Transportation Department investigators penetrated security so easily at major U.S. airports that some were seated comfortably aboard airliners at departure time and could have taken a free trip.
The Federal Aviation Administration redacted the names of the airports from a sanitized version of the report made available yesterday, but sources said one of the airports was Washington's Reagan National Airport. The others were in Atlanta, Chicago (O'Hare), New York (John F. Kennedy), Miami, Salt Lake City, San Francisco and Honolulu.
A statement from Inspector General Kenneth Mead, whose office conducted the probe, said control of access to airports is a continuing problem but the FAA "has been slow to take actions necessary to strengthen access control requirements and adequately oversee the implementation of existing controls." The FAA replied in a statement that it was already vigorously addressing the problems.
The report said the investigators found themselves able to walk into secure areas of the airports that are supposed to be open only to authorized personnel. During the tests from December 1998 through April of this year, the investigators successfully breached airport security on 117 of 173 attempts--a 68 percent success rate.
"During our testing, we successfully penetrated secure areas by piggybacking [following] employees through doors; riding unguarded elevators; walking through concourse doors, gates and jetbridges; walking through cargo facilities unchallenged, and driving through unmanned vehicle gates," the IG's statement said.
The report indicated the most successful method of entry was "piggybacking" behind employees, with 71 of 75 attempts successful. The least successful was at vehicle gates, with only seven of 43 attempts successful.
"After penetrating secure areas, we boarded a substantial number of aircraft operated by U.S. and foreign air carriers. In some instances, we were seated and ready for departure at the time we concluded our tests," the statement said.
The report said investigators boarded aircraft from 35 air carriers 117 times. It noted that some aircraft were boarded several times as investigators wandered on and off the plane. In 43 boardings, no one was on board to challenge the investigators; in 43 other cases there were personnel aboard but no one challenged them. In 13 others no one challenged them for at least three minutes, and in only 18 boardings did personnel challenge them within three minutes.
The report also noted that inspectors deliberately set off 25 emergency exit alarms but security personnel never responded to 10 of them.
The FAA said the agency, aware of early audit results, had taken action to plug the security holes. The agency worked with the airports involved and then from April through May ran "a series of aggressive tests--approximately 3,000 tests at 79 airports--and opened 393 enforcement cases for weaknesses in any of the security layers that work together to control access to the aircraft."
The FAA also said it is permanently increasing the rate of unannounced tests, accelerating FAA data-collection and analysis plans, working with airlines to control access to parked aircraft, working with the industry to improve employee training, and taking steps to crack down on employees who violate rules.
The agency released two letters from Cathal L. Flynn, the FAA's associate administrator for civil aviation security, to the airport industry outlining plans to tighten security.
"It is clear that both the FAA and the industry need to have effective programs to hold individuals accountable for carrying out the fundamentals of access control: wearing ID and challenging others who do not . . . and making sure that doors are properly closed after they are used," Flynn wrote in a Sept. 2 letter.
Tara Hamilton, a spokeswoman for Reagan and Dulles International airports, said that she could not comment on the specifics of the report but that the airports are working actively with the FAA to improve security. She said a "security consortium" of the airports, the airlines and security companies meets monthly to discuss improvements and "the FAA says we have one of the more active security consortiums in the country."
The inspector general's report attributed access-control problems to failure of airlines and airports to implement access-control procedures, failure of employees to meet their responsibilities, failure of FAA oversight, and FAA policies "that contribute to weaknesses in access control."
Because the FAA said the report contains "some sensitive security information," the inspector general will not post it to the department's World Wide Web site, the announcement said. But the FAA released a redacted version of the report.
Although many specific FAA methods were blanked out of the report, it did reveal some FAA policies that had led to weakened access control, including allowing lesser access controls in "secure" areas after passengers go through metal detectors, and allowing easily observed "cipher" push-button locks on secure doors. Most of specific recommendations for solving these problems were redacted.