Almost 10 years after 9/11, the Transportation Security Administration (TSA) recently introduced another technology system to improve airline security. Known as Advanced Imaging Technology (AIT), or “body scanners,” the new devices created a public uproar over privacy concerns since the technology effectively sees through a subject’s clothes during screening. The AIT systems have been rapidly installed at airports across the United States in the wake of an attempted terrorist attack on a U.S.-bound airliner on December 25, 2009.
On that day, Umar Farouk Abdulmutallab, a young Nigerian Muslim, concealed a small explosive device in his underwear and boarded a flight departing from Lagos, Nigeria, connecting in Amsterdam to Detroit, Michigan. The young terrorist was on a “divine” mission to blow up the aircraft along with more than 200 passengers and crew over Detroit. His intention was to kill as many people as possible, including the unsuspecting Detroit suburban inhabitants on the ground. Luckily, due to his poor skills (rather than any security measures implemented at the airport) he failed his mission and ended up in a federal jail.
This incident has special significance for two reasons. First, Abdulmutallab’s attempt revealed security failures at every layer—intelligence analysis, airport security, and the handling of the incident by the on-board crew as well as the handling of the plane by ground authorities. Second, the attempted attack was almost a carbon copy of an incident that took place eight years earlier when another poorly skilled terrorist carried a similar explosive device (concealed in his shoe) on an American Airlines flight from Paris to Miami, earning his place in history as the “shoe bomber.” What is alarming is that Abdulmutallab’s attempted terrorist attack in 2009 represents a level of security failure worse than the one eight years earlier.
Similarities to the Shoe Bomber
The similarities between the two attacks are astounding. Both devices used pentaerythritol tetranitrate (PETN) as the main explosive material. Both contained no metal parts to avoid airport metal detection technology. Both used improvised detonators. Both were carried on the terrorist’s body to avoid x-ray screening. Both explosives required some basic skill to detonate, which is why both terrorists failed.
On the human side, both Richard Reid (the “shoe bomber”) and Abdulmutallab were inexperienced and were not able to avoid suspicion from people around them prior to the attack. Richard Reid, for example, drew suspicion from the security guard that interviewed him prior to checking in to his flight, to the point that French police were called in to interrogate him for more than two hours only to release him as a legitimate passenger. Missing the original flight as a result, he showed up the next day and once again the French police were summoned, although this time they cleared him to fly. Reid still drew further suspicion from the flight attendant at the aircraft door who described him as having a threatening appearance, as well as by the cabin attendant who reported to the senior flight attendant a “suspicious passenger” prior to takeoff.
In both cases, there were clear “red flags” in the way their journey was prepared. Both Reid and Abdulmutallab had one-way tickets, both paid the travel fare in cash, and both did not check any bags (for a transatlantic flight). Richard Reid twice failed a short interview conducted by a private security firm (hired by American Airlines as part of a procedure implemented on inbound flights to the United States). Abdulmutallab was not subjected to this procedure as it had since been changed to address immigration concerns. Security aspects of his limited human encounter were minimized to checking his name against the “No Fly” and suspected terrorist watch lists. There is good reason to assume, based on his behavior after his arrest, that had Abdulmutallab been subjected to a professional security interview, he would have been flagged as “suspicious.”
The TSA’s conclusion from the “shoe bomber” attack in 2001 was disappointing and off the mark. It was characterized by a minimalist approach, defining the terrorist modus operandi (MO) as “carrying a bomb in shoes” rather than “carrying a bomb on the body.” This reactive approach led to forcing passengers to take off their shoes and submitting them to x-ray screening. As a result, it left the door open to an al-Qa`ida operative and bombmaker based in Yemen to take advantage of it eight years later, sending Abdulmutallab with an explosive device concealed in his underwear. The only surprise, perhaps, is that it took al-Qa`ida eight years to repeat the attack.
Current Security Practices Inadequate
Reviewing all attempted attacks against U.S. aviation—starting with 9/11, including Richard Reid’s shoe bomb attempt, the liquid explosives plot and Abdulmutallab’s Christmas Day attack—a clear common denominator is identified. It is the failure of aviation security technology to detect and prevent terrorists from carrying out their missions successfully. In all of these attacks, the weapon or the explosive devices were smuggled through security checkpoints to the aircraft, or, as in the case of the liquid explosives plot, was luckily stopped by early intelligence as there was nothing at the airport that could have detected explosives in liquid form.
The problem started shortly after 9/11 when the TSA was created with the conviction that the terrorist threat could be met by improving the quality of the airport screening operation. Yet the notion that the terrorists’ success on the morning of 9/11 was the result of a “screening failure” is misleading. At that time, box cutters and other sharp items were practically allowed on board. Even if such items were banned, however, there was still the open cockpit door and the FAA guideline for pilots to cooperate with hijackers; indeed, this would have led to the same tragic result.
Moreover, nine of the 19 terrorists on 9/11 were identified by a computerized (non-racial) profiling system called CAPPS, which was developed by the FAA and used by the airlines as a mandatory requirement. The response protocol to CAPPS selection of “high risk” passengers was an additional shallow “pat down,” which was less than adequate to stop Muhammad `Atta and his team since they did not carry banned items.
In the aftermath of 9/11, the policy that was created and implemented to avoid another terrorist attack could be summarized as using screening technology to detect forbidden items prior to boarding the aircraft. The emphasis was on the use of technology to mitigate the threat. The other aspect of that policy was to avoid any form of discrimination; as a result, the search for banned items had to be carried out in a uniform manner. This policy, however, does not recognize different individual passenger risk levels.
Indeed, this policy has proven less than successful with all the attempted attacks since 9/11. After each attack, authorities have responded with small, reactive changes in policy. After 9/11, for example, a substantial portion of security resources was spent on confiscating small sharp items even after reinforced cockpit doors were introduced. After Richard Reid’s shoe bomb attempt, security focused on footwear only, neglecting more intensive searches of the passenger’s body. After the liquid explosives plot, authorities implemented a demanding policy of limiting quantities of liquids carried on board the plane, yet avoiding any response related to checked bags. It was only after the recent action by Abdulmutallab to carry a bomb on board in his underwear when authorities finally moved to deploying “full body scanners.”
Clearly, the one conclusion that can be drawn with certainty is that there is an urgent need to find a more effective way to achieve “airport security.” Steps need to be taken to put airport security one step ahead of the terrorists, rather than pursuing a reactive approach which characterizes the present strategy.
Applying the Israeli Model
A growing number of people in the U.S. government, the aviation industry, the media and the general public are pushing toward a strategy modeled on a real “risk-based” approach, or, in other words, “profiling.” The proven success of the Israeli aviation security model, which is based on this approach, has drawn much attention, and it has become an attractive option to many in the United States. There is little dispute over the track record of the Israeli model, but most people who suggest its implementation “as is” are not fully familiar with it.
The Israeli model was developed and refined for use by Israeli aviation and tailored to address the unique conditions that exist in Israel. Largely speaking, it is based on the understanding that each passenger carries a different risk level and that the depth of security processing and search is adjusted to the individual’s risk level. At the heart of this model is an interview process with every single passenger by a highly skilled professional. The term “profiling” is usually used to describe this process.
The American environment, however, is different from the Israeli one in many ways. Therefore, one has to be cautious when attempting to implement a similar solution in the United States. For example, the ethnic profile of the majority of travelers on Israeli aviation is rather uniform compared to the plural ethnic profile of the American population. There are also a number of differences in the legal environment between the U.S. constitution and Israeli law. There are differences in the volume of passenger traffic, as well as the fact that more than 80% of travelers on Israeli aviation are international travelers equipped with passports and other travel documents that contain significant information about the passenger and their flight history. Most flights to and from Israel are also long-haul flights, which require passengers to arrive at the airport three hours before departure—this allows authorities adequate time to complete a face-to-face interview process.
Having mentioned the above differences, the Israeli concept is still valid for the U.S. environment after some substantial and careful modifications. First, discriminating factors such as ethnicity, religion or gender must be removed to meet U.S. constitutional requirements. There is still enough behavioral information left to create effective profiles. Second, the 100% interview standard must be replaced with a robust computerized (non-discriminating) security profiling program that would divide the passenger population into risk groups. The security checkpoint and baggage screening system would respond to the risk group level with a compatible level of search, including the use of highly professional face-to-face interviews for those passengers designated as “high risk.”
The key to the success of this approach is that it preserves the ability to identify the risk where it exists and adjust the search level to achieve the most effective result. By using the interview technique with the “high risk” passengers, authorities can take advantage of the terrorists’ “Achilles heel”: the difficulty in maintaining a “cover story” in a professional interview situation.
It is never too soon to replace the current ineffective “one size fits all” approach with an effective “risk-based” strategy that builds on U.S. advantages and the terrorists’ vulnerabilities.
Rafi Ron is a leading aviation security expert with more than 30 years of security and counterterrorism experience worldwide. He served as the Director of Security at Tel-Aviv Ben-Gurion International Airport and the Israeli Airport Authority from 1997 to 2001. Mr. Ron helped establish the EL-AL sky marshal program. Mr. Ron was hired by Massport immediately after 9/11 to upgrade security for Boston Logan Airport. Among the new programs he instituted was the development of the Behavior Pattern Recognition (BPR) protocol that helps authorities identify terrorists before they endanger airports or aviation travelers. In 2001, Mr. Ron formed New Age Aviation Security and New Age Security Solutions where he is president and CEO. In that capacity he manages aviation security related projects in the United States and internationally, including: threat and vulnerability studies, security planning, system design and integration, and training.
 The alternative to body scanning, however, is arguably worse, as it involves intensive manual “pat downs” that under other circumstances would be considered a form of harassment.
 For example, despite the grave situation on board, the captain reported to the ground that there was no need for any emergency procedures. As a result, the airport called off any emergency measures and the aircraft (carrying a detained terrorist and an unexploded device) was directed to a normal gate linked to the terminal (full of passengers and employees) with other aircraft close by. Passengers were allowed to disembark and mix with people present in the gate area without any screening or questioning (ignoring the risk of a second terrorist on board). The wounded terrorist was detained by two law enforcement officers and was taken without any special security measures by ambulance to the nearest hospital. This chain of events is characterized by a lack of understanding of the situation and resulted in putting the public at risk of a potential disaster at the airport.