How to Fix the TSA

The latest burst of complaints over TSA is well-documented (see my coverage here). There's definitely a lot of merit to many of the arguments, not the least being that the focus on perimeter screening suggests a blind naivety: the TSA seems to think that a) all threats come through checkpoints, and b) they're somehow able to stop all threats (known or unknown). Unfortunately, while our civil liberties continue to be forfeited on a whim for the secure feeling of a police state, the terrorists continue to win.

Background: A Massive Policy Failure

Before getting into my 10 recommendations for fixing the TSA, let's first look a bit into the background of the TSA so as to better define the problem space (again, you can read my original list of gripes here). It's important to understand the background of the TSA before launching into discussion of how to remediate the problem because it turns out that the TSA is - corruption aside (see #10 below) - doing its best to meet the task assigned. See, the problem isn't so much that the TSA is stupid and only understands how to do one lousy thing, but that they're really only chartered to do one thing: screening, with a heavy emphasis on perimeter controls.

The TSA was created in 2001 as a knee-jerk reaction to the 9/11 terrorist attacks (see the Aviation and Transportation Security Act (ATSA)). It was originally positioned under the U.S. Dept. of Transportation (USDOT), but was later moved under the newly-created Dept. of Homeland Security (see the Homeland Security Act of 2002, which created DHS). Along with creating TSA, the ATSA also created the Transportation Security Oversight Board, which followed TSA from USDOT to DHS.

The ATSA provides the key defining characteristics about the TSA. The Homeland Security Act (2002) does little to modify the mission of TSA, with perhaps one small exception (specifically "Preventing the entry of terrorists and the instruments of terrorism into the United States." [IV.A.402.1] - scope is an interesting question, incidentally, because TSA is merged under the same Under Secretary responsible for Border Patrol and Immigration and Customs Enforcement).

If you read through the ATSA, then you'll want to key in on a couple places. Section 106 specifically addresses the mission of the TSA. Specifically, it says:

SEC. 106. IMPROVED AIRPORT PERIMETER ACCESS SECURITY.
‘‘(4) AIRPORT PERIMETER SCREENING.—The Under Secretary—
‘‘(A) shall require, as soon as practicable after the date of enactment of this subsection, screening or inspection of all individuals, goods, property, vehicles, and other equipment before entry into a secured area of an airport in the United States described in section 44903(c);
‘‘(B) shall prescribe specific requirements for such screening and inspection that will assure at least the same level of protection as will result from screening of passengers and their baggage;
‘‘(C) shall establish procedures to ensure the safety and integrity of—
‘‘(i) all persons providing services with respect to aircraft providing passenger air transportation or intrastate air transportation and facilities of such persons at an airport in the United States described in section 44903(c);
‘‘(ii) all supplies, including catering and passenger amenities, placed aboard such aircraft, including the sealing of supplies to ensure easy visual detection of tampering; and
‘‘(iii) all persons providing such supplies and facilities of such persons;

As you can see from the above quote, TSA is primarily charged with perimeter security, not with securing the entire airport environment. This is a rather significant problem! No wonder they're so focused on making the checkpoints the biggest, baddest things ever - it's about the only thing they're allowed to do!

BTW, you might have read that some people are encouraging airports to privatize security. All good and fine, except one small problem: the TSA still has regulatory oversight, and the private companies must implement perimeter security that is at an equal or greater level (aka "degree of intrusiveness") as the TSA maintains. Section 108 describes these requirements:

SEC. 108. SECURITY SCREENING BY PRIVATE COMPANIES.
‘‘§ 44920. Security screening opt-out program
‘‘(a) IN GENERAL.—On or after the last day of the 2-year period beginning on the date on which the Under Secretary transmits to Congress the certification required by section 110(c) of the Aviation and Transportation Security Act, an operator of an airport may submit to the Under Secretary an application to have the screening of passengers and property at the airport under section 44901 to be carried out by the screening personnel of a qualified private screening company under a contract entered into with the Under Secretary.

‘‘(d) STANDARDS FOR PRIVATE SCREENING COMPANIES.—The Under Secretary may enter into a contract with a private screening company to provide screening at an airport under this section only if the Under Secretary determines and certifies to Congress that—
‘‘(1) the level of screening services and protection provided at the airport under the contract will be equal to or greater than the level that would be provided at the airport by Federal Government personnel under this chapter; and
‘‘(2) the private screening company is owned and controlled by a citizen of the United States, to the extent that the Under Secretary determines that there are private screening companies owned and controlled by such citizens.

The bottom line is this: The TSA is operating with the mission focus that they've been assigned by Congress. The problems we're seeing today are a direct result of a massive policy failure. While I think that there are some changes that can be made without modifying the ATSA, ultimately it is amendment of the ATSA that will help provide a revised mission and scope of work that can lead to a much-needed overhaul of the TSA.

10 Steps to a Better TSA

  1. Amend the ATSA - The fundamental problem with the TSA is a massive policy failure in the Aviation and Transportation Security Act (2001), which created the organization with the incredibly short-sighted and ill-conceived focus on screening and perimeter security. If you want to create a law enforcement agency (which is how the ATSA describes the TSA), then you must create a full-scope force that has investigative powers and not just wand-waving, groin-groping responsibilities. The TSA is a failure because of the law that created it, plain and simple.
  2. De-Emphasize Screening Technologies - Too much focus is being placed on screening technologies. A big part of that is corruption (see #10 below), but it's also indicative of a failure to understand how to properly and effectively screen passengers. Technology is ok, but it is no panacea, and it will not replace human intuition anytime soon. Instead, the TSA needs to implement behavioral profiling, whether it's politically correct or not. If Americans (80% or more) are willing to be seen naked on machines, then they should have no objection to being more heavily scrutinized in line. TSA officers are already checking tickets and IDs at the beginning of the screening checkpoint. There is absolutely no reason why they can't also ask a few pointed questions to begin the profiling process. The screening procedures themselves can then be relaxed a bit to allow other investigators to passively monitor how people respond once they can "relax" past the initial check. Using this approach would produce far better results.
  3. Improve Officer Training Requirements - All TSA officers should have the same level of training and education that the average law enforcement officer has received. The thought that a minimum wage employee with a GED is somehow equivalent to a police officer is insulting to the police and dangerously naive. For officers conducting more intensive profiling and investigations, the experience and training+education requirements should be commensurately higher. A law enforcement agency was chartered, so why isn't it being staffed like one?
  4. Add Whole-Airport Presence - This recommendation is somewhat dependent on #1 insomuch as the scope of the TSA is somewhat limited. However, there is nothing to prevent the TSA today from doing more walkthroughs, spot checks (profiling!), etc., through airports. It's not how people act in the original screening lines, but what they're doing after screening that I think would be very interesting. Yes, some people will crack under the pressure of the initial screening, but I'm really not as concerned about those people. It's the professional killers we need to worry about, because they are the ones who are far more likely to carry out successful attacks that kill a lot more people.
  5. Provide Dosimeters to Officers - If you want the public to be confident that the new scanners are safe, then you need to take up the offer by the AFL-CIO to provide free dosimeters (radiation badges) and badge monitoring to TSA officers. If these x-ray machines are so safe, then what's the harm? On the other hand, if they're not safe, then it's time to come clean before it turns into a massive class action lawsuit. Bottom line: If you want me to use the "naked" scanners, then provide me with a daily reminder that they're safe!
  6. Mandate Technical Controls Halting Image Storage - Procedural controls that prohibit storing and copying "naked scanner" images are grossly inadequate. These machines need to be reconfigured so that they can only temporarily cache images (in memory or NVRAM), and so that they outright block storage of images beyond a short-term case. There are a couple of things to keep in mind here. First, this change likely means adding a separate "investigations" server for archiving images for forensics purposes (if someone gets caught carrying something through, then you may need the image as evidence later). However, at the same time, it should not be possible to save the images in order to play back "favorites" over time. Also, access to external storage (e.g., USB drives) needs to be physically disabled. Use of physical and technical controls is far more reliable than expecting people to always act responsibly.
  7. Prohibit Photo/Video Capture in Control Room - In addition to implementing technical controls prohibiting storage of "naked scanner" images, it is also important to prohibit bringing photo and video capture devices (e.g., mobile phones) into the scanner control room/area. It's very common to forfeit your phone on entering a SCIF, and this area should be treated exactly the same. In fact, one could argue that the control area/room is a SCIF and that all standard practices should apply. This would be a simple procedural change that would help improve public confidence.
  8. Increase Transparency, Reporting, and Accountability - We've all heard stories about the kinds of things confiscated by TSA officers, but what threats have been neutralized? These are public-facing law enforcement officers, so the public has a right to know how effective they are. All police departments publish a "blotter" report that lists recent activities. The TSA should be, minimally, publishing similar reports. Along the same lines, it is also imperative that accountability be raised to public awareness. All of the allegations about improper screening by officers should be directly correlated to disciplinary actions, and those actions need to be reported to improve public confidence in the TSA. Open is the new closed, dontchaknow?
  9. Fire, Arrest Officers Abusing Authority - There have been numerous reports of abuse by TSA officers in executing their screening duties. Women have been fondled inappropriately, as have children. In at least one case a boy was strip-searched. All of these situations MUST result in severe disciplinary action (minimally, termination of employment, if not criminal complaints). To restore public confidence, all complaints must be taken seriously and actioned appropriately, especially in the short term while the TSA works to restore public trust. Americans generally distrust government already, and the past few weeks of enhanced screening have done nothing to improve that perspective.
  10. Fine the Manufacturer, Sanction Chertoff - It is perhaps the worst kept secret making the rounds right now: Michael Chertoff, former DHS secretary, has a financial stake in the company that makes the "naked" scanners (see "Chertoff-Lobbyists and Airport Scanners" and "Why Is Michael Chertoff So Excited About Full-Body Scanners?"). That's right: the guy who was in a position to dictate the adoption of a technology also stands to profit handsomely from the Government's purchase. Can you say "conflict of interest" and "insider trading"? I sure can. This is the very definition of government corruption, and it's time to make an example of someone. Chertoff, the Chertoff Group, and any associated lobbyists, should be banned from any contact with the US Government going forward, and full-on corruption investigations should be launched. Talk about violating the public trust! I can't think of a much better example. Oh, and in case you don't find that bad enough, then it's also interesting to read that Chertoff is apparently also peddling a new "Verified Bio ID" that would allow one to bypass the invasive screening lines that he helped create!

What You Can Do Today

First, review the EFF's excellent guide on how to "Stand Up Against TSA’s Invasive Security Procedures."

Second, donate to the Electronic Privacy Information Center (EPIC), which is leading court action against the TSA.

Third, join the American Civil Liberties Union (ACLU), which is a perennial defender of your rights, and which is also leading court action against the TSA.

Finally, contact your U.S. Representative and your U.S. Senators to let them know that you're rather fond of freedom, and to express your disgust over this continual slide toward a despotic police state.

Comments (2)

Ben:

Updated to correct "SKIF" to "SCIF"...

Here's the opinion of Stephen Whitten who is the expert on Interactive Security Technology: "Techno-physiology can stop terrorists NOW!" http://ow.ly/3eo4I

About

This page contains a single entry from the blog posted on November 22, 2010 9:45 AM.

Creative Commons License
This weblog is licensed under a Creative Commons License.