After a TSA operating manual was published online, what is next? How does TSA recover and ensure that security will not be breached at America's airports?
The 93-page instruction manual was written for airport screeners, providing details on how screening is conducted and the limitations of X-ray machines. It was posted on a Web site for government contractors, with sensitive parts redacted -- but the redacted information was not properly protected, and the information was restored by people familiar with the computer program. The manual was dated May 2008, but the TSA said it was never implemented and has been revised six times, although it did not elaborate on the extent of the revisions. It said the report was removed as soon as it learned of the problem, but the full, unredacted version of the report appeared on at least one Web site Sunday and was distributed more widely Tuesday.
Chris Wacker, senior vice president for Laserfiche, told Security magazine that the person who released the document did not understand how to properly redact an electronic document. The TSA simply drew black rectangles over the sensitive areas. The PDF still contained the sensitive text in the text layer of the document. This means that anyone can simply select all in the document, copy and paste somewhere else to see all the text. It only requires basic computer literacy to circumvent the redaction, he said.
If the TSA had been using a certified electronic document management solution, he suggested, this problem would have been much less likely to have happened. Redaction can be set up to automatically “burn in” the redaction whenever a document is exported. This means that it is not possible to circumvent the redaction, because the text is removed from the image and from the text layer. This lapse, he said, shows a profound lack of understanding of electronic documents at the TSA.
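A pre-release check for the failure described above, as an added example that is not from the article or from any vendor's product: it scans a page's drawing instructions for text that is still present underneath a filled rectangle. The sample streams, the function name and the simplifications noted in the comments are assumptions made for illustration.

```python
import re

# Constructed sample (not from the TSA manual): an uncompressed PDF page content
# stream. "x y Td (..) Tj" places and shows text; "x y w h re f" fills a rectangle.
OVERLAID = b"""
BT /F1 12 Tf 72 700 Td (Public paragraph) Tj ET
BT /F1 12 Tf 72 680 Td (SENSITIVE PLACEHOLDER) Tj ET
0 0 0 rg
70 676 200 16 re f
"""
# Same page after a burn-in style export: the covered text operator is gone.
BURNED_IN = b"""
BT /F1 12 Tf 72 700 Td (Public paragraph) Tj ET
0 0 0 rg
70 676 200 16 re f
"""
TOKEN = re.compile(rb"\((?:\\.|[^\\()])*\)|[^\s()]+")
FILL_OPS = {b"f", b"F", b"f*", b"B", b"B*", b"b", b"b*"}

def text_under_fills(stream):
    """Return strings whose origin lies inside a rectangle filled later on the page."""
    # Simplified: handles only Td/Tj text and re+fill paths, ignores cm/Tm
    # matrices, fill colour and glyph widths, and expects a decompressed stream.
    stack, texts, rects, path = [], [], [], []
    x = y = 0.0
    for order, tok in enumerate(TOKEN.findall(stream)):
        if tok == b"BT":
            x = y = 0.0                      # text position resets per text object
        elif tok == b"Td":
            x, y = x + float(stack[-2]), y + float(stack[-1])
        elif tok == b"Tj":
            texts.append((order, x, y, stack[-1][1:-1].decode("latin-1")))
        elif tok == b"re":
            path.append([float(v) for v in stack[-4:]])
        elif tok in FILL_OPS:
            rects += [(order, *r) for r in path]
            path = []
        elif tok in (b"n", b"S", b"s"):
            path = []                        # path ended without a fill
        else:
            stack.append(tok)                # operand (or an operator we ignore)
            continue
        stack.clear()
    # A hit is text drawn first and then painted over, yet still in the file.
    return [s for t_order, tx, ty, s in texts
            if any(r_order > t_order and min(rx, rx + w) <= tx <= max(rx, rx + w)
                   and min(ry, ry + h) <= ty <= max(ry, ry + h)
                   for r_order, rx, ry, w, h in rects)]
```

A non-empty result means the export must be blocked until the covered text is actually removed rather than painted over.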
Yet, yesterday, TSA put five of its employees on administrative leave.
What's next for travelers and airport security? At a hearing on Wednesday, Homeland Security Secretary Janet Napolitano told a Senate Judiciary Committee that “the traveling public was not at risk.” The agency has instituted an internal review of the incident "to see what else needs to be done so that the incident never recurs," she said, and the Department of Homeland Security has asked its inspector general to conduct an independent review "to make sure that we are being rigorous and very disciplined on what is posted and what is not."