Security at the nation’s airports still isn’t up to par nearly 15 years after the September 11, 2001 terrorist attacks. That’s what lawmakers heard recently at a congressional committee hearing in focused on aviation security issues and airport credentials.
Congress created the Transportation Security Administration (TSA) in 2001. The TSA is responsible for the oversight of access control to vulnerable areas within airports, largely through issuance of credentials to properly vetted workers. Four years ago, Congress mandated creation of improved pilot credentials to prevent counterfeits and develop capacity for use of biometrics for pilot identification.
“We see failures,” said Rep. John Mica, chair of the Subcommittee on Transportation and Public Assets. “Department of Homeland Security inspector general (John Roth) found that 73 individuals with links to terrorism passed TSA’s vetting process. They were not properly vetted. These are people that work at our airports. These are people that have access to aviation equipment and airplanes.”
Mica wants pilot licenses to contain iris and fingerprint biometrics, yet he can’t get an identifying photo added. “We asked that the pilot’s license have a photo of the pilot on it. The only photo on this license are the Wright brothers,” Mica said. “It’s a joke. We asked that this also have some biometric capability. Anything in your wallet has a better electronic strip and capability than this license.”
To make his point, Mica held up a Disney World pass that contains a fingerprint biometric. “Time and time again, we’ve gone in, we’ve passed edicts, laws for compliance,” Mica said. “This is one of the most frustrating things that we’ve seen.”
The Federal Aviation Administration says there are major challenges to implementing improved pilot certificates. “We regret that we are not further along in the rulemaking process to implement those provisions,” said Peggy Gilligan, associate administrator for Aviation Safety at the FAA. “While the National Institute for Standards and Technology (NIST) has issued standards for the collection of iris images, there are no GSA-approved products for the collection or use of iris biometrics. Before we require collection of biometrics, we need to understand where and how they would be used.”
Gilligan says the cost of installing an infrastructure for implementing biometrics at the nation’s airports is unknown. But the FAA estimates that issuing new pilot certificates that include biometric information would cost more than $1 billion over 12 years.
“The reality is that to include biometric information on pilot certificates drives cost and may not be the most effective way to meet our security objectives,” Gilligan said. “I can assure you that pilots are properly trained. We rely on TSA and the intelligence community to address security risks.”
Vetting of applicants for airport credentials
Applicants for employment at an airline or airport must provide biographic information and a fingerprint for use in various security checks.
“TSA continuously runs the biographic information against the Terrorist Screening Database, ensuring there are no ties to terrorism when the individual first applies for ID media and throughout the term of his or her employment at the airport,” TSA Deputy Assistant Administrator Darby LaJoye told the committee. “TSA verifies that all individuals applying for airport ID media have lawful presence in the United States.”
But the Department of Homeland Security reports that thousands of aviation worker records have incomplete or inaccurate biographic information. For example, 87,000 active workers did not have Social Security numbers listed even though the TSA’s data matching model identified Social Security numbers as a strong matching element. An additional 75,000 records listed individuals with active aviation worker credentials as citizens of non-U.S. countries, but did not include passport numbers.
Homeland Security says the TSA made system enhancements between 2012 and 2014 to improve the quality of data that it receives from airports. The Aviation Security Advisory Council (ASAC) analyzed existing security measures and made 28 recommendations to address potential vulnerabilities. They include wider adoption of biometric confirmation of identity for badge issuance.
Kathleen Carroll with the international nonprofit Security Industry Association offered several measures to help boost the performance of a biometric system, such as liveness detection to eliminate spoofing. “Biometric information is worthless if it isn’t usable. With liveness detection, the only way it is usable is if the living human being presents their biometric,” said Carroll, who also serves as a vice president for HID Global Corp. “Biometrics uniquely identifies airport employees in a consistent and secure manner.”
Carroll says the security industry also recommends that airport worker credentials follow a federated model since many employees work at multiple airports. “In a federated model, such as the U.S. Government’s Personal Identity Verification (PIV) program, each federal employee is vetted to an acceptable and known process across all federal agencies,” Carroll said. “PIV credentials use the Public Key Infrastructure (PKI) as one of several security features so that the credential can be trusted for access to all physical government buildings and all computer networks… PKI allows for instant revocation of a credential across all these systems from a central location.”
The meeting ended with Mica expressing his continued frustration with all the delays. “Our intent is to try to do better. We have a responsibility for oversight and making certain we move this process forward,” Mica said. He left the official record of the hearing open for ten days in hopes of getting more answers from federal agencies about when heightened security measures will be in place.