As the House Homeland Security Committee prepares to hear testimony from Acting TSA Administrator Gale Rossides tomorrow, it should be reiterated that there is absolutely no acceptable excuse for TSA’s recent blunder in posting classified Standard Operating Procedures (SOP) for passenger and baggage screening on the Internet. While the agency’s response that the inadvertently posted SOPs are out of date is an accurate statement, it’s a disingenuous explanation that attempts to mask the nature of the breach. I understand that Secretary Napolitano has taken personnel actions in the aftermath of the breach – as well she should.
I make these comments as the former TSA head of policy, where I had responsibility in 2002 for creating the first baggage screening SOPs to comply with the statutory requirement to screen all bags using Explosive Detection Systems by December 31 of that year.
The agency is leading the public and the Congress to believe that the current version of the SOPs is something significantly different in substance from what was posted, thus diminishing the potential security damage. TSA routinely updates SOPs for various reasons, but I believe it is reasonable to assume that few major changes were implemented during the past year. I know from experience that most updated versions usually contain minor processing changes.
But the important issue now is to assess the security risk of TSA’s error. In my opinion, the actual risk to security is low. TSA has roughly 40,000 Transportation Security Officers (TSOs) at any given time, each of whom has been trained on and has daily access to the SOPs. The agency has about a 15 percent annual attrition rate. So every year, 6,000 additional people have access to and are trained on the SOPs. Then there are airport and airline personnel who have a need to know the SOPs in order to integrate their own operations with TSA’s. TSA Airport Management personnel – add several thousand more people with access. The reality is that while the SOPs are classified at a low level, literally tens of thousands of people know what is in them.
The reality is that TSA has a presence at about 450 U.S. commercial airports providing security to nearly 30,000 flights a day by screening about 2 million passengers and nearly as many bags a day. The bottom line is a lot of people have a need to know the SOPs. There is no other choice. By definition, maintaining and keeping a complete lid on these SOPs is a security challenge that cannot be met 100 percent of the time. There are just too many people who have a legitimate need to know what is in them in order for TSA to carry out its security responsibilities.
So, this breach is less about lax security at airports and more about poor security management at TSA headquarters. Not good at all but neither is it an urgent new threat to our national security.