Second public hearing of the National Commission on Terrorist Attacks Upon the United States
Statement of Jane Garvey to the
National Commission on Terrorist Attacks Upon the United States
May 22, 2003
What was the nation's aviation security posture as of September 11, 2001?
Mr. Chairman and Members of the Commission:
Thank you for this opportunity to testify today and provide my perspective as the administrator of the Federal Aviation Administration from August 1997 until August 2002. I commend the work of this Commission to prepare a full and complete account about the attacks of Sept. 11. This is essential in safeguarding our nation against future attacks whether our attackers use aviation or some other means.
It is a dangerous world. The U.S. learned just how dangerous the morning of Sept. 11, 2001. Perhaps the greatest lesson of Sept. 11 is that the terrorist threat is just as real here at home as it is for our embassies in East Africa, a naval destroyer in Yemen, or the Marine Barracks in Beirut.
On Sept. 10, 2001, by statute civil aviation security in the U.S. was a shared responsibility. Air carriers had the primary responsibility for screening passengers and baggage, and for applying security measures to everything that went on their planes. Airports were responsible for keeping a secure ground environment and for providing local law enforcement support. Government's role - the FAA's role - was regulatory. By rulemaking, FAA set the security standards for 429 U.S. airports, for U.S. airlines worldwide, and for foreign air carriers flying to the U.S. from about 250 foreign airports, and ensured compliance with those standards.
On Sept. 10, 2001, aviation security in this country was on a peacetime footing. The FAA had fought hard to make changes in the aviation security baseline - changes supported by credible threat information and analysis.
As Brian Jenkins, senior advisor at Rand Corporation has said, "Security against terrorism is always reactive." You can think as a terrorist might and "conjure up more diabolical scenarios than any security system can protect against." The challenge is not formulating attack scenarios. The challenge is figuring out how best to allocate finite resources in an environment of uncertainty.
On Sept. 10, we were a nation bedeviled by delays, concerned about congestion, impatient to keep moving. Congress was considering a passenger bill of rights to get airlines to perform better - reduce delays, keep passengers informed about problems, and do a better job with baggage. On Sept. 10, aviation security was responsive to the assessed threat based on information from intelligence and law enforcement agencies.
The FAA's Office of Civil Aviation Security Intelligence had the primary responsibility of assessing the threat to U.S. civil aviation security. Threat analysis was conducted in collaboration with the U.S. intelligence and law enforcement communities, and based on raw and finished intelligence products supplied to the FAA from these communities.
On Sept. 10, everyone in aviation security had to target limited resources to those threats that history and current intelligence told us needed to be a priority. And FAA did not have any solid intelligence that indicated the type of attack we saw on Sept. 11 was planned, or even that it was possible within the United States.
Aviation has long been a target for terrorists, criminals, or the mentally deranged. It was a target in the 1960s and 1970s when hijackers took over commercial flights and diverted one after another to Cuba. The government and industry responded and began the universal screening of passengers and their hand-carried baggage. Two extremely violent hijackings in 1972 led to the checkpoints with metal detectors and X-ray equipment that are now commonplace.
Subsequent additions to the aviation security baseline involved control of access to aircraft and the physical security of airport premises.
Following these initial steps, further changes to the domestic baseline were incremental until the 1980s when Palestinian terrorist organizations attacked U.S. carrier aircraft outside of the United States.
Three attacks took the form of small explosive devices left aboard the aircraft by ticketed passengers who planted the device within the cabin and then got off, leaving the device behind. Two of the devices detonated in flight killing a small number of passengers, but not totally destroying the aircraft. One device malfunctioned and was found some time later during aircraft cleaning.
As the threat changed, based either on incidents - or on intelligence indicating a likely attack scenario - changes were made in counter-measures to address the new threat. For example, in response to the threat of small bombs left behind in the cabin by passengers traveling between foreign locations, new procedures for search of aircraft overhead bins and other areas of the aircraft at intermediate stops abroad were implemented.
During the same period, there were a series of terrorist team hijackings by the Hezbollah, a Shiite Arab terrorist group. Two hijackings targeted Kuwaiti Air Lines aircraft and one an Air Afrique aircraft. But the most notable for the United States, was the hijacking of TWA flight 847 in 1985. This three-week ordeal received worldwide public, media and governmental attention.
The takeover of TWA flight 847 was one of the most important in a series of incidents that drew the nation's attention to the greater threat overseas to U.S. flag carriers. The hijacking began in Athens, Greece, and continued as the aircraft was moved from place to place. Along the way, the hijackers picked up reinforcements and supplies. Eventually, the hostage passengers and crewmembers were taken off the airport in Beirut and held prisoner.
This incident was a watershed in U.S. civil aviation security programs. Following it, the Congress and the Executive Branch took a number of important steps that included:
- Re-emphasizing the Air Marshal program and giving it a primarily overseas mission.
- Creating an FAA Intelligence Division with direct real-time connectivity to the U.S. Intelligence Community and enhancing FAA Command Center operational facilities.
- Instituting the Foreign Airport Assessment program with a cadre of inspectors based outside the United States to evaluate the security provided at foreign airports in accordance with internationally accepted standards.
- Establishing a mechanism for the Secretary of Transportation to take sanctions against countries whose airports failed to meet international standards. For example, the Secretary prohibited flights between Nigeria and the U.S. because Nigeria was not meeting the standards.
In 1986, another major incident involved the seizure of a Pan American Airways B-747 on the ground in Karachi, Pakistan, by members of the Abu Nidal Organization. This Arab terrorist group was well known for attacks against Israeli and U.S. targets and claimed its attacks were part of the group's campaign against Israel.
All of these hijackings occurred in the Eastern Mediterranean/Middle East/South Asia area in which the Arab terrorist organizations had an operational infrastructure. The possibility of attacks within the U.S. proper was not ruled out, but virtually all sources of intelligence and analysis agreed that the threat to not just aviation, but to all U.S. interests, was much greater abroad.
Furthermore, the bombing attempts and the hijackings directed against the U.S. airliners in this period occurred internationally, and the hijackings were what we now consider traditional hijackings - in which the hijackers seize control of the aircraft in order to obtain transportation or in which they use the passengers as hostages.
As a result, in the mid and late 1980s the existing security baseline for the protection of U.S. civil aviation was raised for U.S. air carrier operations outside of the United States, particularly those operating in what was then called the "Extraordinary" security area (Europe, Middle East, South Asia, and North Africa). These measures included more stringent security procedures applied to checked baggage, carryon items, passengers, and cargo. The majority of the airline service was by TWA and Pan American.
However, over the next ten years, other major U.S. carriers entered foreign markets with new routes or took over existing routes. By 1996, 14 U.S. air carriers served 57 higher- threat locations where "extraordinary" security measures were required. While both the number of U.S. carriers and destinations increased, the threat to U.S. carriers was also increasing. And, as host governments and host airport authorities each had unique policies and security programs, FAA coordinated the implementation of security measures with each country's government officials. This led to a more complicated - and challenging - U.S. aviation security program abroad for both FAA and the U.S. carriers. It was, in effect, modified and tailored to address the threat posed to U.S. aviation on a country-by-country basis.
Within the U.S., requirements were levied on all airports to control access to airport- restricted areas, to provide a secure operating environment for air carrier operations, and to provide law enforcement support. These included systems that allowed authorized personnel only into airport-restricted areas, the requirement to wear identification media by all personnel in those areas, and lock and key controls. These were to complement the security requirements imposed on the airlines.
The danger posed by onboard explosives was demonstrated in 1987 when North Korean agents put an explosive device aboard a Korean Air Lines jet and got off at an intermediate stop. All aboard perished and the aircraft was destroyed.
The focus returned to domestic security with the 1987 PSA flight 1771 incident. A recently terminated airline employee used his employee credentials to bypass screening and board the flight. He killed a former supervisor and caused the aircraft to crash.
This incident and other domestic developments led to increased emphasis on control of employee credentials and a major effort to establish a system of automated access controls, alarms, and other measures to improve access control to restricted areas of the airports.
In 1988, the world saw the devastating effects of an explosive device in checked luggage. The December 21, 1988, bombing of Pan Am flight 103 over Lockerbie, Scotland, was at the time one of the most deadly terrorist acts ever - resulting in the death of 270 people. A sophisticated explosive device was hidden in a radio-cassette tape player in checked baggage, without a passenger being onboard. The bag containing the bomb was checked on a connecting flight that originated in Malta. The bag was subsequently transferred to the Pan Am flight.
The bombing of Pan Am 103 stimulated the most significant changes in aviation security since the early 1970s. This bombing generated the largest criminal investigation in history, an inquiry by the FAA concerning the security program of the air carrier, an inquiry in Scotland called the "Fatal Accident Inquiry" and a U.S. Presidential Commission in the United States called the "President's Commission on Aviation Security and Terrorism."
The work of that commission influenced the Aviation Security Act of 1990, which gave FAA additional responsibility for research, directed the use of explosives detection systems, heightened the emphasis on intelligence and threat assessment, and elevated the stature of aviation security within the FAA
Also as a result of discussions with that commission, the FAA established a special testing and inspection activity to simulate criminal and terrorist attacker modus operandi and conduct covert examinations of the effectiveness of aviation security systems. This "Red Team" was designed to produce information that could be used at the highest levels of the FAA security organization to make strategic decisions concerning aviation security programs. It was not designed to provide the basis for local enforcement action although it did, from time to time, produce information that was used on a local basis to identify problems for follow up by locally assigned inspectors.
The Red Team data was very valuable to the FAA's top security official for identifying systemic problems and trends. In some instances, the Associate Administrator for Civil Aviation Security used Red Team findings in discussions with airline executives about how best to correct security performance problems. This data helped guide key decisions on the deployment of explosive detection systems and in setting aviation security research and development priorities. Red Team findings influenced screener training, led to changes in the computer-assisted profiling program, and helped direct changes in the protocols for Positive Bag Match, among others.
Also, FAA adopted some of the innovative testing methods developed by the Red Team for use by the general security inspector workforce as "Realistic Operational Testing" during the late 1990s.
Unfortunately, Red Team members were not always kept well informed on the ways in which the information they produced was used, and some may have concluded their efforts were wasted. I assure you this was not the case.
In the mid-1990s, FAA increased the security measures required of U.S. air carriers flying into South America because of intelligence assessment of activities in the region. In 1992, the Israeli Embassy in Buenos Aires was bombed and in 1994, the Argentine Israeli Mutual Association was also bombed. Subsequent investigation and analysis indicated that a growing operational presence of Middle Eastern terrorist groups existed in certain countries in South America. Some of those groups had a history of attacking U.S. targets, including civil aviation. As a result, the FAA directed that additional security measures be applied to those flights on a permanent basis.
More emphasis would follow in 1996 with TWA 800 and the White House Commission on Aviation Safety and Security recommendations. Key security recommendations from this commission focused on airport screening, especially to counter the threat of explosive devices. A summary of the recommendations of these commissions and action taken are attached. The FAA and Department of Transportation - as well as the other elements of the United States government and aviation industry - took the commission recommendations seriously. FAA had already completed 24 of the 27 Commission security recommendations assigned to the FAA and the other three were being addressed through rulemaking before Sept. 11.
One recommendation of the 1990 (Pan Am 103) Commission led to the creation of FAA Civil Aviation Security Liaison Officers to coordinate security programs and activities with foreign counterparts. This helped address the steadily increasing complexity of international aviation security. Another commission recommendation resulted in legislation creating Federal Security Managers at the larger U.S. domestic airports. Eighteen such posts were created initially and two more as other airports grew in size and complexity.
In addition to other actions taken in response to the increased threat to U.S. civil aviation abroad, the FAA further expanded its Intelligence Office and increased its capabilities. On the eve of the first Gulf War in 1991, a 24-hour, seven-day-a-week intelligence watch was created and permanent FAA intelligence liaison officers were assigned to the CIA, Department of State, and FBI.
By the mid-1990s, the FAA Office of Intelligence had grown to 41 employees. Most of the analysts in the office were drawn from agencies such as CIA, FBI, Secret Service, and State Department, where they had worked the terrorist problem for years before coming to FAA. At FAA, they put that experience to work from a unique aviation perspective.
One of the explicit recommendations of the 1990 Presidential Commission was that FAA create a system of Security Directives to replace the pre-Pan Am 103 "Security Bulletins." These bulletins had been used by the Intelligence Office to notify regulated parties within the aviation security system of new information concerning threats or possible attack methods, but did not levy mandatory changes in security measures. The new system of Security Directives did levy mandatory and enforceable changes in security measures to offset a new threat.
The process for developing and issuing a Security Directive provides a good illustration of the risk assessment process in use at the time of the Sept. 11 attacks. This process is similar to what is used by many other agencies with responsibilities for risk assessment and development of security policy.
The FAA Intelligence Office, in concert with other U.S. Government entities, would consider both the intentions and the capabilities of would-be attackers to determine if such entities actually posed a threat. FAA brought aviation expertise to the threat analysis, but it relied on the other agencies to gather the intelligence information.
Then the Intelligence, Policy, and Operations elements of the FAA Office of Civil Aviation Security would collaborate on examining the threat in comparison with the vulnerabilities of the aviation industry operation or facility in question. Vulnerability information came from observation, testing, and inspection of the industry and information from the industry itself and, on occasion, from other entities such as the Department of Transportation Inspector General and the General Accounting Office of the Congress.
In this fashion, FAA determined for urgent matters what needed to be ordered by a Security Directive. And if the threat was of a more long-term nature, the same process applied to establishing or modifying the baseline security requirements for U.S. air carriers, foreign air carriers flying to the U.S., and U.S. airport operators through the traditional rulemaking process. In addition, FAA worked through the International Civil Aviation Organization, the aviation arm of the United Nations, to develop appropriate baseline standards for aviation around the world.
To oversee industry's application of these security requirements FAA had several hundred inspectors assigned across the country as well as around the world where U.S. air carriers operated. Inspectors conducted inspections and assessments routinely at all air carrier stations and airports. These were augmented by the Special Assessment "Red" Team" inspectors who often traveled through the system as passengers, while testing a specific element of the security system.
Additionally, FAA field inspectors conducted special emphasis inspections system-wide concerning individual components of the aviation system. FAA used an automated tracking system for trend analysis of findings, and used that data along with audit results from the General Accounting Office (GAO) and the Office of Inspector General (OIG) to make adjustments in training for FAA inspectors and industry security personnel, as well as to clarify or improve our requirements and adjust our inspection schedules.
For example, in January 2001, the Office of Inspector General recommended in its Report of Top DOT Management Challenges that FAA improve screener performance. FAA was working on a rule to improve screener performance by certifying screening companies. The rule was completed and was designed to give the FAA direct regulatory authority over screening companies. It increased the amount of training required by screeners, tracked the performance of screening companies to performance criteria, and provided uniform standards to improve the training and testing of screeners.
The OIG also recommended that employees at airports have strengthened background investigations. Since 1992, FAA had been attempting to strengthen the background checks of individuals with unescorted access to sterile areas of the airport but had not found sufficient support for this proposal in the industry or the Congress to create a stronger regime.
At the time of the 2001 OIG recommendation, FAA already required that individuals at airports with access to sensitive areas have employment history checks, and criminal history checks were being conducted for new employees at the nation's largest 20 airports. FAA planned to require criminal history checks at all airports by the end of 2003.
Performance of the thousands of screeners hired by the air carriers and access controls at the 429 airports across the country were two of the most continually challenging aviation security issues faced by the FAA, and both were largely a human factors issue. Screeners conducted extremely repetitive activities and rarely saw weapons, much less explosive devices. Employees at airports were responsible for carrying out security functions along with their fulltime jobs. Keeping both categories of employees vigilant in an environment where they did not necessarily perceive a threat to exist was the underlying challenge prior to Sept. 11.
Furthermore, a frustration in aviation security, as FAA knew from its experience in safety, is measuring success - since success is the absence of failure. There is no way to know how many incidents or how many accidents your efforts prevent. The successes are usually unseen.
We do know that over the years, the U.S. approach to aviation security had its successes. Preventive measures stemmed the domestic hijacking epidemic. Although there were later waves of air piracy, domestic hijackings never again reached the worst pre-1973 levels. It had been more than 10 years since the last such crime before Sept. 11. At the same time, there were more hijackings overseas - nearly 200 over the past ten years.
Yet, following the bombing of the World Trade Center in 1993 it became obvious that the general terrorist threat in the United States had increased. It was not immediately clear what the threat might be with respect to domestic civil aviation but evaluation of the intelligence that continued to come in drove the FAA Office of Intelligence to the conclusion that some terrorist groups were preoccupied with the idea of attacking civil aviation and that, in fact the domestic threat to civil aviation had, in fact, increased.
An important event that contributed to this analysis was Ramzi Yousef's 1995 plot to bomb as many as 12 U.S. jetliners nearly simultaneously. Yousef had been key to the planning of the 1993 bombing of the World Trade Center - but had escaped. His new plot was code-named "Bojinka" by the terrorists.
Early in 1995, a fire in an apartment in the Philippines led U.S. law enforcement and intelligence officials, working with the Philippine authorities, to discover information about a plot to simultaneously destroy 12 U.S. passenger aircraft in the Pacific region by putting explosive devices aboard. FAA received information about possible methods of attack, such as how the explosives would be hidden and disguised, how the attackers would use leave-behind devices, and how they would look at all avenues of access to the aircraft. FAA immediately issued additional security measures for U.S. carriers operating in that part of the world specifically responsive to those means of attack.
For the next six weeks, the U.S. government followed developments closely. The FAA and the intelligence community saw in real time terrorists adjust their targeting because our measures were too difficult to take on. One attacker turned back from an air cargo facility when he saw counter measures being implemented. FAA learned from further intelligence information the next approach the attackers were planning to take. When FAA learned the new plans, it put in new measures. These were high-impact measures, which complicated the air carriers operations, but everyone knew of their importance because of the underlying intelligence information. For example, cargo had to be held for a period of time before transport, to guard against explosive devices being hidden inside. Searches of carryon luggage were intensified, and aircraft searches were also increased, both in frequency and specificity. The airlines did an outstanding job instituting these measures making sure their flights were properly
protected and safe. The plot was finally disrupted by the efforts of law enforcement.
There is no doubt this teamwork by the U.S. government and industry, assisted by our international counterparts, saved certainly hundreds, and likely thousands, of lives. This was perhaps the greatest aviation security success and illustrated the ability of industry and government to thwart a severe threat when armed with good intelligence.And until Sept. 11, the 1995 plot was the most spectacular aviation attack ever planned. It had all been planned for execution outside the United States.
After the success in the Philippines, we began discussions within the Executive Branch, the Congress, and industry on what we believed was a significantly elevated domestic threat, given the connection between Yousef and both the Bojinka Plot and the 1993 World Trade Center bombing. We achieved some consensus that the security measures in place within the U.S. - what is referred to as the "baseline" - needed a comprehensive review and possible overhaul.
Based on this analysis, the first meeting of the Baseline Working Group (BWG), composed of government and industry experts, to begin to establish the parameters of the new baseline took place on July 17, 1996. TWA flight 800 crashed in the Atlantic that evening.
Given the general belief that the terrorist threat in the United States had increased and the recent Bojinka plot, it is not surprising the public and government immediately focused on the possibility the crash had been caused by a criminal, most likely terrorist, act. The President rapidly established the White House Commission on Aviation Safety and Security, or Gore Commission, mentioned earlier.
The Baseline Working Group continued to map out recommendations for a new domestic security baseline, and the commission made good use of that effort adopting and endorsing much of what the Baseline Working Group recommended to improve screening and counter the threat of explosive devices.
From the Baseline Working Group, the FAA developed a new approach to screener proficiency using false threat image projection. This program, called TIP, was designed to train and test screeners through the projection of images of threat objects into the explosive detection systems or checkpoint cabinet X-ray units.
This was a promising development. One of the biggest challenges in screener training and performance was that the occurrence of any real threat objects in X-ray images during normal screening operations was infrequent. The occurrence of the most highly sophisticated objects, such as disguised explosive devices, was so extremely rare that screeners, regardless of their rate of pay and experience levels, just did not expect to see a threat object. They could become complacent or dulled by looking at thousands of images without finding a suspect item. By early 2001, we had achieved significant progress with a substantial number of these systems installed, with more on the way.
Similarly, we were pursuing deployment of explosive detection systems equipment. With the Gore Commission's determination that aviation security was a national security issue, for the first time significant federal funding was directed toward the purchase of security equipment for civil aviation - $100 million per year.
The initial target of full system deployment of explosive detection system equipment by 2014 had been accelerated to 2007. The airlines, airports, and FAA had to work through a host of engineering concerns, liability issues, and peripheral cost concerns surrounding the deployment of these large, complex units.
EDS was designed to screen checked bags of selectees identified by the Computer Assisted Passenger Prescreening System, or CAPPS. CAPPS examined actions of passengers in making their reservations and the details of their travel itineraries along with inputs made at the time of check-in by airline personnel. It was not based on ethnicity or race. The details are highly sensitive and cannot be discussed in this forum. CAPPS was a useful tool in determining which passengers were unlikely to have an explosive device in their checked baggage. This allowed us to concentrate limited explosive detection capabilities on a smaller number of passengers and bags.
On Sept. 10, CAPPS was used only to focus efforts to counter explosive sabotage. Passengers without checked baggage, such as most of the Sept. 11 hijackers, were not evaluated by CAPPS. Passengers who were evaluated by CAPPS because they had a checked bag would still not have been prevented from boarding the aircraft nor subjected to additional security measures beyond examination of their checked bags.
On Sept. 10, based on the intelligence reporting we were seeing, we continued to see attacks upon aircraft with explosive devices as the most dangerous threat. We were also prepared for the type of hijackings in which the hijacker wanted transportation or wanted hostages to further some political objective.
Over the years there had been a small number of reports, at least one of which appeared in the media, that one terrorist group or another may have talked of blowing up or crashing an aircraft after hijacking it. There was, however, no credible law enforcement reporting or intelligence confirming these stories. Similarly, there have been many possible terrorist attack scenarios developed by theorists, but no hard evidence that the type of attack we saw on Sept. 11 was in the making, or that the perpetrators had the capability to carry out such an attack within the United States.
In a 1994 Air France hijacking there was media speculation that the hijackers may have planned to crash the aircraft into the Eiffel Tower. Since Sept. 11, that incident has been touted as alleged proof that we should have seen the attack coming. But, in fact, that information was unconfirmed and there was no current reporting indicating that seizure of aircraft in order to attack ground targets was being planned or was likely.
Hindsight is always 20/20. But looking back on bits and pieces of information that have surfaced in the wake of Sept. 11 is one thing. Seeing the same patterns when only a part of the data now being studied was previously available and when it was available, it flowed in among literally thousands of pieces of other, often-conflicting information over a period of years, is quite another thing. Policy makers must rely on the intelligence analysts to sort the meaningful data from the misinformation and irrelevant data and tell us what it means. We need to know what to prevent.
And when the civil aviation security community has good information, like it did with the Bojinka plot, it can take effective action.
With respect to Sept. 11, we knew quite a few things, but not nearly enough.
We knew of foreign students in U.S. flight schools - we always have many, as one of the world leaders in aviation - but we did not know some were terrorists.
We wish we had received the FBI/Phoenix memo on flight school students - and it would have worried us a lot - but we did not.
When one of our inspectors was asked to evaluate the language proficiency of Hani Hanjour, a flight school student, we knew nothing of his terrorist connections.
When another hijacker left a rented aircraft parked on the ramp at an airport in Florida and walked away months before Sept. 11 he was just a guy with a plane that broke down.
And shortly before Sept. 11 we did know that a flight school in Minnesota had an unusual student pilot, but at the time he was in custody and did not appear to be a threat.
And on Sept. 11 we did not know that two of the individuals who turned out to be hijackers were already on an immigration watch list.
Before Sept. 11 we had a good intelligence analysis capability but we lacked the quality of information that emerged only after the attacks. We were procuring and installing explosives detection equipment and we were focused on improving screening performance through training and standards. Based on what we knew, we continued to see attacks upon aircraft with explosive devices as the most dangerous threat as well as taking measures against what we now think of as traditional hijackings.
The goal of aviation security and air travel is the same - safe transportation. But the characteristics are often contradictory. Security is careful and measured. Air travel is rapid and efficient. Airport workers need to move freely. Yet, airports need access controls to thwart unwanted activity. Passengers want to board quickly and get moving, but they and their luggage must be carefully examined. People want technological solutions, but so many solutions require application of the even more complex human element.
Americans have long known that "eternal vigilance is the price of liberty." Now we know it's the price of mobility as well.