By Sandy Smith
Following the events of Sept. 11, 2001, Congress created the Transportation Security Administration (TSA) and directed it to assume the function of passenger prescreening - the matching of passenger information against terrorist watch lists to identify passengers who should undergo additional security scrutiny - for domestic flights. Such screenings currently are conducted by air carriers, which compare passenger names against government-supplied terrorist watch lists and apply the Computer-Assisted Passenger Prescreening System rules, known as CAPPS rules.
For the past four years, TSA has been working to develop the Secure Flight program. As currently envisioned, under Secure Flight, when a passenger makes flight arrangements, the organization accepting the reservation, such as the air carrier’s reservation office or a travel agent, will enter passenger name record (PNR) information - obtained from the passenger - into the air carrier’s reservation system. While the government will ask for only portions of the PNR, the PNR data can include the passenger’s name, phone number, number of bags, seat number and form of payment, among other information. Approximately 72 hours prior to the flight, portions of the passenger data contained in the PNR will be sent to Secure Flight through a network connection provided by the Department of Homeland Security’s Customs and Border Patrol Security (CBP). Reservations or changes to reservations that are made less than 72 hours prior to flight time will be sent immediately to TSA through CBP.
Upon receipt of passenger data, TSA plans to process the passenger data through the Secure Flight process. During this process, Secure Flight will determine if the passenger data match the data extracted daily from the Terrorist Screening Center’s (TSC) Terrorist Screening Database (TSDB), which is the information consolidated by TSC from terrorist watch lists to provide government screeners with a unified set of terrorist-related information. Currently, that database contains approximately 200,000 names. In addition, TSA will screen against its own watch list composed of individuals who do not have a nexus to terrorism but who may pose a threat to aviation security.
When a passenger checks in for the flight at the airport, he or she will receive a level of screening based on his or her designated category.
A cleared passenger will be provided a boarding pass and allowed to proceed to the screening checkpoint in the normal manner. Passengers who are not cleared will receive additional security scrutiny at the screening checkpoint.
A no-fly passenger will not be issued a boarding pass. Instead, appropriate law enforcement agencies will be notified. Law enforcement officials will determine whether the individual will be allowed to proceed through the screening checkpoint or if other actions are warranted, such as additional questioning of the passenger or taking the passenger into custody.
It all sounds good on paper, but the plan is headed back to the drawing board after repeated delays and a price tag of some $130 million and counting.
TSA Director Edmund “Kip” Hawley admitted to the Senate Committee on Commerce, Science and Transportation on Feb. 9, “Despite sincere and dedicated efforts by TSA, there has been an undercurrent of concern from outside stake-holders, really from the beginning. Over the past four years, many concerns have been raised and addressed but Secure Flight continues to be a source of frustration.”
Hawley said the plan was to “re-baseline the program and insure that we use technology development best-practices in management, security and operations. While the Secure Flight regulation is being developed, this is the time to ensure that Secure Flight’s security, operational and privacy foundation is solid.”
He said TSE plans to move forward with the Secure Flight program as “expeditiously as possible,” but added, “in view of our need to establish trust with all of our stakeholders on the security and privacy of our systems and data, my priority is to ensure that we do it right...not just that we do it quickly.”
The decision to “rebaseline” the program came in part, no doubt, because of a scathing report from the Government Accountability Office (GAO), which must certify the program before it can take effect.
GAO and others have concerns that the process being used to manage the program is not effective and doubts about whether passengers’ rights to privacy will be protected and if the system’s database can handle the amount of data it will be expected to store and analyze.
What GAO Said
In recent testimony to the Senate Committee on Commerce, Science and Transportation, Cathleen A. Berrick, director of Homeland Security and Justice Issues for GAO, offered an overview of TSA’s progress and challenges in:
- Developing, managing and overseeing Secure Flight;
- Coordinating with key stakeholders critical to program operations;
- Addressing key factors that will impact system effectiveness; and
- Minimizing impacts on passenger privacy and protecting passenger rights.
“The purpose of Secure Flight,” explained Berrick, “is to enable our government to protect the public and strengthen aviation security by identifying and scrutinizing individuals suspected of having ties to terrorism, or who may otherwise pose a threat to aviation, in order to prevent them from boarding commercial aircraft in the United States, if warranted, or by subjecting them to additional security scrutiny prior to boarding an aircraft. The program also aims to reduce the number of individuals unnecessarily selected for secondary screening while protecting passengers’ privacy and civil liberties.”
GAO found that while TSA has made some progress in developing and testing the Secure Flight Program, the agency has not followed “a disciplined life cycle approach” to manage systems development, nor has it fully defined system requirements, she said. Instead, TSA has thrown together the management system in a piecemeal fashion in an effort to develop the program quickly.
In addition, GAO and stakeholders worried that TSA was proceeding to develop Secure Flight without a program management plan that contains a schedule for implementation and cost estimates.
The entire process, said Berrick, resulted in project activities being conducted out of sequence, requirements not being fully defined and documentation containing contradictory information or omissions.
Further, while TSA has taken steps to implement an information security management program for protecting information and assets, its efforts are incomplete, according to Berrick.
“Because Secure Flight’s system development documentation does not fully address how passenger privacy protections are to be met, it is not possible to assess potential system impacts on individual privacy protections,” said Berrick.
Privacy
The Privacy Act and the Fair Information Practices - a set of internationally recognized privacy principles that underlie the Privacy Act - limit the collection, use and disclosure of personal information by federal agencies. TSA officials have stated that they are committed to meeting the requirements of the Privacy Act and the Fair Information Practices. However, said Berrick, “it is not yet evident how this will be accomplished because TSA has not decided what passenger data elements it plans to collect, or how such data will be provided by stakeholders.”
At one point, TSA indicated it would collect such information as credit histories, which caused an outcry among a large number of consumer and civil rights groups.
From GAO’s perspective, part of the problem is that TSA has not issued the systems of records notice, which is required by the Privacy Act, or the privacy impact assessment, which is required by the E-Government Act, which describe how TSA will protect passenger data once Secure Flight becomes operational. In addition, privacy requirements were not incorporated into the Secure Flight system development process in a manner that would explain whether personal information would be collected and maintained in the system in a manner that complies with privacy and security requirements.
The American Civil Liberties Union (ACLU) says that many of the privacy and civil liberties concerns identified in the Computer-Assisted Passenger Prescreening System (CAPPS II) remain with Secure Flight.
“We are concerned that the government is moving ahead with building this system before ironing out the fundamental problems with the old watch list systems on which it would be based,” says Barry Steinhardt, director of the ACLU’s Technology and Liberty Program. “At best, ‘Secure Flight’ is a misnomer - it still does not protect innocent travelers’ safety or privacy.”
The Business Travel Coalition has joined with the ACLU to protest the Secure Flight program.
“The same major problems that plagued CAPPS II remain with the ‘Secure Flight’ program, “ says Kevin Mitchell, chairman of the Business Travel Coalition. “It makes no sense whatsoever to subject travelers to a system that is already a proven failure.”
In its review of Secure Flight’s system requirements, GAO found that privacy concerns were broadly defined in functional requirements documentation, which states that the Privacy Act must be considered in developing the system, but those broad functional requirements have not been translated into specific system requirements.
“Until TSA finalizes these requirements and notices, privacy protections and impacts cannot be assessed,” said Berrick.
TSA also is determining how it will meet a Congressional mandate that the Secure Flight program include a process whereby aviation passengers determined to pose a threat to aviation security may appeal that determination and correct erroneous information contained within the prescreening system. According to TSA officials, no final decisions have been made regarding how TSA will address the challenges of passenger appeals and of correcting misinformation stored in the system.
Data Accuracy
Perhaps as important, if not more so, than privacy is the accuracy of the data in the system. In a review of the TSC’s role in Secure Flight, the Department of Justice Office of Inspector General found that TSC could not ensure that the information contained in its databases was complete or accurate. According to a TSC official, TSA and TSC plan to enter into a letter of agreement that will describe the data elements from the terrorist-screening database, among other things, to be used for Secure Flight. To address accuracy, TSA and TSC plan to work together to identify false positives - passengers inappropriately matched against data contained in the terrorist-screening database - by using intelligence analysts to monitor the accuracy of data matches.
“An additional factor that could impact the effectiveness of Secure Flight in identifying known or suspected terrorists,” Berrick noted, “is the system’s inability to identify passengers who assume the identity of another individual by committing identity theft, or who use false identifying information.”
Just how much data it will be required to screen is a concern for TSA, and, in fact, all key program stakeholders also stated that additional information is needed before they can finalize their plans to support Secure Flight operations.
“A TSC official stated, for example, that until TSA provides estimates of the volume of potential name matches that TSC will be required to screen, TSC cannot make decisions about required resources,” said Berrick. “Also, ongoing coordination of prescreening and name-matching initiatives with CBP and TSC can impact how Secure Flight is implemented.”
Several activities that have an impact on Secure Flight’s effectiveness are still in process, or have not yet been decided, according to GAO. For example, TSA conducted name-matching tests, which compared passenger and terrorist screening database data, to evaluate the ability of the system to function. However, TSA has not yet made key policy decisions that could significantly impact program operations, including what passenger data it will require air carriers to provide and the name-matching technologies it will use.
TSA has taken steps to collaborate with Secure Flight stakeholders whose participation is essential to ensuring that passenger and terrorist watch list data are collected and transmitted to support Secure Flight.
TSA is in the early stages of coordinating with Customs and Board Patrol Security and the Terrorist Screening Center on broader issues of integration and interoperability related to other people-screening programs used by the government to combat terrorism. In addition, TSA has conducted preliminary network connectivity testing between TSA and federal stakeholders to determine, for example, how information will be transmitted from CBP to TSA and back.
“However,” said Berrick, “these tests used only dummy data and were conducted in a controlled environment, rather than in a real-world operational environment.”
According to CBP, without real data, it is not possible to conduct stress testing to determine if the system can handle the volume of data traffic that will be required by Secure Flight. TSA acknowledged it has not determined what the real data volume requirements will be, and cannot do so until the regulation for air carriers has been issued and their data management role has been finalized.
In her testimony, Berrick commented that additional information and testing are needed to enable stakeholders to provide the necessary support for the program. “TSA has, for example, drafted policy and technical guidance to help inform air carriers of their Secure Flight responsibilities, and has begun receiving feedback from the air carriers on this information,” she said.
However, key program stakeholders - including the CBP, the Terrorist Screening Center TSC and air carriers - stated that they need more definitive information about system requirements - and the cost of the program - from TSA to plan for their support of the program.
What’s the Cost?
Many stakeholders voiced concern that TSA has not yet established cost estimates for developing and deploying either an initial or a full operating capability for Secure Flight, and it has not developed a life cycle cost estimate (estimated costs over the expected life of a program, including direct and indirect costs and costs of operation and maintenance). TSA also has not updated its expenditure plan - plans that generally identify near-term program expenditures - to reflect the cost impact of program delays, estimated costs associated with obtaining system connectivity with CBP or estimated costs expected to be borne by air carriers. In her testimony, Berrick noted:
- Program and life cycle cost estimates are critical components of sound program management for the development of any major investment.
- Developing cost estimates is also required by OMB guidance and can be important in making realistic decisions about developing a system.
- Expenditure plans are designed to provide lawmakers and other officials overseeing a program’s development with a sufficient understanding of the system acquisition to permit effective oversight, and to allow for informed decision-making about the use of appropriated funds.
“In our March 2005 report, we recommended that TSA develop reliable life cycle cost estimates and expenditure plans for the Secure Flight program, in accordance with guidance issued by OMB, in order to provide program managers and oversight officials with the information needed to make informed decisions about program development and resource allocations,” Berrick pointed out. “Although TSA agreed with our recommendation, it has not yet provided this information.”
TSA officials told GAO that developing program and life cycle cost estimates for Secure Flight is challenging because no similar programs exist from which to base cost estimates and because of the uncertainties surrounding Secure Flight requirements.
They contended that cost estimates cannot be accurately developed until after system testing is completed and policy decisions have been made regarding Secure Flight requirements and operations.
TSA officials did acknowledge they currently are assessing program and life cycle costs as part of establishing a new baseline and that this new baseline will reflect updated cost, funding, scheduling and other aspects of the program’s development.
“While we recognize that program unknowns introduce uncertainty into the program-planning process, including estimating tasks, time frames and costs, uncertainty is a practical reality in planning all programs and is not a reason for not developing plans, including cost and schedule estimates, that reflect known and unknown aspects of the program,” Berrick insisted.
“Program management plans and related schedules and cost estimates - based on well-defined requirements - are important in making realistic decisions about a system’s development, and can alert an agency to growing schedule or cost problems and the need for mitigating actions. Moreover, best practices and related federal guidance emphasize the need to ensure that programs and projects are implemented at acceptable costs and within reasonable and expected time frames.”
To review the full GAO report on Secure Flight, visit www.gao.gov/cgi-bin/getrpt? GAO-06-374T.