A recent report from TSA showed that over 300 people evaded some element of the screening process, which is obviously not good, but we need to take a closer look at what’s happening here before rushing to judgement.
The TSA screens about 800 million passengers per year, at the rate of about 2.9 million passengers per day. Statistically, that means 0.0000375% of the passengers evaded some element of the security checkpoint process (if the calculator on my phone and Google is right). Not bad frankly. That’s pretty much measuring the noise of the system. This is a system run by humans (so far) and there’s always going to be some mistakes. We just try not to make critical ones nor make them so often they become a predictable vulnerability that threat-actors can rely on and exploit – like they did on 9/11/01.
Of the 300, 80 bypassed the travel document check area but were still screened. That’s why we have multiple layers. Although some element was bypassed, others did what they were supposed to do.
An estimated 200 entered the sterile area via the exit lane. This is the real problem. What we don’t know is how many people evaded security that we don’t know about. Nor will we ever know this number because threat-actors or people who’ve made a mistake or intentionally bypassed security, don’t call us later and tell us (most of the time).
All we can do is look at the number of times people are caught bypassing the system, and make some reasonable estimates of how many people are actually getting by, then determine what we need to do to fix the problem. But realize this – there will always be a problem. It’s about mitigating the risk while still having the system function.
So am I saying there’s an acceptable limit? Realistically, yes, but I’m not saying we accept that. If you’re NOT a security professional you’re cringing right now, but if you are, you know that 100% security is impossible unless you just want to shut down the entire aviation system. I’m not saying we don’t improve – we need to figure out how to always improve, and to also understand whether the overall system is doing its job, then fix the critical failures. In my mind, a critical failure is one where the entire screening process is bypassed and a person gets on a plane.
TSA likes to say that they have to get it right all the time while the bad guys just have to get it right once. True enough but humans run the system and we don’t always get it right – the key is to get it right at the right time, and to get it right enough times that the bad guys don’t attempt the attack for fear of getting caught or failing the mission. It’s about deterrence while still allowing the system to operate. You can’t eliminate crime but you can often relocate it to someone else’s problem (eliminating crime is a social problem – security is about it not happening on our watch, at our facility or to our asset).
TSA – keep saying that you always have to get it right, because it’s a great rallying cry to get people to work towards nothing happening on their watch (I’m not being sarcastic, I’m being serious). But in reality, let’s understand that there’s a difference between rare occurrences that didn’t result in tragedy versus critical, predictable, failures of the system.
Even with the occasional stowaway, in most cases the person has still gone through the screening process (keep in mind, your ID isn’t checked again at the boarding gate because the assumption is it’s already been checked by TSA). We’re more worried about the ones that aren’t screened.
Many airports are implementing anti-flow back technologies, which reduces the chances of a security breach, and I encourage this measure. Some airports still use just personnel to protect the exit lane but humans are fallible – they get bored, they get distracted and sometimes people stop to ask them for directions or information as they leave the sterile area and they miss someone trying to access the exit lane. Early in my airport security career, part of my job as a screener in the 1980s (not the 1880s as some of my university students have speculated) was to protect the exit lane and I can tell you it’s mind-numbingly boring. This is a better job for technology (or technology plus human).
How does this relate to TSA’s self-screening pilot program? What I DON’T encourage is taking TSO personnel out of the checkpoint, the way TSA has proposed as part of their new self-screening pilot program currently underway at the Harry S. Reid Las Vegas International Airport.
I’ve written about this previously in TSA’s Screening at Speed and I want to clarify that I have nothing against the airport, but I do have a problem with the TSA’s self-screening concept. If security breaches are a concern, particularly people bypassing the travel document check, then reducing the number of screening personnel in the checkpoint is NOT the solution. When you keep missing the target you don’t put less eyes on the target. TSA was on the right track with the automated screening bins and CT machines, and other improvements they’ve made to the process, but self-screening isn’t one of them.
