Agency’s risk assessment out of date, does not address insider threats

TSA airport lines


The Transportation Security Administration, tasked with protecting the nation’s airports from terrorism and other threats, exhibits weaknesses in its oversight of commercial airport security, according to a government watchdog report.

The Government Accountability Office issued an 85-page report on Tuesday detailing how the TSA has failed to assess vulnerabilities in the nation’s system of airport hubs and communicate information about security risks to airport stakeholders.

The watchdog also found that the TSA’s Risk Assessment of Airport Security, released by the agency in 2013, has not been updated for three years to include new information about potential risks such as insider threats.

The report comes amid increased concerns about domestic and international terrorism. The U.S. government has warned of the heightened probability of terror plots against the West in the wake of coordinated attacks carried out by ISIS in Paris and Brussels.

In a follow-up to a 2009 review of the TSA, GAO auditors looked into the agency’s assessment of threats and vulnerabilities at the nation’s approximately 440 commercial airports. The watchdog also looked to measure how the TSA has improved oversight of airport perimeter and access control security.

The GAO found that while the TSA has improved its assessment of risks to airport security since 2009 the agency “has not comprehensively assessed the vulnerability of airports system-wide” through its primary measure of airport vulnerability, the joint vulnerability assessments conducted with support from the FBI.

The TSA has conducted these assessments since fiscal 2009 at 81 commercial airports, or about 18 percent of commercial airports nationwide. The agency has almost completely neglected smaller airports—classified as Category III and IV airports—despite the fact that these airports make up over 60 percent of U.S. commercial airports.

The agency has ignored these airports despite evidence they have experienced over 1,670 security incidents connected to perimeter and access control security since 2009. The incidents documented at these airports include “individuals driving cars through or climbing airports’ perimeter fences and aviation workers allowing others to follow them through airport access portals against protocol,” the GAO wrote.

While the number of vulnerability assessments performed by the TSA increased slightly between 2009 and 2015, the watchdog emphasized that the current practice still does not constitute a comprehensive assessment of the nation’s airports.

“By assessing the vulnerability of airports system-wide, TSA could better ensure that it has comprehensively assessed risks to commercial airports’ perimeter and access control security,” GAO wrote.

“The events that occurred at Category III and IV airports may not have garnered the same media attention, or produced the same consequences, as those at larger airports. However, they are part of what TSA characterizes as a system of interdependent airport hubs and spokes in which the security of all is affected by the security of the weakest one.”

TSA officials who spoke to GAO auditors blamed “resource constraints” on the limited number of vulnerability assessments. FBI officials left it up to the TSA to increase the number of reviews but indicated it would not present a “significant strain” on the bureau’s resources to do so.

Additionally, the GAO investigation revealed that the TSA has not updated its 2013 risk assessment of airport perimeter and access control security to reflect new information gleaned from joint vulnerability assessments and other security risk reviews, which runs counter to federal standards. The agency has not routinely shared new information about potential risks with airport operators and other stakeholders.

This includes information about potential insider threats at commercial airports from the TSA workforce and other aviation workers.

“TSA’s Risk Assessment of Airport Security is not up-to-date. According to both TSA and the FBI, the insider threat is one of aviation security’s most pressing concerns,” the GAO explained. “Insiders have significant advantages over others who intend harm to an organization because insiders may have awareness of their organization’s vulnerabilities, such as loosely enforced policies and procedures, or exploitable security measures.”

TSA officials told GAO that the agency does not have plans or a process to update the risk assessment or share updated information with airport operators and other parties. The TSA’s chief risk officer agreed with the watchdog’s recommendation that updating and routinely sharing the risk assessment information would boost oversight at the nation’s airports.

The GAO report made a number of recommendations for the agency to improve security oversight, including developing the means to assess airport vulnerabilities throughout the entire system of U.S. airports.

The report was provided to the Department of Homeland Security, which concurred with the GAO’s recommendations and said the agency has undertaken actions to address deficiencies.

The TSA, which operates on a $7 billion budget, has been widely scrutinized for its inefficiency and major security screening failures. The acting TSA administrator was reassigned last June after an internal investigation revealed that mock explosives and weapons made it past security checkpoints 95 percent of the time.

The agency has been criticized recently as fliers waited in long lines for security screening at airports. The lines were also attributed to a lack of personnel resources by the agency. The TSA is poised to add hundreds of newly trained agents to its ranks in the coming months in order to shrink security wait times.