Dear Admiral Neffenger,
Please Continue using risk based security – our biggest enemy is not bombs and guns, but political overreaction.
Trying to protect everything results in protecting nothing. While there are nice phrases that play well in the media, for politicians and for motivating someone on an individual level, like, we have to be right all the time, the bad guys only have to be right once, that’s not realistic from a strategic perspective. We can’t lock the system down so tight that we eliminate the benefit of air travel. There will always be some level of risk. We have to accept it and move on. When London was hit with bombs on their subways and busses in 2005, they didn’t hire 85,000 people and start screening everyone before boarding. They utilized other methods to increase security that didn’t eliminate public transportation nor adopt unsustainable strategies bankrupted the country. We need to think in more broad terms.
I’m always challenged with this question: if someone really wanted to successfully attack aviation, in some form, could they? The answer is yes, but, if someone really wanted to break into their house could they? Sure, no matter the countermeasures. So why do we still lock our doors? Deterrence. We can’t be a slave to the process; our goal isn’t to prevent every knife from getting on a plane, nor every bad guy from slipping through the system. Our goal is to provide a layered security system that convinces the bad guy that their attack will either (a) not be successful, (b) not have a significant impact, and (c) that if it is successful and has a significant impact, that we are going to fix what broke, and carry on (resiliency). If one thinks an attack will result in minimal impact that doesn’t cause significant economic damage and an erosion of our values, through political and regulatory overreaction, one thinks about trying other ways to attack that hopefully do not include transportation.
[Note: I do understand that TSA is about all modes of transportation security, but you’ll find you spend the majority of your time in aviation. Rail, maritime (as you well know) and trucking are all vulnerable areas, but it’s aviation that the terrorists keep coming back to.]
Don’t get treed by a Chihuahua
I’ll borrow a phrase I heard from the Special Ops community to make my point here – when someone jumps a fence at an airport, but then doesn’t do anything and is caught on the ramp, that’s not a failure of the aviation security system. It’s a failure of one layer, but other layers worked. In fact, it may not be a failure of perimeter security at all as one of the objectives of perimeter security is to delay an attacker long enough for them to be detected and responded too. Regardless, it’s not the goal to protect the ramp. It’s our goal to protect the airplanes and airports. The ramp is a layer that helps us detect, deter and respond to a threat to airplanes and airports. Even if they make it into the wheel-well and successfully fly to Hawaii, and the press says, “but what if that was a terrorist?” Well, it wasn’t. I’m sure our US intelligence assets aren’t looking for random fence jumpers and benign stowaways, and had this been a real attack, the perpetrator may have already come up on the radar of other law enforcement and intelligence assets. Again, political overreaction is our enemy. Just as a bunch of four-year olds playing soccer all chase the ball, we can’t all chase the latest minor issue as, amplified by the press, or agenda-drive politician about why we should all be scared and how their legislation will make it all better again. Kissing boo boos only works on kids. We need effective measures and realistic policies, not knee jerk reactions.
Another example of getting treed by a Chihuahua, is the recent focus on reducing access points at airports. There is such a focus on this to the extent that its become it’s own outcome, rather than a component of a larger strategy – as if to say, ‘we’ve eliminated 2 more access points so we must be winning’. This is not the desired outcome. Most airports have already reduced their access points to the operational minimum and to continue to tell them to reduce more, just hurts the system rather than improving security. Just because a little of something worked, doesn’t mean more of that something is going to continue to work.