This Week's Security Horror Story :
Should we subcontract the nation's security management to Visa?
Much has been made of Emirates allowing the Times Square bombing suspect
onto one of their flights as if it were their fault. But Emirates were following
normal procedures to the letter – no airline had been required to update
their 'no fly' lists on anything approaching a real-time basis.
Instead, they were asked to update their lists once every 24 hours.
The terrorist's name had been added to the
list only seven hours before he boarded the flight, and so Emirates did
nothing wrong. They were not to blame, it was the government
policy and process that was at fault. Details
here.
Fortunately, and by means that seems to be
explained differently by different people at different times, the
terrorist suspect was found to be on the Emirates flight before it
departed, and was taken off the plane. Since then, the federal
government has required airlines to update their lists every two hours,
and are now suggesting that perhaps the lists should be updated every 30
minutes. More details
here.
I struggle to understand the concept behind
this requirement. Why is there not a central database of names
that the airlines simply access and cross-reference their passengers
against? The central database would be maintained by the
government, not by each individual airline independently, and would of
course, by its very nature, almost instantly update itself to reflect
each change as it occurs.
This is not rocket science. If a
credit card company can switch your credit card off in 10 seconds or
less, why can't the federal government get a high priority terrorist
suspect's name in front of the airlines in a similar timeframe?
Perhaps we should subcontract the nation's
security management to Visa?
Panic is understandable if you're a normal person, but it is regrettable
when the panicked person is wearing a uniform, holding a gun, and
pointing it at you.
Although it is rarer than lightning hitting
the same spot twice, whenever any form of terrorist activity is
experienced, detected, or foiled; law enforcement agencies go into
unsustainable panic mode for a week or two, ridiculously over reacting
to every last little commonplace occurrence, before then returning back
to sleepy complacent normalcy once more.
Any terrorist understands this, and almost
without exception, no terrorists try to duplicate one action with a
second similar action immediately thereafter (particularly if the first
action was a failure).
But this does not stop our law enforcement
agencies from going into paroxysms of panic for several weeks after any
terrorist event.
And so, please feel sorry for the passengers
on a Greyhound bus that was subject to a hoax bomb threat (hardly a
unique occurence).
At the time, the authorities chose to treat
the bomb threat extremely seriously, and within minutes of it being
phoned in, police cruisers, SWAT teams, the bomb squad and even an
armored vehicle surrounded the bus and its passengers, who were still on
board.
Now, if you are acting as though you really
truly believe a bomb is on the bus, would you not want to urgently get
the passengers off the bus? Apparently not! For reasons that
are still unclear, the passengers were trapped on the bus for 2 1/2
hours before being marched off the bus at gunpoint, handcuffed, and
taken off into police custody for interrogation. One passenger who
was deemed to be insufficiently submissive was Tasered.
No bomb was found. But how would you
have liked to have been one of those passengers. First,
potentially trapped with a bomb for 2 1/2 hours. Second, having a
gaggle of nervous excited police pointing automatic weapons at you,
handcuffing you, and detaining/interrogating you at the police station?
More details
here.
A new Government Accountability Office
report points out that cruise ships are the single largest passenger
conveyances in the world. A single cruise ship may have as many as
8,500 passengers and crew on board – about 20 times as many as a typical
747 plane.
What to do to protect cruise ships against
terrorist attack? The GAO report concentrates on quality
controling the passengers, in the same way that airline passengers are
matched against the 'no-fly' list. That may be a prudent thing to
do, but a cruise ship would surely be vulnerable in different ways to an
airplane. It only takes a very few people, and lightly armed with
only portable weapons or small quantities of explosives secreted on
their person to take over and/or blow up an airplane. But how to
cause harm to a cruise ship and its thousands of passengers and crew?
You may remember the 1985 hijacking of the
Achille Lauro – a cruise ship in the Mediterranean. The
Achille Lauro had a capacity of about 900 passengers and 400 crew.
Amazingly, four Palestinian terrorists were able to take over the entire
ship, crew, and passengers. One would like to hope that these days
where we are all more ready and willing to resist and fight back, it
would take considerably more terrorists to commandeer a cruise ship.
A cruise ship's greatest vulnerability is
not from passengers, but from external sources in the same manner as
pirates take over ships off the Somali coast at present, and/or from
boats pulling alongside and blowing themselves up, like happened to the
USS Cole in 2000 in Aden.
The GAO report can be seen
here.
As is so often the case, while we are
obsessing over yesterday's act of terrorism, the chances are that
today's terrorists are planning tomorrow's attack in a very different
manner. Our best defense continues to be effective counter
intelligence activities, designed to find the terrorists before they
become a threat.
Lastly this week, some things just don't
know when to stop. The 'Registered Traveler' program is back
again. Various private companies have offered various programs
which vaguely promise some sort of priority treatment for passengers who
pay an annual membership fee. Unfortunately, the Achilles heel of
all these programs and their promises has been that the TSA has refused
to cooperate.
The Holy Grail of all such programs has been
to offer an arrangement whereby passengers not only get to the head of
the security line at an airport, but then get expedited and simplified
treatment going through security. Such people, in theory, would
not need to remove shoes or jackets, would not need to take laptops out
of bags, and would be pretty much waved through security with little
fuss or bother.
Unfortunately, while uttering positive
platitudes, the TSA has never done anything to allow these programs to
give privileged treatment to their members. And so, basically all
programs have offered nothing more than a fast Lane to get you to the
start of the security screening process, something that might save you
only five minutes of time (or even less if you qualify to go through a
fast Lane anyway) and none of the hassle. Only some airports even
allowed such programs to operate, and unsurprisingly, most of such
services have closed down.
The largest and best-known service was
Clear, which suddenly shut down in June 2009. Apparently a new
company has purchased the membership list and maybe other things from
the defunct company and is attempting to resurrect itself.
Unfortunately, even fewer airports now participate in such programs, the
TSA is still not offering anything special, and it would seem there are
even fewer reasons to join such a program than ever before.
“I struggle to understand the concept behind this requirement. Why is there not a central database of names that the airlines simply access and cross-reference their passengers against? The central database would be maintained by the government, not by each individual airline independently, and would of course, by its very nature, almost instantly update itself to reflect each change as it occurs.”
Don Carty said the same thing, when he was CEO of American Airlines. He said that the airlines don’t need to see the “no-fly” list, but they simply needed to submit a name and other information when a reservation is made, and the manifest shortly before departure. From the airlines end of it, the technology to submit names to a government data bank for review exitsted back in the early 2000s.