[House Hearing, 112 Congress]
[From the U.S. Government Printing Office]
ACCESS CONTROL POINT BREACHES AT OUR NATION'S AIRPORTS: ANOMALIES OR
SYSTEMIC FAILURES?
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TRANSPORTATION SECURITY
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
SECOND SESSION
__________
MAY 16, 2012
__________
Serial No. 112-91
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PRINTING OFFICE
78-151 PDF WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop SSOP, Washington, DC
20402-0001
COMMITTEE ON HOMELAND SECURITY
Peter T. King, New York, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Daniel E. Lungren, California Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Michael T. McCaul, Texas Henry Cuellar, Texas
Gus M. Bilirakis, Florida Yvette D. Clarke, New York
Paul C. Broun, Georgia Laura Richardson, California
Candice S. Miller, Michigan Danny K. Davis, Illinois
Tim Walberg, Michigan Brian Higgins, New York
Chip Cravaack, Minnesota Cedric L. Richmond, Louisiana
Joe Walsh, Illinois Hansen Clarke, Michigan
Patrick Meehan, Pennsylvania William R. Keating, Massachusetts
Ben Quayle, Arizona Kathleen C. Hochul, New York
Scott Rigell, Virginia Janice Hahn, California
Billy Long, Missouri Vacancy
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Blake Farenthold, Texas
Robert L. Turner, New York
Michael J. Russell, Staff Director/Chief Counsel
Kerry Ann Watkins, Senior Policy Director
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON TRANSPORTATION SECURITY
Mike Rogers, Alabama, Chairman
Daniel E. Lungren, California Sheila Jackson Lee, Texas
Tim Walberg, Michigan Danny K. Davis, Illinois
Chip Cravaack, Minnesota Cedric L. Richmond, Louisiana
Joe Walsh, Illinois, Vice Chair Vacancy
Robert L. Turner, New York Bennie G. Thompson, Mississippi
Peter T. King, New York (Ex (Ex Officio)
Officio)
Amanda Parikh, Staff Director
Natalie Nixon, Deputy Chief Clerk
Vacant, Minority Subcommittee Lead
C O N T E N T S
----------
Page
STATEMENTS
The Honorable Mike Rogers, a Representative in Congress From the
State of Alabama, and Chairman, Subcommittee on Transportation
Security....................................................... 1
The Honorable Sheila Jackson Lee, a Representative in Congress
From the State of Texas, and Ranking Member, Subcommittee on
Transportation Security........................................ 12
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security.............................................. 2
WITNESSES
Panel I
Mr. John P. Sammon, Assistant Administrator, Office of Security
Policy and Industry Engagement, Transportation Security
Administration:
Oral Statement................................................. 3
Prepared Statement............................................. 5
Mr. Charles K. Edwards, Acting Inspector General, Department of
Homeland Security:
Oral Statement................................................. 7
Prepared Statement............................................. 8
Panel II
Mr. Mark Crosby, Chief of Public Safety and Security, Portland
International Airport, Testifying on Behalf of The American
Association of Airport Executives:
Oral Statement................................................. 33
Prepared Statement............................................. 35
Mr. Sean P. Cassidy, First Vice President, Air Line Pilots
Association, International:
Oral Statement................................................. 39
Prepared Statement............................................. 41
Mr. William H. Swift, Chairman, Airport Minority Advisory
Council:
Oral Statement................................................. 45
Prepared Statement............................................. 47
ACCESS CONTROL POINT BREACHES AT OUR NATION'S AIRPORTS: ANOMALIES OR
SYSTEMIC FAILURES?
----------
Wednesday, May 16, 2012
U.S. House of Representatives,
Subcommittee on Transportation Security,
Committee on Homeland Security,
Washington, DC.
The subcommittee met, pursuant to call, at 10:03 a.m., in
Room 311, Cannon House Office Building, Hon. Mike Rogers
[Chairman of the subcommittee] presiding.
Present: Representatives Rogers, Lungren, Walberg,
Cravaack, Turner, Jackson Lee, Thompson, Davis, and Richmond.
Mr. Rogers. The Committee on Homeland Security,
Subcommittee on Transportation Security will come to order. The
committee is meeting today to receive testimony on secure area
access control points at our Nation's airports.
I would like to welcome everybody to this hearing and thank
our witnesses. We look forward to your testimony and greatly
appreciate the time and effort that you had to put into
preparing for these hearings.
Securing our Nation's aviation system requires 100 percent
accuracy. Our enemies could exploit any weaknesses in the
system.
The many reports of security breaches and unauthorized
access to the tarmac are extremely troubling and continue to
underscore the need to strengthen our access controls.
We must make certain that the billions of taxpayer dollars
we spend screening passengers is not wasted if systematic
vulnerabilities exist through the back doors of our airports
that could lead to attack.
I look forward to questioning TSA and its partners about
the measures in place to not only physically protect our
airports, but also to ensure that employees with sterile-area
access have been thoroughly vetted and do not pose a threat.
A secure airport requires the coordination and cooperation
of a range of stakeholders. When a breach occurs, it is
incumbent on both TSA and its partners to evaluate what went
wrong and take immediate steps to mitigate or eliminate the
vulnerability.
What concerns me is that we had such a large number of
breaches occurring, it is hard to believe that these do not
reflect some larger systematic problem.
In October 2011, a local news station in Atlanta
investigated the access control procedures at Atlanta
International Airport after a whistleblower contacted the
station.
The whistleblower, an employee of an airline catering
company, was able to capture on video a company employee
swiping his badge to let another person in a secure area,
allegedly without that person having the necessary credentials
to pass through.
The video also revealed that an employee was able to put
unauthorized juice containers onto several carts as inspectors
from the company responsible for inspecting all food containers
loaded onto an aircraft, stood nearby without doing anything.
The Aviation and Security Transportation Security Act
requires all supplies put on an airplane to be sealed to ensure
easy visual detection of tampering. However, the video showed
rows of unsealed catering carts on the dock and in trucks
waiting to be loaded onto flights.
While we can all hope that this is an isolated incident at
Atlanta Airport, this is more than likely indicative of a
broader, more pervasive problem affecting airports Nation-wide.
In another recent case, a civilian vehicle crashed through
an airport gate and drove onto a taxiway near a busy runway at
Philadelphia International Airport. According to sources, the
vehicle drove past a Philadelphia police officer in a patrol
car and two airport employees.
Thankfully in these two examples there was no harm done.
However, we may not always be so lucky. With a huge financial
cost to taxpayers, we frankly expect better from TSA and others
who are responsible for securing our aviation system.
Finally, I cannot stress enough how disturbing it is that
DHS and the Office of the Inspector General reported just this
week that over half of all security breaches that occur at
airports are never properly reported to TSA headquarters. In
addition, only half of all incidents result in some corrective
action.
Mr. Sammon, these are sobering findings.
I am eager to receive testimony today from the acting DHS
IG about the report and the recommendations that TSA will need
to address going forward.
With that I now recognize the Ranking Member of the full
committee, the gentleman from Mississippi, for any opening
statement he may have.
Mr. Thompson. Thank you very much, Mr. Chairman.
No agency in the Federal Government has a more central role
in securing our aviation system than TSA. Accordingly, it is
essential that TSA have the necessary processes and protocols
in place to secure our aviation systems.
These processes and protocols must include ensuring the
integrity of airport perimeters by securing access controls and
providing comprehensive and sufficient guidance to airport
operators.
In March, the media reported on an individual who drove a
truck onto the runway at the Philadelphia Airport. Last year,
we learned of the tragic case of a young man who breached the
airport perimeter and became a stowaway in a wheel well of a
plane.
While none of these people involved in these cases had any
terrorist intentions, each case should have been put on notice
that the grounds surrounding the airport must be considered in
airport vulnerability assessments.
To accomplish that, TSA must establish a single
comprehensive definition of what constitutes a security breach.
Failing to establish such a definition leads to inconsistent
and subjective reporting.
Without a clear understanding of the types of breaches
occurring at our airports, TSA cannot make any reasonable
conclusions about the kinds of security enhancements that
should be broadly implemented. But in a system of layered
security, perimeter security must be complemented with other
measures.
An equally important component of layered security
environment is ensuring that only properly vetted people can
gain access to the secured areas of the airport and access to
aircraft and field operations. The vetting process should not
be a burden to individuals or businesses, but it must enhance
the security of the airport.
I look forward to hearing from our second panel of
witnesses on how TSA's vetting process is working today.
Mr. Chairman, thank you for holding this hearing, and I
yield back.
Mr. Rogers. I thank the gentleman.
Other Members of the committee are reminded that opening
statements may be submitted for the record.
We are pleased today to have several distinguished
witnesses before us on this important topic. Let me remind the
witnesses that their entire written statements will appear in
the record.
Our first witness, Mr. John Sammon, currently serves as
assistant administrator for the Office of Security Policy and
Industry Engagement at TSA. We appreciate Mr. Sammon for
appearing once again before this committee.
The Chairman now recognizes Mr. Sammon for his opening
statement.
STATEMENT OF JOHN P. SAMMON, ASSISTANT ADMINISTRATOR, OFFICE OF
SECURITY POLICY AND INDUSTRY ENGAGEMENT, TRANSPORTATION
SECURITY ADMINISTRATION
Mr. Sammon. Good morning Chairman Rogers, and Mr. Thompson,
and the distinguished Members of the subcommittee. I appreciate
the opportunity to appear before you today to discuss the
Transportation Security Administration's responsibility
regarding access control at U.S. commercial airports.
Every airport and airline has a security plan of which
access control is an important piece. While TSA is responsible
for approving the plan and inspecting airport compliance with
the plan, airport authorities and airlines are responsible for
carrying out the plan.
TSA sets standards, conducts inspections associated with
access control including badging, perimeter security, and
testing of access control processes at airports.
TSA analyzes the results of these inspections and
assessments to develop mitigation strategies that enhance an
airport security posture and to determine if any changes are
needed. Every commercial airport receives an annual security
inspection to include an assessment of perimeter and access
controls.
While the current badging process was put in quickly after
9/11 thanks to the work of AAAE, TSA, and the Nation's
airports, TSA issued security directive 1542-08G in 2009 to
address a number of badging process deficiencies to include
identity verification and work authorization, document
authentication, standardized 2-year badge renewal requirements,
requirements to return and reactivate expired badges,
recordkeeping requirements, documentation requirements for
naturalized and non-U.S. citizens, enrollment process audits,
and expanded the covered populations.
While that directive improved the badging process, TSA has
written a regulation called the Universal Rule that addresses
many of the gaps left by that security directive, and also
concerns that have been raised by the DHS inspector general.
Specifically that rule will provide for trusted enrollment
agents to identify verification and document inspection and
collection; more uniform, more stringent, and recurrent
training for enrollment agents; one uniform enrollment process;
data that will be entered directly into the TSA system for
adjudication; TSA up-front edits for completeness and accuracy
of data; identity documents scanning the TSA; identity
documents verification by TSA; criminal history records check
every 5 years which is consistent with other Federal background
checks; strengthen ID verification and immigration standards,
including documentary evidence of U.S. citizenship.
It will be a person-centric versus an airport-centric
system--enroll once and use many times in different fields.
Instant access to the data by TSA inspectors, and it will be
much more enforceable than what we have today.
That rule is currently being reviewed within the
administration, and we hope to issue it for comments later this
year. In the mean time, TSA will be stepping up inspection
efforts to close gaps in existing process.
In terms of breaches, the DHS inspector general recently
released a report on airport breaches. That report had two
recommendations.
The first was to define and use one comprehensive
definition of what constitutes a security breach, and ensure
the guidance is clearly understood and used throughout the
agency. The second recommendation was to develop a
comprehensive oversight program for reporting and corrective
actions.
TSA concurred with the recommendations, and the inspector
general found that TSA's planned actions sufficiently addressed
the two recommendations in this report.
TSA's goal is to work with airport authorities and airlines
in our shared responsibilities to stay ahead of evolving
terrorist threats while protecting passengers' privacy and
facilitating the efficient flow of travelers and legitimate
commerce.
TSA's airport control initiatives are one part of that
comprehensive effort.
I want to thank the committee for the opportunity to
discuss this important issue. I am pleased to answer any
questions you may have.
[The statement of Mr. Sammon follows:]
Prepared Statement of John P. Sammon
May 16, 2012
Good afternoon Chairman Rogers and Ranking Member Jackson Lee and
distinguished Members of the subcommittee. Thank you for the
opportunity to testify today about the Transportation Security
Administration's (TSA) successes and challenges in developing and
implementing a comprehensive risk-based approach to secure our Nation's
transportation systems, including the management of airport access
controls. In 2011, the Transportation Security Administration's 50,000
Transportation Security Officers screened more than 603 million
passengers at 450 airports across the country and stopped more than
125,000 prohibited items at airport checkpoints. Of those items, more
than 1,300 were firearms.
TSA employs risk-based, intelligence-driven operations to prevent
terrorist attacks and to reduce the vulnerability of the Nation's
transportation system to terrorism. TSA protects the Nation's
transportation systems to ensure freedom of movement for people and
commerce. TSA's security measures create a multi-layered system of
transportation security that mitigates risk. In partnership with
airport operators, airlines and local law enforcement agencies, TSA
secures our Nation's commercial airports through a variety of programs
that create layers of security. These measures include a focus on
preventing and detecting the unauthorized entry, presence, and movement
of individuals and ground vehicles into and within the Airport
Operations Areas (AOA) and the secured area of an airport.
risk-based security
TSA is committed to focusing resources on higher-risk aviation
passengers, while speeding the travel of lower-risk populations, and we
have made significant progress transforming TSA's approach to aviation
security away from a one-size-fits-all paradigm. We continue to evolve
our security approach by examining the procedures and technologies we
use, how specific security procedures are carried out, and how
screening is conducted.
TSA's risk-based and intelligence-driven Security Playbook program
strengthens the transportation security environment by increasing
unpredictability and providing additional layers of security. This
program employs security measures at direct access points and airport
perimeters and uses a variety of resources and equipment to conduct
screening of individuals and vehicles entering the AOA. Examples of the
security measures that may be employed at direct access points and
airport perimeters include: Vehicles inspections, explosive trace
detection (EDT) of individuals and property, enhanced screening,
accessible property searches, and ID/media verifications, as well as
behavior detection.
Following are some of the concrete steps we have taken to implement
key components of the agency's intelligence-driven, risk-based approach
to security, advancing the agency toward the ultimate goal of becoming
a high performing counterterrorism agency that provides the most
effective security in the most efficient way possible.
known crewmember
We hold airline pilots responsible for the safety of the traveling
public every time they fly a plane. It makes sense to treat them as our
trusted partners. To build on our risk-based approach to security, we
are currently conducting a pilot where TSA security officers positively
verify the identity and employment status of airplane pilots, which
enables the pilots to receive expedited access through the checkpoint.
The Known Crewmember program is the result of a collaborative effort
between the airline industry, pilots, and TSA, which currently allows
uniformed pilots from 28 airlines in ten airports to show two forms of
identification. After evaluating operational data from ten airports,
and through much discussion with industry representatives, we are
planning to expand the Known Crewmember solution to more airports this
calendar year.
tsa precheck expedited passenger screening
Perhaps the most widely known risk-based security enhancement we
are putting in place is TSA PreCheckTM. Since first
implementing this initiative in the fall of 2011, the program has been
expanded to 14 airports and over 1,000,000 passengers around the
country have experienced expedited security screening through TSA
PreCheckTM.
Under TSA PreCheckTM, travelers volunteer information
about themselves prior to flying. TSA pre-screens TSA
PreCheckTM passengers each time they fly through
participating airports. If the indicator embedded in their boarding
pass reflects eligibility for expedited screening, the passenger is
able to use the TSA PreCheckTM lane. TSA
PreCheckTM travelers are able to divest fewer items, which
may include leaving on their shoes, jacket, and light outerwear, and
may enjoy other modifications to the standard screening process. As
always, TSA continues to incorporate random and unpredictable security
measures throughout the security process, and at no point are TSA
PreCheckTM travelers guaranteed expedited screening.
Currently, eligible participants include certain frequent flyers
from Alaska Airlines, American Airlines, and Delta Air Lines, as well
as existing U.S. citizen members of U.S. Customs and Border
Protection's (CBP) trusted traveler programs, such as Global Entry,
flying domestically on participating airlines. TSA is actively working
with other major air carriers to expand both the number of
participating airlines and the number of airports where expedited
screening through TSA PreCheckTM is provided. In February
2012, Secretary Napolitano and TSA Administrator Pistole announced the
goal to have TSA PreCheckTM rolled out and operating at 35
of the busiest domestic airports by the end of 2012.
TSA has expanded the TSA PreCheckTM population to
include active duty U.S. Armed Forces members with a Common Access Card
(CAC) traveling out of Ronald Reagan Washington National Airport.
Similar to other PreCheckTM travelers, service members
always undergo the standard TSA Secure Flight pre-screening. If we are
also able to verify the service member is in good standing with the
Department of Defense, by scanning their CAC card at the airport, they
will receive TSA PreCheckTM expedited screening benefits.
credential authentication technology/boarding pass scanning system
TSA is also employing technology to automatically verify boarding
passes, and provide TSA with a greater ability to identify altered or
fraudulent passenger identification documents. This technology, known
as Credential Authentication Technology--Boarding Pass Scanning Systems
(CAT-BPSS), will eventually replace the current procedure used by
security officers to detect fraudulent or altered documents. CAT-BPSS
enhances security and increases efficiency by automatically comparing a
passenger's ID and boarding pass to a set of security features to
concurrently seek to identify indicators of fraud and ensure that the
information on both documents match. The system can screen a wide range
of travel documents. TSA began testing the technology in July 2011 and
has begun evaluations at select airports.
strengthening access control
Effective access control at our Nation's airports is vital to
ensure the safety of the traveling public. The regulatory compliance
inspector workforce routinely conducts access control tests as directed
by the National compliance work plan. Access control procedures are
reviewed and tested at all areas where access may be gained to non-
public areas of the airport to include the air operations area and the
Secure Identification Display Area (SIDA)/Secure areas. Access control
measures can range from simple lock and key control to biometric
devices that may require a scan of your fingerprint or iris to make
positive identification of individuals trying to gain entry into the
secure airport environment. Inspectors use different methods to try and
defeat or compromise various access control devices as part of their
regular duties. If any weaknesses are discovered, they are communicated
to the airport operator immediately so that corrective measures can be
implemented.
TSA also conducts on-going and comprehensive airport inspections to
enhance security and mitigate risk associated with access control and
perimeter integrity, including Joint Vulnerability Assessments, Special
Emphasis Inspections, and the testing of access control processes at
airports. TSA analyzes the results of these inspections and assessments
to develop mitigation strategies that enhance an airport's security
posture, and to determine if any changes are required. TSA also works
in collaboration with airport operators to identify effective best
practices across the industry regarding access control and perimeter
security.
conclusion
Thank you for the opportunity to appear before you today to discuss
TSA's efforts in securing our Nation's transportation system in the
most effective and efficient manner possible.
Mr. Rogers. Thank you, Mr. Sammon, for your testimony. We
appreciate you being here today.
Our second witness is Mr. Charles Edwards. He is the acting
inspector general of the Department of Homeland Security.
Mr. Edwards has appeared before this subcommittee on a
range of important topics, and the Chairman now recognizes him
for his opening statement.
STATEMENT OF CHARLES K. EDWARDS, ACTING INSPECTOR GENERAL,
DEPARTMENT OF HOMELAND SECURITY
Mr. Edwards. Good morning, Chairman Rogers, Ranking Member
Jackson Lee, Ranking Member Thompson, and Members of the
subcommittee.
Thank you for inviting me to testify today regarding access
controls at our Nation's airports. I will present the results
of three audits we have conducted in the past year on this
topic.
We looked at TSA's oversight of the process for determining
whether an individual may be issued a badge granting unescorted
access to secure areas of an airport, TSA's oversight of
physical access controls at airports, and third, we looked at
TSA's oversight of the reporting and collection of information
about security breaches at individual airports.
We found that TSA's oversight of the process for screening
employees, prior to giving them an access or security badge,
did not ensure that the employees are fully screened. We
analyzed data from 359 airport badging officers and identified
badge holder records with omissions or inaccuracies pertaining
to security threat assessment status, birth dates, and birth
places.
For example, our analysis identified an individual with
badges issued at three airports. Each badge showed a different
birthplace.
We believe these problems exist because TSA's oversight of
the process does not ensure the airports use sufficient quality
assurance measures, such as checking the applications and data
entry for accuracy and completeness, or provides sufficient
training and tools to badge office employees.
TSA also does not require its own transportation security
inspectors to verify the badge holder data during the review of
airports.
We did identify several airports with best practices in the
badging review process. We have provided details of those
practices to TSA to share with all airports across the country.
TSA also does not require airports to conduct a recurring
criminal history records check of current security badge
holders. Passing an initial criminal history check does not
preclude employees from engaging in subsequent criminal
activity and presenting an insider threat.
For example in 2007, it was discovered that a customer
service officer with no prior record had agreed to smuggle
money and illegally export weapons and military equipment to a
foreign country.
TSA concurred with five of our recommendations from this
audit, and concurred in part with an additional recommendation.
In a separate audit we conducted covert testing to
determine if unauthorized individuals could gain access to
secured airport areas. Our audit identified areas of concern.
However, the detailed results of our tests are classified.
We have shared the classified results with this and other
appropriate Congressional committees, TSA staff, and Department
officials.
The third audit looked at TSA's ability to identify and
track security breaches. For the purposes of the audit, we
identified an airport security breach as an individual gaining
access to an unauthorized area without submitting to all
screening, inspections, and detection according to TSA's
standard operating procedures.
For example, a person sticking to an exit lane to get
around a checkpoint would be considered a security breach. Some
of the results of our testing have been designated sensitive
security information and cannot be included in this testimony.
It can be stated, however, that even though TSA has several
programs to report and track identified security breaches, it
does not have a comprehensive oversight program to gather
information about all security breaches at airports across the
Nation, and therefore cannot use the information monitor trends
or make improvements.
TSA does not provide needed guidance and oversight to
ensure that all breaches are consistently reported, tracked,
and corrected. We determined that only 42 percent of the
security breaches be reviewed in individual airport files but
reported to TSA's official records.
For example, a person entered through a security gate with
a handwritten boarding pass, but was not reported TSA's
official records as a security breach incident. Further, our
review of airport records identified corrective actions being
taken for only 53 percent of the security breaches in airport
files.
We made two recommendations. TSA concurred with both and
started taking action to implement them.
In conclusion, despite the billions of dollars spent on
multiple layers of aviation security since September 11, 2001,
issues remain. Our recent reports have included best practices
and recommendations to address those vulnerabilities.
TSA has agreed to make changes to improve the effectiveness
of its efforts to protect the traveling public.
Mr. Chairman, this concludes my prepared remarks. I thank
you again for the opportunity to testify before this committee.
[The statement of Mr. Edwards follows:]
Prepared Statement of Charles K. Edwards
May 16, 2012
Good morning Chairman Rogers, Ranking Member Jackson Lee, and
Members of the subcommittee: I am Charles Edwards, Acting Inspector
General for the Department of Homeland Security (DHS) Office of
Inspector General (OIG). Thank you for inviting me to testify today
about the results of our audits regarding the Transportation Security
Administration's (TSA) access controls at our Nation's airports. Since
the events of September 11, 2001, TSA has spent billions of dollars on
multiple layers of aviation security and relies on those layers of
security to ensure the safety of the traveling public.
My testimony today will present the results of three recent audits
of aspects of TSA's oversight of security at our Nation's airports.\1\
Specifically, I will address TSA's oversight of the process to vet
airport, or airport vendor, employees prior to giving them badges that
allow unescorted access to secure areas; TSA's oversight of airports'
physical access controls; and last, I will summarize our evaluation of
TSA's collection of security breach information which should be used to
identify and correct potential vulnerabilities.
---------------------------------------------------------------------------
\1\ The information provided in this testimony is contained in the
following reports: TSA's Oversight of the Airport Badging Process Needs
Improvement (OIG-11-95); Covert Testing of Access Controls to Secured
Airport Areas (OIG-12-26); and Transportation Security Administration's
Efforts To Identify and Track Security Breaches at Our Nation's
Airports (OIG-12-80).
---------------------------------------------------------------------------
airport badging process \2\
---------------------------------------------------------------------------
\2\ TSA's Oversight of the Airport Badging Process Needs
Improvement (OIG-11-95).
---------------------------------------------------------------------------
We evaluated TSA's oversight of the process for issuing airport
security badges. These badges allow an individual unescorted access to
secure airport areas, including:
Sterile Area.--A portion of an airport, defined in the
airport security program, that provides passengers access to
boarding aircraft, and to which the access is generally
controlled by TSA through the screening of persons and
property.
Air Operations Area (AOA).--A portion of an airport that
includes aircraft movement areas, loading ramps, and safety
areas for use by aircraft.
Security Identification Display Area (SIDA).--A part of the
AOA regularly used to load cargo on, or unload cargo from an
aircraft. TSA can designate all or portions of the AOA as SIDA.
As of the time of our audit fieldwork, there were approximately
890,000 individuals with 1.2 million active badges that had access to
secure areas of airports.\3\
---------------------------------------------------------------------------
\3\ Employees could have more than one badge if working for
multiple employers at the airport or if working at multiple airports.
---------------------------------------------------------------------------
Applicants for these badges are required to undergo a fingerprint-
based criminal history records check and have an approved security
threat assessment (STA) from TSA before receiving a badge and obtaining
unescorted access to secure airport areas. The STA is accomplished by
comparing an applicant's information against critical data sets to
discern whether the applicant is a threat to transportation or National
security.
TSA relies on designated airport operator employees as trusted
agents to perform the essential functions of the badging process. Their
duties consist of collecting, verifying, and inputting applicant data
used for the STA process and fingerprinting applicants for the Criminal
History Records Check. Airport operator employees are responsible for
ensuring that the badge application is complete with the required
biographical and fingerprint data for the STA. Critical data processed
from the application includes full legal name, date of birth, place of
birth, passport number, and alien registration number. Airports are
responsible for ensuring that badges are issued only to qualified
applicants, and must account for and manage all active and deactivated
badges.
TSA has the statutory responsibility for requiring individuals with
unescorted access to secure areas of the airport to be properly vetted,
or checked. TSA fulfills this responsibility through its Threat
Assessment and Credentialing adjudication service, which completes the
STAs for applicants and provides oversight of the airports' processes
through its Transportation Security Inspectors.
Individuals who pose a threat to airport security may be able to
obtain badges and gain access to secured airport areas. We evaluated a
database of information on active badges at 359 airports. We identified
a number of badges issued with one or more instances of omissions or
inaccuracies of key applicant data used for vetting, such as STA
status, birthdates or birthplaces.\4\ Many of the omissions or
inaccuracies pertained to critical information used for vetting. For
example, one applicant was listed as having three active badges at
three different airports. The applications for this individual
reflected three different places of birth: The United Kingdom, Ukraine,
and the United States. With inaccurate information on place of birth,
TSA was unable to accurately vet the applicant, yet the three airports
issued the requested badges.\5\
---------------------------------------------------------------------------
\4\ The exact number of discrepancies we identified is Security
Sensitive Information and cannot be disclosed in publicly available
documents.
\5\ We followed up on this individual's information. He is a United
States citizen and all three badging application files contained copies
of his passport identifying the United Kingdom as his place of birth.
---------------------------------------------------------------------------
We believe these problems exist because the design and
implementation of TSA's oversight of the application process is
limited. Specifically, the agency did not ensure that airport operators
have quality assurance procedures for the badging application process;
ensure that airport operators provide training and tools to designated
badge office employees; and require its TSA Inspectors to verify the
airport data during their reviews.
Quality assurance.--TSA does not ensure that airport operators have
quality assurance procedures to safeguard the completeness and accuracy
of the vetted data. For example, TSA does not require, and most
airports do not have, different individuals verifying the entry of an
applicant's information into the vetting process. Having separate
individuals verifying the information would likely enhance the
detection of missing or inaccurate information, such as a missing place
of birth or a transposition in a date of birth.
In our audit work, we found an airport that had several procedures
in place that could be considered ``best practices,'' such as
conducting on-site badge audits annually; using a supervisory review
checklist to ensure that at least two agents handle each application;
using equipment to check identification; and using local police to run
criminal investigation checks on badge applicants.
Other best practices include: (1) One airport used daily system-
generated reports to identify and resolve potential problems with
active badge holders; (2) another airport had a Memorandum of
Understanding with U.S. Customs and Border Protection to have the
agency verify all immigration documents before submitting the
information to TSA for vetting; and (3) yet another airport used a
supervisory review checklist to ensure that at least two agents have
reviewed the application for completeness and accuracy.
Training and tools.--In addition to the lack of quality assurance
procedures for gathering and inputting the applicant data, TSA also
does not always ensure that airports are providing their individuals
with proper training and tools. For instance, officials at 12 airports
visited did not know what happens to the data once they enter it. These
officials were unaware of how data entry errors or transposed numbers
related to key identifying elements could create vulnerabilities, be
exploited, and provide the wrong individuals access to secured airport
areas.
TSA also does not ensure airport operator employees are using
available tools while performing their duties. Tools such as
identification document scanners, ultraviolet lights, and loupes
(magnifying lenses) allow employees to more closely inspect a document,
which prevents fraud. At 8 of 12 visited airports, these employees had
tools available to assist in identifying fraudulent documents, but did
not consistently use them. For example, at one airport, there was an
identification scanner available, which reads the magnetic strip on a
driver's license or State-issued ID to display its validity. One
employee admitted to using the scanner only occasionally, but not using
the lights and loupes at all.
Inspectors verify data.--Regarding the inspection process, TSA
Inspectors review the airport badging process during inspections;
however, the limited coverage does not ensure vetting information is
complete and accurate. Inspectors consult TSA's Handbook and the
Performance and Results Information System to use basic questions
provided, along with guidance, which is based on regulatory
requirements from the CFR and TSA Security Directives. The Handbook
does not require Inspectors to verify the information reported to TSA
to identify discrepancies with badging information. It simply indicates
that the Inspector should ensure that proper documentation has been
submitted and returned to the airport operator before an employee is
granted unescorted access to secured areas. TSA also does not require
Inspectors to review any percentage of files; therefore, inspections of
badging office records may be insufficient to determine the airports'
compliance with vetting process requirements.
Additionally, Inspectors do not always have direct access to the
Transportation Security Clearinghouse database and are not required to
compare or cross-reference records. This direct access would not only
enable Inspectors to verify records for approved STAs timely and take
immediate corrective action if necessary, but it would increase
inspection effectiveness and efficiency.
When our audit findings were presented to airport operators, TSA
officials, and Inspectors, more than 100 updates were generated, which
airport operators sent to the Transportation Security Clearinghouse. We
also provided a list of suspect STAs, which prompted Inspectors to take
corrective action at some locations. In fact, Inspectors at one airport
revealed numerous badges issued without accurate or complete vetting
data and immediately revoked access pending an approved STA.
To this end, unless airport operators implement quality assurance
procedures for the badging process, the data integrity and vetting
results will continue to be questionable. TSA needs to also ensure that
airports are providing airport operator employees with the proper
training and tools to perform their assigned duties and
responsibilities. Furthermore, the agency's inspection activities must
be enhanced in order to identify application omissions or inaccuracies
for immediate corrective action.
covert testing of physical access to secure areas of airport \6\
---------------------------------------------------------------------------
\6\ Covert Testing of Access Controls to Secured Airport Areas
(OIG-12-26).
---------------------------------------------------------------------------
We conducted covert testing to determine whether TSA's policies and
procedures prevent unauthorized individuals from gaining access to
secured airport areas. We also identified the extent to which
Transportation Security Officers, airport employees, aircraft
operators, and contractors are complying with related Federal aviation
security requirements. The compilation of the number of tests
conducted, the names of the airports tested, and the quantitative and
qualitative results of our testing are classified, or designated as
Sensitive Security Information. We have shared the information with the
Department, TSA, and appropriate Congressional committees.
We identified access control vulnerabilities at the domestic
airports where we conducted testing. As a result of our testing, we
made six recommendations to TSA. TSA concurred with three
recommendations, partially concurred with two recommendations, and did
not concur with one. TSA continues to conduct significant work in a
number of areas to address our recommendations.
tsa's efforts to identify and track security breaches \7\
---------------------------------------------------------------------------
\7\ Transportation Security Administration's Efforts To Identify
and Track Security Breaches at Our Nation's Airports (OIG-12-80).
---------------------------------------------------------------------------
Based on a request from Senator Frank Lautenberg, we conducted an
audit into the security breaches at Newark Airport reported in the
media. Senator Lautenberg asked the DHS OIG to review the contributing
factors that led to the security breaches, TSA's response to the
breaches, and the general level of security at the airport. He also
requested that we compare the incident rate of breaches at Newark to
other airports in the New Jersey/New York region and comparable
airports Nation-wide, and that we determine whether corrective action
had been taken on the specific security incidents.
Our audit objectives were to determine whether TSA at Newark had
more security breaches than at other airports; and whether TSA has an
effective mechanism to use the information gathered from individual
airports to identify measures that could be used to improve security
Nation-wide.
Some of our results, such as the comparison of the number of
incidents at Newark to other airports, have been designated Sensitive
Security Information and cannot be included in this testimony.
Overall, however, we found that while TSA has several programs and
initiatives that report and track identified security breaches, it does
not have a comprehensive oversight program in place to gather
information about all security breaches and, therefore, cannot use the
information to monitor trends or make general improvements to security.
We determined that only 42 percent of the security breaches we reviewed
in individual airport files were reported in TSA's official record, the
Performance and Results Information System (PARIS)\8\ under any
category. Additionally, the agency does not provide the necessary
guidance and oversight to ensure that all breaches are consistently
reported, tracked, and corrected. Our audit work identified corrective
action being taken for only 53 percent of the breaches we reviewed.
---------------------------------------------------------------------------
\8\ PARIS is TSA's internal reporting system and official record of
a security incident and it contains 33 categories of possible
incidents. In our audit, we focused on incident reports in three PARIS
categories--security breaches, improper/no screening, and sterile area
security events.
---------------------------------------------------------------------------
While there are varying levels and definitions of security
breaches, our audit defined ``security breach'' as an individual or
individuals gaining access to the sterile area, specifically at the
checkpoint or exit lane, without submitting to all screening,
inspections, and detection according to TSA's Standard Operating
Procedures. For instance, a person entering the sterile area by
sneaking through an exit lane without anyone preventing the entry would
be considered a security breach.
Security breaches are documented locally by TSA at each airport,
and TSA staff is required to report security breaches through PARIS and
the Transportation Security Operations Center (TSOC). The TSOC is
expected to use this information to identify events occurring at
disparate locations throughout the U.S. transportation system that
could represent an orchestrated attempt to defeat or circumvent
security protocols. We did not determine or evaluate how the TSOC used
the information about the security breaches we reviewed.
In its response to our audit, TSA reported that it collects
thousands of records of incidents and security breaches occurring at
airports and other transportation facilities. The agency documents and
disseminates the information to the program offices through various
channels of reporting, to include the Transportation Security
Operations Center, the Executive Summary Report, TSA's Management
Controls Program, as well as an Assessment Team that TSA formed in
March 2010.
TSA concurred with both of our recommendations in this audit report
and is taking action to implement the recommendations.
Mr. Chairman, this concludes my prepared remarks. I welcome any
questions that you or the Members of the subcommittee may have.
Mr. Rogers. Thank you, Mr. Edwards. I appreciate that
revealing testimony.
The Chairman now recognizes the Ranking Member, my friend
and colleague from Texas, for her opening statement.
Ms. Jackson Lee. Mr. Chairman, thank you so very much. I
acknowledge the Members of the committee and the Ranking Member
of the full committee.
Mr. Chairman, I have been discussing TSA since early this
morning, and I thank you for your indulgence, as I made my way
back from a discussion on airport security.
This is a very important hearing, and I am delighted to
collaborate with Chairman Rogers and the full committee on
finally getting to this hearing, and particularly hearing both
Mr. Sammon and Mr. Edwards together.
A little over a year ago, under the direction of the
President of the United States, Navy SEALs eliminated the
architect responsible for the most horrific terrorist acts
against this country. Since September 11, we have made
significant progress in securing our transportation system,
particularly our aviation sector.
Particularly, Mr. Sammon, I made it a point earlier in my
discussions that TSA has been a pivotal part of this. Certainly
I consider the officers of TSA, TSOs, a crucial front-line
component to the fact that we have not had a terrorist incident
of catastrophic proportions on our soil.
We all know that airports and aviation--and I would add
mass transit but in this instance aviation--is a keen and
focused target by terrorists tragically, probably yet unborn
where individuals would wish to do the American people, but
even more the American system and way of life, great damage.
We must recognize and proactively address the evolving
nature of the threat to aviation to protect the millions of
people every year who use commercial aviation. I am told that
if we assess the amount of people that TSOs have processed or
that enter airports, it would be billions over the last decade,
billions plus.
In 2011 alone, U.S. Air flew 730 million passengers.
Mr. Chairman, when we discuss aviation security we usually
think of transportation security officers, pilots, flight
attendants, and passengers. However, we must not forget those
who work behind the scenes to ensure that these jets are
properly stocked and maintained.
The mechanics, technicians, and operators play a critical
role in the function of our aviation system. Additionally, we
must not forget about the small businesses that operate at the
airports.
By and large, we know great Americans, individuals who
would have no interest in doing us harm. The men and women who
own, operate, or work at these shops can be a helpful component
to a layered security environment, but we know it takes just
one person to disrupt this system.
The men and women working at our airports and board
aircraft must not only have the proper training to be a part of
this effort, but they must also undergo proper vetting to
ensure that risks are reduced. This is an issue that Nita Lowey
and myself worked on in early years about the ingress and
egress and the access to the airport and, of course, concern
about the perimeter of the airport.
I look forward to hearing from our witnesses today and
gaining a comprehensive understanding of where we stand with
access and control and perimeter security. Earlier this year,
the Philadelphia International Airport was a subject of
discussion after an individual drove through the airport's
metal fence and headed for the runway while a plane was gearing
for landing.
If we take a survey of our airports, we will see that most
of them, unless they are inner city, in city airports, have
perimeters that are unattended, that may be wetlands. They are
quite attractive for intrusion, for piercing.
We have a challenge. We need to address this challenge
head-on.
Frankly, I want to hear today in our question and answers
how TSA plans to address it head-on quickly, expeditiously, and
respond to the assessment made by GAO.
Unfortunately, this is not the first time an incident like
this happened and has threatened passengers at an airport, the
one in Philadelphia.
Just before this particular incident took place, the media
reported that another couple bypassed perimeter security,
headed for the runway at Philadelphia International Airport, I
am sure innocently, but it happened.
Last year, the media reported on a video at Hartsfield
Atlanta Airport that showed back doors being opened to allow
several people through without swiping their badges and gaining
access to catering carts destined to be loaded on flights.
I would say innocent acts, friend helping friend, but it
cannot be tolerated. There must be zero tolerance. We have to
protect the traveling public.
We all recall the infamous shutdown in Newark in 2010. I
led this committee to Newark when that happened, when flight
operations were shut down and thousands of members of the
flying public were inconvenienced for nearly 7 hours.
Operations were halted after a man walked into the sterile
area of the airport, through the exit lane and without being
screened.
These are instances where perimeters and access controls
were breached and caused major disruptions, and shed light on
security vulnerabilities at these airports.
Unfortunately, all relevant examples are far too many to
cite in the 5 minutes allotted to me today, and span across
various commercial airports of all sizes.
I look forward with you, Mr. Chairman, to ensure that we
continue to conduct oversight on perimeter security at our
airports.
As I mentioned to you, I am also interested in looking and
holding a hearing on cabin security as well so that we don't
leave all of our internal airport as a plane is airborne, if
you will, to passenger courage, which we know there are many
courageous passengers.
As you know, Mr. Chairman, I am committed to working with
you to ensure TSA improves its operational capabilities to
manage access controls and perimeter security, and that it is
as effective and cost-efficient as possible.
In addition, I am concerned about the badges, and the
review process for determining the badges, how the badges are
protected, how they are secured, how they are maintained, and
whether or not we have sufficient oversight of the individual
process of providing the badges.
I want to compliment Mr. Thompson for recognizing some
years back of the single focus or single contractor that was
engaged or responsible for providing, assessing, reviewing the
badges for personnel, and to open the door for greater
opportunity for other contractors or providers.
I think that helps the level of security to have more eyes
looking and more technology and more techniques, and so I thank
Mr. Thompson for that.
Before yielding back, Mr. Chairman, I ask unanimous consent
that statements from the Association of Flight Attendants and
the United Steel Workers urging TSA to include flight
attendants in the Known Crewmember Program be inserted for the
record.
I have repeatedly waged this issue and raised this issue,
and waged it as an effort that I hope we can join in a
bipartisan way. But I ask unanimous consent to place these two
letters or statements into the record.
Mr. Rogers. Without objection, so ordered.*
---------------------------------------------------------------------------
* Documents have been retained in committee files.
---------------------------------------------------------------------------
Ms. Jackson Lee. Mr. Chairman, again, this is a very
important hearing. Thank you and I yield back.
Mr. Rogers. I thank the gentlelady and she is right. We
also have perimeter concerns that will be the subject of a
later hearing.
As you know, this hearing was called long before this IG's
report came out. We knew that there were problems with the
access control points, but this was very eye-opening. We didn't
realize that these particular components were problems and that
being the information reporting.
Mr. Sammon, in your opening statement, you made reference
to the fact that you count on the airports to follow your
policies and report. But my understanding from the IG's report
is that these access breaches were reported by TSA local, but
they just never made their way up to big TSA to PARIS for
processing.
Is that not correct? Is there some failure that is not
revealed in the IG's report?
Mr. Sammon. No, no and that is why we have concurred with
the IG's two recommendations in terms of having a consistent
definition. A definition, that in terms of a security breach,
that has to do with immediate danger and security to the
airport itself, as opposed to other definitions of breaches
that have one consistent definition of a breach, and have that
communicated and understood by all people not only within an
airport, but among airports around the country.
So we are looking at one standard definition of what a
breach is----
Mr. Rogers. So----
Mr. Sammon [continuing]. And so that people can understand
that.
Mr. Rogers. So I am understanding that the 58 percent of
breaches that were not reported up to PARIS were viewed by
somebody at the local TSA level as not being a breach by
definition?
Mr. Sammon. That is quite possible, yes.
Mr. Rogers. Okay. Well, let me ask, of the 42 percent that
were reported according to the IG's report, only half of them
had a response made.
Do you have an answer for why that occurred?
Mr. Sammon. Again, I would go back to--with the IG's
recommendations in terms of what we have concurred with them,
and in terms of our plans that we are putting forward in terms
of getting a uniform definition, and developing a comprehensive
oversight program that is being developed right now, the IG has
concurred that those are sufficient requirements in terms of
their recommendations.
These two recommendations are being held open until we
supply the specific documentation and the reports of exactly
what we are going to do and they are holding those two
recommendations open.
Mr. Rogers. Well, it is disturbing that, regardless of
definition used, that 58 percent of breaches are not being
reported up to big TSA in PARIS.
I am really disturbed by the fact that a handwritten
boarding pass was able to get somebody through a checkpoint.
Do you have any explanation as to how that happened?
Mr. Sammon. I don't, but I can get you--if you would like
to put a question for the record, would be happy to get the
specifics on that. I would like to give you a complete answer
on that specific instance.
Mr. Rogers. I have here a directive, a 10-page document,
that TSA has outlined, dated December 16, 2005, on how to
report incidents to PARIS.
I would like to offer this for the record. If there is no
objection, it will be submitted.*
---------------------------------------------------------------------------
* Documents have been retained in committee files.
---------------------------------------------------------------------------
The first thing that I am most concerned about is there is
a recorded document about this. Apparently nobody was--in a
directive that nobody was following or, at least, 58 percent of
the time they weren't following.
Are you saying the definition outlined in your own policy
is not adequate?
Mr. Sammon. Apparently, it was not clear enough. What we
are doing right now is--based upon working with the IG--is
coming up with a clear set of directions and making sure those
directions are understood throughout the airports that TSA
operates in. Yes, sir.
Mr. Rogers. Well, apparently, the definitions were adequate
for the IG to feel like that they were not being followed.
Why is it that 7 years have lapsed since this has been
updated?
Mr. Sammon. I would have to get back to you on that. I
don't know, sir.
Mr. Rogers. Okay.
Mr. Edwards, did you feel like the definition in the TSA's
own policies was adequate for you to discern what were and were
not breaches?
Mr. Edwards. Thank you, Chairman.
Well, there is no set clear definition, you know. Also even
if there is a definition, TSA needs to clearly give guidance on
that and TSA needs to follow through.
Mr. Rogers. So this 10-page directive that TSA has on this
does not have a definition that is adequate in your view?
Mr. Edwards. I have to get back to you on that, Chairman.
Mr. Rogers. Well, how did you come up with the number of 58
percent that were reported if you didn't have a definition?
Mr. Edwards. We didn't, you know. We came up with the
definition.
In my opening statement, I have said, you know, anybody
accessing unauthorized area, either through inspections, or
getting through, that is clearly a breach, you know.
Mr. Rogers. It is not rocket science, is it?
Mr. Edwards. No, sir.
Mr. Rogers. Tell me about this hand-written boarding pass.
What did you find? How did that happen?
How does somebody hand-write a boarding pass and get
through security? What was the explanation that you found in
the records?
Mr. Edwards. It was part of our testing, Chairman. I can
get back to you on details of that. I don't have it here with
me.
Mr. Rogers. Okay, thank you.
My time has expired.
I recognize the Ranking Member for her opening questions.
Ms. Jackson Lee. Thank you very much, Mr. Chairman.
I see a pathway to fixing what has been laid out by your
report, Mr. Edwards.
Are you recommending today that we eliminate TSA and TSO
officers?
Mr. Edwards. No, ma'am. All we are saying is, based on our
audit work, TSA needs to provide clear-cut guidance and have
procedures in place, and needs to follow through.
Ms. Jackson Lee. From your assessment, do you find that a
fixable or a doable process? As you look at TSA and TSO
officers, do you find that doable?
Mr. Edwards. Yes, ma'am.
Ms. Jackson Lee. Then let me proceed with these questions.
As I ask Mr. Edwards, Mr. Sammon, I am going to be asking
you to respond because he said a number of things that I think
is extremely important.
Mr. Edwards, explain again about the checking of the
application for completeness, and TSA not requiring its TSOs to
review the process. Because you are talking about the document
that the person who has the right of ingress, of entering the
airport, is going to show something, and you are saying TSA is
missing-in-action.
Explain that.
Mr. Edwards. Well, at the airport when the application is
being filled out, in some of the airports we have found there
is a quality check process that somebody is looking through the
data, and verifying and validating that the data, in fact, is
correct.
There is also audits on badging applications to look for
common errors. Some airports follow that, but overall it is not
being followed.
Also----
Ms. Jackson Lee. When you say airports, you are talking
about not the airport personnel, you are talking about TSA?
Mr. Edwards. Airport personnel, you know, they take the
information down.
Ms. Jackson Lee. Right and then----
Mr. Edwards. Then it is sent to the Threat Assessment
Center----
Ms. Jackson Lee. Right.
Mr. Edwards [continuing]. For them to read it. So there is,
you know, inaccurate information that is being entered.
What happens is when TSA's inspectors go to review, the
review is not really in detail.
So what we have recommended that when the inspectors go
back and review these, make it more detailed inspection and
look for these errors. Also recommend look at the quality
assurance that some of the airports are following.
Ms. Jackson Lee. Where do the TSA inspectors intervene? At
the point before the application is approved?
Mr. Edwards. They routinely come--you know, they do a
review of the airports. So when they do that, that is the time
they will be looking at that----
Ms. Jackson Lee. You find that that is a missing element.
It is not sufficiently broad-based and TSA doesn't take it
sufficiently seriously----
Mr. Edwards. Yes, ma'am.
Ms. Jackson Lee [continuing]. To make sure that it happens.
Mr. Sammon, why not? What are you doing to fix that
problem?
Your mic is not on, sir.
Mr. Sammon. In the opening testimony, referred to a rule, a
very large and comprehensive rule, called the Universal Fee
Rule that has been drafted. It is in the administration's
review process.
We agree with the IG's overview of badging processes, that
some are good and some are not as good. The airports are
responsible for completing the badging, accepting the
information, and checking the documentation.
What we want to do is have a much more complete process;
require much more stringent enrollment age and training; have
the documents submitted through TSA so we can put up front
edits for completeness and accuracy; scan the documents in
through TSA so we can do this up front. So we are not relying--
--
Ms. Jackson Lee. You have to be governed--you said that the
rule--what is the potential time frame for that rule being
promulgated?
Mr. Sammon. We would guess that the rule would be--what we
are hoping is that it would be out for public comment later
this year. It is in executive department review.
Ms. Jackson Lee. You started working on the rule when?
Mr. Sammon. Several years ago.
Ms. Jackson Lee. Okay.
Let me go back to Mr. Edwards again. I think this is
enormously important. That is why we are here.
We are talking about breaches and you mentioned that, to
Chairman Rogers' question, you know a breach when you see it. A
breach is a breach is a breach.
My question is, Mr. Edwards, you are saying there is a
failure to keep a detailed and adequate record of breaches that
could result in a horrific and terrible incident.
Mr. Edwards, is that----
Mr. Edwards. Yes, ma'am.
Ms. Jackson Lee. So there is no depository where one could
go and pull up all of the breaches that have occurred.
Mr. Edwards. Well, first, you know, they need to have, you
know, like I said earlier and the Chairman alluded to, there
needs to be a clear definition of what a breach is.
Then TSA needs to give clear guidance to the airports what
to report and when to report. Then TSA needs to follow through
with that.
They have the system, PARIS. They need to make sure that
the metric, the indicator is there. Also, they can go back and
look at the trends and look to see how it is being addressed.
That is not there. That is part of----
Ms. Jackson Lee. So it is setting a standard for airports
to adhere to, which we don't have. Therefore that hinders the
collection of the data.
Mr. Sammon, why is that not happening?
Why do we not have a complete picture of breaches in
America's airports, at least 450 that we are in charge of?
Mr. Sammon. So we have concurred with the IG's
recommendations. The IG, in terms of their report that was
issued just recently, they agree that our plan going forward
would meet the requirements of that recommendation. But they
will keep their recommendations open until we supply them the
documentation.
So our people are actively, at this point, putting together
the information, the requirements, the system, the training to
be able to do that; to have a consistent definition of breaches
and reporting and response to breaches across the country.
Ms. Jackson Lee. Okay, but is that in place now?
Mr. Sammon. It is being put together right now and being
drafted right now, I think.
Ms. Jackson Lee. I may have an additional question, Mr.
Chairman.
I will just yield and just simply say this. Let me put an
exclamation point.
I am glad Mr. Edwards said that we need TSA and TSO. That
is my commitment continuously.
But he also indicated a wide gap. To hear that the first
answer is about a rule and the end of the year, let me put a
punctuation mark after now. If not now, when?
I think in terms of security, our functionalities are too
slow. It is imperative that we move now.
So I would like to discuss this with you further on an
expedited process. I know the rulemaking goes by rules. But
clearly we have to put an exclamation mark to moving forward
more quickly.
I yield back, Mr. Chairman.
Mr. Rogers. I thank the gentlelady.
The Chairman now recognizes the gentleman from Michigan,
Mr. Walberg, for 5 minutes.
Mr. Walberg. Thank you, Mr. Chairman.
Thank you, Mr. Edwards and Mr. Sammon, for being here.
It is almost, humanly speaking, an impossible
responsibility that you all have in screening and making sure
that security is 100 percent, because that is really what is
has to be.
But even having said that, it is still a requirement that
we expect to take place, and hopefully, what we have seen in
the report and read will be fodder for continuous improvement.
Mr. Sammon, TSA's Playbook program employs security
measures at the direct access points and airport perimeters, as
you know, and uses a variety of resources to conduct screening
of individuals and vehicles entering the airport operation
areas.
Could you provide examples for this committee of the
security measures that may be employed at an airport's access
point and its perimeter?
Mr. Sammon. Yes, there may be, in terms of access points
and perimeter, particularly for access points, random screening
that a team may show up and screen employees, coming through to
check badges throughout the airport operations area. There are
random challenges for badges to make sure that the people out
there are the people who belong there.
You referred to Playbook earlier. We use, if you think of
secure flight where we look at watch list passengers who are
traveling selectees. We look at patterns.
We may look at particular airports they are going out of,
gates. You may have seen random gate screening in terms of EDT
and taking swabs of passenger hands. That is risk-driven in
terms of intelligence, where we see people traveling, so all
these are random elements that take place throughout the
airport within the sterile area and the access points and in
the airports operations area.
Mr. Walberg. How often has this program prevented a
security breach at airports?
Mr. Sammon. Again, that particular program has prevented a
number. I couldn't give you specific numbers in terms of how
many have been prevented.
I think if you look at access control through doors,
piggybacking, if people suspect that they may be stopped; if
there are TSA people on the other side that it does to a
certain extent. It is probably not complete.
A number of airports have various programs in place in
terms of technology that prevent piggybacking; camera systems
in place that people, operators, can view what is going on at
those access control points, but not all airports do.
Mr. Walberg. Are you required to notify an airport before
setting up these additional measures?
Mr. Sammon. We generally work with the airport law
enforcement and security people in terms of what we are doing.
We like to include them and have them part of the efforts,
because if we can build on their capabilities along with ours,
it is a better deterrent and better enforcement than otherwise.
Yes.
Mr. Walberg. According to the report issued by the
Department of Homeland Security Inspector General's Office,
inspection enforcement analysis tracks and analyzes breach data
only upon request, if I understand it correctly, which appears
to me to present a potential vulnerability.
Do you agree that this could be a problem?
Mr. Sammon. Yes, and that is why we concurred with both of
the inspector general's recommendations. We are putting plans
together that we have shared with the inspector general.
They have concurred that those plans, if properly
implemented, would meet their requirements or recommendations.
Mr. Walberg. Thank you.
Mr. Edwards, has the TSA given you a reason why it tracks
and analyzes breach data only upon request, though they have
admitted that it is a problem?
Mr. Edwards. No, sir.
Even though TSA has agreed to our recommendations, and they
are going to implement it, I would, for the record, would like
TSA to kind of aggressively pursue and implement our
recommendations.
Mr. Walberg. What does aggressive mean?
Mr. Edwards. Well, some of them have taken years just based
on the previous question. We wanted TSA--I know it is a
challenging monumental task, but we need those recommendations
to be implemented.
Mr. Walberg. Okay.
In the remaining 29 seconds here, Mr. Sammon, while I have
the opportunity, and it is on a different subject, Mr.
Chairman, forgive me for it, but this is the opportunity.
Anything about the foreign repair stations; is that coming
to conclusion here? That is a security issue as well.
Mr. Sammon. Yes, as we briefed you, and Chairman Rogers,
the economic analysis has moved on. It is under executive
department review.
So that has moved on in the time frame that we have briefed
you on earlier. Yes, sir.
Mr. Walberg. Well, we are not forgetting that. It is an
awful long time it is going on here, and hope to see a
conclusion.
Thank you, Mr. Chairman.
Mr. Rogers. I thank the gentleman.
The Chairman now recognizes the Ranking Member of the full
committee, Mr. Thompson, for any questions he may have.
Mr. Thompson. Thank you very much.
Mr. Edwards, your testimony before the committee, I want to
make sure we are absolutely on the same page.
Presently there is no definition that you could find
codified by TSA for a security breach?
Mr. Edwards. The definitions are not consistent across all
policy, sir, so that is why the definition for our testing, we
used the simple definition that I have indicated in my opening
statement.
Mr. Thompson. So, it is no.
Let me add this. You know, I think we already--I am just
trying to get it on the record that is all.
The other point I think we want to make is, Mr. Sammon,
what directive in these security breaches did you give TSOs
before this IG report came out?
Mr. Sammon. The TSOs and inspectors throughout the airport
are given direction in terms of their screening procedures and
processes. We have found that in every case, there have been
examples where people have been able to evade or avoid those.
So we have continuous training with the officers.
Obviously, the point is to have everyone who is entering
the sterile area to have been properly screened. The officers
know that, and it is a matter of making sure that the officers
and their supervisors are continuously and constantly every day
reinforcing it and carrying out the procedures that are
required.
Mr. Thompson. So your testimony is that rather than a
defined statement for what a security breach is, training was
the substitute.
Mr. Sammon. We agree with the inspector general that the
less specific definition of a security breach was not helpful.
That we need to have a specific definition that everyone
understands and uses in implementation across all 450 airports.
Yes, sir.
Mr. Thompson. All right.
So what is the latest statistics that you can provide this
committee on security breaches that have occurred in airports
across the country?
Mr. Sammon. I would have to provide the committee--be happy
to provide those to the committee. But I don't have those
specific numbers with me today, sir.
Mr. Thompson. Who collects it?
Mr. Sammon. Our operations department, the Office of
Security Operations.
Mr. Thompson. So security operation manages the data for
security breaches?
Mr. Sammon. Yes, sir.
Mr. Thompson. Is that your understanding, Mr. Edwards?
Mr. Edwards. Well, there are so many offices in
headquarters in TSA that provides the reporting guidance, and
they have the PARIS data system.
But the corrective action on the breaches is taken at the
field level. It is not at the headquarters.
Mr. Thompson. So, Mr. Sammon, Mr. Edwards just said
something different.
Mr. Sammon. The field-level people he is referring to all
report to the Office of Security Operations. All the TSOs, all
the inspectors, all the Federal security directors are all
under the Office of Security Operations.
Mr. Thompson. How is the data for the breaches transferred
from the field to headquarters? What is the directive?
Mr. Sammon. So it would come up through, if there is a
breach noted by an employee, they would report it to the
supervisor, who would report it to the airport, who then
reports it back up in through the system, up to the
headquarters, where it is compiled for all 450 airports.
Mr. Edwards, is that your understanding?
Mr. Edwards. That is my understanding too, sir.
Mr. Thompson. So you agree with that?
Were you able to see any reports of the information
transfer at the headquarters?
Mr. Edwards. Well, that is where we say there is 42 percent
of the reports at the airport and what is reported to
headquarters, there is no consistency, because there is no
clear guidance on what to report and when to report.
One of our recommendations is that they have to have a
comprehensive oversight program where they provide clear
guidance on how each of the airports need to be reporting and
when, and then TSA needs to follow through.
Mr. Thompson. Mr. Sammon, all of us have heard about this
incident at the Newark airport.
Was TSA involved in that at all?
Mr. Sammon. The New York Port Authority had issued the
badge for that particular person. He is employed by the New
York Port Authority to staff exit lanes at the Newark airport.
So in terms of TSA, he is not employed by TSA. His badging
process that the New York Port Authority went through is the
process that TSA prescribes.
We have, you know----
Mr. Thompson. Describe what that process is.
Mr. Sammon. In terms of initially, it would be a criminal
history records check. It would be a watch list check. It would
be immigration status or citizenship status.
Those three things comprise the check.
He had been working there for quite some time. A number of
those airports, when we put procedures in, were grandfathered
in, in terms of not having to redo criminal history records
check or other things.
His identity was run through a criminal history records
check and the watch list. It did not show up. He did not hit
anything--nor both his assumed identity and his original
identity.
Mr. Thompson. So your testimony is that there are people
working at airports from a security standpoint, who were
grandfathered in and we did not do background checks on them?
Mr. Sammon. They were run with background checks. They were
run--the watch list is run on them every single evening.
In terms of their original criminal history records check
that was put in when people apply for a badge. They get a
criminal history records check.
What we are proposing in this rule, however, is to make the
renewal of that criminal history records check every 5 years,
the same as it is for all other Federal badging standards.
Mr. Thompson. So criminal history does not require
identification?
Mr. Sammon. It requires submission of fingerprints, sir,
and identification.
Mr. Thompson. So I could--Mr. Chairman, with your
indulgence on this.
I am trying to figure out how somebody could put their
fingerprint on a badge, and end up having identity of somebody
else.
Mr. Sammon. So he, as I mentioned, the process was he has
been in the system for quite some time. He has been working in
the New York area under the Airport Authority for quite some
time.
He went in--even if you submitted his fingerprints, if he
is not a criminal and there is no criminal history, he is not
going to make--there is not going to be a match.
So unless either identity, either his real identity or the
assumed identity, had a criminal record when you put his
fingerprints in, there would be no match in the FBI criminal
history records check.
Mr. Thompson. So you are saying that there could be a lot
of people just like this person in the system because our
system is not designed to pick up people like this?
Mr. Sammon. Again, this is why we want to have this more
comprehensive rule. We are using rulemaking because we are
making substantial changes to the documentation and
verification.
This person apparently has--he assumed an identity. He
didn't attempt to do anything other than maintain his job with
that identity.
He didn't use it for fraud. There were no criminal nor
terrorist associations with----
Mr. Thompson. But I think he used it for fraud. He is
working under somebody who is dead.
Mr. Sammon. Right. He was using it for fraud to get that
job, yes, sir.
Mr. Thompson. Well, I yield back, Mr. Chairman.
Mr. Rogers. I thank the gentleman.
Listen, I have listened patiently. You all keep making
references, both of you, to not having a clear definition as
being excuse for these not being reported, and that is just
B.S.
The fact is a breach is a breach.
If somebody gets through a checkpoint, a secure access
checkpoint, that is not supposed to and it is reported to a
supervisor, that ought to be reported up to TSA. I don't care
what definition you use.
So please don't excuse that anymore in your remarks. We
have got to find a way to make sure every breach, by any
definition, is reported up to big TSA and PARIS, so we can come
up with processes to fix this.
Chair would now recognize the gentleman from Minnesota, Mr.
Cravaack, for any questions he may have.
Mr. Cravaack. Thank you, Mr. Chairman, for this very
important hearing. I would like to request that we have a field
hearing sometime in the future regarding this important issue.
Mr. Sammon, I flew 17 years as an airline pilot. I have got
to tell you, if you had asked an airline pilot where--before 9/
11--what was going to happen, we would have told you.
I am going to tell you now that I feel the next breach that
will occur is going to come from the shadow of the airplane,
and coming from the ground, hooking up to a passenger that
comes in through clean through the airport.
Would it surprise you, sir, if I told you that several
people, both pilots and ground personnel, have told me the
security around the aircraft coming from outside sources is a
joke?
Mr. Sammon. I would think that there is a lot of activity
on the back side of the airport. There are a lot of different
people and crafts coming and going.
The people who have SIDA badges undergo three layers of
checks.
Does that prevent all criminal activity and whatever else?
It does not.
TSA does random inspections of folks in terms of what they
are doing there. We have also had a large number of people on
the back side of the airport who have reported activities in
terms of contraband being shipped in and out of aircraft.
So, no, it is a very active area, yes, sir.
Mr. Cravaack. Okay. I could tell you that I have had people
call me up because of my background and telling me--and warning
me that this--and I am going to tell you right now, the next
incident is going to come from the ground.
It is going to come from the shadow of the aircraft. It is
not going to come through the passenger terminal.
I am telling you that. Okay?
Now, I don't know if you are aware, in October 2011 Channel
2 down at Hartsfield-Jackson Airport did an undercover report.
This is what they said, the whistleblower that went in: ``If I
were a crazy lunatic or an Osama bin Laden sympathizer, I can
come in and put anything on the plane.''
The other comment was, ``I can bring a gun in there if I
want to, a bomb, anything,'' said the whistleblower, ``that is
how easy it is.''
So my question to you, sir, is: Do you believe that TSA has
sufficient procedures in place to protect the traveling public
from an incident from occurring?
Mr. Sammon. So with regard to the whistleblower, and the
story was reported in the Atlanta paper, or the newspaper--or
the TV anyway.
First of all, they do not understand the procedures and the
law. They don't understand the requirements of what has to be
sealed.
In terms of the areas that they are talking about people
piggybacking were not a secure area, they are the catering
facilities. The allegations in terms of what could or could not
be done in terms of what was sealed between the carts and
between the trucks, the person does not understand the
regulations.
We have also inspected this operation at least 20 times in
the past several months and found that in terms of all the
regulations, they meet all the requirements that are in place.
Mr. Cravaack. Well, it says here--this is part of the
thing--it says--he said the carts that were sealed are the
liquor carts to keep employees from stealing the liquor. That
was really the only things that were consistently sealed.
Mr. Sammon. So the carts can be unsealed if the truck is
sealed or the driver is accompanied to the aircraft. So there
is--we have had a running contention with that reporter in
terms of his understanding and reporting on what the law says
and what the regulation is saying.
Mr. Cravaack. Well, we know what the law says and the
regulation says. What I am telling you, sir, is that with--this
is just a report that has been done.
But I am telling you from people that I know that have been
on--that are ground counters around the shadow of the airplane
are basically reinforcing what this person is telling me.
So my question--you know, and when asked the TSA responded
pretty much what you just said right now, sir.
Now, I am not trying to----
Mr. Sammon. Right.
Mr. Cravaack. This is bigger than pointing fingers. This is
about protecting the flying public.
This is ensuring that we don't have another incident like
9/11 ever again. I am trying to fix the problem. I am not
trying to point blame, trust me on that.
I am trying to make sure that we never have that incident
occur again. We never have an aircraft that is used as a human
missile.
So what I am trying to say is pretty much the response to
this was all that TSA sent to Channel 2 was a generic statement
reiterating that it does regular inspections on airline
security operations to make sure everyone is following the
rules.
Now with that said, sir, I understand that only 17 percent
of the airports have been assessed. Is that correct?
Mr. Sammon. I think what you are referring to is the JVA.
Mr. Cravaack. Correct.
Mr. Sammon. The JVA is a very in-depth assessment. It is
done with TSA and the FBI. It takes quite a bit of time and a
limited number of airports are assessed each year.
Mr. Cravaack. Okay. Well in all due respect, sir--and I am
over my time--we have a very intelligent enemy that very easily
can find the weaknesses of a small airport connecting into a
larger airport connecting further on.
I don't envy you your job. Trust me when I say that.
But we have to be much smarter than the enemy. I see a lot
of holes here.
I am being alerted to a lot of holes. I am telling you
where the next incident is going to occur.
So with that, sir, I will yield back.
Mr. Rogers. I thank the gentleman.
The Chairman now recognizes the gentleman from Louisiana,
Mr. Richmond, for any questions he may have.
Mr. Richmond. Well, I will just start where my colleague
left off, and a very general question.
Mr. Sammon or Mr. Edwards, either one of you can answer it.
But is there a line or protocol or procedure for an
employee to call, whether it is a pilot, stewardess, janitor at
an airport, so that, when they have these gut feelings about
what the next plan may or may not be, that they can report it
to somebody so that it is on the radar and you all respond to
those reports?
So does something like that exist?
Mr. Edwards. Sir, we have a hotline. DHS OIG has a hotline
that we get referrals and allegations about a wide variety of
issues. We also educate all the DHS employees to refer to when
they see a situation like this.
If I may, if I could go back to the Congressman from
Minnesota about the concern he had about the shadow of the
aircraft.
Sir, that is why we do covert testing. We have done a
number in the last several years.
The results of it is classified. I would be glad to come by
and brief on the results that we came up with.
Mr. Richmond. Mr. Sammon, you also talked about the goal. I
think it was having 35 airports in the prescreen program?
Mr. Sammon. Yes, sir.
Mr. Richmond. Where are you up to right now?
Mr. Sammon. Right now, we are at probably about a dozen or
so. Getting up to PreCheck is a function of also adding the
additional airlines.
United Airlines will be coming on shortly. U.S. Air will be
coming on within the next month or so. Also JetBlue will be
coming on later this summer.
So we are getting the airlines up. They are modifying their
systems to be able to do this. We expect to be rolling up
additional airports over the balance of this year.
Mr. Richmond. Also--and I listened to the exchange between
you and Ranking Member Thompson about the incident at Newark
and what happened and all of that.
What I didn't hear is what procedure could have been in
place to prevent it, and is it in place now?
So----
Mr. Sammon. Again, the types of procedures and process
changes we need, in terms of getting data into the system,
identifying documents, does require rule-making, unfortunately.
There are impacts on airports. It costs money.
Those procedures that we have outlined, I believe, if we
had those in place, it may have caught this gentleman. I can't
guarantee it, but it may have.
Mr. Richmond. So with the rule-making and things not being
done yet, we still don't have a procedure in place to prevent
this in the future?
Mr. Sammon. Right now, the system still has gaps, and that
is what this rule-making is intended to address. Yes, sir.
Mr. Richmond. I guess the other question just becomes is
there a general feedback to TSOs, TSAs, and airport security?
At least in my experience, people try something one time
just to see if it works, and they continue to do it. So do we
do a continuing education or training or anything to let people
know this is the latest attempt in getting into secured areas
or getting past certain checkpoints?
Do we do that with our on-the-ground troops?
Mr. Sammon. Yes, we take--in terms of incidents, not only
in terms of the kinds of things that--in terms of access
control, but people attempting, testing the system, say
shipping cheese with electronics attached to those things,
putting those images back for training for TSOs in terms of
what to look for and the kinds of things that they should be up
to date.
So we have increased the number of TSOs with security
background checks so that we can share more intelligence with
them. Because we want to keep this feedback not only from where
the incident happened but to share it across the country,
because they are not isolated. They are generally--things can
happen at any location.
Mr. Richmond. But in order to do that, the breach has to be
reported and put in something so that all of them can be used
as teachable moments. Hopefully, we are getting to fewer and
fewer teachable moments in the process.
Mr. Sammon. Yes, we agree, and concur with the IG. Yes,
sir.
Mr. Richmond. Is there anything else you can do besides
something that takes rule-making so that we can prevent people
from getting into secured areas, or what happened in Newark,
just in case we don't have time to wait on rule-making?
Mr. Sammon. Our inspection efforts have been increased to
working with the IG in terms of things we can do in the near
term, in terms of badging process kinds of audits, and
information analysis. But also our training at the checkpoint
and other areas throughout the airport is being stepped up,
because we realize there are process things that have to be
done.
But also, in the shorter term, the intensity has to be
picked up. Yes, sir.
Mr. Richmond. Thank you.
My time has expired. I yield back.
Mr. Rogers. I thank the gentleman for his questions.
The Chairman now recognizes Mr. Lungren for any questions
he may have.
Mr. Lungren. Thank you very much. I guess I have got 37
seconds.
So, thank you.
Mr. Rogers. You have got time.
Mr. Lungren. Thank you very much.
Mr. Sammon, first of all, let me just say there is a lot of
criticism that has been leveled at DHS and at TSA. It is
probably where more Americans get to see--I was going to say
are touched by TSA--than any other place in the country.
But we ought to reflect on the successes. I mean, 9/11 was
over 10 years ago.
We know the enemy probably wishes to continue to use
commercial air traffic as one of the vulnerabilities to attack
us. We have been, through a lot of hard work, a lot of people
dedicated, and some luck, not subjected to another attack like
we were on 9/11.
So I think there are some thanks that ought to be delivered
to TSA and those that work.
Having said that, let me ask you about your prescreening
expedited passenger program.
Would Henry Kissinger qualify for that?
Mr. Sammon. I think we saw this morning in The Wall Street
Journal a very complimentary article from Dr. Kissinger, in
terms of how he was treated professionally at the airport. He
was--I can pull a copy of the article out----
Mr. Lungren. I understand that. But in the mind of a lot of
people, it would seem to be a waste of time to subject Mr.
Kissinger to extra, sort of----
Mr. Sammon. Yes, he would qualify if he--again, there are
two ways, right now, to qualify: One, through opting in through
your airline if you are of a certain level of flying; also
through global entry, through CBP.
We are looking at many more ways to say: How do we get
trusted people into the system?
I mean, our vision would be that, in the future, the
majority of passengers are going through a less physically
intensive screening process. Because if we know more about them
up-front, that we can improve the level of security while
improving the passenger experience through the airport.
Yes, sir.
Mr. Lungren. I hope that happens because, frankly, I have
heard that with two administrations. I have heard that in
classified briefings and in open briefings, that this makes
sense, that it would be better for us.
Yet it seems like it is stretched out and stretched out. I
am glad that we at least are going forward.
Here is a question I would address to both of you.
This is a serious matter in terms of control points with
respect to access. But let us face it. It is a tedious job.
If you are successful, and if most people are not trying to
bring something that is prohibited through, you know, 99
percent of the time. I mean, there is a tendency to slack off.
There is a tendency to presume that you are not going to find
an item that you ought to stop.
So how do you continue to keep the edge?
It would seem to me one of the things is very, very
aggressive supervision. I know that part of that is, you know,
management versus employees and that sort of thing.
But it just seems to me, that is one of the toughest
conundrums that you have.
Mr. Sammon. Right.
Mr. Lungren. I wonder what you would have to say to that.
Mr. Edwards, if, in the reviews that you have undertaken,
you have any comment on that?
Mr. Sammon. So I think your point about supervision is
critical. TSA was stood up basically around the country, local
hiring, training took place locally.
What we have done is stood up a training program in Glynco,
Georgia for the first-line supervisors. Because that is where
you make it or break it, in terms of what those supervisors
communicate to the employees, what they see, and how they
manage those individual checkpoints.
We have not--TSA in its first 10 years had had no central
place to run all the supervision through a standardized
approach to understanding TSA's mission to TSA's--what we were
trying to accomplish at the checkpoint, and maintaining that
edge that you are referring to.
So that is--what you brought up is exactly what we have
recognized and are beginning to do.
We have run two classes through, the first two classes. I
think there is another graduation this week. We are going to
be--our goal is to get all the first-line supervisors through
that process because that is where you have to begin.
Mr. Lungren. Mr. Edwards, is that the proper approach?
Are you satisfied with what they are doing?
Mr. Edwards. Yes, sir.
But I also would like to point out, if I may, that, you
know, we want to make sure that TSA operates in an optimum
fashion. We want to make sure that they bring issues and
concerns to you and to the American public to see TSA fix those
recommendations in a timely fashion.
I think they add value by bringing--pointing out those
issues to TSA. TSA is working towards fixing them, but we would
like it to be fixed sooner than later.
Mr. Lungren. I would just reflect on this, Mr. Chairman,
and that is that in virtually every other endeavor in our
society competition has been viewed as one of the ways in which
we sharpen our instincts, and sharpen our approaches, and
sharpen our performance.
Yet for whatever reason TSA administrators, over the past
number of years, have been reluctant to support a program that
allows private sector to be involved as an adjunct or a
competitor to the regular TSA operation.
I would just say I hope we don't lose sight of that. I know
that there are many of us in the Congress that believe that
that is one component.
It is not a criticism of TSA employees. But it is one
component of how you improve performance. I yield.
Thank you, Mr. Chairman.
Mr. Rogers. I thank the gentleman.
Before the Chair recognizes Mr. Davis for any questions,
the Ranking Member has informed me she needs to leave and wants
to make an observation before she has to step out.
The Ranking Member is recognized.
Ms. Jackson Lee. Thank you, for a moment, Mr. Chairman.
Let me just try to pointedly go back to this question of
breaches, which I think really deserves an immediate response.
I do want to indicate that I am pleased. I think that the
Chairman is having this hearing, and we are joined together at
this hearing.
The Members are here, I would say, because of the faith we
have in the fine men and women that work for TSA and realizing
the work that they do.
I believe Administrator Pistole's concept of a Federal
force, if you will, combined with intelligence, information,
and fighting counterterrorism is probably the best approach and
does not lend itself, from my perspective, though my mind is
open, to massive privatization.
The reason I say that are these two pointed questions.
The gentlemen at Newark used identification of a deceased
person. We need to get that on the record. He was operating
with an identity that could have generated in a heinous
incident.
So the question is: Did you do a security threat assessment
of what might have happened, Mr. Sammon?
Then with respect to breaches, this also includes airport
collaboration. I see a gaping hole while we are sitting here
talking to each other about the communication between TSA and
airports.
Mr. Edwards, you see the direction that I am going.
Even though you are doing a comprehensive rulemaking at
this point, a simple missive, if you will, to your lead
officers at these airports, you take the risk assessment
approach to indicate that airports are responsible for
reporting those breaches.
Why have you not done that simple task, even though the
rulemaking is proceeding?
A missive to our 10 most vulnerable, or however the risk
assessment is made, Mr. Edwards, would that be a fair approach,
even though we are in the middle of rulemaking, to communicate
with airports?
Mr. Edwards. Yes, ma'am.
Ms. Jackson Lee. And insist that they provide information
of breaches.
Mr. Sammon, can that be done now?
Mr. Sammon. We can communicate that to our airport
operating people and make sure that they do get the breaches
reported properly. Yes, ma'am, it can be done.
Ms. Jackson Lee. I would ask you to do that. I would ask--
you cannot answer it now, but I would ask whether or not you
have done a security threat assessment of what it meant for a
person having a deceased person's documentation for the period
of time that this gentleman had it.
I thank the gentleman for yielding.
Mr. Rogers. I thank the gentlelady.
The Chairman recognizes the gentleman from Illinois, Mr.
Davis, for any questions he may have.
Mr. Davis. Thank you very much, Mr. Chairman.
I trust that the questions I am going to ask have not been
already asked. If they have been I apologize for that.
Mr. Edwards, in your testimony you mentioned that you gave
six recommendations to TSA in reference to access control
vulnerabilities.
Have the recommendations accepted been implemented? If so,
what has been the outcome of those recommendations?
Mr. Edwards. Out of the--thank you, Congressman.
Out of the six recommendations, TSA has implemented one and
has agreed to implement the other five. They are in the process
of doing it. They haven't given us detailed information back to
us on when they are going to implement the other five.
Mr. Davis. I would imagine that there has not been
sufficient time to evaluate the impact of the one that is
undergoing implementation now?
Mr. Edwards. Yes, sir.
Mr. Davis. Mr. Sammon, I am actually quoting from your
testimony in terms of a statement.
``The Known Crewmember program is the result of a
collaborative effort between the airline industry, pilots, and
TSA which currently allows uniformed pilots from 20 airlines in
10 airports to show two forms of identification. After
evaluation, evaluating operational data from 10 airports, and
through much discussion with industry representatives, we are
planning to expand the Known Crewmember solution to more
airports this calendar year.''
Let me ask you, is it a feeling or is it your feeling that
there is a one-size-fits-all approach to this? Or is this
experimental in a way? Or is it testing an approach?
Could you respond to that?
Mr. Sammon. I would be happy to.
We had piloted or had tested the approach at about three
airports for probably over 2 years. Having had considerable
conversations with the various pilot associations and the
airline industry, and have come to a rollout approach that we
expect to get to over 30 airports by the end of the year.
The pilots are the most trusted person coming through the
checkpoint. The pilot does not need an explosive device to
damage the plane. So what we want to do is expedite their
access.
We actually do more identity verification today through
Known Crewmember than is done through the regular process
coming through the checkpoint. So we feel that we have a higher
identity verification that the person is indeed a pilot. But
there is less physical inspection.
Mr. Davis. Thank you very much.
Thank you, Mr. Chairman.
Mr. Rogers. I thank the gentleman.
I will recognize myself for a second series of questions.
Yesterday at this time of the day, I was in New York City
at Ground Zero touring that progress there--very sobering. Then
to come here today and hear this is just disturbing.
As I told you earlier, regardless of the definition, if a
breach was reported by a TSA agent or officer to their
supervisor, it should be reported up the food chain, regardless
of the definition.
I just can't get past that point.
Mr. Sammon, I have worked with you for a long time and I
know you to be an extremely competent fellow who does a lot of
things very well. This isn't one of them. I hope that you
recognize that this has got to be fixed and fixed quickly.
We don't need a rulemaking. We need your supervisors in the
airports to know if a breach is reported to them it goes up--no
matter what the definition is--it goes up to PARIS and to you
all so you all come up with processes to fix this.
Having said that, when do you think that this definition
will be in place? Tomorrow would be a good time.
Mr. Sammon [continuing]. A good time. People are working on
it right now in terms of definition, and we are working on the
security operations directives to get them rolled out to the
field.
We can get you a timing--I would be happy to get you an
update on the timing here.
Mr. Rogers. I hope you will.
Mr. Edwards, would you agree that given we haven't had the
reporting of all breaches, that we really don't know if there
is a pattern of breaches that have been occurring for TSA to be
able to respond to or prepare for?
Mr. Edwards. No, sir. The airports that we looked at and
what was reported, we don't have that, sir.
Mr. Rogers. You don't what?
Mr. Edwards. There is--we cannot predict a pattern because
it has not been reported up all of them.
Mr. Rogers. Exactly my point.
Mr. Edwards. Yes, sir.
Mr. Rogers. Until we get 100 percent of these breaches
reported, there could be a pattern that is being established by
folks feeling their way through these different airports to
find out our vulnerabilities. We don't have a way of responding
to it.
Mr. Edwards. Right. If it is reported back to the PARIS
system then they can look at trends and do some analysis to see
what the breaches were.
Mr. Rogers. The Ranking Member wants to ask something right
quick.
Mr. Thompson. Yes.
Mr. Sammon, you made a statement that a lot of employees at
airports were grandfathered.
Do we know how many?
Mr. Sammon. I don't know off the top of my head. We can
get--I would be happy to supply the committee information, but
not off the top of my head.
Mr. Thompson. I really think the committee really needs
that because this is my first time hearing this.
Mr. Edwards, were you aware of this grandfathering?
Mr. Edwards. No, sir.
Mr. Thompson. Would you be concerned too?
Mr. Edwards. Absolutely.
I also would like to point out that even--you know, there
has to be--I gave an example in 2007. There has to be periodic
and recurrent criminal history checks.
That is one of the findings in our audit. You know, I am
definitely concerned just like you.
Mr. Thompson. So with 450 airports, and if we grandfathered
all these individuals in, Mr. Chairman, we could have any
number of people working in airports right now that we don't
know whether they are who they say they are----
Mr. Rogers. That is exactly right.
Mr. Thompson [continuing]. Based on the Newark Airport
incident.
Mr. Edwards, are you aware of a method that could provide
TSA with the identification of the employee and the criminal
background that would not require rulemaking to get done?
Mr. Edwards. Can I get back to you on that, sir?
We will work on a simple process to get back to you.
Mr. Thompson. Well, are you aware of any other agency that
is doing--let me just--Mr. Chairman, the general public assumes
that every person who goes to an airport that goes through this
process is first, who they say they are and whether or not the
criminal background.
I am concerned now that we don't have a way of identifying
the identity of that person other than some fingerprint that
may or may not only show that that person does not have a
criminal history but it does not verify identity.
Mr. Rogers. Right.
Mr. Thompson. That is a real concern on my part.
I yield back, Mr. Chairman.
Mr. Rogers. I thank the gentleman.
I want to go back to something Mr. Edwards said in his
opening statement talking about how you found the various
employees that had gotten certification badges or access badges
at different airports with different information.
Is there not a database where when somebody applies for
clearance that they are checked against every other airport?
Is there a single database or clearinghouse for that?
Mr. Edwards. Well, there are--the 359 airport offices,
badging office that we looked at, we found this anomaly of this
one individual having three different birth places.
We brought it to TSA's attention. They immediately fixed--
got the correct birth place, and fixed that and completed the--
and updated the record----
Mr. Rogers. That is not my question.
My question is these badges are allowed based on TSA's
criteria.
Mr. Edwards. Right.
Mr. Rogers. When an airport is going to grant a badge, do
they not have to check it against the database of TSA-approved
persons?
Mr. Edwards. They have to check the database, but all the
fields do not match in order for them to get a valid----
Mr. Rogers. So the database is worthless then?
Mr. Edwards. Right, that is what they tell me.
Mr. Rogers. Goodness gracious. I don't have any further
questions.
Do you have any?
I want to thank the gentlemen for their time. This panel is
now dismissed.
We will call up the second panel.
The Chairman now recognizes the second panel.
We are pleased to have several additional witnesses before
us today on this important topic. Now, let me remind the
witnesses that their entire written statements will appear in
the record.
Our first witness, Mr. Mark Crosby, currently serves as
chief of public safety and security in Portland International
Airport. He will be testifying on behalf of the American
Association of Airport Executives.
As Chairman, I recognize Mr. Crosby for his opening
statement.
STATEMENT OF MARK CROSBY, CHIEF OF PUBLIC SAFETY AND SECURITY,
PORTLAND INTERNATIONAL AIRPORT, TESTIFYING ON BEHALF OF THE
AMERICAN ASSOCIATION OF AIRPORT EXECUTIVES
Mr. Crosby. Thank you, Chairman Rogers, Ranking Member
Thompson, Members of the subcommittee. Thank you again for this
opportunity to speak before you today on behalf of the American
Association of Airport Executives.
As AAAE's security committee chair, and the chief of public
safety and security at three airports, including Portland
International and three seaports, I can assure you that airport
operators take the insider threat to the aviation environment
very seriously.
We also take seriously the findings highlighted today by
the DHS inspector general. Ten-and-a-half years after 9/11, I
still hold monthly conference calls with airport security
managers to talk about current issues and to talk about best
practices.
It is a very dynamic area of our industry and it continues
to evolve.
As you know, TSA is largely responsible for controlling
access to sterile areas beyond the security checkpoints. My
comments today are focused on the other areas where airports
control access via airport-issued security badges.
First, airports are public entities with an imperative to
provide the highest levels of security. It is our airport. We
work there every day, and we care about it.
In addition to partnering with TSA to meet the core mission
of passenger and baggage screening, airports perform a number
of inherently local security-related duties, including incident
response and managements, perimeter security, employee vetting,
credentialing, access control, and local law enforcement
functions.
These important duties have long been local
responsibilities performed by local authorities in accordance
with Federal standards, and subject to Federal oversight.
The public safety professionals that I have the privilege
of working with every day to perform these duties at airports
are highly trained and have first responder duties that we all
value immensely.
While these responsibilities are important, let me focus on
badging and access control responsibilities, and urge you to
preserve the local role of airports in these areas.
Background check process for airport workers has operated
for many years successfully as a partnership between Federal
and local officials, with the Federal Government holding the
sole responsibility for the security threat assessments; and
with local airport authorities operating and managing
enrollment, credentialing, badging, criminal history background
check adjudication, and access control systems in accordance
with strict Federal standards.
Local involvement provides a critical layer of security and
gives airports the operational control they require to ensure
that qualified employees receive the credentials they need to
work in the airport environment.
My final point today is that any effort to increase the
Federal role in airport badging in access control procedures
will diminish security and divert TSA's attention from its core
mission. The underachieving results of the TWIC program in the
maritime environment provide my point.
As someone with responsibilities for security in both the
airport and seaport environments, I can tell you that any move
to shift additional functions in aviation to the Federal
Government will diminish security by reducing or eliminating a
critical extra layer of security that is already in place at
airports.
Pursuing such an approach would scuttle a successful local
Federal model that has worked for decades. It would streamline
significant efforts already underway at airports to upgrade and
biometrically enable the existing airport badging and access
control systems, and significantly increase costs to the
aviation industry with no demonstrable security benefit.
Members of the subcommittee, the access control systems at
airports are unique among other transportation facilities, and
have operated successfully for decades.
That is not to say there isn't areas for improvement. As
was mentioned earlier, the threat is always changing, therefore
our measures need to change and improve as well.
Local involvement provides a crucial additional security
layer that should not be discarded. That concludes my comments.
I look forward to your questions.
[The statement of Mr. Crosby follows:]
Prepared Statement of Mark Crosby
May 16, 2012
Chairman Rogers, Ranking Member Jackson Lee, and Members of the
subcommittee, thank you for the opportunity to be with you today to
discuss airport access control--an important security function that
local airport operators have held for decades in accordance with strict
Federal standards, requirements, and oversight. I am testifying today
on behalf of the American Association of Airport Executives, which
represents thousands of men and women across the country who manage and
operate the Nation's airports. I am actively involved with AAAE as
chair of the association's Transportation Security Services Committee.
In addition to my work with AAAE, I currently serve as chief of
public safety and security for the Port of Portland in Oregon, a joint
port authority that operates three seaport terminals and three
airports, including Portland International Airport (PDX). In that
capacity, I have overall responsibility for Emergency Management at the
Port and manage the Port's Public Safety and Security Department, which
includes the Airport and Marine Security Departments, the Airport
Police Department, Fire Department, and the Communications Center. I
have also served on the Public Safety & Security Steering Group for
Airports Council International--North America. I am a graduate of the
U.S. Air Force Academy and serve currently as a colonel in the Oregon
Air National Guard.
Mr. Chairman, I want to assure you and the Members of the
subcommittee that airports take recent incidents and the prospect of
the ``inside threat'' in the aviation environment seriously. Airport
executives are working constantly in collaboration with the
Transportation Security Administration to enhance the layers of
security that exist to identify and address potential threats in the
airport environment, including extensive background checks for aviation
workers, random physical screening of workers at airports,
surveillance, law enforcement patrols, robust security training, and
the institution of challenge procedures among airport workers, to
mention a few. In the public areas of airports, local law enforcement
presence and patrols provide security far beyond what is typically in
operation at other potential public targets such as sport stadiums,
train stations, or shopping malls.
The title of today's hearing poses the question as to whether
recent incidents are an anomaly or the sign of systematic failure in
terms of access control at airports. From my perspective and the
perspective of AAAE, the existing access control system at the Nation's
airports works well and is continuously improving. It relies on local
management of credentialing and access control systems in accordance
with strict Federal standards, requirements, and oversight; a robust,
multi-layered security apparatus; and extensive efforts to identify
``bad'' people before they are ever given access to security sensitive
areas of airports. That is not to say that the current system is
infallible or that improvements cannot be made. Airport executives, for
example, are aggressively working to enable voluntary migration to
biometric-based badging and access control systems at airports as part
of an initiative known as the Biometric Airport Security Identification
Consortium. Other efforts to enhance airport access control technology
and procedures are underway as well.
In our view, the best approach to enhancing access control at the
Nation's airports lies with continuing to focus on robust background
checks, maintaining our multi-layered security approach, and preserving
and protecting the critical local layer of security that airports
provide with credentialing, access control, and other inherently local
functions. While some have argued for Federalizing virtually all
security responsibilities in airports, doing so would add to TSA's
already daunting mission and abandon the successful local systems and
process in place that have proven effective for decades in enhancing
security and ensuring efficient airport operations. From a security and
resource perspective, it is critical that inherently local security
functions remain local with Federal oversight and backed by Federal
resources when appropriate.
airports add a critical, local layer of security that must be preserved
and protected
As you know, airports play a unique and critical role in aviation
security, serving as an important partner to the TSA in helping the
agency meet its core mission of passenger and baggage screening. The
significant changes that have taken place in airports over the past
decade with the creation of the TSA and its assumption of all screening
duties have been aided dramatically by the work of the airport
community, and we will continue to serve as a critical local partner to
the agency as it continually modifies its operations with PreCheck and
other risk-based approaches to security, which we fully support.
In addition to partnering with TSA to meet its core mission,
airports as public entities provide a critical local layer of security,
performing a number of inherently local security-related functions at
their facilities, including incident response and management, perimeter
security, employee vetting and credentialing, access control,
infrastructure and operations planning, and local law enforcement
functions. These important duties have long been local responsibilities
that have been performed by local authorities in accordance with
Federal standards and subject to Federal oversight.
Airport operators meet their security-related obligations with a
sharp focus on the need to protect public safety, which remains one of
their fundamental missions. The professionals who perform these duties
at airports are highly trained and have the first responder duties that
I know each and every Member of this subcommittee, the Congress, and
the country value immensely.
preserving the local role of airports with badging and access control
is critical
A cornerstone of security within the Nation's airports is the
credentialing and background check processes that all workers must
undergo prior to receiving airport-issued credentials that grant access
to security sensitive airport areas. While a relatively new concept in
the maritime environment, credentialing tied to strict, Federally-
specified access control has been a key component of security at
airports for more than 20 years. I have included a 1-page document at
the end of my testimony that provides additional details on airport
badging processes and requirements.
In the aviation environment, the background check process for
workers operates successfully as a Federal/local partnership with the
Federal Government holding sole responsibility for criminal history
record checks, security threat assessments, and other necessary
Government checks for prospective workers and with local airport
authorities operating and managing enrollment, credentialing, badging,
criminal history background check adjudication, and access control
systems in accordance with strict Federal standards.
The current system for aviation ensures the highest level of
security by combining the unique local experience, expertise, and
knowledge that exists at individual airports regarding facilities and
personnel with Federal standardization, Federal oversight, and Federal
vetting assets. Local involvement provides a critical layer of security
and gives airports the operational control they require to ensure that
qualified employees receive the credentials they need to work in the
airport environment.
In contrast to the long-standing locally-controlled credentialing
and access control apparatus that exists in the aviation environment,
the credentialing/access control system in place in the maritime
environment with the Transportation Worker Identification Credential
(TWIC) program is relatively new. Under the TWIC model, the Federal
Government or its contractors are responsible for virtually all aspects
of credentialing, including worker enrollment, applicant vetting, and
credential issuance.
Some have suggested abandoning the successful local systems and
processes already in place at airports with badging and access control
to expand TSA and the Federal Government's control over more of the
process as is the case with TWIC in the maritime environment. Airport
executives oppose any move to shift any additional functions in
aviation to the Federal Government and believe that such a move would
diminish security by reducing or eliminating a critical, extra layer of
security that is already in place in airports.
Pursuing such an approach would scuttle a successful local/Federal
model that has worked well for decades, eliminate local operational
control, stymie significant efforts already underway at airports across
the country to upgrade and biometrically enable existing airport
badging and access control systems, and significantly increase costs to
the aviation industry with no demonstrable security benefit.
While the desire to centralize and Federalize the process for all
transportation worker vetting programs may be understandable from the
Federal Government's perspective, airport executives are concerned
about Federal intrusion into existing processes that have worked well
for decades. Airports are also very concerned about having to help foot
the bill for these initiatives--estimated at $633 million through 2025
in appropriations and new fees as part of the TTAC Infrastructure
Modernization (TIM) program--for changes that provide them with no
demonstrable security or operational benefit. The current system in
aviation operates efficiently and effectively at a fraction of the cost
of other transportation vetting programs and at no cost to the Federal
Government. Airport executives want to ensure that remains the case.
With the Federal Government and State and local governments
operating under historic budget constraints, it makes little sense to
devote hundreds of millions of dollars in scarce resources to
Federalize functions that airports have performed successfully for
nearly a decade. The TIM effort fails to take into account the long-
proven approach that exists in the aviation industry.
biometric airport security identification consortium (basic)
Before concluding, I want to take this opportunity to bring the
subcommittee up to date on a related topic and the efforts of the
Biometric Airport Security Identification Consortium or BASIC
initiative. In simple terms, the objective of BASIC is to define a
comprehensive, airport-driven Concept of Operations that will enable
voluntary migration to biometric-based badging and access control
systems at airports--a goal that I know subcommittee Members share.
More than 40 airports of all sizes actively participate in BASIC. I
would note that BASIC airport participants are working cooperatively
with TSA on this initiative as well as with other groups, including the
Airport Consultants Council.
Many airport operators--including the Port of Portland--are eager
to move forward with biometrics, but concerns remain about the prospect
of overly prescriptive and costly solutions. Airports are also eager to
avoid repeating mistakes made in the past where the Federal Government
required costly and often proprietary access control systems to be
deployed in airports in a compressed period of time. That approach
proved both expensive and ineffective.
In an effort to avoid unnecessary regulations and a one-size-fits-
all mandate regarding biometric-based systems, airports participating
in BASIC have identified several key principles that must be part of
any future biometric-based badging and access control systems,
including:
Safeguards on local control and issuance of credentials,
Leveraging of existing capital investments and resources,
Standards-based open architecture and local determination of
qualified vendors, and
Phased implementation that migrates over time.
In addition to building on the processes and regulations already in
place at airports today, BASIC is also working to adapt important
Federal standards regarding secure biometric credentials into the
airport's operational environment. For example, Federal Information
Processing Standard (FIPS) 201 and the more recent Personal Identity
Verification Interoperability (PIV-I) for Non-Federal Issuers are
reflected throughout the BASIC Concept of Operations and greatly inform
the recommended phased implementation for airports.
The BASIC working group, which meets on a regular basis, is moving
forward aggressively to update and refine a detailed Concept of
Operations that will define the biometric components and common
business processes that need to be added to airports' existing
procedures to enable biometric-based badge and access control systems
in a reasonable and cost-effective time frame. In fact, several
airports have already begun to implement the early phases of the BASIC
Concept of Operations. Newark Liberty International Airport, San
Francisco International Airport, Aspen Pitkin County International
Airport, Los Angeles International, and Salt Lake City International
Airport--to name just a few--have implemented a secure messaging
structure for the submission of biographic security threat assessments
and biometric criminal history record checks that will ultimately
enable the return of trusted biometrics back to the airport for use on
credentials or in access control systems.
Airports are committed to moving forward to bring biometrics into
the airport environment as soon as possible in a manner that builds
upon existing capabilities and limits operational difficulties. The
BASIC initiative, which is being driven by airports in cooperation with
the Federal Government, offers the best opportunity for making the
promises of biometrics a reality in a timely manner.
Mr. Chairman, in closing, let me thank you once again for the
opportunity to testify today. As an experienced security professional
responsible for managing public safety and security operations at
airports as well as vibrant maritime port facilities in my home of
Portland, I am proud of the important role that local officials play in
ensuring the highest levels of security and safety within critical
transportation facilities.
As I have highlighted throughout my testimony, the access control
apparatus at airports is unique among other transportation facilities
and has operated successfully for decades. Airport operators, which are
extensions of local government, are directly responsible for
credentialing and access control under strict Federal rules and
oversight in recognition of the security and operational expertise that
exists at the local level. Local involvement provides a crucial,
additional security layer that should not be discarded.
The current system in aviation leverages local experience,
knowledge, and expertise with Federal standardization and vetting
assets. Airport operators know and understand their facilities, and
they maintain decades-old relationships with the numerous parties that
employee individuals throughout the airport environment, resulting in
high levels of security.
Abandoning a decades-long record of local expertise and investment
in favor of an unproven system under which credentialing and access
control would be controlled centrally out of Washington or elsewhere--
as is being attempted in the maritime environment with TWIC--would be a
huge step backwards in terms of security from where we are now with
aviation.
We appreciate your leadership and the work of this subcommittee to
preserve and protect the important role that local airport officials
play in partnership with TSA to ensure the highest levels of security
at their facilities.
I look forward to answering any questions you might have.
Attachment.--Airport Badging Requirements and Processes
historical context
Airport operators and the aviation industry have a robust history
of credentialing and access control experience. Since the inception of
this approach more than 20 years ago, airport operators have been
delegated badging authority by the Federal Government. In the early
1990's airports installed access control systems that for the first
time were tied to a credential. In 1996, airports started utilizing
criminal history record checks (CHRC) conducted by the FBI to
adjudicate employees whose employment backgrounds could not be
verified.
current requirements and practices
Since shortly after the September 11, 2001 terrorist attacks, CHRCs
have been conducted on all employees with access to the Secure
Identification Display Areas (SIDA) and Sterile Areas. Beginning in
October 2007, TSA regulations also require name-based security threat
assessments (STAs) for all individuals applying for either a SIDA or
Sterile Area badge.
The FBI performs CHRCs and provides airports with the full results
of an applicant's check. TSA performs STAs, which check an individual
against the Terrorist Screening Database and ``determines whether there
are any outstanding immigration, terrorist or federal open wants or
warrants issues pending against the potential employee.'' TSA provides
airports with either ``approved'' or ``disapproved'' status for a
prospective employee only based on security sensitivities.
Airport operators maintain responsibility for worker enrollment,
and badging, issuing local badges with card topography and identifying
features unique to that airport facility. By regulation, airport
operators and air carriers are responsible for adjudication of the CHRC
which allows airport operators to know more about individuals that have
access to their facilities. In some cases an individual is not
disqualified under CHRC rules; however the individual may require
further scrutiny or at least situational awareness for the Airport
Security Coordinator. This approach provides a critical local layer of
security.
federal/local partnership in aviation--unique among other
transportation modes
In the aviation environment, the background check process for
workers operates successfully as a Federal/local partnership with the
Federal Government holding sole responsibility for STAs and other
necessary Government checks for prospective workers and with local
airport authorities operating and managing enrollment, credentialing,
badging, criminal history background check adjudication, and access
control systems in accordance with strict Federal standards.
The current system for aviation ensures the highest level of
security by combining the unique local experience, expertise, and
knowledge that exists at individual airports regarding facilities and
personnel with Federal standardization, Federal oversight, and Federal
vetting assets. Local involvement provides a critical layer of security
and gives airports the operational control they require to ensure that
qualified employees receive the credentials they need to work in the
airport environment.
Mr. Rogers. I thank the gentleman.
The Chairman now recognizes my colleague from Minnesota who
will introduce our next guest.
Mr. Cravaack. Thank you Mr. Chairman.
I would like to introduce Captain Sean Cassidy. Captain
Cassidy serves for Alaska Airlines, and ALPA's first vice
president.
Captain Cassidy has served as both chairman and vice
chairman of Alaska Airlines Master Executive Council, and he
was the chairman of Alaska Air Group Labor Coalition from 1999
to 2009.
Hired by Alaska in 1996, Captain Cassidy serves as a Boeing
737 captain, has thousands of hours in the air.
Most importantly, prior to his airline experience, Captain
Cassidy serves as an officer in the United States Navy as a
pilot.
Captain Cassidy has performed duties in the carrier-based
EA-6B which is the hardest aircraft to bring on the aircraft
carrier, and supported numerous military operations including
those in the Persian Gulf, and finished his naval career flying
the C-9 as an officer in the United States Naval Reserves.
With that, I would like to welcome Captain Cassidy.
I will yield back to the Chairman.
Mr. Rogers. I thank the gentlemen.
Captain, you are recognized for your opening testimony.
STATEMENT OF SEAN P. CASSIDY, FIRST VICE PRESIDENT, AIR LINE
PILOTS ASSOCIATION, INTERNATIONAL
Mr. Cassidy. Thank you, sir. On a side note, my wife was an
Air Force pilot. I think she might beg to differ with you, sir.
So good morning, Mr. Chairman, Ranking Member Thompson, and
Members of the subcommittee, as the introduction said, I am
Captain Sean Cassidy, the first vice president of Airline
Pilots Association International. I represent 53,000 pilots,
both in the United States and Canada at 37 different airlines.
Controlling access to secure airport areas is critically
important to the safety and security of the airline industry
and the traveling public as we have certainly demonstrated
today. While the Transportation Security Administration and
airport authorities do a good job of controlling and preventing
unauthorized access to these areas, it is my hope that both the
TSA and the individual airports involved will continue to
develop better response strategies.
ALPA believes that like the vast majority of airline
passengers, the overwhelming share of airline workers are
trustworthy individuals who want to see their airlines and
their industry succeed.
In this context, the insider threat to passenger and all-
cargo airline operations has always existed. Advances have been
made in identifying those individuals who are reliable versus
those who could pose a potential threat.
However, effort is still needed to enhance the security of
airlines and airports by ensuring those who have access to
aircraft and payloads are appropriate to do so.
The solution lies in advancing a risk-based approach to
aviation security, and achieving one level of security for all
airline operations regardless of whether they fly passengers or
cargo.
Unfortunately, a significant disparity exists today between
the security of passenger and all-cargo flight operations. This
gap is a serious concern for ALPA.
For example, the Air Cargo Final Rule of 2006 does not
require all airports that serve all-cargo airline operations to
establish security identification display areas, otherwise
known as SIDAs.
As a result, the individual with access to secured areas of
the airport are background-checked only through a biographic
process, rather than through fingerprint-based criminal record
history checks that are required for airline employees working
similar jobs at passenger airlines.
The U.S. Government has publicly acknowledged that a
fingerprint-based system provides greater security, and a long-
established precedent exists for using these systems. Moreover
without such a system, we cannot reliably determine whether a
person has been convicted of any of the 28 prohibited crimes
that preclude access to secure airport areas.
Just as practical experience has shown that the vast
majority of airlines passengers have no harmful intent, the
same can be said for aviation workers.
We need to do more to identify those prospective employees
who pose no threat, so that greater resources can be focused in
identifying those who may pose a threat.
One example of the kind of risk-based security that is
needed is the ALPA- and Airlines for America-sponsored enhanced
crew screening system for pilots known as Known Crewmember.
This Government-approved alternative means of access to sterile
areas of airports is available to pilots who comply with Known
Crewmember requirements.
Known Crewmember has been implemented at seven airports,
and 11 more are expected to receive the system soon. ALPA and
A4A have encouraged the TSA to include flight attendants in
this program.
The Known Crewmember program is just one example of risk-
based security. By properly vetting, training, harnessing, and
empowering airline workers much more can and must be done to
employ them as part of the solution to advancing overall
aviation security.
Adopting a threat-based approach must also mean creating
and fostering a security culture at airlines and airports in
the same way that our industry has sought to achieve a safety
culture.
Such a security culture needs investments from airline,
airports, and regulatory leaders, and decisive action to
establish and enforce a true security culture. Achieving a
security culture will call for these organizations to place
more emphasis on providing meaningful, practical security
training for all employees.
A security culture will also require that all airline
airport workers become the eyes and the ears for potential
threats.
With me today is airline--pardon me, Alaska Airlines First
Officer Ed Finnegan sitting right behind me in the red tie, who
I am pleased to say was concerned enough about this issue to
take the time to contact his congressman, Congressman Cravaack.
Also he is here with us today.
He is a great example of how professional airline pilots
stand ready to help advance aviation security in every way
possible.
One hundred percent screening of individuals entering the
secure areas of airports is not the answer to counter the
insider threat. Rather, we need to develop and immediately
implement a risk-based systematic method of employee vetting
that includes fingerprint-based criminal history background
checks of every employee with unescorted access to passenger
and cargo aircraft in our operations areas.
To this end, Congress must take action to ensure that full
SIDA requirements are mandated for all airports serving Part
121 all-cargo operations.
A risk-based approach to aviation security, coupled with
more traditional methodologies and a commitment to building a
security culture at all airlines and airports, will help our
industry reduce the insider threat at a very reasonable cost.
Equally important, realizing such an approach will enhance
aviation security for all who depend on air transportation. It
will ensure the U.S. airline industry continues to fuel the
Nation's economy.
Thank you.
[The statement of Mr. Cassidy follows:]
Prepared Statement of Sean P. Cassidy
May 16, 2012
Mr. Chairman and Ranking Member Jackson Lee, thank you for the
opportunity to testify. The Air Line Pilots Association, International
(ALPA), representing more than 53,000 pilots flying for 37 airlines in
the United States and Canada, is the world's largest professional pilot
association and the world's largest non-Governmental aviation safety
organization. We are the representative for the majority of
professional airline pilots in the United States with a history of
safety and security advocacy spanning more than 80 years. As the sole
U.S. member of the International Federation of Airline Pilots
Associations (IFALPA), ALPA has the unique ability to provide active
airline pilot expertise to aviation safety and security issues
worldwide, and to incorporate an international dimension to safety and
security advocacy.
overview
We applaud the subcommittee's demonstrated interest in airline and
airport security by holding this hearing on airport access and other,
related subjects.
Maintaining and enforcing effective control of access to sterile
and secure airport areas is critically important to the safety and
security of the airline industry and the traveling public. The
Transportation Security Administration (TSA) reviews and approves
mandated Airport Security Programs (ASPs) which must be followed by our
Nation's certificated, commercial airports.
ASPs must delineate effective measures designed to preclude
unauthorized access to sterile and secure areas, and also must provide
effective response protocols in those instances where unauthorized
access is attempted or occurs.
To comply with these mandated security measures, airports utilize a
variety of mechanisms, to include: Security Identification Display Area
(SIDA) protocols; security training and challenge protocols for SIDA
badge-holders; perimeter fencing and physical barriers; sophisticated
technologies to prevent and detect unauthorized entry into sterile and
secure areas; law enforcement patrol and response; and, interior access
control systems which incorporate both technological and human
resources.
Airport screening checkpoints play a prominent role in an airport's
security plan, providing access and screening controls to airport
sterile areas for passengers, aviation and airport workers. Airports
work in close partnership with the TSA to facilitate the checkpoint
screening process.
Accompanying these required airport access control measures
dictated in the ASP are certain other TSA policy mandates, normally
implemented through Security Directives (SDs) or Emergency Amendments
(EAs), which obligate airports and aviation workers to enforce and
follow prescribed protocols related to accessing sterile and secure
airport areas, and, at times, dictating specific protocols aviation
workers must follow as pertains to traditional checkpoint screening,
or, alternative forms of approved screening prior to entering sterile
and secure airport areas.
The ALPA- and Airlines for America-sponsored security screening
system for pilots, Known Crewmember (KCM), is an example of a
Government-approved, alternative means of access to sterile areas of
airports which is available to pilots who comply with KCM requirements.
KCM has been implemented at 7 airports thus far, with 11 more that have
been identified to receive the system soon and many more thereafter.
ALPA and A4A have encouraged the TSA to include flight attendants in
this program, as they should be part of risk-based security.
It has been ALPA's general experience that TSA and airport
authorities do a very good job in controlling and preventing
unauthorized access to sterile and secure airport areas. There have
been some documented failures in this regard, causing inconvenience to
passengers and resulting in a negative impact on the timeliness of
airline and airport operations. However, we know of no such instances
which involved persons who possessed the intent to do harm to the
aviation industry. Based on the specifics of these reported incidents,
we believe that both TSA and airports have developed sound strategies
intended to prevent their reoccurrence.
It has also been ALPA's experience that, in general, aviation
workers comply with Government requirements regarding entry into
airport sterile and secure areas. Because of practical constraints or
operational needs, those regulations do not require all such workers to
undergo traditional checkpoint screening protocols prior to entry, but
apply alternative means of screening instead. It is normally in this
context that discussion ensues regarding the ``insider threat'' to
aviation.
source of the threat
The insider threat to passenger and all-cargo aviation operations
has always existed in aviation security; it is not a new threat. It is
one that must always be addressed, so that the risk of this threat
causing a serious event is minimized to the maximum, practical extent.
Notwithstanding the advances that have been made in passenger and cargo
screening since 9/11, and the reliability of most aviation employees, a
concentrated effort is needed to identify and eliminate threats posed
by individuals who have access to commercial aircraft and their
payloads.
Shortly after the Christmas day 2009 underwear bomber's thwarted
attack on NWA Flight No. 253 as it approached Detroit, ALPA published a
white paper entitled Meeting Today's Aviation Security Needs: A Call to
Action for a Trust-Based Security System. In it, we cited the need for
a more comprehensive, threat-based approach to aviation security,
stating: ``The insider threat to the aviation industry must not be
overlooked or minimized. It must be addressed along with enhanced
screening capabilities; background checks should be conducted on all
those with access to our airplanes.''
Historically, the insider threat has been well-documented, both
internationally and domestically. Al-Qaeda in the Arabian Peninsula
(AQAP) has attempted to facilitate the hiring of flight attendants,
baggage handlers, and airport security personnel, and in 2010, a
Taliban sympathizer gained employment as a baggage handler at a U.S.
carrier and traveled to Afghanistan to provide assistance in fighting
against U.S. forces.
While we believe that the vast majority of individuals employed by
the airlines and Government agencies at the airport are upright,
responsible, and trustworthy, no organization is immune from the
possibility of employing individuals who engage in criminal behavior.
Criminal organizations in the United States have regularly used
airport, airline, Government, and contract employees to facilitate
criminal activities in the airport environment, which include, but are
not limited to, drug trafficking, contraband smuggling, theft, and
prostitution. In March, a security officer in Buffalo, NY was
criminally charged with allowing passengers to pass through screening
checkpoints while using false identification, and as recently as last
month, Federal drug agents arrested two former and two current security
personnel at Los Angeles International Airport on drug trafficking and
bribery charges.
Fortunately for the traveling public, the insider threat has
primarily been associated with the perpetration of criminal rather than
terrorist activity. However, just as a criminal organization can
infiltrate a segment of the aviation work force or circumvent existing
security procedures, so too can a terrorist organization. Whether
breached by a willing participant who is working for a criminal or
terrorist organization, or an unwitting dupe believing he is simply
facilitating a criminal rather than a terrorist act, existing
weaknesses which facilitate these dynamics must be identified and
corrected.
Vulnerability and risk associated with the insider threat is
magnified because risk-based security measures have not yet been
applied to the extent that they are needed. One example: The May 2006
Air Cargo Final Rule did not require all airports which serve all-cargo
airline operations to establish Security Identification Display Areas
(or SIDAs). Many persons with access to air operations areas of these
airports and to wide-body cargo aircraft are background-vetted only by
means of a biographic-based Security Threat Assessment (STA) process,
rather than by means of a fingerprint-based Criminal History Records
Check (CHRC) which is required for similar employee categories in the
passenger airline domain.
This lack of standardized application of fingerprint-based CHRCs in
background-vetting of aviation workers exists even though the
Government has publicly acknowledged that a fingerprint-based CHRC
provides a greater degree of security than an STA, and that there
should be congruency in background vetting for workers in functions
that present similar security concerns, such as checked baggage
screeners and cargo screeners. As a result of this imbalance in
background-vetting standards, many persons holding positions of trust
in the all-cargo domain, and who have unescorted access to cargo
aircraft, the goods they carry and to air operations areas of airports,
are not vetted to the same standard as persons occupying equivalent
positions in the passenger aviation domain.
There is long-established precedent for using fingerprint-based
CHRCs in determining an individual's suitability for hiring in a
security-sensitive position. Numerous employment categories exclude
convicted felons from eligibility, deeming them to be unsuitable
candidates due to security concerns, character issues, and recidivism
rates. The difference between undergoing CHRC-based background vetting
as opposed to a STA is significant when viewed in terms of the dangers
presented by the insider threat. Without use of a fingerprint-based
CHRC, no reliable determination can be made as to whether a person has
been convicted of any of the 28 prohibited crimes that are described in
49 CFR � 1544.229, and which preclude unescorted access to secure
airport areas. This lack of standardization between the background-
vetting processes applied to workers employed by passenger airlines and
all-cargo carriers unnecessarily creates yet another challenge in
mitigating the insider threat to aviation.
reasonable expectations
To effectively mitigate the problem of the insider threat to
aviation, we must begin with reasonable expectations, have a good
understanding of the industry's operational environment, acknowledge
that there can never be total elimination of risk and accept the fact
that the best we can hope to achieve is reasonable mitigation of the
threats we face. It is also necessary to recognize that a certain
degree of trust must always exist within the framework of securing the
aviation domain. For the system to work, we have to trust Federal
Security Directors, Transportation Security Officers, airport law
enforcement officers, air traffic controllers, pilots, flight
attendants, aircraft mechanics, et al. If we did not, the industry
would be paralyzed.
History has demonstrated that ``trust'' is a very fluid dynamic
which offers no guarantees. Aldrich Ames and Robert Hanssen attained
the highest levels of trust within their respective agencies, but
ultimately compromised the values they had sworn to protect and the
security of their Nation. Fortunately, such events are extremely rare
and despite the uncertainties which will always accompany the
allocation of ``trust,'' so doing is a necessary component of any
security system. It is in this context that the concept of ``trust, but
verify'' takes on significance.
recommendations for mitigation
Since its creation following the 9/11 attacks, the TSA has
continued to evolve its passenger screening measures in an attempt to
address the challenges posed by an intelligent, adaptive terrorist
adversary. We have witnessed the evolution of Advanced Imaging
Technology and the increased use of Behavioral Detection Officers.
Regardless of the tremendous advances in airport screening
capabilities, however, we only have to recall the incident of the
infamous ``underwear bomber,'' or last week's reports that intelligence
and law enforcement agencies had identified and interdicted an IED
created entirely of non-metallic material reportedly designed by an
AQAP master bomb-maker to be detonated by a suicide bomber aboard an
aircraft.
Although technology plays an integral role in the aviation security
process, it is not a stand-alone solution. TSA Administrator John
Pistole has recognized this fact by applying a more risk-based, threat-
driven approach to aviation security, as evidenced by his support of
the Known Crewmember program and other special screening programs such
as Global Entry, Pre-Check, I-Step, SPOT, and behavioral detection
techniques. The DHS public message of ``If you see something, say
something'' is a valuable public awareness campaign to help mitigate
the threat of terrorism.
harnessing existing resources
Aviation workers, which number in the hundreds of thousands,
represent a vast and under-utilized resource in protecting the aviation
domain, to include combating the insider threat. Commercial pilots, all
of whom have undergone security awareness training as part of their
employment, know their segment of the aviation industry and can sense
anomalies whether commuting for work, on personal travel, or flying
their assigned routes. Just as a police officer knows the beat he
patrols and the mailman knows the neighborhood in which he delivers, so
does the pilot know his or her normal work environment. As such, pilots
should be considered assets in identifying threats to the industry,
including insider threats, and treated as part of the solution rather
than being viewed as part of the problem. This logic can be applied to
other classes of aviation workers who frequent the airport domain:
Flight attendants, mechanics, caterers, fuelers, baggage handlers,
airport service providers, et al.
In the late 1990's, ALPA served on the Government/industry Employee
Utilization Working Group (EUWG) for the purpose of identifying
guidelines to be followed by aviation sector employees to enhance
security. One of the recommendations ALPA made to that group was to
focus on the largely untapped resource of airport, airline, and other
tenant employees. All of the individuals who work at an airport,
regardless of position, background, and experience, and can usefully
serve as the ``eyes and ears'' of security.
Regrettably, the EUWG's recommendations have been largely ignored,
but we believe that this hearing provides an opportune time to revisit
them, because they are still valid:
Encourage and assist airports and air carriers to develop
and implement security awareness programs which emphasize the
``team'' concept.
Encourage each airport and airline to employ or designate an
existing employee as a security training manager.
Create a standing security awareness working group comprised
of Government and industry representatives for the specific
purpose of enhancing employee's security awareness and
compliance.
Perform human factors research into why security lapses
occur, applying lessons learned from that research to future
employee awareness training efforts.
Encourage certain employee groups (e.g., baggage handlers)
to have their members serve as candidates to be used as a
security observer/auditor for a few hours each month on a
rotating basis when schedules allow. Employees should be
utilized in this fashion in order to make them more security-
conscious.
Create a common, easily remembered, and dedicated phone
number for specific employee use at airports for reporting of
suspicious behavior or security breaches.
Maintain a repository of employee utilization and security
awareness media, including videos.
Just as practical experience has shown that the vast majority of
airline passengers have no evil intent and represent no threat to
aviation, the same can be said for the vast majority of aviation
workers. By properly vetting, training, harnessing, and empowering
them, much can be done to counter the insider threat.
The accomplishment of this goal will require a paradigm shift
within the aviation domain. Just as the airline industry has placed
great emphasis on the use of Safety Management Systems (SMS) in order
to achieve and maintain aviation's excellent safety record, similar
emphasis must be placed on the development and maintenance of a
comprehensive security management system.
The successful completion of this task will require true buy-in
from the leadership of critical aviation stakeholders such as airlines,
airports, and regulators, and their definitive action in the
establishment and enforcement of a true security culture within their
respective organizations. It will require these entities to invest more
resources in and place more emphasis on providing meaningful, practical
security training to employees and their empowerment as valued security
resources, rather than simply ``checking the box'' in meeting
Government mandates regarding the length and content of security
training. Only in this way can a true security culture be established.
conclusions
One hundred percent physical screening of individuals entering
secure/sterile areas of airports is not the answer to the insider
threat. A highly-developed, systematic and reliable method of employee
vetting, including fingerprint-based criminal history background checks
(CHRC) of every employee with unescorted access to passenger and cargo
aircraft, air operations areas, baggage and cargo should be implemented
to support a risk-based approach to identify ``evil intent.'' To this
end, full SIDA requirements must be mandated for all airports serving
FAR part 121 all-cargo operations. In addition, fingerprint-based CHRCs
must accompany the STA process in the background vetting of all
individuals who have unescorted access to all-cargo air operations
areas, aircraft, and the cargo they carry.
If the leadership of critical aviation stakeholder organizations
and regulators commit themselves to following through on the
aforementioned recommendations, and if aviation workers are properly
vetted, provided the appropriate training and reporting mechanisms and
then empowered, they can be counted upon to counter the insider threat.
This approach to aviation security, coupled with other more
traditional methodologies such as the use of random inspections,
employment of technological assets, such as surveillance and detection
equipment, will do much to mitigate the insider threat, at very
reasonable cost.
ALPA is grateful for the opportunity to be heard on this important
matter and to provide its views to the subcommittee.
Mr. Rogers. Thank you, Captain Cassidy, for your testimony.
Our third witness, Mr. William Swift currently serves as
chairman of the Airport Minority Advisory Council.
The Chairman now recognizes Mr. Swift for his opening
statement.
STATEMENT OF WILLIAM H. SWIFT, CHAIRMAN, AIRPORT MINORITY
ADVISORY COUNCIL
Mr. Swift. Mr. Chairman, Ranking Member Thompson, and
Members of the House Homeland Security Subcommittee on
Transportation Security, I am a principal at Business Traveler
Services, Inc. BTS is a privately-held concessionaire based out
of Atlanta, Georgia.
I thank you for the opportunity to participate in today's
hearing, and would like to discuss some of the issues that
concessionaires like myself face on a regular basis in the
airport security arena.
As a concessionaire, I am concerned about airport security,
as are all those who travel daily through nearly 400 U.S.
commercial airports. A breach of security that leads to a major
incident significantly impacts the traffic and business for all
airports, and for all of us who have businesses at these
airports.
As part of my testimony, I would like to make three
suggestions for the committee and Transportation Security
Administration to consider: One, raising the SIDA Badge
allocation limit.
I ask the subcommittee to consider raising the 25 percent
allocation limitation, or implementing a reasonable minimum
allocation that would allow small businesses to successfully
operate in the airport arena.
Two, in showing a consistent delivery process--I recommend
that the subcommittee look at ways to ensure the delivery
process is subject to consistent security standards for all
airports that do not unduly inhibit the ability of small
concessionaires to compete and do business.
Three, in showing consistency in the processing time line
for new hires--we must be able to depend on a consistently
timely response from TSA and the airport, and ask the
subcommittee to examine methods to ensure consistency in this
process.
My comments today are focused on the impact of allocation
of identification badges with SIDA badge privileges for
concessionaires. It is particularly difficult for those of us
who are small operators in airports having as few as one to
three locations, and as a result as few as 6 to 12 employees.
In posting a 25 percent limitation on those total number of
employees permitted to be issued a SIDA badge suggests that
only one and a half to three employees may have a SIDA badge.
This limitation is arbitrary at best, and not based on facts
relative to the procedures and practices by which we are
required to operate in the airport environment.
Now as we operate more often imposed by the airport, 12 to
17 hours per day, require at least two complete employee teams
per day, 7 days per week on-site. A company needs opening and
closing personnel, as well as floaters to address a variety of
circumstances, i.e., repairs requiring an escort, product
deliveries, replacing employees who call in sick or are late.
The mathematical equation applied here does not work.
Under one contract I have in Atlanta Airport, we provide a
number of products and services via vending and/or mechanized
units. Our employee operates this array of machines through
three partners: A full-time maintenance man and a clerical
assistant. We all have to pitch in to keep our company a step
ahead of customer service demands.
Amongst ourselves, we have asked rhetorically why does TSA
view our business group as a higher risk to security of the
airport.
I recommend the subcommittee consider raising the 25
percent allocation limitation, or implementing a reasonable
minimum allocation that would allow small businesses to
successfully operate in the airport arena.
Inconsistent handling of deliveries--another area of
concern is the inconsistent handling of U.S. Postal, UPS, or
FedEx packages.
Small operators frequently do not maintain an off-airport
warehouse for one to two stores operating, and therefore must
rely on UPS or FedEx deliveries. Some airports permit
deliveries by these companies' post-security stores, while
others do not permit these deliveries.
I recommend that that subcommittee look at ways to ensure
the delivery process is subject to consistent security
standards that do not unduly inhibit the ability of small
concessionaires to compete and do business.
Inconsistent processing time frames for new hires--
additional impact on the small operators, the inconsistent time
frame to get hires through the TSA airport badging process,
typically, this is 10 to 14 days processing, but as has been as
long as 30 days. Consider that many of our new hires can ill
afford to wait several weeks to get an approval, resulting in
the loss of potential employees, as well as the $110 fee we are
charged for each employee.
In conclusion, I thank you for allowing me to share my
experiences as an airport concessionaire with the subcommittee.
I understand the careful balance between maximizing security
while also ensuring businesses can still operate successfully
and efficiently.
I appreciate the work both the subcommittee and full
committee have done in this area. Should any Members of the
subcommittee have any questions for me today, I would be happy
to address them.
Thank you.
[The statement of Mr. Swift follows:]
Prepared Statement of William H. Swift
May 16, 2012
Mr. Chairman, Ranking Member, and Members of the House Homeland
Security Subcommittee on Transportation Security, my name is William
Swift, a principal at Business Traveler Services, Inc. (BTS). BTS is a
privately-held concessionaire based out of Atlanta, Georgia. I thank
you for the opportunity to participate in today's hearing and would
like to discuss some of the issues that concessionaires like myself
face on a regular basis in the airport security arena.
As a concessionaire, I am as concerned about airport security--as
are all those who travel daily through nearly 400 U.S. commercial
airports. A breach of security that leads to a major incident
significantly impacts the traffic and business for all airports and for
all of us who have businesses at these airports. As part of my
testimony, I would like to make three suggestions for the Committee and
Transportation Security Administration (TSA) to consider:
1. Raising the SIDA Badge Allocation Limit.--I ask the subcommittee
consider raising the 25% allocation limitation or implementing
a reasonable ``minimum'' allocation that would allow small
businesses to successfully operate in the airport arena.
2. Ensuring a Consistent Delivery Process.--I recommend that the
subcommittee look at ways to ensure the delivery process is
subject to consistent security standards that do not unduly
inhibit the ability of small concessionaire to compete and do
business.
3. Ensuring Consistency in the Processing Timeline for New Hires.--
We must be able to depend on a consistently timely response
from the TSA/airport, and I ask the subcommittee to examine
methods to ensure consistency in this process.
sida badge privileges
My comments today are focused on the impact of the allocation of
identification badges with SIDA badge privileges for concessionaires.
It is particularly difficult for those of us who are small operators on
airports, having as few as 1-3 locations, and as a result as few as 6-
12 employees. Imposing a 25% limitation on the total number of
employees permitted to be issued a SIDA badge suggests that only 1.5-3
employees may have a SIDA badge. This limitation is arbitrary at best--
and not based on facts relative to the procedures and practices by
which we are required to operate in an airport environment. The hours
we operate, more often imposed by the airport, 12-17 hours per day,
require that at least two complete employee teams per day 7 days per
week be on-site. A company needs opening and closing personnel, as well
as floaters to address a variety of circumstances, i.e. repairs
requiring an escort, product deliveries, replacing employees who call
in sick or late. The mathematical equation applied here does not work.
Under one contract I have in the Atlanta airport, we provide a
number of products and services via vending and/or mechanized units.
Our company operates this array of machines through three partners/
principals, a full-time maintenance man and a clerical assistant. We
all have to pitch in to keep our company in-step or ahead of the
customer service demands. The arbitrary number of SIDA badges permitted
is stifling to the small operator who, through necessity of the
Homeland Security proportioned allocations, is being forced into a
``one-size-fits-all standard'' that cannot work when it comes to the
small operator. Amongst ourselves, we have asked rhetorically, why does
TSA view our business group as a higher risk to the security of the
airport?
I recommend the subcommittee consider raising the 25% allocation
limitation or implementing a reasonable ``minimum'' allocation that
would allow small businesses to successfully operate in the airport
arena.
inconsistent handling of deliveries
Another area of concern is the inconsistent handling of U.S.
postal, UPS, or FedEx packages. Small operators frequently do not
maintain an off-airport warehouse for a 1-2 store operation and,
therefore, must rely on UPS or FedEx deliveries. Some airports permit
deliveries by these companies to post security stores, while others do
not permit these deliveries. The impact is significant and costly for a
small operator, possibly requiring that they must hire additional
personnel and vehicles to be available on standby for these deliveries
that can only be made and transported across the tarmac. Small
operators cannot financially absorb the additional costs and remain
profitable.
I recommend that the subcommittee look at ways to ensure the
delivery process is subject to consistent security standards that do
not unduly inhibit the ability of small concessionaire to compete and
do business.
inconsistent processing time frame for new hires
Additional impact on the small operator is the inconsistent time
frame to get new hires through the TSA/airport badging process.
Typically there is a 10-14 day processing, but it has been as long as
30 days. Considering that many of our new hires can ill-afford to wait
several weeks to get an approval, resulting in the loss of potential
employees and the fees we were charged by the airport for processing
them. We must be able to depend on a consistently timely response from
the TSA/airport, and I ask the subcommittee to examine methods to
ensure consistency in this process.
conclusion
I thank you for allowing me to share my experiences as an airport
concessionaire with the subcommittee. I understand the careful balance
between maximizing security while also ensuring business can still
operate successfully and efficiently, and I appreciate the work both
the subcommittee and full committee have done in this area. Should any
Members of the subcommittee have any questions for me today, I am happy
to provide my insight and will answer your questions to the best of my
ability.
Mr. Rogers. Thank you, Mr. Swift.
I recognize myself for opening questions.
Mr. Crosby, what are airports doing proactively to
incorporate biometrics into their access control systems?
Mr. Crosby. Thank you, Mr. Chairman.
It is an exciting thing that we are doing. We have
voluntarily formed a consortium with airports and vendors to
develop a concept of operations for biometrically-based access
control systems.
Rather than being mandated by the TSA, TSA supports the
fact that we are trying to do it voluntarily. Like any piece of
technology, access control systems need to be replaced over
time.
An example I will give you is our airport in Portland. We
are about to replace our 20-year system. Right now we are
heavily engaged with the free information that we are getting
from airport officials at other airports who have already
implemented biometrics, and those from the vendor community to
get the latest technology at our airports.
Mr. Rogers. What suggestions do you have for how both
airport operators and TSA can reduce the number of security
breaches that occur?
You have heard the testimony earlier today. But I would
love to hear your thoughts.
Mr. Crosby. I have.
I think that first of all TSA has made a lot of progress
when it comes to breaches, in spite of maybe some of the
reporting discussion that happened today. I can say, because I
have been in this position since 9/11, when we all remember the
times when airport concourses were dumps and many of us maybe
missed flights, caused delays, hundreds of thousands dollars'
worth of delay to people.
Those don't happen near as much anymore. That is because
the TSA is doing a better job of communicating with their own
staff and with airport law enforcement officials.
So I have seen improvement there. We have used technology
to help us out.
An example of that is using closed circuit television to
better identify where the anomaly happened.
The biggest area for traditional breaches at checkpoints is
in the hand-off of an uncleared bag or an uncleared person
between TSA officials. They are able to rectify that much more
clearly and quickly now with the use of CCTV and better
communication procedures.
Mr. Rogers. Do you feel that access controls have a uniform
level of security from airport to airport?
Mr. Crosby. No, sir.
As you know, the saying in our industry is if you have seen
one airport, you have seen one airport. We all have the same
parts, but we are all laid out differently.
I think like any system, the best systems in the airport
access control systems in the country are at airports that have
proactive programs like Captain Cassidy referred to.
We have lots of programs where we rely on all badge holders
to report information to us so that we can respond to it and
act and deal with security instances. We award badge holders,
crewmembers, concessionaires for their reporting of things.
I think those best practices that TSA has compiled, that we
at airports talk about, we need to continue to spread around.
Mr. Rogers. Thank you.
I have got to step away for a few minutes. Mr. Cravaack is
going to take the chair.
I do want to let the Members know though, that later today
I will be sending a letter to Administrator Pistole demanding
that 100 percent of all breaches by any definition be reported
up to PARIS, which is the Performance and Results Information
System, the database by which they come up with processes to
resolve these problems.
I will also demand that the administrator take immediate
action to remedy the database deficiencies that were outlined
in the testimony and the questioning by Mr. Thompson and me.
Those are inexcusable and should be remedied immediately. I
am going to follow the gentleman from California's advice and
recommend that if the administrator does not have the capacity
to do that he needs to contract somebody that does.
With that, Mr. Cravaack, you take the chair.
Oh, and Mr. Thompson is recognized right now for any
questions he may have.
Mr. Thompson. Thank you very much, Mr. Chairman.
Mr. Swift, in your testimony you suggested that TSA raise
the minimum allocation of SIDA badges to vendors above the
present 25 percent to allow businesses to successfully operate.
Can you explain to the committee why you raised that as a
concern?
Mr. Swift. Primarily because if we have a small sales staff
or operating staff of 10 to 12 people, 25 percent is only two
or three people. When we run such a long day and 7 days a week,
we have several shifts.
If we lose one person, and it takes 2.5 to 3 weeks to
replace that person through the approval process, we are short.
Now we are trying to figure out or jerry-rig the process in
order to stay in business.
That is not acceptable to us.
Mr. Thompson. So in other words, the 25 percent for a small
business provides what is, by that small business, an undue
burden through no fault of their own from a security
standpoint.
Mr. Crosby, have you looked at that?
Mr. Crosby. Yes, sir, Ranking Member Thompson. I am glad
this issue came up because I am happy to report some good news.
Over the last 2 years as chair of AAAE's security
committee, and in conjunction with Airport Councils
International and the TSA, we have formed a task force that has
been looking at all the new security regulations that have been
written since 9/11, and then modifying them to fit today's
world.
One of those areas that is currently out for public review
is this 25 percent rule that Mr. Swift may not be aware of. Our
committee, that includes airport operators, has worked with TSA
to come up with a modification to that rule that allows for
relief of the 25 percent rule as long as the operator can prove
a business need to have a higher percentage.
So that rule is currently under review and should be
implemented in the next couple months.
Mr. Thompson. I guess my point is, so it is no longer 25
percent, but what is it?
Mr. Crosby. It is whatever the vendor, concessionaire, can
prove to the Federal security director is needed. Mr. Swift, as
he said, we have the same case at our airport with a great
concession program.
We have vendors with four operators and some with 400. It
depends on where your storage area is and what times of
operations you have. If you can prove that all four of those
four need it, then the FSD has the authority to approve that
now to 100 percent.
Mr. Thompson. To give you all four.
Mr. Crosby. Yes, sir.
Mr. Thompson. Would that alleviate the problem we are
talking about here, Mr. Swift?
Mr. Swift. Absolutely, but it is a matter of timing.
Mr. Thompson. Yes.
Mr. Swift. We are talking about another 6 months. We are
still--it costs us money every day that we don't have the
flexibility to do it right.
Mr. Thompson. Captain Cassidy, you suggested in your
testimony that airports designate an existing employee as a
security training manager.
How does that differ from your understanding of the present
way things are done?
Mr. Cassidy. Well, the way things work right now, you know,
airlines have a corporate security department. They also have
security personnel that are affiliated typically with the labor
groups, to use an example, labor groups representing mechanics,
pilots, flight attendants, dispatchers, et cetera. The bigger
groups typically have a security person affiliated with them as
well.
When you go to the airport, the security responsibilities
alternate between being in a non-sterile area where you have
security more oriented with the law enforcement folks, and then
when you get to the airplane, it kind of moves over towards the
airlines. So the training responsibility also moves depending
on, you know, where you are in your phase of operations.
But I think the important thing is that however you get
there, there has to be a team that is composed that takes into
account the unique security aspects of operating an airport,
operating concessions, flying the airplanes, servicing the
airplanes. They need to kind of work towards coordinated----
Mr. Thompson. So----
Mr. Cassidy [continuing]. On the training.
Mr. Thompson. So do you--is that presently your comment
that that is kind of uncoordinated? Or----
Mr. Cassidy. That is exactly right. What we have been
striving for, and in fact we were involved in a working group
that made a number of recommendations in the 1990s.
What we are looking for is development of a team concept so
we have all the stakeholders involved with one common goal, and
there is enhanced communications, you know, amongst all the
stakeholders.
I think that we have a very good example of that with our
safety programs, where we do have commercial air safety teams,
where we have stakeholders from the manufacturers, from the
labor groups, from the operators. I think that there is a
tremendous power, tremendous synergy when we get them all
coordinated and working in a focused manner.
Mr. Thompson. Thank you.
I yield back, Mr. Chairman.
Mr. Walberg [presiding]. Thank you.
I recognize myself for 5 minutes of questioning.
Mr. Crosby, let me ask you: How frequently does your
airport revoke credentials because a worker poses a threat or
violates a security policy?
Mr. Crosby. Fortunately, security violations aren't overly
common. But we have a prescribed matrix of penalties for
security violations.
As far as how often a security badge is revoked for a
violation, it is not very often, sir. At our airport, we are
the 30th largest airport in the country, I would say a couple a
year.
More often, there are suspensions and retraining that
happens for minor violations. But major violations we do
suspend on occasion.
Mr. Walberg. Can you discuss for us the different camera
systems that the Portland International Airport has installed?
Who controls the different cameras on sites, for instance?
Mr. Crosby. Yes, sir.
The core closed circuit television system around the
airport that we have enhanced over the last couple of years is
the Port Authority's. But we recognize that we are in a
partnership with others. We have given access to many of those
cameras around the screening areas to TSA so they can better
manage the customer service side of things with the line
management and put their resources there.
We also work closely with Customs and Border Protection in
our Federal inspection station, where they have access to those
cameras. So it is a collaborative process. It really has
enhanced our ability to respond and find out really what has
happened when something is reported.
Mr. Walberg. Thanks.
If one of your employees witnesses a breach of security,
how can the employee report that to TSA? What is the process?
Mr. Crosby. Well actually, our process is report it to the
airport dispatch, the airport 9-1-1. That is what we train all
of our badge holders on. If you see something, to use the DHS
phrase, ``see something, say something.''
But that has been a core value at most airports for many
years before that catch-phrase came out.
Every airport badge holder is required to report a security
violation if they see it. We don't want them to put themselves
in danger. So they call--everyone knows at our airport to call
extension 4000 to get the immediate response from our law
enforcement.
Mr. Walberg. Thank you.
Captain Cassidy, thanks for being here.
Based on your experience, how do you think access control
and perimeter security can be improved?
Mr. Cassidy. Well, I think----
Mr. Walberg. Give us your list.
Mr. Cassidy. It is pretty big.
I think that the high level, you know, looking at it from
the 33,000-foot level, we need a standard consistent approach
to perimeter security. That clearly does not exist today.
In my verbal remarks, I touched a little bit on the SIDA,
the identification display area. I think one of the big issues
that we have is the fact that there is really a bipartite rule
with respect to passenger operations and cargo operations.
Passengers have one standard, whereas there are cargo
facilities, and we have no idea what kind of screening, what
kind of access, what kind of perimeter security is being
applied in those cargo facilities, which then enter our
airspace.
That would be at the very top of my list. It is clearly in
line with our desire to have one level of safety and one level
of security.
I applaud Congressman Cravaack for, you know, putting the
Safe Skies bill forward which tries to achieve one level of
safety with regard to fatigue issues and crew duty limits. I
think we should apply the same to security.
Even within the various airports, each airport has its own
individual airport security program. Depending on the needs of
that particular airport, the access issues change a little bit,
so even the way that they get access through some of the
control points, through the gates to the airplanes, differs
from airport to airport.
Mr. Walberg. Okay.
So those are the top two that you would say would go a long
way.
Mr. Cassidy. I would say one consistent approach to
screening and access right across the board regardless if it is
cargo or passenger would be at the very top of the list.
Mr. Walberg. What process is in place for you to report as
a pilot--report suspicious activity?
Mr. Cassidy. Any number of ways.
First of all, typically most crewmembers have--and I don't
have my crew badge with me--but typically there is a list of
quick-call numbers that you have on your crew badge which takes
you right to your security folks, as well as airport security.
I think that we have enough awareness, especially post-9/
11, that anybody who approaches a uniformed crewmember at a
dispatch desk, at a gate, will know immediately to be able to
relay the information to airport security.
Mr. Walberg. Have you ever reported?
Mr. Cassidy. Yes.
Mr. Walberg. What was the outcome?
Mr. Cassidy. I have reported on any number of occasions. A
very simple--and it is not particularly sexy--but, you know, I
will be walking through the terminal waiting for a flight and I
will notice a bag sitting in the corridor unescorted,
unaccompanied.
I can't tell you how many times I have just made a simple
report like that. Grabbed the CSA, who has made an announcement
over the P.A. system--CSA, customer service agent, pardon me--
who has made an announcement over the passenger system. If they
are not able to have somebody claim the bag, then they notify
airport security.
That happens thousands of times a day in all of our
airports right now.
Mr. Walberg. Okay.
Thank you. My time has expired.
I recognize the Ranking Member for her question.
Ms. Jackson Lee. Chairman, thank you very much.
Let me thank the witnesses for their testimony that I
reviewed. I was delayed at another meeting.
I want to follow the line of reasoning that I followed
earlier, and I think it is imperative that we provide a safe
perimeter, and also a safe opportunity for departing passengers
to board. Finally for that plane to become airborne, if you
will, and land at its destination.
I think that is our ultimate responsibility. You have heard
in our earlier testimony and questioning how crucial that is.
Each of us has, I would say, a very large part sometimes
that poses inconvenience. But I think in the midst of
inconvenience, we should also be rational as well.
So I am interested in us being rational, and that my line
of questioning will pose along the lines of how important it is
that we all team up on this concept called securing the
airport.
It is enormously difficult to hear at one of our great
airports, Atlanta-Hartsfield, that people are entering it as if
they are entering a carnival or they are getting away with not
paying tickets for a baseball game, and two and three and four
people are passing through the turnstile.
As I said, we have been discussing this perimeter and
badging issue for a very long time, and we continue to have
these incidents.
So let me go to you, Mr. Swift.
You are committed to making sure that your employees are
credentialed. Is that not correct?
Mr. Swift. Absolutely.
Ms. Jackson Lee. First of all, let me say that I am glad
that we see our airports as opportunities for minority and
small and women-owned businesses. I want to make sure that you
know that I am completely supportive of those opportunities,
and frankly believe there should be more.
So you are committed to the credentialing.
What would be--first, what is the cost that you have to pay
for credentialing? What would you want to see to expedite the
process?
Mr. Swift. Firstly, the cost is $50 for the fingerprinting
and $60 for the badge. If you have been fingerprinted in the
last 10 years, you don't have to get it done again.
However with the rate of turnover that takes place in any
retail or food-and-beverage operation, this is a significant
cost, especially when you are talking about 200 percent
turnover on an annual basis.
The second part of your question, ma'am? Sorry.
Ms. Jackson Lee. What would you like to see happening now
to, one, do our chief mission, which is to secure that airport
and those passengers and all others that work there, and that
comports with a responsible way of dealing with your
businesses, plural, meaning the concessions that are in
airports?
Mr. Swift. Clearly, the first responsibility as a
concessionaire, when I send an employee for approval for their
application, I make sure the application is completely filled
out. If I do my job on that end, I don't understand why it
takes anywhere from 10 days to 30 days to process the employee.
The problem we have with that is on the street, if I send
someone to get a job, within 2 or 3 days, they can be processed
and hired.
We recognize the security issue as it relates to the
airport, but it doesn't work well with us who are operating in
the airport to not know exactly how long it should take us.
A day or two slip is acceptable, but when it gets in the
30-day range, it is unacceptable.
Ms. Jackson Lee. Where do you place that burden of the time
frame?
Mr. Swift. Well, we are not on the other side of once that
application is submitted, so we don't know whether or not that
time frame takes place at the airport, in terms of the
fingerprint process, TSA. We just know that it takes too long.
Ms. Jackson Lee. But the airport is where you submit the
data to. Is that correct?
Mr. Swift. That is correct.
Ms. Jackson Lee. Okay.
Let me--as I pursue my questions, I want to acknowledge Ed
Finnegan, who has been such a great leader on a number of
issues--thank him for his presence.
Captain Cassidy, let me pursue.
You would agree that flight attendants should be included
in this process that is utilized by the pilots?
Mr. Cassidy. Yes, ma'am, absolutely.
We have come out very clearly in favor of having flight
attendants included in the Known Crewmember program.
Ms. Jackson Lee. Where do you think the burden of the delay
in badges may fall?
Mr. Cassidy. Well--is this related to Known Crewmember or
employee badges?
Ms. Jackson Lee. Employee badges--if you would just give a
general sense of it.
Mr. Cassidy. You know, that is a little bit out of my area
of expertise. But I know that there is a pretty significant
screening process that I had to go through to get the access
badges, the SIDA badges, for access at the airport that I am
domiciled at.
When we turn those in, we would have to go through a whole
security class, training video, and I think a 2- or 3-hour
class to regain that before it even began the processing phase.
So as Mr. Swift said, that is on the other side of the
fence. So I don't really have enough feeling for what happens
once----
Ms. Jackson Lee. Well, why don't you talk about the
experience with the pilots?
Mr. Cassidy. Pardon me?
Ms. Jackson Lee. Why don't you talk about the experience
with the pilots for securing that document?
Mr. Cassidy. For securing the Known Crewmember?
Ms. Jackson Lee. Yes. Yes.
Mr. Cassidy. Well, it is actually a very, very effective
program because what it does, it relies on existing employee
databases.
All pilots and flight attendants go through a very rigorous
screening and background check process. Each airline maintains
employee databases.
So, every time you transit one of the Known Crewmember
portals that our 20 pilot groups do, you have an instant query
that is done to the pilot's active employment status with the
airline. That query is continuously happening. So that combined
with the other form of ID makes for a very, very seamless
transit.
The best thing about it, I don't think we have really
emphasized it, is that by having this alternate screening
method, what it does is it allows the known travelers, the
known crewmembers who are very, very well-known and background-
checked to get through.
It allows TSA and all the other law enforcement agencies to
focus their resources on the people they don't know about. I
think that is a hugely important aspect of these advanced
screening programs.
Ms. Jackson Lee. So, you are comfortable and believe that
it is a working system?
Mr. Cassidy. Yes, ma'am.
I was at the very first airport on the very first day it
stood up. From that day until right now it has worked
flawlessly.
Ms. Jackson Lee. So it should be a tool that we should look
to expand.
Mr. Cassidy. One of many tools in a multilayered security
environment, absolutely.
Ms. Jackson Lee. Let me just pose this question to Mr.
Crosby coming out of Portland International Airport.
You are well aware that data for badging comes to the
airport and they have a responsibility. So I would make the
point that I, having lived with a lot of airports since--in my
early days of being elected to the Houston City Council, I know
there is a lot of work that is being done there.
But I do believe that the airports have a heightened
responsibility to have a process to heighten their review so
that TSA can intervene at an appropriate time and get this
done.
What is your assessment of that?
Mr. Crosby. My assessment of that, ma'am, is that airports
have a lot of hardworking people that process tens of thousands
of applications every day with a lot of what is on-going
changing requirements that TSA has given us. We do a really
good job at that the vast majority of the time.
With any document collection processor, there is always
going to be an opportunity to review and check and cross-check
for errors. The good news is that bad people haven't gotten
through the system.
But clerical errors, a lot--there are things that we can do
that are highlighted by the IG report and some airports have
voluntarily done to have better cross-checks in place to make
sure that the information that we are getting from the
applicant is given to the Federal Government is complete.
Ms. Jackson Lee. Mr. Chairman, if you would just yield to
me a moment more, I just want to pursue this.
Do you think it is reasonable to have employees use one
badge identification and allow several individuals to enter a
secured area?
Mr. Crosby. I am not sure I understand the question.
Ms. Jackson Lee. Do you believe that it is appropriate for
an employee of a concession, of the airport, under the
airport's jurisdiction, because you have locked in areas where
you have to badge. To have an employee that has a badge allow
three and four and five employees to follow in behind them
without using their badge or maybe they don't have a badge.
Mr. Crosby. I understand.
Ms. Jackson Lee. What are airports doing about that?
Mr. Crosby. Yes, ma'am.
Well, first of all we are--in our training we highlight
what the rules allow and don't allow. The rules do not allow
for multiple badged people to enter through a gateway without
swiping their badge. If you have a badge----
Ms. Jackson Lee. But multiple people, they enter on one
badge. I left my badge at home, et cetera.
Mr. Crosby. Correct, ma'am. They have to swipe it if they
have the badge----
Ms. Jackson Lee. What is your oversight?
I mean I am disappointed--you happen to be from an airport,
so don't think I am calling out Portland, but what is the
oversight for that not happening?
Mr. Crosby. The oversight is--because there are escorting
provisions in the rules. You have to allow for some flexibility
when you have visiting guests.
I mean, Mr. Swift knows, Captain Cassidy knows that
sometimes you have to escort officials on business into the
secured areas. So there has to be provisions for escorting un-
badged, un-badged people.
The way the system works without having bad things happen
is that you have to hold people accountable. That is what we do
at our airport.
We have cameras at key access points. Whenever we determine
there has been a piggybacking violation, as this is called, we
put a penalty on that person for doing it.
Ms. Jackson Lee. Do you report it to TSA?
Mr. Crosby. Absolutely. All of our security violations that
are reported to us, we give TSA full access to.
Ms. Jackson Lee. All right.
I yield back, Mr. Chairman.
Thank you.
Mr. Cravaack [presiding]. The gentlelady yields back.
I will yield myself 5 minutes.
Thank you very much for being here today, what I consider
extremely important, obviously from previous testimony
regarding the security of our airlines.
I would also like to recognize Ed Finnegan again, from the
8th District of Minnesota. Thank you for taking even more time
away from your family and being here today.
So thank you very much.
Captain Cassidy, with all the experience and hours that you
have in flying in many different airports throughout the
country, if not around the world, you mentioned in your
testimony examples of al-Qaeda basically probing our security
measures in trying to gain access to the shadow of the
aircraft.
What procedures do you think, as a first-line observer,
that need to be implemented in ensuring that the shadow of the
aircraft remains secure?
Mr. Cassidy. Well, I think that you know a robust criminal
history and background check, including fingerprinting is an
absolute requirement to make sure that we have as much data
available for potential threats to the aircraft.
The other thing I think that we have to recognize is that
we are never going to live in a world where we are 100 percent
risk-free with regard to security issues. It is just that world
does not exist.
So what we have to do is apply multiple layers of security.
That comes with prescreening methods, working with our
agencies, using intelligence-based methods just as they did
when they were able to intercept a potential terrorist who was
basically going to have a little bit of a clone of the
underwear bomber.
Fortunately, they were able to identify the threat and
thwart it offshore before it even got to the airplane shadow. I
think that probably one of the biggest ways that we can help to
mitigate that security threat is to recognize the fact that we
have a tremendously talented pool of folks that are in our
airports right now. They are the operators, they are the
pilots, they are the flight attendants.
If you operate an airplane day-in, day-out, if you staff an
airplane day-in, day-out, even though you can't quite identify
something that is a little bit different, you know that
something is different.
By having a coordinated approach, by having stakeholder
teams that work together, identify security breaches, do a
data-driven analysis of what caused those breaches, hopefully
we can take a more kind of data-driven approach to enhancing
our security environment; rather than just taking an ad hoc one
that looks at the last time that the caterer inadvertently got
in the airplane. Try to figure out what went wrong after it
happened.
What we need to do is develop a system that looks at
precursors to security breaches and try to identify those
things before they get to the airplane shadow.
I think that as we have with safety systems--we have
something called the Safety Management System which aggregates
all these different safety events, safety data, and looks at
precursors. We look at one kind of coordinated way of enhancing
safety.
We haven't quite got there yet with security, but I think
that is probably where we need to go next is to take an
enlightened view towards security, and look at security
management systems which incorporate all those different layers
of safety.
Of course, the very last layer of safety, and I applaud you
for your support of that, is the Federal Flight Deck Officer
program. When all else fails, it is really extremely reassuring
to know that there is a pilot in the front who is prepared to
defend that airplane and keep it from being used for very, very
evil intentions.
So all those things work in tandem, not any one solution is
the answer. But a coordinated kind of more kind of data-driven
approach is clearly the way to approach that.
Mr. Cravaack. I would tend to agree. The information that I
am receiving as well, having layered approaches of security is
obviously the way to go.
At the same time making sure that we use a risk-based
analysis and identifying those that are safe risks, those that
are either unknown or potential risks. I would strongly agree
with that.
One point you made, and I wanted to make sure that this
does not go unnoticed, what would you consider the last line of
defense of any passenger aircraft or cargo aircraft for that
matter?
Mr. Cassidy. That would be the Federal Flight Deck Officer
program. We are very pleased to be involved in the incipient--
the development of the program. We are very proud supporters of
it. We continue to be enthusiastic supporters of the Federal
Flight Deck Officer program.
Mr. Cravaack. I would tend to agree with you, Captain.
Thank you.
Also, Mr. Crosby, you did mention that when you do report
to TSA--what you considered a breach of security, you report to
the TSA.
Have you had satisfactory response from the TSA?
Mr. Crosby. Yes, we have, Congressman.
TSA has an open book to look at all security violations
that we investigate. Every time we have a reported violation,
our Department investigates it and makes a determination of
whether there has been a violation and issues the proper
penalty, a due process for all things. We allow TSA to see that
whole process.
Mr. Cravaack. Excellent.
Thank you very much, sir.
My time has expired.
I will recognize Mr. Davis from Illinois.
Mr. Davis. Thank you very much, Mr. Chairman, and I thank
our witnesses for being here.
Mr. Crosby, in your testimony you made several references
to the importance of the airport's need to leverage local
experience, expertise, and knowledge.
How do you envision that being phased into a Federal system
cooperatively for use that may be applied in many different or
in several different locations?
Mr. Crosby. Well, Congressman, I think it is--the system
that we have had in place at airports has evolved over time,
and before Federal credentialing was necessary in other
transportation venues, and it has worked well.
I will give you two examples.
One, we get the criminal history record information back
from the Federal Government that may not be fully complete and
we locally adjudicate it.
Meaning if there is a person who has been arrested for a
crime, but the information we get from the Federal Government
doesn't show a conviction, we are able to meet with the
applicant, verify the information, help them get the court
documentation they may need, and really verify whether this
person is a threat and whether they meet the threshold for
getting a badge.
Second, I think that the local application is that all
access control systems--while our badge colors may look the
same--the captain and I have, we work at the same airport, most
airports tailor access to what that person needs to do their
job. That is what is critically important.
With the advancement in access control systems, an airport
may have 100, 1,000 different doors in and around the airport,
but you only get access to the ones that Alaska Airlines needs
not the ones that Delta. That makes for people having less of
an opportunity to do bad things if we control their access to
do their job.
Mr. Davis. Captain Cassidy, and Mr. Swift, both, how do you
view your interactions with Federal or local authorities in a
cooperative way, that would meet both the needs that represent
say, the needs of pilots in a sense, and the needs of vendors
in a sense?
How does that work to become more effective as well as more
facilitative of your needs?
Mr. Cassidy. Do you want to go first?
Mr. Swift. Well, one side of that, of course, from a
concessionaire's perspective is try to help. How can we do this
better, faster, easier, and make sure it is accurate?
One thing that we are entertaining is the possibility of
all our employees fill out an application on-line. That will
help to guarantee that there is no difference in what is stated
on the application and what the applicant wrote.
Unfortunately, many of the applications are done by hand.
We can understand why there are problems with understanding
certain numbers and letters--don't look the same to everyone.
So we think that that is something we would suggest is a
simple software package that allows an employee to step up to a
computer, fill out the application, and now we can be sure that
everyone is looking at the same document.
We think that, in itself, would help as part of the
process. We think there is a cooperative effort on everyone's
part to do it.
It is just that it is a massive process where you are
processing over half a million applications a year. It is
significant.
Mr. Cassidy. I picked up on one word in particular, and
that was collaborative. I think that that is the really key
ingredient to a successful relationship is working
collaboratively together with the various law enforcement
agencies, both at the Federal level and also the local level.
We have a good relationship, especially with the program
managers for the Federal Flight Deck Officer, with TSA
officials tasked with various aspects of security. The local
relationships are really where the rubber hits the road, and
that really varies from airport to airport.
We have dedicated committee volunteers. We have over 400
volunteers working in our safety and security structure, many
of them have previous law enforcement backgrounds. So they have
much more of a conduit to kind-of relating to the local
enforcement officers.
The challenge is really the sharing of intelligence, the
sharing of data. That is where I would like to see some
improvements where we have a better sharing of information
which indicates what the security threats are. We are going to
continue to work in that effort.
Mr. Davis. Thank you, gentlemen, very much. I appreciate
your being here.
I yield back, Mr. Chairman.
Mr. Cravaack. The gentleman yields back.
The witnesses--thank you very much. We have a second round
of questions if you would be so inclined.
I would like to recognize the Ranking Member.
Ms. Jackson Lee. Mr. Chairman, thank you very much and to
the witnesses.
Let me pose again, to Captain Cassidy, how important the
airline crew, captain, flight attendants are to be trained to
report breaches or to--and I think there is a balance.
You are there to serve. We realize that.
You are there to promote the brand of the airline. We
appreciate that.
But how important are the eyes and ears of those who are
familiar with airports?
Mr. Cassidy. Well, I think it is incredibly important. I
think, you know, looking at first, the pilots and the flight
attendants, the airplane crew--you notice that I talk about us
as one cohesive crew, not the pilots separated by the flight
attendants because, really, especially when the planes pushes
back from the gate, they are really the eyes and ears of the
activity in the cabin.
Their ability to communicate irregular situations to us, to
indicate potential security threats, allows us to take
appropriate action, lock down the flight deck, and decide
whether or not we have to take the next step and consider
diverting the airplane to a location to get on the ground as
expeditiously as possible to try to ameliorate some of the
threat, try to reduce the threat and avoid taking it further
down the road.
Now, expanding that tight circle of trust that exists
between the pilots and the flight attendants, we also have
mechanics, service employees that service the airplanes, that
man the gates.
In fact when you are on the ground, your ground security
coordinator is typically the lead customer service agent for
the airline before the cabin door shuts and you push back.
So it is incredibly important that we figure a way to work
as efficiently and as collaboratively as possible.
Before I came over here, I pulled up some statistics and I
think the Bureau of Transportation statistics said that there
was about 480,000 airline employees employed in the United
States in 2010.
When you look at the component that you have very well-
known, very well-trained employees that form a significant
majority of that, you have a massive talent pool of folks that
can work together and become the eyes and ears with respect to
potential security threats.
Ms. Jackson Lee. Do you feel that you have a direct or
immediate access to report a breach that you have seen?
Do you know what to do? If a captain--you could be coming
through and you see three people go through a door. You know,
there was a badge----
Mr. Cassidy. Right.
Ms. Jackson Lee [continuing]. And the door is open and
three people go through.
Have we made our airline crews sensitive enough--they are
going about their business. They may be rushing to their
flight.
Is there an easy number, an easy call to make to say this
is what I saw at door number 2468?
Mr. Cassidy. 9-1-1. You can go to any place in any airport,
any concession----
Ms. Jackson Lee. Is that a 9-1-1 to the airport or a 9-1-1
to police?
Mr. Cassidy. Typically it goes--it depends on the airport
and I think Mr. Crosby would back me up on this, but it is
going to get routed fairly expeditiously.
You can also go to a concession stand and say you have an
emergency. They are going to have law enforcement there quicker
than you would probably realize because of the way that they
are stationed around the terminals.
Ms. Jackson Lee. So you would feel comfortable in doing
that because I would imagine you would see three uniformed
concession--I mean I call him by his name, but different things
that are in the airport and they look legitimate.
Do you keep going or do you call 9-1-1?
I mean I think that is a very sensitive question. We need
to try to understand so we can----
Mr. Cassidy. Right.
Ms. Jackson Lee [continuing]. Improve our circumstances.
Mr. Cassidy. We have 53,000 members that we represent. We
are the biggest pilot union in the world. I am very, very
confident that the vast, vast majority of those members would
feel the same way that I would, and that is where we would say
something.
I can give you an example. One of the times I was flying I
was walking around doing my pre-flight on the ramp, and I
noticed that one of the service folks, the rampers that carry
the bags and whatnot, had no identification on him, none.
So I went up to the individual and I said, ``Do you have an
airport ID? Do you have a SIDA badge?''
Fortunately he pulled one out of his pocket and put it
around his neck and thanked me.
But had he not had that, the very first thing I would have
done was gone to his supervisor and said, ``We have somebody
walking around in a sterile area, on the ramp, around all these
airplanes and we have no idea who that person is.''
I am very confident that the flight attendants that I work
with and the pilots and the mechanics would do likewise.
Ms. Jackson Lee. We need to just continue to reinforce that
is what----
Mr. Cassidy. Yes, ma'am.
Ms. Jackson Lee [continuing]. Is what we need, to make it
clear or approving that that be done.
Do you think that the airlines themselves, the corporate
entities, need to recognize that value that you have in doing
that and reinforce that in their employees as well, and
airports?
Mr. Cassidy. Yes, ma'am.
I can't emphasize enough how important it is for the
airlines and the airports to really understand the talent and
the potential that you have when you empower all those
different employees to be part of the stakeholder team, be part
of the team that can make a difference in the security systems
at that particular airport.
I think we have already done that with safety systems, as I
said before. I think it is time to look at the next frontier
and apply that same kind of standard to security systems.
Ms. Jackson Lee. Mr. Chairman, I thank you for indulging.
Let me--I just want to finish this line of reasoning.
Captain, do you also believe it is important, because I
would like to work with the Chairman and I would like to work
with this Chairman as well, because of his expertise, that
cabin security. You know, we have gotten comfortable because--
and I only use that term comfortable--but we always cite we
have got the reinforced door and we have got the on-deck
pilots, which I appreciate.
That--but your responsibility is make sure that plane stays
up and not down, even though you may be equipped to come
running out of there.
I know you would like not to run out of there. We have had
a number of incidences. One in particular that deals with the
pilot.
But the point is my concern is that we have comfort with,
well, the brave passengers will jump up.
Do we need to look at cabin security as well as an issue?
Mr. Cassidy. I think it is an evolving thing. We have to
understand what the potential threats are.
I think that with regard to the security behind the flight
deck door, we go through recurrent training annually. Airlines
typically do it as an integrated crew.
We participate in security training with the flight
attendants, and discuss things such as what do you do if you
find an unidentified suspicious-looking device sitting in an
overhead bin? What happens if you have an unruly passenger? How
do you communicate it to the pilot, and everything in between?
So I think that the training is there. But am I going to
tell you that it couldn't get better? Absolutely not, it can
always get better. But I am very pleased to say that we work
very well together.
Ms. Jackson Lee. We would like to help you get better.
I understand that we have got a few of friends that are
engaged in negotiations with their pilots, in particular
United. I would like to get a briefing.
I, frankly, believe that when you have an extended
negotiation that you can't resolve you really do raise a
question about focused effectiveness. I think pilots, flight
attendants, being right on the airplanes are so important that
any delayed negotiations.
So how can we ramp that negotiation up as they proceed to
try to settle this issue?
Mr. Cassidy. Ma'am, I would be happy to give you a brief on
what the status is right now of the negotiations. I think that
I would be remiss if I also didn't point out that I think it is
a tribute to the professionalism and the quality of the men and
women that we have flying for us that despite the distractions
of all these negotiations we still fly the safest skies in the
world and we still have the safest air transportation in the
history of the world right here, right now.
Ms. Jackson Lee. I absolutely want to get that on the
record. That is why I believe they need to ramp up their
efforts and get this resolved, so that the men and women who
are at this high level can not only fly airplanes, but be quick
eyes to help the traveling public.
I know the Chairman has been very indulgent. Here is my
last point, Mr. Chairman, as I conclude.
I also believe judgment should be key. Let us see--as you
well know, you might have heard the story of a 2-year-old
toddler that was on the no-fly list.
I am really going to point back at our good friends,
captains, you are--he or she is the king of that flight, and
rightly so. I would just ask publicly that a 2-year-old on a
no-fly list, let us report it and let them fly.
Obviously, we have had a series of issues on the no-fly
list, and I guess I am going to ask on the record--this will
not be--I would want a response back--what is the penalty for
an airline who indicates that a toddler could fly and their
name is on a no-fly list?
Because everyone always says what the FAA is going to do,
they cite agencies that are probably not even relevant, but
that is what they know to cite. I think that gives all of us a
bad name, if we have to clarify the no-fly list.
But if a toddler has got their name on the no-fly, in this
incident the pilot or the airline--let us not say pilot--the
airline made the toddler get off. Obviously they couldn't get
off by themselves. So I am really concerned about that.
I will conclude on this note. I believe that what we have
discovered in this hearing is a fracture that has to connect
the Transportation Security Administration as a front line in
receiving all reports on breaches, every one of them.
I appreciate, Captain, that it will be 9-1-1, but then the
airport, if they have 9-1-1--and it may be an issue that is
relevant for
9-1-1. But that 9-1-1 call and the response, that should go to
the TSA.
Mr. Crosby, I believe I didn't get the next sentence from
you as to whether or not the airport is reporting this to TSA.
So let this be a statement from me as the Ranking Member on
this committee.
I know that I want to work with the Chairman and Chairman
Cravaack, who is here, that we have got to have a zero
tolerance on missing the reporting of any breach that is
occurring in the Nation's airports, to make good on our promise
to secure America.
I think that should be a demand out of this particular
hearing. As I asked Mr. Sammon, Assistant Secretary Sammon, to
begin doing that now and communicating with airports, and if
you have to go back through old dusty, rusty records that
happen to be 2 months old or a year old, we have to start where
you can find your records.
Those breaches need to be reported. All of our workers need
to feel free to do so.
Although we don't want to compromise security, we need to
work with our small businesses, and TSA needs to develop a time
line that does not compromise security, but in fact responds to
some of the concerns that have been expressed in this hearing.
Mr. Chairman, you have been overly indulgent. Thank you
very much. I yield back to you.
Mr. Cravaack. I thank the gentlelady.
I thank the witnesses for their testimony today and the
Members' valuable questions as well.
Members of the committee may have some additional questions
for the witnesses, and we ask you to respond to these in
writing.
The hearing record will be open for the next 10 days.
Without objection, so ordered.
The committee stands adjourned with your thanks.
[Whereupon, at 12:28 p.m., the subcommittee was adjourned.]
|
NEWSLETTER
|
|
Join the GlobalSecurity.org mailing list
|
|
|
