TSA Progress in the Aviation Security Act

Sept. 13, 2017

These observations are being written on the 16th anniversary of 9/11, following issuance of a GAO report in which TSA claims to have made progress implementing a series of 69 requirements put forth in the Aviation Security Act of 2016. The Act requires specific actions in 8 categories:

  • Conduct a threat assessment
  • Enhance oversight activities
  • Update worker credential guidance
  • Vet airport employees
  • Implement access control metrics
  • Create a tool for unescorted access
  • Increase covert testing
  • Review security directives

As of June, we’re told TSA had fully implemented 48 of the requirements (70%); 18 need further action and two have had no action at all. In particular, TSA told GAO they’ve done nothing about changing the access control rules because it plans to avoid rulemaking altogether, in favor of simply amending all airport operator security programs – but they don’t say how. They have been able to do that, and have done so, unilaterally since Day One of their existence 16 years ago. Further, that avoids the industry and public input required by the rulemaking process.

Some in both government and industry suggest there is a sharp line between informed discussion and sensitive security information; in my opinion, that is not only wrong but gets in the way of good security. There are several parts of the problem that have little to do directly with airport security, and almost everything to do with the process that comes first. I draw from Dick the Butcher, a character in Shakespeare’s Henry VI, Part 2, Act 2, who utters the famous line, “to improve the country, the first thing we do, let’s kill all the lawyers”. While perhaps taken a bit out of context, my point is that DHS and TSA are creatures of the US Congress, God help us all.

I have worked on Hill staffs, as well as in both FAA and TSA security; I have witnessed the origin of legislative and regulatory sausage, and in some small part may even personally bear some of the blame. It’s not pretty, and more importantly, it’s often more political than practical. I say this not to disparage Hill staffers, but it’s an exceptionally rare one who has actually set foot on the functioning side of an airport beyond the Dunkin’ Donuts shop to understand the nuances and consequences of an operating environment. Those who might have done so are still at the mercy of the political agendas of their boss who is responding to the lobbyist with the biggest/loudest PAC.

In the case of this GAO report on compliance with the Act, we’re talking about legislative mandates at the agency level, which in many cases must then be translated into coherent regulations, which must then be made both sufficiently flexible and enforceable at airports of every size and complexity, none of which build and operate their security systems, policies and procedures quite the same.

This is where I digress from my usual rant against TSA at the operational level. To be sure, there have continued to be many bumps and snaggles under the constantly changing guidance of thirteen (count ‘em, 13) TSA Administrators in 16 years, a few good and some not-so, resulting among other things in constant senior staff changes and more diverse opinions of what’s right and wrong with aviation security than you can shake your proverbial stick at. When it gets down to the people in the operational field of play, they typically have conflicting guidance from both TSA HQ and regional management, resulting in conflicting guidance to the airports.

Some of the Act’s requirements:

Conduct a Threat Assessment: TSA and its FAA predecessors have been doing that for years – that’s the foundation for a vulnerability assessment: vulnerable to what?

Enhance Oversight Activities: such as an airport rebadging if the percent of badges unaccounted for exceeds a certain threshold. Again, that’s been in the program forever – it’d be good if they occasionally spoke with the industry.

Update Airport Employee Credential Guidance: I get repeatedly annoyed when the ID badge is continually confused with the access medium. They are different animals, for different purposes, although they often ride on the same piece of plastic.

Develop and Implement Access Control Metrics: TSA developed a metric that determines the percentage of TSA inspections found to be in compliance with the airport security program. (I have an innovative idea for determining a metric: count them.)

Develop a Tool for Unescorted Access Security: A “tool” for randomly screening? How about randomly screening them.

Increase Covert Testing: TSA says it plans to increase the number of covert tests of access controls. Given several screening test failures of over 90% in the past year, this is actually a good and unfortunately necessary change. How about tossing in a little retraining as well.

Review Security Directives: Security directives are typically issued when additional measures are required to respond to a new threat. TSA officials stated they brief Congress when new directives are to be issued.

Where is Dick the Butcher when we need him….