The acting head of the Transportation Security Authority (TSA) Wednesday sought to reassure a House subcommittee that the inadvertent posting of sensitive airport security information on the Web didn't pose a material threat to passenger safety.
"Our response was swift, decisive and comprehensive," Gale Rossides told members of the Homeland Security Committee's subcommittee on transportation security. "I want to reassure all members of this committee and the traveling public that our aviation system is strong and that passengers will fly safely this holiday season and every day."
Today's hearing continued the outcry on Capitol Hill after the revelation earlier this month that a 93-page document detailing airport screening procedures had been publicly available on the Web since March. The document had been redacted, but a blogger demonstrated that the original version could be restored with relative ease.
The TSA took the document down within hours of learning of its availability, though Rossides said she had no enforcement mechanism to limit the spread of the untold number of copies that had already been made.
"Right now there really isn't any authoritative action that we can take," she said.
Last week, Department of Homeland Security Secretary Janet Napolitano told a Senate panel that she had commissioned the department's inspector general to conduct a review of the incident, which had set off a wave of concerns that the manual could serve as a roadmap to terrorists looking to slip through airport security.
Rossides was guarded in many of her remarks today, often telling the lawmakers that she wouldn't have a definitive answer to their questions until the inspector general releases his report.
She could not, for instance, say with certainty what software the employees who posted the document were using that enabled the redacted portions to be restored. She described the agency as having gone into information lockdown hours after learning of the breach, and said that personnel made sure that staffers handling sensitive information were using the most up-to-date software and immediately began revisiting the training policies concerning sensitive information.
"Had this software been properly used it would have worked on this document," she said.
The five individuals involved with the breach have been placed on administrative leave pending the inspector general's report. One was a contractor at the time the document was posted.
Sheila Jackson-Lee (D-TX), the chairwoman of the subcommittee, said she planned to introduce legislation early next year that would set limits on the extent to which government contractors can access sensitive information.
Rossides noted that the leaked Standard Operating Procedures document was drafted in May 2008, that six subsequent versions have come out since then, and that the sensitive information about screening procedures has been changed significantly. She said that most of the information in the leaked manual that was still current was mundane procedural instructions, such as checklists for readying screening equipment in the morning.
"It did not have a lot of sensitive security information," she said, telling the lawmakers that the images of ID cards it contained were only photocopies, and that airport personnel are trained to look for many additional security features that could identify an impostor.
But Charles Dent (R-PA), the ranking Republican on the subcommittee, expressed frustration at TSA's unwillingness to provide lawmakers with the most recent version of the manual so they could compare the two and see how much current information had actually been exposed.
TSA officials have been briefing lawmakers and their staffers about the differences between the two versions, but Rossides said today that she was reluctant to release a hard copy of the current manual until the inspector general completes his report. Dent protested, even threatening to introduce a resolution to force the issue, but eventually relented.
After the public hearing, Rossides stayed on for a closed session with the members to address some of their more sensitive inquiries.
She said the inspector general's report was on an "expedited track," but offered no concrete date for its delivery. In the meantime, she said TSA is asking the National Security Agency to lend its technical expertise to develop a certification system that would ensure that sensitive documents are redacted securely.
While the evolving security apparatus at TSA remains a work in progress, some Democrats today were candid in their frustration that the agency still doesn't have a permanent director.
The confirmation of President Obama's nominee to head the agency, Erroll Southers, has been blocked in the Senate by Jim DeMint (R-SC), who is concerned that Southers might support the unionization of security screeners.
"I think we've waited long enough for this confirmation," said Bennie Thompson (D-MS), the chairman of the Homeland Security Committee. "With strong leadership in place, incidents such as these are less likely to happen."