Large-aircraft NPRM raises more questions than answers

 - October 27, 2008, 6:26 AM

The Transportation Security Administration was scheduled to publish in the Federal Register late last month a proposed set of regulations that, if enacted, will ground every general aviation aircraft with a maximum certified takeoff weight of more than 12,500 pounds. There will be only one way that the nearly 10,000 aircraft operators affected by these rules can receive permission to fly: comply with the new Large Aircraft Security Program (LASP) regulations. Comments on the proposed regulations are due by next month. To view and comment on the proposal, see

An operator who flies a Cessna Citation CJ2+ with a maximum certified takeoff weight of 12,500 pounds would not need to comply with the proposed new security regulations. One who operates a Citation II with an mtow of 13,500 pounds would be ensnared by a complex array of you’d-better-not-break-’em regulations that will add yet more costs to the operation, complicate every single flight and quite possibly persuade the aircraft’s owner that flying on the airlines isn’t so bad after all.

Helicopters would not be exempt from this notice of proposed rulemaking (NPRM). The notice consistently uses the word “aircraft,” and the TSA doesn’t mention helicopters, so therefore the rules would apply to heavy rotorcraft such as the AgustaWestland AW139 or Sikorsky S-92, but not the 11,700-pound Sikorsky S-76C++. There is also an airport component to these regulations, requiring 315 airports to implement a security program.

Here’s what you could not do if the rules become law:

• Fly your spouse or children in your single-pilot Citation S/II without first having them cleared against the TSA’s watch list.

• Fly your boss to a business meeting in the company Hawker 800 without having him or her cleared against the watch list.

• Fly yourself in your own Super King Air 300 without having your in-house security coordinator (it could be you) check the airplane for stowaways.

• Fly yourself in your own single-pilot Premier IA without getting yourself vetted with a fingerprint and criminal-history records check.

The NPRM is specific and clear about what owners and operators of general aviation aircraft weighing more than 12,500 pounds must do once the rules take effect. To fly any Part 91 flight in any aircraft with an mtow of more than 12,500 pounds, the following will be mandatory:

• A TSA-approved security plan;

• a third-party audit of that plan six months after TSA approval of the plan and every two years thereafter;

• an in-house security coordinator, who has been provided initial and annual recurrent training;

• flight crew who have undergone FBI criminal-history records checks and fingerprint checks and TSA security threat assessments;

• preflight checks of all passengers against TSA watch lists (no-fly and selectee lists). This would be done through TSA-approved third parties, and the watch list would no longer be released to operators.

To the TSA, the proposed Large Aircraft Security Program regulations make perfectly good sense, but general aviation operators for the most part oppose the rules as unnecessary, costly, logistically difficult to implement and impossible to enforce.

The TSA justifies the new rules as follows: “Many GA aircraft…however, are of the same size and weight of the commercial operators that the TSA regulates, meaning that they potentially and effectively could be used to commit a terrorist act. Consequently, this portion of the aviation industry may be vulnerable to exploitation by terrorists. Except for limited security requirements for certain classes of GA aircraft, the TSA does not currently require security programs for many GA aircraft operators. This situation presents a security risk.”

The agency also notes, “The TSA has determined that watch-list matching of passengers on large aircraft is an important security measure, because it can prevent individuals who are believed to pose a risk from boarding a large aircraft and, potentially, gaining control of the aircraft, to use it as a weapon or to cause harm to aviation or national security. Such considerations extend beyond the simple use of aircraft as missiles, but also include aircraft as delivery vectors for other catastrophic payloads (e.g., chemical, biological, radiological or nuclear materials).”

Such statements represent the agency’s sole publicly disseminated rationalization for proposing this new set of rules, leaving business aviation to ponder what other agendas might be lurking beneath the surface. Nothing else in the 260-page proposal provides any more detail about the supposed security risk or threat posed by general aviation aircraft. There is no attachment with any scientific study, no summary of previous research and nothing to suggest that the agency has done or commissioned any research.

The TSA has conducted a “threat assessment” of general aviation. According to a November 2004 Government Accountability Office report, the “TSA has issued
a limited threat assessment of general aviation.” Unfortunately, as with much else the TSA does, the results of that assessment are not for public consumption. The last thing the TSA wants to do, an agency spokesman told AIN, is identify to terrorists vulnerabilities that they could exploit. “We typically don’t release risk assessments,” he said.

In terms of pure risk, it is interesting to note the contrast between terrorist attacks and something that most people take for granted and think nothing of, day after day after day: driving their cars. Writing in the book Traffic, Tom Vanderbilt notes the following:

“Grimly tally the number of people who have been killed by terrorism in the United States since the State Department began keeping records in the 1960s, and you’ll get a total of fewer than 5,000–roughly the same number, it has been pointed out, as those who have been struck by lightning. But each year, with some fluctuation, the number of people killed in car crashes in the United States tops 40,000.

“It might be precisely because of all the vigilance that no further [terrorist-inflicted] deaths have occurred in the United States since 9/11–even as more than two hundred thousand people have died on the roads. This raises the question of why we do not mount a similarly concerted effort to improve the ‘security’ of the nation’s roads.

“Psychologists have argued that our fears tend to be amplified by ‘dread’ and ‘novelty.’ A bioterrorism attack is a new threat that we dread because it seems beyond our control. People have been dying in cars, on the other hand, for more than a century, often by factors presumably within their control.”

Lobby Groups Prepared for Proposal
While the TSA’s release of the NPRM has ignited a firestorm of comment by business aviators (see story on page 82) and seems to have taken many operators by surprise, aviation alphabet groups expected the proposal. Ever since the TSA conducted the threat assessment of general aviation, it has made it clear that it planned someday to regulate general aviation security. “This has been in the making for several years,” said Jens Hennig, General Aviation Manufacturers Association (GAMA) vice president of operations. “The TSA has kept industry well in the loop with its development.”

“I’ve been seeing this coming over the horizon now for about 18 months,” agreed Andy Cebula, executive vice president for government affairs at AOPA.

NBAA president Ed Bolen added, “We know it’s been in the gestation process for two or three years.” And for all that time, NBAA has been warning its members that the TSA was going to do something to tighten security on general aviation operations, as it has already done for operators of large charter aircraft and the airlines. After 9/11, the NBAA formed a security council that works on security issues.

“The idea that the TSA has made that decision and is pursuing it has been well known and well understood,” said Bolen. “The real frustration is after all that time spent talking about it and us trying to explain business aviation and general aviation to them, after having worked with them on airport vulnerabilities, and all the dialog we had with the general aviation coalition, we now get a 260-page rule that doesn’t seem to reflect how Part 91 operations really work, who they are and why they’re so fundamentally different from a commercial operation.

“Business aviation takes a backseat to nobody in terms of our commitment to security,” Bolen emphasized. “We’ve participated in numerous voluntary programs and we tried to work with the TSA, whether on general aviation airport guidelines or suspicious financing or promotion with AOPA and Airport Watch. Whatever it is, we think we have clearly demonstrated our community’s commitment to business aviation security.

“This is a 260-page document that appears not to appreciate that this is a private mode of transportation, not commercial carriage of the general public. As a general rule, it has a number of things that might be appropriate if you are carrying people you don’t know but doesn’t really make sense in terms of the way business aviation clearly operates.”

“At its most basic level,” said AOPA’s Cebula, “what they’re essentially saying is that ‘one size fits all. If we’ve got this standard for commercial aviation, we the TSA now think that it ought to apply to everybody just because of the size of the airplane, not because of how it’s operated.’ The FAA doesn’t regulate that way and, up to this point, the TSA hasn’t regulated that way either.”

“They were pretty clear as far back as 2004, 2005 when they did a risk assessment on general aviation,” said GAMA’s Hennig, “the larger aircraft are the ones that they’re more concerned about both because of the ability to transport things and also from the basic perspective of mass and velocity and what you can do with an aircraft.”

There is one positive aspect to this NPRM: the TSA published the proposed rule with a comment period instead of imposing it on the industry, as it has done with previous rulemakings. Many of the alphabets agree that the 60-day comment period is too short and they are asking the TSA to extend it.

“What we told the TSA, in unison with all the other associations,” Hennig said, “is that this will have a significant impact on our industry, and there will certainly be reluctance from the community to accept it. So in order to [proceed with] this kind of a rule, they should do it through the formal rulemaking process. This is the first NPRM issued by the TSA.”

Benefits of the Proposal
A fundamental question begs to be asked in this whole TSA LASP exercise: does the rulemaking itself make any sense? The TSA thinks so, and so does the 9/11 Commission, which asserted that “major vulnerabilities still exist” in general aviation.

But this leads to other questions that must be asked to satisfy those with the power to regulate aviation: is it a prudent use of scarce resources to regulate the security of non-commercially flown aircraft weighing more than 12,500 pounds? Should the pilot of a privately owned aircraft be fingerprinted and assessed as a threat by the government? Should that owner’s spouse and children be checked against a government watch list before they can fly on their own family aircraft? Should corporate travelers be regarded as suspicious simply because their companies own and operate an airplane that weighs more than 12,500 pounds?

Reading the LASP NPRM, it’s clear that the TSA has gone out of its way to solicit comment from the public about the proposed rules. After discussion of almost every aspect of the rulemaking, the agency invites comments on each specific element of the proposal.

However, the TSA never asks for comments about the fundamental question of whether the LASP is needed in the first place. The agency’s assumption here seems to be that the LASP is a good idea, that it is necessary and that, barring a legislative revolt of some kind, this rule is coming whether the industry likes it or not.

Many National Air Transportation Association members are already regulated under TSA security programs that cover charter operations. “In general the NPRM is not entirely untenable for the operator community,” NATA stated in a Regulatory Report issued October 16, “as it is based largely upon the TFSSP [Twelve-five Standard Security Program].” (See blue box on this page for how the TFSSP works in practice.) But, added Eric Byer, NATA’s vice president of government and industry affairs, “The biggest issue we still have is what is the benefit to the general aviation community?” Even if the rule is imposed, the TSA doesn’t grant any new capabilities to general aviation operators, such as easier access to Reagan Washington National Airport or inside TFRs around sporting or security-sensitive events.

NATA does have suggestions for improving the LASP, including possibly raising the weight threshold; concern about the requirement to pay for audits by third parties instead of free TSA audits; questions about the implementation schedule being too ambitious; and the need for clarity in owner/management relationships for managed aircraft. NATA opposes the TSA proposal in two areas. First, the association suggested deleting the FBI background check for owner-pilots and eliminating the use of the selectee list (part of the terrorist screening database that includes the no-fly list).

None of the alphabet groups specifically opposes the LASP as a whole; they leave that to their members. In surveying its members, AOPA found that their top concerns are the requirement for screening of passengers against the watch list; that the government needs to tell people how to secure their aircraft; the cost of complying with the regulation; and that the LASP would be just the beginning of the TSA’s plans to impose security regulations on all general aviation aircraft.

What’s different about the LASP, said AOPA’s Cebula, is that it presents no indication of any active threat of terrorists either wanting to use or having used a general aviation aircraft. The TSA, he said, “wants to decrease the vulnerability that they could be used. That’s a pretty significant difference. The [rental] truck has been used in two events, and yet there’s not an extensive set of requirements around renting a truck.”

The way that groups such as AOPA need to look at the LASP, he explained, is to try to figure out what kind of alternative methods are available, “to get the TSA what they’re looking for. Those are the things we as an organization and aviation community are going to be looking at over the next two months. That’s typically the best way to do it.”

Of course, he added, “There can be a point where you just say, we’re not going to go there. Right now we’re trying to understand the proposal. We haven’t come up with what the alternative would be.”

NBAA’s Bolen echoed that sentiment. “The reality,” he said, “is that we’re dealing with a proposed rule. We’re going to have to respond to this and respond in a way that requests that we are informed on what it is, how it will work, what the proposal says. To the extent we feel there are better ways to promote security of business aviation, we’ll talk about those. That’s where we are in this process, and we’re going to have to respond.”

A More Productive Target?
Security expert Bruce Schneier questions the TSA’s methodology in targeting general aviation aircraft for security regulations. Schneier is chief security technology officer of British Telecommunications and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. With its approach to large aircraft security, he said, the TSA mistakenly focuses on tactics. “And by definition terrorists take the tactic you haven’t defended against. You take away guns and bombs, and they use box cutters. You take away box cutters, and they put explosives in their shoes. You check shoes, they use liquids; you take away liquids, they’re gonna do something else. There are thousands, millions of tactics, and we’re spending money to defend this one. Why is this tactic getting attention and others aren’t? It’s a stupid game; stop playing it.”

The business aviation industry faces a tough fight against the TSA LASP proposal because, he said, “The TSA has to defend airplanes. It’s going to want all the money and make all the rules it can make. It’s not because the agency is evil. The TSA is airplane security, so it wants all the money for airplane security.”

The point is often made that one of the worst terrorist attacks in the U.S. was accomplished by a U.S. citizen using a rented truck full of explosive fertilizer. (Timothy McVeigh’s April 1995 attack on the Alfred P. Murrah federal building in Oklahoma City, Okla., which killed 168 people.) And the first terrorist attack on the World Trade Center in February 1993, which killed six people, also involved a rented truck.

So should the agency focus resources on rental truck security? “That makes no sense,” said Schneier. “Why is a rental truck more dangerous than a leased truck or a purchased truck or a stolen truck? You’re trying to guess the plot correctly. It was a rental truck. Was it a yellow rental truck? We should tighten regulations on yellow rental trucks because it was yellow. Why is a truck worse than a van or a bus? This is what you get when you overly focus on the tactic.”

The proper way to tackle security without focusing on tactics, such as the possibility of a terrorist hijacking a business jet, is to employ investigation and intelligence tools. Focusing on tactics works only “if we guessed the plot correctly and the bad guys don’t change the plot after we guessed. That seems pretty unlikely. You don’t want to spend a lot of money on measures that require you to guess the plot correctly because you’re probably going to guess wrong,” says Schneier.

A spectacular example of how investigation and intelligence works was the foiling of the liquid bombers’ plot in the UK before they were able to blow up any airliners in flight. “They were caught through investigation and intelligence,” Schneier said. “Airport security is the last line of defense and not a very good one. By the time the plot gets to the airport, it’s basically too late. You want to deal with it before it gets to the airport.”

Dr. Richard Bloom, professor of political and clinical psychology and director of terrorism, intelligence and security studies at Embry-Riddle Aeronautical University’s Prescott, Ariz. campus, agrees with Schneier that the tactical approach that the TSA is taking with business jets is a waste of resources and will not be effective. “Since 9/11 and the establishment of the Aviation and Transportation Security Act of 2001,” Bloom said, “there’s been a recurring push to try to treat general aviation and business aviation as much as possible like the aviation that goes on at a large commercial airport, and that’s probably very wrong-headed.”

If the TSA is basing the LASP proposal on its threat assessment conducted four or more years ago, he said, “that doesn’t make any sense. Risk assessment is an ongoing enterprise because the threat continually changes.”

The weight threshold of 12,500 pounds is also questionable. “The whole idea that the bigger something is or the more it weighs, the more of a threat it might be, that’s wrong-headed from a terrorism point of view. Terrorism is all about psychology, it’s about symbolism, it’s about communication, it’s about getting people terrified, and that could be done with a big physical threat or a small one. And that’s what you really need to be looking at before you begin spending security dollars and allocating security resources and creating new security programs.”

No one, especially Bloom, is suggesting that security isn’t important for general aviation. “And the way you do that,” he said, “is you need to have a few people with access to threat-related information, and based on that, they will make changes in the security posture as it affects general aviation. And that should change with time. And it should change for two reasons: one because the threat changes, and the other, because the more you’re perceived as unpredictable by terrorist organizations, the more difficult it is to attack.

“To have a risk assessment,” Bloom explained, “you need accurate information on the continuously changing nature of the threat. You need an idea of all the things that can go wrong; that’s your vulnerability analysis. You put vulnerability together with threat, and you get a risk analysis. That certainly does not seem to be done on a continuous basis by the TSA, yet it’s issuing these kinds of programs, and that’s unfortunate because it ends up incurring more cost to general aviation operators without the requisite benefit in security.

“The more you put a security program in place, especially ones that do not seem linked to additional surplus value and security, you’re hurting the economic viability. And in effect, the terrorists at that point are winning without even having to launch an attack.

“The folks who are interested in supporting and nurturing general aviation are perfectly within their right to question the reliability and validity of what the TSA is trying to do,” Bloom concluded. “Any time you have a bureaucratic solution to a security problem, chances are it’s going to cost a lot, it’s not going to be implemented very well and it’s going to have little significant surplus value for security. It all goes back to the intelligence.”