TSA's playbook keeps terrorists guessing
Wednesday - 12/12/2012, 5:51am EST
TSA hopes to create unpredictability in the security measures it uses, with the agency detailing 120 "plays" in a playbook for officials to use randomly.
"We know terrorists study us and shape their attacks based on our procedures and methods," said John Halinski, TSA's deputy administrator, during a speech at the sixth annual conference on security analysis and risk management sponsored by the Security Analysis and Risk Management Association and George Mason University's Center for Infrastructure Protection and Homeland Security in Arlington, Va. "The 120 plays are based on specific threat streams. We base the play on what threat we are seeing or trying to address."
The use of a playbook is part of the way TSA is using a risk management approach in its mission.
Halinski said TSA is instituting risk management in every aspect of its mission, in part because of its size and because it helps managers better prioritize funding.
"You have to use a risk-based approach, because we realize that one size doesn't fit all in the security equation," he said. "We realize we cannot eliminate risk altogether, but our goal is to build a redundant system so the threat gets tangled up in our web of security. It's not just focused on the outside threat, but the insider threat too."
Risk management is spreading
TSA's move to a risk-based approach coincides with a broader use of the idea of focusing resources where they are most needed across all of the Homeland Security Department.
David Maurer, the Government Accountability Office's director of homeland security and justice issues, said at the conference DHS has struggled to implement a risk-based approach for most of its existence over the last 11 years.
He said DHS has made good progress, especially over the last three years, around implementing risk management.
"DHS has created a steering committee to integrate risk management across the agency," he said. "They've established a central methodology for risk assessment across the agency."
Maurer said Customs and Border Protection is using a risk management approach to make decisions for how best to secure the border. The Secret Service is looking at risk as they protect the president and other high-ranking officials.
"It's really hardwired within the department," Maurer said. "We'd like to have more of that carried out on a day-to-day basis in their programs and activities."
Maurer said GAO looks at risk being driven by three things:
- The threat - Who are the bad guys and what are they trying to do to attack us or hurt our interests?
- Vulnerability - How well is something protected against an external threat?
- Consequence - If there is a successful attack, what impact would it have?
"When you look at all three of those aspects, you get a sense of the risks involved in the homeland security environments," he said. "It's challenging for agencies to adopt this kind of approach. You could game out a number of scenarios and threats, and there are a lot of potential areas of things that could be attacked."
Maurer said GAO is encouraged by TSA's approach to risk management.
"We think that when TSA has this implemented and rolled out it will allow them to address a number of recommendations from our prior reports," he said.
Modifying security processes
Halinski said the implementation of risk management impacted several of TSA's business processes. For instance, he said TSA implemented a modified security process for children under 12 and adults over 75.
The pre-screening passenger program, known as TSA Pre, is receiving more use and support across the country. Frequent fliers still must be vetted through a government program, but when they go to the airport, they don't have to take off their shoes or remove their light jackets or laptops when going through security, which helps speed up the entire process.
Halinski said more than 4 million people have gone through TSA Pre, and 34 of the nation's busiest airports are part of the effort.
"The goal is to focus on the high-risk passengers and put less attention and resources to the lower-risk passengers," he said.
TSA screens 1.8 million passengers and 5 million bags a day, so understanding where the biggest threats come from helps the entire process.
Halinski said the use of intelligence also is helping them address actual or potential threats. He said TSA works closely with the intelligence community to share information.
"The key to any risk-based security system is that you have to have good intelligence, whether that's vetting or whether the way you look at an issue, but you have to have good intelligence to build a good mitigation strategy. It's keying in on those potential threats and building a mitigation strategy around those potential threats."
Halinski also is counting on the risk-based approach to help TSA deal with a flat or declining budget in the coming years.
"We evolve as the threat evolves and using a risk-based approach will allow us to gain more resources and become more efficient," he said. "You have to go back to the viewpoint that is based on intelligence and based on analysis of the risk, it's putting our people and conducting our operations in a very efficient way to hone in on what we consider to be biggest threat."