Targeting Threats and Vulnerabilities

Oct. 27, 2008
Should the TSA shift its focus?

Dateline: Raleigh-Durham International Airport

Soon after authorities in the United Kingdom arrested a group of potential terrorists, our own Department of Homeland Security responded by instituting new restrictions on carry-on luggage.

The suspects apprehended in England had been planning to use explosive liquids and accelerants disguised in water bottles and toiletries, so the Transportation Security Administration prohibited certain liquid and gel-based items in carry-aboard bags. I found out exactly how the rules were being interpreted when I showed up for a flight at Raleigh-Durham International Airport .

I entered the screening line and performed my comic shoe-removal dance after I had pulled the laptop from my bag to put it in the plastic bin. My normal procedure is to send the laptop through first, followed by my briefcase, and then my roll-aboard if I am not traveling light. The briefcase reminds me to repack the laptop, and the last items to come through are my shoes and outerwear.

This time, however, I was left holding my briefcase in my stocking feet as the TSA screeners stared intently into the video display unit and kept pointing at it like a couple of kids with an ant farm. I knew I was soon to hear the dreaded, “Is this YOUR bag, sir?” I wasn't disappointed.

I reluctantly claimed my roll-aboard, and one of the TSA screeners carried it over to a table on the other side of the magnetometer. He found the latches, opened it, and proceeded to rifle through my clothes, toiletries and various other necessities. He unzipped my shaving kit. He reached in with a sense of purpose and pulled out a large tube of toothpaste (they are a better value than the small ones) and said it was no longer allowed in carry-on luggage. He absent-mindedly tossed it into a nearby trash bin with similar contraband.

I asked if that was what had showed up on the screen. He curtly replied that he had seen a liquid of some sort, but, no, the toothpaste was not the reason they had pulled my bag. That confirmed my suspicion: The X-ray equipment had not identified the toothpaste. At this point the source of the alert finally occurred to me, but the screener's last answer indicated he was having a tiring day, so I kept my mouth shut and allowed him to probe the suitcase further.

He moved everything around and was about to send it back through the X-ray when I suggested he unzip an opaque pocket on the divider. I told him he would find the culprit in there. With a roll of his eyes, he did as I suggested and produced a factory-sealed bottle of fat-free wasabi-dijon-flavored salad dressing. He asked what it was. I told him it was, in fact, a bottle of fat-free wasabi-dijon salad dressing I was planning to take with me to Washington .

I felt it necessary to explain further that I found it difficult to find that favorite brand of dressing in Washington , so I was taking one I located in a North Carolina grocery store. His eyes responded, “Whatever, dude.” He finally said that salad dressing, opened or not, was now unacceptable as well, so he chucked the bottle into the trash bin next to my toothpaste. After sending the bag through again, the agent handed it over and told me to have a nice flight.

I stood there for a few moments internally debating whether I wanted to pursue this further with the TSA screener. I wanted to ask him why, if he thought he was dealing with a potential threat to the aircraft, he was satisfied to simply toss my toothpaste and salad dressing into an overflowing waste can full of similar items. I knew the answer, and I knew my enquiries would not be appreciated, so I shrugged and headed down the concourse toward my flight.

Of course, he knew he was disposing of toothpaste and salad dressing. There was no threat from anything he was going to dredge out of my carry-on. He was simply doing his best to fulfill his duties by ensuring passengers could not bring aboard liquids and gels of a certain size. That's how I learned about the new requirements.

It was certainly annoying to lose the toothpaste. That meant a stop at a drug store or a plea to a hotel front desk for a substitute. I have been caught at a destination without my checked luggage on more than one occasion, so I had learned the hard way to ensure I carried basic toiletries and any required medications with me so I could handle life without the checked bag for at least a couple of days. Now I had to change the formula that had worked so well for me over the years.

As I made my way to the gate and confronted another delayed flight, I had a few moments to consider the impact of these restrictions. Every American demands safe air travel, and the TSA is daily confronted with the monumental challenge of helping protect the traveling public. However, as a nation we will have to find ways to balance freedom with security in air travel. Existing screening technology does not currently allow an easy way to screen for gels in plastic tubes, and I suspect this requirement will change soon. A rule you cannot enforce is often worse than no rule at all.

For us to have a sensible debate on this issue, we must understand the three elements of risk. In order to realize risk, you must have a threat, a vulnerability and an asset that can be impacted. If any one of the three elements is missing, no risk is present. In the case of airline safety, the assets are well established and immutable. They are the lives of the passengers and crew, the value of the aircraft, and, of course, the potential impact of an attack on our airline industry and economy in general.

It stands to reason, therefore, that the only two elements the TSA can influence to reduce risk are threats and vulnerabilities. Threats are relatively obvious; they include terrorists and other malicious actors. Additionally, the TSA must guard us against non-malicious people who can inadvertently endanger their fellow passengers by bringing items such as explosives and firearms aboard.

The inventory of vulnerabilities is much, much longer. A good place to start for anyone interested in compiling the complete list would be the catalog of items disallowed in carry-on luggage. Don't forget to add in all the other vulnerabilities associated with access to the parked aircraft, and the concerns with checked luggage and the screening done to it. You will soon notice your list of threats seems miniscule compared to the pages and pages of potential vulnerabilities.

Programs like the no-fly list are aimed at reducing the presence of human threats; however, the most visible and expensive aspects of the TSA efforts are those designed to eliminate or reduce this lengthy list of vulnerabilities. This means a Herculean task of not only identifying existing vulnerabilities, but constantly keeping the list current as new ones are uncovered.

If you travel internationally, you can see how the emphasis is often different in other countries. In some airports, in addition to the ubiquitous screeners, you can see heavily armed, uniformed guards who approach passengers near the gate to ask probing questions. Sometimes they are stationed at ticket counters to closely observe or query passengers as they check in for their flights. In this case, the emphasis shifts more toward the detection of potential threats.

As long as terrorists see passenger aircraft as potential targets to achieve their political ends, it will be critical for us to maintain vigilance and endeavor to manage both threats and vulnerabilities. However, the list of vulnerabilities is already ponderous and growing every day. The list of potential threats is also daunting, but not nearly as long. Perhaps it is time we put more resources into reducing th e threats to the traveling public, the crews, and ultimately, our freedoms.

John McCumber is a security and risk professional. He is the author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology from Auerbach Publications. Mr. McCumber can be reached at [email protected].

About the Author

John McCumber

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].