The U.S. homeland’s vulnerability to attack was demonstrated to a terrifying degree 20 years ago when terrorists hijacked four airliners and succeeded in flying three into some of the greatest symbols of America’s economic and military power.

The devastation would have been magnified had not courageous passengers on a fourth jet overpowered their hijackers and flown it into the ground in Pennsylvania. Hijackers may have intended to destroy the White House or the U.S. Capitol with it.

America’s reaction to the September 11, 2001 attacks on New York’s Twin Towers and Washington’s Pentagon, and to the deaths of nearly 3,000, was swift. War was launched in Afghanistan. At home, reactions included a rapid overhaul of domestic security operations.

In the decades since, the domestic efforts have succeeded in securing American skies. But threats and their related challenges are ever-changing, according to security officials.

“The modes and methods of terrorist attacks have become more decentralized and opportunistic than ever before,” David Pekoske, currently Acting Deputy Secretary of Homeland Security, told a hearing of the U.S. House of Representatives Homeland Security Committee on the Transportation Security Administration (TSA) Fiscal Year 2021 budget. The agency was created in the months after 9/11. “The daily threat environment TSA faces in the aviation, surface, and cyber security realms is persistent, pervasive, and constantly evolving.”

In passenger rail particularly, federal, state, local and private-sector officials struggle continually to ensure the free, safe movement of people and commerce on America’s tracks. They must wrestle with how to secure a transportation mode made up of 98 independent rail systems operated by an assortment of state, local and regional organizations, with 12,737 miles of track, 5,645 passenger stations, thousands of rail vehicles and facilities to operate and support them, according to the latest American Public Transportation Association (APTA) data. All must be secured to some degree.

U.S. rail systems operate on the principle of free, ready access to trains and passenger stations. Many facilities are open as well to the dirty air of their surroundings. Ridership is sensitive to fare levels, which typically can only be increased through public hearings.

These and other factors pose challenges to keeping passengers, employees and vendors safe from terror attacks in a cost-efficient manner. One challenge, concerning attacks using explosives, entails finding and fielding the means of analyzing potential threats. These include threats from insiders (those who have or had approved access to a rail system’s operations) and from domestic violent extremists.

Aviation has been working on insider threats for several years (see TSI, Aircraft Security: Protection from the Insider Threat, Feb. 19, 2019). Last February, Homeland Security Secretary Alejandro Mayorkas for the first time declared combatting domestic violent extremism a “National Priority Area” for specific FY 2021 DHS grants. That requires state, local, tribal, and territorial governments to spend 7.5 percent of their grant awards on combating this threat.

Other challenges include identifying real threats at safe standoff distances from passengers and security and fielding instruments that can discriminate bomb components at such distances from the “normal” contamination of rail station environs. Assuming a bomb-laden attacker walks at 1.34 meters/second (a normal gait), a sensor capable of detecting the explosive at 30 meters — or just under 100 feet — would give a security officer a bit more than 22 seconds to identify the threat and intervene before the attacker gets far into a station.

Another challenge is mitigating threats without subjecting passengers to long screening processes and searches of their persons and belongings (which also could raise the rail operator’s costs and drive fare increases).

The matter of analyzing and mitigating explosives threats to passenger rail has been complicated by its relegation to lower priority in the overall U.S. campaign to prevent transportation system attacks.

To meet such challenges, security officials are reinforcing old-fashioned policing techniques (such as conducting patrols at random times and periodically moving fixed-location posts). They are attempting to hinder the sale of precursor chemicals used in “homemade” explosives. They also are engaging the public and employees in security awareness campaigns. In addition, officials are testing the capability of advanced technology to identify and interdict “bad actors” before they can attack.

After 9/11, the U.S. government put domestic security agencies under the umbrella of the Department of Homeland Security (DHS), created in 2002. The TSA was created “to protect the nation’s transportation systems to ensure freedom of movement for people and commerce.” Those systems include airports and their terminals and hangars; commercial truck operations; commercial bus companies; passenger and freight railroad stations and facilities; pipelines; seaports, and bridges and tunnels.

TSA’s attention and resources were focused on airline security, for good reason. Additional attacks were expected. It strengthened security measures on and around aircraft and toughened controls on movement of passengers, airline personnel and airport workers. Armed federal air marshals were deployed once more on U.S. airline flights.

Dec. 22, 2001’s apprehension of Richard Reid, attempting to detonate a shoe bomb of triacetone triperoxide (TATP) and pentaerythritol tetranitrate (PETN) on American Airlines Flight 63 from Paris to Miami, propelled some restrictions. The need for ongoing aviation security restrictions, analysis and mitigation efforts became clear Dec. 25, 2009. That day, Umar Farouk Abdulmutallab was captured attempting to detonate a TATP/PETN bomb in his underwear on Northwest Airlines Flight 253 from Amsterdam to Detroit.

Counter-terror efforts remain focused heavily on airline operations to this day. That is curious, given the relative passenger loads borne by U.S. airlines and rail systems. The latter (primarily subway systems) carry about five times as many passengers each day as do airlines, according to David Randall Peterman, a transportation policy analyst for the U.S. Congressional Research Service in reports on transportation security issues on Feb. 9 for the 117th Congress and in 2019 for the 116th and 2017 for the 115th.


DHS has a big mandate. Presidential Policy Directive 21, issued Feb. 12, 2013 by President Barack Obama, named 16 critical infrastructure sectors and made departments responsible for overseeing their security and resilience. They range from chemicals and commercial facilities to transportation and wastewater. DHS alone is responsible for eight. It shares responsibility for two more: for transportation with the Transportation Department, and with the General Services Administration for government facilities. DHS delegated to TSA and the U.S. Coast Guard its responsibilities for transportation. That includes aviation, freight rail, highway and motor carriers, maritime, mass transit and passenger rail, pipelines and postal and shipping.

On May 26, 2021, Mayorkas told the House Appropriations subcommittee on Homeland Security of his department’s priorities. He said they are:

• defeating the COVID-19 pandemic,

• advancing technology for border security “while promoting a humane and efficient immigration system”

• combatting domestic violent extremism, and

• detecting, deterring, and recovering from malicious cyber-attacks.

Mayorkas’ prepared testimony, at 2,455 words, didn’t include “rail” or “mass transit”.

Rail Use Up Despite Pandemic Blip

Beyond DHS’ higher priorities, passenger rail officials know TSA is not (and is unlikely to be) heavily involved in day-to-day security operations like it is at airports. It approaches “surface transportation security as a partnership with the owners and operators of the system,” Susan Proctor, assistant administrator for Surface Operations in the TSA’s Security Operations division, has told Congress. “This difference in approach is reflective of the characteristics of the system.” Surface transportation’s interconnected, varied and expansive scope “creates unique security challenges that are best addressed by system owners and operators and federally supported through stakeholder communication, coordination, and collaboration.”

Indeed, according to APTA data, the 98 U.S. passenger rail systems include heavy rail (subways/metros that don’t interact with traffic), surface rail (light rail and streetcars, which may operate on streets with or without dedicated lanes) and commuter rail (with higher-speed, higher-capacity trains and less frequent stops). That last category also includes hybrid rail, which operates exclusively on freight railroad right-of-way.

Those systems conducted more than 4.83 billion trips in 2019, APTA said. It defines a trip as one passenger boarding and includes transfers. All those trips covered 56.1 billion miles, APTA said. The pandemic suppressed rail traffic growth, but all three categories saw slight increases compared to 2018. The sector remains on a growth trajectory, with traffic on light rail up 66 percent, heavy rail up 44 percent and commuter rail up 26 percent since 2000.

Refocusing on Prevention as Well as Response

Given their experience, passenger rail agencies “tend to emphasize managing the consequences of an attack,” Peterman said in the Feb. 9 Congressional Research Service transportation security report. “Nevertheless, steps have been taken to try to reduce the risks of an attack as well.” These have included:

• vulnerability assessments;

• emergency planning;

• emergency response training and drilling of transit personnel (in coordination with police, fire and emergency medical services personnel);

• increasing the number of transit security personnel;

• installing video surveillance equipment in vehicles and stations, and

• conducting random inspections of bags, platforms and trains.

Regarding efforts to counter explosives attacks, a sampling from DHS’s Multi-Jurisdiction Improvised Explosive Device Security Planning (MJIEDSP) program may offer insight on how local agencies are faring. DHS’ Office for Bombing Prevention (now in the Cybersecurity and Infrastructure Security Agency, or CISA) has run the program for some years to build analysis, training, and planning capabilities among public and private-sector first responders, bomb squad and special weapons and tactics (SWAT) personnel and response agency executives for counter-IED responses. The program also aims to enhance interoperability and coordinate response resources.

From July 2019 to July 2020, the program conducted 12 workshops in the Southeast, Southwest and Northwest U.S., with more than 400 attending. Program officials said each workshop was tailored to reflect the hosting jurisdiction’s attributes and participants’ specific objectives.

MJIEDSP officials said the most common strengths demonstrated by jurisdictions participating in the workshops included robust interagency connectivity and close partnerships with military and federal assets and private-sector partners to enhance community preparedness and resilience.

Operational coordination was another common strength. Participating fire departments and law enforcement agencies reflected a clear understanding of the need to establish and maintain procedures enabling them to coordinate response operations. Common dispatch centers and integrated communications systems improved situational awareness and the efficiency of coordinated operations. Such advancements appeared attributable to close collaboration among key community leaders, program officials said.

A third common strength was incident management and planning. Participants understood the need for effective interagency coordination in responding to a complex, coordinated IED attack, program officials said. They observed that all jurisdictions appeared to use the National Incident Management System and the Incident Command System.

Last year’s workshops also revealed areas for improvement.

Participants in all 12 workshops said greater IED awareness/recognition training was a priority. This came from all responder disciplines.

Participants also cited a common need for enhanced search capabilities to assist responders in safely locating IEDs and explosive material. All EMS responders saw the need for more training in treating patients with blast injuries and blast trauma, for EMS personnel and paramedics as well as physicians and other hospital emergency department personnel who provide definitive care to bombing victims.

Workshop discussions in each participating jurisdiction also revealed local, IED attack-related policies were inadequate, outdated or incongruent with those of other jurisdictions and private-sector partners.

The workshops showed that hospitals require early notification of trauma patient/mass casualty incidents so they can rapidly activate emergency operations plans, recall staff and potentially discharge or relocate patients needing lower levels of care.

“Four of the six jurisdictions hosting workshops were identified to have Bomb Threat Management Plans that were either inadequate or require updating to reflect current capabilities, procedures, and available resources,” a report on the workshops said. Three jurisdictions “identified the need to ensure bomb squads and SWAT teams gain access to current facility maps and diagrams to enable them to properly plan and conduct successful tactical operations.”

Regarding equipment, participants said remote electronic surveillance gear (drop cameras, pole cameras, fiber-optic cameras and listening devices) and personal protective equipment are essential. However, they cited shortcomings in such gear’s acquisition and training in five of the six jurisdictions.

A focus on explosives threats to passenger rail is warranted. A 2007 RAND Corporation study found that 80 percent of worldwide rail systems attacks were bombings, followed by sabotage (6 percent) and armed attack (6 percent). Explosives accounted for 77 percent of the weapons used in rail system terrorist incidents, with 8 percent of the incidents involving hoaxes or threats. A 2010 U.S. Government Accountability Office report concurred, noting the most common means of attack against passenger rail targets was IEDs, including attacks by suicide bombers.

Traditional policing measures can help improve passenger rail security without paralyzing operations. Brian Michael Jenkins, a special advisor at RAND and director of transportation security research for the Mineta Transportation Institute, has observed that more security patrols, security cameras and emergency phone boxes in rail stations and on trains can help make them a hostile setting for would-be attackers. He also has suggested that rail systems design vehicles and facilities to reduce hiding places, facilitate surveillance and cut casualties by removing materials that can produce flying shards or toxic fumes after a blast.

Going Back in the Attack Chain of Events

Rail officials are confronting the prospect that the enabler of an explosives attack may be someone known to them.

In 2019, the TSA established the Surface Transportation Security Advisory Committee to advise, consult with and make recommendations to the TSA administrator on surface transportation security matters. It is based on the Aviation Security Advisory Council, set up after the 1988 bombing of Pan Am Flight 103 over Lockerbie, Scotland.

The surface advisory committee consists of 37 industry voting members and 14 government non-voting members. The industry members include nine from mass transit and passenger rail. One, Polly Hanson, APTA’s director of security, risk and emergency management, serves as the committee’s vice chair. The chair is Thomas Farmer, assistant vice president of security for the Association of American Railroads.

Committee members spent a good part of the last year identifying priorities for future work. They set up four subcommittees to complete work. They were focused on security risk and intelligence, cybersecurity information sharing, emergency management and resiliency and insider threats.

The insider threat risk was spotlighted on May 26, 2021, when a nine-year veteran mechanic with California’s Santa Clara Valley Transportation Authority walked into San Jose’s Guadalupe rail yard and shot and killed nine people, then killed himself. The employee, Samuel Cassidy, appears to have had long-standing grievances with co-workers and difficulty managing anger, according to his ex-wife, supervisors, the authority and U.S. Customs and Border Protection agents (who detained him in 2016 on his return from the Philippines after finding books on terrorism and a notebook recording his hatred toward the transit authority).

“It is frequently not a matter of whether indicators are present, but rather if their significance is recognized,” Farmer has said. “Highlighting these indicators affords opportunities for training workers and police and for informing the public on what to look out for and how to report those observations effectively.”

In addition to the employee deaths, Valley Transportation Authority suspended its light rail service. It only restored full service Sept. 18.

That case points to a common element in many insider threat incidents: the danger was evident to individuals in close contact with the perpetrator. The same is the case for threats from domestic violent extremism.

Analyses of terrorist and violent extremist attacks, failed attempts, and disrupted plots consistently show there are always indicators of the developing threat, Farmer, the security advisory committee chair, told the group’s meeting, according to its minutes.

The FBI and DHS define a domestic violent extremist as an individual based and operating primarily within the U.S. or its territories, without direction or inspiration from a foreign terrorist group or other foreign power, who seeks to further political or social goals wholly or in part through unlawful acts of force or violence. That was the definition offered to the surface security advisory committee by an FBI official briefing its May 20 meeting, according to meeting minutes.

The FBI official told the committee that the Bureau still considers lone actors to be the greatest threat to the homeland. He explained that these are individuals self-radicalized online, with no formal connection to a group, and looking to attack soft targets with easily accessible weapons.

“The U.S. government is aware of domestic terrorist concerns,” Pekoske, the acting deputy Homeland Security secretary, told the May 20 meeting. “This threat vector is particularly concerning because domestic terrorists tend to act impulsively and often alone. Subsequently, it is notable that domestic terrorism might be more of a threat to surface transportation venues than to aviation because of aviation’s more visible security envelope.”

To head off lone actors, domestic violent extremists and insider threats, CISA is working to enlist the public and local officials to be aware of potential indicators of threats. Its efforts include sharing information on The Pathway to Violence, a concept developed in 2003 by threat assessment experts Frederick Calhoun and Steve Weston to understand how an individual progresses from a normal state to an extreme one bent toward violence.

The path starts with the presence in a person’s mind of a grievance, a real or perceived wrong from which most people would move on. Instead, the person fixates on a need to resolve the grievance. “That sense of fixation or a need for resolution is an indication that this is a grievance that is a bit different,” said Gene Deisinger, managing partner of SIGMA Threat Management Associates in Alexandria, Va. He is featured in a CISA video on the pathway concept.

At the next milestone on the path, the person develops ideas for the use of violence or significantly disruptive behavior. Then the person begins planning, mulling the who, what, when and where of resolution. “Who or what would best satisfy my fantasies?” Deisinger said of the person’s thinking. “Who or what is most available to me and is most vulnerable?”

At the preparatory step, the person considers what is needed to fulfill the plan. This may include the means of fulfillment and the weapons, tools, equipment, clothing and other necessary elements. “This step involves both skill and will,” Deisinger said.

The next milestone involves what is called probing and breaching. The person is probing behaviors and checking vulnerabilities within a system, Deisinger said. “Where are the best entry points, or escape points if that’s part of the plan?”

Then comes the attack, or the implementation phase. Deisinger stressed an important concept: “Don’t take the sequence literally. They’re milestones on the path, versus concrete steps.”