A sign promotes the TSA PreCheck program at Newark Liberty International Airport in New Jersey. The program has expanded to 26 airports in its first year. (Gannett News Service)
The Transportation Security Administration is employing a new risk-based approach to securing the nation’s airports and airways — one where resources are prioritized to address the greatest security threats.
“It’s the key to the way we’re going to have to do business,” John Halinski, TSA’s deputy administrator, said this month at a Security Analysis and Risk Management Association conference. “The reality is TSA in the next couple of years could be smaller.”
One area where this new approach is most evident is TSA’s airport screening operations.
For the past year, the agency has been introducing PreCheck, where eligible frequent fliers and other select passengers voluntarily disclose information about themselves. If they are deemed low risk, they can go through expedited screening, meaning they may not have to remove their shoes or a lightweight jacket or take their laptops from a bag. By year’s end, 35 airports will offer screening for qualified travelers.
“There will always be a haystack in which terrorist might try to hide,” Halinski said. “Risk-based security helps reduce the size of the haystack and focus attention on people who might pose a risk.”
TSA uses the risk-based approach “because we think we can use our resources more effectively and more accurately,” he said.
David Maurer, director of Homeland Security and Justice issues at the Government Accountability Office, said early attempts at the Department of Homeland Security to develop a risk-based security model focused solely on the security threat, not the vulnerabilities and consequences. He said risk-based programs should be driven by all three aspects:
The security threat, or who the threat is and what harm it is attempting to do.
Determining vulnerabilities, or how well something is protected against the threat. For example, in the aviation sector, security guards and screening are used to protect airline passengers in the airport and once they board the plane.
The consequences, or what could happen in the event of a successful attack.
“In some aspects, you have to think like a terrorist and try to develop obstacles to put in their way to keep them from achieving that goal,” he said.
“It’s challenging for agencies to adopt this approach because you can game out a number of different scenarios and threats,” he said. It also takes money and training to implement it.
Next year, GAO plans to assess how well TSA is implementing the screening initiative as part of its new risk approach.
When asked how TSA measures the success of its risk-based security model, including the PreCheck initiative, Halinski said “it’s very difficult to measure how effective TSA is.”
It’s challenging because the best possible outcome for TSA is that nothing happens and no one notices they’re there, Maurer said. Program costs and how well passengers flow through security checkpoints can be used to determine effectiveness of the new model. But the most important metric to the public and lawmakers is whether TSA is successful in ensuring there are no attacks against the aviation and transportation sector.
With PreCheck, success is measured using feedback from the airline industry and other stakeholders, who have praised the program, Halinski said.
There has, however, been some outcry from travelers who are eligible for PreCheck but have been subjected to the more intrusive screening most travelers experience.
Halinski said periodically changing screening and other procedures is intentional. He said there are terrorists groups and organizations that study TSA’s security procedures and adjust accordingly to try and circumvent the system.
That’s why behavior detection, canines, intelligence and other layers of defense are critical, he said.
“What comes with risk is that leap of faith you have to take at a certain point,” Halinski said. TSA screens 1.8 million people and 5 million bags a day, making it impossible to eliminate risk. The goal is to reduce it.
The key to a risk-based system is having good intelligence, Halinski said. TSA modeled its security approach after the intelligence community, incorporating best practices both nationally and internationally, he said.
TSA also relies on a concept in its daily operations called playbook, which provides 120 plays for dealing with certain threats. For example, if the agency learns that there is a vehicle-borne improvised explosive device near an airport, one of the proactive steps may be to stop certain vehicles of a certain size that are in the area that day.
There are daily classified intelligence briefings at TSA about security threats, and that information helps drive operational decisions on screenings and other protocols. Halinski said there is greater interaction with the intelligence community. “We’re at the table with them now. They understand our job, [and] they understand that we’re a counterterrorism organization and our job is to protect the traveling public.”