Countering Terrorism in Transportation
Our failed piecemeal approach to security must be replaced with a layered, well-integrated system.
Americans now face almost weekly warnings about potential terrorist targets, from banks and apartment buildings to dams and nuclear power plants. This threat of terrorism is not new to transportation. From jet airliners to mass transit buses and rail terminals, vehicles and transport facilities are all-too-familiar targets of terrorist attacks in this country and abroad. Although new attacks could occur, we cannot simply accept a recurrence as inevitable. Terrorist attacks on the transportation system can be derailed, and they can also be deterred.
Successful transportation counterterrorism, however, will require a new strategy. There is no point in trying to protect against or weed out every possible opening for terrorists. That is a traditional approach to transportation security, but it is expensive and demonstrably ineffective. The new strategy should rely instead on layering and interleaving various defensive measures. With layering, each safeguard, even though it may be inadequate by itself, reinforces the others. A layering strategy will not only protect against vulnerabilities in transportation security, it will also deter terrorists by creating uncertainties about the chances of being caught. Developing a better transportation security strategy should be the job of the newly created federal Transportation Security Administration (TSA). We present some recommendations for how the TSA should proceed.
Transport vehicles are ubiquitous, moving virtually unnoticed within industrial locations and major population centers; across borders; and (in the case of mail and express package services) to nearly every household, business, and government office in the country. This is how our transportation system works and must continue to work.
Using four jet airliners as cruise missiles, however, the September 11th attackers showed how the omnipresent air transportation system could be turned into a weapon far deadlier than ever envisioned by those charged with aviation security. Only a few weeks later, the mailer of anthrax spores, capitalizing on the anonymity and reach of the postal system, showed how a seemingly innocuous transportation mode could be turned into a weapons delivery system.
The question now facing the federal government and the many state, local, and private entities that own and operate the nation's air, land, and water transportation systems is how best to secure these systems to keep them from being exploited again to such tragic effect.
The solutions are not obvious. The very nature of the transportation enterprise is to be open, efficient, and accessible. Security that restricts access and impedes transportation can send costly ripple effects throughout the national economy and society. Moreover, the vast scale and scope of the transportation system means that efforts to protect its many potential vulnerabilities through traditional means--guards, guns, and gates--may do little more than disperse and dilute the nation's security resources. Determined attackers can find ways to defeat such single-tiered perimeter defenses; that is the lesson from the Trojan horse's penetration of the walls of Troy as well as from modern-day experience with computer hackers.
We contend that setting out to eliminate or defend every vulnerability in the transportation system, one by one, is the wrong approach to countering terrorism. Attempts are likely to prove futile and costly. How, for instance, does one go about even identifying, much less defending, every possible target in the 300,000-mile rail and 45,000-mile interstate highway networks? Even civil aviation comprises some 14,000 airports and 200,000 airplanes scattered across the country. Deploying one protection at a time, matched to a specific vulnerability, is likely to yield little more than a thinned-out patchwork of unconnected defenses. We now know that an attacker who can find a way to breach a single imperfect protection, as the September 11th hijackers did in defeating the airport screeners, can overcome an entire security regime. Little else is in the way.
A more sensible approach is to layer security measures so that each element, however imperfect, provides backup and redundancy to another. No single protection is likely to be foolproof or impermeable. When protections are layered, if one fails, others can compensate. A layered system, therefore, does not require a sustained high-level performance from each protection, just a reasonable expectation of success. Long used to secure communications and information systems, the collective layering of protections provides deep, dynamic defenses.
This is not to say that key facilities should be left unguarded. We must identify those elements of the transportation system that require a dedication of security resources because their destruction or impairment would cause considerable harm to people and to the transportation system. Such facilities--key bridges, underwater tunnels, command-and-control centers, and the like--should be guarded, but as part of a layered system of defenses. The hardened cockpit door is not the only defense against an armed hijacker; it is the last in a series of layered defenses.
Most important, the interleaved layers can do more than protect. They can also deter, confounding the would-be attacker by making it difficult to estimate the chances of successfully breaching the many protections. The attacker might be able to seek ways of increasing the odds of defeating a single-tier protection, but calculating and overcoming the odds against beating one tier after another is next to impossible. Terrorists do not like the uncertainty that layering creates.
Given the vast scale and openness of the transportation system, security measures that deter are vital because blanket protections are not feasible. Also important are security measures designed to integrate well with the functions and services of transportation systems. The more that security can provide side benefits, from improved transportation safety to reduced cargo theft or luggage loss, the more it is likely to be maintained and improved by users and operators. We have learned from experience that a regulation-based system without such user incentives is more likely to be treated by industry as another set of rules to be complied with, often in as minimal a fashion as possible.
After the September 11 attacks, Congress passed the Aviation and Transportation Security Act, which created the TSA and mandated a number of actions to improve air transportation security, from federalizing airport passenger screeners to deploying air marshals and luggage explosive detectors at airports. The TSA's creation was long overdue, providing the potential institutional and analytic means to build coherent layered security systems in all the nation's transportation modes. Currently, however, the TSA is consumed with meeting statutory requirements to purchase and install costly, burdensome, and perhaps inadequate explosives detection systems at all commercial airports by the end of 2002. The aim of these detectors is to keep bombs out of checked luggage. Yet a bomb set to explode in a suitcase is only one threat to air transportation; it is essential that efforts to prevent such an occurrence do not consume a disproportionate share of the TSA's attention and resources.
Indeed, there is a real risk that the many security requirements hurriedly mandated by Congress could yield yet another round of ad hoc measures to secure air transportation outside an overall systems context. There is also a risk that the TSA, compelled to implement these and other aviation security requirements, will become primarily reactive in its approach to security. Responding to one legislated requirement after another, the TSA could evolve into a rule-guided enforcement agency that has neither the capacity nor the incentive to develop the overall strategic responses that are necessary to ensure security in all of the transportation modes.
The federal government has a major role in regulating and overseeing air transportation. It does not have as pervasive a role in land and water transportation systems, so neither Congress nor the TSA can take on such a hands-on approach to security there. To be effective, the approach must be strategic, and the TSA must take the lead.
Why the piecemeal approach failed
The incident-driven piecemeal approach to security has long been characteristic of commercial aviation, but it failed tragically on September 11. In response to the 1988 Pan Am suitcase bombing over Scotland, and especially the 1996 TWA explosion off Long Island, the major airlines and federal government tried to better employ their limited resources to find bombs in checked luggage with the aid of a computer-assisted passenger prescreening system known as CAPPS. Travelers with certain markers in their reservation record, such as a one-way journey or payment by cash, were singled out by CAPPS and their checked luggage scrutinized carefully for explosives. Yet these same passengers, deemed by the CAPPS algorithms to be higher risk than other passengers, were not screened more carefully at passenger checkpoints or gate check-ins. Although the September 11 hijackers had some of these risk markers, CAPPS was not used to identify them for increased scrutiny at checkpoints and before boarding. CAPPS was deployed to find bombs hidden in suitcases, not to prevent hijackings. It was a particular countermeasure deployed to address a particular vulnerability.
Indeed, ever since a rash of handgun-enabled hijackings in the 1960s, the airlines and federal security authorities have taken a reactive and piecemeal approach to aviation security. To intercept handguns used in hijackings, metal detectors and x-ray scanners were installed at passenger checkpoints. From 1994 to 2000, more than 14,000 firearms were detected and confiscated by these airport screeners. The metal detectors and scanners did more than intercept guns, however. They also discouraged the use of guns for hijacking in the first place. Note that the September 11 hijackers did not use firearms. Presumably they feared getting caught by the screeners. However, although the number of firearms intercepted was tracked routinely, the deterrent effects of passenger screening were rarely, if ever, evaluated. If the screeners had been viewed as more than just a means of detecting and intercepting guns--indeed, as part of a total security package that both preempts and inhibits attacks--then the full value and potential usefulness of the screeners would have been better recognized and rewarded.
Understanding what deters terrorists is crucial for designing effective and efficient security systems, especially in the spread-out and heavily used transportation system. If you can't physically protect or eliminate every vulnerability, then it is important that you find ways to deter the act in the first place. Doing so will require a fair amount of creativity and innovation in security methods. This means employing tactics, such as randomizing security screening, routinely setting traps, clandestine policing, and masking detection capabilities, that effectively create layers of uncertainty and inhibit terrorist activity through what have been called "curtains of mystery."
Today there are more interleaved curtains of mystery in place that are helping to secure air transportation. Terrorists now must wonder whether a more thorough inspection at a checkpoint will uncover their plot, or if an air marshal could be on board the aircraft, ready to intervene at the final stage. Moreover, flight crews and passengers themselves, more vigilant and observant than ever, are more likely to detect and suspect unusual patterns of behavior. Even the random inspection of passengers at gates before boarding--procedures criticized by some as nothing more than a means to avoid unpalatable passenger profiling--may, in fact, be a deterrent. Because purely random inspections cannot be avoided except by chance, they provide added uncertainty about the odds of getting caught. Taken together, there are many more potential and hard-to-gauge obstacles to transportation terrorism today than there were one year ago.
The curtains of mystery are there now, but not, it appears, as a deliberate strategy. The curtains need to be placed purposefully, and they need to be based on an understanding of what works to deter as well as to protect. An example of what not to do was announcing to the public that air marshals would be present on certain kinds of airplanes and not others, as Congress did in instructing the TSA to give priority to deploying marshals on nonstop, long-distance flights. Such an announcement may be counterproductive to the entire effort to prevent terrorism. Warned off one target because of uncertainty, the terrorist may very well seek another. To prevent such deflection, it is vital that deterrence strategies be thought through carefully and be well placed to protect potential targets that would be most damaging.
It is, of course, important to mix creative deterrence with creative means of intervention. Since September 11, there has been much discussion about "trusted traveler" programs. The idea is that air travelers would confirm their identities through biometric means and volunteer personal information to aviation security authorities in exchange for faster passage through checkpoints. There is a common misperception, however, that this volunteered information would be used primarily to conduct background checks on passengers and thus perhaps prompt the repeated singling out of certain groups of passengers for extra security processing that is burdensome and potentially demeaning. Another possible use for such data, however, is at the more aggregate level to cross-match the characteristics of all travelers on individual flights, or even across a series of flights scheduled at similar times. For instance, a review of passenger manifests, coupled with other information volunteered by travelers and obtained elsewhere from airline databases, credit bureaus, and public records might reveal that several passengers seated separately on the same flight and with different planned itineraries once shared the same address, traveled together on previous flights, or paid for items using the same credit card. This circumstance might be considered unusual enough to merit closer scrutiny. At a minimum, good data on the characteristics of passenger traffic are crucial for understanding what is normal and thus what is abnormal and possibly suspect. Of course, the many ways in which such data can be used for security purposes can themselves create a level of uncertainty that deters terrorists from targeting airlines.
What is sure to be important in devising security strategies for each mode of transportation is an understanding of the operations and characteristics of the transportation systems themselves. Strategies and tactics developed for one mode of transportation that are modified and applied to another may yield little, if any, benefit. The inspection and screening methods used for airline passengers and baggage in controlled settings, for instance, are ill suited to other kinds of transportation that require more open and convenient access.
The importance of understanding the characteristics of transportation systems and the varied security opportunities they present is illustrated by a new concept being considered for securing marine shipping containers. Currently, only about 2 percent of containers arriving at U.S. ports are subject to inspection by the U.S. Customs Service. Most ports are in urban locations, which are not desirable places to intercept a weapon, especially a weapon of mass destruction. Another security option is to subject shipping containers to security checks and inspections at much earlier stages, starting from when they are loaded. Indeed, a few large transshipment ports that act as hubs, such as Long Beach, Rotterdam, Newark-Elizabeth, and Hong Kong, offer potential points of leverage for designing a security system that encourages shippers to load containers in secured facilities and take other steps to ensure container security during the logistics stream.
Because these large ports are so critical to the container shipping industry, such requirements could soon become the de facto industry standard. Shippers that choose not to comply may be denied access to the port or be subject to greater scrutiny and resultant delays, reducing their ability to compete. Under such a layered system, the prospects for an illicit container being intercepted before reaching the United States (and, thus, the chances of the act being deterred in the first place) are likely to be greater than under the current system of infrequent container inspections at the end of their journey, on U.S. land. Of course, other countries, also eager to keep terrorists off their soil, will demand the same treatment for cargoes leaving the United States.
What this example demonstrates is that transportation security will have to be undertaken collaboratively. It must involve not only government security and enforcement agencies, but also the public and private entities that operate, own, and use transportation systems in this country and abroad. The more security measures promise to provide collateral benefits and utility to all the parties, the more likely the systems are to be maintained and improved. For instance, if a security system for shipping can help reduce theft and loss of cargoes, prevent the use of containers for shipping drugs and other contraband, and help carriers and shippers keep track of shipments, it has a better chance of being accepted and sustained. In the same vein, if luggage inspection and security control systems at airports can reduce the incidence of lost bags, both airlines and their passengers may find the added costs and inconveniences worthwhile. Both the role played by the Federal Aviation Administration's air traffic controllers in grounding aircraft just after the September 11 attacks and the forensic uses made of tracking codes imprinted on U.S. mail in investigating the anthrax mailings demonstrate that such dual-use opportunities exist and can be integrated into security planning.
Those who have worked to improve quality in U.S. manufacturing are known to repeat the mantra that "you cannot inspect quality into a product." The same observation has been made for safety, and it applies equally to security. The way to strengthen security is to build it into the systems by which transportation is operated and managed, just as we have done to ensure quality and safety.
The TSA's strategic role
Building layered and well-integrated security systems into all transportation modes will not be easy. It will require an ability and willingness to step back and define security goals; to identify the layered and dual-use security concepts best suited to meeting them; and to work with many public, private, and foreign entities to implement the most promising ones. Security planners must be willing to question many existing security rules, institutional relationships, tactics, and technologies. And the planners themselves must be supported by sound systems-level research and analysis.
That is why work to devise and deploy such coherent systems must get under way now. What the tragic security failures of September 11 reveal is that the continual piecemeal imposition of new technologies, rules, and processes can compromise security and erode public confidence in the government's ability to ensure it. Federal policymakers seeking to regain public confidence in aviation security did not have a coherent system in place that could be fixed by filling identifiable gaps. Rather, the structure that was in place was fragmented and irreparable, prompting Congress to take the many dramatic, rushed, and ad hoc measures that it did. Unfortunately, further attacks may make it even more difficult to devise sound security systems, leading to more erosion of public confidence and an even greater inclination to react reflexively through piecemeal means.
Newly organized and compelled to act quickly on the congressional requirements for aviation security, the TSA is just beginning to examine the security needs of all transport modes and to define its role in meeting these needs. The TSA must be more than an enforcement agency. It must take on a strategic role in developing coherent security systems for all kinds of transportation. We urge the TSA to:
Take the lead in designing transportation security systems through collaboration. There are many public, private, and foreign entities that ultimately must field the systems that will make transportation more secure. Their decentralization and dispersion, however, hinder cooperation in devising and deploying system-level concepts. The TSA is well positioned to orchestrate such cooperation, which is essential for building security into transportation operations, as exemplified by the large port concept for securing marine shipping containers.
As the TSA works with transportation system owners, operators, and users in exploring alternative security concepts, it will become more sensitive to implementation issues, from economic to societal challenges. The prospects for deploying many new technologies and processes in support of security systems will likely raise some difficult societal issues. For instance, a more comprehensive and integrated CAPPS initiative for prescreening airline passengers may require the use of biometric cards and access to personal data to better identify passengers and their risk characteristics, presenting not only technical challenges but also raising concerns over legality, privacy, and civil liberties.
There are also issues of liability and risk. Industry participants in a linked system of security will want assurance that they are not assuming greater risk of liability if the security system fails, and that any proprietary information that is used will remain protected. Some of these legal and institutional issues will constrain or even preclude implementation, whereas others will not. Either way, they must be appreciated early on, before significant resources are invested in concepts that may prove to be unacceptable.
Conduct and marshal R&D in support of systems analysis. Thinking of security in a systems context will reveal many research and technology needs. One area of research that is likely to emerge as critical is an understanding of human behavior and performance. Human-factors expertise and knowledge will be necessary for crafting layered security systems that as a whole obscure the ways in which one might be caught--confounding the terrorist--and maximize the ability of security personnel to recognize unusual and suspect activity and behavior. Moreover, they are essential for designing security devices, facilities, and procedures that are efficient and reliable and that complement the skills of human operators and security personnel.
In support of such systems and human-factors research, the TSA must have both its own research capacity and the ability to tap expertise from within and outside the transportation community. In viewing R&D activities from a systems perspective, the TSA can determine where additional R&D investments can yield large benefits, and it can orchestrate ways to encourage such investments. To be sure, much necessary research and technology development must take place outside the transportation realm, in the nation's universities and research institutions and with support from much larger R&D sponsors such as the Department of Defense, National Institutes of Health, and National Science Foundation. However, by making the needs and parameters of transportation security systems more widely known, the TSA can help identify and shape research and technologies that are promising and relevant for transportation applications.
Provide a technology guidance, clearinghouse, and evaluation capacity. At the moment, both public and private sectors are interested in developing and employing technologies for transportation security. Many public and private researchers, for instance, are trying to develop sensors that can detect and alert transportation security personnel to the presence of chemicals and explosives. But how does one go about designing sensors that can detect chemicals in a busy transportation setting with myriad background materials? And how does one deploy and network such sensors so that they provide both a useful level of sensitivity and an acceptable rate of false alarms--alarms that can wreak havoc on transportation operations and that might ultimately be ignored?
Clearly there is potential for much effort to be expended on developing technologies that are not suited to transportation settings or that are incompatible with overarching security systems. Thus, as it proceeds in identifying appropriate security systems for each sort of transportation, the TSA should be prepared to offer guidance to commercial developers on appropriate technological capabilities. By articulating these performance needs and parameters, the TSA will provide technology developers with a clearer target for their R&D efforts. It will also provide transportation system owners and operators with a better sense of which technologies and processes will work, where they can offer dual-use benefits, and where opportunities may exist to collaborate with researchers and technology developers.
Unconventional thinking on threats
September 11 demonstrated that terrorists are able to appropriate transportation systems and assets in ways that can be difficult to conceive of and so are overlooked in day-to-day efforts to ensure transportation security. The advent of the TSA should be helpful in heightening the transportation community's attention to security, but perhaps not in overcoming the tendency to view transportation assets and operations within functional domains and securing them accordingly. The size, scope, and ubiquity of the transportation sector, coupled with its myriad owners, operators, and users, generate many opportunities for terrorists to exploit it in novel ways that may not be anticipated by those traditionally responsible for transportation security. By and large, transportation systems are regulated at the mode-specific level, and the entities that own and use them are organized for the efficient provision of specific services. Terrorists, however, are actively seeking to exploit new forms of threat that are outside such conventional perceptions of order. Terrorists may not view individual transportation assets, infrastructure, and services in such self-contained and functionally oriented ways, but rather as components and tools of other systems, as they used jet airliners and letters as weapons last fall.
We need a broader-based understanding of terrorist threats that involve transportation and how to respond to these threats. A national entity outside normal organizational settings whose sole mission is to explore and systematically assess terrorist threats, probable responses, and ensuing consequences could go a long way toward meeting this critical need. In a nationally televised address on June 6, President Bush proposed the creation of a cabinet-level Department of Homeland Security that would, among other things, gather intelligence and law enforcement information from all agencies and charge analysts with "imagining the worst and planning to counter it." The need for such systematic analysis has likewise arisen in discussions of the National Academies' Committee for Science and Technology to Counter Terrorism. We believe that such a dedicated analytic capability is critically important. It should offer a window into the mind and methods of the terrorist. It is also a prerequisite for keeping our transportation systems from being exploited again so tragically.
Mortimer L. Downey, deputy U.S. secretary of Transportation from 1993 to 2001, is principal consultant with PBConsult in Washington, D.C. He chaired the transportation panel of the National Academies' Committee on Science and Technology to Counter Terrorism. Thomas R. Menzies, a senior program officer in the National Research Council's Transportation Research Board, was study director for the transportation panel.