Last month, AvSec Consulting was contracted to look at the aviation security arrangements of one of our neighbours. It is not well off economically and has a low threat environment. The people from the head of the regulatory authority to the newest person in the aviation security unit were genuinely trying to do the right thing, not simply for their country but for aviation.
How is that interesting to the general security industry?
Following the project, we took a moment to consider a number of questions raised by the contract. To be fair, most were ethical rather than practical issues, but they were worth taking the time to consider. In this article, the following three will be considered:
- over servicing
- client knowledge
- transfer of risk
This client knew that there were many issues; in fact, they were overwhelmed by the number they thought existed and, like many, did not know where to start. We looked at their issues and could see how easily someone could become swamped; however, with the appropriate approaches, the problems were manageable. That is the job of the security consultant – to use his knowledge and experience, take what seems an overwhelming problem, simplify and break it down into manageable chunks and provide the client with a clear solution path.
By now many readers may be saying, “Yeah, yeah…101 Basic for security consultants”, but here is the question. How many consultants over service the client and forget that their first loyalty should be to the client and not ‘how can I spin this to make money or recommend a particular product’?
As mentioned, this client is not well off economically and a few years ago they accepted the assistance of a European nation. The Europeans contracted a consultant, who implemented a two-year project and probably made a reasonable amount of money – fortunately from the European nation and not from our client. To be fair to the consultant, the work they did was of a high quality, but it addressed high-level issues rather than the reasonably obvious basic issues that plagued our client. Their solutions did not directly address the roots of the problem and, consequently, not much changed over the two years, as highlighted in a subsequent International Civil Aviation Organisation (ICAO) audit where over 100 corrective actions were found.
Following the two-year project, some reasonably expensive security equipment was installed, but they failed to remedy many reasonably basic issues, such as putting locks on airside departure doors that were only secured by a drop bolt that passengers could and did open!
The client did not say anything about being disappointed by the European consultant; rather, they were grateful for any assistance, but we did note that following that project they were given an offer of further assistance by a rather large non-government organisation (NGO) to re-write legislation (that the Europeans had already re-written).
The draft legislation developed by the NGO was very, very well written and any first-world nation would be happy, but as our client tried to explain to the NGO, they needed simple legislation that addressed their needs, not the needs of a major nation, so in the end they declined the assistance.
We have come across this before, where a consultant is hired by a government that is providing assistance to a poorer country and the consultant produces recommendations that are beyond the client’s needs or even their ability to implement the recommendations.
Is that over servicing? It could be argued that the consultants did exactly what their client wanted. However, was there value for money and were the needs of the end client achieved? I would suggest no and that this is over servicing.
I am not suggesting that we do not want to make money, but we presented a report that was to the point, we noted the issues facing our client, but focused on broader themes and we did not overwhelm them with recommendations – we did not recommend a single product. More importantly, we focused on what was achievable and gave them a roadmap to lead them to having an effective and secure operation that was appropriate to their threat level and expertise.
We were again reminded to never assume the level of the client’s knowledge. After all, one of the reasons they hire a consultant is for their knowledge. When we went into this project, we expected a reasonable level of knowledge and, in one meeting, of the seven people in the room five had degrees from Australian universities. There were also people who had worked in airports and/or security for a number of years, but in many cases, their only aviation training was whatever they could pick up on the job or from co-workers. We were quickly reminded that sometimes people do not know the most basic thing.
Regularly, we would ask a question just to be told that they complied with ICAO Annex 17 – Security – Safeguarding International Civil Aviation, which is the foundation of international civil aviation.
As an example, we asked about the X-ray screening equipment and were told by a person in a management role that it complied with ICAO Annex 17. Annex 17 does not set standards for screening equipment or its use. In fact, it only deals with screening and equipment in broad terms:
- “Each contracting state shall establish measures to ensure that originating passengers of commercial air transport operations and their cabin baggage are screened prior to boarding an aircraft departing from a security restricted area.”
- screening simply means “The application of technical or other means which are intended to identify and/or detect weapons, explosives or other dangerous devices, articles or substances which may be used to commit an act of unlawful interference.”
The screening of passengers and cabin baggage is dealt with in four standards and contains no operational detail. These standards are so wide that they allow each contracting state to decide what is adequate screening equipment and methods. For instance, the ADE 651 is a device used at an airport within the Asian region and allowed by at least one contracting state as an aviation security measure. The device is little more than a glorified dowsing rod. If that equipment was used for last point of departure (LPOD) flights into first-world contracting states or onto their aircraft, it is likely that those contracting states would require additional screening measures.
Even what is meant by weapons is not defined by Annex 17 or the ICAO Security Manual (Doc8973/9) – the definition of weapons and other prohibited items is left to the contracting state. Consequently, what is defined as a weapon by one contracting state may not be defined as a weapon by others. An example is the Swiss Army Knife, which is not considered a weapon in Switzerland, but it is in a number of other countries.
Transfer of Risk
Aviation security must be appropriate to the assessed risk for the airport – what is a reasonable security solution for Israel’s Ben Gurion Airport is not necessarily an appropriate response in lower threat environments.
As part of our report, we did a threat assessment (a full risk assessment was not part of the brief) and assessed the threat to this particular nation as low. That does not mean that they should abrogate all security responsibilities but, for example, they do not need to invest in a large number of computed tomography X-ray machines at check-in as there are much more appropriate ways of ensuring security. However, they were concerned that as they were an LPOD to ports that were under a much higher threat, terrorists could use them as a gateway to those other ports. We also think that those other nations may have applied pressure on them to increase security.
This seems to be becoming a concern to a number of first-world and more affluent regulators as they try to, understandably, push the threat away from their borders. The result is that they not only move the threat response, but they also push a large portion of their security costs and responsibilities onto their neighbours, forgetting that many do not have the financial resources, training, equipment or expertise to comply. More worrying is that it seems that many of these larger players are trying to make the response to their threat the aviation security standard for the world.
So, here is an ethical question: how much of the cost of responding to a threat to country A should be put onto an LPOD in country B? There is no simple answer. Countries that impose strict LPOD rules tend to take a one-size-fits-all approach, which sometimes is not reasonable and in many cases is not fair to the weaker and poorer countries. The ethical answer is that if the threat is aimed at a particular country, that country should pay; however, that is not the real world and people like our client will continue to try their best.
At the end of any project it is worth sitting down and not just reviewing the report and what could have been done better, but to also look at what lessons were learned from the project and maybe just remind yourself of your role in the overall scheme of things.
Steve Lawson has over 20 years’ experience in aviation security. As a security executive with Qantas Airways, Steve held a number of senior management roles covering all aspects of aviation security from policy development to airport operations. He was sent to New York immediately following the 9/11 attacks to manage the Qantas response and undertook a similar role following the 2002 Bali Bombings. On his return to Australia, he was appointed Security Manager Freight for the Qantas Group. Since 2007 he has been a director of AvSec Consulting in partnership with Bill Dent, a fellow former Qantas security executive. Today, AvSec Consulting provides consultants from the US, NZ, ME, Israel and Europe. Steve can be contacted via email email@example.com or on 0404 685 103.