One more on Abdulmutallab

[David Farber <dave () farber net>]

Begin forwarded message:

From: Stewart Baker <stewart.baker () gmail com>
Date: December 27, 2009 4:03:25 PM EST
To: David Farber <farber () cis upenn edu>
Subject: One more on Abdulmutallab

From
http://www.skatingonstilts.com/skating-on-stilts/2009/12/security-fails.html

We've got answers to some of my questions from yesterday.  And they
aren't very comforting.  All in all, they remind me of the saying that
the small scandals in Washington are what's illegal, but the real
scandal is what's legal.  So, there were ways in which our air
security system didn't work as intended, and those are a small
failure, but the real failure is the way our air security system is
intended to work.

Here are six answers to my questions:

1.  According to press reports, Abdulmutallab had a multiple entry
visa to the US, and it was issued before Abdulmutallab's father warned
US authorities of his growing militance.  It looks as though the
warnings went to a US consular office in Nigeria while the visa was
issued in London, which might have had some modest impact on whether
consular officials took the warnings seriously. (Officials in London
might have been more alert to the risk in Abdulmutallab's visa, since
they issued it, which might have led them to dig more deeply and
report with more clarity on the warning.)

2.  The intelligence/security agencies would like the consular
officials in Nigeria to take the fall for this.  The agencies seem to
be telling journalists that the father's warning wasn't relayed to
them with enough detail to justify putting Abdulmutallab on a no-fly
or selectee list, so they just stuck him in the 550-thousand-name
catchall database (known as TIDE, the Terrorist Identities Datamart
Environment) rather than a more active 400-thousand-name database.
But neither database would have made him a automatic "selectee" for
special screening (roughly 14 thousand people are on that list), let
alone no-fly status (4 thousand).  And it's hard to imagine that even
transmitting a full transcript of the father's warning would have
boosted Abdulmutallab onto the selectee or no-fly list.

Why is it so hard to get on the selectee or no-fly lists?  In part
because privacy campaigners have made the lists less effective and
more controversial by raising phony privacy concerns -- and getting
Congress to buy into those concerns.  Here's the problem:  The lists
are full of aliases and alternative spellings that the terrorists
might use to defeat screening.  As a result, many, many people (kids,
Senators, grandmas) end up as selectees because their names resemble
the aliases of terrorism suspects.  The resulting hassles and
complaints make officials cautious about adding large numbers of names
to the selectee list.

So why doesnt the US use other information, like date of birth, to
"disambiguate" the lists -- to separate terrorist suspects from
regular folks?  After all, we knew Abdulmutallab's birthdate, along
with a lot of other information; there was no need to stop every Abdul
Mutallab or Abdul-Mutallab or abu Mutallab from flying to the US.  But
DHS hasn't been able to disambiguate the list because privacy
campaigners and Congress prohibited DHS from gathering birthdates from
passengers.  That information was too sensitive to share with the
government, said the privacy groups, and they insisted that Congress
prohibit DHS from running the selection process for years while DHS
got over a series of privacy hurdles.

All those infants and grandmas on the selectee list were, I've said
before, privacy victims.  Years after the Congressional barriers were
put in place, DHS finally got over them, and it has now started
running the screening system.  But the result the privacy campaign was
years of delay in setting up a more effective selectee database and
years of complaints from the privacy victims.  As a result, the
agencies got a bit gunshy about putting people on the selectee list,
since the larger the list, the more complaints it generated from
ordinary folks.

3.  The databases where Abdulmutallab's name was stored, however, were
accessible to both FBI and DHS.  So when he made a reservation to come
to the US, DHS should have known he was coming.  DHS probably would
have flagged him for special scrutiny when he arrived in the US.  That
would make it very hard for him to enter the US, visa or not.

Al Qaeda seems to have a lot of respect for US border security
screening.  That's why it is trying to commit terrorist attacks on US
soil without actually entering the US.  Since border measures were
strengthened after 9/11, al Qaeda has tried three separate plots using
the same basic technique -- get on a transatlantic flight and blow it
up before it lands and before the terrorists are put through our
border screening process.  Every plot has failed.  But if this doesn't
remind you of the successive World Trade Center attacks, you're not
paying attention.  They've got a schtick, and they're going to keep
using it until it works.

4.  Unfortunately, TSA, the part of DHS that screens air travelers,
doesn't use the bigger terrorist databases for screening -- unlike
DHS's border officials at CBP.  Partly that's because Congress forced
DHS to leave traveler screening in the hands of the airlines for the
phony privacy reasons described above.  But it's also because airline
screening, unlike border screening, is not well designed to vary the
level of screening depending on the risk a traveler poses.  In
shorthand, it is trying to find dangerous stuff, not dangerous people.
So DHS's access to the data about Abdulmutallab was practically
irrelevant to his ability to get on the plane.

5.  Practically but not entirely.  There is one exception.  CBP, which
had access to the data, could have decided that it didn't want
Abdulmutallab flying to the US, and it could have enforced that
decision by telling Delta/NW not to let him board.  Because the visa
had already been issued and because of limits on TSA's use of identity
in screening, this was the last chance to keep Abdulmutallab off the
plane.  We didn't use it.  How come?  Did CBP decide that the
derogatory information wasn't enough to block Abdulmutallab without an
interview?  Or did Delta/NW take that decision out of CBP's hands by
failing to implement the AQQ requirement that was put in place a year
ago?  We still don't know.

6.  I asked several questions about how good the screening was in
Nigeria and at Schiphol.  I now think that it barely matters how good
a job those screeners did.  Without a reason to treat Abdulmutallab
differently from other passengers, the current level of screening
wasn't likely to find the explosives.  Like 9/11, when the hijackers
carried boxcutters because boxcutters were allowed by current
screening rules, al Qaeda is adapting to our rules, finding explosives
and hiding places that our current procedures can't detect.

The explosives Abdulmutallab was carrying weighed 80 grams.  That's
about three ounces -- roughly the weight of a third of a cup of sugar.
So let's role-play al Qaeda at home:  put a third of a cup of sugar
in a plastic sandwich bag.  Roll it up.  Can you think of place on
your body where you could tape it so that it would be hard for a
patdown to find?  Or, if you don't have that kind of imagination,
here's one clue:  80  grams happens to be a bit less than the weight
of standard lightweight bra inserts for "enhancing cleavage."

OK, now let's roleplay TSA:  What kind of patdown procedures are you
going to put in place to find that rolled up plastic baggie?  Those
bra inserts?  Remember, you're committed to treating everyone the same
way.  Are you really going to pat down every passenger there and there
-- and carefully enough to distinguish a baggie from a fashion
accessory or an anatomical feature?

According to the press, that's DHS's plan.  From now on, we'll see
more, and more intimate, patdowns.  Less carryon luggage.  Closer
looks at everything we do carry.  And on international flights into
the US, restrictions on getting items from overhead bins, plus
restrictions on what we have on our laps, etc.  In the longer run,
we'll use more of the millimeter wave machines that will surely be
more appealing to passengers than a patdown that is indistinguishable
from getting to third base.

But al Qaeda has already invented the "booty call" bomb, which makes
even the millimeter wave machine ineffective.  So I think we're seeing
the endgame for the current, nearly identity-free screening process.
Only a system that looks for terrorists as well as weapons is likely
to be able to defeat al Qaeda's transatlantic flight plan.

Actually, al Qaeda's fascination with transatlantic flights -- and its
fear of US border procedures -- gives us an obvious way to try out a
new approach to screening.  Everyone on transatlantic flights is
already carrying a passport.  And we already have good passport-based
screening and computer systems for border officials.  Why not hook
those systems to computers at the special US-bound screening
checkpoints that already exist in European airports?  Then the
screeners could perform a graded set of inspections and patdowns that
vary depending on whether the traveler is considered risky or not.
Travelers in an intermediate status could be questioned, and US
officials could be linked in by videoconference to check the answers
against their information.

There is plenty of pain in an approach that looks for terrorists, not
just weapons.  For starters, the Obama Administration's recent retreat
from REAL ID and good driver's license standards makes it impossible
to implement identity-based screening inside the US for the next five
to ten years.  And, of course, everyone who ends up on the wrong side
of the database will want to litigate about the data that led to their
patdown, claiming viewpoint and ethnic discrimination, etc., etc.

Still, I don't see a better alternative.  The current path leads us to
more and more obnoxious treatment of all travelers.  And in the end,
after all the mass-produced humiliation, it leads in all likelihood to
failure.

Update:  According to Reuters, KLM used APIS to check Abdulmutallab's
admissibility with CBP and got back no objection:  it reports that the
head of Nigeria's civil aviation authority "said Abdulmutallab's U.S.
visa had been issued in London on June 16, 2008 and was due to expire
in June 2010. He said it was scanned without the Advance Passenger
Information System (APIS) returning any objection."  If that's so,
CBP/DHS has some explaining to do.  It would mean that they knew the
guy was coming and they also had access to the most recent
intelligence, including the father's report, but did nothing to stop
him or get him checked out in Amsterdam.  How come?

-- 
Stewart Baker
o: 202-429-6402
c: 202-641-8670




-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com