Better Breach Tracking Needed
Print Issue: October 2012
After a rash of security breaches occurred at Newark Liberty International Airport from early 2010 to early 2011, including six in less than two months, Sen. Frank Lautenberg (D-NJ) requested an investigation. The resulting report from the Department of Homeland Security’s (DHS) Office of Inspector General (OIG) revealed that the problem was much larger than one airport. It found that the Transportation Security Administration (TSA) didn’t have a process in place for ensuring that breaches were consistently reported, tracked, and corrected, or any system for learning from its mistakes.
“TSA does not have a comprehensive oversight program in place to gather information about all security breaches and therefore cannot use the information to monitor trends or make general improvements to security,” concluded the report. “As a result, it does not have a complete understanding of breaches occurring at the Nation’s airports and misses opportunities to strengthen aviation security.”
Findings were based on visits to six airports; they were not named in the public version of the report. Investigators determined that TSA staff at these airports did not report all security breaches through the agency’s Performance and Results Information System (PARIS), which is the system through which staff is supposed to record and track all security incidents that take place.
According to the report, the airports studied used PARIS to document only 42 percent of the security breaches that occurred over a 17-month period. This failure to report security breaches, according to DHS OIG, jeopardizes TSA’s ability “to detect security vulnerabilities and identify trends among airports nationwide.”
It also undermines the agency’s chances of connecting the dots of something potentially more threatening because the agency’s Transportation Security Operations Center (TSOC) uses the PARIS database to “identify events occurring at disparate locations throughout the U.S. transportation system that could represent an orchestrated attempt to defeat or circumvent security protocols.”
The OIG did not blame the local TSA officials at the airports for the problem. Instead, it pointed the finger at the federal TSA leadership for not providing adequate guidance to airports regarding how they should identify and report breaches. The report notes that inconsistencies have occurred because TSA has 33 different kinds of security incidents, one of which is specifically labeled “security breach.”
Confusion reigns. For instance, investigators found that an improper bag hand-off was recorded in the category of “sterile area access event” at one airport, but four similar incidents were recorded in the category of “security breach” at another airport. These inconsistencies are magnified because the definition of the category of “security breach” is vague.
Peter Boynton, codirector of the George J. Kostas Research Institute for Homeland Security at Northeastern University, said the ambiguities identified by DHS OIG existed when he was the federal security director at Connecticut’s Bradley International Airport between 2007 and 2009.
“If you put three reasonable people in the room, they might all come up with a different way to enter [a security incident] into PARIS based on the guidelines, and none of them would be wrong, but they would all be different,” he explains.
TSA officials use these reports to determine whether they need to adjust their security posture, says Erroll Southers, managing director of counter-terrorism and infrastructure protection at TAL Global and the former chief of homeland security and intelligence at Los Angeles International Airport. So if the categories are confusing, that’s a problem.
Boynton agrees, adding that accurate breach reporting allows TSA to identify those airports that experience more or less than the baseline number of breaches and learn lessons from each. In addition, if TSA knows which types of breaches are most common at airports nationwide, it can direct scarce research and development dollars to those issues.
Another area of concern was the failure of airport TSA officials to take corrective action after breaches were reported. At the six airports reviewed, investigators determined that corrective actions were only taken 53 percent of the time. At Newark, corrective action was taken only 42 percent of the time, although the report notes that the airport improved within the time frame of the study. Possible corrective actions range from training to suspension to reconfiguring the screening checkpoint.
Again, rather than blame local staff, the DHS OIG faulted the federal agency itself for not doing more to watch over its employees at U.S. airports. Investigators also reported that TSA could not provide evidence that it looks over the information submitted to PARIS to double check the information’s accuracy.
In a public statement, Lautenberg described the findings as a “gaping hole in our airport security systems. The OIG report recommended that TSA clarify what constitutes a security breach as well as develop a comprehensive oversight program to ensure that security breaches are reported and corrective action is taken.
Bill Hillburg, acting director of public affairs at DHS OIG, says TSA concurs, and he expects the agency to make the necessary corrections.