Each country has a unique aspect to its aviation security system. At a high level there might be a harmonised approach to regulation through organisations like ICAO, but there are still stark differences. Some of these differences represent best practice in mitigating against specific threats whilst others focus on promulgating operational efficiency in aviation security. Shreemen Prabhakaran explores some of these best practices that set different countries apart, specifically considering the approaches to private security providers, profiling, facial recognition, landside security and insider threats.
Private security providers in aviation security were more ubiquitous before the 9/11 attacks; post-9/11, many countries federalised aviation security. However, the benefits of private security providers never changed and they can be a very effective method of increasing operational efficiency and effectiveness. As pointed out in the 9/11 commission report, private security does have its weaknesses; fundamentally, private security providers within the aviation security system bring a market-driven approach to security management which can sometimes lead to a decrease in quality as providers seek to reduce costs and increase profits. But, in turn, this approach also removes excess from the system and forces operators to be more effective and efficient. For an aviation security system to effectively utilise private security providers, it must be well regulated and have a robust inspection and testing regime managed by the regulator. This is the success of the Australian model.
Australia’s regulator spends significant resources on inspection, testing and engagement with airports to ensure they are aware of regulatory requirements and are held accountable for the outcomes of their systems. The other key focus of the Australian model is that it is outcome-focused as opposed to being an overly prescriptive model of regulation; this places responsibility on airport operators to deliver security outcomes and, in turn, means that airports force security service providers to be accountable through contracts, key performance indicators and internal testing and inspection. The Australian regulator can also test individual airport security systems on a regular basis, forcing providers to be more vigilant. This model works because of the relatively small number of international and large regional airports in Australia.
Aside from the role of the regulator, over time a working relationship developed between airport operators, airport police and security providers. This working relationship has been described as, ‘integral to the success of mitigating security threats in aviation’ by the 2005 Independent Review of Airport Security and Policing for the Australian Government. This working relationship developed because of the security culture and structure in Australian aviation – the security culture is inclusive, with information sharing networks that inform airports’ security providers to ensure there is a common cause. However, some of this is also due to the size of the market both in terms of providers and in airports. While the concern over quality might be valid in some countries, taking an Australian approach to regulating private security does create a system that is more agile to respond to new processes, technology and threats.
“…key focus of the Australian model is that it is outcome-focused as opposed to being an overly prescriptive model of regulation…”
Another example, where the size of airport operations has supported the development of a best practice capability, is with behavioural profiling in Israeli airports. Broadly speaking, Israel places a greater value on security than on facilitation, which has resulted in the development of possibly the most secure airports in the world. This means that the aviation security system in Israel is concerned with ensuring effective security measures and, as a result, it has often received criticism from international passengers who feel targeted and inconvenienced. One reason for this feeling of being targeted is the passenger-oriented security system used at airports. Israeli airports, like Ben Gurion International Airport, focus on human intent rather than on a search for prohibited or restricted items; all passengers are profiled.
The profiling system in Israel is a three-tier system, beginning with the analysis of Passenger Name Record (PNR) data. This is a common method used to different degrees across the world. However, it is stages two and three which are unique to the Israeli aviation security system; both involve direct passenger questioning and behaviour profiling/detection. Stage two involves questioning a passenger throughout the passengers’ journey through the airport, allowing security resources to be focused on the highest risk passengers. The final stage is behaviour detection; this focusses on both observing passengers as they go through the airport and their reactions to security questioning and screening.
This structured and tiered approach to profiling/behaviour detection is unique to Israel. This is best highlighted through a comparison to other aviation regulatory responses trying to use similar profiling methods. The U.S. Transportation Security Administration (TSA) has developed a profiling/behaviour detection programme. This is referred to as Screening Passengers through Observation Techniques (SPOT) and has been heavily criticised for its ineffectiveness; the Government Accountability Office (GAO) 2017 report highlighted its ineffectiveness in detecting threats. However, while the execution is poor, the practice of profiling and behaviour detection can be highly effective. It is important to note that the training programmes and mode of operation are very different between Israel and the U.S. An Israeli profiler is generally responsible for about 30 flights (roughly 900 passengers) a day, which is much less than a TSA officer. The training programme for an Israeli profiler is longer and more rigorous than any other country and the investment in and time available for an Israeli profiler ensures a better outcome. However, this is not possible in a larger aviation security market and system.
“…detractors of the facial recognition technology suggest that it is an invasion of privacy and aids in the creation of a ‘big brother’ state…”
Along with profiling, the use of facial recognition at airports is becoming more common. A recent example is the use of facial recognition at Dubai International Airport to clear passengers boarding flights to the U.S. on Emirates Airlines. This technological application is now used at many airports in the U.S. As passengers walk through the boarding gate onto the aerobridge, their face is scanned and checked against the Customs and Border Protection (CBP) database. This system clears about 85% of passengers and removes the requirement for travel documents and profiling at the gate, which was previously present for flights leaving Dubai to the U.S. The implementation of technology like this dramatically improves facilitation and maintains border security, an often-forgotten function of aviation security. However, it does raise the question of privacy issues. Detractors of the facial recognition technology suggest that it is an invasion of privacy and aids in the creation of a ‘big brother’ state. But this is not entirely true; as discussed earlier, profiling already occurs in the U.S. using passenger data from airlines, border forces and immigration; the use of facial recognition simply streamlines the process and increase efficiency significantly. In fact, the application of the technology in Dubai is really where the value of the facial recognition boarding can be seen. With the removal of additional security profiling and travel document checks of 85% of the passengers, boarding has become seamless.
The use of technology within the screening process has also been changing rapidly. However, a best practice used by Russia and China focuses on when screening occurs as well as how. Both countries secure the check-in landside areas of airport with 100% screening of passengers and baggage prior to entry at major international airports. The screening of passengers and baggage before entry into the airport is a security measure that has strong merit in ensuring landside security at the airport. Airport attacks in Brussels and Istanbul highlighted the need to secure the check-in area to mitigate threats. In fact, since the attack on Domodedovo International Airport in 2011, where a suicide bomber attacked the arrivals hall, there is now screening prior to entry to the arrival hall as well.
Screening like this has security benefits but it also means that queues are now created in the front of the airport, shifting the potential target from one location to another. However, in many cases, especially in China, new airports are specifically designed to accommodate and improve passenger facilitation through screening on entry. The tensions between facilitation and security are ongoing with any security measures, but consideration should be given to how much impact the measure has on improving security. Unfortunately, due to recent attacks, it seems like the latest best practice is to screen passengers and baggage at the airport entry.
The other key security measure that recent attacks have highlighted is the necessity to screen airport staff. The insider threat is real and a concern for many regulators, yet many of those same regulators argue about the value of 100% staff screening. Best practice in this area is the effective 100% screening of staff entering the airside of an airport. This is done across the UK and EU as well as many new airports around the world. However, there is tension with the global adoption of this security measure in other countries like the U.S. and Australia. At an ICAO meeting this year, this conflict was discussed again but with no real resolution. A number of countries, including the U.S. and Australia, argue that the financial and operational cost to implement 100% staff screening at airports is too high. They argue that the use of a risk-based, unpredictable model that targets anywhere from 30% to 45% of staff entering the airside is both effective and efficient. However, this approach misses the significance of the security measure; 100% screening addresses the ‘needle in the haystack’, a single rogue employee can cause serve damage to the aviation industry and background checks alone are not an effective means to prevent this from occurring. The UK and EU have implemented this practice across different operating environments and there are some airports in the U.S. that have gone beyond regulations to have 100% screening in place too, thereby supporting the argument that the of cost of this practice has been proven to be manageable.
“…a number of countries, including the U.S. and Australia, argue that the financial and operational cost to implement 100% staff screening at airports is too high…”
This article, while it has highlighted some best practice measures by a number of key players across the world, has also draws attention to the lack of real harmonisation of global security measures. Aviation security best practice is often not widely adopted unless it is prescribed by regulators. All of the examples discussed are measures that should be replicated across all countries and, in particular, between those discussed in this article.
Shreemen Prabhakaran is an aviation security practitioner with 15 years’ experience in industry and government. Currently he is a PhD researcher with Edith Cowan University, Perth and the Managing Director of The Big Sky Advisory. He can be contacted at: firstname.lastname@example.org