In our weekly review call for the Cisco Cyber Risk Report for March 26-April 1, 2012 we discussed the incident of the JetBlue mid-air emergency incident. The incident has been widely reported, but a short summary is that the pilot was reportedly acting irrationally, which caused the co-pilot to lock him out of the cockpit and led to the crew and passengers having to subdue him until the aircraft could be landed and authorities removed the pilot. While the investigation of this incident continues, there have also been several of these types of incidents. A review of the incident raised several security questions with us over the incident response policies and procedures.
At face value this, and most previous incidents, appear to be ‘good news’ stories where ordinary passengers came to the assistance of the aircrew and aided in controlling a mid-air security threat. But looking at these incidents closer and doing a talk-through exercise of this most recent scenario raises some serious security questions with the current practices. The review and talk-through identified several issues that not only apply to aircraft security, but can also apply to other incidents where private individuals, as opposed to trained emergency response personnel, are in a position or volunteer to assist in responding and subduing a threat.
Private individuals, again as opposed to trained emergency response personnel, may often be called upon or volunteer in critical situations to assist authorities. But these are generally the exceptions, and not the rule. In the case of aircraft security, aboard an aircraft in flight, there have been repeated cases where it was necessary for private individual passengers to assist the aircrew because the aircrew or aircraft lacked the security measures necessary to respond to a threat. The question is: has the incident response plan now become based on an expectation of assistance from private, individual passengers? Are the private, individual passengers now expected or required to assist the aircrew to protect themselves, the aircraft, and other passengers? This changes the threat response scenario significantly. The response is now based on an unknown of whether private individual passengers are willing and able, and will in fact assist the aircrew.
As we continued the talk-through of this scenario, the next question was who is making the threat response decisions? In this incident the pilot, the captain and commander of the aircraft with considerable authority under these circumstances, was identified as the threat. But who decided that he was the threat and not the co-pilot, who had just taken control of the aircraft from the pilot? The pilot’s irrational behavior might be interpreted as rational if his assessment of the situation was that the co-pilot was a terrorist who had just taken over the aircraft? So who is making that critical decision, and what authority or procedure do they have to make the decision? Picturing this scene reminded me of the scene from a movie where the commander of a nuclear submarine faces off against his executive officer over the decision to launch the submarines nuclear missiles. That situation was resolved because the Navy has strict protocols for firing nuclear missiles, and the chief of the boat stepped in and quoted those protocols, sided with the executive officer, and the captain was properly relieved. But, do aircraft passengers have any type of instructions, protocols, or guidance, aside from what might be provided by the crew? Is there anything to assist these everyday private individuals in making such complex and stressful threat decisions? The pre-flight briefing doesn’t address a threat response at all. The closest topic covered would be if you are in an emergency exit where you are directly told of your responsibilities and must verbally affirm your acceptance to perform those tasks if needed.
Again, thankfully most of these incidents have ended positively with only minor injuries and disruptions. One point to note was that the majority of this and previous events were captured on passenger cell phone video, allowing for the review of the details of the incident, in addition to the aircraft communications, and black box monitoring. But also worth noting is that the aircraft did not have this security video capability or other possible security controls that could assist in this type of incident. The last response change to mid-air threats was putting a weapon in the cockpit, which in this most recent incident could have been tragic. And placing air marshals on flights, but the passengers on the flight don’t know if there is one present and if that is the plan until the incident occurs.
So now our mid-air threat incident response plan is we have expected assistance from individuals who may or may not be willing and able to assist, are totally unprepared, briefed, or advised on how to respond to a security threat should one take place on the aircraft, accept to follow the aircrew instructions. But, in this case not the captain because he was the threat, or in a previous incident when the flight attendant giving instructions was the threat. If this sounds like an incident response “plan” for chaos and a disaster, we agreed. But, it appears that is the current security response practice we are all expected to participate in on board a commercial aircraft.
What these incidents show is that despite the serious lack of incident response plans, policies, and procedures, we have been very fortunate that these events did not end in disasters and deaths; and that by taking a closer look at your incident response plans and performing detailed reviews and exercises you can identify oversights, weaknesses, or unknowns and adjust your plans as needed through technical or physical measures prior to an actual incident. Otherwise, you too can hope that some unknown, unprepared, untrained, and possibly unresponsive measures or individuals will respond effectively and save the day.