[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
SECURING OUR SKIES: OVERSIGHT OF AVIATION CREDENTIALS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
TRANSPORTATION AND PUBLIC ASSETS
OF THE
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
FEBRUARY 3, 2016
__________
Serial No. 114-103
__________
Printed for the use of the Committee on Oversight and Government Reform
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
_____________
U.S. GOVERNMENT PUBLISHING OFFICE
23-402 PDF WASHINGTON : 2017
________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida ELIJAH E. CUMMINGS, Maryland,
MICHAEL R. TURNER, Ohio Ranking Minority Member
JOHN J. DUNCAN, JR., Tennessee CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio ELEANOR HOLMES NORTON, District of
TIM WALBERG, Michigan Columbia
JUSTIN AMASH, Michigan WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee JIM COOPER, Tennessee
TREY GOWDY, South Carolina GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida TED LIEU, California
MICK, MULVANEY, South Carolina BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina MARK DeSAULNIER, California
ROD BLUM, Massachusetts BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama
Jennifer Hemingway, Staff Director
David Rapallo, Minority Staff Director
Michael Kiko, Staff Director, Subcommittee on Transportation and Public
Assets
Ari Wisch, Counsel
Michael Ding, Counsel
Willie Marx, Clerk
------
Subcommittee on Transportation & Public Assets
JOHN L. MICA Florida, Chairman
MICHAEL R. TURNER, Ohio TAMMY DUCKWORTH, Illinois, Ranking
JOHN J. DUNCAN, JR. Tennessee Member
JUSTIN AMASH, Michigan BONNIE WATSON COLEMAN, New Jersey
THOMAS MASSIE, Kentucky MARK DESAULNIER, California
GLENN GROTHMAN, Wisconsin, Vice BRENDAN F. BOYLE, Pennsylvania
Chair
C O N T E N T S
----------
Page
Hearing held on February 3, 2016................................. 1
WITNESSES
Mr. Darby LaJoye, Deputy Assistant Administrator, Office of
Security Operations, Transportation Security Administration,
U.S. Department of Homeland Security
Oral Statement............................................... 5
Written Statement............................................ 8
Mr. John Roth, Inspector General, Office of Inspector General,
U.S. Department of Homeland Security
Oral Statement............................................... 17
Written Statement............................................ 19
Ms. Margaret Gilligan, Associate Administrator for Aviation
Safety, Federal Aviation Administration, U.S. Department of
Transportation
Oral Statement............................................... 32
Written Statement............................................ 34
Ms. Kathleen M. Carroll, Vice President, Government Affairs, HID
Global (On Behalf of the Security Industry Association ``SIA'')
Oral Statement............................................... 38
Written Statement............................................ 40
APPENDIX
TSA's responses to the Committee's Questions for the Record,
Submitted by Chairman Mica..................................... 58
TSA Warehouse Information by Quarter FY12, Submitted by Chairman
Mica........................................................... 71
SECURING OUR SKIES: OVERSIGHT OF AVIATION CREDENTIALS
----------
Wednesday, February 3, 2016
House of Representatives,
Subcommittee on Transportation and Public Assets,
Committee on Oversight and Government Reform,
Washington, D.C.
The subcommittee met, pursuant to call, at 1:05 p.m., in
Room 2154, Rayburn House Office Building, Hon. John L. Mica
[chairman of the subcommittee] presiding.
Present: Representatives Mica, Duckworth, and DeSaulnier.
Mr. Mica. I call this hearing of the Transportation and
Public Assets Oversight Subcommittee to order, and I welcome
everyone this morning.
Without objection, the chair is authorized to declare a
recess at any time. We do expect some votes pretty quickly into
the beginning of this session, so we'll try to get our opening
statements made, and then we will hear from our witnesses. And
the order will be after we've heard from all the witnesses to
go back and have questions offered to the witnesses.
So I'll start with my opening statement. And, again,
welcome, everyone.
We have an important responsibility in transportation
oversight, and that's to make certain that the laws and all of
the caveats that we set forth for public agencies, particularly
for security and safety, are complied with by agencies. And the
purpose of this hearing is 15 years after 9/11 we want to look
at credentialing, we want to look at vetting of employees, and
we want to look at what poses the biggest risk as far as
security to our Nation's aviation system.
Unfortunately, even 15 years--2001, this is 2016--15 years
later we still seek a system that has not complied with the
laws that we have passed multiple times with the requests we've
had, and we see failures. One of the biggest failures is the
most recent report that we had. And the DHS, Department of
Homeland Security inspector general found that 73 individuals
with links to terrorism passed TSA's vetting process. They were
not properly vetted.
These are people that work at our airports. These are
people that have access to aviation equipment, to airplanes.
Even TSA employees are not properly vetted.
And, unfortunately, we've also found through that report
that tens of thousands of incomplete records are even lacking
full names. They had 14,000 immigrants listed in the database
that did not have alien registration numbers, and 75,000 of
these records lacked passport numbers. Again, this is not
acceptable.
When we passed the aviation security bill, and in
subsequent legislation I tried to get a--we used to have a
folded piece of paper for an airline pilot license. An airline
pilot has access to the controls, flying the plane. I can tell
you today, after numerous enactments of laws and edicts and
meetings, we still have a pilot's license. And I borrowed this
one from our ranking member. She's a pilot, Ms. Duckworth.
We asked that the pilot's license have a photo of the pilot
on it. The only photo on this license are the Wright brothers,
Orville and Wilbur. Orville and Wilbur, I blew it up here.
Okay? It's a joke.
We asked that this also has some biometric capability.
Anything in your wallet has a better electronic strip and
capability than this license.
Now, you say it's too difficult to do with the pilots that
we have. This is a Mickey Mouse. This happens to be Minnie
Mouse pass to Disney World, and I borrowed this. My wife was
there the other day with her sister visiting. They take your
thumb print, and they know when you enter, who enters, who
leaves. This is Minnie Mouse, and this is Mickey Mouse, the FAA
pilot license.
So this is what we have, people going into the airports,
people who, secure areas, either working for TSA or airports,
not properly vetted, a responsibility of TSA. We have pilots
who are flying planes, we don't know who they are. You cannot
tell.
Again, the frustration level has just peaked with me,
because time and time again we've gone in, we've passed edicts,
laws, for compliance.
Now, this particular Mickey Mouse, Disney World pass has a
biometric for a thumb, and that we're told by FBI it possibly
could be compromised. But we have nothing. I've tried to get
not only a thumb, but also iris, and it took a dozen years to
get a standard in place. We'll find out where they are. Because
between iris and thumb, which some European nations, some of
the defense agencies, some nuclear facilities, some other
government facilities, both in the United States and outside,
have the capability to do both, and then we're sure of who is
entering and who is leaving. But I'm telling you, this is one
of the most frustrating things that we've seen.
We've seen examples of employees with accomplices, for
example, in New York, were able to smuggle more than 150 guns
on half a dozen flights between Atlanta and New York City.
Just a few weeks ago, the FAA suspended a program allowing
safety inspectors to bypass TSA checkpoints after one was
caught with a firearm in a bag he was carrying.
So, again, we have examples of the Transportation inspector
general opened nearly 70 pilot license fraud cases since 2011,
just the last few years, including a foreign national who
hacked into FAA's record system, stole the pilot's identity,
and to illegally obtain a license and crashed an airplane.
We had recently one of our oversight agencies found
hundreds and thousands of IDs missing, not accounted for, SIDA
badges, TSA badges, airport identity badges, badges that some
of the officers wear, everything you could imagine stolen or
missing or unaccounted for. None of this is acceptable.
So we have other examples we can cite where it has been
done, both the private sector, other government agencies,
Canada to the north. And, again, I cited Disney World as a good
example.
So with that, I will yield to our ranking member, Ms.
Duckworth, welcome her, and give her back her FAA Mickey Mouse
pilot license with Orville and Wilbur. And you are much better
looking than either of those dudes.
I yield.
Ms. Duckworth. Thank you, Mr. Chairman. And I'm also much
more alive as well.
Mr. Mica. I visited their gravesite, and they are there,
they're very much dead.
Ms. Duckworth. Yes. Well, thank you so much for holding
this hearing, Mr. Chairman. I am somewhat astonished that the
inspector general for the Department of Transportation could
not find the time to be here. But we'll deal with that at
another time.
Our Nation's 440 airports are complex mazes of public and
secure spaces. Chicago O'Hare, for example, which served more
than 34 million passengers in 2014 alone, has 8 active runways,
189 gates, nearly 23,000 parking spaces, and approximately
167,000 square feet of concession space.
In addition to being responsible for screening all
passengers who come into the airport to board a flight, the TSA
must oversee the procedures that airports implement to ensure
that all controlled areas, such as passenger loading areas,
cargo and baggage handling areas, and perimeter areas, are
accessed only by authorized personnel.
The first step in this process is identifying the
individuals who should have access to secured areas and the
level of access that they should be given.
Now, our Nation has different models for issuing access
credentials in the various transportation modes. In the
aviation realm, each airport issues its own set of access
credentials. And before an airport can issue a badge allowing
access to a controlled area, a person to be credentialed must
be screened against terrorism databases and pass a check of
lawful authority to work in the United States conducted by the
TSA using data collected by each airport.
They must also complete a criminal history records check.
This check is then conducted by the FBI using fingerprints and
data collected by the airports, but the results are adjudicated
by each individual airport to determine whether an individual
has a disqualifying conviction. The Department of Homeland
Security's Office of Inspector General has repeatedly found
numerous flaws and lapses in the management of this
complicated, multiagency process.
In 2011, the IG determined that airports issued badges to
individuals despite omissions and even inaccuracies in the
records used to conduct the background checks. In some cases,
airports even issued badges to individuals who have not
undergone security threat assessments at all.
This finding was troubling enough, yet what truly concerns
me is that just last year, 4 years after that very alarming
2011 finding, the DHS inspector general found that airports
continue to lack accurate quality controls necessary to ensure
criminal background checks are properly adjudicated.
They found systemic problems with the credentialing process
also. For example, unlike tourism screenings, which are
continually updated on a near real-time basis, criminal records
checks are conducted only once every 2 years. Between checks,
airports have to rely on the willingness of the credentialed
person to self-report any disqualifying arrests or convictions.
This dangerous loophole must be closed.
Officials have also uncovered airport employees illegally
using stolen or fraudulent credentials. In 2007, more than 100
vendor employees at O'Hare were caught using stolen badges to
access secured areas at the airport. In one instance, an
uncleared individual rummaged through a box of active security
badges to select one that looked most like him and matched his
likeness.
Other incidents have involved cleared personnel who misused
the access granted to them. Following a 2014 incident involving
the smuggling of over 100 guns, some of which were loaded onto
multiple flights between Atlanta and New York, TSA asked its
Aviation Security Advisory Committee to recommend ways of
strengthening the control of employees' access to secured
airport areas. This committee made 28 recommendations in April.
Fewer than half of those have been implemented.
America's airports are vital hubs that support billions of
dollars in commerce and connect Americans from coast to coast.
Yet, their importance also makes them high-value targets to our
enemies that seek to harm Americans, weaken our economy, and
instill fear throughout the populous. The front gates to our
Nation's commercial aviation system must be worthy of all they
defend. We must ensure that anyone passing through the gates,
including airport employees, do not pose a threat to our
Nation's security.
I look forward to hearing from our witnesses today on how
TSA will strengthen its coordination with airport authorities
across the country to implement critical security
recommendations and dramatically enhance how we control access
to secured areas.
Congress has an important role to play in this effort, and
if additional authorities over oversight actions are needed, I
would like to use this afternoon to examine those potential
reforms.
Again, I thank the chairman for this very timely and
important hearing, and I yield back.
Mr. Mica. Well, thank you. And the title of this, I guess,
was originally ``Securing Our Skies: Oversight of Aviation
Credentials.'' I think a more fitting title, after hearing our
opening statements, would be ``Aviation Credentials in Chaos.''
That might sum it up better. I thank you for your opening
statement.
And we will hold the record open, with your agreement, for
5 legislative days for members who would like to submit a
written record.
Mr. Mica. And as I said, we'll probably be in and out
because of the vote schedule this afternoon.
I would like to now recognize our panel of witnesses. I'm
pleased to welcome Darby LaJoye, deputy assistant administrator
for the Office of Security Operations at the Transportation
Security Administration within DHS; the Honorable John Roth,
who is the inspector general for the U.S. Department of
Homeland Security; Margaret Gilligan, and she is the associate
administrator for aviation safety at the FAA within the
Department of Transportation.
Welcome back.
Kathleen Carroll, who is vice president of government
affairs at HID Global, speaking on behalf of the security
industry.
So those are our witnesses. Some of you have been here
before. I know the inspector general has.
This is an investigation in an oversight subcommittee of
Congress. We do swear in all of our witnesses. If you'll stand
now, please, raise your right hand.
Do you solemnly swear or affirm that the testimony you are
about to give before this subcommittee of Congress is the whole
truth and nothing but the truth?
And all the witnesses, the record will reflect, answered in
the affirmative.
Let's go first, from TSA representative, Mr. LaJoye.
You're welcome and recognized, sir.
We do give you about 5 minutes. If you have additional
information you want submitted for the record, just request and
we'll put it in.
Thank you.
WITNESS STATEMENTS
STATEMENT OF DARBY LAJOYE
Mr. LaJoye. Good afternoon, Chairman Mica, Ranking Member
Duckworth, and members of the subcommittee. Thank you for the
opportunity to appear before you today to discuss TSA's role in
airport access control and aviation worker credentialing.
TSA ensures airport access control is executed in
partnership with airports, air carriers, and other Federal
agencies. Collectively, we employ a risk-based approach that
includes vetting and credentialing of airport and airline
employees, development and execution of security plans, TSA
inspections, assessments, and testing of access control, along
with random screening of aviation workers.
TSA requires airport and airline employees to successfully
complete a security threat assessment prior to receiving an
access credential to a secure area of an airport. The
assessment includes a daily check against the Terrorist
Screening Database, ensuring there are no known ties to
terrorism when applicants apply for a credential and throughout
the term of a worker's airport employment.
TSA also verifies all individuals have lawful presence and
have not committed a disqualifying offense in the past 10
years. TSA recognizes the value of conducting frequent criminal
history record checks and has established a requirement for
airports or airlines to do so every 2 years for all credential
holders. Later this month, we will begin to a pilot a new FBI
automated capability called Rap Back, providing employers with
current information on criminal activity committed by
credential holders.
We recognize the value of automated access to additional
intelligence-related data to inform TSA's vetting decisions.
Working closely with DHS and the interagency partners, we've
recently received approval for automated access to additional
data addressing a key IG recommendation. We expect to begin
receiving automated access in the coming weeks.
While TSA is responsible for conducting vetting of aviation
workers, airport operators are responsible for issuing and
managing the credentials that allow an individual access to
airports' sterile or secure areas. TSA requires airport
operators to conduct recurring comprehensive audits of all
airport-issued credentials and to maintain records of those
audits for 1 year, subject to TSA inspection.
Individuals who are responsible for reporting lost or
stolen credentials, and airport ID systems must be capable of
immediately denying access to any lost or stolen credentials.
If the percentage of unaccounted-for or lost credentials
reaches a certain threshold, the airport must reissue all
credentials in that access category.
TSA also requires airport operators to control entry to
nonpublic areas of the airport and provide for detection and
response to unauthorized presence in these controlled areas and
to aircraft. To enforce these standards, our inspectors conduct
assessments and audits and employ a progressive methodology
that provides for a range of enforcement measures, from helping
stakeholders with corrective actions to issuing fines.
We've made progress in addressing the insider threat at
America'sairports, which were highlighted by the Atlanta gun-
smuggling incident in 2014. In addition to new vetting and
regulatory measures, TSA and airport authority resources are
deployed on a random basis to screen airport and airline
workers throughout the day. In 2015, we increased the number of
employee screenings from 2 million to nearly 13 million, and 90
percent of airports have reduced access points, resulting in
nearly 500 fewer nationwide.
Finally, under the leadership of Administrator Neffenger,
TSA has renewed its commitment to security effectiveness. In
late May, after reviewing the DHS IG's covert testing results,
TSA began implementing a range of measures to address the
shortfalls noted. We have refocused on our primary security
mission, retrained our entire workforce, improved processes and
procedures, enhanced our technology, implemented new measures
of effectiveness, and analyzed systemic issues. Notably, we
have begun to employ a doctrinal approach to counterterrorism
leading to screening improvements across the agency.
In January, we began to send all new hire officers to basic
training at the TSA Academy at the Federal Law Enforcement
Training Center. This will drive consistency, professionalism,
dedication, and connectedness to a common agency culture. Also,
thanks to the help of Congress, we halted FY '16 staff
reductions, providing appropriate officers to pursue screening
effectiveness.
The administrative intent is to place mission first, invest
deliberately in a well-trained and disciplined workforce, and
deliver mission excellence. We are confident that the agency is
better positioned today to deter, detect, and disrupt threats
against our aviation system, and we will continue to pursue a
range of improvements to protect the traveling public.
I am proud to represent TSA's hard-working nationwide team
of officers, inspectors, explosive specialists, air marshals,
and a dedicated network of professional staff who support them.
I look forward to answering your questions.
[Prepared statement of Mr. LaJoye follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Mica. Thank you so much.
We'll go now to the inspector general, Mr. Roth.
You're welcome and recognized.
STATEMENT OF JOHN ROTH
Mr. Roth. Chairman Mica, Ranking Member Duckworth, and
members of the subcommittee, thank you for inviting me here
this afternoon to testify.
Since 2004, we have published more than 120 audit and
inspection reports about TSA's programs and operations. Our
work includes evaluations of passenger and baggage screening,
TSA PreCheck, acquisitions, equipment deployment, and
maintenance. We have also used covert testing to determine
whether unauthorized and potentially dangerous individuals and
items could gain access to secure airport areas.
The audit I am discussing this afternoon looked at how well
TSA vets airport workers who have unrestricted access to secure
areas of the airport. While we found that TSA's efforts to
screen against the terrorist watch list were generally
effective, we found that TSA did not have access to the
complete terror watch list, known as the TIDE database. As a
result, we identified 73 airport workers contained within that
database who had been cleared to work in sensitive areas.
TSA officials recognize that not receiving the full
database represents a weakness in its program and informed us
that TSA could not guarantee that it can consistently identify
all questionable individuals without receiving these
categories. Fortunately, at the request of DHS, the National
Counterterrorism Center, working as part of the interagency
process, has changed their policy as a result of this audit,
and TSA now or will soon have access to this information.
TSA is considerably challenged, however, when it comes to
verifying workers' criminal histories and immigration status.
First, TSA does not currently vet airport workers' criminal
histories after they are initially cleared to work, but rely on
individuals to self-report disqualifying crimes. As a result,
individuals could lose their job if they report these crimes,
so they have little incentive to do so.
Under the law, the 450 commercial airports maintain the
ultimate authority to review and determine whether an
individual's criminal history contains disqualifying crimes
under Federal law. TSA officials informed us that airport
officials rarely or almost never document the results of their
reviews electronically. Thus, TSA cannot systematically
determine whether individuals have been convicted of
disqualifying crimes.
Instead, TSA performs annual manual inspections of
commercial airport security operations, including the review of
documents that aviation workers have submitted when applying
for credentials. However, due to the large workload involved,
particularly at larger airports, this inspection process looked
at as few as 1 percent of all aviation workers' applications.
We also found weaknesses in the verification process for an
individual's authorization to work in the United States.
Airport operators are required to ensure that aviation workers
are authorized to work in the United States before they send
their information to TSA for review. However, our review of TSA
data showed that TSA has denied credentials to over 4,800
people because they could not show their lawful status to work.
This occurred even after or even despite the fact that these
individuals had been previously cleared by the airports as
being authorized to work in the United States.
Lastly, the records TSA uses for vetting individuals is not
reliable, as it contains incomplete or inaccurate data. For
example, we found that there were 87,000 active aviation
workers who did not have Social Security numbers listed, even
though Social Security numbers are the best way to match
individuals to existing records.
An additional 75,000 records listed individuals with active
aviation worker credentials as citizens of non-U.S. countries,
but did not include passport numbers. Of those records, over
14,000 individuals also did not list alien registration
numbers.
TSA did not have appropriate checks in place to reject such
records from vetting. Without complete and accurate
information, TSA risked credentialing and providing unescorted
access to secure airport areas for a worker who could
potentially harm the Nation's air transportation system.
We made six recommendations in our report. TSA has agreed
with all of our recommendations and has provided target
completion dates for corrective action. We are satisfied with
TSA's corrective actions to date, but we will continue to
follow up on implementation of these actions.
Mr. Chairman, thanks again for inviting me here to testify.
I look forward to discussing your work with you and other
members of the subcommittee.
[Prepared statement of Mr. Roth follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Mica. Thank you.
We will recognize FAA representative Margaret Gilligan.
Welcome back, and you're recognized.
STATEMENT OF MARGARET GILLIGAN
Ms. Gilligan. Thank you, Chairman Mica. Thank you, Ranking
Member Duckworth and members of the subcommittee. I welcome
this opportunity to appear before you today on the issue of
oversight of aviation credentials. I know this is an issue of
significant interest to Chairman Mica because we have appeared
on this issue under your leadership before, sir.
The mission of the FAA is ensuring the highest levels of
safety for the millions of passengers flying every day. The
agency is charged with the oversight of airlines and aircraft
manufacturers, the safety of our Nation's airports, and
training our air traffic controllers. Taken together, we
operate the safest and most efficient airspace system in the
world.
The FAA issues 23 different types of airman certificates,
including those to pilots, mechanics, dispatchers, flight
attendants, and air traffic controllers. There are more than
800,000 active pilot certificate holders alone.
A pilot certificate is a credential attesting to the
training and competence of the pilot. It is the same as a
lawyer who must have evidence of admission to the bar or a
doctor who is board certified in a specialty.
In all these cases, the credential is not used as
identification media, and it does not impart security access to
courtrooms, to operating rooms, or to airports. A pilot never
uses his or her pilot certificate to gain access to airport
areas. Instead, he or she uses the security credential issued
by the airport, as required by TSA.
Since 2002, FAA has taken actions to enhance the security
of pilot certificates. We require pilots to carry a valid
government-issued photo ID in addition to a pilot certificate
whenever they're flying. This allows an FAA inspector or others
to confirm both the pilot's identity and his or her pilot
qualification.
The FAA phased out paper certificates and incorporated
tamper- and counterfeit-resistant features, including
microprinting, a hologram, and a UV-sensitive layer. In 2010,
FAA issued a notice of proposed rulemaking to require a photo
on pilot certificates and to improve the process for getting a
student pilot certificate.
While we were preparing that final rule, the FAA
Modernization and Reform Act required that the pilot
certificate accommodate fingerprints, iris, and comply with
specific security standards. Unfortunately, our 2010 proposal
did not include those security requirements, and to allow the
pilot community as well as the general public to comment on the
full statutory mandate, we needed to draft a new proposal.
However, at the same time, the security and intelligence
communities determined that allowing student pilots to operate
an aircraft as pilot in command prior to being vetted was an
unacceptable security risk. The administration committed to
closing that security gap, and last month, FAA published a
final rule requiring student pilots to appear before an FAA
inspector or other authorized designee to verify the student's
identity. The student pilot certificate will be issued once TSA
completes its vetting.
We recognize that the 2012 legislation included specific
direction on airman certificates, and we regret that we are not
further along in the process of implementing those provisions.
But as our 2013 report to Congress outlined, there are major
challenges to implementing the congressional direction. While
the National Institute for Standards and Technology has issued
standards for the collection of iris images, there are no
approved GSA products--there are no GSA-approved products for
the collection or use of iris biometrics.
Before we require collection of biometrics, we need to
understand where and how they would be used. There are no
requirements that airports use iris or other biometric
information for authorizing access at airports. So neither FAA
nor TSA have estimated the costs to develop and install such an
infrastructure at nearly 550 airports eligible for Federal
grant funds or the more than 5,000 airports that are open to
the public. As part of our rule to require biometrics, we will
have to estimate what the costs of that infrastructure system
will be to the airports and to the taxpayer.
In our report to Congress and in the preliminary work we
have done on the rule, we estimated that the new certificates
will cost more than a billion dollars over 12 years. As both
Congress and the administration are committed to minimizing the
costs to the public of Federal actions, that cost estimate
alone may be our biggest challenge. The reality is that to
include biometric information on pilot certificates drives
costs and may not be the most effective way to meet our
security objectives.
FAA has worked with TSA to develop options to accomplish
the congressional direction. We will work to publish a
proposal, although demonstrating benefits to justify a billion
or more dollars in costs will be very difficult, and we will
keep Congress informed on our progress.
That concludes my remarks, sir, and I'll be happy to answer
any questions.
[Prepared statement of Ms. Gilligan follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Mica. Thank you. And we'll hold the questions.
Let's get to Ms. Carroll, who's vice president of HID
Global.
Welcome, and you're recognized.
STATEMENT OF KATHLEEN M. CARROLL
Ms. Carroll. Good afternoon, Chairman Mica and Ranking
Member Duckworth. Thank you for the opportunity to appear
before you today to discuss how private industry can contribute
to and support all stakeholders in securing our Nation's
airports.
I am testifying on behalf of the Security Industry
Association, a nonprofit international trade association
representing more than 600 companies. I am the chair of SIA's
Government Relations Committee, and I also chair the Privacy
and Public Policy Working Group at the IBIA.
We believe that to confront the ever-evolving threats to
aviation security, all stakeholders should be working more
closely with private industry. We recognize that TSA has been
working diligently toward solutions that further enhance
security in the Nation's airports. To that end, TSA requested
that the Aviation Security Advisory Council analyze the
adequacy of existing security measures and recommend additional
measures to improve employee access controls.
One of those recommendations included biometric
confirmation of identity for badge issuance. Biometrics are
already in use at several airports across the Nation, including
BWI and San Francisco. These biometric deployments enhance
security by tying the badge to the holder of the badge.
Biometric technology has improved substantially in recent
years, and industry continues to invest in further
advancements.
There are several key measures to help ensure optimum
performance of a biometric system that should be included in
any standard that TSA establishes. One is false acceptance
rates, which sets the level of security. Another is the false
rejection rate, which delivers a good customer experience. You
can't have one without the other.
Another key measure is liveness detection, which eliminates
spoofing. For example, liveness detections would solve the
worry around the biometrics that were stolen during the OPM
breach. Biometric information is worthless if it isn't usable.
With liveness detection, the only way it is usable is if the
living human being presents their biometrics.
Beyond biometrics, the security industry suggests that
airport worker credentials follow a federated model. Many
airport employees work at multiple airports and often need to
go through the vetting process and carry a badge for each
airport.
In a federated model, such as the U.S. Government's
Personal Identity Verification program, each Federal employee
is vetted to an acceptable and known process across all Federal
agencies. PIV credentials use the Public Key Infrastructure as
one of several security features so that the credential can be
trusted for access to all government buildings and computer
networks. PKI also allows for instant revocation of a
credential across all these systems from a central location.
A federated credential system would significantly enhance
airport security, be more convenient for airport employees, and
reduce the costs of having to issue multiple credentials.
As the ASAC and TSA have recognized, the best security
relies on a risk-based approach, and one that is layered so
that a breach in any one layer does not compromise security.
The use of CCTV cameras, physical access control systems, and
physical barriers are just some of the layers in use at
airports today.
The ASAC report also recommends an audit process that
reconciles a badge holder's work schedule with the access
control system to identify anomalies or irregularities, such as
an employee using his or her badge at the airport outside their
normal work hours. Unfortunately, this looks into the past and
will not detect such anomalies in real time when a security
breach might be occurring.
The security industry has developed identity management
systems that serve as systems of record for every airport
worker and will detect anomalies or deviations from normal work
patterns in real time. These systems will alert airport
security if anomalies deviations occur so they can be
investigated immediately if necessary.
Equally important, such identity management systems, which
are being used by several major airports throughout the
country, are structured so that they enforce all TSA guidelines
for badging and meet airport security policy as determined by
each airport. These same systems can conduct audits recommended
by the ASAC to ensure that an authorized signatory is in
compliance with badging requirements.
In the future, as TSA explores the use of social media to
track and assess emerging threats that may pose a risk to
aviation, identity management systems could prove to be a
valuable tool in automating this vital undertaking.
It's important to remember that the credential is just one
piece of the security solution. The infrastructure must be in
place to authenticate and authorize badge holders in an always-
connected environment.
I want to thank the committee again for including the
security industry in this important discussion. We welcome the
opportunity to contribute to improve the aviation and airport
security nationwide. I look forward to your questions.
[Prepared statement of Ms. Carroll follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Mica. Well, thank you. We now have 9 minutes left in
this vote. I have to depart. And we will not be convened before
2 o'clock, and probably sometime between 2 and 2:10 we will
reconvene. So you are free to disappear until then. But we will
proceed with questions at that time.
The subcommittee stands in recess.
[Recess.]
Mr. Mica. We will call the subcommittee back to order, and
thank you for your patience while we conducted our votes. We
have heard from all four witnesses, and now we'll proceed with
some questions.
Well, let's see, Ms. Gilligan, you have been here before.
As you cited today, you said you made apologies for not having
some of this done and trying to get things done. April 14,
2011, you testified before us, Congress, the Transportation
Committee. I know FAA has not acted on these directions as
quickly or as comprehensively as this committee intended. So
was yesterday Groundhog Day?
Ms. Duckworth. Yes.
Mr. Mica. We keep hearing the same thing over and over. Did
you want to respond?
Ms. Gilligan. Well, Mr. Mica, as I noted in my testimony
this morning, we do understand that you are very frustrated
with this. Having said that, as I also testified, there are
tremendous challenges in moving this forward, not the least of
which is the amount of costs that it's likely to drive. And
that's why we are going to try to work with TSA, and quite
honestly now, with Ms. Carroll's organization.
Mr. Mica. With Ms. Carroll's organization? Ms. Carroll,
don't you have examples where this can be done fairly cost-
effectively? Most of these pilots' licenses only cost--the cost
is minimal. I know Disney can't be paying a fortune for their
card.
Ms. Carroll. Well, it depends. I mean----
Mr. Mica. How much would a card be?
Ms. Carroll. A card?
Mr. Mica. A range. A range.
Ms. Carroll. Okay. Depending on what kind of electronics
are in there, what kind of security features, $2.50.
Mr. Mica. Well, again, I want to know who has the card and
who is getting access. We don't know that now.
Ms. Carroll. Who get--that gives----
Mr. Mica. Who is in possession of the card and who is
gaining the access? Are we identifying who the person is? And
do we have that information embedded in the card?
Ms. Carroll. For certain programs, yes, sir, we do.
Mr. Mica. They already have that. You already produce some
of that, don't you?
Ms. Carroll. We do. We make the U.S. green card, sir.
Mr. Mica. Does that have a fingerprint?
Ms. Carroll. It does not have the fingerprint.
Mr. Mica. It doesn't? Well, it sure as hell should. That's
another waste of money.
We sat with these people after 9/11, State Department and
others. They are all producing garbage IDs. I mean, I am going
to put Ms. Duckworth on staff. She has a 1904 pilot's license,
1904 pilot's license she pulled up. It has a picture, it has
the name, it has the signature. It has a physical description.
Now here it's not embedded. And then it has the fingerprints.
1904.
Here is Amelia Earhart's picture, all identifying
information. I'm pretty sure the other side is fingerprints.
And here we are in 2016, 15 years after 9/11, we don't know
who's going in and who's coming out. There is no way to ensure
it.
The TWIC card, we should do another hearing on that,
Transportation Worker Identification. They spent half a
billion, $500 million total? It's just incredible. Now they
have to come with a driver's license. They have a card, but it
doesn't have a reader. We still don't have a reader, do we, at
the ports, to read them? Does anyone know? DHS know?
Mr. LaJoye. Not as of yet.
Mr. Mica. Not as of yet. See? Fifteen years. And Mickey
Mouse, or at least I called the FAA card Mickey Mouse, but the
Minnie Mouse one, we know who it is.
You spoke a little bit about identity management systems,
okay, but they're in very few airports or many airports? What's
the status?
Ms. Carroll. There are 21 airports. Boston Logan----
Mr. Mica. Out of 450.
Ms. Carroll. Yeah, 21 out of 450, right.
Mr. Mica. Are they all the largest category, in the largest
category?
Ms. Carroll. DFW, Sea-Tac.
Mr. Mica. Pretty much----
Ms. Carroll. Yeah, pretty much the bigger ones, yes, sir.
Mr. Mica. But they're not everywhere?
Ms. Carroll. No, sir.
Mr. Mica. That's troubling, even when you have the systems.
And that's interesting that the systems also can identify
erratic----
Ms. Carroll. Yes, sir. It can detect anomalies in patterns
of access and where people go, and it automatically alerts
security if there is an anomaly. So, for example----
Mr. Mica. But there's no requirement, and they have
voluntarily put them in place.
Ms. Carroll. Yes, sir.
Mr. Mica. But, again, we have seen that these folks target
our soft areas. So you have 21, so we have another 430
locations that you can--you don't have that in place.
Iris. Where are we on iris, Ms. Gilligan?
Ms. Gilligan. Well, sir, I think as you know, the National
Institute for Standards and Technology did issue a standard for
the collection of iris.
Mr. Mica. Right. But you said there was no GSA----
Ms. Gilligan. Right, at this point. One of the requirements
in the statute was that the system be linked to PIV
requirements, and GSA has apparently----
Mr. Mica. Information, what is PIV requirements?
Ms. Gilligan. Ms. Carroll used it earlier, sir. I don't
know what it stands for.
Ms. Carroll. So I'm not a real technology expert, I'm more
of a policy person, but the PIV card is the credential that
follows the standard developed by NIST. It's a FIPS 201
standard. And so it was developed for all Federal employees so
that they had---
Mr. Mica. Right. So that's the standard.
Ms. Carroll. That's the standard, right.
Mr. Mica. But we have--we don't have that in place.
Ms. Gilligan. There are no systems--to your earlier point--
there are not yet any approved vendors of systems to be able to
read and take advantage of the iris biometric.
Mr. Mica. But you developed--I didn't mean to interrupt,
but I do. Actually, I'm from New York originally. This is
interesting, guys, listen. I read these old books--I collect
old books--usually before 1800, printed in America. And they
are little capsules of time and space. Somebody wrote them on
what they observed at that time and space. This doesn't count
against my time. Turn it off.
So I am reading this book, and this is back in the 1790s,
and it's a guy that came from England, and he wrote his
memoirs. He says: I am in New York now visiting. He said people
in New York have a habit of interrupting people when they're
talking. And that's over 200 years ago. I do the same thing.
It's just--I think it's in the DNA or maybe the water system.
I'll give you one more quick one, and this is an aside
since it's a small group. I got another book, a guy visited
here 1828. Listen to this. He came to the House of
Representatives. He's from England. He says, I have come to the
Chamber of the House of Representatives, and he says, it's a
strange body that meets there. He says, the Members stand up,
he says, there's no one in the room, he says, and they give a
speech, and the stenographer takes it down. Obviously, for the
consumption of their constituents back home. This is before C-
SPAN. This is 1828.
Then his other observation, in 1828, he says, I am here in
the United States visiting, and he says, 1828 is an election,
they elect the chief magistrate of the United States. They used
to call them that. He says, and in this year everything circles
around who shall be the next chief elected executive of the
United States and nothing else gets done. Do things change
much?
That was a terrible aside, but I thought I could share that
with you all. There are some prerogatives as chairman.
But, again, not much has changed on this. I don't know what
to do. It's troubling too to hear--you talked about TSA setting
standards for IDs. Who talked about that? Carroll? Ms. Carroll?
Ms. Carroll. Yes, sir, the ASAC recommended that the----
Mr. Mica. But they haven't.
Ms. Carroll. Well, the recommendation just came out.
Mr. Mica. But they haven't.
Ms. Carroll. Set standards, no.
Mr. Mica. How about that? Let's do a letter too, as a
result of the hearing, staff, I won't dictate it now, we would
like you to set standards for this credentialing. But that's
not done yet. It just came out.
Ms. Carroll. Yeah. I mean the recommendation to set the
standards. But I mean, you know, the FIPS 201 standards, and
NIST has done significant work on setting standards for
biometrics as well.
Mr. Mica. But it's all out there, but they have to adopt
it. And then what was troubling is no full use of all the
databases. And I think that's being corrected now. Is that
right, LaJoye?
Mr. LaJoye. Yes, sir, it is.
Mr. Mica. And I don't like to ask this, but you started
giving us some numbers, like there is 70--well, there's 87,000
with no Social Security number in the base?
Mr. Roth. That's correct. Of the 900,000 names that we
pulled, there are about 87,000, or about 10 percent, had no
Social Security number in the database.
Mr. Mica. And then 75,000, what was that figure?
Mr. Roth. The 75,000, if I recall, was no passport number.
And then a subset of that had no alien identification number.
Mr. Mica. So they could technically have people who are
aliens working, without us knowing about it, at the airports?
Mr. Roth. Yeah. The issue we had with TSA's data set was
that there wasn't an ability, any assurance that the data could
be used. So when you run it against the terrorist database or
you run it----
Mr. Mica. And the 73 that you found, were they airport
workers, TSA workers, combination of the above, or people who
just got into secure areas?
Mr. Roth. They would be airport workers that held a secure
identification badge, in other words to be able to go into the
secure areas of the airport next to the aircraft, checked
baggage, that kind of thing.
Mr. Mica. I don't know why TSA can't contract--it's not
that expensive--with someone who can do sort of a nonstop
criminal check. Do you know any reason? We can talk to the
administrator about that. That's a big gap too. And the self-
reporting, as the IG pointed out, doesn't cut it, the last
thing they want to do.
Do you think that's possible, Mr. LaJoye? I know you don't
set policy, but----
Mr. LaJoye. Well, Mr. Chairman, one of the things that
we've recognized, along with the ASAC, is we are piloting the
Rap Back program with the FBI that would allow us to get
recurrent vetting with criminal records history checks similar
to what we do with TSDB today. So that pilot is going to start
in March, and we are hopeful that we can roll it out before the
end of the year.
Mr. Mica. A couple of other quick ones before I yield.
The employee assessment is only done every 2 years. Is that
correct? Or is that just for employment and then----
Mr. LaJoye. Again, that's an interim measure we put in
place, you know, until we have----
Mr. Mica. But you've been hiring people without that
employee and putting them to work without that assessment
completed. Is that not correct?
Mr. LaJoye. Well, again, we put out, it was a few months
ago, the requirement. We knew we wanted to work with the ASAC
to get to the FBI Rap Back. But in the meantime, knowing it
would take some amount of time, months, better part of a year
to get that across the airports, we did require that they go
out and conduct criminal history records checks at the renewal
point or every 2 years thereafter.
Mr. Mica. One of my sheriffs called me and said he had
fired a couple of deputies for really serious offenses and
misconduct. He said the next thing you know they were over in
Daytona Beach as TSA screeners. He asked me what's going on and
I couldn't tell him. But they, as we've checked, they hadn't
been cleared, hadn't been properly vetted, but they could get a
job.
How quickly, Ms. Gilligan, how quickly does FAA revoke a
license after disqualifying information is received?
Ms. Gilligan. We issue the revocation based on a request by
TSA that they have made a determination that someone holds a
pilot certificate and is a risk to national security. So as
soon as we receive the notification the process--the action is
taken by our counsel's office.
Mr. Mica. But they could still use that ID with another
form of ID and you'd never know who that person was.
Ms. Gilligan. No. When the pilot certificate is revoked,
they are required to turn it in. And if they don't, we pursue
that, so that we do--retrieve the pilot certificate when it's
been revoked.
Mr. Mica. I want to give everyone a chance. Ms. Duckworth,
we will go to you. I have more questions, unfortunately. Go
ahead, Ms. Duckworth.
Ms. Duckworth. I just want to follow up on that Ms.
Gilligan. When you said the pilot certificate is revoked you
retrieved it. What about when it's changed or they get a new
certification?
Ms. Gilligan. I'm sorry, I was responding specifically to
Mr. Mica's question. We have a process where TSA notifies us if
they have determined, after someone has gotten a pilot
certificate, that they now pose a risk to national security,
and based on that notification we revoke that certificate.
Separately, any time a pilot gets a new rating or raises to
a new level, they must present themselves to an inspector or to
another designated--usually a flight instructor or other
designated representative, have their photo ID. Our folks will
then confirm that they demonstrate that they have met the
requirements to become a commercial pilot, for example, or that
they have passed their type rating in a 737, whatever it may
be. And that information is transmitted then to the registry
and the new certificate is issued.
Ms. Duckworth. Right. But you don't take--you don't recover
their old certificate with the old information.
Ms. Gilligan. I don't--apologize, ma'am, I actually don't
know the answer to that. I thought they turn--I thought they
give their old certificate when they get their new one.
Ms. Duckworth. I have both my old one and my new one.
Ms. Gilligan. Okay. Then you're right.
Ms. Duckworth. So something to take a look at.
So I'd like to take a look at the credentialing process and
effectiveness and security lapses. My whole point today is just
to make sure you guys get the resources and the support you
need to do what you need to do to keep our people safe. And if
there is something that we find out today where you need
congressional help, legislative help, you need appropriations,
you need something, let us know. That's really what I am
interested in, to make sure you get the resources to do what
you need to do.
And so, Mr. Roth, there are many issues to be discussed
today, but the central one is this. In 2011, that inspector
general's report concluded that individuals who pose a threat
may obtain airport badges and gain access to secured areas. Do
you believe that individuals who pose a threat may still be
able to obtain airport badges and gain access to secured areas
today?
Mr. Roth. Yes, I do, for a number of reasons. One is, as I
highlight in my testimony, the TSA, as a regulator who has to
regulate the 450 airports who make the determination with
regard to criminal history, for example, can only do a fraction
of the regulation that they probably need to do to check on how
well the airports are adjudicating some of the criminal
history. That would be one thing.
The second is that TSA's database is very, very filled with
errors, and it is going to be difficult to do any kind of
matching between TSA's database and, for example, the criminal
history databases or even the terrorist watch list databases.
And third, the way the legislation works, it's really a
box-checking exercise. You've either been convicted or not
convicted of certain offenses. If you have not been convicted
of those offenses, you are free to get--and you have you the
ability to work in the United States--you have unrestricted
access to the most secure areas within the airport. It's
functionally the same level of security clearance that an
individual with PreCheck would have. It isn't a holistic: We
will look at this person and determine whether or not he is a
threat to aviation security. Rather, if he is convicted of a
certain level of crimes, he doesn't get it. Or if he is
convicted, he doesn't get it. If he isn't convicted, then he
gets it, regardless of what could be in his background.
Ms. Duckworth. So what do you think are the most important
outstanding recommendations that your office has made to TSA
that have yet to be implemented?
Mr. Roth. We are in the process of--we made six
recommendations. Two of those have been closed, one of which
was the most serious one, in our view, which was the lack of
TSA having all the information in the TIDE database. So that's
been worked out. There are a number of ones in which they are
working towards getting a solution towards it. So we are
satisfied that they are making progress in the right direction.
The difficulty, as I see it, is that TSA is working in a
system where airports have certain authority and TSA has
certain authority, and any time you have a split in authority
like that, it's going to be very difficult to ensure that
things don't fall through the cracks.
Ms. Duckworth. Mr. LaJoye, do you have any comments on
that? Or what do you need to help you to be able to meet all
six of those recommendations?
Mr. LaJoye. Well, I think at this point, Ranking Member, to
the IG's point, it's just a matter of putting some technical
fixes in place with data quality, is how I would characterize
it. This is an intensely manual process, as you can imagine.
And so errors in data, you know, inhibits our ability at times
to effectively vet. And so to the extent to which we can, you
know, incorporate some logic into a system to cut down on data
entries, we have gone out and we have changed our national
inspection manual for all of our inspectors. When they go to a
badging office, look at the original documents.
So there is a number of things we are putting in place. But
with respect to the IG's open comments, I think at this point
it's just a matter of putting the technical fixes in place.
Ms. Duckworth. And do you have a plan for those technical
fixes? Do you have the support you need to put those technical
fixes into place? And what is that timeline? Are you saying
that--you know, the IG is saying you are on your way to meeting
those, but on your way could be 6 months or it could be 6
years.
Mr. LaJoye. I think we're acting deliberately, sensitive to
the fact that there is the cyber issues, you know, we have to--
with respect to privacy. And so I couldn't characterize it as
years. I'd characterize it more as months. And, again, getting
back to our office I could get you specific timelines on some
of them, but I can assure you there is a deliberate plan to
close these in short order.
Ms. Duckworth. I would love to see, and if it's all right
with the chairman, a report back as to the timeline as to when
they will be closing all six of the recommendations from the
IG.
Mr. Mica. Okay. And we can ask the staff to follow up with
questions. There will be questions submitted. And if we can get
a response for the record.
Mr. LaJoye. Absolutely.
Mr. Mica. Without objection, we will do that.
Ms. Duckworth. Thank you, Mr. Chairman. I yield back.
Mr. Mica. Okay. Well, a couple more questions here. There
is obviously a huge number of lost or stolen credentials. You
found a lot of that, Mr. Roth?
Mr. Roth. In our earlier audit we did find a number of
essentially lost credentials. We are currently doing an audit
of the SIDA badge process to see whether or not that has
improved. Hopefully, we will have that audit out later this
year.
Mr. Mica. And even if you had the pilot's license, which
has no photo on it, has no biometric way to tell that that's
the individual, and another form of ID, which might not have
any form of biometric, we still don't know who's entering. Is
that correct?
Mr. Roth. My understanding is that the way the SIDA badge
works in a large majority of the circumstances----
Mr. Mica. Right now I'm talking about the pilot's license.
Mr. Roth. That I cannot comment on.
Mr. Mica. It's a fact, Ms. Gilligan. We don't know, we have
no way of knowing because we still have this, as I've termed
it, Mickey Mouse pilot's license. We have no biometric. We
don't know who those people are. And then if it's a stolen or
lost one--we had a hearing some years ago on credentials. I
never realized how you can duplicate credentials. And college
kid and students are incredible at reproducing these IDs. But
we really don't know who that individual is unless there is a
biometric.
Ms. Gilligan. But at this point the pilot certificate is
not used to gain access in any situation.
Mr. Mica. I know. It can't be. They can use a driver's
license. But the whole purpose was for us to know who is in
control of the aircraft, who the pilot is. We have had at least
one instance, we saw the European, sometimes some things happen
with people who have taken control of aircraft or gained access
with false credentials.
Do we know with--the other thing is vetting people. I think
you can screen them through metal detectors, but you need to be
reviewing these individuals that are working behind a secure
area--or in secure areas. And we don't do a very good job of
that.
TSA has failed in vetting some of those folks, right, Mr.
Roth?
Mr. Roth. That's correct. To be more accurate, it's the
airport.
Mr. Mica. What worries me after this hearing is you have
just said we have got thousands of people working there. We
don't even know--well, 10 percent of them we don't have Social
Security numbers of. Then we have 75,000 that you mentioned,
14,000 no passports. They could be aliens.
One of my concerns is--I've seen some of the big airports
on the East Coast, Chicago, they do employ a lot of folks from
different nationalities, no offense, and they should be able to
work. But there are people we don't know about as far as their
background, and then we're not vetting them.
We don't know about Egypt, what took place there yet, do
we, Mr. LaJoye, with that? They thought that the plane that was
taken down supposedly by ISIS was an inside airport job. Do we
know that?
Mr. LaJoye. Well, I think that's probably worth a closed
session discussing any particulars we have on that, but I am
not prepared to comment beyond that, Mr. Chairman.
Mr. Mica. But a lot of things indicated it was an inside
job.
And the other thing too is everything we have done with TSA
is always a reaction; 9/11. We finally put in some standards.
You know, everybody says private screening failed. It wasn't
private screening that failed, it was the Federal Government
that didn't put any standards in for the screeners. And part of
that they got--the government got lobbied, don't put anything
that would cost the airlines another penny. So it was the
failure--it was the failure of the government to put in
policies for what could not be brought onboard. There was no
Federal prohibition to box cutters.
I remember when we looked at it after 9/11, the direction
to pilots, and we actually read from the manual for dealing
with hijacking, was to land the plane in Havana and contact the
Swiss consul there. That was the instructions, to cooperate,
basically, with the hijackers and then land the plane there.
That was the government's instructions to the pilot.
So the government failed. And the government to me is
failing to take steps. Everything we've done, the metal
detectors, the shoe bomb, they saw a flaw in those. So what did
we do? Of course I remember going to Italy, where they made
most of the--we brought--we actually brought the metal defector
capability down lower to the floor. But today most people
take--have to take off their shoes unless you've got PreCheck
or some situation. That's a result of Richard Reid and his--
going after the diaper bomber explosives. Now we have the body
scanners. It's always a reaction.
And here, again, I think they can easily determine what our
most vulnerable points are. Liquid bombing, a vulnerable point,
now we all have to take our liquids out. So it's always after
the fact.
Is there any progress you can report, speaking of liquid
bombs? There is equipment that we went to purchase, and that
sat around for a while, that could detect liquids that posed a
risk, and that equipment was dumbed down or not used. Is there
any current effort to buy that equipment or deploy that
equipment, Mr. LaJoye?
Mr. LaJoye. Well, again, there is various pieces of
technology with respect to liquids. Some of it we do employ,
some of it we have not yet deployed. We could perhaps give you
a full briefing on the various different pieces of technology
that are available.
Mr. Mica. I can tell the committee and staff. We looked at
it, we had a whistleblower, equipment was sold to them, had
that capability. They neither could train their people or
operate it. So basically they disarm ability of the equipment
to detect that. So we still--we can't bring things on to this
day. But that equipment is available.
Let me look here. Renewal and lost. Okay. I heard that you
can--can you renew your--I am going to say license, you keep
saying certificate--but can you renew that license by either
electronic request or by phone?
Ms. Gilligan. The pilot certificate is not renewed. It
doesn't need to be renewed. But as Member Duckworth mentioned,
most pilots add additional capabilities to their certificate
over time. Any time you----
Mr. Mica. So it's just permanent? It's never--okay. Go
ahead.
Ms. Gilligan. Well, any time you are getting----
Mr. Mica. So embedded in it would be only the information
about additional capability of flying, say, certain aircraft
or, like, civil versus commercial----
Ms. Gilligan. Right.
Mr. Mica. --versus cargo or whatever, or big planes, small
planes.
Ms. Gilligan. That's right. Every time someone adds a
capability to their credential----
Mr. Mica. That's interesting, because provided by Ms.
Duckworth, again, incredible research--in fact, maybe we could
divide some of the staff money to add it on to your pay for the
work you've done on this one. But this even has license
renewals here----
Ms. Gilligan. That would likely have been the medical. So
pilots do renew their medical certificate.
Mr. Mica. Inspector's endorsement. That's what it says. And
the renewal. We don't have that--there is no renewal.
Ms. Gilligan. We don't require renewal.
Mr. Mica. Okay. Okay. Just, again, and lost, you have any
information on lost or stolen credentials, Mr. Roth?
Mr. Roth. Again, the airports have an obligation when a
SIDA badge is reported lost or stolen or that employee quits,
leaves, to turn it off.
Mr. Mica. And they are required to notify TSA?
Mr. LaJoye. They're required to notify the airport, Mr.
Chairman, where then the airport is required to immediately
deactivate the badge.
Mr. Mica. But do you get a notification on them?
Mr. LaJoye. We would not if it's a lost or stolen badge.
Again, that would happen to the airport. Now, we do inspect,
right, because every airport they have thresholds they can't
exceed. So we went back----
Mr. Mica. There is a law or regulation that says when 7
percent of the credentials are compromised they have to reissue
all new. Is that----
Mr. LaJoye. We can--I mean, I can brief you specifically on
what the requirements are, but it's lower than what you just
cited, Mr. Chairman. But we went back over a 5-year period,
understanding this is an area where the majority of airports
are really very compliant because the cost of noncompliance is
steep. It's exceedingly expensive for them to rebadge their
population. So we went back over 5 years, almost 450 airports,
and we only had 23 instances of airports having to rebadge any
part of their population.
So, again, this is really an area where the airports have a
high level of compliance with respect to maintaining control of
those lost and stolen badges.
Mr. Mica. So you're basically relying mostly on a driver's
license for identification, right?
Mr. LaJoye. I'm referring to SIDA badges that are lost.
Mr. Mica. Well, let's say for a passenger--or for a pilot,
because the pilot has an ID that doesn't have a picture and
information.
Ms. Gilligan. But, Mr. Chairman, the pilots do have SIDA
badges.
Mr. Mica. Yes.
Ms. Gilligan. Pilots are vetted through the airport system,
just as all employees are.
Mr. Mica. But they're all different, as we've heard.
Ms. Gilligan. There are differences. And as I think Ms.
Carroll makes the case, there is value in looking at how to
perhaps refine that process. But I don't want to leave the
impression that pilots aren't----
Mr. Mica. And some of this too is--I can't blame you all
totally because I have seen what happens. The airports lobby
for keeping everything they're doing, and they don't want to
change it, my God, you can't change it. The airlines are just
as bad. Oh, no, they can't do this. You can't require that.
There can't be standardization. They're just as bad. And then
some of you are left in the lurch. So I'll give you that much
credit.
But we still have credentials, as I called it, in chaos.
And somehow it's gotten us to this stage, but it's in spite--we
have been very lucky and fortunate so far. I try to stay a
little bit ahead of the curve. I think we need to have a
sitdown with the new Administrator again. He was good to come
in at the beginning. I know he's trying to institute some
changes and reforms, things that make sense. But I think there
are some of these items that we need to go over.
I think we probably should look at some of the results--
sometimes we do these hearings and nothing gets done. But what
we might do, staff on both sides, make a list of some of these
items. And then they have we have authorizers, Mr.--from New
York--Katko, he is an authorizer. He has also passed a couple
of bills. We are not an authorizing committee. We are
investigation and oversight. But if we just look at these and
do nothing, not much comes as a positive result.
So if we could, staff, let's put together, work with the
minority, the things that we have uncovered here today that we
could.
And if you get a chance, we will sit down with the
Administrator and see where we could do more.
FAA, we'll have another Groundhog Day in a couple of years
and we'll hear that they're on their way. But they also have
some constraints, I know. And then the private sector has the
solutions.
Don't you have the solutions, Ms. Carroll?
Ms. Carroll. Yes, sir, we do. And all we want to do is help
in whatever way we can.
Mr. Mica. You are doing both the fingerprint and iris. You
have that capability?
Ms. Carroll. Yes, sir.
Mr. Mica. You have readers for both?
Ms. Carroll. We have readers for all, yes, sir. And we have
the systems to overlay.
Mr. Mica. I think the staff, when we were putting this
together, 15 years ago I was at some of the European airports,
and they had the finger and iris in operation. That's 15 years
ago.
Ms. Carroll. Well, sir, just a point of clarification. In
the United States, especially, fingerprints seems to be the
default because they have to do criminal background checks and
things like that. And so most of our databases for criminal
background checks are fingerprints. And so that seems to be--
especially for workers.
Mr. Mica. For a passenger. Like I have PreCheck.
Ms. Carroll. Perfect. Iris is a good solution for
passengers because of the----
Mr. Mica. I think CLEAR might have that. Does CLEAR have
that?
Ms. Carroll. I'm not sure. I'm not sure. Yeah.
Mr. Mica. They may have. And we've looked at turning that
over to the private sector, all of the people who could qualify
for PreCheck or credentialing, and then let TSA keep some of
the rest of the mix. But, again, we don't know who is getting
on. We don't know where the credentials are. The credentials
are lacking information.
Let's see if I have got any final questions. We will be
submitting, as I said, some questions for you to respond to.
One last question about--we rely quite a bit on a driver's
license. The Feds have set some REAL ID standards, I guess, and
I guess there are still some States in noncompliance. Where are
we with that, Mr. LaJoye?
Mr. LaJoye. Some of the initial enforcement of that will
begin in 2018, and final enforcement will begin in 2020, Mr.
Chairman, you know, at the point----
Mr. Mica. I'm sorry? 2000--give me the----
Mr. LaJoye. Some of the initial enforcement of the REAL ID-
compliant driver's license to gain access to the checkpoint
will begin in 2018, with final enforcement beginning in 2020 on
that.
Mr. Mica. But we're still 2 years out. But you're accepting
the flawed IDs now.
Mr. LaJoye. Well, again, I mean, it's----
Mr. Mica. It's noncompliant. Yes. I mean, yes, you are.
Mr. LaJoye. Well, again, we will start enforcement of that
in 2 years. It gives time for States to----
Mr. Mica. We can pick out the States you should enforce it.
Ms. Duckworth. Like Illinois.
Mr. Mica. Illinois.
And then final for Ms. Gilligan. When does FAA expect to
establish a pilot records database?
Ms. Gilligan. We're working closely, actually, sir, with
one of the representatives from the family groups from Colgan
who has a technical background.
Mr. Mica. This is way, way back.
Ms. Gilligan. The requirement for the pilot records
database was in the FAA Extension and Safety Act of 2010.
Mr. Mica. And what year is this?
Ms. Gilligan. 2016. So we are working to establish--we have
done a pilot program. We do understand what is required. The
dilemma is that there are a number of kinds of records that
airlines have kept over the years, including paper records and
microfiche and----
Mr. Mica. But you can set standards----
Ms. Gilligan. Yes, sir, but----
Mr. Mica. --for the records. Have you?
Ms. Gilligan. Set standards for the records?
Mr. Mica. For what is required as far as keeping for a
database.
Ms. Gilligan. Yes, we have informed the airlines----
Mr. Mica. And then it can be electronically transmitted.
Ms. Gilligan. We have informed the airlines of the records
that they need to maintain in accordance with the statute, and
that began in 2011 after the passage of the statute.
Mr. Mica. But yet we still don't have a database.
Ms. Gilligan. We have not been able to establish the
integrated database at this point.
Mr. Mica. Again, it's just very, very, very, very, very,
very frustrating.
Anything else, Ms. Duckworth?
Ms. Duckworth. Not at this time, Mr. Chairman.
Mr. Mica. Okay. I will ask the staff to go through and see
what questions we want to submit. We appreciate your response
for the record. We leave leave the record open for--instead of
5 days, let's change it to 10 days, because we'll submit a
bunch of questions to them that have not been answered here.
Mr. Mica. We appreciate your participation. Our intent is
to try to do better. And we have a responsibility for oversight
and making certain we move this process forward and keep us
safe and secure.
There being no further business before the subcommittee,
this subcommittee hearing is adjourned.
[Whereupon, at 2:51 p.m., the subcommittee was adjourned.]
APPENDIX
----------
Material Submitted for the Hearing Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
[all]