Rethinking the layered security approach

June 1, 2012
What a recent airport security breach can teach us about how we think of layered security instead of just layered alerts

Head over to the San Diego airport website and you'll get a couple key security messages. First is that you'll need a ticket and a photo ID to get past security, and secondly, you need to arrive two hour before your flight departs due to what San Diego is calling "longer lines and wait times."

While those longer lines and wait times aren't always a concern -- the TSA is actually quite efficient at moving people through the checkpoints -- you can't forget your ticket and ID. Well, unless you're right out of jail and decide to skip the ticket counter and TSA checkpoint simply by pushing open a emergency exit fire door and walking onto the tarmac.

When this incident happened, the San Diego Harbor Police (the team that oversees the airport facility security), seems to have responded according to their plan. According to reports, the alarm went off on the emergency exit door and officers responded to that alarm within four minutes.

Unfortunately, the news report said that the man, Marc Duncan, had already blended in with passengers on the tarmac and was indistinguishable, thereby allowing him to board a small United Express/SkyWest jet bound for Los Angeles. Presumably, this is one of those small jets which you board from stairs on the tarmac.

The only thing apparently that kept the man from getting a free ride was an alert flight attendant who, upon counting the passengers in seats on the plane, recorded a discrepancy of being "plus one". Everyone disembarked, luggage was pulled and eventually the man was identified (presumably because he didn't have a ticket).

San Diego Harbor Police Chief John Bolduc said it was that concept of concentric rings of security that was shown to have been effective: "We have multiple layers of security built into our airports, as you know, and the backup systems were able to catch this guy."

I agree with Chief Bolduc that the important thing was that the man was caught, but I'm not fully convinced that multiple layers of security were effective, and it stems from what "security" means in a layered approach. I would argue that "security" doesn't simply mean alert, but should include "effective response." In this most strict sense, there was only one layer of security -- and that was the flight attendant's count. Had the count not happened, or had the attendant miscounted somehow, this man -- no ticket and not TSA security screened -- would have flown to Los Angeles.

But wait, you'd ask, what about that door alarm? Wasn't that a layer of security? I would argue that it was not a true layer of security, primarily because the response to the alarm was four minutes later. Yes, officers responded to the door alarm, but at that point, the man was gone and blended in, so the officer response can't truly be considered a layer of security because it had no chance of catching him unless Duncan had decided to stand around for four minutes.

The lesson here is that what we perceive as layers of security may not actually be layers of security. A layer of security, in my manner of thinking, has the ability to detect a discrepancy or create an alert (a whistle blow, an alarm sounding) and most importantly, it should have the ability to stop the security situation while it still remains at that layer.

[Actually, since we're talking about airports, the TSA's layered security approach is actually a pretty good example to study. The TSA lists 20 distinct layers that are commonly used in its layered approach to fighting terrorism, and the important thing is that each layer could actually stop a threat. The beautiful thing about a behavior detection agent, for example, is that they could pull a suspicious passenger out of line for questioning. The air marshals have the ability to arrest a passenger right then and there. A bag screening system generates an alert right then and there and pulls the bag from the flow of baggage. Not that TSA's system is perfect, but generally I think it is well designed.]

Back to my thinking on layers of security: I don't believe it's enough to call a simple alert a layer of security, unless that alert and the subsequent response actually is effected in a manner where the response is fast enough to stop the action. If it doesn't create a response fast enough to do that, then I would argue that we are creating "layers of alerts", but not layers of security.

And in the end, we're lucky that this Mr. Duncan was simply trying to catch a free flight, and was not there to perpetrate a malicious act like sabotage a plane or slap an IED onto a wing.