Covert testing of airport access control systems performed by the Department of Homeland Security’s (DHS) Inspector General (IG) in 2006 at several airports in the United States was compromised by officials from the Transportation Security Administration (TSA) who disclosed testing methodology and even the description of a tester, the IG said in a recent report.
The IG said that after some airport security directors realized that some form of undercover testing was being done at several airports, they forwarded the information to TSA officials, who in turn alerted their field operators via a central communications network called NetHub.
The TSA e-mail, sent from the Office of Security Operations (OSO) on the afternoon of April 28, 2008, stated that the testers had fake IDs, were planting explosives on aircraft and altered their boarding passes to get through the security checkpoint. The notification also said that the testers traveled as a couple and that the woman used an ID with a picture of an oriental woman even though she is Caucasian.
The IG said that the assistant administrator for OSO did not approve the message sent over the NetHub and attempted to recall it within 14 minutes of the broadcast, although he never alerted the IG that its testing program had been compromised.
“The e-mail revealed details about our testing methodology and provided tester descriptions that compromised testing procedures,” the IG said in its report, Investigation Concerning TSA’s Compromise of Covert Testing Methods (OIG-09-43). The report is dated March 2009 and was released on April 10. “The fact that the Assistant Administrator recalled the message is evidence that TSA officials considered it inappropriate and not an indication of unauthorized testing by non-government entities as initially interpreted.” The IG also says that the “disclosure of our covert testing procedures was inappropriate and interfered with a legitimate function of our office.”
In response to a draft of the IG report, then TSA Administrator Kip Hawley rejected that the testing procedure was compromised either through the NetHub email or by failing to alert the IG of the NetHub message. In his response, dated Oct. 3, 2008, Hawley said that it was airport law enforcers who spread the message about the covert testing. If anyone compromised the covert testing, it was the airport law enforcement community, he said.
The NetHub alert was forwarded to the TSA field officers by a NetHub duty officer who “had no knowledge of about the true nature of the incidents being reported,” Hawley said.
Hawley also pointed out, something that the IG mentioned as well in its report, that the covert testers were checking on security systems controlled by airports, not TSA.
Hawley said at the time that it was important to get the facts of the matter correct because those “unfair and unfounded allegations” had been hanging over dedicated career public servants for months.
At the time of the NetHub alert, the IG testers had already conducted operations at three airports beginning several days before. Testing was planned at 11 more airports over the next few months.
The IG, commenting on Hawley’s response, said that the fact that TSA made the alert over NetHub, which was received by at least four TSA officials at airports yet to be tested, means that “at a minimum, TSA is complicit in the compromise.”