In the wake of what President Barack Obama deemed a "systemic failure" to prevent a botched Christmas terrorist attack, he ordered on Tuesday an immediate review of the Transportation Security Administration's security measures.

As it happens, a review of the TSA already took place a few months ago. And the results were, to put it mildly, quite sobering.

On September 29, 2009 the U.S. Government Accountability Office did a comprehensive study on aviation security entitled "A National Strategy and Other Actions Would Strengthen TSA's Efforts to Secure Commercial Airport Perimeters." In it, the GAO concluded that despite increased efforts to assess and counteract risk, airport security remained largely vulnerable and/or untested.

In the 68-page report, author Stephen M. Lord, Director of Homeland Security and Justice Issues at the GAO, noted that 87 percent of the nation's approximately 450 commercial airports had never actually undergone a risk assessment analysis. Due to the absence of a proper risk assessment, "TSA officials said that... they do not know how vulnerable they are to an intentional security breach."

The TSA was given lead authority to oversee security operations on February 17, 2002, pursuant to the Aviation and Transportation Security Act. But, as of September 2009, the GAO reported that the agency failed to properly identify the bureaucratic or budgetary needs that it required to ensure that risk of a terrorist attack or security breach was minimized. There was, the GAO concluded, no "unifying national strategy" guiding the TSA's "efforts to enhance the security of the nation's airports."

The result was a national airport system that not only remained susceptible to attack but was witnessing more and more of those attacks. In 2007, the TSA examined the "joint vulnerability assessment" it had implemented in 23 domestic airports over several prior years. They found six criteria in which "20 percent or more the airports assessed were identified as vulnerable."

Meanwhile, security breaches steadily increased. According to the GAO report, in FY2004 there were 1,442 airport security breaches. By FY2005 that number had risen to 2,073. By FY2006 it was at 2,258. By FY2007 it was at 2,758. And by FY 2008 it had increased once more to 2,819.

Though alarming, the numbers were accompanied by some important caveats. According to a TSA official, a breach of security did not necessarily mean a threat existed or was successful. Moreover, the rise in the number of breaches was in some respects attributed to more stringent reporting requirements as well as more attentive security personnel.

According to the report:

"In March 2007, in response to several incidents of insider criminal activity, TSA directed that ADASP [Aviation Direct Access Screening Program] be conducted at all commercial airports nationwide. For example, on March 5, 2007, two airline employees smuggled 14 firearms and 8 pounds of marijuana on board a commercial airplane at Orlando International Airport."

Meanwhile: "In its October 2008 report, the DHS Office of the Inspector General (OIG) found that ADASP was being implemented in a manner that allowed workers to avoid being screened, and that the program had been applied inconsistently across airports."

The chief concern raised by TSA officials was the possibility of their own security forces being breached. A 2008 Civil Aviation Threat Assessment from the agency characterized the insider threat as "one of the greatest threats to aviation." The TSA had "no knowledge of a specific plot by terrorists or others to breach the security of any domestic commercial airport." But the GAO concluded that a pilot program the agency had designed to assess such risk was far from complete.

"In fiscal year 2008 TSA pilot tested various methods to screen airport workers to compare the benefits, costs, and impacts of 100 percent worker screening and random worker screening. TSA designed and implemented the pilot in coordination with the Homeland Security Institute (HSI), a federally funded research and development center. However, because of significant limitations in the design and evaluation of the pilot, such as the limited number of participating airports--7 out of about 450--it is unclear which method is more cost-effective."

The findings were not entirely doom and gloom. The GAO reported that, in addition to the worker screening pilot program, the TSA, "also implemented a random worker screening program and is currently working to apply its screening procedures consistently across airports". In addition, TSA conduced more extensive worker background checks, began programs to identify and assess technologies to strengthen the security of airport perimeters and was taking steps to strengthen general airport security processes.

But, as of May 2009, "TSA officials had not yet completed a nationwide vulnerability assessment." Moreover, there was little sense about how much money the agency needed to make sure it was minimizing risk. The GAO reported that TSA had not identified how much it had specifically dedicated toward security measures out of the nearly $850 million it spent between FY2004 AND FY2008.

"[W]ithout attempting to identify total agency costs, it will be difficult for TSA to identify costs associated with individual security activities, and therefore it will be hindered in determining the resources it needs to sustain desired activity levels and realize targeted results," the GAO concluded.