ATASS Lessons



This is a paper which was given at the Annual Conference of the British Cybernetics Society in London UK on 16th September 2006.

All the contents are the responsibility of the author.

The last sections assume a small degree of knowledge about the Science of Cybernetics.










Terrorist Incidents


Development Groups Involved




Prototype Facilities and Equipment


Nature of Screening




History of Profiling




Law Enforcement


CAPS (Computer-Assisted Passenger Screening)


Political Objections


Academic Objections


Barrier Security


Physical separation






Problems with Static Barrier Security measures








Objectives of ATASS


Main Elements of the ATASS approach


Oracle Central Intelligence Unit


Mentor Security Assessor and Controller


The integration of the system


Types of Attack you might contemplate (not exhaustive)


Types of Information




Possible Data Items


Possible Data Sources


Construction approach


Is ATASS still relevant?


Elements still relevant


Relevant elements already incorporated


Is Cybernetics relevant to systems such as ATASS?


Requisite Variety


Signal to Noise


Viable Systems


Conversation Theories




1. Summary

We designed ATASS to improve Airport security while reducing the cost and inconvenience of heavy barrier defence methods. This was between 1978 and 1986, not yesterday. Recent events seem to have made that old work a little topical.

We undertook this project in an environment very different from today’s challenges. In someway identification was more difficult as the felons normally came from the same European stock that we were trying to defend. However their methods, although unbelievably violent, lacked the fatalistic commitment of today’s opponents.

Five principles predicated our approach:-

1.      Focusing on identifiable risks using information.
2.      Active and catholic information gathering, from globe to person.
3.      Promotion of professional responsibility by a security certification scheme.
4.      The close integration of all airport security, involving an in-built command system.
5.      The structured sharing of information between airports and countries on all public air movements.


The forensic science mantra is that “Every contact leaves a trace”. The ATASS maxim was that “Every contact leaves some information for us to study”.


We believed that relevant information must be diligently hunted, coaxed out of unexpected places, preserved and intelligently analysed to target the real risk areas. It should then be shared. Such an intelligence led approach enhances the effective and cost efficient targeting of prevention forces. The preventative results then feedback into the equation in a continuous and often recursive manner.

The functional concept of ATASS was an information funnel. Moving from Global threat information, down through various levels to the individual passenger on a flight. This approach anticipated feedback and feedforward information flows at every juncture, and an infinitely evolving model predictive methodology.

At each level, generic and specific threat information and ‘worry levels’ were to be calculated by the ATASS system. The levels include, the global situation, national vulnerability, risk levels for specific airports, carriers, travel routes, aircraft types and of course individuals or groups of passengers. ATASS was intended to be much more encompassing than anything that existed in the mid 1980’s, when it was conceived; or even now in 2006, as far as we know.


2. Introduction

I last spoke at this conference nearly twenty years ago. Then it was on the subject of expert systems to catch burglars. I think that the then President Professor Fatmi thought that a strange Policeman might be a relevant speaker as he knew that a model that I had produced on ‘crowd violence’ had the term ‘feedback’ in it.

I understand, from the current President, Professor Smith, that this annual Conference of the British Cybernetics Society is billed as having an historic theme. My talk certainly fits that objective. It resurrects a 20-year old project which current events have made topical. It concerns the prototype called ATASS (Anti-Terrorist Aircraft Screening System). This outline system was explored by an esoteric group of academics and security practitioners in the early and mid 1980’s.
ATASS was an information rich approach to transport safety and introduced the revolutionary initiative of additive mandatory security certification.

The paper describes the overall methodology that we contemplated in those days and reviews whether some of those old concepts and modules are still relevant in today’s environment.

I must admit that it was not designed around any coherent Cybernetic model. It was bolted together, at times in some haste, by a group of professional enforcement and security practitioners, systems and information specialists, a few psychologists and some political thinkers. It was intended to be pragmatically encompassing, but theoretically it is a bit rough around the edges.


3. History

3.1 Terrorist Incidents

Air incidents are not new. The first recorded seems to be when a United Airlines Boeing 247 was blown up over Ohio in 1933 with a nitro-glycerine bomb, nobody was ever convicted of that crime.

However by the 1970’s interest in the prevention of air incidents grew, due to a dramatic outbreak of high profile aircraft terrorist events. Albeit that there had been many, more modest, but quite deadly, events in the intervening times.

In 1970 public attention was seized by the coordinated hijacking of five airliners, ending in the Dawson’s field affair. There four aircraft were blown up as a sign of defiance to the Hashemite Kingdom of Jordan and of course the west. This is an incident, for which many security officials have never forgiven the late UK Prime Minister Edward Heath, when his resolve crumbled and he released Leila Khaled from British detention. That act is often, possibly mistakenly, thought to be the beginning of terrorist appeasement.

Soon after the Dawson’s field incident, the massacre at Lod Airport (now Ben Gurion International Airport) near Tel Aviv in Israel signaled a new development. This was the subcontracting of terrorist acts between global fanatical groups in order to sidestep the preconceptions of the defensive authorities. Three members of the Japanese Red Army (JRA) undertook a terrorist attack on behalf of the Popular Front for the Liberation of Palestine (PFLP). The defenders were looking for Palestinians, what they got was Japanese terrorists. Before the Israeli airport guardians could re-orientate the JRA had killed twenty-four people and injured seventy-eight others.

In the subsequent period there were usually two or three such incidents a year. We in the west became somewhat inured to the horror, which is the last thing that terrorists want. Therefore in 1976 members of the Baader-Meinhof Group (RAF) and the PFLP upped the ante by seizing an Air France airliner and its 258 passengers. They forced this plane to fly to Uganda with obvious complicity of Idi Amin (Dada). The bizarre nature of this situation, with a dysfunctional head of state and a heroic rescue by Israeli commandoes, brought the whole air safety position back into the attention of the international community.

Following many more incidents, in a new twist, the Abu Nidal Organisation (A Fattah offshoot) bombed a Gulf Air Flight 771 en-route from Abu Dhabi, United Arab Emirates (UAE) killing 177 persons. Abu Nidal then managed to use this outrage to extort the UAE and Kuwait to pay him not to attack them again. A classic, but colossal, new venture into international protection racketeering.

In 1985 a gripping ping pong flight occurred when a Trans-World Airlines flight was hijacked en route to Rome from Athens by two Lebanese Hezbollah members. Eight crew members and 145 passengers were held for seventeen days. The world’s media looked on whilst it shuttled back and forth to Algiers. Finally one US Sailor was murdered; but the remaining hostages were set free after Israel released 435 Lebanese and Palestinian prisoners. So much for terrorism not being effective!

In the same year a Boeing 747 Air India Flight exploded in mid air off of the southern coast of Ireland. All of the 329 passengers and crew on board were killed, of whom 82 were children. 280 were Canadian citizens. This atrocity was blamed on Sikh extremists, clearly indicating that terrorist tactics had no boundaries.

It appeared to many of us in the early 1980’s that terrorism was on the rise. The Air transport industry was, and still is, the soft underbelly of the technological complex western culture, a society which is so often the butt of such attacks. It is after all the perfect target, where low cost, low tech strikes can cause maximum mayhem and publicity.

It was in this atmosphere that an esoteric group of experts from the UK and the US came together of their own volition to design and build a prototype anti-terrorist aircraft screening system. This group included some of the world’s best terrorist experts, criminal profilers and security technologists available at that time. It was organised around the Independent Research Centre at Exeter University in the United Kingdom.

A system prototype was created which utilised generic threat risk analysis, personal profiling, group profiling and scenario testing. That system was demonstrated on real but historical aircraft movements and seemed to be effective. We believed that it was not just “post hoc ergo propter hoc”. The findings were discussed with military and airport authorities throughout the UK and the USA but the system was never implemented. Following the prototype’s inception, during the early 1990’s, the incidence of aircraft hijackings diminished after some of the main terrorist organisations had been reduced. It was decided by the ‘powers that be’ that at the time the airline industry did not need to support the cost of such additional security screening.

The situation is very different today. The will now exists to put in place such measures. The technologies required to implement those envisioned capabilities have dramatically improved in power, whilst reducing in size and cost. The prospect is infinitely more possible today than it was 20 years ago, but is it still relevant?


3.2. Development Groups Involved

3.2.1 Personnel

The ATASS work was managed by members of the Independent Research Centre (IRC) based in the Centre for Criminal Justice Studies at Exeter University, UK.

IRC was a police research charity set up initially by a weird group of relatively senior police officers who wished to undertake scientific studies which were not easily possible within the official police research structures.

They were well connected and attracted collaboration and in some cases funding from some significant international organisations. These included the National Institute of Justice and the Police Executive Research Forum in the USA. The National Physical Laboratory and various Universities in the UK.

A number of commercial concerns loaned very advanced Artificial Intelligence (AI) computing equipment valued at many hundreds of thousands of pounds. The Devon & Cornwall Constabulary, Exeter University and local commercial concerns provided office facilities and work space. It was a privatisation of police research which ante-dated Tony Blair’s efforts with the Heath Service by some decades. Naturally not all of the conservative police hierarchy were totally enthusiastic.

The ATASS endeavour was literally a Cecil B deMille operation (a caste of thousands). Police and security students from all over the world were canvassed for their ideas and expertise whilst attending courses at Police Training colleges, Universities and the National Police College.

We were also lucky to have at Exeter Richard Clutterbuck (Major General) the notable terrorist expert, who was a research fellow of the University at the same time as was I. The team’s ideas benefited greatly from many discussions with him at this time. Many other security personnel, criminal profilers and fellow travelers were bullied and roped in by the eclectic group at IRC to aid the effort.

The initial design was modified and extended by me after 9/11. Alas the rest of the team had by then been blown to the four winds.


3.2.2 Prototype Facilities and Equipment

If anyone is interested the prototypes were developed on some unbelievable early AI systems. The main work was on two Texas Instruments Explorer work stations with KEE3 running in a LISP environment. Supporting was a massive Symbolic's LISP machine which we never quite got off the ground. We also had embryo PCs (some of which we assembled ourselves) for data collection which ran what later became ‘Golden Lisp’ and C for those who wanted to be normal.

Most of the software modules seemed to be priced at a conservative $50K which was a lot of money in those days; luckily we managed to sweet talk everyone into loaning us the hardware and software. I still cannot believe that we had our hands on all that kit and did not do more with it.

The major equipment was loaned by the Vanilla Flavor Company and Scientific Computers Ltd.


4. Nature of Screening

Screening for Air terrorism really comes down to intelligence directed profiling and barrier screening. The two approaches tend to be separate but this need not be so, as we will discuss later in the ATASS section of this talk.

4.1. Profiling

I am using the term profiling as meaning “an analysis of data to reduce the universe of possible incidents, objects or people to a manageable set for further investigation”. In this context profiles, exemplars or even the much-maligned stereotypes are related. So I guess are our old friends’ scripts, frames and structured nets.

This definition goes far beyond physical description, it encompasses behavioural patterns, necessities for certain acts, geographical locations and motivation for example. In fact, any potentially relevant information.

Profiling’s main objectives are to identify and describe similar cases and offenders. It can be either reactive or proactive. The former is an attempt to identify lawbreakers or link crimes after the event; the latter is intended to extrapolate current evidence to frustrate future antisocial activities by identifying targets and likely perpetrators. ATASS profiling is mainly proactive.


4.2. History of Profiling

4.2.1 Natural

We as human beings profile every moment of our lives. Even the opponents of profiling are doing it; they and we could not function otherwise.

We make coarse approximations of the exquisite variety of sensory information available to us. We do not have the computational power to do otherwise.

When a car is bearing down on you on a pedestrian crossing you do not normally check every aspect of its visual image. Has it been washed lately, is the tax disc up-to-date, has it two doors or four. No you identify it as a dangerous object and quickly get out of its way.

We are continuously refining, defining and classifying our sensory inputs rather in the manner suggested by my old PhD examiner Oliver Selfridge in his Pandemonium theory. (Selfridge 1959)


4.2.2 Law Enforcement

Popular belief associates offender profiling with the work of the Behavioural Sciences Unit (BSU) at the FBI Academy, Quantico, Virginia, USA. Their analysis of serial killers in particular has been well publicised. Our American counsins are generally better than us at self promotion.

However police forces have been using ad hoc profiling for as long as they have been in existence. There are even suggestions that the surgeon in the London Ripper murders made profile based propositions. The more formal approaches seem to have started in California in the 1960’s when the School of Criminology, at the local University provided help to Howard Teten who later became a founding member of the FBI profiling unit (BSU).

Academics became interested in the area soon after that time, first among them being Professor David Canter of Liverpool University, who is often thought of as the father of ‘academic offender profiling’. Since then many other researchers have entered the field with various models. In the 1980’s we and other practitioners became interested in using the then vogue “expert systems” to develop profiles from crime scene evidence. We built several prototype systems for UK and US police forces.


4.2.3 CAPS (Computer Aided Profiling System)

In the USA over 600 million passengers pass through airports, in the UK the figure is around 250 million. Given this volume it is not economically or practically possible to subject every passenger to a thorough physical and questioning security screening.

CAPS (Computer Aided Profiling System) is the main computer-assisted screening system in operation. It was designed to relieve this blanket approach by developing profiles of the people most likely to commit terrorist acts. The system then alerts security staff to concentrate the manual screening on that small subset of the traveling public.

The CAPS system was installed in the USA in 1999 and the version currently in use undertakes analysis using data pertaining to the history of ticket purchases. Future versions of CAPS, however, will be able to incorporate a richer set of data, including driving history, credit card purchases, telephone call logs, and criminal records, among other information.  Currently its integration engine is believed to be a thin neural network.

Once CAPS crafts a profile, it is incorporated into software that is accessible from every airline check-in counter nationwide. When a passenger checks in, the ticket agent enters the passenger’s name into the CAPS console. Data mining software linked to government databases then scours for information about the passenger, retrieving data relevant to the profile. The software compares the similarity of the acquired data to the profile and calculates a “threat index” assessing how much potential risk that passenger may pose. In the technical scenario outlined above, the estimated threat index would simply be the product of the profile with the passenger’s mined data vector.

If the passenger is in the top 3-8% of the CAP threat level relative to the other people on his flight, then CAPS flags him for an in-depth check.


4.2.4 Political Objections

Offender profiling has received a bad press lately with books like “Driving while Black”. (Meeks 2000). However this is largely because the tabloid press have mixed up Racist Stereotyping with Offender Profiling. Daniel Carlson calls the former “Irrational Profiling” (Carlson 2004). There is a world of difference between ignorant assumptions concentrating on race and the careful analysis of relevant data. Ethical and Political considerations aside. The former would be useless as an efficient predictive tool and thereby of no use to professional security personnel, even if they were totally amoral which most are not. In other words no professional would use an inefficient system based on prejudice in the real world, because he would soon be seen to fail in his duties.

However Political considerations have to be addressed even if they are believed to be ill-founded. In the case of the US CAPS system its operation is believed to be severely curtailed by political controls. In every case it is the responsibility of the elected authorities to decide when the prejudicial aspects of a profiling system outweigh its probative potential.


4.2.5 Academic Objections

Samidh Chakrabarti and Aaron Strauss in an MIT student law paper argue against profiling from another angle. They contend that CAPS has an Achilles’ heel. (Chakrabarti & Strauss 2002).

They point out that individuals can learn their CAPS status and that information enables the system to be reverse engineered.

Their reasoning is as follows. You know if you’re bags have been frequently manually inspected. You know if you’ve been questioned. You know if you’re asked to stand in a special line. You know if you’ve been frisked.

They argue that open scrutiny makes it possible to create an antiprofile to defeat CAPS, even if the profile itself is always kept secret. They call this the “Carnival Booth Effect” since, like the sideshows at a carnival or fair, it enables potential terrorists to “Step Right Up! See if you’re a winner!” In this case, the terrorist can step right up and see if he’s been flagged. The he can avoid that behaviour in the future.

In a sense they are right, probing attempts have been made in the past. A famous incident is the so-called Operation Bojinka, a plot to bomb 11 U.S. airliners. This plan was discovered on a laptop computer in a Manila, Philippines in 1994. Two Arab men Yousif and Khaled Sheik Mohammed started testing airport security. Yousif booked a flight between Kai Tak International Airport in Hong Kong and Chiang Kai Shek International Airport near Taipei. Mohammed booked a flight between Ninoy Aquino International Airport near Manila and Kimpo International Airport near Seoul. The two had already converted fourteen bottles of contact lens solution into bottles that could contain nitro-glycerine, which was readily available in the Philippines. Yousif had taped to the arch of his foot a metal rod, which was a surrogate detonator. The two wore jewellery and clothing with metal to confuse airport security. To support their claim that they were meeting women, they packed condoms in their bags. Their intent was to see what they could get past security.

The point being made by Chakrabarti and Strauss is that if the profiles are static then a ‘Carnival Booth’ like attack could succeed. In this they are probably right. Unfortunately there is reason to believe the way that CAPS operates is insufficiently flexible. This is because its profile algorithms have to be ‘approved’ by the Department of Justice.

The Great Wall of China and the Maginot line have shown us that static defences are vulnerable. However enforcement agencies expect probing, we have had it for decades in building and computer security; and for millennia in warfare.

Systems like ATASS or CAPS like system must incorporate continuous and flexible scenario/ profile generation. In that way the affect of probing is greatly modified. Also the predictive system has to be part of a wider armoury such as random checks and physical barrier security.


4.3 Barrier Security

Barrier security is an embracing term for forms of security that start and end with physical obstruction or surveillance.

4.3.1 Physical Separation

At its simplest this is the various barriers which divide Airside from Landside. The intent being to separate security checked-in passengers from persons in the outside world; a sort of temporary quarantine. Even this important but simple measure can be improved by intelligent layout as Prochansky noted in a different context (Proshansky et al. 1976). Layouts which improve surveillance and facilitate commuter flow are valuable improvements to security.

4.3.2 Technologies

Most of the technologies are designed to probe for unacceptable objects on passengers or in their luggage. We are all familiar with the standard x-ray machines but in addition a whole raft of such tools are beginning to be deployed. These include metal detectors for baggage. Scatter x-rays machines which are supposed to find items covered by other items. Millimetre cameras which ‘strip off’ your outer clothing, air analysers for detecting explosives and drugs.


Ultimate Barrier Search!


In addition we have CCTV observation, sniffer dogs and the prospect of smart tickets and boarding cards to name but a few initiatives.


4.3.3 Interrogation

The gold standard for air safety is arguably the most besieged air line in the world, EL AL. It employs a range of defensive actions including air marshals, secure cockpits and armoured baggage holds. However it’s main line of defence is screening by passenger interrogation. It employs an unabashedly racial classification of Jews, Arabs and others with a few tweaks like increased worry for single females.


Operator Error !


The ‘selectors’ as they are called are thoroughly trained not only to question the passengers but also to observe their behaviour in the airport. As a result of these measures EL AL has not had a hijacking since 1968, before the system was in place.


4.3.4 Problems with Static Barrier Security measures

The main problems concern the effectiveness and cost of the measures and also the disruption to passengers and airport operation. Effectiveness

Physical Barriers are generally effective for their limited objective of separation. Interrogation seems to work, certainly in the Israeli context. Probing technology however suffers from two main efficiency problems. Setting the threshold and maintaining operator alertness.

The main problem with most sensing devices is setting the alert threshold to a level which is sufficiently high to catch most incidents, but not so high that the operator is inundated with false positive alarms. Sadly few technical systems seem to have achieved the nirvana of accurate sensing and intelligent control which will allow graceful degradation.

The second problem with those systems that use technical sensing mediated by human observation is that the monitoring capability tends to abrade over time. Usually in about 20 minutes if human attention is required. After that it is all a blur and a Heckler and Koch masquerading as a walking stick can get past the barrier. Cost

No security is going to be cheap. However any security system that has to be physically deployed to every airport entry point will have its costs multiplied as those access points increase, as surely they will and also as the through traffic increases, as surely it will; global warming or no.. The technology of barrier security, especially the new facilities like millimetre radar or large scale magnetometers, is horrendously expensive.

The costs of Israeli type ‘selectors’ on every check in queue line is very high. Not all of these costs can be avoided, but by a judicious pre-physical screening phase, the need for global barrier screening should be reduced and with it the costs. It is also worth noting that the costs are not only those that fall on the airport or the carrier to operate the security. The delays and excessive ‘early presentation’ requirements seriously impact on the bottom line of businesses when their executives travel. Disruption

A major problem with barrier security measures is that they take time at the point of departure. If the checks are tightened they inevitably take longer causing considerable disruption to both staff and customers. We only need to recall the effects of the recent terror alert on London airports with in some cases ½ km queues for the x-ray screening machines and physical checks.
The very effective Israeli system requires passengers to be at the Airport some 3 hours before departure. Scalability

Some of the barrier measures such as the lengthy interrogation of each passenger works well for small volumes but is almost certainly impossible for large airports or carriers. The disruption caused by wide deployment in locations of high traffic volume would become a serious disincentive to the use of that form of transport.





ATASS was intended to operate at the interses of Intelligence, Profiling and Screening. None of those definitions are orthogonal. Profiling is enriched by Intelligence gathering, screening provides information for intelligence etc. However they are useful generalisations of activity.


6. Objectives of ATASS


The twin objectives of ATASS were to:-

1.      Increase the security of flying passengers.
2.      Diminish the disruption caused by security measures.


The approach would protect passenger safety whilst at the same time preserving the commercial viability of the travel industry.

It was intended that these aims would be accomplished by a system which undertook: -


Catholic Intelligence / Information Gathering



  • Applied a holistic cradle to grave approach to the assessment of terrorist risk and the control of remedial actions


  • Used eclectic all encompassing intelligence resources to identify potential terrorist threats, including


  • General global threat level.


  • Specific country threat level.


  • Airport environment information.


  • Carrier Threat assessment.


  • Airport threat level.


  • Proposed a ‘milkman’ approach to information gathering by non security personnel in addition to professional analyses.


  • Proposed international standards on transport movement risk information.


  • Recommended international real time information sharing of transport movement risks (a neo Internet approach to security collaboration). Covering trips actually being undertaken.


  • Did not rely exclusively on official intelligence sources. The absence of cooperation in some countries would not have entirely negated the system.


  • Utilised Profiling of people, groups and objects


  • Both Positive and Negative Passenger Profiling.  (Trusted Passenger approach) Passenger Ticketing to Goodbye Taxi information.


  • Route Profiling. (Including previous stops by the Aircraft)


  • Carrier Profiling.


  • Plane Profiling.


  • Airport Profiling.


Deployed a dedicated Airport Security Command and Control system



  • To direct the activities of airport security personnel by using intelligence information to focus their activities.


  • To ensure that airport security personnel (of all professions) knew the basis of any warnings so that they could take intelligent action rather than respond woodenly to blanket alerts from on high.


  • Integrated specific ATASS intelligence capabilities with existing and proposed airport security measures and tools including barrier security.


  • Used an additive approach to all available information feed to define an overall security risk level and specific risk elements.


  • Provided an integrated encompassing management, command and control capability for airport security measures and certification


Integration of Barrier Screening into a holistic security approach


Operated a Security Certification Scheme



  • Proposed an air movement security certification system to maintain high levels of performance and standards in the long haul.


  • Forwarded certification information from departure airport to arrival airport.


It was a unique integrated approach to airport security in general and flight safety in particular.



7. Main Elements of the ATASS approach

The system comprised of two main components. A central country based terrorist intelligence system (Oracle) and a local threat assessment and security control facility (Mentor), based in each airport.

The approach was intended to provide a holistic approach to air travel safety. It achieves this by the comprehensive use of all available information sources and the integration of the best security components available with some new and very unique features.

The initiative also proposed an air movement security certification scheme, which could have been either voluntary or regulatory





7.1. Oracle Central Intelligence Unit

This unit provides a general background indication of the risk of terrorist activity, almost a temperature of the security water. It also identifies specific threats concerning particular nations, carriers, organisations, targets etc. It operates in real time 24/7.

The system comprises of sophisticated associative databases with advanced analysis and data discovery features. The source data comes initially from publicly available sources, augmented where agreed by input from covert and official sources. That data will be maintained continually by a group of expert analysts in each country. The Oracle units have a country-to-country communication capability implemented where agreed by bilateral agreement.

Whilst the availability of government data will enhance the systems performance, the lack of such sources will not invalidate the Oracle capability. In fact the judicious and eclectic use of publicly available data often rivals the predictive capability of the official and covert agencies, much to their chagrin.

The Oracle units will forward all assessment changes in the various risk categories to their own country Mentor units as and when such information changes due to new data or alternative analyses. The Mentor units use this ‘base level’ risk assessment as the starting point of their specific local aircraft movement risk assessments.

The Oracle unit also acts as the data interface to all Government and covert information sources for the ATASS System within a particular country. It relays all data requests from the local Mentor units and receives responses to such queries as well as generic intelligence where provided.

There is a growing acceptance that government agencies in many countries will collaborate more fully with professional security agencies in the area of information sharing. For instance in the USA the FBI has recently agreed to release their ‘watch list’ to approved security operatives and the airlines.


7.2. Mentor Security Assessor and Controller

This unit delivers three main capabilities at the local airport level. Primarily it provides assessments of the risks attending each and every aircraft movement using intelligence analyses. Secondly it provides an integrating overall management and control service for all airport security facilities. Thirdly it administers a proposed air movement security certification scheme. The system operates in real time 24/7 or whilst the airport is in operation.

The local Mentor unit currently consists of nine modules. This list of module capabilities can be increased in the future by the integration of existing third party facilities or by further development of the ATASS System.

The existing elements are categorised as either operational modules or support modules. The five operational modules provide security management and control capability, aircraft movement risk assessment, inter-agency integration of passenger risk evaluation, general airport security risk level monitoring capability and staff and contractor monitoring faculty. The support modules sustain those activities by providing information interfaces; aircraft network data, security certification management and a historical audit trail.

The most unique aspects of the mentor unit reside in its three risk assessment modules, which respectively assess the risk from individual passengers, aircraft movements and the airport in general. These modules utilise approaches to the assessment of risk that have not been deployed before in this context.

The passenger module is based upon the concept that persons involved in routine activities such as passenger handling become the subject experts on what is normal for that situation. This module integrates their expert but subjective judgments and delivers such analyses to the professional security staff for decision and action. We call this the ‘milkman syndrome’.

The aircraft movement module provides specific aircraft movement and passenger risk assessments. In particular it will try to identify undisclosed groups, anomalous behaviour and specific suspect passengers. It has the potential to identify risk from previously unknown perpetrators.

This is a particularly important capability aimed at combating perpetrators at both ends of the professional scale. Biometric identification systems require pre-existing records in a suitable format. There will be no such official records where terrorist groups use gullible or religiously brain washed unknown amateurs or proxy agents. Neither will there be useful details for the highly sophisticated professional terrorists who have managed to avoid effective official record. However a general risk analysis system has the potential to detect such offenders.

Additionally this capability has a symbiotic prospect, in its potential to considerably enhance the capabilities of biometric and similar known suspect target identification systems; by reducing their incidence of ‘false-positive’ results.

The researching assessment activity commences from the time of the first passenger reservation and continues until the aircraft takes off. It uses a wide range of information collected over many months. These data will be gleaned from airline scheduling systems, ticketing information systems, credit card databases, local postal and voting registers, passport records, entry visa records, past flight and passenger information and local airport data entry points. The system accepts intelligence inputs from the central Oracle Unit and the local passenger-judge system and the airport-screening module etc where these are in place.

It will also accept data from other third party security systems especially biometric devices.
The airport screening module makes an assessment of the level of terrorist risk at a particular airport in real time. It gathers information concerning anomalous or threatening events and computes a number of general risk categories. The information feeds include long term and real-time information. Long-term information includes details of personnel, occupations level of sensitivity for security matters, the results of spot checks, breaches in the airport security fabric. Short-term data includes ‘no shows’ of staff, late attendances, and early leavers. Concourse incidents such as unattended baggage, ‘lost’ passengers, unauthorised access to secure areas. Airside incidents such as unauthorised entry, unaccounted exits, apparent accidents etc

The other operational mentor modules are designed to allow the integration of these unique assessment capabilities into the general security capability of an airport. They therefore include management and command facility and specialist systems to integrate third party equipment such as x-ray screeners, psychometric devices, access controls etc.

This comprehensive security approach is embodied in a certification system. The concept being that every aircraft movement should receive a security certificate before take off. This would be analogous to a certificate of airworthiness in the engineering sphere.

The design calls for authorised Mentor staff in the local airport to sign off a security certificate indicating that on the evidence available to them an aircraft is safe to fly. The support available to the Certificator from the mentor systems would be considerable, but so would the responsibility, which is aimed at focusing accountability and maintaining high security standards over the long haul. A special mentor module would handle the issuing and forwarding of secure air movement security certificates under a range of situations.

The Mentor Unit contains a wide range of other capabilities especially Command and Control. That latter element will use available capabilities but will be based upon the design of the most advanced police command and control system ever developed.
An expanded explanation of the ATASS modules can be found at http://www.hulbert.net /ATASS.


7.3 The integration of the system

The Oracle intelligence units will normally be situated at a central location with just one in each country. The Mentor screening facilities will be located at each point of entry, normally airports.



The central Oracle Unit will be continuously assimilating intelligence feeds from a whole range of sources, public, covert and governmental. Automated systems within the Oracle facility will utilise intelligence to provide analyses, recommendations and alerts. At the same time this information is researched and processed by expert human analysts who will augment and modify the continuous output of general level intelligence from the Oracle system. This intelligence will be categorised for ease of communication and assimilation. Upon any change of either a generic or a specific threat level, the assessment will be broadcast to all appropriate country airports Mentor Units.

At the local airport, assessments received from the Oracle Unit will be utilised as the base line for the risk calculations for each particular flight.

To that base risk level will be added assessments from the passenger judge system, the general airport risk assessment module and the aircraft screening module, which will be looking for anomalous passenger behaviours and undisclosed groups etc.

As passengers traverse the various processing stages before entry to the aircraft these assessments will be continually updated. Just prior to the time of boarding a trained security officer operating the security certificate assessment module will assess the current status of all data and make a decision on whether or not to issue a security certificate for that air movement. At that time, and indeed at any other time up to the issue of a certificate; alerts of either a specific nature or by the passing of a security risk threshold, could have triggered remedial action by the security control room staff.


8. Types of Attack you might contemplate (not exhaustive)

The following are some of the types of attack which were considered.
·        Passenger carry on weapon in cabin for hijack
·        Passenger carry on in-cabin bomb (suicide)
·        Passenger carry on in-cabin bomb (not suicide)
·        Bomb placed in Luggage Hold (unaccompanied)
·        Bomb placed in Luggage Hold (accompanied) (suicide)
·        Drive up action (often shooting or bombing)
·        Walk in action (often shooting or bombing)
·        Bomb Placed in Strategic Location (Not suicide)
·        Bomb Placed in Public Location (Not Suicide)
·        Bomb Placed in Strategic Location (Suicide)
·        Bomb Placed in Public Location (Suicide)
·        Remote action (e.g. Missile attack)
·        Pseudo Official carry on weapon in cabin for hijack
·        Pseudo Official carry on in cabin bomb (suicide)
·        Proxy Bombing (Dupes or Coerced)
·        Pseudo Official place Luggage Bomb
·        Proxy Weapons cache
·        Use Vessel as a bomb


9. Types of Information

The information needed for analysis would fall into the following non-exclusive categories.

9.1 Categories

·        Personal identification confidence.
·        Personal address information.
·        Personal pre-travel behaviour / Recent Commercial Activity / Previous travel history.
·        Current trip behaviour (One-way tickets etc) / Reasons for travel.
·        Personal appearance / demeanour.
·        Membership (or denial) of traveling groups.
·        Aircraft / Airport / Route information.
·        Specific terrorist group Information / Liaisons / Methods/ Targets.
·        Background and Intelligence information / General and Specific threat information.


9.2 Possible Data Items

·        Passenger demeanour
·        Passenger dress - relevant to purpose (Some groups try to look military)
·        Does luggage fit the travel profile
·        Concourse behaviours - meetings strangers etc
·        Location of home address / Longevity address - Information on domicile
·        Passenger Nationality
·        Relationship between credit card and address's
·        Recent shopping and movement history
·        Frequent international flights (especially to specific countries)
·        Plane connections / destination
·        Non-Routine changes in Airport - late / absent  workers etc
·        Human intelligence information (i.e. big event coming up soon)
·        Anniversary dates (Religious, past atrocities etc)
·        Terrorist Groups, Key noting behaviour
·        Demographic make up of past hijackers individuals
·        High profile passengers (are they targets)


9.3. Possible Data Sources

·        Address Database information.
·        Airline Passenger Information (Current).
·        Airline Passenger Information (Historic).
·        Airline route databases.
·        Airport Management Records.
·        Airport worker records.
·        Border entry Forms / Information.
·        CCTV analysis.
·        Credit Card Information.
·        Credit Card Profiles (Anti-Fraud) Maintained by Banks etc.
·        Credit History Records (Experion etc.)
·        Driving License details.
·        Historical Records of Past incidents.
·        Intelligence information.
·        Observation by Non- Security workers.
·        Observation by Security Personnel.
·        Passport Details.
·        Police / Criminal Records.
·        Ticketing Information.
·        Utility Bills.
·        Visa Information.
·        Voters Registers.

Some data acts as a portal to other information sources


10. Construction approach

The original ATASS design team never considered that any one organisation should build the system. I know that sounds a little strange. Our concept was that prototypes should be built and tested to develop standards and guidelines. These would be open and not in any way copyrighted. In a way it was a pale precursor of the more formal GNU (General Public License) and of course the way the Internet has subsequently developed. It was very much a reaction to the constipated Central Government IT projects which were already showing signs of pre-conception senility in the mid 80’s and seemly have improved little since that time.


11. Is ATASS still relevant?

The point in resurrecting this old project, apart from historical interest, is to consider whether it or any part of it is still relevant. I would review that prospect in two stages. Firstly what elements, if any are applicable in today’s climate and secondly which of those have not been taken up in modern systems. This sieve should drop out potentially useful facilities which are not yet being employed.


11.1 Elements still relevant

The main unique elements of the ATASS approach can be summarised in the following list.

·        Holistic Approach to Air Transport Security.
·        Integrated Local Systems with own C&C.
·        The Global Information Funnel.
·        International Information Sharing on routine operational security matters.
·        Catholic Profiling/Assessment of people, airports, carriers, routes etc.
·        Using the ‘Milkman syndrome’.
·        Incremental Security Information building.
·        Air movement Security Certification.
·        International Standards on the modules.


Naturally my question about the value of these elements was rhetorical and I consider that they were of value at the time of their original consideration. Whilst the new environment may have changed the way some of these areas would be approached most seem to remain potentially useful for any modern Anti-Terrorist system.


11.2 Relevant elements already incorporated

ATASS elements completely implemented into Modern Systems





Partially implemented

Holistic Approach to Air Transport Security.

There is little indication that information from intelligence, profiling, barriers security checks, airport security breaches etc is effectively integrated into a single source to support the decision to allow an aircraft to fly.

The Global Information Funnel.

Global threats are passed down often in the form of crude ‘alert levels’ The routine passage of specific information down to all levels of the operation does not occur in the tightly bound manner considered by ATASS. However CAPS information is passed to the individual Airlines. Unfortunately that system is not universal.

International Information Sharing on routine operational security matters

This occurs to some extent largely at the behest of the USA after 9/11. It covers a range of personal information which is forwarded with each flight. However it does not come up to the idea of certification covering all aspects of an air-movement’s security checks.

Catholic Profiling/Assessment of people, airports, carriers, routes etc.

The CAPS system and the Israeli screeners do carry out profiling. However the concept of combining the analysis of ‘worry factors from airport activities, carriers as well as personal profiles on an ‘on the fly’ basis has not been implemented.
ATASS predated CAPS by a decade so you never know some of the ideas might have filtered in by osmosis.

Integrated Local Systems with own C&C.

Originally many communications systems of different agencies could not easily communicate with one another. This has improved but the tight integration of diverse security measures under a unified C&C has not been considered viable.


Not Implemented

Using the ‘Milkman syndrome’

The idea of adding in the expertise of situation experts has not been considered in any formalized manner.

Incremental Security Information building

The concept that ‘worry levels’ at one security station should follow the passenger on his route through the system has not generally been formalized.

Air movement Security Certification.

No moves on this concept.

International Standards on the modules

No universal or even widespread agreements on modules or their design.


12. Is Cybernetics relevant to systems such as ATASS?

I believe it is incontrovertible that Cybernetics has relevance to systems such as I have been describing. We are after all taking about a large complex system that needs the best control mechanisms available.

In any case Cyberneticians should love Intelligence work, especially Terrorist intelligence. It is a dance of recursion with each party second guessing the other, then analysing whether their second guess has been analysed by the other side ad infinitum. What will they do when they think they know what you think you know about them? If the footsteps falter it moves from cybernetics into simple systems and becomes ‘deadly embrace’

. It is certainly second order cybernetics as the practitioners are definitely situated within their own observations.

I did have a few ideas and I am sure that you have more.



12.1 Requisite Variety

When I gave the talk I rather flippantly responded to a question that was dear to Ashby’s heart concerning requisite variety. I think I jokingly impugned that the questioner was suggesting that policemen had fewer little grey cells than their criminal opponents. Of course that may be true, however there is a very serious aspect to the problem of ‘requisite variety’.

I recently found the attached on a website:

 "Good" people are bound by rules as to what is acceptable and what not; "wicked" people are bound by no such rules. In the short term at least, "wicked" people have no constraints and hence greater freedom of action, and the "Law of Requisite Variety" suggests that those components of a system which have the greatest flexibility and freedom are therefore the most powerful.” http://www.doceo.co.uk/background/requisite_variety.htm

Perhaps the bad guys are destined to win!


It is axiomatic that any organisation will have far less variety than the environment in which it operates. Additionally the potency of an organisation is not really measured by the total possible variety of the system. The real potential must be in the variety which can be effectively deployed. In the case of an organisation which is strictly controlled from the top, the managerial constraints, whilst probably improving coherence, will have an impact on the degree of variety available. This has consequences for both defenders of democratic institutions and their attackers. Too much central control not only reduces reactivity to events, but also impacts on the variety that can be deployed to effect.

These points indicate that organisations like Anti-terrorist operations will always have less complexity than their environment and even that diversity will be affected by their management style.

In this context Al-Qa'ida may now be a much more dangerous organisation than it was at the time of 9/11 as it has changed into a more diverse, flat franchise. This could greatly increase the diversity of the threats that security defenders can expect in the future. Large centralised organisations like ‘Homeland Security’ will constrain the range of the policing response.

Boisot and McKelvey of Universitat Oberta de Catalunya, and UCLA Anderson School of Management, respectively, have come up with an approach to increase the scope of the defenders capability. They say “We have drawn upon Ashby’s Law of Requisite Variety/Complexity (1956) to analyze the nature of the security challenges that nation states face in the 21st century”. (Ashby 1956). They are recommending a Global Neighbourhood watch scheme with citizens reporting unusual circumstances to a central control. (Boisot & McKelvey 2004)

I am not sure that I buy into bankers and lawyers on the underground sensing strangeness in other passengers. However in a manner of speaking it is an extension of our ATASS ‘milkman syndrome’. I have general reservations concerning ‘snitch on your neighbour schemes’ as the distrust induced can affect the fabric of communities. However some method for harnessing the wider public in a non damaging way might be worth considering. Apparently the US Homeland security and the CIA are looking at the Boisot & McKelvey paper.

12.2 Signal to Noise

A major problem with any intelligence system is the ratio of signal to noise. Unfortunately analysts and profilers do not have band-pass filters or any of the other useful tools available to electronic engineers.
An additional nuisance is that data elements which may be ‘noise’ in one context may be ‘signal’ in another. The identification of useful signals against background noise is therefore intimately tied up with the information processing. The filters may be near the sensors such as suggested by Selfridge (Selfridge 1959) or at a higher level of cognitive processing when more complex concepts define relevance. The quality of the raw data is crucial. Its value will be affected by its appositeness, its accuracy and its degree of truthfulness.

The objective of the sensing/analysing system is to push the acquired elements up the DIKW (Data, Information, Knowledge, and Wisdom) hierarchy so that they can be used for practical purposes.

In this context frugal heuristics such as those suggested by the ABC group of the Max Planck Institute for Human Development may be of interest (Gigerenzer & Todd, 1999). They explore the concepts of bounded rationality in situations where “knowledge is limited, time is pressing, and deep thought is often an unattainable luxury”. Their thesis is that ‘good enough’ decisions can be made with faster and with much less information than classical decision theory would recommend. This approach holds the promise to greatly reduce both the data sensing and the information processing loads.


12.3. Viable Systems

Another angle in reviewing ATASS would be to examine whether it approximates to a Viable System. It was not as I have said earlier built with Stafford Beers model in mind. (Beer 1979)

Procrustes might shoe horn it in but there are some deficits. It was certainly more distributed than most organisational models of the 1980s but there is a greater degree of structural hierarchy than probably Beer would have liked.

Recursion is the main element largely missing. There was intended to be a lot of informational feedback between the Mentor Units, (largely areas 1 to 3 of VSM) and Oracle (areas 1 and 2). but it did not really amount to a recursive structure.

The other divergence from VSM was at levels 2 and 3, Communication and Control. These were largely fused at the Mentor operational level and intended to be quite hierarchical. Also the upper level 1 (of Oracle) retained a lot of hands on responsibility for international communications and also interfacing with official agencies. The level 2 like component of ORACLE i.e. the intelligence and analysis module seems to fit VSM quite well. It might be interesting to revamp ATASS with VSM in mind.


12.4 Conversation Theories

The Oracle Intelligence module had the task of analysing events and coming up with scenarios to be used at operational (Mentor) level. It was one of the least defined areas of the prototype, but there were good precursors in police crime intelligence units, collators, military Intel etc. However most of the analytic methods were rather crude and very much blunt instruments supported by intuition.

It might be interesting to ascertain if the intervening years have yielded some more subtle means of event evaluation.

In someway our actions in defending sites against criminal or terrorist attack can be viewed as a form of conversation. It is a slightly more forceful set of transactions than is normally envisaged in verbal exchanges. One party takes action the other responds and so on. In some way each is striving to understand the others intentions and approaches.

Your past president Gordon Pask produced a calculus of such transactions in his Conversation Theory (CT) and extended it in his Actors Theory (AT). (Pask 1976). Largely, though not exclusively, his concentration in CT was on ‘conversations between consenting (collaborating!) adults. Here we are considering conversations between antagonists; (perhaps game theory might be more appropriate!)

In a way entailment meshes when used in learning are trying to bring about a common understanding. They are as I understand it also trying to make explicit the underlying structure of the understandings (knowings) in a conversation. If the two learning participants can comprehend the knowledge state of each other then they can make decisions on how (or if) to proceed.

Could you use a variant of Pask’s CT to clarify the purposes of your opponent? I suspect that with fanatical fundamentalists opposed to megalomaniac democrats the gap of potential understanding is too wide. Perhaps even if we did not muddy Pask’s elegant theory by using it for antagonists, our respective unveils would be too diverse to reconcile.

Another possibility is to infer the arrangement of another person’s mental furniture by using a bastardised version of personal construct theory (Kelly 1955). The elements and eventually the constructs would of course have to be inferred by a third party rather than directly elicited from a cooperating partner. It could be a way of building a mental model (repertory grid) of your protagonist which could be used for scenario building. If you are looking at groups the prospect of FOCUS or SOCIO-GRIDS might be appropriate, where you amalgamate the personal grids of a number of ‘respondents’. (Shaw 1988)


13. Conclusion

This has been an interesting nostalgic tour through an old project. I think that it was well before its time and that could be why so little has been fully implemented. Many of the elements seem to have relevance in today’s ‘Fight against Terrorism’ and could be much more easily implemented than in days of yore.

The system described is complex. It and any similar modern systems could certainly benefit from the most relevant expertise of Cyberneticians.



  • Ashby, W. R. 1956, An introduction to Cybernetics, Harper & Row Publishers Inc.
  • Beer, Stafford. 1979, The Heart of Enterprise, John Wiley and Sons Ltd.
  • Boisot, a. & McKelvey,Bill. 2004, 'Counter-Terrorism as Neighborhood Watch: A Socio/Computational Approach for Getting Patterns From Dots', in International Military Testing Association.
  • Carlson, D. P. 2004, When Cultures Clash: Strategies for Strengthened Police-Community Relations, Prentice Hall.
  • Chakrabarti,Samidh & Strauss, A. 2002, 'Carnival Booth: An Algorithm for Defeating the Computer-Assisted Passenger Screening System', Law and Ethics on the Electronic Frontier
  • Gigerenzer,Gerd & Todd,Peter.M. 1999, Simple Heuristics that Make Us Smart, Oxford University Press.
  • Kelly, G. 1955, The Psychology of Personal Constructs, Norton : New York.
  • Meeks,Kenneth. 2000, Driving while black : highways, shopping malls, taxicabs, sidewalks : how to fight back if you are a victim of racial profiling., Broadway Books.
  • Pask, G. 1976, Conversation Theory, Applications in Education and Epistemology, Elsevier.
  • Proshansky, H. M., Intension, W. H. & Rivlin, L. G. 1976, 'Freedom of Choice and Behaviour in a Physical Setting', in Environmental Psychology, eds. H. M. Proshansky, W. H. Ittelson & L. G. Rivlin, Holt, Rhinehart and Winston.
  • Selfridge, O. G. 1959, 'Pandemonium: A Paradigm for Learning', in Symposium on the Mechanisation of Thought Processes, HMSO (Her Majesty's Stationery Office), London.
  • Shaw, M. 1988, 'Validation in a Knowledge Acquisition System with Multiple Experts', in  Proceedings of the International Conference on Fifth Generation Computer Systems, ed. ICOT, pp. 1259-1266.

Acknowledgement is made to the Daily Telegraph for permission to use their copyright cartoon

(c) John Hulbert 2006

Home Page
Current Work
Web Site Map