High-profile screening
Ian Hutcheson, the former security director for LHR Airports (previously BAA), tells Robert de la Poer why a fundamental change is needed in the industry’s approach to airport security
RP: What are LHR Airports’ responsibilities with regards to aviation security and how does the company work with the government and other stakeholders to develop security strategy and policy?
IH: In the UK, the airports are all privatised, including those run by LHR Airports. They are legally responsible for carrying out the government’s security requirements as set out in the National Aviation Security Programme, which includes the regulations set by the European Commission (EC).
LHR Airports works through a series of forums – there is the National Aviation Security Committee, which is normally chaired by the transport secretary or another minister. Then there is an executive committee, which meets monthly, and an operations committee, which addresses the need for changes in regulations and compliance. So there is quite a high level of accountability. On top of that, the Department for Transport has inspectors who regularly inspect UK airports, and from time to time the EC will also send out inspectors as well.
RP: Does the company have much input into the policy-making process?
IH: It tries to! Through the Airport Operators Association (AOA) in the UK and through the Airports Council International (ACI) in Europe, the industry does try to influence future security regulation and review existing regulation. There is also the SASAS advisory group in Europe, which meets every couple of months. The ACI represents Europe’s airports in debates with the EC over the need for the review and development of security regulation.
RP: Do you think the threat to airport security remains as high now as it was ten years ago?
IH: It may not be quite as high, but I would say it is different now. The global threat from al-Qaeda is probably lower, but as we saw with the Woolwich attack in late May, you can’t rule out the lone wolf attack. I would split the threat into three parts: there is the threat from international terrorism, which is not as high as it was directly after 9/11; there is the threat from extremists, as we have seen in previous decades from groups like the Animal Liberation Front, which carried out attacks on BAA directors’ property; and there is the environmental protest threat. Although environmental protests have so far been peaceful, such protests could take on a violent dimension as the debate over issues such as airport expansion continues.
The newest security threat – which will be discussed at Transport Security Expo in November – is that of electronic attacks. Such attacks may include people hacking into systems to obtain confidential information – there has been a great deal in the media about this recently. There is also the risk of denial of service attacks, and we have seen several instances reported in the press recently. We’re not talking about people hacking air traffic control systems or anything as far-fetched as that. But if you look at how dependent the industry is on IT systems, you can see that denial of service could cause serious disruption.
Looking to the future, cyber terrorism could cause serious disruption. I personally think that’s a long way in the future, but the fact that an electronic attack is considered the highest risk on the National Risk Register illustrates how seriously the threat is being taken.
RP: Technology has taken on an increasingly important role in airport screening over the past ten years. Do you think there is now an over-reliance on technology at the expense of manned guarding and observational screening?
IH: Yes – I think this is a great risk. We have seen that technology can fail to provide adequate solutions. After the liquid bomb plot of 2006, for example, governments and the airline industry spent years searching for a technological solution capable of detecting liquid explosives, but it has not materialised. So it may well be that technology alone will not always provide solutions and we need to move towards a more risk-based view of security, where things like behavioural recognition and passenger profiling are contemplated, along with the acceptance that a large proportion of passengers pose a minimal risk.
RP: Passenger profiling is something of a political hot potato. Do you think it will ever be accepted as an overt security policy?
IH: It is politically sensitive and to mandate it would be extremely difficult. But the US has started down that road by introducing lower-security regimes for certain parts of the population – such as young children, people over 65 and those in the military.
The other way this could be done is through a membership scheme where people voluntarily give more personal information in order to have a faster journey through the airport. It seems very unlikely this will be possible in Europe, where you have 27 member states, all with different perspectives on data protection. But notwithstanding the politics, it seems likely the industry and the travelling public will find a way to develop this in the future, because I think something like this is the only way.
RP: As a past chairman of the AOA and ACI security committees, you played a leading role in the industry’s response to the liquid bomb plot. With hindsight, do you think the decision to ban all cabin liquids, aerosols and gels (LAGs) was the correct one?
IH: Hindsight would say this probably wasn’t the right decision because we are seven years on and we still have a ban on liquids. If you draw an analogy with the Lockerbie attack, where an aircraft was brought down by a bomb in a bag in the hold, we didn’t ban hold baggage. We lived with the risk until such time as a technological solution could be found – and in fact, the International Civil Aviation Organisation (ICAO) didn’t proscribe hold baggage screening internationally until 2006.
I won’t say the LAGs ban decision was an over-reaction because it is a real threat and the security services didn’t know that everyone involved in the plot had been caught. But the introduction of the ban could have been better executed, which would have avoided the massive initial problems, and we should not be in a situation seven years on where the travelling public is still being inconvenienced.
RP: At the end of June, airports around Europe will submit their proposals for relaxing restrictions on LAGs. Do you think screening technology has evolved enough to counter the threat?
IH: No – it hasn’t. The technology has reached a point where some liquids can be screened, but not all. In January 2014, medicines, baby foods and duty-free goods in tamper-evident bags will be screened. It is a good step forward to be able to screen for liquid explosives, but it doesn’t bring any great passenger benefits. I think the technology has some way to go before it can actually screen a washbag filled with toiletries, for example, which is ultimately what the passenger wants.
The interesting question is, if technology can only provide part of a solution, will things remain this way forever? Or will regulators accept that the majority of passengers present no risk? In that case, you could remove the ban and be more selective about who you screen, or use random screening to provide a sufficient deterrent to minimise the risk. My personal view is that this has a long way to run.
RP: Recent attempted attacks on aircraft – the liquid bomb plot, the underpants bomber, the printer cartridge plot – have revealed weaknesses in the screening process. Would you agree that the industry’s approach has been more reactive than pro-active when it comes to dealing with emerging threats?
IH: Yes I would. You always have to react to maintain public confidence, but I think security should be more corrective and, as we have discussed previously, it should encourage more than screening by technology. Looking at the printer cartridge bombs you mentioned, if the agents who inspected them had been trained sufficiently from a security perspective, they would never have left the depot where they were handed in. There were many things about the consignment that were suspicious. Why would anyone send a printer cartridge from Yemen to New York when you could walk out and buy one there without the cost of shipping? Why was it routed the way it was? If they had done some analysis of what was in front of them, that would have provided a higher level of screening. You can apply that principle to the whole security paradigm: technology manufacturers can develop technology that is far more effective, but it can’t be employed against 100 per cent of passengers. Don’t get me wrong – we have developed some great technologies, but it takes time. With Lockerbie, it took a decade and we lived with that risk for that amount of time.
RP: What other changes would you like to see over the next few years in the ongoing evolution of aviation security?
IH: I agree with many others over the need to implement some form of passenger differentiation. As we’ve discussed, this is a politically difficult area, but if by various means you can eliminate a large percentage of the travelling public from the threat scenario, then you can aim the bulk of security resources at those who you think do pose a threat. That doesn’t mean you don’t provide any security at all for those considered a minimal risk – but I think you should set a minimal baseline for those you believe to be a threat and then you have enhanced security products to which you subject those considered to be high risk. I’ve advocated that for a long time, including in the aftermath of the underpants bombing when I was with BAA.
I think this is where we are heading, and the debate has certainly started. The US has taken the first steps along with a few others, and it is just a question of how long it will take before we see a fundamental change in the current process.
Ian Hutcheson is the former security director for LHR Airports (previously BAA). He will be hosting the Aviation Security VIP Programme at the Transport Security Expo in November. An abbreviated version of this interview was first published in the July issue of the Transport Security Expo 2013 Newsletter
