Our Expensive “Security Theater:” Failure in the Face of New and Troubling Threats to Air Travel

When I lived in Sweden years ago, there was a delightful little holiday they celebrated in June called “Midsummer’s Eve.”  Maypoles, flowers, singing, dancing until midnight.  I always felt so joyful after that holiday.

Here in the U.S., I see that our own celebration of the summer season has begun.  It’s called the “Airport Security Theater” holiday.  Per tradition, we all gather at the airport at least three hours early, do a shuffle in a long conga line as Transport Security Officers gleefully bark out instructions at the top of their lungs about laptops, water bottles, and whatever else has been recently added to the list of prohibited items.  We make merry with complete strangers, sharing dark jokes and even darker language about the TSA agents and the government in general.  Not exactly delightful…but, it’s our holiday and By Gum we’ll hang on to it like grim death.

I am being a bit cynical to make a serious point.  What we are witnessing with the insanely long lines, tired excuses, and knee-jerk reactions by the Transport Security Administration (TSA) is indeed a version of “Security Theater.”  What is this, exactly? As with any kind of theater, it is meant to entertain us.  The Romans called it “Bread and Circuses.”   No, seriously – security theater is a show for us put on by the Federal Government and enacted by the Department of Homeland Security (DHS) through the TSA to reassure the audience – i.e., all of the unfortunate travelers out there — that everything is “OK.”  We’re safe.  Big brother is taking care of us.  I daresay you didn’t know this, but this performance is increasingly one of the most expensive tickets in town…courtesy of your tax dollars.  The Security Industrial Complex salivated after 9/11 and has – in addition to the workhorse baggage X-Ray scanners and metal detectors, rolled out billions of dollars of technology to screen conspicuously for bad things such as the “puffer machine” (trace explosive detection), backscatter X-Ray machines, Millimeter Wave Scanners, and a byzantine process of disrobing and disassembling one’s baggage and accoutrements, and placing these into bins to be inspected one-by-one, like cattle going through a tick-bath.    Political correctness plays a huge role, after all this is the U.S.  So, randomly (and the TSA takes great pains, to emphasize ITS RANDOM) a 7-year old with a teddy bear, or an octogenarian with a WWII veteran ballcap and a walker gets hauled aside and given the third degree (politely but firmly, of course), all to pay homage to the great gods of equality-of-outcome.

We are expected to accept this as the – wait for it! – “new normal” (a favorite Government cliché’) due to insufficient funding of the TSA, shockingly inept management despite incentive bonuses, and the growling thunder of new threats on the horizon including the bombing of a tourist-filled airliner, a suicide bomber who blew himself out of the side of another commercial airliner in the same region, and then the EgyptAir flight that vanished catastrophically at 37,000 feet a couple of weeks ago.

Let History be the Guide

A healthy dose of criticism of TSA and this latest iteration of Security Theater is in order for two reasons.  First, the operative security policy that calls for securing the chokepoint between public space and the concourse implies that the principal threat we must guard against is a passenger trying to smuggle through a gun, a bomb, a knife or some combination of these and other “bad things.”  The TSA stubbornly adheres to the philosophy that we must emphasize protection against bad things, not bad people; hence the massive capital investments in technology and manpower to reinforce and screen the chokepoints between the public space at airports and the concourse.  Second, it’s increasingly apparent that those “bad people” – the terrorists – that TSA is protecting us from have figured out how to get around the multi-billion dollar “wall” inside airports, and get at the aircraft.  It’s called the insider threat, and the philosophy of bad-things-not-bad-people, while politically soothing for Washington, fails us in this regard.  The new terrorist threats on the horizon that I alluded to worry me, and they should worry you too.  This is why:

– On 31 October 2015 Metro Jet 9268, an international chartered jet filled with innocent tourists was blown out of the sky over the Sinai Peninsula by a strategically-placed 2.2 lb. explosive inside the cargo hold.  The culprit?  A mechanic with red-badge (trusted) access to the aircraft.  The group claiming responsibility was the Islamic terrorist group, ISIS.

– In early February 2016 Daallo Airlines 159, a Somali-based commercial airliner, was nearly blown apart by a suicide bomber sitting strategically over the wing and fuel tanks.  He carried aboard an explosives-laden laptop with a timer, but delays in takeoff saved the aircraft.  It was at 14,000 feet and remained intact.  Only the bomber, who was sucked out a hole made by the blast, died in the explosion.  The culprit?  Two airport workers with red-badge access (trusted) to the concourse and a screened passenger aboard the flight.  CCTV video shows the airport employees handing off the laptop to the Al-Shabab operative after he got through security screening.  Had that bomb gone off at cruising altitude, say 37,000 feet, the story would have had a much more tragic ending.

– On 19 May 2016 EgyptAir 804, enroute from Paris Charles de Gaulle to Cairo, cruising at 37,000 feet, abruptly and violently vanished from radar and plunged into the Mediterranean Sea.  It’s abrupt disappearance and crash remains a mystery, however I suspect terrorism for two reasons.  First, while there are those naïve souls out there among us that cling to the hope it was a catastrophic mechanical failure and point to the fact that the “terrorists have not claimed responsibility”…it’s clear they do not understand the nature of this terrorist threat.  In early December 2015 over 70 employees at Charles de Gaulle airport had their red-badges revoked due to links to radical Islamic terrorism.  That, in itself, is a significant concern.  A plausible working theory is that the terrorist group responsible, out of operational security (yes, they do pay attention to these things) will not take credit because they have an active cell of insiders still active at the airport. For them, that is a valuable asset not to be wasted or compromised.  Hence, no attribution will be forthcoming.  Even if my suspicions are disproven in this case, the underlying risk exposure remains.

– On 22 March 2016, ISIS-linked terrorists calmly detonated their baggage carts in the ticketing and departures area of Brussels International Airport, killing 17 innocent travelers and wounding over 300.

What each of these recent incidents share is the trend towards terrorist tactics that either avoid (such as in Brussels) or get around (Sharm-El-Sheikh, Mogadishu and potentially Paris CDG) the vaunted Security Theater put on for our benefit.  Rather than ingeniously crafting ways to smuggle disguised explosives through the security gauntlet – like the underwear bomber – terrorist operatives have adapted and are now targeting insiders with access to the aircraft, access to screened people.  Airport security has become our modern version of the French Maginot Line.  It did nothing for the security of France at the outset of WWII as the German military planners simply crafted and executed a strategy to go around.

Address the Issues

What does this mean?  It means we need to get smarter about security and learn from the threat actors who want to kill us.  The “bad things, not bad people” approach is a bit like the “guns kill people, people don’t kill people” line of thinking that stubbornly persists in our political discourse.  Illogical, but useful for those who need to adhere to political correctness and ensure one group is not singled out for preferential treatment.  There are solutions to security theater that make sense and should be implemented.  These can and should include the following:

Risk-managed security programs instead of compliance-based programs.  The difference between the two is that with one, which requires risk assessment, the “lights are on” and an intelligent and agile process is applied to designing a cost-effective countermeasure response.  With the other, it’s “check the box” and no real thought is put into countermeasures…it is compliance based on “best-practice” or whatever knee-jerk response is politically expedient and passed down from senior management.  It’s lazy.  That is often how Security Theater originates.

Procedural changes.  DHS and TSA should get proactive and convene a stakeholder meeting with the airline industry and push for a rollback of checked-bag fees.  This, coupled with stricter management of what (and how much) can be carried on board, could help alleviate the long screening lines at airport security.  Further, the TSA Pre-Check program, an excellent vetting mechanism for business travelers, should be staffed at all times.  Alleviating the pressure of the long-lines is very relevant to security.  Ultimately, those long lines of passengers doing the TSA shuffle puts pressure on TSA screeners to increase throughput and efficiency inevitably will suffer, no matter how professional they are.  There are metrics to back this up.  In early 2015, it was reported that TSA had a 95% failure rate in undercover security tests at airports across the U.S.  While that failure rate would spell the end of a private-sector CEO or Manager, not the TSA.  In September of 2015, five months later, the DHS Inspector General reported that there had been no improvement by TSA, and that subsequent testing was “disappointing and troubling.”  They reported failure of technology, failure of procedures, persistent human error, and consistently missing layers of security.

Profiling.  Screening for “Bad People” profiles should – if they do not already – begin at the check-in and ticketing area and continue through security screening and onto the concourse.  Profiling is not exclusively meant to target ethnicity or nationality.  It also includes behavioral traits, and this can be the difference between life and death.  The Israeli carrier El Al is considered the world’s most secure airline because of the layers of both physical AND procedural security layered into their protocols.  El Al does do ethnic as well as behavioral profiling (not exclusively, but common sense prevails), they do interview passengers individually and watch for behavioral queues, they search checked luggage by hand, and they maintain strict control of who gets access to the aircraft on the ground.  Their security starts at the public-space around departure, the ticket counters, and adjacent areas, includes the public-to-concourse security screening, and includes further screening at the boarding areas.  Armed air marshals are on each El Al flight.   This holistic and realistic approach to security ensures that while other airliners in neighboring countries are blown out of the sky, one after the other, the Israeli passenger airliners continue on their way unmolested.

Screening for Insiders.  Airlines and airports vet and screen their employees.  However, what is less clear is how robust and proactive this screening and vetting program is across the industry.  Vetting and screening for insider threat means putting in place a more frequent, random program that updates existing profiles.  Insiders more often than not start off as good people, but in the course of their personal life develop vulnerabilities and become exploitable.    Inadequate screening updates will miss these changes.

Accountability.  Ultimately, crisp and effective rollout of changes across the TSA will not happen if they do not have a senior leader who “gets it” and is capable of cutting through the bureaucracy and calcified culture that exists in the organization. I emphasized a leader, not a manager. The head of TSA needs to be replaced, also with, from the sound of it, quite a few senior executives.   Certainly, if they cannot exhibit leadership traits, it is imperative to boot them out.  If not, management-by-committee and bonuses that are not tied to performance will be the culture that prevails.  Managers, not leaders.

So, the next time you feel tempted to feel sorry for the TSA when you are at the airport, don’t.  They received $8 billion dollars of taxpayer money last year, and their public-unionized workforce is howling for more.  That is at least $8 billion that was not paid out to a government-run entity before 9/11, and the spectacular fail of their shiny objects & security theater last year should be a wakeup call for us all.  It is not a new normal.  The federal DMV – which is what it’s become – is unacceptable, particularly since it is exhibiting such inefficiency and ineffectiveness in the face of a very real, dynamic threat.

Take Action – Drop the Act!

TSA’s Summer Theater Spectacular is not unique. Commercial industry and other government agencies fall prey to the same dramas, dysfunctions, and weaknesses.  It’s imperative to focus on Prudent Protection and skip the performance of Security Theater.   When people and institutions feel safe due to a false sense of security, they let their guard down – inviting the villains of this world to make their move, and that is a show no one wants to see.