My father was involved in mechanical engineering all his life and he used to say that a good boss would often ignore one of his people staring into the distance because many times that person was considering the ‘what ifs’ of a design. It may have been that it was my dad’s excuse for just wool gathering.
So, what has that to do with aviation security? Well, I have always been a fan of conducting something similar that I have come to call ‘what if’ tests. I know that many readers will say that this idea is no more than contingency planning or systems testing or product testing and, while correct, they are all of those things and more; they are people with some knowledge critically thinking about their work environment and its vulnerabilities.
‘What if’ tests have many forms, but at their core they are no more than wondering: what happens if this happens; what if I want to find out what this does; what if I press this button and so on. Many times, they do not have a specific business goal or, rather, they have a difficult to establish business goal. I do not suggest that everyone should run off and start spending company money on ‘what if’ tests, but occasionally the opportunity will arise and stretching the boundary is worth the effort.
A classic example from my career involved walkthrough metal detectors (WTMDs). The particular WTMD discussed are no longer used here – WTMD technology has moved on since then.
When WTMDs were first introduced, they were tested using what was then known as the National Institute of Law Enforcement and Criminal Justice (NILECJ) Standard for Walk Through Metal Detectors for Use in Weapons Detection (June 1974). Long title, but it included several test pieces that were intended to replicate various weapons – knives and firearms. One of these test pieces – the AM3 test piece, which is intended to simulate a small handgun – is still used to test all airport WTMDs in Australia. The NILECJ gives 20 test locations that cover the inside of the WTMD, ranging from head to ankle height, and to pass a test the WTMD should find the AM3 test piece in each location.
When it was first introduced in 1974, the NILECJ standard only included test locations in a WTMD and specified the test pieces. What it did not provide was a test to show the lower end of the alarm spectrum. That is, the WTMD could be set to its most sensitive setting and it would alarm for the fillings in a person’s teeth… not really, but you get the idea. The result would be that almost everyone going through the WTMD would alarm and be subject to secondary screening. The WTMD would comply with the regulations but in effect be useless and it would fill the airport with unhappy passengers.
In the years since 1974, the NILECJ, now the National Institute of Justice (NIJ), standard has been updated a number of times and now includes a test for ‘innocuous items’ – things like glasses, pens and a small number of coins – the idea being that a person should be able to go through a WTMD with these items in a pocket and not set off the alarm.
So, back before 2000, I wanted to know what if I wanted find the highest setting that would ensure the WTMD would detect the AM3 at each of these test locations but would allow innocuous items through? So, I got permission to run some tests to find that level for the AM3 test piece. Then I pushed the envelope a little and thought, what if I wanted to find every NILECJ test piece? What setting should a WTMD be set to in order to find individual test pieces at each of the 20 test locations within the WTMD? If I had been asked (which I was not), I would have said that I was contingency planning so that, if required, I could confidently provide a setting for any weapon covered by the NILECJ. At the start of the tests that was rubbish; the only legislative requirement was to find the AM3 test piece, finding the others was not necessary. I was just curious.
Each time I tell this story I still feel the need to apologise to the people I gave the task to; it was boring and uncomfortable – 6,000 walkthrough tests at three airports and the factory. The guys brought the results back and I put them into a database that I had created. It gave a visual representation of a WTMD and when the name of the test piece and the setting of the WTMD were entered, the database showed which test locations could find each test piece.
I must admit it was pretty cool, but then came the rub. Before September 11, knives with a blade length of less than 100mm were allowed in the cabin of an aircraft. Like everyone else, I assumed that the setting to find the AM3 test piece would always find the test piece for a knife with a 100mm blade made of magnetic material. Then I used my database and tried to find a setting that would find the AM3 and would also find a knife with a 100mm blade.
Long story short, there was not one that detected both at every test location. In effect, one could be certain to find a small handgun or a small knife, but not both. Obviously, if the WTMD was set to find the metal in people’s teeth it would, but that was not feasible. It was not a disaster (there were only a few test locations where the knife test piece did not always alarm), but it was an interesting and surprising result.
As soon as I found this out, I told the predecessor to the Office of Transport Security (who really liked my database) and it was decided to use the setting that would certainly find a small handgun and have the best chance of finding a knife with the 100mm blade.
Another version of considering the ‘what if’ question is bringing a large improvised explosive device (IED) into the airport terminal. Unattended baggage has always been a known issue in aviation but, back in 2010, I was doing a survey of an airport (outside of Australia) with a person from the regulator. My associate commented that the doors to the terminal we were assessing were wide enough to bring a small car with an IED into the terminal. I stopped and asked, why would you bother? Like many of my contemporaries, I had already considered what if I wanted to bring a really large IED into a terminal and it was not in a car, it was not in individual bags, it was in a number of bags using one or more baggage trollies. It was not something he had considered. Then, six years later, attackers used a very similar method in Brussels.
I think that almost everyone who works at airports has considered the ‘what if’ questions, although many will not admit it, and even fewer security organisations will conduct ‘what if’ tests just to see what is possible. When my business works at airports, we usually ask to meet with as many of the airport stakeholders as possible and often those meetings are in one of the airport committee meetings. We regularly pose the question, what if you wanted to get a weapon or IED onto an aircraft or into the terminal? Quite often, we are initially met with silence, but when we remind them that they cannot work in aviation without thinking of these things and ask them what keeps them awake at night, the gates usually open. Many times, their ideas are remarkably consistent.
Which brings me, slowly, to my point. I think that ‘what if’ tests in aviation are about to make a comeback. Obviously, they will not be called ‘what if’ tests, but something more attractive like ‘red teaming’ or ‘threat/attack path analysis’, but in essence they will be a form of ‘what if’. Personally, I think that will lead to some very interesting times and it is about time
Steve Lawson has over 20 years’ experience in aviation security. As a security executive with Qantas, Steve held a number of senior management roles covering all aspects of aviation security from policy development to airport operations. He was sent to New York immediately following the 9/11 attacks to manage the Qantas response and undertook a similar role following the 2002 Bali Bombings. On his return to Australia, he was appointed Security Manager Freight for the Qantas Group. Since 2007 he has been a Director of AvSec Consulting in partnership with Bill Dent, a fellow former Qantas security executive. Steve can be contacted via email firstname.lastname@example.org or on 0404 685 103.