Nothing like calling the boss onto the mat in front of Congress to get some answers when a mess happens in government. Not that it is likely much will change – and certainly not quickly – but the Homeland Security Committee of the United States Congress held hearings this afternoon regarding the breach. The hearings are entitled “Has the TSA Breach Jeopardized National Security? An examination of What Happened and Why.” Sadly, there is virtually zero chance of actually getting an answer to the questions, and even less of a chance that real change will come out of this. Still, the government rolls slowly on.
After a full hour of testimony it does not appear that anyone – neither congressfolk nor TSA officials – actually understand the significance of what has happened. The hour of testimony featured a couple rather pointed questions and they went unanswered. I followed up with some public affairs folks regarding open inquiries I have and I was stonewalled. And the most pressing questions simply were not asked.
Why was the document published?
A rather significant chunk of the discussion was focused on why the document was public at all. Ignoring the redaction problems that came up that should be a non-issue. Having the SOP in public is a good thing for the traveling public. In fact, having all the screening SOPs out there is the only fair and reasonable way to treat the public. The current approach treats all potential passengers as criminals and leaves them at the whim of the TSO they interact with at any particular moment. Having the actual rules in the open would permit the public to actually know their rights and exercise them rather than be subjected to a power-tripping agent having a bad day. Acting TSA Administrator Gale Rossides acknowledged that there are a dozen other SOP documents that the TSA currently uses for passenger screening operations. All are considered SSI and therefore are more or less unknown to the public.
Despite media claims to the contrary the document is not a roadmap to anything. Sure, there are a couple things that probably didn’t need to be out in the open, but they are not creating an inherently more dangerous travel environment at all. Legitimate security doesn’t depend on the ignorance of those being policed. It depends on well-trained folks responding to legitimate threats and acting on real intelligence information. Sadly the TSA does not provide that and having this document out in public does not change that situation.
Moreover, the TSA has essentially committed to not using the Internet for dissemination of redacted documents in the future. Any SSI document that needs to be shared with potential contractors will likely be held in a “reading room” or other similar facility at a TSA office. This will increase the burden on the contractors trying to fill these contracts and provide no reasonable increase in security or any other palpable benefits to the American people.
In a move that can only be described as knee-jerk and over-the-top Rossides testified that TSA has instituted a “full operational lockdown” regarding the further sharing of SSI information. This lockdown applies to all documents containing SSI data. Most troubling, this lockdown also includes a restriction on sharing the appropriate information with members of the Congressional committees that have oversight of the TSA. Not only do they not want the public to see the documents, they also will not allow the congressmen and women who have a direct responsibility to review and understand the operations access to the current version of the SOP documents.
The TSA has held briefings and information sessions with congressional staffers and provided “access” in that way but no real access. When pressed on this issue Rossides acknowledged that she was aware of the legal obligation the department was under to share such information but insisted that she could not do so at this time. Congressmen Dent (R-PA) pressed the Acting Director on this issue quite aggressively. He suggested that the TSA was not willing to share the information because they felt congressfolks were likely to leak it or for some other similar reason. He also noted that this is the first time such a request has not been affirmatively responded to in a timely manner. Why now? Why is this one different? Rossides wouldn’t say, but she was insistent that such action was necessary. Equally troubling was that Congresswoman Jackson-Lee (D-TX) – the chair of the subcommittee – was supportive of the Acting Director’s decision to not provide the document in a timely manner. It was not immediately clear why
Targeting the wrong issues
A significant portion of the testimony focused on the IDs that were published in the document and what changes, if any, would need to be made to the IDs or processes surrounding them. Sorry, Congresswoman Jackson-Lee, but you’re barking up the wrong tree on this one. The pictures in the document were nowhere close to detailed enough to allow someone to make passable fakes from them. And that isn’t even considering the part of the “layers of security” the TSA uses that never actually verifies that the person on the photo ID is really the person traveling or that the ticket is really valid. Quite simply, checking IDs isn’t providing any security and even if it did someone desiring a fake would have better luck on Canal Street in New York City than dealing with those images.
Another significant line of questioning was focused on the use of contractors in the handling of SSI data inside the TSA. Specifically, it seems that one of the folks at the heart of producing the document for publication was a contractor at the time it was posted online (he has since become a full-time employee). Congresswoman Jackson-Lee was rather caught up on the idea that somehow there is a difference between a contractor and a full-time employee. There didn’t seem to be much rhyme or reason behind that distinction but she was more than willing to make it. Several times. Indeed, we can expect to see legislation in the new year restricting the handling of SSI from contractors. So very, very unnecessary.
Who has the document?
Congressman James A. Himes (D-CT) was rather blunt in the one question he asked, “No organization doesn’t make mistakes. The question is how well an organization learns from the mistakes. Is anyone looking to see who has downloaded it?” That’s right…forget about how it got out there, let’s focus on who is reading it and what we can do about that. Other congressfolk have inquired about any potential legal recourse that can be pursued to force websites hosting the document to remove it. That horse has already left the barn, but there’s no reason Congress can’t go out and start shooting horses randomly on the plains, or something like that. Except that there is a VERY good reason they cannot. It is 44 U.S.C. 3506(d)(4)(B). It states:
With respect to information dissemination, each agency shall—
(4) not, except where specifically authorized by statute—
(B) restrict or regulate the use, resale, or redissemination of public information by the public;
That’s the truncated version of the code but it basically means that the neither the TSA nor anyone else can do anything about it once the document is out in the open. That hasn’t stopped the congressfolk from posturing but nothing will come of it.
In that same vein, the actual reply to Congressman Himes’s query was rather chilling. Acting Director Rossides stated that The Department of Homeland Security’s Inspector General office – the same folks conducting the inquiry into the TSA’s publication of the document – has compiled a list of who downloaded the document from the Commerce Department website and that they are working to reconcile that list against other lists they might have. They are also working on lists of who is hosting the document. It isn’t entirely clear what these lists will be used for since possession and distribution of the document is completely legal, but the DHS is compiling lists, just in case. This is a rather disturbing admission on the part of the TSA and DHS.
When asked what could be done about the copies of the document that are floating about the Acting Director offered the following suggestion: “I would hope out of their patriotic sense of duty to their fellow countrymen [people hosting copies] would take [the document] down. Good luck with that. Patriotism means acting for the good of the country, not for the good of a few folks who have made mistakes in running an organization which seeks to deny basic liberties covered by the Constitution when it is convenient for them.
Two useful questions
Lest the above make it seem that the hearing did not address anything useful it is worth noting one specific line of questioning that appeared to catch the Acting Director a bit off-guard and to really drive to the point of the charade that the TSA seems to be playing with this event. Congressman Emanuel Cleaver (D-MO) noted that, as is the case with any government document, the new versions build on the old versions. So the fact that there have been six revisions since the redaction mistake came out might not really be significant. The only reply that the Acting Director could muster is that the bulk of the information in the document is not SSI so that doesn’t really matter.
Congressman Cleaver also asked a very pointed question when Rossides noted that she felt the air travel system was safe. Specifically he asked if she would have actually admitted in an open session that she thought the answer was no. They parried a bit over words and there was never a “true” answer, but it definitely caught the Acting Director off-guard.
The Acting Director Responds
Acting Director Rossides made a couple statements during the hour-long session that suggested she might actually understand the gravity of the situation. That, or she’s been in Washington long enough to know what to say. Among the responses she offered:
I regret this occurred and take full responsibility for the mistake. Our response was swift, decisive and comprehensive. Passengers will fly safely…because of the layers of security in place.
We need better processes in place and tighter controls on how we handle sensitive information. We’re going to have to make sure that we have designated personnel…who are trained and really truly understand.
The actions of one or a few can … seriously impact the credibility of the agency.
Perhaps most significant because of what it implies about the previous behavior of the agency, the Acting Director offered up this nugget: the agency has asked the National Security Agency (NSA) to come in and work with them. The NSA has had documents published publicly for many years now explaining the importance of proper redaction and how to correctly accomplish it. Now that they’ve messed it up once the TSA has apparently decided to ask the NSA to come in and teach them how to do redaction correctly. It is great that they are finally (apparently) getting it right, but this has been a long time coming.
Ultimately the Congressional inquest does not appear to have had much affect on the behavior of the TSA. They’re still doing whatever they want and even when pressed on the issues they simply decline to answer. This is not good at all.
- Congress takes TSA to task
- TSA backpedaling on the redacted SOP
- Congress takes TSA to task
- Watching the TSA SOP document leak story grow
- The TSA continues their clean-up operation
- TSA says its OK; layers will protect us
- The TSA document is gone. Or is it?
- The TSA makes another stupid move