Date: 5 November 2013
Remarks of Tony Tyler at the IATA 22nd AVSEC World in Istanbul
Good morning, and it is a pleasure to be with you today. Sadly, we meet in the light of yet another assault.
The terrible shooting at Los Angeles International Airport last Friday is a reminder that AVSEC World remains, in its 22nd iteration, one of our most essential forums. Our thoughts are with those who were injured, and most of all with the family of Mr. Gerardo Hernandez, who tragically lost his life in the service of ensuring the safety of all who travel by air. It is a sad reality of modern life that evil and disturbed individuals often target public spaces to commit atrocities, including airports, shopping malls, and office buildings. Regulators have the difficult task of balancing security with the needs of modern society for mobility.
And in that light, the presence of so many distinguished speakers and delegates here today is most important. My particular thanks to Mr. Raymond Benjamin, Secretary General of the International Civil Aviation Organization (ICAO), for joining us, to Bilal Eksi, Director General of the Directorate General of Civil Aviation Turkey, Angus Watt, President and CEO, CATSA and to Dr. Temel Kotil and Turkish Airlines for their generous support.
Turkey is an emerging powerhouse in aviation with great ambitions for its airlines and its airport infrastructure. Situated at the crossroads of Asia and Europe, it is well-placed to be a leader in connecting not only East and West—but also North, South and beyond.
Crossroads is also the theme for this conference. And I believe that it is an appropriate metaphor for the situation of the industry today with respect to security. Aviation today is a powerful force in shaping the global economy and developing greater linkages between regions, countries and continents. The industry supports employment for some 57 million people and supports $2.2 trillion in economic activity, but its influence goes well beyond that. Some $6.4 trillion in global trade is delivered by air. And it would be difficult to imagine a day in any modern life that is not touched many times by the impact of global connectivity.
The direction is clear. Air transport will continue to grow in importance. And the numbers are impressive. This year we will surpass the 3 billion passenger mark. By 2017 that number will be approaching 4 billion with around 450 million more passengers coming from Asia alone. Cargo has been stagnant at about 50 million tonnes annually. But as the world economy continues to revive one can only see a future defined by growth.
Connectivity is an economic catalyst. A well-functioning air transport system means jobs, development and prosperity. It is in everybody’s interest to ensure that it has a license to thrive that is supported by environmental sustainability, profitability and ever increasing levels of safety and security—the topic that we are here to discuss today.
It is clear that we need to have security systems that can cope with evolving threats and increasing volumes of travelers and goods. But we have some choices to make on how we achieve that goal. As I said, we stand at a crossroads.
- Do we choose the path of business as usual to provide security to our passengers, ignoring the lessons of the past decade, relying on ageing systems, outdated ways of thinking, and processes that may well be at a breaking point? Or do we embrace innovation and engagement to enhance security, efficiency and convenience?
- Do we use the lull in the air cargo industry as an opportunity to accelerate the introduction of e-Freight, improving security and our value proposition by transmitting shipment data electronically with superior tracking and targeting support? Or do we stick our heads in the sand until the reality hits us that paper is not the foundation for a global 21st century supply chain and necessary security?
- Even more broadly, do we change from prescriptive one-size-fits-all measures and embrace performance-based regulation, or just keep writing regulations and take solace in the fact that our stack of rules is getting bigger? And if we move to outcome-based regulations, can airlines hold up their end of the bargain when the regulatory microscopes get removed and more of our fate is in our own hands?
These are some of the big questions facing global aviation in a world of multiple, varied and constantly evolving security threats. The decisions that must be made are certainly more nuanced than how I have painted them. But the fundamental choice is between tinkering with what is currently in place or working together to develop a new paradigm based on the lessons of the past decade and in anticipation of our future challenges.
I am here today as an advocate of change. We need to be much smarter about the way that we do security. And the path to that is by adopting an end to end risk-based approach and not just congratulating ourselves for finding the low hanging fruit. Bringing about such change goes well beyond the scope of what IATA, or the airlines or even the industry can do. Partnership with regulators and governments is critical. And that is why the support of ICAO, symbolized by the presence here of Secretary-General Benjamin, is so important.
I also have to say that regulators around the world seem to be moving in the same direction. My message here today has three main thrusts or principles for evolving a risk-based approach to aviation security:
- That we work together from the start—industry and government
- That we aggressively pursue the shift to a risk-based approach
- And that we commit to a strengthened and harmonized global system—not disparate regimes
We need to apply these across security systems. And today I will highlight the issues that I believe we face in passenger data collection, how we secure passengers, cargo and our own IT systems, how we develop our talent and lastly, how we pay the bill.
The premise of any risk-based security approach is that we have data on which to make risk assessments.
Over 45 states require airlines to collect advance passenger information (API) or transmit passenger name record (PNR) data—or both. A slightly larger number of states are planning to introduce such requirements. This is a great indication that governments are putting in place the systems to support a risk-based approach and strengthen their borders. While that is good, it could quickly become a bureaucratic nightmare if the requirements and transmission methods are not harmonized or aligned. It could be a legal nightmare as well. We all remember the untenable position that airlines were placed in when the US required access to PNR data that European privacy regulation prevented them from sharing. Imagine if we had 90 or more conflicting requirements.
We must also be prudent in how we collect and spend money to support data collection. It’s preposterous that airlines pay governments for processing the passenger data that governments require. This needs to stop. Canada is the most egregious example but there are others. Where the “costs” are passed to passengers we should also recognize that they would expect the monies collected to be put towards security. Of the $14 ESTA fee travelers pay to enter the US, $10 funds the “Visit the US” advertisement campaigns. This undermines the trust that we need our passengers to have in a system that should be focused on keeping them secure.
We also need to consider carefully what data is required for over-flights. Does data about persons passing overhead at 35,000 feet actually enhance security? If it does, what level of data is needed to make the determination? We do not believe it should be the same as the data States’ require for flights landing at one of its airports. Let’s use some common sense – data for data’s sake doesn’t make anybody safer.
In response to this challenge, ICAO, the World Customs Organization (WCO) and IATA have developed detailed provisions to facilitate the harmonized exchange of API and PNR across borders. However, this strong framework is little known outside of the civil aviation world, especially in the border control community. So today, ICAO, WCO and IATA are launching an online Toolkit with videos and materials that explain, in simple terms, what API and PNR consist of, and the best way for public authorities to utilize that data. We invite all States and stakeholders with an interest in passenger data to make use of this toolkit and to participate in a series of API-PNR Days that we will be co-organizing over the next year and beyond.
Checkpoint of the Future
Most governments are using passenger data for immigration purposes—to secure their borders. But we should not stop there. We need to broaden the use of registered traveler programs.
At a basic level, data routinely collected for immigration formalities can form the basic body of knowledge for assessing risk. But the success of voluntary immigration and customs known traveler programs—of which there are over 25 programs worldwide—tells us that passengers are willing to share even more data in order to smooth the process. We are even starting to see some of these programs being connected across borders. As that happens more broadly it will fuel a virtuous cycle of increasing incentives for more people to join the programs, resulting in more knowledge about who is traveling and even better security. So I would urge governments that are looking into such programs to think from the very outset in terms that would allow them to link and mutually recognize one another’s programs.
The US Transportation Security Administration (TSA) has given us a good example of how we can assist trusted travelers through the rapidly expanding Pre-check program. There will shortly be 100 airports in the US where members of this program can leave on their shoes and jackets, and keep laptops in their cases as they undergo security screening. The TSA has shown the world that there is a better way to enhance security and make the passenger journey less stressful.
And the success of the TSA in their revolution bodes well for the Checkpoint of the Future program which seeks to make passenger information work even harder. The vision is to differentiate screening based on risk assessments so that we allocate resources where they will be most effective. By embedding risk assessments in the airport screening process we can accommodate different levels of security alert without having to interrupt normal procedures -- and in fact take things one step further than Pre-check, by dynamically changing the sensitivity of the checkpoint according to the risk assessment done on the passenger. The flying public is eager to see the Checkpoint of Future deployed as quickly as possible. Stakeholders are aligned behind a staged implementation that will see the first versions in 2014. Subsequent stages will see us move from re-purposing equipment and using data more thoughtfully to the eventual deployment of new equipment in the final stage around 2020.
But now that I’m speaking of Checkpoint of the Future, I need to talk about one aspect of the checkpoint of today in the United States - the topic of exit lanes.
It’s wrong that airports and airlines in the United States are now being asked to pay twice for exit lane monitoring services; once to the TSA through the Aviation Security Infrastructure Fee, and now a second time to fund the replacement of exit lane monitors. The TSA and the industry are aligned on many issues, but in this case we ask that they withdraw this regulation.
The cargo community is similarly eager to adopt a risk-based approach to security. Data is equally important for cargo as for passengers.
Industry and governments are working hard to implement e-freight around the world. The project started seven years ago. Ideally, we would like to be further ahead than we are today. But the entire supply chain is uniting behind the effort. And we are determined to have 100% electronic air waybills by 2016—a key element of the program.
We are also united behind Secure Freight—which can help manage the risk across the supply chain. Since the 2010 printer cartridge plot, governments, especially in the US and EU, have imposed a number of security directives tailored to managing risk. The onus is firmly on the industry to ensure air cargo is appropriately screened in accordance with this new risk-based approach. We are eager to engage with governments to implement practical and harmonized measures that both facilitate global trade and keep our industry secure.
The US, UK, Israel and others have programs in place. And where programs do not exist we are promoting Secure Freight. Nine states have so far piloted this initiative, with the Russian Federation becoming the tenth early next year. And I am pleased to announce that today Turkey’s Directorate General of Civil Aviation will engage officially with IATA under a Memorandum of Understanding for the initiation of a Secure Freight Pilot. This is a great example of industry and government working together to enhance security for air cargo shipments in one of aviation’s fastest growing markets.
The EU’s ACC3 regulation indicates the eagerness of regulators to secure the supply chain. While nobody can argue with the general principles, we would prefer a multi-lateral approach. The timeline is also challenging. By 1 July 2014 all carriers bringing cargo to Europe from most countries will have to submit independently validated audits of their supply chains. Completing the thousands of audits that this will entail will not be easily achieved.
One hurdle is training auditors. IATA is doing its best to assist here. We’ve put in place a Center of Excellence for training independent validators, which has been endorsed by 11 EU member states. And the Secure Freight initiative provides a framework for securing freight upstream and keeping it that way until delivery.
Let me be clear on cargo security in relation to ACC3 and Secure Freight. Security across the globe is not going to be enhanced through more validation programs. Mutual recognition of sovereign states’ own cargo security programs such as US/Canada, EU/US, US/Israel, and the US NCSP are the cornerstones of the future. My message to regulators is: please do not proliferate extra-territorial auditing and validation regimes.
The emphasis on data in the security process also points towards the emerging challenge of cyber security. Aviation is IT-intensive. We rely on computer systems for every facet of our operations, from reservations to operational systems and air traffic management. We are assured by manufacturers that aircraft systems are safe. But with such a globally connected network of communications, systems and data, a holistic view is needed to address the challenge. The solution needs to be developed in partnership between airlines, airports, service providers, systems providers, original equipment manufacturers and regulators. As we have done with other threats, we must work together to share best practices, identify known threats and vulnerabilities, and develop guidance, mitigation strategies and training efforts. IATA has started this process through the completion of a Landscape Study, which will lead to a first round of guidance material being developed for the industry next year.
We need to be ready for this change in thinking. How should regulators treat this new security dimension, and how can airlines tackle cyber security and airline security as a single unit? Our resources are not infinite. Inevitably we need to balance the cyber threat against the physical threats. We will still need to look for bombs, but how do we strike a balance with looking for malware?
The culture of security
As with any challenge, people need to create the solutions. It is vital that we invest properly in developing the next generation of security leaders. Airlines need to identify and train the post 9/11 generation into leaders capable of countering the menace of bombs, computer viruses, and other unknown threats. As part of that, we need to be clear what kind of people and what kind of skills we are looking for.
Governments face the same issue. Regulators need specialized knowledge to recognize what is necessary to deal with threats—modern and traditional—and how such measures can be implemented. In the same way that airlines and airports must build specialized security skills, regulators will also need to develop specialists to confront cyber and physical threats in the aviation context.
The culture of how we collect and spend money for security also needs to be challenged. Airlines have spent over $100 billion in the past decade on security. But has all this expenditure been well –targeted? Every dollar spent on one kind of security is potentially a dollar that could be spent on better security elsewhere, so we need to balance where to deploy our resources very carefully. We also need to develop a culture of cooperation that at the same time recognizes what is an aviation industry responsibility, and what is a government responsibility...and accordingly, who is responsible for funding it.
As the presence of industry and regulators in this room suggests, we have built strong partnerships and are working together with common purpose. At the beginning I described an industry at a cross roads. That is true. But I believe that the choice of the path forward is being solidified.
The common vision among industry and regulators is data-driven risk-based and outcome-focused security delivered in partnership with industry and to harmonized global standards. The challenge is to work together to deliver it while staying one step ahead of those who would choose to do our industry harm.