menu
|
December 15, 2009

TSA's Security Breach – The Posting of the Classified Standard Operating Procedures

As the House Homeland Security Committee prepares to hear testimony from Acting TSA Administrator Gale Rossides tomorrow, it should be reiterated that there is absolutely no acceptable excuse for TSA’s recent blunder in posting classified Standard Operating Procedures (SOP) for passenger and baggage screening on the Internet. While the agency’s response that the inadvertently posted SOPs are out of date is an accurate statement, it’s a disingenuous explanation that attempts to mask the nature of the breach. I understand that Secretary Napolitano has taken personnel actions in the aftermath of the breach – as well she should.

I make these comments as the former TSA head of policy where I had responsibility in 2002 for creating the first baggage screening SOPs to comply with the statutory requirement to screen all bags using Explosive Detection Systems by December 31 of that year.

The agency is leading the public and the Congress to believe that the current version of the SOPs is something significantly different in substance from what was posted, thus diminishing the potential security damage. TSA routinely updates SOPs for various reasons, but I believe it is reasonable to assume that few major changes were implemented during the past year. I know from experience that most updated versions usually contain minor processing changes.

But the important issue now is to assess the security risk of TSA’s error. In my opinion, the actual risk to security is low. TSA has roughly 40,000 Transportation Security Officers (TSOs) at any given time, each of whom has been trained on and has daily access to the SOPs. The agency has about a 15 percent annual attrition rate. So every year, 6,000 additional people have access to and are trained on the SOPs. Then there are airport and airline personnel who have a need to know the SOPs in order to integrate their own operations with TSA’s. TSA Airport Management personnel – add several thousand more people with access. The reality is that while the SOPS are classified at a low level, literally tens of thousands of people know what is in them.

The reality is that TSA has a presence at about 450 U.S. commercial airports providing security to nearly 30,000 flights a day by screening about 2 million passengers and nearly as many bags a day. The bottom line is a lot of people have a need to know the SOPs. There is no other choice. By definition, maintaining and keeping a complete lid on these SOPs is a security challenge that cannot be met 100 percent of the time. There are just too many people who have a legitimate need to know what is in them in order for TSA to carry out its security responsibilities.

So, this breach is less about lax security at airports and more about poor security management at TSA headquarters. Not good at all but neither is it an urgent new threat to our national security.

Read More
  • factchecker

    Mr. Blank,

    Since you said you were in a leadership position at TSA and therefore could be perceived as being knowledgeable about things there, I think it's important for this blog's readers to note that you have some errors in your post.

    First, TSA's SOP is not classified. That's an inaccurate and misleading term for those not familiar with designation and classification terms. The SOP is Sensitive Security Information. It's bad that the SSI information got out, and good to see people are being punished, but it's not a classified info leak.

    You also imply that multiple SOPs – dealing with the screening of people and baggage – were leaked. That's not correct. The one SOP that got posted without correct redaction was the screening management SOP, which doesn't cover how screeners actually screen people or bags.

    If you're going to write a post about your former agency, you could at least take the time to get your facts right.

  • webroalty

    Your website is very informative.
    I like it very much. Keep up the good work.

    webroyalty