This monograph is a brief introduction to the ATASS system that
was designed and promoted in the late 1980s to help prevent
the then epidemic of aircraft hijacking.
The original conception of ATASS was strange in that it was
put together by a weird and unofficial group of police and
security practitioners, most of whom had academic pretensions
as well as practical experience. It was more in the vein of
Edwardian inventors than the supposedly hardheaded deliberations
of security committees. Nonetheless the original protagonists
included some of the best security brains in the UK at that
time. The organisation involved was the Independent Research
Centre based in the Centre for Criminal Justice Studies at
Exeter University, England.
Anti-Terrorist Aircraft Screening
The objective of ATASS was to increase the security of flying
passengers whilst at the same time diminishing the disruption
caused by security measures. This approach would protect passenger
safety whilst at the same time preserving the commercial viability
of the travel industry.
It was intended that these aims would be accomplished by a
system which:
- Applied a holistic cradle-to-grave approach to the assessment
  of terrorist risk and the control of remedial actions.
- Used eclectic, all-encompassing intelligence resources to
  identify potential
- Directed the activities of airport security personnel by using
  intelligence information to focus their activities.
- Ensured that airport security personnel (of all professions)
  knew the basis of any warnings so that they could take
  intelligent action rather than respond woodenly to blanket
  alerts from on high.
- Improved the capability and professionalism of the overall
  security effort by the integration of different personnel
  capabilities.
- Integrated specific ATASS intelligence capabilities with
  existing and proposed airport security measures and tools.
- Provided an integrated encompassing management, command and
  control capability for airport security
- Proposed an air movement security certification system to
  maintain high levels of performance and standards in the
  long haul
It was a unique integrated
approach to airport security in general and flight safety
in particular. It was based on two decades of experience and
the design capability of a previously developed prototype
2. History and Background
In the 1980s interest in the prevention of hijacking was high
in Europe,
due to a dramatic and very public explosion of high-profile
aircraft terrorist events. These had started in 1968 when
Arabs seized an El Al plane in Rome and continued with many
other incidents including the hijacking of the Air France
airliner diverted to Entebbe, the Malta hijacking when 59
people died, the Dawson's Field incident and the attack on
Lod Airport. Therefore in the late 1980s it seemed as though
hijacking was in the ascendancy and that systems should be
put into operation to combat that menace. This was the main
impetus for a project to combat such activities.
An esoteric group of experts
from the UK and the US was established to build and design
a prototype anti-terrorist aircraft screening system. This
group included some of the best terrorist experts, criminal
profilers and security technologists available at that time.
A system prototype was created which utilised generic threat
risk analysis, personal profiling, group profiling and scenario
testing. That system, although demonstrated on real aircraft
movements and discussed with military and airport authorities
throughout the UK and the USA, was never implemented. The reason
was that after its inception, during the early 1990's, the
incidence of aircraft hijackings diminished, particularly
after some of the, then main, terrorist organisations had
been eliminated. It was therefore decided that at that time
the airline industry could not support the cost of additional
The situation changed with the new millennium. We believed
that in 2001 there existed the will to put in place such measures.
Also the technologies required to implement those capabilities
had dramatically increased in power and reduced in size and
cost. The prospect was therefore infinitely more viable
at the end of 2001 than it was 15 years before.
3. The Proposed System
The scheme provided a holistic approach to air travel safety
by a catholic use of all available information sources and
the integration of the best security components.
The system comprised two main components: a central country-based
terrorist intelligence system (Oracle) and a local threat
assessment and security control facility (Mentor) based in
It also proposed an air movement security certification scheme,
which could have been either voluntary or regulatory.
3.1. Oracle Central Intelligence Unit
This unit would have provided a general background indication
of the risk of terrorist activity, almost a temperature of
the security water. It also would have identified specific
threats concerning particular nations, carriers, organisations,
targets etc. It was intended to operate in real time 24/7.
It would also have provided a coherent threat level indicator
which was common to government, police, military and civil
security organisations, a situation which did not appertain
in the 1980's.
The system comprised sophisticated associative databases
with advanced analysis and data discovery features. The source
data would have come initially from publicly available sources,
augmented where agreed by input from covert and official sources.
That data could have been maintained continually by a group
of expert analysts in each country. The Oracle units were
designed to have a country-to-country communication capability
implemented where agreed by bilateral agreement.
Whilst the availability of government data would have enhanced
the system's performance, the lack of such sources would not
have invalidated the Oracle capability. In fact the judicious
and eclectic use of publicly available data often rivals the
predictive capability of the official and covert agencies,
much to their chagrin.
However it was the intention
of the designers to promote the integration of available data
from various sources such as internal intelligence organisations,
external intelligence organisations, national police forces,
local security operations and specialist security facilities.
This needs the incorporation of data spuriously designated
as 'intelligence' and that equally foolishly designated as
'criminal'. There should be no barriers to anti-terrorism
intelligence and the ultimate aim of this approach was to
provide a means of amalgamating and usefully fusing such diverse
sources. However in addition, much more sophisticated analysis
and data mining of the available information is essential
and will provide the most effective shield against terrorist
activities. We almost certainly had the data to protect ourselves;
what we needed and still need is the will to collate all available
sources coupled with the skill to identify, isolate and analyse
it. Our approach was to work towards this utopia of total
data integration and analysis from the position of using the
best pragmatically available sources and synthesis which would
still provide significant intelligence benefits and practical
The Oracle units would have forwarded all assessment changes
in the various risk categories to their own country Mentor
units as and when such information changed due to new data
or alternative analyses. The Mentor units were to use this
'base level' risk assessment as the starting point of their
specific local aircraft movement risk assessments.
The Oracle unit was also intended to act as the data interface
to all Government and covert information sources for the ATAS
System within a particular country. It would have relayed
all data requests from the local Mentor units and received
responses to such queries as well as generic intelligence
There was a growing acceptance that government agencies in
many countries would collaborate more fully with professional
security agencies in the area of information sharing. For
instance in the US the FBI had in late 2001 recently agreed
to release their 'watch list' to approved security operatives.
3.2. Mentor Airport Security Assessor and Controller
This unit was intended to deliver three main capabilities
at the local airport level. Primarily it would have provided
assessments of the risks attending each and every aircraft
movement using advanced intelligence analyses. Secondly it
would have provided an integrating overall management and
control service for all airport security facilities. Thirdly
it would have administered a proposed air movement security
certification scheme. The system would have operated in real
time 24/7 or whilst the airport was in operation.
The local Mentor unit consisted of nine modules, categorised
as either operational modules or support modules. The five
operational modules provided a security management and control
capability, an aircraft movement risk assessment, an inter-agency
integration of passenger risk evaluation, a general airport
security risk level monitoring capability and a staff and
contractor monitoring facility. The support modules were intended
to sustain those activities by providing information interfaces,
aircraft network data, security certification management and
a historical audit trail.
The unique aspects of the Mentor unit resided in its three
risk assessment modules, which respectively were designed
to assess the risk from individual passengers, aircraft movements
and the airport in general.
The passenger module was
based upon the concept that persons involved in routine activities
such as passenger handling become the subject experts on what
was 'normal' for their situation. This module integrates their
expert but subjective judgments and cumulatively delivers
such analyses to the professional security staff for decision
The aircraft movement module
provides specific aircraft movement and passenger risk assessments.
In particular it would try to identify undisclosed groups,
anomalous behaviour and specific suspect passengers. It would
have had the potential to identify risk from previously unknown
This researching activity was intended to commence from the
time of the first passenger reservation and continue until
the aircraft took off. It used a wide range of information
collected over many months. These data would be gleaned from
airline scheduling systems, ticketing information systems,
credit card databases, local postal and voting registers,
passport records, entry visa records, past flight and passenger
information and local airport data entry points. The system
would have accepted intelligence inputs from the central Oracle
Unit and the local passenger-judge system and the airport-screening
module etc. where these are in place.
It would also have accepted data from other third party security
systems especially biometric devices and physical screening
The airport screening module
would have made an assessment of the level of terrorist risk
at a particular airport in real time. It was designed to gather
information concerning anomalous or threatening events and
compute a number of general risk categories. The information
feeds would have included long term and real-time information.
Long-term information includes details of personnel, occupations
level of sensitivity for security matters, the results of
spot checks, breaches in the airport security fabric. Short-term
data includes 'no shows' of staff, late attendances, and early
leavers. Concourse incidents such as unattended baggage, 'lost'
passengers, unauthorised access to secure areas. Airside incidents
such as unauthorised entry, unaccounted exits, apparent accidents
The other operational Mentor
modules were intended to allow the integration
of these unique assessment capabilities into the general security
capability of an airport. They therefore included a management
and command facility and specialist systems to integrate third
party equipment such as x-ray screeners, psychometric devices,
access controls etc.
This cradle-to-grave security approach was embodied in a
certification system. The concept was that every
aircraft movement should have received a security certificate
before take off. The design called for authorised Mentor staff
in the local airport to sign off a security certificate indicating
that on the evidence available to them an aircraft was safe
to fly. The support available to the Certificator from the
Mentor systems would be considerable, but so would the responsibility,
which was aimed at focussing accountability and maintaining
high security standards over the long haul. A special Mentor
module would have handled the issuing and forwarding of secure
air movement security certificates under a range of situations.
3.3. An Operational Scenario
The central Oracle Unit would be continuously assimilating
intelligence feeds from a whole range of sources, public,
covert and governmental. Automated systems within the Oracle
facility would utilise intelligence to provide analyses, recommendations
and alerts. At the same time this information would have been
researched and processed by expert human analysts who would
augment and modify the continuous output of general level
intelligence from the Oracle system. This intelligence would
be categorised for ease of communication and assimilation.
Upon any change of either a generic or a specific threat level,
the assessment would be broadcast to the Mentor Units of all
appropriate airports in that country.
At the local airport, assessments received from the Oracle
Unit would be utilised as the baseline for the risk calculations
for each particular flight.
To that base risk level would be added assessments from the
passenger judge system, the general airport risk assessment
module and the aircraft screening module, which would be looking
for anomalous passenger behaviours and undisclosed groups
As passengers traversed the various processing stages before
entry to the aircraft these assessments would be continually
updated. Just prior to the time of boarding a trained security
officer operating the security certificate assessment module
would assess the current status of all data and make a decision
on whether or not to issue a security certificate for that
air movement. At that time, and indeed at any other time up
to the issue of a certificate, alerts, whether of a specific
nature or raised by the passing of a security risk threshold, could
have triggered remedial action by the security control room
Let us look at a hypothetical scenario. If say, during the
days approaching the anniversary of the commencement of the
Intifada uprising in Palestine, indications were received
by the Oracle analysts that a Japanese terrorist group had
been receiving training from Palestinian organisations, then
the following set of reactions might occur. There could be
a general heightening of awareness of terrorist threat in
general during the days preceding the anniversary. There would
almost certainly be an increase in the threat awareness concerning
specific aircraft movements with Israeli connotations e.g.
flights to and from Israel, those involving Israeli personnel
or Israeli airlines.
The awareness markers for known types of terrorists who consider
Israel as a legitimate target would be widened to include
the characteristics of the Japanese group. In addition any
more specific information concerning their methods and approaches
would be computed and analysed. These assessments would be
passed to the Mentor Units with particular flagging for those
involved in the security supervision of any Israeli related
The local Mentor Units would undertake a more focussed analysis
in the search for undisclosed groups etc. to include the additional
protagonists or mixtures of such collaborating groups. In
addition it would automatically increase the 'worry loading'
for any aircraft movement in the heightened risk categories.
The controllers in the Mentor control room would pay particular
attention to the flagged categories and would be more likely
to instruct in-depth security intervention for such movements.
Operational security personnel on the ground would receive
additional risk category briefings to focus their activities.
Security staff could check any passenger receiving a high-risk
judgment locally and/or have their details forwarded to the
Oracle unit for specific identity checking. (Oracle might,
in automated collaboration, then farm out that check to other
Government or covert agencies as well as undertaking its own
If approaching the time of takeoff the risk assessments were
sufficiently high the SCAM personnel could either refuse to
issue a certificate or take regulatory action to remove suspected
persons and thereby reduce the risk to acceptable levels.
They would do this backed by the wide range of information
from the assessment modules available in the Mentor system
and by the utilisation of the command and control directing
local security personnel to undertake physical activities.
In other scenarios the airport screening module might indicate
the suspicion of proxy bombers based on erratic staff behaviour
or unauthorised access etc. Biometric identification systems
might have high matches on known protagonists. Ordinary foot
slogging security checks may reveal unsettling situations.
In all such circumstances the local security control room
would have a complete picture of the airport security situation
and could use that range of information to support its decisions.
Those decisions would be further aided by standard C2 information
capabilities to allow the professionals to take the necessary
remedial actions swiftly and effectively.
The above scenario was very simplistic, as one would not anticipate
that the Oracle and other units would be reacting to a single
gross piece of intelligence with a small number of assessment
changes. Normally they would be making a myriad of minor adjustments
based upon a vast range of disparate intelligence feeds. This
would provide a much more subtle and measured response by
the security professionals.
The design approach to the ATASS project has been to ensure
that it can operate under a number of different international
regimes concerning the regulation of airport security. None
of its features rely absolutely on government intervention
or even cooperation although some elements such as certification
would be aided by such official support. In other words the
ATASS system has the potential to be deployed in any country
that has the facilities to operate a modern airport.
3.4. Operational Staff
The Oracle unit would have been operated by expert intelligence
and data operatives, augmented where necessary by country
and subject specialists. There would have probably been just
one Oracle unit located in each sovereign country. Normally
it would have been expected to operate under the supervision
of a government mandate although that was not essential.
The Mentor units would have been located in each airport and
would have functioned at all times when the airport was operational.
Trained security staff would have had command and control
expertise plus assessment and certification expertise. The
unit would have been under the supervision of the senior security
officer who would also have been responsible for the Security
Certificators of Aircraft Movements (SCAM) personnel. This
unit would have operated under the direction of the authority
responsible for the security of the airport.
4. Ancillary Notes
Much of this work was undertaken on a Kee 3 workstation ($200,000
worth) kindly lent by the Vanilla Flavor Company and a Lisp
Machine ($250,000) lent by Scientific Computers Ltd. Other
work used early PCs and GoldWorks, a Lisp environment.
5. Current Situation
After the 9/11 disaster the very old and somewhat sketchy
prototype described above was resurrected and details passed
to the relevant authorities in Europe and the USA. This included
some visits and explanations.
No interest was evinced by the authorities. This could have
been due to a NIH syndrome. A more charitable view is that
time had passed on since the old initial concept. Therefore
our ideas of the 1980s were now obsolete due to improved intelligence
and analysis capabilities.
These are due to
General Clutterbuck - Terrorist Expert and Fellow of Exeter
Acting Police Chief Constable Dr Brian Morgan.
Chief Police Superintendent Davis Webb.
And the vast majority of
other collaborators from the security services who cannot
be identified as they are still active in their professions.
Whilst modesty normally
precludes it, at this late stage perhaps I should also add
myself as I was the Technical Manager and Designer of the project
Ex Chief Police Superintendent
Dr John Hulbert FBCS, Ch PsyChol, Ch ITP.