As previously posted I have a fair bit of experience with security screening in large facilities. With all the hype about airports these days it’s a good time to review the screening process and the role it plays in securing public areas. While one of the risks of security is believing expertise in one domain means expertise in all areas I believe large facilities/events and airports are related closely enough that we can apply the lessons of one to the other.

In summary the security screening process is an effective tool at reducing risk in controlled spaces but is an extremely ineffective tool at completely eliminating risk. Screening only works when used in conjunction with other security controls both inside and outside of the area/facility being protected in a layered model. Good old defense in depth applies just as much to the physical world as the electronic one. Screening has improved a bit in U.S. airports since 9/11 but seems to be relied on too heavily and just can’t provide provide the level of protection either the public or politicians seem to demand from it. Continually increasing scrutiny during airport screenings beyond normal levels or increasing ID requirements will not significantly reduce the risk of a successful attack. At this point the best way to reduce the chances of a successful attack is to use additional security controls spread throughout the air travel system. I’ll talk a bit at how we screened at events, but if you just want to know about airports you might want to skip to the end.

Back in the 90’s we used to perform physical searches on most of the people coming to concerts and sports events. Screening was just one of the many tools we used to ensure public safety at the event and it worked well for what we expected from it. Our screening met four goals:

  1. Check tickets or authenticate ID (depending on the event)
  2. Reduce unallowed items, like alcohol or cameras
  3. Reduce dangerous items like weapons/drugs
  4. Profile the person for entry (stopping extreme drunks, identifying problem children)

(more after the jump…)

Over the 10 years I worked event security I probably hand searched tens of thousands of people. It’s definitely not as fun as it sounds (and is surprisingly hard on the knees). We would vary screening considerably based on the risk profile of the event. A Barry Manilow show might get a quick visual check, while the latest skinhead gig would border a strip search. We didn’t use metal detectors due to a combination of cost and limited effectiveness. If all you’re looking for is metal they’re not too bad, but they suck for snagging boda bags full of Jack or vials of coke. One of the nice things about our events is that they were technically private- every ticket included a disclaimer that entry was solely at our discretion. You didn’t have to agree to a search, but we didn’t have to let you in. It seems harsh but some events can get a little rough. If we let everyone in with whatever they wanted things could get out of control in some very dangerous ways. Not for us, but for the people attending. I think it was a little worse back then, I rarely see the same kinds of brawls and injuries when I go to a show these days.

Screening for any particular show was designed using a few factors:

  1. Size of the event
  2. Number of staff and experience level
  3. Nature of the event/audience
  4. Special requests from the performer or event sponsor (like no cameras)
  5. Budget

A football game is huge- Folsom Stadium at the University of Colorado seats around 53,000 while the old Mile High stadium was just over 70,000. To cover an event of that size you need a large pool of cheap labor willing to work a single (or handful) of events screening at a dozen or more gates, with 5-15 screeners per gate. There’s no way to train an inconsistent group like that so we’d give them a quick briefing and place one or more experienced supervisors and regular staff with them. In this case the goal of screening is mostly to reduce the amount of booze making it’s way inside. When you convert a stadium to a concert venue that same facility might increase capacity by 30,000 while increasing the risk profile. Guns and Roses/Metallica was around 100,000. As much as we’d like otherwise we had to accept that screening at an event of that size would be only somewhat effective, so we beef up security in the event itself. We might run 50% more staff at a stadium concert than a football game.

Smaller shows usually had smaller budgets. For shows of all sizes we had to try and match staff to get the attendees in as quickly as possible. Most people show up within an hour of a show starting, so we might have to hand search 3,000-10,000 people in that time and we’d balance staff and budget as best we could. For high risk shows we’d use the most experienced staff possible and rotate frequently to keep people fresh. There’s no manual for this stuff, but after working enough shows you get a good feel for the different kinds of crowds, when they’ll show up at the doors, what they’ll try to sneak in (everyone sneaks something in), and what to look for in terms of behavior and dress. You’d be surprised at which shows were the best or worst. Buffett concerts and Dead shows had plenty of fights and injuries, while speed metal shows were usually pretty tame aside from the mosh pits.

But screening was only one small part of our security controls. Security typically stared in the parking lots and roads around the event, with a mix of identified staff and a few people in regular clothes. Out in the parking lots we’d look for problems, take care of the drunks, and give early verbal instructions for what you could or couldn’t bring in. Pre-screening plays a critical role in identifying early problems and preparing the attendees for faster screening. The goal is to filter, on sight, as much as possible before they get to the gates.

At the gates/doors supervisors or experienced staff would carefully observe and profile as people entered. Yep- profiling is an extremely effective tool. With the right experience (and a little training, but you can’t learn this in a class) you can spot a lot of problems before they start. We’d watch for drunks, fighters, medical problems, the drugged out, or any hinky behavior. Supervisors would radio in anyone we’d need to keep an extra eye on or pull the person aside for a conversation.

Past the gates we’d distribute staff throughout the facility. The most experienced staff were on roving teams or supervising an area, while temp labor would get stuck in front of a non-critical door or at some other stationary point. The job of the temp staff was just a show of force and to maybe keep people out of a specific area, while the really experienced staff would roam the facility looking for active problems or problems about to start. The most experienced supervisors would wear normal clothes and wander the crowd without drawing attention to themselves. And this is the key to effective event security- basic screening combined with experienced staff constantly monitoring for both active problems and unusual behavior or situations that might lead to a problem.

So with that entirely-too-long overview of concerts let’s look at airports. As a frequent traveler I’m in airports about four times a month, sometimes more, so I have a good feel for any visible security. As I see it the problems with current airport security are:

  1. Lack of effective pre-screening
  2. No tolerance for risk but a nearly complete reliance on screening for security
  3. Lack of post-screening security
  4. Over-reliance on technology for screening
  5. Lack of brain profiling
  6. Use of computer profiling
  7. Reliance on ID as a security control
  8. Inadequate staff adjustments when security needs change (longer lines)

Since this post is already long I won’t bore you with a drill down on each of these problems but will highlight a few points and make some suggestions on improving security overall. The biggest issue is we, or the bureaucrats in charge, have adopted a zero tolerance policy but rely on screening as pretty much the only security control. Thus anytime there’s a new threat our main response is to increase screening or ban more items. Shoe bombers? Time to take off those shoes (not that the x-rays will find anything). Liquid explosives? Leave the shampoo at home. And despite all these measures someone with the right knowledge and determination is still a threat. You can’t bring on your pocket knife but nothing stops the bad guy from sharpening the edges of the metal supports in his roller bag to a knife edge and assembling them into a full-sized sword in the anything-but-full-sized restroom. Even worse, our screening relies nearly completely on technology with limited effectiveness. The real bad guys will build bombs into their laptops (and x-ray them ahead of time to make sure they look right).

Screening only reduces what gets in, it doesn’t eliminate it.

Now I do think screening has improved since 9/11 and the quality of TSA seems a lot higher than the lowest-bid contractors we used to have. But nearly 5 years later the government is just starting to implement behavioral (not ethnic) profiling and there’s still nearly no internal security outside a few police on overtime wandering the terminals.

Short of banning all carry-on luggage and in the process destroying the aviation industry we’ve hit the limits of what security screening can prevent. Rather than inconveniencing passengers even more, TSA can improve security while potentially streamlining screening through:

  1. Increasing pre-screening and patrols outside security checkpoints
  2. Increasing use of profiling. Replace temp-workers checking IDs with security professionals visually screening passengers
  3. Increase uniformed and plain clothes security patrols in terminals
  4. Increase the variation in security screening- banning liquids for a short time when a threat might still be active is reasonable, but security can be randomly increased, decreased, and changed so attackers never know what to expect (and I don’t mean pissing passengers off by randomly banning items).
  5. Increasing security officers in airplane cabins. I don’t mean more armed air marshals, but unarmed (yet well-trained) security professionals.

No security is perfect, and a determined and intelligent attacker could probably defeat even these controls, but by adding additional non-intrusive security controls we can rely less on screening and increase security while improving the flight experience. We need to build more layers into air transport security, not try and build a single really big wall. We have defense in depth at concerts and football games, why not airports?

added: a more techie-based take on screening at Security Sauce