The Prescreening Puzzle
WHEN FEDERAL AGENTS approached would-be Times Square bomber Faisal Shahzad on a Dubai-bound plane at New York’s John F. Kennedy International Airport on May 3, he’s said to have remarked that he had been expecting them. If that’s true, we’re left to wonder whether he was surprised at even being allowed to board the plane. He would not be alone. Many people were surprised that Shahzad was not stopped by the airline even though authorities had added him to the no-fly list earlier in the day. With regard to accused Christmas Day bomber Umar Farouk Abdulmutallab, a different problem created the vulnerability that almost led to tragedy—his name was never put on the list.
Abdulmutallab benefitted from failures in intelligence analysis, Shahzad from lax time constraints on airlines for processing government watch-list data. Like other misfires since the massive government reorganization that followed 9-11, these incidents show that much needs to be done to make the no-fly list and related watch lists useful, which clearly also means improving the way that intelligence about individuals who might present a threat is collected, analyzed, and distributed.
The federal government operates a complex interagency system of name-related databases aimed at identifying and flagging potential terrorists in hopes of preventing them from successfully carrying out any harmful activity. The system is built around two primary databases. The Terrorist Identities Datamart Environment (TIDE), maintained by the National Counterterrorism Center (NCTC), is the catch-all repository for information about individuals with known or suspected ties to international terrorism. The separate Terrorist Screening Database (TSDB), maintained by the FBI’s Terrorist Screening Center (TSC), is the country’s de facto national terrorist watch list, incorporating domestic and international terrorist identities. While TIDE and NCTC are a primary source for TSDB nominations, any official from any federal agency can nominate an individual to the TSDB.
Individuals on the TSDB are also automatically placed in a number of other federal government databases both to help find them and to prevent them from engaging in potential terrorist precursor behaviors. These databases include the State Department’s Consular Lookout and Support System (CLASS) and the FBI’s internal National Crime Information Center Known or Suspected Terrorist File.
Two of those lists, both entirely subsets of the TSDB, are used by the U.S. Transportation Security Administration (TSA) for passenger prescreening: the federal no-fly list, consisting of individuals barred from U.S. air travel, and the selectee list, which includes persons required to undergo secondary screening before they are permitted to board an airplane departing from or planning to land in the United States. It is this list that sometimes results in confusion when more than one person has the same name; in those cases, sometimes innocent travelers are kept off planes.
Placement of an individual on the TSDB and no-fly and selectee lists requires satisfaction of specific criteria. Testifying before the House Judiciary Committee after the Abdulmutallab incident, Russell Travers, deputy director of the NCTC for information sharing and knowledge development, explained that nominees must meet a standard of “reasonable suspicion” for inclusion on the TSDB. Further, TSC criteria state that “individuals described as militants, extremists, jihadists, etc., should not be nominated without particularized derogatory information.” Regarding the smaller no-fly and selectee lists, Travers testified that “those who only associate with known or suspected terrorists, but have done nothing to support terrorism” are ineligible.
Abdulmutallab’s omission from the list resulted not from a lack of derogatory information but from a failure to connect disparate pieces of information that, once connected, would have kept him off a plane, officials explained.
For air carriers to serve the United States internationally, regulations require that they share passenger name record (PNR) data with the U.S. government. PNR is the basic personal data submitted to passengers’ airlines when they purchase tickets; it varies by airline. The information is in turn used by U.S. intelligence analysts to detect potential threats posed by airline passengers.
There are problems with PNR data. It is unwieldy because of the vastly different collection and storage methods employed by different airlines, and it is subject to usage restrictions by the governments that allow its transfer to the United States, Stewart Baker, former DHS assistant secretary of homeland security for policy, tells Security Management.
Separately, airlines with international flights departing for the United States must provide the government with advanced passenger information (API), also called manifest data. API is the personal data, such as birth date, contained in passports and other official travel documents. The API data, required under the prescreening program called Secure Flight, helps TSA limit instances of false positive no-fly list matches, which were more frequent under the government’s old Computer Assisted Passenger Prescreening System II.
Currently, API for U.S.-bound international flights is collected by another Department of Homeland Security agency, Customs and Border Protection (CBP). That responsibility, however, is scheduled to shift entirely to TSA by the end of this year.
Timing. Time is a critical issue in what stakeholders call “the last mile” before a commercial flight takes off. Carriers are required to provide TSA with API between 72 hours and 30 minutes before an international flight takes off for the United States. Any passengers whose names are on the no-fly list will be prevented from boarding. For international flights into the United States, further manifest screening of the API by CBP while flights are in transit may turn up obstacles to admission for some passengers when their flight lands, such as listing in other diplomatic or law enforcement databases. That was the case with Abdulmutallab, which is why CBP was waiting for him in Detroit on the day that he tried to blow up the plane. Obviously, if a person’s intent is to blow up a plane in transit to the United States, having officials waiting for him on the ground in a U.S. airport isn’t going to prevent the terrorist act, a weakness pointed out by Baker in his book Skating on Stilts.
A separate issue is how often airlines have to check the no-fly list. That was the problem that allowed Shahzad to board the Dubai-bound flight even though his name had been added to the list hours earlier. Airlines were required to check only within 24 hours of a notification of a change. The TSA sent an alert to airlines regarding Shahzad’s addition to the no-fly list at 12:30 p.m. on May 3. Shahzad reserved a ticket for a flight to Pakistan via Dubai at 6:30 p.m. and bought the ticket—with cash—at 7:35 p.m.
Emirates Airlines was not required to check for updates to the no-fly list and run that against their reservations during that time period, and they did not do so. Shahzad boarded the flight. Fortunately, manifest data sent to CBP alerted the agency, which held the plane and took him into custody.
Months after Abdulmutallab’s failed attack, debate persists about whether the 23-year-old Nigerian should have raised clear red flags within the intelligence and law enforcement communities, or whether critics are imposing the unreasonable benefit of hindsight in the case. At least some of those responsible for prescreening accept that it was a failure of the system. Abdulmutallab “should not have stepped on that plane,” NCTC director Michael Leiter told the Senate Commerce Committee. “The counterterrorism system failed, and we are determined to do better.”
While no single piece of intelligence rose above what one stakeholder called “the noise level,” if all those pieces had been properly tied together, they would have painted a picture to keep him off the plane. Together, as John Brennan, assistant to the president for counterterrorism and homeland security said afterward, “there was a threat stream of intelligence.”
Collection of potential intelligence on Abdulmutallab began with one of the United States’ closest allies and closest collaborators in terrorist information sharing: the United Kingdom, where Abdulmutallab studied from 2005 to 2008. During that time MI5, the country’s domestic intelligence agency, assessed Abdulmutallab as one of many Muslim youths in the country who associated with extremists, but the agency determined that he posed no security threat, according to London’s The Times. Then in May of 2009, Abdulmutallab was placed on a U.K. security list after he listed a phony college on a rejected application for a new British visa. Abdulmutallab was banned from future entry to the United Kingdom, but the information was not shared with British counterterrorism officials, because it was not considered a national security issue.
Later at least four more significant pieces of intelligence would fall into the hands of U.S. government officials, but the failure to connect them analytically kept Abdulmutallab out of the TSDB.
According to press reports, British intelligence informed U.S. authorities that an individual named “Umar Farouk” was in contact with expatriate extremist U.S. cleric Anwar al-Awlaki, believed at the time to be in Yemen. That was significant because of al Qaeda in the Arabian Peninsula (AQAP), a terrorist organization based in Yemen that posed a continued threat not only to U.S. interests in that region but also to the U.S. homeland, which the group said it aspired to attack, according to former Office of the Director of National Intelligence (ODNI) Admiral Dennis Blair. Additionally, the U.S. National Security Agency (NSA) intercepted communications indicating that there was an unfolding terrorist plot involving a Nigerian. Then in November of last year, Abdulmutallab’s father visited a U.S. embassy in Nigeria and shared his concern that his son was under the influence of Islamic extremists in Yemen.
Following the meeting with Abdulmutallab’s father, State Department officials took two actions based on his tip. First, they entered his name and related information into the agency’s CLASS database. It was this entry that resulted in CBP agents responding to Detroit Metro Airport with plans to question Abdulmutallab upon his arrival. Second, the embassy issued a cable via the agency’s Visa Viper system relaying the information provided by Abdulmutallab’s father to State Department intelligence and law enforcement officials, as well as NCTC.
In the Visa Viper cable, however, Abdulmutallab’s name was misspelled, which prevented authorities from realizing that Abdulmutallab held a U.S. visa. But for that error, the visa would have been revoked before he could purchase his ticket to the United States. The misspelling issue revealed a deeper problem: that the State Department, and possibly other partner agencies, lack the “smart” search functions common to free commercial Internet search engines like Google, which automatically suggest alternatives to search terms and alternative spellings. Beyond common English misspellings, the technology becomes all the more critical when dealing with transliterations of non-English names and terms, like “Osama bin Laden” and “Usama bin Laden,” or “Hezbollah” and “Hizbollah.”
The data from the Visa Viper cable arrived at NCTC and was entered into TIDE, but analysts did not nominate Abdulmutallab for the TSDB for the very reasons Travers would later share with Congress: His father’s assertion that he was under the influence of Islamic radicals, while highly credible, did not establish reasonable suspicion that he sought to engage in terrorist acts in the view of decision-makers who lacked an analytical connection with the other intelligence.
According to an unclassified summary, an investigation into the Abdulmutallab case by the Senate Intelligence Committee produced a scathing report highlighting 14 specific points of failure in four agencies: the State Department, the FBI, the CIA, and the NSA. Among the points of failure: the CIA did not search certain databases that contained information on Abdulmutallab, and it conducted limited name searches of others that failed to uncover data. Further, the CIA failed to disseminate data about him to other agencies until after the attack.
The NCTC, the committee found, did not conduct enough research to locate information about Abdulmutallab’s growing affiliation with terrorist groups, which should have been discoverable, while FBI analysts were unable to locate relevant reports. As noted, another failure was that the NSA did not nominate Abdulmutallab for TIDE or the TSDB based on the partial data it held on him.
One issue that remains a problem, according to additional comments issued with the report by U.S. Sens. Saxby Chambliss (R-GA) and Richard Burr (R-NC), is that NCTC and CIA analysts must search different databases separately to find potentially related information on individuals and threats.
Perhaps most remarkable in light of post-9-11 reforms that established both NCTC and the ODNI to coordinate intelligence sharing across government: “the committee found that no one agency saw itself as being responsible for tracking and identifying all terrorism threats.”
The Abdulmutallab and Shahzad incidents both led to immediate procedural changes in passenger prescreening and calls for further reforms. For example, the CIA will now disseminate data on suspected extremists and terrorists within 48 hours, review information on individuals from “countries of concern,” expand name traces, and increase the number of analysts focused on Yemen and Africa. The TSA, in the immediate aftermath of the Christmas-Day attempted bombing, expanded physical screening of travelers from specific countries.
In congressional testimony, officials responsible for the TSDB told Congress that changes in the criteria used to decide who should be flagged immediately after the attack led to many more names being placed on the TSDB. Also in response to these incidents, the TSC was ordered to reevaluate criteria for nominations to the TSDB and no-fly and selectee lists.
In addition, the White House counterterrorism advisor—currently Brennan—has been given the authority to adjust the criteria for moving persons already listed in one database, such as TIDE, to another, such as the TSDB, according to an official who spoke to Security Management. For example, individuals between certain ages who have traveled to Yemen might be elevated from TIDE to the TSDB or from the selectee list to the no-fly list.
The White House has called for other changes as well, such as for the State Department to enhance technology for visa management. NCTC was instructed to improve processes for prioritizing and pursuing threat threads.
Analysis. The failures that allowed Abdulmutallab’s plot to proceed were, according to testimony of intelligence officials, matters of capacity, not only in terms of technology, but human analysis.
“In hindsight, the intelligence we had can be assessed with a high degree of confidence to describe Mr. Abdulmutallab as a likely operative of AQAP,” Blair told members of the Senate Homeland Security and Governmental Affairs Committee. “But without making excuses for what we did not do, I think it critical that we at least note the context in which this failure occurred: Each day NCTC receives literally thousands of pieces of intelligence information from around the world, reviews literally thousands of different names, and places more than 350 people a day on the watch list—virtually all based on far more damning information than that associated with Mr. Abdulmutallab prior to Christmas Day. Although we must and will do better, we must also recognize that not all of the pieces rise above the noise level.”
Senate investigators likewise noted frequent comments from their sources that the Abdulmutallab data “was among thousands of other intelligence reports and that other terrorist threats were assessed to be more pressing at the time.” One policy change since Christmas Day: analysts and officials can subjectively weigh the credibility of sources as a factor in assessing intelligence and deciding whether to submit a name to the TSDB.
Travers and others noted that agencies’ capacity to chase down threat threads—including those that might not immediately present themselves as critical—was also limited by the number of analysts on their respective staffs. Added staffing requires funding from Congress, and lawmakers indicated that they would review the effect of procedural improvements made since Christmas Day before pursuing legislative or spending remedies.
Technology. Government officials and database management experts like Jeff Jonas of IBM have cited the need for wider implementation of “smart” databases that provide automated feedback. For example, with such a capability, the State Department’s entry into its CLASS database could have automatically alerted the agency that Abdulmutallab held a U.S. visa. With such a system, accurate entry of the tip from Abdulmutallab’s father might have correlated its data—name, nationality, country of association, and state of mind—with existing, but “undiscovered” intelligence about Abdulmutallab. Specifically, the Senate committee has recommended development of technology that can automatically weigh threat threads by severity, prioritizing them for analysts’ attention. These capabilities may be a long way off.
Another problem is that a traditional government database search requires a separate login for each search: one based on a single name or other fact—not, for example, repeated human trial-and-error “fuzzy” logic searches based on different transliterations of names or data configuration.
Some progress has been made. For example, a 2008 report by the House Science and Technology Committee found ongoing problems with NCTC’s IT system, called Railhead—including a lack of capacity to conduct Boolean database searches, such as “black AND white OR red BUT NOT blue.” Now, however, NCTC has that capability, as well as intuitive search algorithms that consider misspellings and transliterations, according to an official familiar with the watch-listing process. NCTC’s system also employs “persistent search,” with which an analyst can set a search to continuously search for a certain factor to appear in a database, according to an intelligence official familiar with the process.
A counterterrorism official familiar with the search capabilities of the TSC, which falls under the FBI, said that agents and analysts there also have both advanced search capabilities. The official emphasized that those capabilities are just tools, and human “eyes-on” analysis is necessary to determine whether a threat “rises up out of the noise level.”
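The misspelled name in the Visa Viper cable and the misspelling- and transliteration-aware search described above come down to the same matching problem. The sketch below is an added illustration, not code from any agency system or from the article: the vowel folding, the 10 percent tolerance, the sample list, and the misspelled and unrelated query names are all assumptions constructed for the example.

```python
import unicodedata

# Constructed sample list for illustration; the names are the ones the article uses.
WATCH_LIST = ["Osama bin Laden", "Hezbollah", "Umar Farouk Abdulmutallab"]

# Assumed folding of vowels that vary between transliterations (o/u, e/i).
_FOLD = str.maketrans({"o": "u", "e": "i"})


def normalize(name):
    """Lowercase, strip diacritics and punctuation, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    letters = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalpha() else " " for c in letters.lower())
    return " ".join(cleaned.split())


def skeleton(name):
    """Fold interchangeable vowels and doubled letters into one comparison key."""
    out = []
    for ch in normalize(name).translate(_FOLD):
        if not out or out[-1] != ch:
            out.append(ch)
    return "".join(out)


def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exact_lookup(query, names=WATCH_LIST):
    """The brittle baseline: a character-for-character comparison."""
    return [n for n in names if n == query]


def fuzzy_lookup(query, names=WATCH_LIST, tolerance=0.1):
    """Return (name, distance) candidates for analyst review, closest first."""
    q = skeleton(query)
    hits = []
    for n in names:
        s = skeleton(n)
        limit = max(1, int(tolerance * max(len(q), len(s))))
        d = edit_distance(q, s)
        if d <= limit:
            hits.append((n, d))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    # "Abdulmutalib" is a constructed misspelling, not the one in the cable.
    for q in ["Usama bin Laden", "Hizbollah", "Umar Farouk Abdulmutalib", "Maria Gonzalez"]:
        print(q, "| exact:", exact_lookup(q), "| fuzzy:", fuzzy_lookup(q))
```

A looser tolerance catches more variants but also produces more of the false-positive matches the article describes, so the output is a candidate list for human review rather than a decision.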
Interoperability. With current technology, the kind of smart database management system experts envision is not difficult to create—from scratch. But the difficulty for the government’s interagency operations is that they are not starting from scratch, and like two merging businesses, they have to find a means of establishing interoperability between different databases, often written in different programming languages, which is more challenging, says Kyle D. Lutes, an associate professor of computer and information technology at Indiana’s Purdue University.
Lutes speculates, however, that the real impediment to solving the problem has nothing to do with technological issues and everything to do with bureaucracy and the human factor. “It’s not that the job is difficult—it’s how do you design the system when everybody has a different idea of how it should be done.”
Timeliness. Beyond the issue of the overall collection and analysis of intelligence data is the question, as noted, of the timeliness of watch-list data that airlines use to decide who to allow onto a plane. Addressing that problem, while complicated, is somewhat simpler than fixing the database interoperability issue. Following Shahzad’s arrest, the TSA required that airlines check watch-list updates within two hours of receiving TSA notifications of updates. Sen. Dianne Feinstein (D-CA), chair of the Senate Intelligence Committee, has introduced legislation that would require airlines to check watch lists within 30 minutes.
Moreover, under Secure Flight, TSA is expected to have earlier access to TIDE for more detailed prescreening information where passengers originate from, or have passed through, regions that are rated high risk.
As several politicians and pundits have noted, the real reason disaster was averted in both the Abdulmutallab and Shahzad incidents was sheer luck. And no one wants that to be the basis of the country’s homeland security. “We cannot depend on dumb luck, incompetent terrorists, and alert citizens to keep our families safe,” noted Senator Kit Bond (R-MO). “It is critical we make changes to prevent these types of intelligence failures in the future.”
Joseph Straw is an assistant editor at Security Management.