PARLIAMENT of CANADA
Home Parliamentary Business Senators and Members About Parliament Visitor Information Employment
 
 

Presentation to Senate Committee

NATIONAL SECURITY AND DEFENCE 

Airline Security - A Security Professional's View

Chuck Wilmink  

November 4, 2002


Table of Contents

Bio - Chuck Wilmink

Executive Summary

Present Status of Airline Security in Canada
    Definition of Security
    Initial Response to 9/11
    The Proper Response
    Other CATSA Initiatives - Peddling Snake Oil
   
     Cockpit Doors
        Passenger Screening Agents
        Explosive Vapour Detection Equipment (EVD)
        Hiring CATSA Managers and Increasing Transport Canada Inspectors

Summary of New Initiates

Recommended Security Improvements
   
1.     Regulate Security Responsibility
    2.     Deploy Police Officers at Passenger Screening Points
    3.     Increase Training and Efficiency Standards of Passenger Screening Agents    
    4.     Airline and Airport Employee Security
    5.     Limit Airport Authority Involvement in Passenger Screening Security
    6.     Combine the Aerodrome Operators and Airlines Security Regulations
    7.     Cargo Security

Summary

Appendix A - Crypto-Gram Newsletter
   
The Attacks
    Airline Security Regulations
    Biometrics in Airports  
    Diagnosing Intelligence Failures
    Summary

Resume


Bio - Chuck Wilmink

A security professional with over 15 years experience in the field, including:

·          Five years as a Reserve Police Constable with the Vancouver Police Department.;

·          Six years as general manager of a large private security firm, partial duties included the set up and management of contracts at the Vancouver International Airport with Air Canada, Canadian Airlines and Purolator.;

·          Two years as a Corporate Security Manager for Canadian Airlines, stationed at YVR.  Partial duties included performing security audits at Canadian and US airports that Canadian Airlines servedflew to.

·          Two years as Director of the Canadian Centre for Information Technology Security (CCITS).

·          Independent consultant, managing partner of Corporate Security Solutions.

 

Education

Masters of Business Administration
Bachelor of Science
Certified Information Systems Security Professional (CISSP)
Federal Bureau of Investigations (FBI) Airline Terrorism Training Program
RCMP Aviation Security/Explosives Detection Course

 

Executive Summary

With the recent passing of the first anniversary of the tragic events of September 11th, a very important question to ask is "Are our airports and airlines more secure and safer today"?  The short answer is yes, but not much.  There is still much more that could be done to improve aviation security. 

Airline travel is more secure as a direct result of the US led fight against terrorism, specifically the disruption of the Al Queda terrorist cells.  Members of this group are busy trying to stay alive and are not able to finance, plan and train for more large scale attacks.   

Another cause for increased security is the paradigm shift by flight crews and passengers in how they respond to hijackings.  Instead of a passive response and the hope of a peaceful ending through negotiations, flight crews and passengers are now more likely to fight back against hijackers and deny them the opportunity to use the aircraft as a guided missile.  This is exactly what the crew of the American Airlines flight did when passenger Richard Clark tried to light a bomb hidden in his shoe during a cross Atlantic flight. 

This leaves the question, what about the new security initiatives of the Federal Government, have these helped increase aviation security?  The short and long answer to this is a resounding no. 

In the December 2001 Federal Budget, the Canadian Government created the Canadian Air Transport Security Association (CATSA).  CATSA took over the responsibility for aviation security from the airlines, and was given a budget of 2 Billion dollars over five years.  To finance this budget, a new departure tax of $12.00 per flight went into effect on April 1st of this year. 

To date, the results of this new department and tax have been zilch. CATSA has been collecting the security tax for almost seven months, and yet there has been no dramatic change to how pre-flight screening is conducted at the airports.  In fact, CATSA is now paying the airlines to manage the same pre-flight screening system that the airlines were providing at their own cost prior to September 11th.  

By taking away the security responsibility from the airlines, the Federal Government has reduced the airlines' ability and incentive to proactively develop and deploy effective preventative security measures.  But it is the airlines who have the financial and contractual responsibility for providing secure flights, the comprehensive knowledge of airline operations and the in-house security professionals who can design and implement effective security improvements.  The creation of a government security agency now allows the airlines to reduce or side step their security responsibilities, and blame any future incidents on the government. 

The most interesting fact about CATSA is all the initiatives they undertook before they had even hired their CEO leader/visionary.  CATSA has introduced cockpit upgrades, put to tender the design and implementation of new training standards and even hired managers at the Class 1 airports to oversee the preflight passenger screening.  CATSA has undertook serious responsibilities and expensive initiatives before they have even had a chance to work out their mandate and study how they should proceed. 

Here are my recommendations on how to provide a quick and truly effective increase in security levels at Canadian Airports, keeping cost increases at a minimum:

·          Re-deploy the police officers stationed at airports from their community police offices to the actual passenger screening points. 

Under existing Transport Canada regulations there must be police officers on site at airports at all times to respond to a security incident at the screening points in under five minutes.  Presently, these police officers are kept busy by staffing airport community police offices and responding and investigating crimes that occur on site.  These police officers would be much better utilized if they were stationed at the passenger screening points and became part of the team protecting anyone from bringing weapons onto planes.  They could be trained by CSIS on recognizing known terrorists, plus their presence at the screening points would provide a strong backup to the existing security screeners.  The folly of the current situation is that the police presence at airports is paid for by the airlines to protect against terrorism threats, but they spend their time on regular police duties that the rest of the airport community should be receiving through the municipal taxes they pay.

·          Deploy Canada Customs Officers at the passenger screening points. 

These agents are competent, well trained and experienced in checking passengers' bags for illegal items.  Why not have them check the passengers leaving the country as well as those coming in?

·          Similar to police and firemen, make ongoing training an integral part of the security screeners' duties.

Require them to spend 10 to 20 percent of their work week training on computer simulators to increase their weapons and explosives detection skills.

·          Utilize members from the Canadian Military Joint Task Force 2 (Anti Terrorist group) and local police officers to perform penetration tests at the passenger screening points at all airports. 

The number of Transport Canada inspectors is small, and once they do one test at an airport they become well known to the security staff.  Instead, give them a crew of 10 to fifteen police officers who they can train to perform the weapons detection tests.

·          Require a set percentage of passengers' checked luggage to be hand searched for explosive devices. 

Presently none of the checked luggage that goes into the bellies of the planes is security screened.

·          Station security officers at the airline's cargo facilities to perform security checks on all cargo shipments.  Send all cargo packages through X-ray machines. 

Currently there are very minimal security checks done, and not by trained security personnel but by the cargo agents.  Levy a security fee on all cargo shipments.

·          Require all employees working at airports to go through security screening checkpoints every time they enter the airside areas (where they have close access to the luggage and planes). 

Presently employees go through unchecked, and are able to take with them bags and other items in which they could easily hide weapons or explosive devices.

·          Utilize drug sniffing dogs to randomly check passengers luggage as they are checking in.

·          Redo criminal records checks on everyone with a Restricted Airside Pass (RAP) on an annual basis.

Personal situations can change quickly.  People can develop drug habits, or undergo crisis in their lives that lead to criminal behavior.  Once a person is connected with criminals, there may be pressure on them to put a package on a plane, or leave a weapon in the washroom for someone to pick up.  Each case must be looked at separately. 

If CATSA were to implement changes like these, the security levels at Canadian airports would increase dramatically.  Many of these changes would not be expensive to implement, they just require that security become the first priority in operations at the airports.


Present Status of Airline Security in Canada

Definition of Security

As a security professional, I define security as: 

The protective actions/measures taken to reduce risk to an acceptable level. 

I think it is very important that the public be made aware that even after security measures have been applied, there are still residual risks left over.  In the case of airline transportation, security measures are being applied but not all risks can be protected against. 

Security is not some all-encompassing magical potion that can be applied to a problem and make everything safe.  Total protection in most cases impossible.  US presidents get shot/assassinated, warships get sunk/damaged, banks get robbed, and occasionally airplanes get hijacked and/or destroyed.  

For a business with residual risk, they will have to decide what risks they want to transfer to a third party through the use of insurance and what risks they are willing to accept themselves.  In the case of the public, they should be made aware of the residual risks, and make their own decision whether they want to fly or not. 

It is also appropriate at this time to note the difference between terrorism security and criminal security concerns.  Prior presenters to this committee, former police officers, commented that they faced roadblocks in trying to investigate organized crime at Pearson Airport.  This is purely a criminal problem, and is distinctly different from any terrorism threats or concerns.  If anything, the organized crime factions will help in the fight against terrorism because disruptions due to terrorism would break up their illicit revenue streams.

 

Initial Response to 9/11

The initial response of the Federal Government, Transport Canada and CATSA was to put a huge burden on the airline passengers by greatly increasing the scope and time of the pre boarding security checks.  This may give the illusion of increasing security and helping to protect the public, but in reality it provides no net security gains.  Taking the nail clippers away from a pilot or a passenger will not stop a hijacker/terrorist from attacking with a broken wine bottle, fork, pen, martial arts or simple brute strength. 

It does not look like a comprehensive Risk Analysis was completed.  The serious security vulnerabilities of baggage, cargo and airport employees were not addressed.  It is still possible for an airport or airline employee to put a bomb or weapon in their lunch bag and gain access to anywhere in the airport and on any airplane.  It is still possible for a passenger who is willing to die to put a bomb in their suitcase and have it checked in and stored in the belly of a plane without being checked.  It is still possible for anyone to go to an airline cargo facility and ship a package with a bomb in it to any destination in the world.  It is still possible for a person to put a bomb in a package, put it in Canada Post, and have it carried in the belly of a passenger plane, or they can also ship it via Fed-ex, UPS or Purolator and in one of their planes. 

CATSA and Transport Canada have spent a lot of money and efforts on passenger screening, but this is only one small part of airline security.  There are many other ways in which someone could sabotage and airport or airplane.  These other vulnerabilities must be protected against, otherwise all of the money and effort being spent on passenger screening (over five hundred million dollars) is wasted.

The Proper Response

What should have happened after 9/11 is that Transport Canada and the Public Policy arm of the Federal Government should have performed an in-depth Risk Analysis of aviation security in Canada, in consultation with security experts, airline officials and the general public. 

·          What are the risks/threats/vulnerabilities?

·          What is the likelihood of attack (occurrence rates)?

·          How can the risks be reduced?

·          What level of the minimum levels of protection is acceptable?

·          What is the cost of the preventative measures to reduce risk?

·          What measures can the Canadian public afford?

·          Who would benefit from these measures?

·          How should the costs be assigned?

Unfortunately, it does not appear any of this was done.  Instead the Federal Government rushed in the $12.00 security tax, and the formation of a new department, the Canadian Air Transport Security Agency (CATSA) to oversee the spending of the taxes collected.

Other CATSA Initiatives - Peddling Snake Oil

As mentioned previously, the initial measures of increasing passenger screening standards do very little to increase overall security.  In fact, they can almost be considered as a snake oil remedy, they make it appear to the general public that security has been increased, but in actual fact nothing positive has been done.

Cockpit Doors

The second initiative has been the reinforcing of the cockpit doors.  This is a good protective measure, but one weakness is that pilots still have to come out of the cockpit to use the washroom.

Passenger Screening Agents

The third initiative was to take over control of the passenger screening agents from the Airlines, and assume the cost.  While hoping to increase the effectiveness of the screeners by increasing training standards, what this move has really done is take the responsibility away from the airlines to protect their own flights and given it to a federal bureaucracy who is not really accountable to anyone.  Before there was incentive on the airlines to provide effective screening to protect their flights and protect against the human, financial and reputation losses due to a hijacking or terrorist incident.  Now this responsibility lies with CATSA, a government agency, who does not have the same financial and business reasons to ensure top level security. 

Instead of taking over responsibility for passenger screening, CATSA would have been better off concentrating on training and proficiency standards for the screeners, and set the bar so high that the airlines would have had to significantly increase the resources and attention they gave to passenger screening to ensure it met safety standards.  They would no longer be able to tender the contracts and accept low ball bidders who pay minimum wages to their staff and attract low quality employees.

 

Explosive Vapour Detection Equipment (EVD)

Another initiative has been the ordering of explosive vapour detection (EVD) equipment to screen checked luggage. The search for explosives through the detection of trace elements of the explosives is a very complex test, and one that is not foolproof.  EVD equipment is very expensive, has limited throughput (bags checked per hour), has a high number of false positives (in 20% of the bags checked the machine falsely detects explosives present) and requires many security personnel to operate it. 

Vancouver International Airport recently received their first EVD machine, and located it in their Transborder (US bound) bag room.  The machine is capable of checking 200 bags per hour, but 1,200 bags per hour go through this area in peak times.   It is physically not possible to EVD screen every piece of luggage.  It would require too many machines, significantly more screening staff, major renovations to airport baggage room facilities and would add a significant time delay.  As well it would do nothing about all of the bags in transit from the smaller Class 2 and Class 3 feeder airports in Canada, or for all the cargo packages shipped in the belly of passenger planes.  All this for a technology that is very complex and not 100% foolproof is not a reasonable allocation of resources. 

EVD equipment can be a valuable tool, used to perform random searches of bags to deter passengers from packing explosives in their luggage, but there is no way it can be considered a single, foolproof method of stopping explosives from getting onto a plane.

Hiring CATSA Managers and Increasing Transport Canada Inspectors

CATSA has hired a Security Manager for each Tier 1 airport.  Many of these managers are former Canadian Airlines operations managers.  They know airport operations really well, but their security knowledge is very limited.  If these people are responsible for security, how come they do not have a strong background in this area? 

Transport Canada has hired extra Inspectors, and they have been busy at airports auditing the work of the airlines check in staff.  Their favourite tactic is to watch passengers checking in, and then ask the passenger if the check-in agent asked them the security profiling questions: 

·          Did you pack your bags yourself?

·          Have your bags been out of your care and control?

·          Did anyone ask you to carry anything onboard the plane? 

If the passenger tells the Inspector that they were not asked these questions, the Inspector writes a violation notice to the airline, which comes with a $10,000 fine.  Air Canada currently has over 35 of these violations outstanding. 

Transport Canada is trying to make themselves look like they are doing something towards improving security, but this charade has absolutely no effect on security and is really just a make work project.  They have statistics showing how many checks they are doing, but the checks are of very little value, and really take their time away from doing useful security functions (see recommendations later).

The US government, through the FAA, recently stopped requiring the asking of the security profile questions because they realized they have no positive effect on security.  If a terrorist wants to go on a flight with a bomb in their luggage, all they have to do is lie to the questions.  Actually they don't even have to lie, they did pack the bag themselves - they just won't tell the check in agent that they packed a bomb in there.   

With respect to the question about the bag being out of a passengers care and control, for 90% of the passengers the bag has been in their control, and for the other 10% who have had their bags out of their control, they are most likely to answer yes because the don't want to go through the hassle of doing a security check on their luggage.  A common example of this is people on tours who leave their bags outside their hotel room for the hotel porters to pick up and load on the bus for them, or the passengers from cruise ships.  The bags have been out of their control, but they never admit this at check in.  In my two years of being stationed at Vancouver International Airport, I was never once contacted by a check in agent to come check a bag from a passenger who admitted that the bags had been out of their control. 

The primary purpose of the questions may be to promote understanding of security among passengers, but, if so, this has signally failed.  Some other means of passenger awareness/education, such as advertising the possible risks of leaving bags unattended, might be more effective.

Summary of New Initiates.

The new security initiatives have the impression of improving security, but they do not really address the true security problems of airline security in a meaningful way.  Too much emphasis is being place on the passenger, and not enough on the many other ways a plane can be hijacked/sabotaged. 

Why tax passengers $12.00 per flight, and spend $400 million dollars on passenger screening security, when nothing is being done to protect against the many other ways that hijackers or terrorists could get weapons or explosives on board an aircraft.  In other words, why pay all this attention and money to protect the front door, and leave the windows and back door wide open?

Recommended Security Improvements

1. Regulate Security Responsibility

A common problem in the security industry is that people, organizations and business do not pay proper attention to security concerns because they are not aware of the problems, and there is no fiscal incentive for them to spend money on security.  Security is seen as a lost cost, or non revenue generating expense that is to be avoided if at all possible.  This is supported by the fact that security incidents or attacks are hard to predict, and there is a good chance that a company will never be a victim of a serious security incident.  As a result, many companies ignore their security responsibilities, or give them token attention because they are required to have a security department due to the industry they operate in. 

In order to ensure that airlines and all other companies working in the airline transportation field devote proper attention and resources to security, legislation or regulations should be introduced that assigns liability for airline security to the airlines.  Every airline and airport authority should be required to designate a Chief Security Officer (CSO - similar to the Chief Information Officer requirement from the Personal Information Privacy and Electronic Documents Act) in their executive.  This person would be responsible for doing an annual risk assessment of all operations, and designing and implementing a security plan that reduces risks to mandated or acceptable safety levels. 

By regulating company executives to address and sign off on security, you are making them aware of the risks their company faces and the dangers (including their own personal liability as a Director) if they don't act.  This personal responsibility will also ensure that they devote sufficient resources and management support to the security department to enable them to perform their duties.  Too often in today's business world, the security department reports to a low level manager, and are blocked by the senior executive of other departments when they try to introduce security initiatives.  Unfortunately, proper security sometimes means that business process will get done slower, may be more expensive, and may not be allowed at all (for example, not letting the cargo departments accept packages from unknown shippers - this would increase security but it would also turn away a lot of business and greatly reduce revenues).   

In order to ensure companies follow the CSO guidelines, their annual risk assessment and security plan should be audited by an accredited outside individual, organization or agency, in the same way financial records are audited by accounting firms. 

This regulation does not require companies to develop large security teams and devote a large portion of their revenues towards security.  It simply requires them to asses the risks against their company and install reasonable protection measures to protect the people and assets of their company.  Hopefully it will give the regular security departments more authority and resources to perform their duties.

2. Deploy Police Officers at Passenger Screening Points

Re-deploy the Police Officers assigned to the airports to the passenger screening points from the community police offices they currently staff.  Transport Canada regulations require an armed response to emergencies (someone with a weapon) at the passenger screening points within five minutes.  This requirement is met by the airlines paying for a set number of police officers to be stationed at the airport full time.  Currently, these officers keep themselves busy by staffing a community police office and responding to police incidents in the airport concourses and surrounding ground.   

This police presence is paid for by the airlines for passenger screening security, why not station these officers directly at the screening points full time?  They could be trained by CSIS, the RCMP and JTF2 to lookout for known terrorists.  They could also supervise an electronic biometrics recognition program which could be used to catch Known terrorists.  The static presence of uniformed police officers at the screening points would also act as a strong support for the passenger screening agents.  Passengers would be much more compliant to having their bags thoroughly checked when they have the uniformed presence of a police officer right in front of them. 

One month after 9/11, my family went on a vacation to Fort St John.  We were at YVR and as we got to the front of the passenger screening line, two pilots stepped in front of us to undergo the security check.  The security supervisor had a list of all pilots scheduled to fly that day and looked for the pilots names.  The pilots explained that they would not be on the list because they were filling in and walked right past the security supervisor.  I could see the look on the supervisors face, he knew he should stop the pilots, but he did not have the courage to do so and let them go.  If there had been a police presence at the screening point, the security supervisor could have summoned them over and had them deal with the pilots. 

Similar problems occur all the time with passengers and their oversized luggage.  There is a plastic frame in front of the x-ray machine that is supposed to screen out over size bags.  Countless times per day a passenger will lift the screen up and try and sneak their bag through.  Sometimes the security agents stop them and send them back to passenger check in, but often times they will let the passenger through after being intimidated by an overbearing passenger. 

This past summer I coordinated the security for the Air Canada Championship, the PGA golf tournament in Surrey BC.  In the past years we have had volunteer security officers at the front gates checking spectators for cell phones and cameras, and it was amazing how many spectators would lie and say they had no phone, and then later be found on the course with their cell phone or pager buzzing.  This year, due to new requirements by the PGA that no bags be allowed on the course, we had uniformed RCMP officers at the front gate helping the volunteer security officer do the checks.  It was amazing the different response from the public, once they saw the uniformed police officers they happily submitted to the search.   

Stationing the police officers at the passenger screening points would have the same positive effect.  Passengers would be much more compliant, searches would be more thorough, and there would be reduced problems with passengers trying to bully their way past.

3. Increase Training and Efficiency Standards of Passenger Screening Agents

·          Increase the number of bags that have to be hand searched.

·          Reduce the number and size of carry on bags passengers are allowed to increase search efficiency (more time per bag and smaller packages to search).

·          Require the security screeners to undergo on the job training every week, perhaps ten to twenty per cent of their time should be spent on training.

·          Provide computer enhanced training, where images of weapons and explosive devices are laid on top of images of regular bags.  Have CSIS and police agencies submit the latest weapons they come across so that the screeners become aware of them and can recognize them.

·          Increase the testing capabilities of the Transport Canada Inspectors by allowing them to use police officers from local detachments to do the penetration tests.  Once an Inspector does an audit, all the passenger screening staff know who the inspector is and will obviously be on the lookout for them.  The Inspectors would be much more efficient if they could train a whole team of penetration testers and bombard the checkpoints.  This increased testing would be both an educational tool, improving the screeners skills, and it would also keep them on their toes (not allow them to get complacent).

·          Look at deploying Canada Customs Officers at the check points, either as supervisors or as senior searchers.  They are trained and experienced in searching luggage for contraband items.  They are already stationed at all Tier 1 airports, rotate their schedule and assigned duties through the passenger screening points.

Raising the standards and expectations on passenger screening agents will force the companies that provide these services to employ higher caliber employees and will result in more effective screening.

 

4. Airline and Airport Employee Security

Create a separate entrance to the airside areas for employees and make them go through the same screening process as passengers.  Right now employees go through a simple security check of showing their Restricted Airside Pass (RAP) to a security officer, or at non-staffed entries simply using the access card on the back of their RAP.  Right now they are allowed to take anything in with them, and are never searched by security.  It would be incredibly easy for them to take a weapon or explosive device into a restricted area and place it on a plane or give it to a passenger who has already undergone their security check.  This is a major loophole that must be addressed. 

Another tool that can be used to increase security for employees is the use of biometrics (see the Schneier article attached).  The use of biometrics would protect against individuals forging a RAP pass and gaining easy access to the planes.

There seems to be a great emphasis put on the fact that all employees at airports undergo a criminal background check and thus can be considered safe.  The first problem is that these criminal background checks take several weeks to complete, and in the interim an employee is given a temporary pass that allows them to go into the restricted areas as long as they are accompanied by an employee with a regular pass.  The airlines are constantly hiring new people to clean their planes at minimum wages.  Osama Bin Laden could apply for one of these positions, receive his temporary pass, and immediately have access to planes and cockpits.  He could put a bomb in his lunch bag, go to work, and one minute when the supervisor isn't looking hide the bomb somewhere on the plane.  

The other problem with relying on the criminal background check is that it only catches those people with a criminal record.  All of the 19 hijackers involved in the 9/11 attacks were in the US on legitimate visas (though two of them received their official documents posthumously from the INS).   

What if someone in Canada with no criminal record suddenly decides to become a terrorist.  With no criminal record they will be given their RAP pass, and can have free reign of the restricted areas of airports.  In reality, the criminal record check done for RAP passes is more of a feel good procedure than an effective security measure.  

Because there is little that can be done to prevent someone with terrorist or criminal intent obtaining work at an airport (similar to the problem with checking all passengers for the same intent) it is necessary to perform a thorough physical security check on each employee and the bags they carry with them every time they enter the restricted areas of airports.  This will add extra costs, and cause time delays for employees getting to work, but it is absolutely necessary for security reasons.  

 

5.  Limit Airport Authority Involvement in Passenger Screening Security

The airport authorities have mentioned that they are the natural pick to assume the responsibility of passenger screening security, considering they already manage the other security services at airports.  It is true that overall security would benefit if it was combined under one roof, but the airport authorities may not be the best organization to oversee the entire security team. The airport authorities main concern is to ensure that their airports run smoothly and that the passengers have an enjoyable experience.  Unfortunately, good security means that there will be delays, inconveniences and disruptions to passengers at airports, all things that go against the philosophies and mission statements of airport authorities. 

Another important issue is cost.  Allowing airport authorities to manage passenger screening, yet having the airlines or CATSA pick up the cost, gives the airport authorities a free reign to overstaff the operations and pass on the excessive costs to passengers or tax payers.  

The final and most important reason not to give the airport authorities responsibility for passenger security screening is the poor track record they have in providing regular security at Canadian airports.   At Vancouver, Calgary, Winnipeg, Edmonton and other Canadian Airports, the Domestic baggage retrieval area for passengers is wide open to the public.  Anyone can come in and take any bag off the carousel.  Passengers who take time to get from the plane to the retrieval area can have their bags stolen before they get there. The problem is not only theft, but outsiders could hide explosive packages in suitcases that passengers may be taking on to connecting flights. 

As a Corporate Security Manager for Canadian Airlines stationed at YVR, I worked with the local RCMP officers to combat the theft problem but received no help from the YVR Airport Authority.  It is still a problem today, with thefts occurring constantly.  Yet the YVRAA will not address the problem.  In Terminal 3 at Pearson, the airport the baggage retrieval areas is still in the restricted area, and accessible only to disembarking passengers.  This commitment to security should be the standard at all airports.

The second example is the design of the Transborder (US) check in area at YVR.  All passengers check in at the kiosks and their bags are marked with the airline bag tags.  By regulations, the bags are now the responsibility of the airlines.  However, after passing through the ticket kiosks the passengers have to carry their bags through a duty free shop before they reach US Customs.  During this time, passengers often do some shopping, and leave their bags unattended, or decide to come back out to go to a bank machine.  Well, this is in direct contradiction of the Transport Security Regulations, and the Inspectors have been fining the airlines for this.  This problem is solely due to the design of the airport, and the fact that YVR can charge the Duty Free store high rents because the passengers are forced to walk through it.   

Issues like these show that the airport authorities at time put customer satisfaction and revenues ahead of security issues.  Only with extensive auditing, and joint control by the airlines, should the airport authorities be given control of passenger screening security.

6. Combine the Aerodrome Operators and Airlines Security Regulations

Presently there are two sets of security regulations in place at airports, the Aerodrome Act that regulates the airport authorities and the Air Carriers Act that regulates the airlines.  These two sets of regulations are written in typical government and legalese code, and do not clearly define all of the security responsibilities and duties of either group.  As a result, there is a conflict between the two groups, and certain security functions are disputed or fall through the cracks.  

I have two good examples of this from my time at YVR.  First, late one night (1:00 a.m.) I was doing an audit of security at the new International terminal and I accidentally set off an alarm at a boarding gate that was not in use.  I sat down to wait for the security guard to respond so that I could explain the alarm, but after 35 minutes no one showed up to reset the alarm.  I continued with my audit, and two hours later when I walked past the gate again the doors were still in alarm and the strobe light above the door was still flashing.  The next day I contacted YVR security and asked them how come they did not respond to the alarm.  They informed me that they don't respond to these alarms, that the airlines are responsible for the passenger boarding gates.  I asked them if they had let anyone in the airlines know (this was a trick question, how would they know which airline to call? - the gate was not in use) and they confirmed that they had not let any one know about the alarm.   Here is an instance where the security system is wired to the airport authorities monitoring station, where there is no airline staff assigned or using the gate, where none of the airlines even have any designated security staff, and yet the airport authority refuses to take responsibility for the alarm and check it out.   The dangers of not responding to these alarms is that passengers can easily pass through the doors and have access to the cockpits of unattended planes, or pass through another emergency door and find themselves on the tarmac. 

The second example dealt with an unattended bag found by a passenger check in agent at an unoccupied check in kiosk at YVR (the check in kiosks are all standard, managed by YVRAA and assigned to the airlines for specific flight check ins).  The agent notified security about the unattended bag (a big security risk, the bag must be searched for explosives) and security attended the scene.  One hour later the passenger agent contacted me because the bag was still there.  By this time the agent and surrounding staff were quite concerned about the risks associated with the bag, and asked me to follow up with airport security.  I contacted airport security and they informed me that the bag was at a check in kiosk, so it was not their responsibility - it was the airlines responsibility.  I informed them that our agents were not trained in searching bags for explosives, and that the bag did not have one of our bag tags on it so there was no legal grounds for our staff to search the bag.  Finally after talking with a supervisor I was able to have the security staff respond to the bag and do a proper search.

These two examples show that there is a clear conflict between having two entities (the airlines and the airport authorities) responsible for different parts of security, and how easy it is due to self interested interpretations of the two security acts for serious problems and inefficiencies to occur. The irony of the situation is that the Airlines pay for both groups, yet the two systems work against each other and result in inefficient security services to the airlines, airports and the public.

7.  Cargo Security

Require every Cargo operator to perform security screening on every package they ship.  This would be similar to the screening that carry on baggage goes through, x-ray screening and random hand and EVD searches on a set percentage of parcels.

 

Summary

After the attacks on 9/11 one course of action could have been to do nothing, to maintain the status quo.  The last terrorist attack in Canada was 1985, Air India, and since that time there have been no major attacks against Canadian planes.  As a result of Air India, positive bag match was introduced which allows only the luggage belonging to a passenger actually on board an aircraft to be allowed into the cargo holds.  The events of 9/11 were so drastic, and quite possibly a once in a lifetime occurrence, that perhaps airline security could be left alone.  Well this is not the case, airline security is in fact pretty weak, and corrective actions had to be taken to increase safety and public confidence in airline travel.  

Good security is like an onion, it has many layers and to get to the treasure at the centre you have to pass through each one.  In order to provide effective security for airline transportation, you must layer different security measures on top of each other with the goal of making the sum of defenses impenetrable.  Because airline transportation is so complex (passengers, baggage, cargo, airports), it requires an enormous amount of different security policies, procedures and equipment to create a comprehensive security plan which can provide adequate protection against the associated risks.  The different layers of protection must include passenger screening, baggage searches (EVD and dogs), searching cargo packages, increased perimeter security at airports, strong employee security, increased criminal records checks, redeployment of uniformed police officers, biometric recognition systems and more.  

Ineffective security is like a chain, you cut one link and the rest become useless, no matter how strong they were.  To date Transport Canada and CATSA have concentrated their efforts on passenger screening, the front end and most visible part of airline travel.  Special attention must also be paid to all of the other vital areas of airline security including cargo, airport premises, airport employees and support services. They have committed vast efforts and financial resources to date, but if they do not focus attention to the other areas of airline security as well, all of their work will be in vain.  It makes no sense to devote five hundred million dollars per year to protecting the front door, while leaving the rest of the industry wide open to attack.

 

Appendix A - Crypto-Gram Newsletter 

September 30, 2001 

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
http://www.counterpane.com 

Note (from Chuck Wilmink): Bruce Schneier, who wrote this article, is the (in my humble opinion) leading scientists/researchers/businessmen in information security in the World.  I highly recommend his most recent book, Secrets & Lies, for a fascinating, yet easy to read, introduction to the world of computer security.  It is a must read for anyone in the security industry. 

The Crypto-Gram newsletter is an online editorial that Schneier puts out on the 15th of every month.  The newsletter deals with topical issues in security, and again is a must read for people in the security industry.  Please go to the web site http://www.counterpane.com/ to find the full edition with all of the references and links. 

This is a special issue of Crypto-Gram, devoted to the September 11 terrorist attacks and their aftermath. 

 

In this issue:

    * The Attacks
    * Airline Security Regulations
    * Biometrics in Airports
    * Diagnosing Intelligence Failures 

(Not Included in this condensed version)

    * Regulating Cryptography
    * Terrorists and Steganography
    * News
    * Protecting Privacy and Liberty
    * How to Help 

The Attacks

Watching the television on September 11, my primary reaction was amazement. 

The attacks were amazing in their diabolicalness and audacity: to hijack fuel-laden commercial airliners and fly them into buildings, killing thousands of innocent civilians. We'll probably never know if the attackers realized that the heat from the jet fuel would melt the steel supports and collapse the World Trade Center. It seems probable that they placed advantageous trades on the world's stock markets just before the attack. No one planned for an attack like this. We like to think that human beings don't make plans like this. 

I was impressed when al-Qaeda simultaneously bombed two American embassies in Africa. I was more impressed when they blew a 40-foot hole in an American warship. This attack makes those look like minor operations. 

The attacks were amazing in their complexity. Estimates are that the plan required about 50 people, at least 19 of them willing to die. It required training. It required logistical support. It required coordination. The sheer scope of the attack seems beyond the capability of a terrorist organization. 

The attacks rewrote the hijacking rule book. Responses to hijackings are built around this premise: get the plane on the ground so negotiations can begin. That's obsolete now. 

They rewrote the terrorism book, too. Al-Qaeda invented a new type of attacker. Historically, suicide bombers are young, single, fanatical, and have nothing to lose. These people were older and more experienced. They had marketable job skills. They lived in the U.S.: watched television, ate fast food, drank in bars. One left a wife and four children. 

It was also a new type of attack. One of the most difficult things about a terrorist operation is getting away. This attack neatly solved that problem. It also solved the technological problem. The United States spends billions of dollars on remote-controlled precision-guided munitions; al-Qaeda just finds morons willing to fly planes into skyscrapers. 

Finally, the attacks were amazing in their success. They weren't perfect. We know that 100% of the attempted hijackings were successful, and 75% of the hijacked planes successfully hit their targets. We don't know how many planned hijackings were aborted for one reason or another. What's most amazing is that the plan wasn't leaked. No one successfully defected. No one slipped up and gave the plan away. Al-Qaeda had assets in the U.S. for months, and managed to keep the plan secret. Often law enforcement has been lucky here; in this case we weren't. 

Rarely do you see an attack that changes the world's conception of attack, as these terrorist attacks changed the world's conception of what a terrorist attack can do. Nothing they did was novel, yet the attack was completely new. And our conception of defense must change as well.

Airline Security Regulations

Computer security experts have a lot of expertise that can be applied to the real world. First and foremost, we have well-developed senses of what security looks like. We can tell the difference between real security and snake oil. And the new airport security rules, put in place after September 11, look and smell a whole lot like snake oil. 

All the warning signs are there: new and unproven security measures, no real threat analysis, unsubstantiated security claims. The ban on cutting instruments is a perfect example. It's a knee-jerk reaction: the terrorists used small knives and box cutters, so we must ban them. And nail clippers, nail files, cigarette lighters, scissors (even small ones), tweezers, etc. But why isn't anyone asking the real questions: what is the threat, and how does turning an airplane into a kindergarten classroom reduce the threat? If the threat is hijacking, then the countermeasure doesn't protect against all the myriad of ways people can subdue the pilot and crew. Hasn't anyone heard of karate? Or broken bottles? Think about hiding small blades inside luggage. Or composite knives that don't show up on metal detectors. 

Parked cars now must be 300 feet from airport gates. Why? What security problem does this solve? Why doesn't the same problem imply that passenger drop-off and pick-up should also be that far away? Curbside check-in has been eliminated. What's the threat that this security measure has solved? Why, if the new threat is hijacking, are we suddenly worried about bombs? 

The rule limiting concourse access to ticketed passengers is another one that confuses me. What exactly is the threat here? Hijackers have to be on the planes they're trying to hijack to carry out their attack, so they have to have tickets. And anyone can call Priceline.com and "name their own price" for concourse access. 

Increased inspections -- of luggage, airplanes, airports -- seem like a good idea, although it's far from perfect. The biggest problem here is that the inspectors are poorly paid and, for the most part, poorly educated and trained. Other problems include the myriad ways to bypass the checkpoints -- numerous studies have found all sorts of violations -- and the impossibility of effectively inspecting everybody while maintaining the required throughput. Unidentified armed guards on select flights is another mildly effective idea: it's a small deterrent, because you never know if one is on the flight you want to hijack. 

Positive bag matching -- ensuring that a piece of luggage does not get loaded on the plane unless its owner boards the plane -- is actually a good security measure, but assumes that bombers have self-preservation as a guiding force. It is completely useless against suicide bombers. 

The worst security measure of them all is the photo ID requirement. This solves no security problem I can think of. It doesn't even identify people; any high school student can tell you how to get a fake ID. The requirement for this invasive and ineffective security measure is secret; the FAA won't send you the written regulations if you ask. Airlines are actually more stringent about this than the FAA requires, because the "security" measure solves a business problem for them. 

The real point of photo ID requirements is to prevent people from reselling tickets. Nonrefundable tickets used to be regularly advertised in the newspaper classifieds. Ads would read something like "Round trip, Boston to Chicago, 11/22 - 11/30, female, $50." Since the airlines didn't check ID but could notice gender, any female could buy the ticket and fly the route. Now this doesn't work. The airlines love this; they solved a problem of theirs, and got to blame the solution on FAA security requirements. 

Airline security measures are primarily designed to give the appearance of good security rather than the actuality. This makes sense, once you realize that the airlines' goal isn't so much to make the planes hard to hijack, as to make the passengers willing to fly. Of course airlines would prefer it if all their flights were perfectly safe, but actual hijackings and bombings are rare events and they know it. 

This is not to say that all airport security is useless, and that we'd be better off doing nothing. All security measures have benefits, and all have costs: money, inconvenience, etc. I would like to see some rational analysis of the costs and benefits, so we can get the most security for the resources we have. 

One basic snake-oil warning sign is the use of self-invented security measures, instead of expert-analyzed and time-tested ones. The closest the airlines have to experienced and expert analysis is El Al. Since 1948 they have been operating in and out of the most heavily terroristic areas of the planet, with phenomenal success. They implement some pretty heavy security measures. One thing they do is have reinforced, locked doors between their airplanes' cockpit and the passenger section. (Notice that this security measure is 1) expensive, and 2) not immediately perceptible to the passenger.) Another thing they do is place all cargo in decompression chambers before takeoff, to trigger bombs set to sense altitude. (Again, this is 1) expensive, and 2) imperceptible, so unattractive to American airlines.) Some of the things El Al does are so intrusive as to be unconstitutional in the U.S., but they let you take your pocketknife on board with you.

Biometrics in Airports

You have to admit, it sounds like a good idea. Put cameras throughout airports and other public congregation areas, and have automatic face-recognition software continuously scan the crowd for suspected terrorists. When the software finds one, it alerts the authorities, who swoop down and arrest the bastards. Voila, we're safe once again. 

Reality is a lot more complicated; it always is. Biometrics is an effective authentication tool, and I've written about it before. There are three basic kinds of authentication: something you know (password, PIN code, secret handshake), something you have (door key, physical ticket into a concert, signet ring), and something you are (biometrics). Good security uses at least two different authentication types: an ATM card and a PIN code, computer access using both a password and a fingerprint reader, a security badge that includes a picture that a guard looks at. Implemented properly, biometrics can be an effective part of an access control system. 

I think it would be a great addition to airport security: identifying airline and airport personnel such as pilots, maintenance workers, etc. That's a problem biometrics can help solve. Using biometrics to pick terrorists out of crowds is a different kettle of fish. 

In the first case (employee identification), the biometric system has a straightforward problem: does this biometric belong to the person it claims to belong to? In the latter case (picking terrorists out of crowds), the system needs to solve a much harder problem: does this biometric belong to anyone in this large database of people? The difficulty of the latter problem increases the complexity of the identification, and leads to identification failures. 

Setting up the system is different for the two applications. In the first case, you can unambiguously know the reference biometric belongs to the correct person. In the latter case, you need to continually worry about the integrity of the biometric database. What happens if someone is wrongfully included in the database? What kind of right of appeal does he have? 

Getting reference biometrics is different, too. In the first case, you can initialize the system with a known, good biometric. If the biometric is face recognition, you can take good pictures of new employees when they are hired and enter them into the system. Terrorists are unlikely to pose for photo shoots. You might have a grainy picture of a terrorist, taken five years ago from 1000 yards away when he had a beard. Not nearly as useful. 

But even if all these technical problems were magically solved, it's still very difficult to make this kind of system work. The hardest problem is the false alarms. To explain why, I'm going to have to digress into statistics and explain the base rate fallacy. 

Suppose this magically effective face-recognition software is 99.99 percent accurate. That is, if someone is a terrorist, there is a 99.99 percent chance that the software indicates "terrorist," and if someone is not a terrorist, there is a 99.99 percent chance that the software indicates "non-terrorist." Assume that one in ten million flyers, on average, is a terrorist. Is the software any good? 

No. The software will generate 1000 false alarms for every one real terrorist. And every false alarm still means that all the security people go through all of their security procedures. Because the population of non-terrorists is so much larger than the number of terrorists, the test is useless. This result is counterintuitive and surprising, but it is correct. The false alarms in this kind of system render it mostly useless. It's "The Boy Who Cried Wolf" increased 1000-fold.

I say mostly useless, because it would have some positive effect. Once in a while, the system would correctly finger a frequent-flyer terrorist. But it's a system that has enormous costs: money to install, manpower to run, inconvenience to the millions of people incorrectly identified, successful lawsuits by some of those people, and a continued erosion of our civil liberties. And all the false alarms will inevitably lead those managing the system to distrust its results, leading to sloppiness and potentially costly mistakes. Ubiquitous harvesting of biometrics might sound like a good idea, but I just don't think it's worth it.

Diagnosing Intelligence Failures

It's clear that U.S. intelligence failed to provide adequate warning of the September 11 terrorist attacks, and that the FBI failed to prevent the attacks. It's also clear that there were all sorts of indications that the attacks were going to happen, and that there were all sorts of things that we could have noticed but didn't. Some have claimed that this was a massive intelligence failure, and that we should have known about and prevented the attacks. I am not convinced. 

There's a world of difference between intelligence data and intelligence information. In what I am sure is the mother of all investigations, the CIA, NSA, and FBI have uncovered all sorts of data from their files, data that clearly indicates that an attack was being planned. Maybe it even clearly indicates the nature of the attack, or the date. I'm sure lots of information is there, in files, intercepts, computer memory. 

Armed with the clarity of hindsight, it's easy to look at all the data and point to what's important and relevant. It's even easy to take all that important and relevant data and turn it into information. And it's real easy to take that information and construct a picture of what's going on. 

It's a lot harder to do before the fact. Most data is irrelevant, and most leads are false ones. How does anyone know which is the important one, that effort should be spent on this specific threat and not the thousands of others? 

So much data is collected -- the NSA sucks up an almost unimaginable quantity of electronic communications, the FBI gets innumerable leads and tips, and our allies pass all sorts of information to us -- that we can't possibly analyze it all. Imagine terrorists are hiding plans for attacks in the text of books in a large university library; you have no idea how many plans there are or where they are, and the library expands faster than you can possibly read it. Deciding what to look at is an impossible task, so a lot of good intelligence goes unlearned. 

We also don't have any context to judge the intelligence effort. How many terrorist attempts have been thwarted in the past year? How many groups are being tracked? If the CIA, NSA, and FBI succeed, no one ever knows. It's only in failure that they get any recognition. 

And it was a failure. Over the past couple of decades, the U.S. has relied more and more on high-tech electronic eavesdropping (SIGINT and COMINT) and less and less on old fashioned human intelligence (HUMINT). This only makes the analysis problem worse: too much data to look at, and not enough real-world context. Look at the intelligence failures of the past few years: failing to predict India's nuclear test, or the attack on the USS Cole, or the bombing of the two American embassies in Africa; concentrating on Wen Ho Lee to the exclusion of the real spies, like Robert Hanssen. 

But whatever the reason, we failed to prevent this terrorist attack. In the post mortem, I'm sure there will be changes in the way we collect and (most importantly) analyze anti-terrorist data. But calling this a massive intelligence failure is a disservice to those who are working to keep our country secure.

Summary

There are copycat criminals and terrorists, who do what they've seen done before. To a large extent, this is what the hastily implemented security measures have tried to prevent. And there are the clever attackers, who invent new ways to attack people. This is what we saw on September 11. It's expensive, but we can build security to protect against yesterday's attacks. But we can't guarantee protection against tomorrow's attacks: the hacker attack that hasn't been invented, or the terrorist attack yet to be conceived. 

 


Resume

CHARLES (CHUCK) W. WILMINK  
#304-1990 East Kent Avenue South, Vancouver, BC V5P 4X5 CANADA  
604-323-0242, E-mail: chuckw@telus.net  

Accomplished senior corporate and IT security professional with excellent business and management skills.  Looking for opportunities to interface with “C” level professionals to investigate current security risks and develop appropriate Corporate Security Plans consistent with bottom line profitability and client satisfaction. 

   

EDUCATION

Certified Information Systems Security Professional (CISSP)  
Masters of Business Administration, Simon Fraser University  
Bachelor of Science, University of British Columbia    

MAJOR ACCOMPLISHMENTS

 

EMPLOYMENT HISTORY  

CANADIAN CENTRE FOR INFORMATION TECHNOLOGY SECURITY (CCITS)

Director, September 2000 to June 2002

Responsible for developing, marketing and managing all areas of CCITS, a joint venture between the Justice Institute of British Columbia and the University of British Columbia.  Developed partnerships with other educational institutes to deliver the program across Canada, and with the leading industry professional association to deliver the program world wide.  

Promoted information security issues in the community through a regular column in the Vancouver Sun, frequent television interviews on CTV and Global, newspaper stories and interviews in The Vancouver Sun, The Vancouver Province, The Courier and Silicon North, and on radio stations CKNW, CBC and CHMB (Chinese Radio Station).


PGA AIR CANADA CHAMPIONSHIP

Volunteer Position - Vice Chairman of Security Committee, 1996 - Present

Developed and implemented the initial security plan, and each year co-ordinate and supervise 150 volunteers to provide security for the annual PGA golf tournament in Vancouver.  

 

CANADIAN AIRLINES INTERNATIONAL & AIR CANADA

Corporate Security Manager, August 1998 to September 2000

Responsible for facility and equipment security world wide, and for managing Canadian's union security department. Conduct annual security audits of Canadian Airlines stations (hangar, office, cargo and airport facilities). Perform interviews and investigations in security or criminal incidents involving Canadian employees, clients, contractors and passengers; taking appropriate actions to stop losses immediately and making recommendations to prevent similar problems from reoccurring.  

Designed and managed the security upgrades of the main CAI facility that contained 5,000 employees, $400 million facility, $400 million parts inventory and $1.2 billion in airplanes.  Upgraded/changed the scope of duties of the on-site unionized security team to dramatically increase security effectiveness.  Designed and managed the implementation of physical security and policies and initiatives during design and construction of the new CAI head office in Calgary.

 

VIKING PROTECTION SERVICES

General Manager, September 1993 to July 1998

Member of the original three-person management team hired to start the company, individually responsible for starting the security officer division. Duties included all facets of providing security services, from marketing, sales and contract negotiations to developing client security plans, system operations and quality control. After two years promoted to general manager for the entire company. After four years Viking had one hundred and fifteen employees, and invoiced over three million dollars annually in sales. Clients included The Bank of Nova Scotia, General Motors Place, Concord Pacific, Henderson Development, The Pan Pacific Hotel, Canadian Airlines and Air Canada.

 

VANCOUVER POLICE DEPARTMENT

September 1988 - September 1993

Reserve Constable, training and experience in Police Officer patrol duties, criminal law,

investigations, self-defense, control tactics and traffic direction.

 

MUSIC '91 and EARTH VOICE FESTIVAL '92

MUSIC ‘91 was a province-wide concert tour which attracted crowds of up to fifteen thousand people to temporary sites throughout BC's smaller communities for artists such as Bryan Adams, MC Hammer, Kenny Rogers, The Doobie Brothers, John Denver, Crosby Stills and Nash, Natalie Cole, Linda Ronstadt, and Bob Hope. Responsible for the complete design, implementation and management of site security, emergency planning, crowd control, traffic and parking. Hired and managed a full time security crew of ten; and in addition recruited, hired and trained 40 - 180 local residents in each community to act as crowd control staff.

 

INTERESTS

The Information Systems Security Association (ISSA), The Computer Security Institute (CSI), former ASIS member, Rugby (UBC Varsity, UBC Old Boys Rugby Club), Basketball, Golf, Fraternity member (Phi Gamma Delta)


Top of document