents and later died in the hospital where he was being treated for gunshot wounds

Photo by TSA/Reuters

This commentary originally appeared on The Hill on June 15, 2015.

The failure of Transportation Security Administration (TSA) agents to detect 67 out of 70 weapons or fake explosives smuggled through airport security checkpoints by the TSA's own inspectors renews questions about the agency's ability to protect the country's airlines. A failure rate of 95 percent also provides a new opportunity for attack by the TSA's many foes and rekindles the hostility many Americans have not just for the TSA, but for what they see as an increasingly intrusive and untrustworthy federal government.

Without knowing more about the details of the undercover tests, it is hard to judge the precise nature of the apparent security breakdown, but in any context, a 95 percent failure rate — the repeated news story headline — is shockingly unacceptable.

There is one slender ray of good news: Department of Homeland Security inspectors found the cracks in the system, not terrorists. However, this is far outweighed by the bad news: A highly publicized failure of this magnitude destroys the illusion of security, and yes, for those who criticize airport security as being merely for show, illusion is a useful component of security. Security checkpoints, here and abroad, have almost never caught terrorists; the screeners find enough weapons — over 2,000 in 2014 — to create an impression that they are on their game. And that deters terrorists.

Whatever TSA's critics may think of airport security, terrorists seem to take it very seriously. Faced with an array of greater intelligence efforts — even the perception of increased security at the airport, the possible presence of air marshals on any flight, locked and armored cockpit doors, and passengers ready to take on anyone threatening the plane — they seem to have just about abandoned hijacking airplanes as a viable terrorism tactic.

Over the long run, attempts to sabotage airliners also have declined, but terrorists have not stopped trying to smuggle explosives aboard airliners, and sometimes they have succeeded. In an attempt to foil security, they build small devices that can be concealed in ways that will make them undetectable to all but the most intrusive searches. To find the most artfully concealed explosive devices on the most dedicated suicide bombers would require a full-body search. This vulnerability is hard to close, but forcing terrorists to operate at this level of technical sophistication and commitment is still an achievement.

The recent TSA testing failure is not merely a public relations problem. Firing one or more top officials may temporarily satisfy Washington's bloodlust, but will not solve the problem of performance. Appointing a new director does not immediately improve performance. That would be the task of the new director. A failing grade in this round of tests also should not lead to a wholesale reorganization of TSA. Getting the wiring diagram right will not by itself improve performance.

Those who despise the TSA for various reasons, most of which are unrelated to airline security, will take perverse delight in its failure and use it for political capital. Some will want to punish the TSA by cutting its budget. If $7 billion a year delivers a lousy 5 percent success rate, they will argue, what are we paying for?

Some will want to take the opportunity to return airport security to private contractors. Certainly, they can't do worse, right? Scores from old tests can be resurrected to show that they performed better. This was primarily because tests from an earlier era were unrealistic — the original test bombs looked like they had been ordered from Acme by Wile E. Coyote in a Warner Brothers cartoon — and the screeners often were tipped as to when they were going to be tested. As tests become more realistic and are carried out covertly, the test-takers' grades are going to go down. Faced with today's tests, I suspect that the pre-9/11 private screeners wouldn't catch a single threatening object, although this is still no excuse for TSA's 95 percent failure rate.

Giving security responsibilities back to the airlines would not necessarily be much cheaper. It would reduce a line item in the federal budget, and the costs would instead be reflected in passengers' tickets. The airlines would have every incentive to reduce security costs. The assumption that airlines have a lot to lose if a breach in security resulted in disaster — and therefore will do a better job in terms of security — did not lead to stellar security in the past. Contracts were given to low bidders. Screeners were poorly paid, training was reduced, and in some cases, omitted. Turnover rates of screeners reached 300 to 400 percent a year.

The government would still need an infrastructure to ensure compliance with security requirements and standards. Security would again become a matter of compliance with precisely prescribed rules, creating an adversarial relationship. Private security may be an option. It does not guarantee better security.

The inspectors who foiled the security measures were described as “auditors,” not a “red team.” The term “auditors” conjures up guys in green eyeshades, mild-mannered men and women as opposed to special forces teams with James Bond gadgets. The investigators were, in fact, experienced inspectors with an insider's knowledge of airport security. The tests were conducted covertly, and they appeared as ordinary passengers. Their boss, the inspector general, who heralds from the Department of Justice, has been tough on TSA's performance. One may safely presume that the inspectors were determined to succeed. That makes them a pretty good red team.

The inspectors had additional advantages. There is no indication that they used names that were on the no-fly list. If they did, and they were undiscovered, there is an intelligence problem in addition to a screening problem. There is a lesson here, though: TSA claims that its security is “intelligence-driven,” which is good, but it cannot become intelligence-dependent. Not every would-be hijacker or saboteur may be on some list — airport screening is still needed. We also don't know if the inspectors deliberately used counterfeit identification documents.

The inspectors would also be able to more easily thwart any behavioral detection efforts. A terrorist, knowing that he or she faces imprisonment for life if apprehended, the prospect of a shootout, or certain death, seems likely to be under greater stress than an inspector who, if discovered, will show his real credentials and walk away.

Airline security is multilayered, meaning that failure of any single component will not be fatal to the entire system. In this case, inspectors had the benefit of a free pass to the checkpoint.

So, what lessons should we take away from this latest test? First, note the word “we.” TSA is not an enterprise created by the federal government to torment the American people. Its failure provides no joy. Air security should be the nation's collective concern.

Second, the inspector general's report should be thoroughly analyzed to see what lessons can be learned. What failed? Was it the technology? Was it human performance? How can the immediate holes be plugged? Behind the public statements and testimony before Congress, that is probably going on right now.

Third, TSA should be conducting even more testing, even at the risk of more failures being publicized. Continuous testing is essential to keep security ahead of our terrorist adversaries. Our red teams should be even better than the terrorists they imitate. Tests provide continuing measurement of performance, a basis for analysis and feedback to those performing the tasks. Do some procedures frequently fail? Do some airports consistently perform better? What are they doing that can be emulated at other airports? Do some consistently perform poorly, and if so, why?

More than 13 years after 9/11, we are still struggling to ensure the continued security of America’s airliners, which suggests that this is not an easy task. Most of the problems seem to be in human performance. This is not because TSA agents are not up to the task. Screeners work hard to do their best, and they regularly uncover guns and other weapons that passengers attempt to conceal. Their failure is not owed to the fact that passengers have observed them taking breaks or occasionally joking with one another. The checkpoint is their workspace. Effective security does not require visible hardship or a scowling demeanor.

Screeners have a difficult task to perform under often terrible conditions. They have to deal with crowds of soon-to-be passengers, who are often apprehensive about flying or missing flights or complain about being told by some stranger to take off their shoes or their belts or empty their pockets. Every move the screeners make is watched by hundreds of people who view the screeners as adversaries.

Do we have enough screeners? Since 2001, the number of airline passengers boarding planes in the United States has increased by roughly 17 percent. Security procedures have also increased. In response to terrorist attempts or uncovered terrorist plots, passengers are now obliged to remove shoes and carry limited amounts of liquids. Full-body scanners have been introduced and all checked baggage is inspected for explosives. But the number of screeners has not increased. Is poor performance a matter of stress? Or are we being too politically correct? Pat-downs in Europe comprise grips that in the U.S. would be regarded as gropes. Can anyone find a bomb with the back of their hand?

Screeners are obliged to repeat the same procedures to detect prohibited objects or substances. They find thousands of weapons, but these finds are statistically rare. Approximately 700 million passengers annually board flights in the United States — and every single one must be screened. That means every screener may be screening tens of thousands of passengers. And since 9/11, billions of passengers have boarded airplanes, but no hijacking attempts have been carried out in the United States. The “Shoe Bomber” and “Underwear Bomber” boarded their flights abroad.

The problem is not a shortage of terrorists, but how to keep thousands of screeners on alert every minute of every hour of every day they work for months and years. Routines set in. Tasks are invariably performed pro forma. Complacency is not far behind.

As we look ahead, we have to accept that humans, no matter how well-trained they are or how dedicated they are to their mission, are just not very good at maintaining laser-like focus while performing repetitive tasks. We need to figure out ways to be less dependent on human performance. That does not mean airport security can ever be completely given over to machines. Human intervention will still be required to do what humans can do best — make calculated judgments based on training, experience and common sense.


Brian Michael Jenkins is senior adviser to the president of the nonprofit, nonpartisan RAND Corporation.