Several recent leaks to the media about TSA shortcomings have called into question whether TSA is effective at doing its job, and to a larger extent whether the aviation industry is actually secure. The big question is: what should be done about TSA?

The question is obviously much easier than the answer. Let’s address it point by point, and take a look at some of the solutions that have been proposed.

First, the report that TSA personnel missed 95% of the test items brought through by Department of Homeland Security red teams. Remember that red teams know every security vulnerability in the system. I would expect a very high failure rate when you compare the existing system to the red teams. There are very few terrorists (if any) that have their level of knowledge about the weaknesses and gaps in the screening system.  I would not have been surprised to see a 40 or 50% failure rate when going up against the red teams, but clearly 95% is unacceptable.

What should we do here?

The real question is whether these are isolated problems that can be fixed, or whether the whole system needs to be overhauled.  When your car breaks down, you don’t sell the car, you fix the problem. If it continues to break down, you continue to fix it but then you start to wonder what is causing the problem to begin with.

To know whether the problems are systemic or isolated, the report must be analyzed to determine why the failures took place. Was it a procedural issue? Was it a technology issue? Was it a training issue? I doubt this is a systemic failure of the entire system but clearly something is wrong. If it is technology that cannot detect what it is supposed to detect, then we need better technology. In the meantime, I fully support the deployment of more canine bomb detection dogs to airport security checkpoints.

Dogs are a great force multiplier, bad guys don’t like to see them at security checkpoints, they are less intrusive than body imagers, and they are very good at detecting explosives.  I see the deployment of more canine teams as a way to make the bad guys think that they might be caught if they tried to bring a bomb on an airplane and if we have achieved that we have achieved one of our key objectives – prevent the bombing of a plane.

If it is a performance or a training issue, then that can hopefully be fixed through better training programs, and better managerial oversight.  To a certain extent we might be seeing a frightening trend that I am seeing culturally, that may now be affecting TSA. We are 14 years from 9/11, and I am hearing many of the same statements that were made about aviation security that I heard prior to 9/11. In fact, at an industry conference the other day I heard an individual say he thought we overreacted to 9/11 because it was just one attack not a trend. I suppose if somebody just has one home invasion that’s not enough excuse to lock their doors in the future because naturally, it’s not a trend (there is no emoticon for sarcasm but there should be). I should also point out that this individual was about 8 years old when 9/11 happened and doesn’t remember what travel and air security was like before then.

The farther away we move from 9/11, the more we forget. That said, I think it’s time the aviation security system matured so that it is less intrusive and more effective. But I also think we’re getting to relaxed in this country again about aviation security, and when we did that the last time we saw the result on September 11, 2001.

The other thing to consider about the red team tests is if these had been actual terrorist penetration attempts, there is a good likelihood that the planned attacks would have been detected by law enforcement intelligence or investigation agencies, long before the bad guys made it to a screening checkpoint. We have to remember that we are a multilayered system, and that the checkpoint is just one component in a much larger system.

What I do not want to see is some of the ridiculous suggestions I have heard recently like we should turn security back over to the airlines, or ban all carry-on luggage. When the airlines had the security responsibility, that did not work so well for us, and I cite 9/11 as my example. After 9/11, even I initially argued against the formation of TSA, and argued for a higher level of accountability for the airlines, but I’ve have changed my tune. The airlines are a for-profit business which means they will look to reduce expenses wherever possible. Security is an expense. Protecting the United States is a function of government.

Extreme measures such as the banning of all carry-on luggage or severely restricting carry-on luggage creates even bigger issues. When the liquid bomb plot was discovered in 2006 in London, carry-on bags were virtually eliminated for a period of time.  Passengers were forced to check laptops, cell phones and numerous other electronic devices and valuables, whereupon baggage handlers and baggage screeners thought they had just been let loose in Walmart, and were free to grab whatever they wanted – and they did! There is a reason they tell you not to put your valuables in checked baggage. And if you think the solution is to hire people who won’t steal, then I’m all ears on how you suggest we do that.

The benefit of aviation is speed. I can get anywhere by boat, car or rail, but I cannot do it as fast as I can do it by air. Checked bags slow down business travelers in terms of time and productivity, and the loss of time adds up quickly. If you don’t understand the financial impact of restricting carry-on luggage, then you haven’t been a business traveler. When you slow down business travel, which incidentally pays for the majority of the aviation system, you cause the business world to lose time and money, which affects our national economy. Attacking the US economy is one of the goals of terrorism so now we have just done their job for them.

Our goal is to provide reasonable levels of security that deter attacks, not to shut down the US air transportation system, nor make it ridiculously onerous and nonsensical, particularly when there are better ways to do things.

The next issue, aviation worker screening.

With recent reports about aviation workers smuggling guns and drugs through airports and onto aircraft, the issue of employee screening is once again upon us. It is false to say that employees are not screened. Employees are screened though a different process than passengers. In fact, “screening” is not a defined term in the regulations. The closest the regulations come to defining screening is to define the term screening function which means the inspection of individuals and property for weapons, explosives and incendiaries (Title 14 CFR Part 1540.5).

The screening function is fulfilled at the passenger checkpoints with body imagers, magnetometers and x-ray machines. For employees, the screening function can be fulfilled through the criminal history record check and security threat assessment that is conducted on airport workers in order to receive an airport access identification badge. There are a few other regulations and internal guidance that address and better clarify this “screening function” but I am simplifying for our purposes here.

The truth is that throughout aviation’s history, there have been numerous incidences of employees committing or assisting in acts of terrorism against aviation, and I agree that something must be done.  I disagree however with just “simply” putting  all of the employees through screening checkpoints. This does not solve the problem, it cost a lot of money, it’s not “simple,” and there are just as effective ways to achieve the same result.

So what is wrong with just putting employees through the checkpoint?

Airport security checkpoints are designed to handle a certain passenger load on an hourly and an annual basis. It is part of the algebra used to determine airport terminal designs.  TSA screener staffing models are also based on these passenger projections. Putting employees through the screening checkpoints will result in longer screening lines, and cost more money in terms of terminal expansion and additional TSA personnel.

Additionally, it is not a 100% solution as screeners can also be compromised just as air marshals, baggage handlers and others in the aviation system have been compromised. Employees often have to use and carry prohibited items into security areas in order to do their jobs, and also have to frequently pass from the public to the security areas, and back many times throughout the day. If you fly, you already know how much time it takes to get through a screening checkpoint, now imagine your gate agent having to do that eight or nine times a day — yes, your flight will be delayed.

And for those that say, “well, I hear this other airport is making all their employees go through screening”, you have to look at a variety of issues. The size of the airport matters. The design of the airport matters. The political support and the financial capability of the airport matters.  What also matters is the question of whether the airport is really doing 100% screening at the level passengers are being screened, or there are they doing some form of an employee inspection that does not hit the 100% mark. Typically, for security purposes, airport operators are not going to divulge some of these secrets, and for good reason. If you think some airport is doing 100% employee inspections, then good – keep thinking that.

But I do agree we need to do something, but let’s do the right things. There are three initiatives that have my full support to increase employee security.  First, is to require biometrics to airport access control systems. Second, is a requirement to train all individuals who are issued airport identification badges, in how to spot suspicious activity, how to spot signs of potential workplace violence and how to spot behaviors that are pre-incident indicators of an attack. Third, I support the implementation of employee inspections.

TSA already does random inspection of airport workers in the security areas of the airport. I strongly encourage these programs to continue, and expand. But using TSA personnel takes them away from the security checkpoint, which is their core mission. Airport operators already know that some form of employee “screening” is coming their way so I encourage them to be proactive in engaging security personnel in setting up their own employee inspection programs. This will be a lot cheaper than expanding checkpoints and more cost-effective than putting their entire workforce through the passenger screening process. Plus, it will not slow down the flow of passengers through the airport.

Even if we do all of the above, there will still be people who will say that the system can still be compromised, and they are right. We don’t need to have 100% security, we just need to have an effective security system in place, and an effective system is one in which the bad guy thinks they will get caught if they attempt an attack.

The third issue: TSA employees on terrorist watch lists.

The recent report about several TSA workers being on terrorist watch lists is more complex than one might think. As a former US Coast Guard intelligence officer with the majority of my experience during the drug war days of the late 80s and early 90s, I can attest to the fact that there are many “watch” lists.  In fact, just about every government law enforcement agency has its own database and its own “lists,” of individuals that are watched or are in the database for various reasons.

When the Aviation and Transportation Security Act was passed in November 2001, creating TSA and giving them broad powers over transportation security, one thing it did not do was provide them unfettered access to all of the available intelligence the US government has to offer. I’m not sure I know of any government agency that has access to everything. While we have made huge leaps in intelligence sharing since 9/11, there are still lists that not everyone has access to. That seems to be the case here.

If it is discovered that access identification was issued to TSA personnel without the proper background check being conducted, then that needs to be fixed. However, the process to receive an airport identification badge includes a check by the Federal Bureau of Investigation for past criminal history, and a check by TSA itself in a process known as the Security Threat Assessment. The STA compares the individual’s name against a variety of watch lists maintained by the FBI’s Terrorist Screening Center. It may turn out that the 73 workers were simply not on the lists that TSA has access to. And if that is the case, and the individuals represented a threat, then we need to take a look at why TSA did not have access to those lists.

The new TSA administrator is going to have his hands full. Clearly, there are significant changes that need to be made at  the checkpoints to improve performance while not inconveniencing the passenger, violating their rights, or slowing the system down. It is a tall order, but that’s why it takes a special individual to do it. Former TSA Administrator Pistole brought us risk-based security, so now it’s the charge of the new Administrator to bring balance to the force. I think the best way to do this is engagement with the industry – airports and airlines, an assessment of the TSA processes and technologies – fixing what’s broken, and to take a look at new ways to deter bad guys from trying to attack aviation.

And something you probably didn’t know. . .

Behind the scenes, ultimately it will be airports that are left to deal with the longtime issue of aviation worker security. Your local airport is already trying to deal with new credentialing requirements from TSA and numerous recommendations that will result in increased capital and operating costs. But don’t worry, they will pass the cost right on to you, the consumer. Because at the end of the day we are the ones that pay for all of this. So that’s really the question isn’t it? How much security do we want to pay for? I can tell you I do not mind paying for it as long as it is effective, and by effective I mean it deters the bad guys from trying to carry out an attack, it does not unduly slow down the air transportation system, and it does not make a significant negative impact to our way of life. Security is meant to get in the way, not to stop the process entirely.