Airport Policy and Security Newsletter #14

Topics include: the beginning of Orlando's private "Known Traveler" program, airport screening opt-out risks, the costs and limits of missile defense, risk-based threat screening, and other news.
In this issue:

Finally, Airport Screening Relief for Frequent Flyers

As predicted in previous issues of this newsletter, the Transportation Security Administration has approved the start-up of what is expected to be a nationwide privately run "known traveler" program under which pre-screened frequent flyers can bypass regular airport screening lines for express lanes.

Orlando International Airport reviewed proposals from two competing firms, Unisys and Verified Identity Pass, and selected the latter. Enrollment will begin June 21; most of it can be done on-line (at www.flyclear.com), except for providing the biometric identifiers (fingerprint and iris scan), which must be done at the airport. Members will pay an annual fee of $79.95 initially (expected to rise in later years to $99.95). Once they pass the background screening (done by TSA), they will receive a biometric membership card which they can use to gain access to members-only express lanes at the Orlando airport.

There are several sharp contrasts between this new private-sector known-traveler program and the TSA's own pilot program called Registered Traveler. The latter is limited to five airports and a single airline at each airport, as well as a maximum enrollment of 10,000 people. Verified ID's program is open to all airlines and potentially all travelers willing to pay the fee and able to pass the background screening. And it's been designed for national roll-out, to other major airports and as many as 3 million members, within six years.

A second major difference is a strong emphasis on incentives and partnerships. As the lead-off airport, Orlando will receive 23% of the initial revenue, and other early-adopter airports will also receive a share. Verified is working out co-marketing agreements with most major airlines, aimed at their premium frequent flyers. Other joint efforts are being developed with the Business Travel Coalition and with major airport retailers. In addition, there will be joint efforts at Orlando offering premium, close-in parking spaces and cross-discounts with baggage-transport company BAGS. When people ask what the private sector can do differently from a government agency, these are a few examples.

And because privacy is an obvious concern with such a program, Verified is publicizing its approach to privacy, which included pledges of no tracking, no name-sharing, strong information security, and an "identity-theft warranty" under which the company will reimburse the member for any otherwise unreimbursable monetary costs resulting from any identity theft associated with the program.

The ultimate value to frequent flyers will stem from how much relief from screening hassles the program ultimately provides. Verified ID is in ongoing discussions with TSA over whether members will be exempted from such things as removal of shoes and jackets and having to take laptops out of briefcases�requirements imposed in very few other countries. The company is creating an Equipment Fund for Orlando (and later for other airports) to help purchase any additional screening equipment TSA may require for the express lanes, so as to exempt members from these removal requirements.

While private-sector known-traveler programs have been a long time coming, it's encouraging to see that TSA is now receptive to the private sector taking on this function, as this author recommended more than a year ago (see "A Risk-Based Airport Security Policy," Reason Policy Study No. 308, May 2003, at www.reason.org/ps308.pdf).


What Price Missile Defense?

Recent discussions of proposals to equip all 6,800 U.S. airliners with defenses against Man-Portable Air Defense Systems (MANPADS) illustrate two recurring themes in dealing with the terrorist threat: opportunity costs and the limitations of target-hardening.

As you will recall from Economics 101, the real cost of a policy decision is the options foregone by choosing to spend $X on that decision. Since resources are always limited, what you spend on A is not available to spend on B. Thus, when Rand Corporation estimates a 10-year capital plus operating cost for outfitting the fleet with a directed infrared countermeasures system at $38 billion over 10 years, that's $38 billion that would not be available for other aviation-security purposes—potentially more productive purposes.

The other often-ignored point is that in an open society that is chock full of potential terrorist targets, a strategy of hardening some targets is ultimately futile. Terrorists will route around the relatively few hardened targets, focusing on attractive targets that—due to resource limitations—have not been hardened. Therefore, a far wiser counter-terror strategy is to focus a large fraction of total resources on going after the terrorists directly. In the case of MANPADS, that would include more aggressive efforts to find, buy back, and destroy the thousands of shoulder-launched missiles apparently available on black markets around the world.

Several other points should be kept in mind as politicians and well-meaning advocates continue to push for mandatory installation of defensive systems on all airliners. First, the MANPADS threat is almost certainly exaggerated. These are very small missiles, which use heat-seekers to target a plane's hot engines. Many miss their targets, and even when they hit, they damage an engine (and possibly some flight controls); most large transport aircraft can fly with an engine out. Thus, an attack on an airliner is not synonymous with hundreds of deaths.

The Rand study also concluded that, in terms of threats at a large airport like Los Angeles International, MANPADS are a smaller threat in terms of potential deaths occurring than low-tech devices such as truck bombs or suitcase bombs.

Finally, some transport planes are more exposed to MANPADS attack than others. Under a risk-based approach, it would make sense to spend money protecting those before deciding whether to do likewise for the remainder of the fleet. Northrop Grumman has suggested equipping 300 planes that fly internationally. Another possibility is to equip those planes subject to call-up by the military in times of war, the Civil Reserve Air Fleet (CRAF).

The excellent Washington Post story by Scott Higham and Robert O'Harrow, Jr., "Contracting Rush for Security Led to Waste, Abuse," (May 22, 2005) rightly faulted Congress and federal officials for making rash, costly decisions in the months right after the 9/11 attacks. "Legislate first, analyze later" is a recipe for disaster. Let's hope the same thing doesn't happen with MANPADS.


Whatever Happened to Airport Screening Opt-Out?

With some degree of fanfare, last fall the TSA opened its application window for airports to apply, as allowed for all airports as of last November, to opt out of TSA-provided airport screening. Those whose applications were accepted would thenceforth use a TSA-approved private screening contractor. But to the surprise of many, as of now only two small airports— Elko, NV and Sioux Falls, SD —have actually applied.

If you ask why, the stock answer is uncertainties over liability. There's a great security blanket effect for an airport to be able to say, if terrorists get past a checkpoint and do damage, "Not our problem�that's TSA's operation." Even though two of the leading private firms, Covenant Security (now teamed with Lockheed Martin) and First Line Security, have recently received certification under the Safety Act (which limits the liability of firms providing anti-terror goods and services), the airports themselves are unclear about their liability if they take part in the Screening Partnership Program, bureaucratese for TSA's opt-out program.

That's a real issue, but it's only part of the story. A clue as to what else is going on comes in this comment by Jill Owen, counsel for Tucson Airport. As reported in Aviation Week's Airports newsletter (May 10, 2005), airports aren't signing up because the program limits airport involvement in issues such as staffing, and as Owen puts it, "Even a small [liability] risk is unacceptable in exchange for a limited benefit."

What does Owen mean by "a limited benefit"? Well, you might imagine that if an airport opts out, it would be able to issue an RFP to TSA-certified screening companies, select the one that submits the best proposal, and then hire it with the money TSA would otherwise be spending on putting its own screening staff into the airport. But that's not how TSA defines opt-out. In its very centralized approach to things, once an airport applies to be an opt-out airport, the TSA selects the contractor that it thinks is best for the airport, it hires the contractor, and it manages their work at the airport. Therefore, the kinds of money-saving innovations you might expect the contractor and the airport to come up with if the airport hired and supervised the contractor simply aren't possible. For example, the airport might use passenger screeners for non-screening security tasks (e.g., perimeter patrol) at non-peak times. Again and again, airport people have told me they simply don't see much to gain by trading one centralized-in-DC arrangement for another.

That also helps explain why there has been no increase in applications for SPP since the Government Accountability Office report in April, finding that private screeners significantly outperformed TSA screeners. Aviation Daily (April 18, 2005) reported that screeners were judged on such things as ability to detect guns on the body and in bags, explosives in baggage, opaque objects in baggage, and bombs in shoes. No comparative numbers were included in the non-classified version of the report. In response to the report, House Aviation Subcommittee chairman John Mica (R, FL) said he is drafting legislation to expand private screening, under TSA supervision, to all US airports.

But it would be a mistake to impose the current DC-centric TSA model of outsourcing on all U.S. airports. Far better would be to give each airport the option of how to meet TSA screening requirements: either by hiring and supervising a TSA-approved screening contractor or by getting certified by TSA as the screening operator itself. Either way, the screening operation would be regulated (but not managed) by the airport's TSA-employed Federal Security Director. This decentralized model would permit real innovation, tailoring security solutions to the specifics of each airport. And it would remove the conflict of interest in TSA's current dual role as both the aviation security regulator and as one of the chief providers of aviation security services.


Vegas Casinos—A Different Approach to Security

I normally don't report un-sourced stories, but you'll have to trust me as I make an exception for this provocative item. One of the readers of this newsletter is an aviation security expert who alerted me to a different approach to the screening issue, developed for the "private sector hospitality industry." Large hospitality destinations with over 50,000 visitors per hour approached the University of Nevada last year to develop a risk-based approach to screening visitors for terrorist/criminal threats. Due to the nature of their business, they could not tolerate such methods as requiring their customers to walk through metal detectors and x-ray machines.

What the university came up with, I'm told, is an "integrated behavioral assessment program." They did prototype tests and concluded that this approach was nearly twice as effective as airport-type screening systems. In other words, look for bad people rather than bad objects, as some of us have been urging for airport security for the past three years. The program is going to be rolled out to the hospitality destinations later this year.

Note: I'm only guessing that the "hospitality destinations" that contracted for this research are Las Vegas casinos (based on the University of Nevada being chosen to do the work). It might be theme parks. The point is that risk-based approaches exist, and may well be more effective than the kind of thing TSA is spending billions on.


Quotable Quotes

"If we had taken box cutters away and made them illegal, they would have used a Bic pen. I mean, you can kill someone with a Bic pen. . . . [Banning] different things, like box cutters or knives or screwdrivers . . . that's not it. There's always another implement that somebody can use."

—Keith Meurlin, retiring manager of Dulles International Airport, Washington Post, March 17, 2005.

"When it comes to confronting terrorism�whether relating to aviation or to general society�failure to adhere to [a] risk-based, threat-managed approach is fraught with peril and easily can lead to the wrong decision."

—James C. May, president of the Air Transport Association, Homeland Security, March/April 2005.

Robert Poole is Searle Freedom Trust Transportation Fellow and Director of Transportation Policy





;