Transparency in Physical Security: Q&A with John Pistole and Mike Ellenbogen

The need to provide transparency without helping potential attackers is a fundamental paradox of the security industry. In their long and distinguished careers, former TSA Administrator John Pistole and Evolv founder Mike Ellenbogen have spent decades thinking about these issues and successfully finding the right balance.  That’s why we consulted with John, Mike, and other advisors to develop the Evolv Transparency Statement. The following Q&A is excerpted from recent conversations with John and Mike to provide additional insight into how we approach transparency. 

How has transparency featured in your career? 

John Pistole 

In 31 years in the government, mainly in the FBI and as the TSA Administrator, I found that transparency is one of those key issues that help define the trust and reputation of agencies, of the U.S. government overall, and of companies that provide security technologies. Each company or agency must be as transparent as possible while maintaining the core mission of keeping the public safe. 

 Mike Ellenbogen 

I grew up in aviation security technology where there is a very well-recognized and understood policy around transparency. In essence, at least regarding public release of technical details, there is no transparency. The specifications are classified by the TSA in the US and the ECAC in the EU. That specific information is called sensitive security information, and it’s very closely-held for what I believe are all the right reasons. 

The systems are tested by security professionals who have a legitimate need to know and hold the appropriate security clearances. These are independent professionals with a great deal of experience and resources to test in ways that most people cannot. These professionals have great credibility in the industry, so certification from a group like TSA is universally recognized as an indicator that the technology is fit for purpose.  

In aviation the people who know all the details don’t share them publicly. In fact, it's illegal for them to do that, and that is well understood within that community. Outside of the aviation community, there are more questions because the standards aren't as clearly defined. But it doesn't change the basic requirement to keep detailed sensitive security information away from anybody who might use the information to exploit or attempt to penetrate a physical security system. That's the goal at the end of the day. 

What kinds of information about weapons screening systems is most sensitive? 

Mike Ellenbogen 

I think it's about granular specificity. The specific type and configuration of threats that are tested, the performance against those threats, and the specific weaknesses associated with those tests are the most sensitive. That information should be closely held. For example, it doesn’t make people safer if you publicly share that an attacker can defeat weapons screening by disassembling a particular handgun and placing one piece in their shoe and another piece under their hat. Sharing that kind of information only helps the bad guys. 

I do think that we can talk broadly about different categories of capabilities in a way that doesn't disclose specific weaknesses that could be exploited by a bad actor. However, giving untrusted people a specific report that identifies known weaknesses just makes it more attractive for the bad guys to attempt to penetrate the facility and makes it easier for them to succeed. 

Are bad actors actively looking for sensitive information? 

John Pistole 

We saw this in the real world on Christmas day 2009, when Al-Qaeda in the Arabian Peninsula sent Umar Farouk Abdulmutallab from Brussels to Detroit with a non-metallic IED hidden in his underwear. They knew in advance that there was no detection for non-metallic bombs in most airport security protocols and regimens in use at the time. We know that they discovered this vulnerability through extensive online research. We also know that they conducted multiple scouting missions to probe and test for vulnerabilities at specific facilities using specific screening methods. It was a sophisticated intelligence gathering operation.  

Mike Ellenbogen 

I think bad actors are always looking for ways to circumvent the security processes in place. We see it in loss prevention all the time: people know that if you have a foil-lined bag, you can walk out with stolen goods without being detected by loss prevention technology. So that information has gotten out and it is being exploited on a regular basis. It's a constant game of cat and mouse. 

What are the tradeoffs between transparency and security? 

John Pistole 

There's a dynamic tension between how much information can be disclosed to the public and information that provides a roadmap to the bad guys. When I was at TSA, some original equipment manufacturers were disclosing information about their detection capabilities that, given my FBI background, I did not want to have out there. We had some good discussions with the manufacturers, and they agreed that on future iterations of their products they would not publish as much information publicly. Of course, they also agreed that they would provide that detailed information to us in a closed setting, which is necessary to know that their equipment can detect capably. 

How do government Inspector General Offices provide appropriate transparency without undermining security? 

John Pistole 

It's usually a conversation between the Office of the Inspector General and the agency. Of course, the attorneys get involved to make sure that they are doing their job. There's usually the unclassified document and then a classified annex that is not available to the public. But members of Congress and others can view the classified annex to have a better assurance of what the findings were and then what steps the agency is taking to address any issues. This helps provide appropriate accountability and oversight without compromising the safety of the public. 

Who needs access to sensitive security information about the capabilities and limitations of weapons detection technology? 

John Pistole 

The people who need to know are those who have been determined to be trustworthy to have that information. The more people who know, the greater likelihood that something will be shared inappropriately and/or inadvertently. In the US government the people with a need to know are people who have a security clearance at the secret or top-secret level, and then compartment segments after that, depending on how sensitive the information is. In the private sector, there may not be such a formal classification system in place, but it's still compartmented information. Not everybody in the company needs to know everything about the businesses.  

Mike Ellenbogen 

In the private sector, the people with the most significant need to know are usually the security professionals who are responsible for protecting the organization from threats. They need to understand what the capabilities of the technologies that they're deploying are, and where the potential limitations might be so that they can mitigate them. These professionals usually think in terms of layered defense, so they need to know what every individual component or layer is capable of. Those individuals need to know what specific technologies can and cannot do. 

It's also important to realize that bad actors are looking at the people and processes just as much as they are looking at the technology. We talk about security systems as a combination of people, processes, and technology. Security professionals are rightfully concerned about the actions of any individual that creates an opening for a threat. It could be giving up passwords. It could be employees allowing unauthorized people to piggyback through turnstiles or secured doors. Bad actors know that well-intentioned people will hold a door open. They're taking advantage of known weaknesses that originate with people and processes. 

Some people say that the most secure approach is full public disclosure for everybody. What's your view? 

John Pistole 

I disagree with that view strongly. People who say that absolute transparency is best simply don't understand the security business. They apparently don't have an informed perspective or insight into just how determined the terrorists, spies, competitors, and other bad actors are in their efforts to harm individuals, countries, and companies. I get that “give full disclosure for everybody and let everybody make informed decisions” sounds great, but when you provide that carte blanche to everybody, that necessarily includes people with bad motives who are out to cause you harm. If there was no TSA security in the past 21 years, I can't imagine we would have been able to avoid having more 9/11-type attacks. It just begs the imagination to think full transparency is the best outcome. 

Conclusion 

As John and Mike noted, providing appropriate transparency without assisting adversaries is an ongoing challenge faced by security vendors and practitioners alike. The Evolv Transparency Statement is our attempt to describe the principles that guide our approach to transparency. We will continue to consult with our customers, partners, advisors, and industry professionals to update our approach over time. As always, our mission to keep people safe will be our primary guide. 

About John Pistole 

John Pistole is the former administrator of the United States Transportation Security Administration (TSA) and a former deputy director of the Federal Bureau of Investigation. He is currently the president of Anderson University. In his role as Administrator of the TSA starting in 2010, Pistole led a 60,000-strong workforce, the security operations of more than 450 airports throughout the United States, the Federal Air Marshal Service, and shared security for highways, railroads, ports, mass transit systems and pipelines. Under his leadership, the TSA worked to transform as a risk-based, intelligence-driven counterterrorism agency dedicated to protecting the nation’s transportation systems. Prior to his leadership with the TSA, Pistole served as a 26-year veteran of the FBI with extensive national security and counterterrorism experience. After the attacks of September 11, 2001, John was placed in charge of the FBI’s counterterrorism program, eventually becoming the FBI’s Executive Assistant Director for national security. In 2004, Pistole was named Deputy Director for the FBI and contributed to the formation of terrorism policies during both the Bush and Obama administrations. John earned his bachelor’s degree from Anderson University in 1978. He went on to earn a juris doctorate from Indiana University Robert H. McKinney School of Law. 

About Mike Ellenbogen 

Mike is Founder and Head of Advanced Technology at Evolv Technology. Mike has spent more than 20 years shaping the explosives detection industry including as co-founder and CEO/President of Reveal Imaging Technologies, Inc., as Vice President of Product and Business Development of PerkinElmer Detection Systems where he was responsible for Research and Development, Engineering and Marketing, and as Director of Marketing of Vivid Technologies, where he was instrumental in the transition following Vivid’s acquisition by PerkinElmer. At both Vivid and PerkinElmer, Mike was responsible for market research, definition and development of new products and product enhancements. He has been issued 16 patents in the field of X-ray inspection and automated detection technology and has been broadly published within the security industry. Mike holds a Physics degree from Colgate University.