Clearing the path to Aviation Security Resilience: Tackling Complacency, Complexity and Confusion

Driven to distraction

The recent terrorist attacks in Paris, Dresden, Conflans-Sainte-Honorine, Nice and Vienna are chilling reminders of the need for ongoing vigilance and security awareness. The general public can be forgiven for ‘taking their eye off the ball’ a little as they come to terms with managing life in the midst of a deadly and unpredictable pandemic. The flurry of necessary public health messaging though can risk drowning out key security messages. The slogans See it, say it, sorted, along with Run, Hide, Tell or Run, Hide, Fight if you happen to live in the US, have in many respects been overtaken by Hands, face and space, Stay at home, Stay alert and control the virus and more lately Stay alert, control the virus, save lives.

Whilst the pandemic presents unique challenges and despite appearing on government risk registers for many years it tends to be regarded by many as a ‘new’ threat. The ‘old’ (conventional) threats such as terrorism haven’t gone away though, with threat actors including the so called Islamic State, al Qaeda and al-Shabab all making recent calls for renewed attacks.

The Director General of the Security Service (MI5) has warned that the UK faces a “nasty mix of threats”, with terrorism remaining the biggest threat. On 3.11.20, as a precautionary measure, the UK’s Joint Terrorism Analysis Centre (JTAC), raised the national terror threat level from Substantial to Severe signifying that an attack is highly likely. The public have been urged to remain vigilant.

The New IRA’s discussions about a possible attack on Shannon Airport are indicative of the unhealthy interest terrorists retain in civil aviation targets. The US Department of Homeland Security’s Domestic Threat Assessment also highlights this risk and warns that transportation infrastructure, especially aviation, will almost certainly remain a primary target for terrorists. Ed Butler, Chief Resilience Officer at Pool Re, is reported as saying he fears a new terror spectacular in the next 12 months and that the key concern is the aviation sector which provides an iconic target for terrorists.

Organisations not only have to manage the challenges posed by COVID-19, but need to maintain situational awareness about conventional and emerging security threats. Hostile threat actors have not been dormant during the pandemic, and will wait for opportune moments to strike, invariably seeking the path of least resistance.

Complacency

Complacency is often referred to as the biggest risk of all, and the enemy of excellence. We see it compromising safety, security and more recently, public health. Businesses fail due to it, and lives are lost because of it. One of the most concerning examples of complacency is the Deepwater Horizon disaster involving a BP-operated well that exploded on 20th April 2010, killing 11 workers and injuring 17 others. The explosion sunk the rig and leaked almost 5m barrels of oil into the Gulf of Mexico. Investigators criticised the culture of complacency on the rig, and Bob Graham, co chair of the bipartisan commission appointed by President Barack Obama to investigate the disaster said during the hearing, “The problem is that there was a culture that did not promote safety and that culture failed. Leaders did not take serious risks seriously enough and did not identify a risk that proved to be fatal”.

Complacency has compromised the security and resilience of the aviation sector on many occasions, the most notable being the 9-11 ‘spectacular’ terrorist attacks that killed 2977 people and injured over 25000 . The highly successful WWII attack method of deploying kamikaze suicide bombers to fly aircraft into enemy assets at sea, failed to make it onto the risk registers of those charged with protecting civil aviation long after the war had ended. This ‘failure of imagination’ to consider that a well known and highly successful attack method could potentially be adapted to target and exploit civil aviation assets typified the reactive approach taken to identifying and managing the industry’s risks. 14 years after 9-11, the topic of complacency once again reared its ugly head following suicide attacks at Brussels Airport and Malvern Metro station in March 2016 which killed 32 innocent people and injured over 300. A report by Politico, published shortly after the attacks, covered Belgium’s shortcomings in dealing with security threats and listed 12 ‘blunders’ including insufficient resources, missed signals, failure to pass on information and complacency. Two years later, Belgium featured in a RUSI Commentary article linked to the country’s response to Returning Foreign Fighters. Whilst Belgium had made good progress dealing with this particular threat, there were concerns that complacency may be setting in were again highlighted. Complacency, like any other risk, needs careful, ongoing management.

Human judgement and decision making deviates from rationality

We know that immediately following a significant disruptive event such as a terrorist attack, the vigilance of our people and the general public will be at its highest, but as time passes, and without further recurrences, the level of security mindedness often wanes. Countries and organisations who have not previously experienced terrorist attacks, or significant disruptive events can become complacent about the threat landscape, believing they are not at risk, and this can undermine their security and crisis preparedness.

Established research reveals that human judgement and decision making deviates from rationality, and rather than investing in prevention, we tend to take action only after having personally experienced or witnessed a disruptive event, or where we can clearly imagine what the danger will be to us, or those close to us. Many battle-hardened security and risk managers will be familiar with the comments “This could never happen here”, “We are not a target”, and “This has never happened before, so why now?, and then being called in to help pick up the pieces after such an event has occurred, with the organisation resorting to a ‘panic stations’ approach with all the inherent risks that brings. It is easy to be wise after the event and hindsight is a wonderful thing, but so is sensible risk management, and breaking the ‘they (terrorists/hostile adversaries) act and we react cycle’ by acting on what we know will enable us to take a more proactive stance, and one that minimises the risk of the event becoming a crisis.

The challenge for organisations operating in multi-faceted threat environments is how to ensure they don’t just focus on the ‘loudest’, most publicised threat to the detriment of other credible and potentially damaging ones.

Complexity

Complexity is cited as one of the reasons why so many mistakes happen in the medical sector, and a similar exposure exists in the realm of security and resilience. Overly complex emergency plans and incident management systems can impede security and resilience efforts, particularly in high-pressure situations, where they can’t be easily understood or operated. Organisations who use their existing platforms for crisis response are less exposed than those who have a dedicated platform which crisis responders may only use once or twice per year. Time lost in managing the initial phases of an incident can be the difference between the event being managed, or it developing into a full-blown crisis. The last thing you want is your response team trying to manage the intricacies of a complex incident management system they are unfamiliar with, when time is of the essence.

Whilst the response to the pandemic has resulted in a number of simple public health slogans, governments have been criticised for their complex and somewhat contradictory guidance material. There are lessons we can all learn from this, to ensure simplicity and clarity of our security, risk and resilience communications. This will reduce the chance of mistakes and failures in our sector, and help build resilience.

In the simplest of terms, from a security perspective, we need our people and the public to Remain vigilant; Immediately report security concerns; and, Strictly comply with existing security arrangements. The See it, Say it, Sorted security awareness campaign extensively used by the rail industry and other critical national infrastructure organisations is widely regarded as a success, with reports to the police from the public increasing by 90% in the year after launching. The first two of our requirements are covered by See it and Say it, and the slogan conveys the message that if you do this then the matter will be Sorted. Reminding people of the need to comply with security arrangements is a further safeguard against complacency.

Confusion

Poorly defined command structures, accountabilities and instructions can lead to confusion to those managing and responding to disruptive events.

The following examples from the aviation sector highlight this challenge:

On 6 January 2017, at Fort Lauderdale-Hollywood International Airport, confusion reigned following a non-terrorist fatal shooting which left 5 people dead and 6 wounded. 90 minutes after the original incident, false reports of a second shooter sent people stampeding, and a further 40 people were injured. 2,600 law enforcement officers from across South Florida attended the incident, but the lack of command hampered the response.

The independent report into the handling of the incident criticised the Broward Sheriff’s Office for ‘not taking adequate control of the response’. The report went on to say that ‘most of the law enforcement personnel who responded lacked clear instructions, objectives and roles’, and that ‘there was initial confusion about what role the FBI played in the investigation — shootings at airports are a federal crime’.

A report into an earlier shooting incident, at Los Angeles International Airport on 1st November 2013, which involved a lone gunman who murdered a Transport Security Administration officer and wounded two others and a passenger. Whilst the overall response to the incident was described as successful, there were a number of key lessons identified. The two most relevant to this article are ‘the need for continued emphasis on incident command basics’ and ‘the need to take a more focused, risk-based approach to security and preparedness’. These learning points are as relevant today as when written.

Confusion inhibited the response to multiple reports of drone sightings at Gatwick Airport between the 19th and 21st of December 2018, resulting in the airfield’s closure for 36 hours and cancellation of hundreds of flights. The financial impacts were considerable. Poor communication was said to be the main cause of the confusion, although lack of clarity over the role of the police and military, uncertainty over what was available to tackle the ‘threat’, and not knowing whether this was a safety event, or something more sinister all contributed to the uncertainty. A drone detection programme for the airport had commenced in 2016, with additional measures being implemented after the adverse event in 2018.

Tackling the security and resilience inhibitors

The following non-exhaustive list, provides some practical guidance for organisations seeking to overcome complacency, complexity and confusion in the areas of security and resilience:

• Adopt a focused, risk based approach to security and preparedness. Security Management Systems such as the UK Civil Aviation Authority’s CAP 1223 framework provide much useful information on this topic.

• Ensure your organisation has ready access to reliable and timely information about threats and risks.

• Maintain a relentless focus on threat and risk management to ensure risk registers provide an accurate picture of the key threats and risks the organisation is facing, together with the actions being taken to safely mitigate them.

• Act on what you know in a timely manner.

• Treat failures and mistakes (your own, and those of others) as opportunities for the organisation and individuals to learn. Lessons identified are worthless unless they become lessons learned and implemented, where the learning is converted into actual practice.

• Use training, desktop exercises, and drills to prepare for security and other disruptive events.

• Keep your people alerted, but not alarmed. Explain the ‘why’; why they need to be alert, why risk management is so important, and why particular security and resilience practices and procedures need to be adhered to. The greater the understanding of ‘why’, the greater the buy in from everyone.

• Secrecy has its place, but the more authentic the insights we provide to our people are, the better chance we have of enhancing their security awareness and combat complacency. As always, getting the right balance between operational security and keeping the public and our employees informed is key. The importance of connecting with people on the ground is key.

• Keep security and resilience procedures, particularly those relating to incident command, clear and simple. Focus on getting the basics right, and wherever possible use existing processes people are familiar with.

Conclusion

Aviation security has a chequered history of failure and the sector hasn’t always learned from its own mistakes or those of others. Despite COVID-19’s devastating impact on civil aviation, the industry still faces a dynamic threat environment that creates novel security challenges and requires innovative solutions. There is a constant need to monitor the latest attacks and attack plots, not just those targeting aviation. This will ensure the industry is best placed to mitigate and respond should threat actors mount attacks on the sector. The aim is to break the ‘they act, we react’ cycle to get ahead of the curve. Whilst it’s all too easy to say that terrorists will always have the upper hand as they are not constrained by finances, resources, legislation or ethics, we must always strive for security supremacy.

Clear and simple communications will ensure our people and the public fully understand what’s expected of them, and why the security arrangements and response plans are in place, Understanding the ‘why’ will guard against complacency and maintain security mindedness. By tackling the security and resilience inhibitors we will create an organisational culture that promotes vigilance, proactivity and transparency. Any complacency, confusion or complexity on our part risks providing attack opportunities for those with sinister intent.

References: Sources and Further reading

Keep it Simple, Risk, Resilience and Security in an Uncertain World https://isarr.com/keep-it-simple-risk-resilience-and-security-for-an-uncertain-world/

Crisis Leadership by Russ Huxtable
https://isarr.com/crisis-leadership/

A Framework for an Aviation Security Management System, UK Civil Aviation Authority https://publicapps.caa.co.uk/modalapplication.aspx?appid=11&mode=detail&id=6543

Subscribe

Subscribe to our newsletter to stay up to date with our most recent articles and updates.