By Spencer S. Hsu and Carrie Johnson
Washington Post Staff Writers
Wednesday, December 9, 2009
The Transportation Security Administration inadvertently revealed closely guarded secrets related to airport passenger screening practices when it posted online this spring a document as part of a contract solicitation, the agency confirmed Tuesday.
The 93-page TSA operating manual details procedures for screening passengers and checked baggage, such as technical settings used by X-ray machines and explosives detectors. It also includes pictures of credentials used by members of Congress, CIA employees and federal air marshals, and it identifies 12 countries whose passport holders are automatically subjected to added scrutiny.
TSA officials said that the manual was posted online in a redacted form on a federal procurement Web site, but that the digital redactions were inadequate. They allowed computer users to recover blacked-out passages by copying and pasting them into a new document or an e-mail.
Current and former security officials called the breach troubling, saying it exposed TSA practices that were implemented after the Sept. 11, 2001, terrorist attacks and expanded after the August 2006 disruption of a plot to down transatlantic airliners using liquid explosives. Checkpoint screening has been a fixture of the TSA's operations -- as well as a lightning rod for public criticism of the agency's practices.
Stewart A. Baker, a former assistant secretary at the Department of Homeland Security, said that the manual will become a textbook for those seeking to penetrate aviation security and that its leaking was serious.
"It increases the risk that terrorists will find a way through the defenses," Baker said. "The problem is there are so many different holes that while [the TSA] can fix any one of them by changing procedures and making adjustments in the process . . . they can't change everything about the way they operate."
Another former DHS official, however, called the loss a public relations blunder but not a major risk, because TSA manuals are shared widely with airlines and airports and are available in the aviation community.
"While it's certainly a type of document you would not want to be released . . . it's not something a determined expert couldn't find another way," the official said.
Criticism from Congress was scathing. Sen. Susan M. Collins (Maine), the ranking Republican on the Senate homeland security committee, called the document's release "shocking and reckless."
"This manual provides a road map to those who would do us harm," she said.
Sen. Joseph I. Lieberman (I-Conn.), the panel's chairman, called the breach "an embarrassing mistake" that impugns the judgment of managers at the TSA, which is still without a permanent administrator 11 months into the Obama administration. Nominee Erroll Southers, a Los Angeles airports police executive, is awaiting a confirmation vote in the Senate.
House Homeland Security Committee Chairman Bennie G. Thompson (D-Miss.) and Rep. Sheila Jackson Lee (D-Tex.) also wrote acting TSA Administrator Gale D. Rossides, saying they are were "deeply concerned" about the disclosures and calling for an independent government investigation.
The document, dated May 28, 2008, is labeled "sensitive security information," and states that no part of it may be disclosed to people "without a need to know" under threat of legal penalties.
Seth Miller, 32, an information technology consultant in Manhattan, first publicized the manual's ineffectual redactions Sunday on his travel blog, WanderingAramean.com. He said he learned about the document while chatting with other fliers on an Internet bulletin board. Miller said it made him question TSA secrecy rules, saying the agency has withheld even mundane operational rules from public view rather than clarify its practices.
"After getting over the initial shock of how stupid it seemed they were for putting out a document like that," Miller said in a phone interview, "I think the most significant risk is that when . . . you see some of the things that are marked as security sensitive information, you have to sort of smack your hand on your forehead and say, 'What are they thinking?' "
The TSA learned of the failure that day and has begun an internal review by its Office of Inspection, an official said. It also checked other procurement documents to correct similar vulnerabilities.
The original version of the manual is still available online, preserved by Web sites that monitor government secrecy and computer security.
The agency said the posted manual was outdated and was never implemented. Six more recent versions have been issued since that one, a TSA official said.
"TSA takes this matter very seriously and took swift action when this was discovered. A full review is now underway," the agency said in a statement. "TSA has many layers of security to keep the traveling public safe and to constantly adapt to evolving threats. TSA is confident that screening procedures currently in place remain strong."
The manual includes material both highly sensitive and mundane, from how TSA screening officers should handle diplomatic pouches to when they should dispose of their rubber gloves.
Among the most disturbing disclosures concern the settings used to test and operate metal detectors. For instance, officers are instructed to discontinue use of an X-ray system if it cannot detect 24-gauge wire. The manual also describes when to allow certain firearms past the checkpoint, and when police, fire or emergency personnel may bypass screening.
The document identifies the minimum number of security officers who must be present at checkpoints, how often checked bags are to be hand-searched, and screening procedures for foreign dignitaries and CIA-escorted passengers.
It also says that passport-holders from Cuba, Iran, North Korea, Libya, Syria, Sudan, Afghanistan, Lebanon, Somalia, Iraq, Yemen and Algeria should face additional screening.