Airline Watch List Open to Hackers

An ambitious program to check every domestic airline passenger’s name against government terrorist watch lists may not be immune from hackers, a congressional investigator said Thursday.

And because of security concerns, the government is going back to the drawing board with the program called Secure Flight after spending four years and $150 million on it, the Senate Commerce Committee was told.

Transportation Security Administration chief Kip Hawley did not say whether any security breaches had been discovered.

An agency spokeswoman, Amy von Walter, told reporters, “We don’t believe any passenger information has been compromised.”

Cathleen Berrick, the investigator for the Government Accountability Office, said in written testimony that “TSA may not have proper controls in place to protect sensitive information.”

Currently, airlines check the names of passengers against watch lists that the government gives them.

Under Secure Flight the government would take over from the airlines the task of checking names against watch lists.

According to the GAO testimony, Secure Flight was given formal authority to go live in September, but a government team found that the system software and hardware had 82 security vulnerabilities.

Hawley told the committee that he had directed TSA’s information technology staff to conduct a comprehensive audit of the program before developing it further.

“In view of our need to establish trust with all of our stakeholders on the security and privacy of our systems and data, my priority is to ensure that we do it right, not just that we do it quickly,” Hawley said.

The audit began several weeks ago and there is no deadline for completion, Von Walter said.

Secure Flight has been troubled from the start.

It is opposed by civil libertarians who fear the program would grow into a massive domestic surveillance system in which the government tracked people whenever they traveled.

Government auditors gave the project failing grades -- twice -- and rebuked its authors for secretly obtaining personal information about airline passengers.

Hawley said last month -- and the GAO agreed in its testimony Thursday -- that the agency hadn’t yet determined precisely how Secure Flight would work.

The Sept. 11 commission had urged the administration to expedite the development of the program because, it said, the watch lists currently used by airlines aren’t complete.

But checking names against watch lists hasn’t been as easy as it sounds, partly because airlines collect limited information about passengers.