General Aviation Security: TSA's Process for Ensuring Foreign Flight Students Do Not Pose a Security Risk Has Weaknesses

Published by the Government Accountability Office on 2012-07-18.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                             United States Government Accountability Office

GAO                          Testimony
                             Before the Subcommittee on
                             Transportation Security, Committee on
                             Homeland Security, House of
                             GENERAL AVIATION
For Release on Delivery
Expected at 10:00 a.m. EDT
Wednesday, July 18, 2012

                             TSA’s Process for Ensuring
                             Foreign Flight Students Do
                             Not Pose a Security Risk
                             Has Weaknesses
                             Statement of Stephen M. Lord
                             Homeland Security and Justice Issues

Chairman Rogers, Ranking Member Jackson Lee, and Members of the

I am pleased to be here to discuss the findings of our report assessing
the Transportation Security Administration’s (TSA) efforts to address
general aviation security. 1 Altogether, more than 200,000 general aviation
aircraft—from small aircraft with minimal load capacities to business jets
and larger aircraft such as privately operated Boeing 747s—operate at
more than 19,000 facilities. 2 U.S. government threat assessments have
discussed plans by terrorists to use general aviation aircraft to conduct
attacks. Further, analysis conducted on behalf of TSA has indicated that
larger general aviation aircraft, such as midsized and larger jets often
used for business purposes, may be able to cause significant damage to
buildings and other structures. Also, the terrorists responsible for the
September 11, 2001, attacks learned to fly at flight schools in Florida,
Arizona, and Minnesota. TSA, within the Department of Homeland
Security (DHS), has responsibilities for general aviation security, and
developed the Alien Flight Student Program (AFSP) to help determine
whether foreign students enrolling at flight schools pose a security threat.

My testimony this morning will address the key findings from the general
aviation security report that we are issuing today. 3 Specifically, my
statement will address (1) TSA and general aviation industry actions to
enhance security and TSA efforts to obtain information on these actions
and (2) TSA efforts to ensure foreign flight students do not pose a
security threat.

For the report, we reviewed applicable laws, regulations, and policies, as
well as documentation provided by TSA on its oversight of general
aviation security, including procedures for conducting security threat
assessments of AFSP candidates. In addition, we interviewed 22 general
aviation operators—including 5 private operators, 7 private charter

 GAO, General Aviation Security: Weaknesses Exist in TSA’s Process for Ensuring
Foreign Flight Students Do Not Pose a Security Threat, GAO-12-875 (Washington, D.C.:
July 18, 2012).
 General aviation includes nonscheduled aircraft operations such as air medical-
ambulance, corporate aviation, and privately owned aircraft—generally, aircraft not
available to the general public for transport.

Page 1                                                                        GAO-12-900T
                        companies that also perform as private operators, and 10 flight schools—
                        located at eight selected airports to observe and discuss security
                        initiatives implemented. We selected these airports based on their
                        geographic dispersion, types of general aviation operations present, and
                        size of aircraft based at each airport. We also interviewed representatives
                        from six aviation industry associations. Further, we reviewed TSA
                        analysis comparing Federal Aviation Administration (FAA) data from
                        January 2006 to September 2011 on foreign nationals applying for airman
                        certificates (pilot’s licenses) with AFSP data. We conducted this work in
                        accordance with generally accepted government auditing standards.
                        More detailed information on the scope and methodology can be found in
                        our published report.

                        TSA and aircraft operators have taken several important actions to
TSA and Aircraft        enhance general aviation security, and TSA is working with aviation
Operators Have Taken    industry stakeholders to develop new security guidelines and regulations.
                        Among other measures, TSA worked with members of the General
Actions to Secure       Aviation Working Group of its Aviation Security Advisory Committee in
General Aviation; TSA   2003 and 2004 to develop recommended guidelines for general aviation
Obtains Information     airport security, and TSA expects the group to issue updated guidelines
                        later this year. 4 In addition, pursuant to the Aviation and Transportation
through Outreach and    Security Act, TSA established and oversees implementation of a security
Inspections             program in which aircraft weighing more than 12,500 pounds in
                        scheduled or charter service that carry passengers or cargo or both, and
                        that do not fall under another security program, must implement a
                        “Twelve-Five” standard security program. 5 Aircraft operators
                        implementing a Twelve-Five security program must include, among other
                        elements, procedures regarding bomb or air piracy threats. TSA obtains
                        information directly from aircraft operators that fall under Twelve-Five
                        through its review and approval of the security programs developed by
                        these operators and through periodic inspections to determine the extent
                        to which operators comply with their security programs. TSA inspectors

                         Originally established in 1988, following the 1988 Pan American World Airways Flight
                        103 bombing over Lockerbie, Scotland, the Aviation Security Advisory Committee was
                        developed to allow all segments of the population to have input into aviation security
                        considerations. The committee’s charter expired in 2010, but was subsequently
                        reestablished by TSA in November 2011.
                         See 49 C.F.R. § 1544.101(d). See also Pub. L. No. 107-71, § 132(a), 115 Stat. 597, 635-
                        36 (2001).

                        Page 2                                                                       GAO-12-900T
are responsible for conducting these periodic inspections and determining
whether operators are in compliance with program requirements or
whether a violation has occurred. Independent of regulatory
requirements, operators of private general aviation aircraft not covered
under existing security programs we spoke to indicated that they
implement a variety of security measures to enhance security for their
aircraft. For example, 7 of the 12 operators that perform as private
operators that we interviewed stated that they park their aircraft in
hangars to protect them from possible misuse or vandalism.

TSA has also conducted outreach to the general aviation community to
establish a cooperative relationship with general aviation stakeholders.
TSA officials we spoke to stated that the agency does not have a
systematic mechanism to collect information on the security measures
implemented by other general aviation aircraft operators that do not fall
under TSA security programs. Rather, the agency has developed informal
mechanisms for obtaining information on security measures enacted by
these operators, such as outreach conducted by TSA inspectors, and has
contacted general aviation industry associations to obtain this information.

In 2008, TSA developed a proposed rule that would have imposed
security requirements on all aircraft over 12,500 pounds, including those
not currently covered under existing security programs, thereby
subjecting them to TSA security requirements and inspections. However,
industry associations and others expressed concerns about the extent to
which TSA obtained industry views and information in the proposed rule’s
development. They also questioned the security benefit of the proposed
rule and stated that it could negatively affect the aviation industry given its
broad scope. In response to these concerns, TSA officials said the
agency is revising the proposed rule and plans to issue a supplemental
notice of proposed rulemaking in late 2012 or early 2013. Officials from
all six industry associations we spoke with stated that TSA has reached
out to gather industry’s input, and three of the six associations stated that
TSA has improved its efforts to gather input since the 2008 notice of
proposed rulemaking.

Page 3                                                              GAO-12-900T
                        TSA vets foreign flight student applicants through AFSP, but weaknesses
Weaknesses Exist in     exist in the vetting process and in DHS’s process for identifying flight
Processes for           students who may be in the country illegally. In our July 2012 report, we
                        recommended two actions that DHS and TSA could take to address these
Conducting Security     concerns.
Threat Assessments
and for Identifying     Under AFSP, foreign nationals seeking flight training in the United States
                        must receive a TSA security threat assessment before receiving flight
Potential Immigration   training to determine whether each applicant is a security threat to the
Violations              United States. According to TSA regulations, an individual poses a
                        security threat when the individual is suspected of posing, or is known to
                        pose, a threat to transportation or national security, a threat of air piracy
                        or terrorism, a threat to airline or passenger security, or a threat to civil
                        aviation security. 6 According to TSA officials, when a foreign national
                        applies to AFSP to obtain flight training, TSA uses information submitted
                        by the foreign national—such as name, date of birth, and passport
                        information—to conduct a criminal history records check, a review of the
                        Terrorist Screening Database, and a review of the Department of
                        Homeland Security’s TECS system. 7

                        According to TSA officials, most foreign nationals taking training from a
                        U.S. flight training provider will apply for an FAA airman certificate (pilot’s
                        license) once their flight training is completed. Information obtained by
                        FAA as part of this application for certification is placed in the airmen
                        registry. From January 2006 through September 2011, 25,599 foreign
                        nationals had applied for FAA airman certificates, indicating they had
                        completed flight training. We provided data from FAA’s airmen registry to
                        TSA so that the agency could conduct a matching process to determine
                        whether the foreign nationals in the FAA airmen registry were in TSA’s
                        AFSP database and the extent to which they had been successfully
                        vetted through the AFSP database. The results of our review of TSA’s
                        analyses are as follows:

                        See 49 C.F.R. § 1540.115(c).
                         Information in the Terrorist Screening Center’s consolidated database of known or
                        suspected terrorists—the Terrorist Screening Database—is used for security-related
                        screening of foreign nationals applying to AFSP. TECS, an updated and modified version
                        of the former Treasury Enforcement Communications System, is an information-sharing
                        platform that allows users to access different databases relevant to the antiterrorism and
                        law enforcement mission of numerous other federal agencies.

                        Page 4                                                                        GAO-12-900T
•   TSA’s analysis indicated that some of the 25,599 foreign nationals in
    the FAA airmen registry were not in the TSA AFSP database,
    indicating that these individuals had not applied to the AFSP or been
    vetted by TSA before taking flight training and receiving an FAA
    airman certificate. 8

•   TSA’s analysis indicated that an additional number of the 25,599
    foreign nationals in the FAA airmen registry were also in the TSA AFSP
    database but had not been successfully vetted, meaning that they had
    received an FAA airman certificate but had not been successfully
    vetted or received permission from TSA to begin flight training.

Since 2009, TSA has continuously vetted all new and existing FAA
airman certificate holders against the Terrorist Screening Database,
which would include the foreign nationals identified through TSA’s
analysis. However, this vetting does not occur until after the foreign
national has obtained flight training. Thus, foreign nationals obtaining
flight training with the intent to do harm, such as three of the pilots and
leaders of the September 11 terrorist attacks, could have already
obtained the training needed to operate an aircraft before they received
any type of vetting. In our report, we recommended that TSA take steps
to identify any instances where foreign nationals receive FAA airman
certificates without first undergoing a TSA security threat assessment and
examine those instances so that TSA can identify the reasons for these
occurrences and strengthen controls to prevent future occurrences. DHS
concurred with this recommendation and stated that TSA signed a
memorandum of understanding with FAA in February 2012 to exchange
data. The memorandum, which FAA signed in March 2012, outlines a
process for FAA to provide certain data from its airmen registry on a
monthly basis and authorizes TSA to use the data to ensure flight training
providers are providing TSA with information to conduct the appropriate
background check prior to flight instruction. This is an important first step
toward addressing our recommendation, provided that TSA uses the data
to identify instances where foreign nationals receive FAA airman
certificates without first undergoing a TSA security threat assessment,
identifies reasons for these occurrences, and strengthens controls to
prevent future occurrences, as we recommended.

 For its analysis, TSA used a software tool that performs “fuzzy matching” of data such as
names, dates, or telephone numbers. The specific number is deemed sensitive security
information and is therefore not included in this report.

Page 5                                                                        GAO-12-900T
Another weakness that we identified is that AFSP is not designed to
determine whether a foreign flight student entered the country legally;
thus, a foreign national can be approved for training through AFSP after
entering the country illegally. In March 2010, U.S. Immigration and
Customs Enforcement (ICE) investigated a Boston-area flight school after
local police stopped the flight school owner for a traffic violation and
discovered that he was in the country illegally. In response to this
incident, ICE launched a broader investigation of the students enrolled at
the flight school. ICE found that 25 of the foreign nationals at this flight
school had applied to AFSP and had been approved by TSA to begin
flight training after their security threat assessment had been completed;
however, the ICE investigation and our subsequent inquiries revealed the
following issues, among other things:

•   Eight of the 25 foreign nationals who received approval by TSA to
    begin flight training were in “entry without inspection” status, meaning
    they had entered the country illegally. Three of these had obtained
    FAA airman certificates: 2 held FAA private pilot certificates and 1
    held an FAA commercial pilot certificate.

•   Seventeen of the 25 foreign nationals who received approval by TSA
    to begin flight training were in “overstay” status, meaning they had
    overstayed their authorized period of admission into the United

•   In addition, the flight school owner held two FAA airman certificates.
    Specifically, he was a certified Airline Transport Pilot (cargo pilot) and
    a Certified Flight Instructor. However, he had never received a TSA
    security threat assessment or been approved by TSA to obtain flight
    training. He had registered with TSA as a flight training provider under
    AFSP. 9

 We recently reported on issues related to ICE’s oversight of the Student and Exchange
Visitor Program (SEVP). Specifically, ICE certifies schools to accept foreign nationals on
student visas in academic and vocational programs, including those that provide flight
training. SEVP-certified flight schools are a relatively small percentage of schools
nationwide that offer flight training to foreign nationals. See GAO, Student and Exchange
Visitor Program: DHS Needs to Assess Security Risks and Strengthen Oversight of
Schools, GAO-12-572 (Washington, D.C.: June 18, 2012).

Page 6                                                                        GAO-12-900T
                  As a result, TSA and ICE jointly worked on a pilot program for vetting
                  names of foreign students against immigration databases, but have not
                  specified desired outcomes and time frames, or assigned individuals with
                  responsibility for fully instituting the program. Having a road map, with
                  steps and time frames, and assigning individuals the responsibility for
                  fully instituting a pilot program could help TSA and ICE better identify and
                  prevent potential risk. We recommended that TSA and ICE develop a
                  plan, with time frames, and assign individuals with responsibility and
                  accountability for assessing the results of their pilot program to check
                  TSA AFSP data against information DHS has on applicants’ admissibility
                  status to help detect and identify violations, such as overstays and entries
                  without inspection, by foreign flight students, and institute that pilot
                  program if it is found to be effective. DHS concurred with this
                  recommendation and stated that TSA will prepare a plan by December
                  2012 to assess the results of the pilot program with ICE to determine the
                  lawful status of the active AFSP population. The plan is to include specific
                  details on time frames and accountability and recommendations for next
                  steps. We believe that these are positive actions that could help TSA
                  address the weaknesses identified in our report and we will continue to
                  work with TSA to monitor progress on the proposed solutions as the
                  agency proceeds.

                  Chairman Rogers, Ranking Member Jackson Lee, and Members of the
                  Committee, this concludes my prepared statement. I look forward to
                  responding to any questions that you may have.

                  For questions about this statement, please contact Steve Lord at
GAO Contact and   (202) 512-4379 or lords@gao.gov. Contact points for our Offices of
Staff             Congressional Relations and Public Affairs may be found on the last page
                  of this statement. Individuals making key contributions to this statement
Acknowledgments   include Jessica Lucas-Judy, Assistant Director, and Adam Hoffman,
                  Analyst in Charge. Additional contributors include Thomas Lombardi and
                  Anthony Pordes.

                  Page 7                                                           GAO-12-900T
This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.
GAO’s Mission         The Government Accountability Office, the audit, evaluation, and
                      investigative arm of Congress, exists to support Congress in meeting its
                      constitutional responsibilities and to help improve the performance and
                      accountability of the federal government for the American people. GAO
                      examines the use of public funds; evaluates federal programs and
                      policies; and provides analyses, recommendations, and other assistance
                      to help Congress make informed oversight, policy, and funding decisions.
                      GAO’s commitment to good government is reflected in its core values of
                      accountability, integrity, and reliability.

                      The fastest and easiest way to obtain copies of GAO documents at no
Obtaining Copies of   cost is through GAO’s website (www.gao.gov). Each weekday afternoon,
GAO Reports and       GAO posts on its website newly released reports, testimony, and
                      correspondence. To have GAO e-mail you a list of newly posted products,
Testimony             go to www.gao.gov and select “E-mail Updates.”

Order by Phone        The price of each GAO publication reflects GAO’s actual cost of
                      production and distribution and depends on the number of pages in the
                      publication and whether the publication is printed in color or black and
                      white. Pricing and ordering information is posted on GAO’s website,
                      Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
                      TDD (202) 512-2537.
                      Orders may be paid for using American Express, Discover Card,
                      MasterCard, Visa, check, or money order. Call for additional information.
                      Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Connect with GAO      Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
                      Visit GAO on the web at www.gao.gov.
To Report Fraud,
Waste, and Abuse in   Website: www.gao.gov/fraudnet/fraudnet.htm
                      E-mail: fraudnet@gao.gov
Federal Programs      Automated answering system: (800) 424-5454 or (202) 512-7470

                      Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-
Congressional         4400, U.S. Government Accountability Office, 441 G Street NW, Room
Relations             7125, Washington, DC 20548

                      Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
Public Affairs        U.S. Government Accountability Office, 441 G Street NW, Room 7149
                      Washington, DC 20548

                        Please Print on Recycled Paper.