This monograph is a brief introduction to the ATASS system that was designed and promoted in the late 1980's to help prevent the then epidemic of aircraft hijacking.

The original conception of ATASS was strange in that it was put together by a weird and unofficial group of police and security practitioners, most of whom had academic pretensions as well as practical experience. It was more in the vein of Edwardian inventors than the supposedly hardheaded deliberations of security committees. Nonetheless the original protagonists included some of the best security brains in the UK at that time. The organisation involved was the Independent Research Centre based in the Centre for Criminal Justice Studies at Exeter University, England.

Anti-Terrorist Aircraft Screening System (ATASS)

1. Introduction

The objective of ATASS was to increase the security of flying passengers whilst at the same time diminishing the disruption caused by security measures. This approach would protect passenger safety whilst at the same time preserving the commercial viability of the travel industry.
It was intended that these aims would be accomplished by a system which: -

  • · Applied a holistic cradle to grave approach to the assessment of terrorist risk and the control of remedial actions.
  • · Used eclectic all encompassing intelligence resources to identify potential terrorist threats.
  • · Directed the activities of airport security personnel by using intelligence information to focus their activities.
  • · Ensure that airport security personnel (of all professions) knew the basis of any warnings so that they could take intelligent action rather than respond woodenly to blanket alerts from on high.
  • · Improved the capability and professionalism of the overall security effort by the integration of different personnel capabilities.
  • · Integrated specific ATASS intelligence capabilities with existing and proposed airport security measures and tools.
  • · Provides an integrated encompassing management, command and control capability for airport security measures.
  • · Proposed an air movement security certification system to maintain high levels of performance and standards in the long haul

It was a unique integrated approach to airport security in general and flight safety in particular. It was based on two decades of experience and the design capability of a previously developed prototype system.

2. History and Background

In the 1980's interest in the prevention of hijacking during the 80's was high in Europe, due to a dramatic and very public explosion of high profile aircraft terrorist events. These had started in 1968 when Arabs seized an E l Al plane in Rome, it continued with many other incidents including the hijacking of the Air France airliner diverted to Entebbe, the Malta hijacking when 59 people died, the Dawson's field incident and the attack on Lodd Airport. Therefore in the late 1980's it seemed as though hijacking was in the ascendancy and that systems should be put into operation to combat that menace. This was the main impetus for a project to combat such activities.

An esoteric group of experts from the UK and the US was established to build and design a prototype anti-terrorist aircraft screening system. This group included some of the best terrorist experts, criminal profilers and security technologists available at that time.

A system prototype was created which utilised generic threat risk analysis, personal profiling, group profiling and scenario testing. That system, although demonstrated on real aircraft movements and discussed with military and airport authorities throughout the UK and the USA was never implemented. The reason was that after its inception, during the early 1990's, the incidence of aircraft hijackings diminished, particularly after some of the, then main, terrorist organisations had been eliminated. It was therefore decided that at that time the airline industry could not support the cost of additional security screening.

The situation changed with the new millennium. We believed that in 2001 there existed the will to put in place such measures. Also the technologies required to implement those capabilities had dramatically increased in power and reduced in size and cost. The prospect was therefore now infinitely more viable at then end of 2001 than it was 15 years before.

3. The Proposed System

The scheme provided a holistic approach to air travel safety by a catholic use of all available information sources and the integration of the best security components.

The system comprised of two main components. A central country based terrorist intelligence system (Oracle) and a local threat assessment and security control facility (Mentor) based in each airport.

It also proposed an air movement security certification scheme, which could have been either voluntary or regulatory.


3.1. Oracle Central Intelligence Unit

This unit would have provided a general background indication of the risk of terrorist activity, almost a temperature of the security water. It also would have identified specific threats concerning particular nations, carriers, organisations, targets etc. It was intended to operate in real time 24/7. It would also have provided a cohereht threat level indicator which was common to government, police, military and civil security organisations, a situation which did not appertain in the 1980's.

The system comprised of sophisticated associative databases with advanced analysis and data discovery features. The source data would have come initially from publicly available sources, augmented where agreed by input from covert and official sources. That data could have been maintained continually by a group of expert analysts in each country. The Oracle units were designed to have a country-to-country communication capability implemented where agreed by bilateral agreement.

Whilst the availability of government data would have enhanced the systems performance the lack of such sources would not have invalidated the Oracle capability. In fact the judicious and eclectic use of publicly available data often rivals the predictive capability of the official and covert agencies, much to their chagrin.

However it was the intention of the designers to promote the integration of available data from various sources such as internal intelligence organisations, external intelligence organisations, national police forces, local security operations and specialist security facilities. This needs the incorporation of data spuriously designated as 'intelligence' and that equally foolishly designated as 'criminal'. There should be no barriers to anti terrorism intelligence and the ultimate aim of this approach was to provide a means of amalgamating and usefully fusing such diverse sources. However in addition, much more sophisticated analysis and data mining of the available information is essential and will provide the most effective shield against terrorist activities. We almost certainly had the data to protect ourselves, what we needed and still need is the will to collate all available sources coupled with the skill to identify, isolate and analyse it. Our approach was to work towards this utopia of total data integration and analysis from the position of using the best pragmatically available sources and synthesis which would still provide significant intelligence benefits and practical security.

The Oracle units would have forwarded all assessment changes in the various risk categories to their own country Mentor units as and when such information changed due to new data or alternative analyses. The Mentor units were to use this 'base level' risk assessment as the starting point of their specific local aircraft movement risk assessments.

The Oracle unit was also intended to act as the data interface to all Government and covert information sources for the ATAS System within a particular country. It would have relayed all data requests from the local Mentor units and received responses to such queries as well as generic intelligence where provided.

There was a growing acceptance that government agencies in many countries would collaborate more fully with professional security agencies in the area of information sharing. For instance in the US the FBI had in late 2001 recently agreed to release their 'watch list' to approved security operatives.

3.2. Mentor Airport Security Assessor and Controller

This unit was intended to deliver three main capabilities at the local airport level. Primarily it would have provided assessments of the risks attending each and every aircraft movement using advanced intelligence analyses. Secondly it would have provided an integrating overall management and control service for all airport security facilities. Thirdly it would have administered a proposed air movement security certification scheme. The system would have operated in real time 24/7 or whilst the airport was in operation.

The local Mentor unit consisted of nine modules, categorised as either operational modules or support modules. The five operational modules provided a security management and control capability, an aircraft movement risk assessment, an inter-agency integration of passenger risk evaluation, a general airport security risk level monitoring capability and a staff and contractor monitoring facility. The support modules were intended to sustain those activities by providing information interfaces; aircraft network data, security certification management and a historical audit trail.

The unique aspects of the mentor unit resided in its three risk assessment modules, which respectively were designed to assess the risk from individual passengers, aircraft movements and the airport in general.

The passenger module was based upon the concept that persons involved in routine activities such as passenger handling become the subject experts on what was 'normal' for their situation. This module integrates their expert but subjective judgments and cumulatively delivers such analyses to the professional security staff for decision and action.

The aircraft movement module provides specific aircraft movement and passenger risk assessments. In particular it would try to identify undisclosed groups, anomalous behaviour and specific suspect passengers. It would have had the potential to identify risk from previously unknown perpetrators.

This researching activity was intended to commence from the time of the first passenger reservation and continue until the aircraft took off. It used a wide range of information collected over many months. These data would be gleaned from airline scheduling systems, ticketing information systems, credit card databases, local postal and voting registers, passport records, entry visa records, past flight and passenger information and local airport data entry points. The system would have accepted intelligence inputs from the central Oracle Unit and the local passenger-judge system and the airport-screening module etc. where these are in place.

It would also have accepted data from other third party security systems especially biometric devices and physical screening systems.

The airport screening module would have made an assessment of the level of terrorist risk at a particular airport in real time. It was designed to gather information concerning anomalous or threatening events and compute a number of general risk categories. The information feeds would have included long term and real-time information. Long-term information includes details of personnel, occupations level of sensitivity for security matters, the results of spot checks, breaches in the airport security fabric. Short-term data includes 'no shows' of staff, late attendances, and early leavers. Concourse incidents such as unattended baggage, 'lost' passengers, unauthorised access to secure areas. Airside incidents such as unauthorised entry, unaccounted exits, apparent accidents etc.

The other operational mentor modules were intended to be designed to allow the integration of these unique assessment capabilities into the general security capability of an Airport. They therefore included management and command facility and specialist systems to integrate third party equipment such as x-ray screeners, psychometric devices, access controls etc.

This cradle to grave security approach was embodied in a certification system. The concept being that every aircraft movement should have received a security certificate before take off. The design called for authorised Mentor staff in the local airport to sign off a security certificate indicating that on the evidence available to them an aircraft was safe to fly. The support available to the Certificator from the mentor systems would be considerable, but so would the responsibility, which was aimed at focussing accountability and maintaining high security standards over the long haul. A special mentor module would have handled the issuing and forwarding of secure air movement security certificates under a range of situations.

3.3. An Operational Scenario

The central Oracle Unit would be continuously assimilating intelligence feeds from a whole range of sources, public, covert and governmental. Automated systems within the Oracle facility would utilise intelligence to provide analyses, recommendations and alerts. At the same time this information would have been researched and processed by expert human analysts who would augment and modify the continuous output of general level intelligence from the Oracle system. This intelligence would be categorised for ease of communication and assimilation. Upon any change of either a generic or a specific threat level, the assessment would be broadcast to all appropriate country airports Mentor Units.

At the local airport assessments received from the Oracle Unit would be utilised as the base line for the risk calculations for each particular flight.

To that base risk level would be added assessments from the passenger judge system, the general airport risk assessment module and the aircraft screening module, which would be looking for anomalous passenger behaviours and undisclosed groups etc.

As passengers traversed the various processing stages before entry to the aircraft these assessments would be continually updated. Just prior to the time of boarding a trained security officer operating the security certificate assessment module would assess the current status of all data and make a decision on whether or not to issue a security certificate for that air movement. At that time, and indeed at any other time up to the issue of a certificate; alerts of either a specific nature or by the passing of security risk threshold, could have triggered remedial action by the security control room staff.

Let us look at a hypothetical scenario. If say, during the days approaching the anniversary of the commencement of the Interfada uprising in Palestine, indications were received by the Oracle analysts that a Japanese terrorist group had been receiving training from Palestinian organisations, then the following set of reactions might occur. There could be a general heightening of awareness of terrorist threat in general during the days preceding the anniversary. There would almost certainly be increase of the threat awareness concerning specific aircraft movements with Israeli connotations e.g. flights to and from Israel, those involving Israeli personnel or Israeli airlines.

The awareness markers for known types of terrorists who consider Israel as a legitimate target would be widened to include the characteristics of the Japanese group. In addition any more specific information concerning their methods and approached would be computed and analysed. These assessments would be passed to the Mentor Units with particular flagging for those involved in the security supervision of any Israeli related aircraft movements.

The local Mentor Units would undertake a more focussed analysis in the search for undisclosed groups etc. to include the additional protagonists or mixtures of such collaborating groups. In addition it would automatically increase the 'worry loading' for any aircraft movement in the heightened risk categories.

The controllers in the Mentor control room would pay particular attention to the flagged categories and would be more likely to instruct in-depth security intervention for such movements.

Operational security personnel on the ground would receive additional risk category briefings to focus their activities. Security staff could check any passengers receiving a high-risk judgment locally and / or have his details forwarded to the Oracle unit for specific identity checking. (Oracle might, in automated collaboration, then farm out that check to other Government or covert agencies as well as undertaking its own ID checks).

If approaching the time of takeoff the risk assessments were sufficiently high the SCAM personnel could either refuse to issue a certificate or take regulatory action to remove suspected persons and thereby reduces the risk to acceptable levels. They would do this backed by the wide range of information from the assessment modules available in the Mentor system and by the utilisation of the command and control directing local security personnel to undertake physical activities.

In other scenarios the airport screening module might indicate the suspicion of proxy bombers based on erratic staff behaviour or unauthorised access etc. Biometric identification systems might have high matches on known protagonists. Ordinary foot slogging security checks may reveal unsettling situations. In all such circumstances the local security control room would have a complete picture of the airport security situation and could use that range of information to support its decisions. Those decisions would be further aided by standard C2 information capabilities to allow the professionals to take the necessary remedial actions swiftly and effectively.

The above scenario was very simplistic, as one would not anticipate that the Oracle and other units would be reacting to a single gross piece of intelligence with a small number of assessment changes. Normally they would be making a myriad of minor adjustments based upon a vast range of disparate intelligence feeds. This would provide a much more subtle and measured response by the security professionals.

The design approach to the ATASS project has been to ensure that it can operate under a number of different international regimes concerning the regulation of airport security. None of its features rely absolutely on government intervention or even cooperation although some elements such as certification would be aided by such official support. In other words the ATASS system has the potential to be deployed in any country that has the facilities to operate a modern airport.

3.4. Operational Staff

The Oracle unit would have been operated by expert intelligence and data operatives, augmented where necessary by country and subject specialists. There would have probably been just one Oracle unit located in each sovereign country. Normally it would have been expected to operate under the supervision of a government mandate although that was not essential.

The Mentor units would have been located in each airport and would have functioned at all times when the airport was operational. Trained security staff would have had command and control expertise plus assessment and certification expertise. The unit would have been under the supervision of the senior security officer who would also have been responsible for the Security Certificators of Aircraft Movements (SCAM) personnel. This unit would have operated under the direction of the authority responsible for the security of the airport.

4. Ancillary Notes

Much of this work was undertaken on a Kee 3 workstation ($200,000 worth) kindly lent by the Vanilla Flavor Company and a Lisp Machine ($250,000) lent by Scientific Computers Ltd. Other work used early PCs and goldworks a lisp environment.

5. Current Situation

After the 9/11 disaster the very old and somewhat sketchy prototype described above was resurrected and details passed to the relevant authorities in Europe and the USA. This included some visits and explanations.
No interest was evinced by the authorities. This could have been due to a NIH syndrome. A more charitable view is that time had passed on since the old initial concept. Therefore our ideas of the 1980's was now obsolete due to improved intelligence and analysis capabilities.

6. Thanks

These are due to

Major General Clutterbuck - Terrorist Expert and Fellow of Exeter University.

Ex Acting Police Chief Constable Dr Brian Morgan.

Ex Chief Police Superintendent Davis Webb.

And the vast majority of other collaborators from the security services who cannot be identified as they are still active in their professions.

Whilst modesty normally precludes it, at this late stage perhaps I should also add myself as I was the Technical Manger and Designer of the project

Ex Chief Police Superintendent Dr John Hulbert FBCS, Ch PsyChol, Ch ITP.



(c) John Hulbert 2002