USA Flag

Official website of the Department of Homeland Security

Speech

Quantum Security: Keeping Ahead of the Threat

Tuesday, May 27, 2008
Contact:
TSA Press Office
(571) 227-2829

Testimony & Speeches

Kip Hawley
Administrator, Transportation Security Administration
U.S. Department of Homeland Security
Berlin Air Transport Security Conference:
1st Public-Private Security Conference
Berlin, 27 May 2008

Thank you. I am excited to be here in Berlin, with its rich scientific and creative heritage, and especially at the Berlin Air Show celebrating the accomplishments of aviation. It is hard not to think of the science that has made it all possible.

Aviation advances have been propelled by dedicated specialists in aviation and by incorporating the broader context of developments in learning about the physical world at large. It is the mix of steady, disciplined progress—accompanied by irregular leaps forward in contextual understanding—that enable the incredible accomplishments in science and aviation that we celebrate at the Berlin Air Show this week. That same phenomenon, a mix of the carefully regulated and the unexpected, also brings progress to our system of aviation security.

I would like to recognize someone whose name is familiar, even if it does not come up often in connection with aviation or security, and that is Max Planck.

Much of the critical thinking that underlies our understanding of the physical universe—the outside context that affects everything, including aviation—took place here in Berlin in the early days of the twentieth century. While the Wright Brothers were preparing their breakthrough by looking upward, Max Planck, with his contributions in physics in the area of quantum mechanics, went in the other direction, inward, in his breakthrough thinking about the micro world.

I do not mean this as a literal, technical discussion. Merely, that thinking about Planck brought to mind that there are some loose analogies between classical and quantum physics and our own security work pre- and post- 9/11.

Just as 19th century scientists operated within the stable context of classical physics and then had to reassess their thinking based on 20th century learnings about quantum physics, so too should we take a fresh look at our 20th century security strategies based on 21st century experience, most notably 9/11.

Physics at the end of the 19th century had succeeded in explaining the phenomena that make up our physical world. There was a stable order of the universe that could be confirmed by experiments. Classical physics gave an orderly, proven, sensible framework for our physical world.

To a point, or should I say, to a particle.

One of the challenges that Planck resolved was the question of whether energy is a particle or a wave. We now know of the photon, a discrete chunk of light, a particle. We also know that light can be thought of as a wave. In the world of quantum mechanics, it is possible to be both a particle and a wave at the same time.

In the same way that physicists once asked of light, "Is it a wave or a particle?" we sometimes hear the question rephrased about today's aviation priorities. Is it safety or is it security? The answer, of course, is that it is both. You cannot have one without the other.

However, safety and security, like particles and waves, are very distinct in a practical sense and I would argue that it is through the lens of quantum physics that can help us reconcile what I consider to be a central issue confronting aviation security today throughout the world: Do security strategies rooted in classical safety-based risk management principles meet our need in the world of the patient, adaptive terrorist? Do we need to look at it in a different, or at least complementary, way?

The laws of classical physics provide order and predictability in a seemingly chaotic universe. Physics gives us a reliable framework to understand the cosmic and the ordinary: the sun rises and sets on schedule. Objects stay on the ground in a fixed position until gravity is overcome by enough force to move a mass in the appropriate direction – including upward.

Through science, we have learned in the last 100 years how to construct and operate a highly sophisticated and very reliable aviation system. It is safe because we know how much thrust has to be applied, how the air must flow, and what pressures individual parts must withstand, among several thousand other facts of physics. The government can set required minimum tolerances for many of those variables with extraordinary precision, and thus provide the flying public with very high confidence in the safety of air travel. The rules of classical physics, applied and understood, allow for precision and confidence in the results.

That is a good description of safety. But it does not cover our security needs.

In the ultra-tiny world of the building blocks of atoms, what to the visible world is predictable is, under the surface, actually unpredictable. In the classical world, we observe and chart activity and learn how to predict it. We can safely plan our activities knowing that the past is a reliable guide to future results. In the quantum world, the act of observing a specific particle's behavior ruins any chance of knowing its other attributes, let alone studying their observable outcomes.

Past experience in the quantum world can be a fickle predictor. At the macro level, things work together in a way we can understand and predict, and can even manipulate. Unfortunately, the converse is not true.

Perhaps the issues illuminated in quantum physics can help us understand security in the age of terrorism.

Terrorist behavior is not obvious or predictable. As in the quantum world of Planck's particles, the activity changes if we watch it overtly or when we structure defensive measures to control it.

If we try to apply the reliable, predictable-world principles of safety to the non-linear, inherently unpredictable world of terrorism, it may lead to the worst kind of disaster: where calamity occurs because we think we are following all the rules, doing it "right."

For example, if we design a classical security system that meticulously identifies and prevents a set of prohibited items from getting on an aircraft, we might be under the illusion that we have an effective security system. As we have seen a number of times, including with the 2006 liquid explosives plot, the terrorist planner designs an attack around the barriers and rules that we have erected.

Non-linear thinking beats linear planning, even if perfectly executed.

The more subtle vulnerability is that our tried and true safety compliance mentality can, in fact, work against us when applied in the security context. Over-reliance on regulatory compliance regimes can reinforce system security vulnerabilities by inadvertently creating a "checklist mentality" where the emphasis of management and regulators is on whether or not individuals working in security have faithfully followed the approved checklist. In a safety context, this approach works because the laws of physics stay predictable. However, if the forces of gravity conspired regularly with the principles involving mass and acceleration, we would be in trouble.

We should not be lulled into a false sense of security by thinking that a set of static, sensible rules, diligently applied, will remain effective in the face of enemies who—with all the time in the world—actively conspire to beat them. Unpredictable, non-linear terrorist risk can only be successfully met by efforts that are directed by a security strategy, and supported by technologies, that deny our enemies a static and predictable target.

In terms of strategy, many of the world's aviation security systems are regulatory in nature and housed in the same organizations that regulate aviation safety. This was the case in the United States immediately after 9/11 when TSA was created inside the Department of Transportation. The Department of Homeland Security was created in 2003 and TSA has been a part of DHS for the past five years.

To me, the most important consequence of being in DHS is that we are now better connected into the worlds of law enforcement and intelligence and that has led to added capability on top of the traditional, principally regulatory approach.

We have added measures like behavior detection, surge strike forces, document verification, and purposefully unpredictable security measures to thwart someone who may know our regulations, technology, or procedures. These added security measures are suited to the adaptive and patient terrorist threat that we face. TSA activities are more directed to active operational disruption of potential terrorist activity than to a more detached compliance approach.

Nations that combine safety, or civil aviation, and security must stay plugged in to intelligence and law enforcement. To be sure, regulatory compliance is a necessary and continuing ingredient of our total system, but we are now using our inspector force of over 1,000 knowledgeable professionals to participate in disruption activities that complement TSA's law enforcement, regulatory work and airport screening assets.

Similar issues arise in the technology area.

Should we devote our resources and our energies to rushing out ever more and more sophisticated and expensive machinery? Or are we better served by more flexible and mobile lower-tech layers of security, where each individual layer has vulnerabilities but when linked together they form a formidable system?

Clearly, TSA is spending hundreds of millions of dollars every year on advanced technology that is essentially fixed in place but is the foundation of our security baseline. I believe that is the right way to go. However, we are spending more of our resources on technology that is multi-purpose and mobile. Portable explosives detection units are now are a key part of TSA's security system. We have found that pairing these handheld devices with the inspector workforce that I mentioned earlier gives us a capability that can be rapidly and unpredictably deployed anywhere in the U.S. or, for that matter, the world.

Which brings me to my final point this morning.

One of the more curious aspects of quantum physics is the phenomenon whereby it is possible for a particle to be at two places at the same time. At some future time, this might make air travel a whole lot quicker and easier, but not probably on our watch.

A parallel reality to a particle's ability to be in different places at once, is that, as I mentioned earlier, particles are never actually at any one specific identifiable place. There are no barriers in quantum physics. In the world of particles, there are no borders.

This is another case where the very basics of our classical system work against us.

We spend a great deal of time and energy in defining our borders and legal systems and getting roles correct between the private sector and government. Borders and rules only restrict nations and people who recognize our common values and respect our legal systems. Obviously, terrorists do not and they exploit the gaps that exist because only we play by the rules.

As each nation puts in place security measures against a common enemy, each of us operate within our own cultural and legal norms, and while they are similar, they are not identical. That creates gaps. Therefore, one of TSA's top priorities of the last two and a half years has been to harmonize U.S. security measures with global partners.

The most notable of these efforts was the common response to the threat of novel liquid explosives in 2006. That was the first time since 9/11 in which security measures were jointly developed in advance. Today, most of the world has identical rules for bringing liquids on planes.

I would like to publicly thank my colleagues of the E.U. and their Member States for the extraordinary level of sharing and cooperation that has allowed us to make great progress across the board in harmonizing our security programs. We seek to do the same with other partners around the world. Information exchange, technology sharing, common inspection criteria, and even joint operational activities are examples of the close and continuing security relationship between the U.S. and the E.U.

This, I believe, is the model we must follow worldwide for truly effective security.

We must first communicate and coordinate and then act together in a way that leaves no space between us.

One of the principal attributes of the Quantum Security approach that I have been describing is that multi-purpose, flexible, mobile security systems are not expensive.

There is no nation that cannot afford smart security. Large capital budgets are not required. Huge investments and structures are not needed. All that we need for an effective, linked, layered security system is a common approach based on our shared values and commitment to each other.

While I have not figured out how to be in more than one place at a time, I can say that TSA stands with you in our common effort. We will dedicate whatever resources we have and all of our energy to protect our citizens from the threat of attack. We are finding ways to harmonize measures and share information, and we are willing to devote resources so that attacks can be disrupted whether they be within our borders or yours.

We live in a world where playing by our own individual rules alone is not enough to be safe. We live in a world, where for aviation security purposes, there are no borders and therefore no safe havens. We live in a world where partners—whether or not they realize it—truly depend on each other for their security, and they must—we must—stay closely aligned, no matter what.

And in that effort, I am proud to be with you today and represent the men and women of the TSA, who—every one of us—stand with you going forward together.

Thank you.