This article was originally published as part of Homeland Security Today’s 9/11 commemoration.
Although much has changed in 20 years, many of the fundamental security challenges facing the nation’s transportation system have not. The threat of terrorism – state-sponsored and otherwise – is very real. Our aviation, maritime and public transportation systems remain attractive “soft targets” for terrorists and bad actors: critical to our economy and national security, used by millions of people and businesses every day, and highly interdependent. A single attack on one part of the system can have ripple effects on the entire network.
Issues the Sector Continues to Face
On September 11, 2001, terrorists demonstrated a terrifying ability to innovate and to find vulnerabilities in our security posture. They took advantage of our assumption that terrorists would seek to hijack airplanes, not fly them into buildings. We were defending against yesterday’s threat.
Maintaining a proactive and imaginative approach to security, while still addressing known vulnerabilities, is a tough challenge for any government organization, as the history of TSA itself demonstrates.
During the first 10 to 15 years after the 9/11 attacks, TSA and the aviation security industry followed a more reactive approach to security. When a security event occurred, such as the shoe bomber incident or underwear bomber incident, the TSA would implement a material or non-material security change. In the case of the shoe bomber incident, the TSA changed its security procedures by requiring passengers to remove their shoes and have them X-rayed. In the case of the underwear bomber incident, the TSA deployed Advanced Imaging Technology, commonly referred to as “full-body scanners,” to detect metallic and non-metallic weapons, explosives and other threats concealed under layers of clothing.
However, in the past 5 years, TSA has grown and matured as an organization, and has taken a more proactive approach to aviation security.
TSA has tested and, in some cases, implemented security technologies such as Automated Screening Lanes (ASLs), Credential Authentication Technology (CAT), Enhanced Advanced Imaging Technology (eAIT), checkpoint Computed Tomography (CT), and biometrics to enhance the efficiency and effectiveness of the checkpoint screening process.
Equally important, TSA is slowly developing an organizational culture that welcomes innovation and ideas from “outside the building.”
Although bad actors will always have an advantage (bad actors only need to get it right once while TSA needs to get it right every time), TSA’s proactive security posture, along with its mature intelligence-driven, risk-based strategy, will allow it to anticipate new threats and mitigate those threats before they happen.
The Most Pressing Threats
We know that terrorists are adept at using asymmetric tactics – leveraging low-cost, easy-to-obtain weapons of all kinds and using them against soft targets. With that in mind, here are several threats that we believe we need to be prepared for:
Insider threats. In the past 20 years there have been a series of incidents in the U.S. and internationally in which aviation sector employees created serious risks and, in some cases, caused damage. Depending on how you define it, there are potentially millions of transportation sector “insiders”: government employees, airport and airline workers, vendors, and subcontractors. And it’s not only the sheer number of people involved that makes this a serious threat. An insider threat could take the form of someone sharing critical information, looking the other way, or sending a malicious email.
Cyber terrorism. The aviation sector is not immune to the cybersecurity risks that have been critical issues for many other industries. Airports, airlines and TSA itself rely heavily on networked and cloud-based technologies, which are potentially vulnerable to attack. With the increased use of computer-based systems and automation across myriad aviation functions, the cyber threat has grown exponentially in the aviation sector. Although not specific to TSA, in 2020 the Government Accountability Office (GAO) published a report recommending that the U.S. government “fully implement key practices to strengthen its oversight of avionics risks.” The GAO found several potential vulnerabilities that could occur due to:
- Insufficient patches applied to commercial software
- Insecure supply chain networks
- Malicious software
- Outdated legacy systems
- Flight data spoofing
TSA has taken the first steps toward addressing what will likely be a multi-year effort to harden its cyber defenses by publishing a four-step cybersecurity roadmap that it is leveraging to achieve its cybersecurity goals. These four priorities include:
- Identifying current cybersecurity risks
- Reducing vulnerabilities to critical infrastructure and systems
- Mitigating consequences of potential incidents
- Strengthening overall security and enhancing the system’s resilience
A Critical Policy Question
In the immediate aftermath of 9/11, American taxpayers made a significant investment in aviation security. How do we sustain those investments in an era of shrinking resources and competing priorities? Can we leverage private-sector resources more effectively without compromising security?
Over the past five years, TSA has dipped its toe into the Public-Private Partnership pool. Specifically, TSA has developed the Capability Acceptance Process (CAP) to facilitate receiving ‘capability’ such as Transportation Security Equipment (TSE) and related services from industry stakeholders and security partners, like airports and airlines, who wish to accelerate TSE deployment timelines, recapitalize TSE, or enhance security and the passenger experience. There are numerous proponents of this process, but there are also those who believe the government should be resourced to support all TSE deployments and recapitalizations as well as security enhancements and passenger facilitation.
The question before us is, are we prioritizing those who have the resources to fund TSE procurements over those who must wait in line for TSA to execute their mission? Like everything, there is probably a ‘middle ground’ that we’ll need to find to ensure all aviation security stakeholders get some equity regardless of the processes being used.