Nothing like calling the boss onto the mat in front of Congress to get some answers when a mess happens in government. Not that it is likely much will change – and certainly not quickly – but the Homeland Security Committee of the United States Congress held hearings this afternoon regarding the breach. The hearings are entitled “Has the TSA Breach Jeopardized National Security? An examination of What Happened and Why.” Sadly, there is virtually zero chance of actually getting an answer to the questions, and even less of a chance that real change will come out of this. Still, the government rolls slowly on.
After a full hour of testimony it does not appear that anyone – neither congressfolk nor TSA officials – actually understands the significance of what has happened. The hour of testimony featured a couple of rather pointed questions and they went unanswered. I followed up with some public affairs folks regarding open inquiries I have and I was stonewalled. And the most pressing questions simply were not asked.
Why was the document published?
A rather significant chunk of the discussion was focused on why the document was public at all. Ignoring the redaction problems that came up, that should be a non-issue. Having the SOP in public is a good thing for the traveling public. In fact, having all the screening SOPs out there is the only fair and reasonable way to treat the public. The current approach treats all potential passengers as criminals and leaves them at the whim of the TSO they interact with at any particular moment. Having the actual rules in the open would permit the public to actually know their rights and exercise them rather than be subjected to a power-tripping agent having a bad day. Acting TSA Administrator Gale Rossides acknowledged that there are a dozen other SOP documents that the TSA currently uses for passenger screening operations. All are considered SSI and therefore are more or less unknown to the public.
Despite media claims to the contrary the document is not a roadmap to anything. Sure, there are a couple things that probably didn’t need to be out in the open, but they are not creating an inherently more dangerous travel environment at all. Legitimate security doesn’t depend on the ignorance of those being policed. It depends on well-trained folks responding to legitimate threats and acting on real intelligence information. Sadly the TSA does not provide that and having this document out in public does not change that situation.
Moreover, the TSA has essentially committed to not using the Internet for dissemination of redacted documents in the future. Any SSI document that needs to be shared with potential contractors will likely be held in a “reading room” or other similar facility at a TSA office. This will increase the burden on the contractors trying to fill these contracts and provide no reasonable increase in security or any other palpable benefits to the American people.
In a move that can only be described as knee-jerk and over-the-top Rossides testified that TSA has instituted a “full operational lockdown” regarding the further sharing of SSI information. This lockdown applies to all documents containing SSI data. Most troubling, this lockdown also includes a restriction on sharing the appropriate information with members of the Congressional committees that have oversight of the TSA. Not only do they not want the public to see the documents, they also will not allow the congressmen and women who have a direct responsibility to review and understand the operations access to the current version of the SOP documents.
The TSA has held briefings and information sessions with congressional staffers and provided “access” in that way but no real access. When pressed on this issue Rossides acknowledged that she was aware of the legal obligation the department was under to share such information but insisted that she could not do so at this time. Congressman Dent (R-PA) pressed the Acting Director on this issue quite aggressively. He suggested that the TSA was not willing to share the information because they felt congressfolks were likely to leak it or for some other similar reason. He also noted that this is the first time such a request has not been affirmatively responded to in a timely manner. Why now? Why is this one different? Rossides wouldn’t say, but she was insistent that such action was necessary. Equally troubling was that Congresswoman Jackson-Lee (D-TX) – the chair of the subcommittee – was supportive of the Acting Director’s decision to not provide the document in a timely manner. It was not immediately clear why
Targeting the wrong issues
A significant portion of the testimony focused on the IDs that were published in the document and what changes, if any, would need to be made to the IDs or processes surrounding them. Sorry, Congresswoman Jackson-Lee, but you’re barking up the wrong tree on this one. The pictures in the document were nowhere close to detailed enough to allow someone to make passable fakes from them. And that isn’t even considering the part of the “layers of security” the TSA uses that never actually verifies that the person on the photo ID is really the person traveling or that the ticket is really valid. Quite simply, checking IDs isn’t providing any security and even if it did someone desiring a fake would have better luck on Canal Street in New York City than dealing with those images.
Another significant line of questioning was focused on the use of contractors in the handling of SSI data inside the TSA. Specifically, it seems that one of the folks at the heart of producing the document for publication was a contractor at the time it was posted online (he has since become a full-time employee). Congresswoman Jackson-Lee was rather caught up on the idea that somehow there is a difference between a contractor and a full-time employee. There didn’t seem to be much rhyme or reason behind that distinction but she was more than willing to make it. Several times. Indeed, we can expect to see legislation in the new year restricting the handling of SSI from contractors. So very, very unnecessary.
Who has the document?
Congressman James A. Himes (D-CT) was rather blunt in the one question he asked, “No organization doesn’t make mistakes. The question is how well an organization learns from the mistakes. Is anyone looking to see who has downloaded it?” That’s right…forget about how it got out there, let’s focus on who is reading it and what we can do about that. Other congressfolk have inquired about any potential legal recourse that can be pursued to force websites hosting the document to remove it. That horse has already left the barn, but there’s no reason Congress can’t go out and start shooting horses randomly on the plains, or something like that. Except that there is a VERY good reason they cannot. It is 44 U.S.C. 3506(d)(4)(B). It states:
With respect to information dissemination, each agency shall—
(4) not, except where specifically authorized by statute—
(B) restrict or regulate the use, resale, or redissemination of public information by the public;
That’s the truncated version of the code but it basically means that neither the TSA nor anyone else can do anything about it once the document is out in the open. That hasn’t stopped the congressfolk from posturing but nothing will come of it.
In that same vein, the actual reply to Congressman Himes’s query was rather chilling. Acting Director Rossides stated that the Department of Homeland Security’s Inspector General office – the same folks conducting the inquiry into the TSA’s publication of the document – has compiled a list of who downloaded the document from the Commerce Department website and that they are working to reconcile that list against other lists they might have. They are also working on lists of who is hosting the document. It isn’t entirely clear what these lists will be used for since possession and distribution of the document is completely legal, but the DHS is compiling lists, just in case. This is a rather disturbing admission on the part of the TSA and DHS.
When asked what could be done about the copies of the document that are floating about, the Acting Director offered the following suggestion: “I would hope out of their patriotic sense of duty to their fellow countrymen [people hosting copies] would take [the document] down.” Good luck with that. Patriotism means acting for the good of the country, not for the good of a few folks who have made mistakes in running an organization which seeks to deny basic liberties covered by the Constitution when it is convenient for them.
Two useful questions
Lest the above make it seem that the hearing did not address anything useful it is worth noting one specific line of questioning that appeared to catch the Acting Director a bit off-guard and to really drive to the point of the charade that the TSA seems to be playing with this event. Congressman Emanuel Cleaver (D-MO) noted that, as is the case with any government document, the new versions build on the old versions. So the fact that there have been six revisions since the redaction mistake came out might not really be significant. The only reply that the Acting Director could muster is that the bulk of the information in the document is not SSI so that doesn’t really matter.
Congressman Cleaver also asked a very pointed question when Rossides noted that she felt the air travel system was safe. Specifically he asked if she would have actually admitted in an open session that she thought the answer was no. They parried a bit over words and there was never a “true” answer, but it definitely caught the Acting Director off-guard.
The Acting Director Responds
Acting Director Rossides made a couple statements during the hour-long session that suggested she might actually understand the gravity of the situation. That, or she’s been in Washington long enough to know what to say. Among the responses she offered:
I regret this occurred and take full responsibility for the mistake. Our response was swift, decisive and comprehensive. Passengers will fly safely…because of the layers of security in place.
We need better processes in place and tighter controls on how we handle sensitive information. We’re going to have to make sure that we have designated personnel…who are trained and really truly understand.
The actions of one or a few can … seriously impact the credibility of the agency.
Perhaps most significant because of what it implies about the previous behavior of the agency, the Acting Director offered up this nugget: the agency has asked the National Security Agency (NSA) to come in and work with them. The NSA has had documents published publicly for many years now explaining the importance of proper redaction and how to correctly accomplish it. Now that they’ve messed it up once the TSA has apparently decided to ask the NSA to come in and teach them how to do redaction correctly. It is great that they are finally (apparently) getting it right, but this has been a long time coming.
Ultimately the Congressional inquest does not appear to have had much effect on the behavior of the TSA. They’re still doing whatever they want and even when pressed on the issues they simply decline to answer. This is not good at all.
I find this point interesting:
“Patriotism means acting for the good of the country, not for the good of a few folks who have made mistakes in running an organization which seeks to deny basic liberties covered by the Constitution when it is convenient for them.”
When you found the document, was that seriously what went through your mind? Or is that a conveniently high-minded philosophical statement you have since come up with?
Somehow, you came across what appeared to be a sensitive document on the web, and your first thought wasn’t to protect it from bad guys – instead, you posted it for everyone to see – including terrorists. If you didn’t like TSA, you could have called the DHS or the FBI or even just let the website it was on know about it.
Maybe I’m a patriotic sap, but I wouldn’t have taken the route you did, especially after 9-11. You had the opportunity to do something that could, even in a small way, safeguard your country, and you didn’t. Instead you went for the 15 minutes of fame route. It’s a common route these days, which is a sad reflection on our society.
Let’s hope you never have to come to regret it.
Thanks for the thoughts, Katie.
I was not in this for 15 minutes of fame. I honestly figured it would be like pretty much all my other posts: read by a couple folks and then promptly forgotten. Have you read through the document yourself? Do you really find that it is exposing serious secrets or details that make air travel less safe? I do not. This was certainly an embarrassing mistake for the TSA but hardly does it create a playbook for terrorists or anything of the sort.
As for how to report it, I’ve been called out by a member of Congress on that front as well. He suggested that such things be handled “internally” just as you have. If I believed that there was any chance the TSA would actually be held accountable through such channels I would go that route. The fact is that they willfully ignore any number of rules and requirements whenever they feel it appropriate. They are accountable to no one. When the government can no longer manage itself it is up to the populace to fight back. Consider this just one small battle in that fight.
I think that too many people who are involved with security that has multiple layers have come to believe that security through obscurity is an important element of that. I would disagree on the importance of keeping any information labelled SSI secret from the public and I think you might also. A good democracy is dependent on an informed public and SSI has become a convenient excuse to hide malfeasance or incompetence. At best, keeping this document off the internet would just make it slightly more inconvenient in attempting to launch a terror attack. However, I don’t quite understand your rationale for making their redaction mistake public right off the bat. Was it because you believed the entire document should have been made available to the public in the first place? Alternatively, was it just to get TSA to realize and fix the fact that their personnel don’t know how to properly redact an electronic document? If the latter, it seems to me that informing DHS, FBI, a particular congressman or senator, or some government watchdog agency might have been the route to go. The end result, so far, has been this knee-jerk reaction by the TSA to lock down all SSI. That is not particularly helpful for anyone.
@Tristram: I hear you about trying to get real action from quietly reporting the problem rather than making a big stink about it. Unfortunately, however, the TSA has proven time and time again that unless the media gets involved and makes noise about their inane policies and inappropriate actions they will simply ignore the issues presented.
My goal is to make it abundantly clear to as many people as possible that the TSA is not capable of actually performing the duties with which they have been charged and try to motivate people to push for real change rather than blindly accept the double-speak that the TSA provides. Getting incidents like this out into the public discussion is the best way I’ve come up with to make that happen.