Full circle

In the midst of the hacking scandal dominating an obsessed media in July, the government quietly announced a shake up in aviation security policy, that could have potentially serious consequence for national security in coming years.

In a written statement to the House of Commons, Transport Secretary Phillip Hammond launched a six month consultation over government proposals to shift from a system of prescribed security controls protecting air travellers, to an outcome-focused risk-based approach giving the aviation industry much greater control over security measures deployed in the operational environment.

“Under the new regulatory approach the focus will primarily be on the delivery of security outcomes rather than the delivery of specified processes. It will be for the Department to set overall requirements based on the level and nature of threat at the time. The industry will then be able to design security processes that deliver specified security outcomes rather than having to follow detailed rules,” the proposal states.

This shift in government policy has courted controversy since first intimated in the Strategic Defence & Security Review (SDSR) published in the third quarter of last year.

A step too far?
While few people involved with aviation security have any doubt that reform is long overdue, some openly question whether government is taking a step too far in placing responsibility for this vital function in the hands of a commercial sector, perhaps more attuned to profitability than national security.

“As the UK experiences extensive governmental budget cuts, it is unclear whether this is a thinly veiled cost-cutting exercise. This type of outcomes-based approach would be similar to that which existed in the US prior to the 2001 attacks. The airlines themselves were responsible for security and it was [highlighted] in the 9-11 Commission Report that this was an inadequate method of ensuring security,” suggests a paper published earlier this year by the Royal United Services Institute (RUSI).

Government insists that the proposed changes will allow airports and airlines greater flexibility to deliver high standards of security in ways that are better integrated with their day-to-day business and designed around the needs of the passenger. It goes on to say that it expects the policy reform will incentivise airports and airlines to invest in innovative solutions which pave the way to an advanced future security model.

“The outcome-focused risk-based model has the potential to bring a fundamental change to how we implement security regulations. We are keen to be involved in the development of this project, to ensure it meets the needs of our airports and delivers the best service for our passengers,” says Ian Hutcheson, director of Security, BAA plc.

High cost technology
Government expectation that an outcome-focused risk-based approach to the aviation security conundrum will lead to a more robust security model, presently appears based more on hope rather than any firm investment commitment.

Conversation with some airport community members reveals an abhorrence for possibly high cost advanced technology solutions, but strong support for unproven behavioural techniques.

The US General Accounting Office (GAO) reported in its most recent finding, that a Department of Homeland Security (DHS) study conducted last year determined behavioural techniques were more effective than random sampling in identifying travellers with fraudulent documents or outstanding arrest warrants, but no evidence existed that the technique was effective in identifying anyone engaged in acts of terrorism.

The report stated that the “high variability of traveller behaviours highlights the challenge that Transport Security Administration (TSA) faces in effectively implementing a standardised list of Screening of Passengers by Technique (SPOT) behavioural indicators.”

This doesn’t come as a particularly great surprise. It’s possible to see the wide variety of traveller behaviour exhibited in the space of an hour sitting in the average airport coffee shop on any given day. Determining who amongst the mass of humanity is dangerous or merely a nervous traveller is an enormously challenging problem, to which there are no easy answers.

Proponents of behavioural analysis continue to argue that the technique has great utility in the airport environment and this may well prove to be the case. But behavioural analysis can only be seen as a tool delivering knowledge to help identify those travellers who may need to be screened more thoroughly. The technique must therefore be supported by advanced technology screening solutions.

Perception issue
Consultation exercise documents reveal that the government proposal accords with the principal of a reduction in governmental oversight and intervention in favour of industry led and government supported initiatives encouraging growth.

Under the proposed approach, those responsible for implementing the European Union (EU) regulations and all directed parties under the Aviation Security Act 1982 (ASA), would be required to implement a Security Management System (SeMS), through which an operator plans and delivers its security processes.

“A SeMS is a dynamic management process, which is continually monitored and reviewed to take account of changes in the threat environment, organisational changes and the results of analysis. A key feature would be a process whereby the industry itself regularly reports on its own security performance, significantly increasing the volume of performance data available to the security regulator. The reporting of certain serious lapses would be mandatory (comparable to safety incident reporting in industry) with criminal penalties applying that are available in existing legislation. All entities that are required to comply with European Union common basic standards and domestic directions will of course continue to have to do so,” consultation documents explain.

The UK Civil Aviation Authority (CAA) will be the regulator with airports reporting security matters in similar fashion to airlines reporting safety issues under the proposal. Anyone who has taken the time to discuss either security or safety matters with commercial airline pilots can readily testify to this being fraught with danger.

The airline world is replete with allegations of commercial airline operators putting pressure on pilots not to report safety issues or actively controlling disclosure to the regulator. There is every reason to assume that the same will hold true in a commercial airport environment, given the need to make a profit while processing large passenger volumes for airline clients.

Consultative documents argue that adequate provision to counter such a possibility is being made. Confidential Human Factors Incident Reporting Programme (CHIRP) schemes are highlighted as evidence of this commitment. In the real world operational environment such schemes are often woefully underfunded and constantly challenged by commercial operators.

Transatlantic discord
Airports seem to be reluctant to invest in new solutions to meet modern day threats. Most recently the airport community has simply said no to a EU requirement to deploy liquid screening solutions in airports any time soon. Anecdotal evidence exists to suggest that vague promises by airports to achieve this capability at a later date will not be met either.

United States authorities also took a dim view of legislative attempts to introduce liquid screening at airports any time soon, warning that it would introduce prescriptive measures for all US bound flights if an easing of restrictions were to go ahead on schedule.

The US boast of a mature two-way dialogue between government and industry about the threats faced and the hardware performance requirements needed to address these threats. The EU doesn’t have these threat information sharing protocols in place, leading to a view that the region is behind the curve and only capable of responding to old threats.

US aviation security policy was born out of the events of September 11 and for better or worse is deemed the only standard worth considering. UK proposals to shift responsibility for aviation security to the commercial sector must have sent shockwaves through Washington D.C. unless suitably robust threat sharing protocols form a part of the recently announced protocols.

With almost half of the total global demand for aviation security technology coming from the US – the budget for passenger screening is some $769 million in this fiscal year alone – vendors will quite naturally focus attention on this market segment.

The obvious conclusion drawn from this is that any UK specific requirements – assuming airports fulfil the government expectation to invest and innovate – will be well down the priority list.

Border control
The government consultative exercise comes hard after a recent damning report on the UK’s ability to control its borders. The BBC report stated that the multi-million pound E-borders programme doesn’t have the capability to feed information to UK Border Agency (UKBA) personnel in real time.

“We don’t get the details direct to our terminal, the method is no more sophisticated than a piece of A4 paper torn up and then distributed to the staff. You then have to keep an eye out for those people. There’s no joined up IT thinking, we’re living in the Dark Ages,” a UKBA source told the broadcaster.

The issue led to the controversial cleric Sheikh Raed Salah, who is banned from entering the country, being able to walk through immigration at Heathrow and deliver a speech in Leicester after arriving in June. He was arrested before he could address a meeting in the House of Commons and is appealing against his deportation on human rights grounds.