[Infowarrior] - How Secure Is Your Flight?
Richard Forno
rforno at infowarrior.org
Tue May 30 16:03:49 EDT 2006
How Secure Is Your Flight?
<http://www.homelandresponse.org/500/Zone/HLRSecurity/Article/False/17965/Z
one-HLRSecurity>
Challenges to air travel security named by the Government Accounting Office
in a new study have caused the Transportation Security Administration to
rethink implementation of the Secure Flight Program.
By: Sandy Smith
Following the events of Sept. 11, 2001, Congress created the Transportation
Security Administration (TSA) and directed it to assume the function of
passenger prescreening - the matching of passenger information against
terrorist watch lists to identify passengers who should undergo additional
security scrutiny - for domestic flights. Such screenings currently are
conducted by air carriers, which compare passenger names against
government-supplied terrorist watch lists and apply the Computer-Assisted
Passenger Prescreening System rules, known as CAPPS rules.
For the past four years, TSA has been working to develop the Secure Flight
program. As currently envisioned, under Secure Flight, when a passenger
makes flight arrangements, the organization accepting the reservation, such
as the air carrier¹s reservation office or a travel agent, will enter
passenger name record (PNR) information - obtained from the passenger - into
the air carrier¹s reservation system. While the government will ask for only
portions of the PNR, the PNR data can include the passenger¹s name, phone
number, number of bags, seat number and form of payment, among other
information. Approximately 72 hours prior to the flight, portions of the
passenger data contained in the PNR will be sent to Secure Flight through a
network connection provided by the Department of Homeland Security¹s Customs
and Border Patrol Security (CBP). Reservations or changes to reservations
that are made less than 72 hours prior to flight time will be sent
immediately to TSA through CBP.
Upon receipt of passenger data, TSA plans to process the passenger data
through the Secure Flight process. During this process, Secure Flight will
determine if the passenger data match the data extracted daily from the
Terrorist Screening Center¹s (TSC) Terrorist Screening Database (TSDB),
which is the information consolidated by TSC from terrorist watch lists to
provide government screeners with a unified set of terrorist-related
information. Currently, that database contains approximately 200,000 names.
In addition, TSA will screen against its own watch list composed of
individuals who do not have a nexus to terrorism but who may pose a threat
to aviation security.
When a passenger checks in for the flight at the airport, he or she will
receive a level of screening based on his or her designated category.
A cleared passenger will be provided a boarding pass and allowed to proceed
to the screening checkpoint in the normal manner. Passengers who are not
cleared will receive additional security scrutiny at the screening
checkpoint.
A no-fly passenger will not be issued a boarding pass. Instead, appropriate
law enforcement agencies will be notified. Law enforcement officials will
determine whether the individual will be allowed to proceed through the
screening checkpoint or if other actions are warranted, such as additional
questioning of the passenger or taking the passenger into custody.
It all sounds good on paper, but the plan is headed back to the drawing
board after repeated delays and a price tag of some $130 million and
counting.
TSA Director Edmund ³Kip² Hawley admitted to the Senate Committee on
Commerce, Science and Transportation on Feb. 9, ³Despite sincere and
dedicated efforts by TSA, there has been an undercurrent of concern from
outside stake-holders, really from the beginning. Over the past four years,
many concerns have been raised and addressed but Secure Flight continues to
be a source of frustration.²
Hawley said the plan was to ³re-baseline the program and insure that we use
technology development best-practices in management, security and
operations. While the Secure Flight regulation is being developed, this is
the time to ensure that Secure Flight¹s security, operational and privacy
foundation is solid.²
He said TSE plans to move forward with the Secure Flight program as
³expeditiously as possible,² but added, ³in view of our need to establish
trust with all of our stakeholders on the security and privacy of our
systems and data, my priority is to ensure that we do it right...not just
that we do it quickly.²
The decision to ³rebaseline² the program came in part, no doubt, because of
a scathing report from the Government Accountability Office (GAO), which
must certify the program before it can take effect.
GAO and others have concerns that the process being used to manage the
program is not effective and doubts about whether passengers¹ rights to
privacy will be protected and if the system¹s database can handle the amount
of data it will be expected to store and analyze.
What GAO Said
In recent testimony to the Senate Committee on Commerce, Science and
Transportation, Cathleen A. Berrick, director of Homeland Security and
Justice Issues for GAO, offered an overview of TSA¹s progress and challenges
in:
* Developing, managing and overseeing Secure Flight;
* Coordinating with key stakeholders critical to program operations;
* Addressing key factors that will impact system effectiveness; and
* Minimizing impacts on passenger privacy and protecting passenger rights.
³The purpose of Secure Flight,² explained Berrick, ³is to enable our
government to protect the public and strengthen aviation security by
identifying and scrutinizing individuals suspected of having ties to
terrorism, or who may otherwise pose a threat to aviation, in order to
prevent them from boarding commercial aircraft in the United States, if
warranted, or by subjecting them to additional security scrutiny prior to
boarding an aircraft. The program also aims to reduce the number of
individuals unnecessarily selected for secondary screening while protecting
passengers¹ privacy and civil liberties.²
GAO found that while TSA has made some progress in developing and testing
the Secure Flight Program, the agency has not followed ³a disciplined life
cycle approach² to manage systems development, nor has it fully defined
system requirements, she said. Instead, TSA has thrown together the
management system in a piecemeal fashion in an effort to develop the program
quickly.
In addition, GAO and stakeholders worried that TSA was proceeding to develop
Secure Flight without a program management plan that contains a schedule for
implementation and cost estimates.
The entire process, said Berrick, resulted in project activities being
conducted out of sequence, requirements not being fully defined and
documentation containing contradictory information or omissions.
Further, while TSA has taken steps to implement an information security
management program for protecting information and assets, its efforts are
incomplete, according to Berrick.
³Because Secure Flight¹s system development documentation does not fully
address how passenger privacy protections are to be met, it is not possible
to assess potential system impacts on individual privacy protections,² said
Berrick.
Privacy
The Privacy Act and the Fair Information Practices - a set of
internationally recognized privacy principles that underlie the Privacy Act
- limit the collection, use and disclosure of personal information by
federal agencies. TSA officials have stated that they are committed to
meeting the requirements of the Privacy Act and the Fair Information
Practices. However, said Berrick, ³it is not yet evident how this will be
accomplished because TSA has not decided what passenger data elements it
plans to collect, or how such data will be provided by stakeholders.²
At one point, TSA indicated it would collect such information as credit
histories, which caused an outcry among a large number of consumer and civil
rights groups.
>From GAO¹s perspective, part of the problem is that TSA has not issued the
systems of records notice, which is required by the Privacy Act, or the
privacy impact assessment, which is required by the E-Government Act, which
describe how TSA will protect passenger data once Secure Flight becomes
operational. In addition, privacy requirements were not incorporated into
the Secure Flight system development process in a manner that would explain
whether personal information would be collected and maintained in the system
in a manner that complies with privacy and security requirements.
The American Civil Liberties Union (ACLU) says that many of the privacy and
civil liberties concerns identified in the Computer-Assisted Passenger
Prescreening System (CAPPS II) remain with Secure Flight.
³We are concerned that the government is moving ahead with building this
system before ironing out the fundamental problems with the old watch list
systems on which it would be based,² says Barry Steinhardt, director of the
ACLU¹s Technology and Liberty Program. ³At best, Secure Flight¹ is a
misnomer - it still does not protect innocent travelers¹ safety or privacy.²
The Business Travel Coalition has joined with the ACLU to protest the Secure
Flight program.
³The same major problems that plagued CAPPS II remain with the Secure
Flight¹ program, ³ says Kevin Mitchell, chairman of the Business Travel
Coalition. ³It makes no sense whatsoever to subject travelers to a system
that is already a proven failure.²
In its review of Secure Flight¹s system requirements, GAO found that privacy
concerns were broadly defined in functional requirements documentation,
which states that the Privacy Act must be considered in developing the
system, but those broad functional requirements have not been translated
into specific system requirements.
³Until TSA finalizes these requirements and notices, privacy protections and
impacts cannot be assessed,² said Berrick.
TSA also is determining how it will meet a Congressional mandate that the
Secure Flight program include a process whereby aviation passengers
determined to pose a threat to aviation security may appeal that
determination and correct erroneous information contained within the
prescreening system. According to TSA officials, no final decisions have
been made regarding how TSA will address the challenges of passenger appeals
and of correcting misinformation stored in the system.
Data Accuracy
Perhaps as important, if not more so, than privacy is the accuracy of the
data in the system. In a review of the TSC¹s role in Secure Flight, the
Department of Justice Office of Inspector General found that TSC could not
ensure that the information contained in its databases was complete or
accurate. According to a TSC official, TSA and TSC plan to enter into a
letter of agreement that will describe the data elements from the
terrorist-screening database, among other things, to be used for Secure
Flight. To address accuracy, TSA and TSC plan to work together to identify
false positives - passengers inappropriately matched against data contained
in the terrorist-screening database - by using intelligence analysts to
monitor the accuracy of data matches.
³An additional factor that could impact the effectiveness of Secure Flight
in identifying known or suspected terrorists,² Berrick noted, ³is the
system¹s inability to identify passengers who assume the identity of another
individual by committing identity theft, or who use false identifying
information.²
Just how much data it will be required to screen is a concern for TSA, and,
in fact, all key program stakeholders also stated that additional
information is needed before they can finalize their plans to support Secure
Flight operations.
³A TSC official stated, for example, that until TSA provides estimates of
the volume of potential name matches that TSC will be required to screen,
TSC cannot make decisions about required resources,² said Berrick. ³Also,
ongoing coordination of prescreening and name-matching initiatives with CBP
and TSC can impact how Secure Flight is implemented.²
Several activities that have an impact on Secure Flight¹s effectiveness are
still in process, or have not yet been decided, according to GAO. For
example, TSA conducted name-matching tests, which compared passenger and
terrorist screening database data, to evaluate the ability of the system to
function. However, TSA has not yet made key policy decisions that could
significantly impact program operations, including what passenger data it
will require air carriers to provide and the name-matching technologies it
will use.
TSA has taken steps to collaborate with Secure Flight stakeholders whose
participation is essential to ensuring that passenger and terrorist watch
list data are collected and transmitted to support Secure Flight.
TSA is in the early stages of coordinating with Customs and Board Patrol
Security and the Terrorist Screening Center on broader issues of integration
and interoperability related to other people-screening programs used by the
government to combat terrorism. In addition, TSA has conducted preliminary
network connectivity testing between TSA and federal stakeholders to
determine, for example, how information will be transmitted from CBP to TSA
and back.
³However,² said Berrick, ³these tests used only dummy data and were
conducted in a controlled environment, rather than in a real-world
operational environment.²
According to CBP, without real data, it is not possible to conduct stress
testing to determine if the system can handle the volume of data traffic
that will be required by Secure Flight. TSA acknowledged it has not
determined what the real data volume requirements will be, and cannot do so
until the regulation for air carriers has been issued and their data
management role has been finalized.
In her testimony, Berrick commented that additional information and testing
are needed to enable stakeholders to provide the necessary support for the
program. ³TSA has, for example, drafted policy and technical guidance to
help inform air carriers of their Secure Flight responsibilities, and has
begun receiving feedback from the air carriers on this information,² she
said.
However, key program stakeholders - including the CBP, the Terrorist
Screening Center TSC and air carriers - stated that they need more
definitive information about system requirements - and the cost of the
program - from TSA to plan for their support of the program.
What¹s the Cost?
Many stakeholders voiced concern that TSA has not yet established cost
estimates for developing and deploying either an initial or a full operating
capability for Secure Flight, and it has not developed a life cycle cost
estimate (estimated costs over the expected life of a program, including
direct and indirect costs and costs of operation and maintenance). TSA also
has not updated its expenditure plan - plans that generally identify
near-term program expenditures - to reflect the cost impact of program
delays, estimated costs associated with obtaining system connectivity with
CBP or estimated costs expected to be borne by air carriers. In her
testimony, Berrick noted:
* Program and life cycle cost estimates are critical components of sound
program management for the development of any major investment.
* Developing cost estimates is also required by OMB guidance and can be
important in making realistic decisions about developing a system.
* Expenditure plans are designed to provide lawmakers and other officials
overseeing a program¹s development with a sufficient understanding of the
system acquisition to permit effective oversight, and to allow for informed
decision-making about the use of appropriated funds.
³In our March 2005 report, we recommended that TSA develop reliable life
cycle cost estimates and expenditure plans for the Secure Flight program, in
accordance with guidance issued by OMB, in order to provide program managers
and oversight officials with the information needed to make informed
decisions about program development and resource allocations,² Berrick
pointed out. ³Although TSA agreed with our recommendation, it has not yet
provided this information.²
TSA officials told GAO that developing program and life cycle cost estimates
for Secure Flight is challenging because no similar programs exist from
which to base cost estimates and because of the uncertainties surrounding
Secure Flight requirements.
They contended that cost estimates cannot be accurately developed until
after system testing is completed and policy decisions have been made
regarding Secure Flight requirements and operations.
TSA officials did acknowledge they currently are assessing program and life
cycle costs as part of establishing a new baseline and that this new
baseline will reflect updated cost, funding, scheduling and other aspects of
the program¹s development.
³While we recognize that program unknowns introduce uncertainty into the
program-planning process, including estimating tasks, time frames and costs,
uncertainty is a practical reality in planning all programs and is not a
reason for not developing plans, including cost and schedule estimates, that
reflect known and unknown aspects of the program,² Berrick insisted.
³Program management plans and related schedules and cost estimates - based
on well-defined requirements - are important in making realistic decisions
about a system¹s development, and can alert an agency to growing schedule or
cost problems and the need for mitigating actions. Moreover, best practices
and related federal guidance emphasize the need to ensure that programs and
projects are implemented at acceptable costs and within reasonable and
expected time frames.²
To review the full GAO report on Secure Flight, visit
http://www.gao.gov/cgi-bin/getrpt?GAO-06-374T
<http://www.gao.gov/cgi-bin/getrpt?GAO-06-374T> .
More information about the Infowarrior
mailing list