Exclusive: Did TSA and DHS Under Napolitano Disregard Warning of Security Vulnerability in July 2009?
Morgen on January 3, 2010 at 10:43 am
In the aftermath of the attempted bombing of Northwest flight #253, much of the focus for what went wrong is justifiably on the National Counterterrorism Center (NCTC) for failing to connect the dots on an array of available intelligence data which should have prevented Umar Farouk Abdulmutallab from ever being allowed to board that plane. Abdulmutallab had been placed on a broader terrorist identification system (TIDE) in November, but for reasons that are not yet clear, the NCTC failed to add him to the more restrictive Terrorist Screening Database (TSDB) from which the TSA’s No-Fly list is derived. President Obama has now ordered a comprehensive review of federal policies related to the terrorist watch lists. However, what has not yet been reported is that the TSA completed a congressionally mandated review of passenger screening vulnerabilities this past July. More troubling, it appears that TSA and DHS leadership under Janet Napolitano may have downplayed a key vulnerability identified in the review. The very same vulnerability which nearly resulted in the deaths of 300 people on Christmas Day.
The final 9/11 Commission Report in 2004 made two key recommendations related to passenger screening. One, that TSA implement a system to perform passenger screening directly rather than requiring the airlines to do it. And two, that the TSA screen passengers against the government’s comprehensive terrorist watch lists rather than the much more limited No Fly and “Selectee” lists which had been used since 9/11. (Passengers flagged on the Selectee list are required to go through more extensive security screening, but are not necessarily banned from flying.) The exact figures are classified, but it’s estimated that there are in excess of 500,000 individuals represented in the comprehensive TIDE and TSDB databases, with a subset of only 4,000 of these on the No Fly list, and an additional 18,000 on the Selectee list.
After years of delays, the TSA is in the midst of addressing the first recommendation through the implementation of the Secure Flight program, which is expected to be completed by next year. However, TSA decided early on to continue passenger screening against only the No Fly and Selectee lists, even once the Secure Flight program is fully implemented. This decision appears to have stemmed from a desire on the part of the TSA to avoid the large number of false positives which marred the early implementation of the No Fly list, as well as civil liberty and privacy concerns. (Even now the ACLU seems more concerned about passenger inconveniences than airline safety).
However, members of Congress from both parties were concerned with the TSA’s decision, and included a provision in the 2008 appropriations bill for the DHS which required the Inspector General (OIG) of the TSA to report on any vulnerabilities inherent in the screening system, and to certify to Congress “that no significant security risks are raised by screening airline passenger names only against a subset of the full terrorist watch list“. The OIG conducted the fieldwork for this report from March 2008 to September 2008, but apparently waited until after the Inauguration to begin circulating a draft of the initial report within the DHS and other relevant agencies for comment. The final report was completed and published in July 2009.
A heavily redacted copy of the report is available here. While some of the key findings of the OIG are unclear due to the redactions, there is nothing ambiguous about this statement which is mentioned in various forms throughout the report:
No Fly and Selectee Lists Reduce Vulnerabilities to Commercial Aviation Security, but Additional Vulnerabilities May Exist
The No Fly and Selectee lists are subsets of the TSDB, the federal government’s consolidated watch list. The name inclusion criteria for these two lists are more narrowly focused and restrictive than the inclusion criteria for the entire TSDB. Specifically, the No Fly and Selectee lists focus on aviation security and concentrate on [---redacted---]. Although the No Fly and Selectee lists are largely successful in identifying potential terrorists who could threaten commercial aviation, some individuals not included on the lists may also present threats to aviation security. [emphasis added]
Included within the OIG’s report is a response letter from Gayle Rossides, the acting Administrator of the TSA. Here is the excerpt where Rossides comments directly on the statement quoted above:
TSA appreciates the work OIG has done in this review and agrees with OIG’s analysis and conclusion that the No Fly and Selectee Lists successfully identify terrorists who pose a threat to aviation security.
Huh? Not only did Rossides exaggerate the OIG’s statement that the No Fly and Selectee lists are “largely successful”, she also completely disregarded the second part indicating that “some individuals not included on the lists may also present threats to aviation security”. It’s a direct contradiction, so how did she get away with this dodge?
As it turns out, the OIG seemingly muddled it’s own analysis by adding this qualifying statement to the statement about “additional vulnerabilities”:
Passenger prescreening against terrorist watch lists proposed by the Secure Flight program is only one component of a larger security cycle that protects the nation’s commercial aviation system. International and domestic security activities within and outside of the Department of Homeland Security, such as intelligence gathering, law enforcement investigations, visa issuance, and border protection, mitigate potential vulnerabilities not addressed by the Secure Flight program and enhance commercial aviation security overall.
In other words, the vulnerability exists but in the opinion of the OIG it is mitigated to an unspecified extent by the existence of other government security organizations and processes outside the scope of TSA screening. Or as the TSA characterized it in their response, an “overlapping system of multiple layers of security”.
Of course this is the very same “overlapping system” which failed to properly assess readily available intelligence on Abdulmutallab from multiple sources. The same “multiple layers” which failed to review and revoke his visa after he was added to the initial terrorist watch list. This “overlapping system” utterly failed in the midst of as many specific warning signs as we could ever hope to receive leading up to a terror attack.
Knowing that TSA management had a vested interest in maintaining the status quo on the use of the more limited No Fly and Selectee lists, it’s hard not to conclude that they purposefully exaggerated the somewhat ambiguous findings of the OIG into the statement of certainty “that the No Fly and Selectee Lists successfully identify terrorists who pose a threat to aviation security”.
As the events of December 25 make crystal clear, the No Fly and Selectee Lists do NOT successfully identify terrorists who pose a threat to aviation security. And it’s undeniable that if the TSA had properly considered the expressed concern of congress and adopted the recommendation of the 9/11 Commission on passenger screening, Abdulmutallab would have been stopped before boarding the flight to Detroit.
The OIG report also made one specific recommendation to the TSA related to the No Fly list. Unfortunately the most relevant portion is redacted so it’s impossible to tell what the recommendation was:
Recommendation #1: Determine whether it is appropriate to [---redacted---] to No Fly restrictions or additional screening prior to boarding an aircraft.
Whatever it was, the TSA’s response to this recommendation was that it “raised privacy and other concerns”, and that it was “highly unlikely” that the No Fly and Selectee lists would be revised based on the OIG’s recommendation. Was this recommendation also pertinent to the events of 12/25? We may never know, but hopefully this will come up in the course of the congressional hearings next month.
I should also note that this report was distributed widely throughout the executive branch agencies dealing with security, and of course Janet Napolitano as the Secretary of the DHS was included on the distribution. In fact, as the cabinet member in charge of the TSA, it seems likely to me that Napolitano was included in the deliberations leading up to the TSA’s formal response to the report’s conclusions.
I can understand the hesitation on the part of the TSA to expand the screening of passengers against the full terrorist watch lists. We all remember the negative media coverage over the large numbers of people falsely flagged under the system in the early days, including young children and even some celebrities. However, as part of the new Secure Flight program, the TSA is now including the use of additional biographical data (gender, date of birth, etc.) to match up passengers against the watch lists. And with Secure Flight, the TSA will be handling this screening directly rather than the airlines, and in advance of passenger check-in, which should greatly reduce any flight delays due to false positives.
We were extremely fortunate to have avoided disaster on Christmas Day, but the key vulnerability which enabled this attack still exists. I can think of no good reason for the government to not expand passenger screening against the full terrorist watch lists.