Featured, Features, frontpage, Online — April 24, 2017 at 2:46 pm

The Aviation Insider Threat: An Assessment of Vulnerabilities and Countermeasures

Daniel H. Siao*

Introduction

            Threats against aviation change constantly in this interminable war against terrorism. Countermeasures developed to combat emergent threats will become obsolete as new threats appear. Therefore, it is imperative for security practitioners to stay ahead of their enemies by identifying potential threats—a task that requires imagination. Unfortunately, according to The 9/11 Commission Report,[1] imagination is typically not the forte of bureaucracies. One area in which security practitioners seem to lack imagination is the insider threat, defined by the Transportation Security Administration (TSA) as “one or more individuals with access to insider knowledge that allows them to exploit the vulnerabilities of the Nation’s transportation systems with the intent to cause harm.” [2] This threat is considered by TSA as one of the “greatest threats to aviation.” [3]

Secure Area Access

            The problem of insider threats hinges upon access to secure areas of airports, and entrance into these areas is strictly controlled—at least theoretically and ideally. Title 49 C.F.R § 1542.207 stipulates secure area access, providing that there must be a way to differentiate between individuals who have access to all secure areas and those who have access to limited secure areas.[4] For example, aircraft maintenance personnel, baggage handlers, and caterers have access to more secure areas than travelers, who are typically confined to terminals and concourses. In both cases, people have access to secure areas, and there are procedures for that entrance. According to 49 C.F.R. § 1544.201, travelers must go through security screening checkpoints prior to entering secure areas. While travelers do not wear badges, aviation workers with security clearance wear Secure Identification Display Area (SIDA) badges, and with few exceptions, they are not screened.[5] The idea here is that someone with a SIDA badge is a trusted individual—having been pre-screened in times past—and they are trusted to adhere to security regulations.

Qualifying for a SIDA badge is in some ways similar to qualifying for trusted traveler programs like TSA Precheck, where members of the public apply for the program, undergo a background check, and if approved, receive reduced screening at airports.[6] The aviation worker must undergo a fingerprint-based criminal history record check (CHRC)[7] and a security threat assessment (STA),[8] which must be approved by the TSA.[9] Applicant data is sent electronically to a security clearinghouse, and the most popular—used by roughly 359 airports—is American Association of Airport Executives’ (AAAE) Transportation Security Clearance (TSC), a credentialing data exchange platform.[10] However, there are around ninety commercial airports that do not use AAAE’s TSC, which introduces the potential for inconsistencies. Regardless of the choice of provider, pursuant to 49 C.F.R. §1542.209 an applicant’s data must not contain any disqualifying offenses in the past 10 years.[11]

CHRC Deficiencies

The CHRC pre-screening process ostensibly rejects those who may be more prone to malfeasance; however, this is by no means a bullet-proof solution. Take, for example, someone who has committed a crime that resulted in a 10 year prison sentence: this person could have a clean CHRC without a single disqualifying offense.[12] Once a person has undergone a CHRC with an approved STA, that person must renew their badge at least every two years in accordance with a TSA Security Directive,[13] though some airports require annual reissuance or revalidation.[14] In the time between renewals, individuals must self-report any disqualifying offense within 24 hours of conviction and surrender their SIDA badge.[15] This is perhaps as effective as asking, “Are you a terrorist?”

All sarcasm aside, most people choosing to do harm make that decision fully understanding their intent to violate the law. And the law, requiring self-disclosure, is written from a position of trust. It is preposterous to expect someone with ill will to report any of the twenty-eight disqualifying offenses proscribed by §1542.209(d), where, for example, the seventh offense is “carrying a weapon or explosive aboard aircraft.”[16] If a person successfully averted authorities while carrying a weapon or explosive aboard an aircraft, what motivation is there for this person to self-report, even if it is inadvertent? And how does someone inadvertently carry explosives aboard an aircraft?

Initial and recurrent CHRC checks are woefully inadequate, and here is another reason why: two years between checks is a long time—long enough for terrorists to plot attacks. Some attacks are planned within a month and some longer, but any period over six months likely provides ample time to plot an attack.[17] What about the individual who radicalizes after undergoing a CHRC? After all, CHRCs are like Electrocardiograms (ECGs): just as an ECG cannot predict future heart attacks—though it can certainly reveal abnormalities that may elevate one’s risk—CHRCs do little to predict future motives or actions.[18] Both ECGs and CHRCs are largely retrospective. The simple, rather obvious, fact is just as every investor should know that past performance is not an indicator future outcomes, security practitioners should be aware of the limitations of CHRCs. Thus, CHRCs must be fortified with robust oversight.

Compounding CHRC weaknesses is the failure to account for SIDA badges issued to airport employees. While there should be no more than five percent[19] of badges that are unaccounted for—lost or stolen—the reality is grim: a recent report revealed that thousands of SIDA badges have gone missing all over airports in the United States, and the time it takes to deactivate a lost or stolen badge is concerning, where in one instance the gap was almost a year.[20] At one airport, seventeen former employees still possessed active SIDA badges.[21] Though they were not likely aware of the status of their badge, there is great potential for abusing active badges to cause harm.[22] There were also airports that had more than five percent of SIDA badges unaccounted for in certain nonpublic areas.[23] Though five percent represents a small minority of employees at airports across the United States, it is not as inconsequential of a number as it may appear. Chicago O’Hare International Airport (ORD) is home to approximately 41,000[24] badged employees, and five percent of that is 2,050.[25] So, it could take 2,050 unaccounted for badges before new badges are issued to every employee, and the fact that there are airports that have exceeded five percent is worrisome. Even if the lost or stolen badges are deactivated in a timely manner, there still exists a gap of time where individuals can carry out attacks against aircraft at ORD, and there are ample opportunities with approximately 2,400 daily aircraft operations at ORD.[26] The potential for harm is great if even one badge was used for malicious purposes.

Abuse of Secure Access Privileges

Examples of insiders exploiting vulnerabilities in aviation security abound, but for the most part, because insider threats and security breaches are not limited to acts of terror, many of these breaches pose no direct danger to the aviation system. The range of activities considered “insider threats” by the TSA is broad, consisting of “spying, release of information, sabotage, corruption, impersonation, theft, smuggling, and terrorist attacks.”[27]

Take theft, for example: from 2010 to 2014, the TSA received 30,621 claims of items stolen from checked luggage, and the most likely culprits are TSA agents.[28] Although theft does not in itself jeopardize the safety of the flying public, widespread theft by security personnel demonstrates poor management of insider threats, which means the possibility exists for other, perhaps more dangerous, threats to be overlooked due to mismanagement. Given the lax security measures, it is not surprising that there were 268 perimeter security breaches at major U.S. airports between the years 2004 and 2015.[29] One of these breaches, recorded by a bystander with a cellphone camera, occurred in 2012: a woman tossed a bag over the airport perimeter fence to an airport employee, and when the bag got stuck on the fence, the airport employee climbed the fence to retrieve the bag.[30] While no malicious intent was discovered, this otherwise innocent incident occurred within feet of airplanes and reveals a significant vulnerability in aviation security: the ease of breaching airport perimeter security with the help of an insider and the potential for disaster. What if the bag contained explosives or weapons? And what if this debacle took place in an area without bystanders to observe and report the incident?

In a Congressional Report, Congressman Marsha Blackburn details 50 crimes committed by TSA employees since 2005.[31] These crimes include theft, rape, child pornography, assault, bribery, drugs, and murder, raising questions regarding the efficacy of employee vetting. While most examples of insider threats are not matters of national security and do not imperil passenger safety, the TSA acknowledged in 2009 that the vulnerability of insider attacks on airports is very high, and they portended the potential for “very dangerous” insider threats.[32]

TSA’s acknowledgement of very dangerous threats would come to fruition shortly after 2009 in the global aviation community: In 2015, five men, suspected to be members of the Islamic State of Iraq and Syria (ISIS), carrying twelve luggage bags containing the equivalent of six million U.S. dollars in cash were stopped at the O. R. Tambo International Airport in Johannesburg, South Africa.[33] Since twelve bags exceed the maximum permitted for five individuals, insider involvement in this smuggling scheme was necessary. To make things worse, this was not the first such incident: It was a repeated offense in which one of the perpetrators allegedly smuggled money aboard aircraft once every two days for a year. This specific case, though shocking, did not pose a direct threat to aviation, but it raises significant concerns that ISIS has either infiltrated foreign airports—with its own operatives employed at the airport—or gained access to secure areas of an airport by bribing or threatening insiders for assistance. Either way, the difference is immaterial, as terrorist organizations could viably seek both methods to gain access to secure areas of an airport.

In 2013, Terry Loewen, an avionics technician working for Hawker Beechcraft at Wichita National Airport (ICT), plotted to use a weapon of mass destruction—a van loaded with explosives—at ICT.[34] As an avionics technician, Loewen possessed a SIDA badge. Fortunately, he was arrested by an undercover FBI agent who had aided him in assembling a fake explosive device while he was under investigation. While Loewen’s nefarious plans never materialized, he was one of an estimated 900,000 people in 450 U.S. commercial airports with a SIDA badge.[35] Najibullah Zazi was another: Zazi was arrested for plotting to bomb the New York subway on the anniversary of the 9/11 attacks.[36] Prior to his arrest, Zazi was a shuttle driver at Denver International Airport (DEN), where he possessed secure access privileges required for employment.[37] Even though he did not target aviation, he could have easily carried out an attack at DEN because of his insider access.

The list goes on: Abdisalan Ali worked at the Minneapolis St. Paul International Airport (MSP), where he worked in food service. In 2011, Ali blew himself up in a suicide attack in Mogadishu, targeting African Union Troops.[38] In 2014, Abdirahmaan Muhumed, who also possessed a SIDA badge at MSP, was successfully recruited to join ISIS.[39] In the same year, Moniteveti Katoa, who had secure access privileges at Dallas Fort Worth International Airport (DFW), bragged to an undercover FBI agent about the ease with which he could sneak a bomb aboard aircraft.[40] Beyond MSP and DFW, arrests have been made in connection to insider threats in Los Angeles, San Francisco, and Puerto Rico.[41] All of these individuals have at least one thing in common: access to secure areas in airports. And with privileged access, these individuals were in a better position to carry out attacks against aviation, making them an inherent security risk. They all provide illustrative examples of the inadequacy of CHRC.

While these examples of secure access abuse should be aberrations, they are not. They account for only a small percentage of all insider threats and help to illustrate the variety of insider threats facing aviation every day.

Countermeasures

            Addressing the insider threat requires the expeditious implementation of robust countermeasures. First, security practitioners must bolster both the initial and recurrent screening processes. The initial CHRC must account for criminal activities and prison sentences beyond ten years, because the current practice is ineffective and fails to detect potentially material risk indicators. As noted earlier, individuals serving a ten-year prison sentence could pass a CHRC, but an examination of the extended history of individuals could flag such people for further screening. Additionally, recurrent CHRCs should not be bookended by a maximum of two years’ time. In fact, the scheduled checks should be replaced by random checks. The element of surprise—a proven and effective tactic on the battlefield[42]—should be incorporated in insider threat mitigation, such that renewing one’s SIDA badge would become a random occurrence.

Second, employee screenings should focus on quality rather than quantity. Current random screenings of employees are generally located in heavily trafficked points of entry, screening the highest number of workers.[43] However, this strategy is a reincarnation of the Maginot Line. Employees may simply circumvent security screening by avoiding the crowd, which is typically the modus operandi of criminals. The focus on quantity—number of employees screened—might create an appearance of enhanced security, which in reality is only a false sense of security. Relatedly, employee screenings should be randomized, thus employing the element of surprise again and shifting the focus away from quantity. Since it is easier to exploit the routine or predictable, randomness must become the norm in aviation security.

Third, the onus of reporting disqualifying offenses found under 49 C.F.R. § 1542.209(d) should transfer from individuals to the TSA. Currently, the procedure of reporting disqualifying offenses committed by individuals possessing secure access badges is inconsistent across different entities in aviation. In many cases, individuals are responsible for self-reporting these offenses. As expected, this is not an effective policy, as it potentially opens a gap of two years before an individual’s disqualifying offenses are discovered through the renewal or revalidation process.[44] Instead of placing so much trust on individuals to self-report crimes, airport operators and air carriers should be required to use FBI’s RapBack service. The benefit of the RapBack service is that it continuously vets individuals after they have passed an initial background check.[45] Furthermore, if a “triggering event” is detected, relevant agencies will be alerted.[46] Currently, only the TSA and several operators are using this service.[47]

Finally, there must be consistency. Although it is difficult to standardize randomized procedures across 450 commercial airports in the United States, it is imperative to operate with consistency to mitigate the risk of exploitable weaknesses in the aviation system. Aviation security is only as strong as the weakest link in this 450-link chain.[48] The issue of consistency is magnified when considering the total number of airports in the United States: There are 19,476 public and private use airports serving general aviation (GA), including all aviation activities that are not military or commercial.[49] Even if private-use airstrips are excluded, there are still 5,178 public airstrips. Average daily aircraft operations of these GA airports vary drastically: from an average of 81 aircraft operations a day at the Max B. Swisher Skyhaven Airport in Warrensburg, MO,[50] to an average of 394 daily aircraft operations at the Dekalb-Peachtree Airport in Atlanta, GA.[51] Opinions of the risk posed by the GA sector are also varied. The 9/11 Commission Report indicated that there are major vulnerabilities in GA security,[52] but a Department of Homeland Security report stated that threats to aviation security posed by GA are limited and mostly hypothetical.[53] Regardless of the level of risk, security at many small GA airports is practically nonexistent, making GA vulnerable to terrorist attacks.[54] An example of GA airport security is fencing; however, most fencing was installed to deter wildlife from entering the airfield.[55] There is a dearth of literature addressing small and medium airport security strategies,[56] and more research is needed. Security challenges posed by GA—no matter how small or great—should not be overlooked. Consistency in the application of aviation security policies extends to both commercial and GA sectors.

Insider threat mitigation is a herculean task, but security practitioners and lawmakers should not wait to act—it may be only a matter of time until lives are lost.

 


*Daniel Siao is an assistant professor of aviation at the University of Central Missouri and a PhD student at Saint Louis University. He is a certificated aircraft mechanic (Airframe & Powerplant) and pilot (Commercial/Instrument). He may be reached at danielsiao@outlook.com. I would like to thank Allison Kempf and Aaron Marks for their exceptional assistance in reviewing this piece.

 

[1]  The 9/11 Commission Report, http://govinfo.library.unt.edu/911/report/911Report.pdf.

 

[2]  Office of the Inspector General, Dep’t. of Homeland Security, Transportation Security Administration Has Taken Steps to Address the Insider Threat But Challenges Remain (Sept. 2012), https://www.oig.dhs.gov/assets/Mgmt/2012/OIGr_12-120_Sep12.pdf.

 

[3]  Gov’t Accountability Office, Aviation Security: A National Strategy and Other Actions Would Strengthen TSA’s Efforts to Secure Commercial Airport Perimeters and Access Controls (Sept. 2009), http://www.gao.gov/assets/300/296396.pdf.

 

[4]  49 C.F.R § 1542.207 (West 2002).

 

[5] Scott Zamost, Drew Griffin & Curt Devine, A giant security gap at U.S. airports? Most workers not screened daily, CNN (Feb. 3, 2015),  http://www.cnn.com/2015/02/02/us/airport-security-investigation/

 

[6] See TSA Precheck, Transportation Security Administration, https://www.tsa.gov/precheck.

 

[7]  49 C.F.R. § 1542.209.

 

[8]  Id. § 1540.203.

 

[9]  Office of Inspector General, Dep’t of Homeland Security, TSA’s Oversight of the Airport Badging Process Needs Improvement (July 2011), https://www.oig.dhs.gov/assets/Mgmt/OIG_11-95_July11.pdf.

 

[10] Id. at 3.

 

[11] 49 C.F.R. §1542.209(d).

 

[12] U.S. House Homeland Security Committee, America’s Airports: The Threat from Within at 5 (Feb. 2017), https://homeland.house.gov/wp-content/uploads/2017/02/Americas-Airports-The-Threat-From-Within.pdf.

 

[13] Due to the sensitive nature of the information contained in this Security Directive, it is not made widely available for public viewing. However, some information in this Security Directive is found in Office of Inspector General, supra note 9, at 3.

 

[14] Jeffrey Price & Jeffrey Forrest, Practical Aviation Security 207 (2d ed. 2013).

 

[15] 49 C.F.R. §1542.209(l).

 

[16]  Id. §1542.209(l)(7).

 

[17] Brian A. Jackson et al., Assessing the Security Benefits of a Trusted Traveler Program in the Presence of Attempted Attacker Exploitation and Compromise, 5 J. Transp. Secur. 1, 25 (2012).

 

[18] See Candy Sagon, Can A Routine EKG Predict A Future Heart Attack?, AARP (July 31, 2012), http://blog.aarp.org/2012/07/31/can-an-ekg-predict-a-future-heart-attack/; see also U.S. Preventive Services Task Force, Coronary Heart Disease: Screening with Electrocardiography (July 2012), https://www.uspreventiveservicestaskforce.org/Page/Document/RecommendationStatementFinal/coronary-heart-disease-screening-with-electrocardiography.

 

[19]  Office of Inspector General, Dep’t of Homeland Security, TSA Could Improve its Oversight of Airport Controls Over Access Media Badges (Oct. 14, 2016), https://www.oig.dhs.gov/assets/Mgmt/2017/OIG-17-04-Oct16.pdf; see also 49 C.F.R. § 1542.211(a)(3)(iv).

 

[20] See U.S. House  Homeland Security Committee, supra note 12, at 12.

 

[21] Id.

[22] Office of Inspector General, supra note 19.

[23] Id. at 7.

[24] See Harriet Baskas, How many people does it take to run an airport?, USA Today (Mar. 30, 2016), https://www.usatoday.com/story/travel/flights/2016/03/30/airport-workers-employees/82385558/

 

[25] The numbers used here illustrate the maximum number of badges lost, stolen, or unaccounted for. There are three separate nonpublic areas in an airport: sterile, secured, and airport operations. The 5% threshold applies when any individual area exceeds 5% and not when an aggregate of the three areas exceed 5%. However, without specific numbers for each of the three areas, I use the aggregate method to demonstrate the upper limit of the 5% threshold. Office of Inspector General, supra note 19, at 7.

[26] Chicago O’Hare Int’l Airport, AirNav (Mar. 30, 2017), http://www.airnav.com/airport/KORD; see Ben Mutzabaugh, Chicago O’Hare retakes ‘world’s busiest’ title … sort of, USA Today (Sept. 1, 2015), https://www.usatoday.com/story/travel/flights/todayinthesky/2015/01/21/chicago-ohare-retakes-worlds-busiest-title–sort-/22125499/ (listing 881,933 flight operations in 2014, averaging approximately 2,400 daily).

[27] Office of Inspector General, Dep’t of Homeland Security, Transportation Security Agency Has Taken Steps to Address the Insider Threat, but Challenges Remain (Sept. 2012), https://www.oig.dhs.gov/assets/Mgmt/2012/OIGr_12-120_Sep12.pdf

[28] Scott Zamost, Drew Griffin & Curt Devine, Hidden cameras reveal airport workers stealing from luggage, CNN (Sept. 15, 2015), http://www.cnn.com/2015/04/13/us/airport-luggage-theft/.

[29] Major American airports report 268 perimeter security breaches since 2004 – though NYC data withheld for ‘security concerns’, Daily News (Apr. 9, 2015), http://www.nydailynews.com/news/national/airports-report-268-perimeter-security-breaches-2004-article-1.2179338.

[30] Scott Wise, Airport security breach caught on camera, CBS News (Nov. 28, 2012), http://wtvr.com/2012/11/28/airport-security-breach-caught-on-camera/.

[31] Congressman Marsha Blackburn, U.S. House of Representatives, ‘Not on my watch’: 50 Failures of TSA’s Transportation Security Officers, (May 30, 2012), http://blackburn.house.gov/uploadedfiles/blackburn_tso_report.pdf.

[32] Government Accountability Office, A National Strategy and Other Actions Would Strength TSA’s Efforts to Secure Commercial Airport Perimeters and Access Controls (GAO-09-399) (Sept. 2009), http://www.gao.gov/assets/300/296396.pdf.

[33] Paul Tilsley, Jihadist couriers? Suspect nabbed at Johannesburg airport with $6M were ISIS-bound, say cops, FOX News (Sept. 21, 2015), http://www.foxnews.com/world/2015/09/21/5-suspects-stopped-at-johannesburg-airport-with-6m-cash-headed-for-isis.html.

[34] Bill Chappell, Wichita Man Sentenced to 20 Years in Airport Bomb Plot, NPR (Aug. 31, 2015), http://www.npr.org/sections/thetwo-way/2015/08/31/436414417/wichita-man-sentenced-to-20-years-in-airport-bomb-plot.

[35] U.S. House Homeland Security Committee, supra note 12.

[36] A. G. Sulzberger & William K. Rashbaum, Guilty Plea Made in Plot to Bomb New York Subway, N.Y. Times (Feb. 22, 2010), http://www.nytimes.com/2010/02/23/nyregion/23terror.html.

[37] Michael Wilson, From Smiling Coffee Vendor to Terror Suspect, N.Y. Times (Sept. 25, 2009), http://www.nytimes.com/2009/09/26/nyregion/26profile.html.

[38] Josh Kron, American Identified as Bomber in Attack on African Union in Somalia, N.Y. Times (Oct. 30, 2011), http://www.nytimes.com/2011/10/31/world/africa/shabab-identify-american-as-bomber-in-somalia-attack.html.

[39] Michael Zennie, Somali-American who died fighting for ISIS cleaned planes for Delta Airlines at Minneapolis airport before he joined terrorist group, Daily Mail (Sept. 3, 2014), http://www.dailymail.co.uk/news/article-2742206/Somali-American-died-fighting-ISIS-cleaned-planes-Delta-Airlines-Minneapolis-airport-joined-terrorist-group.html.

[40] U.S. House Homeland Security Committee, supra note 12, at 9. See U.S. Immigration and Customs Enforcement, Dallas-area man sentenced to nearly 16 years in federal prison for smuggling cocaine on flights from DFW airport (Sept. 22, 2016), https://www.ice.gov/news/releases/dallas-area-man-sentenced-nearly-16-years-federal-prison-smuggling-cocaine-flights-dfw.

 

[41] U.S. House Homeland Security Committee, supra note 12.

 

[42] See generally Carl von Clausewitz, Principles of War (Hans W. Gatzke trans., 1942) (1812) (explaining that surprise attacks can be counterbalanced by unexpected elements created by the defender).

[43] See U.S. House Homeland Security Committee, supra note 12.

 

[44] See Office of Inspector General, supra note 9, at 13; see also Price & Forrest, supra note 14, at 205.

 

[45] Federal Bureau of Investigation, Privacy Impact Assessment for the Next General Identification Rap Back Service at 4 (Dec. 15, 2016).

 

[46] Id.

[47] See U.S. House Homeland Security Committee, supra note 12.

[48] Id.

[49] Aircraft Owners and Pilots Association, Airports and Landing Areas 1965-2009, https://www.aopa.org/about/general-aviation-statistics/airports-and-landing-areas.

 

[50] Skyhaven Airport, AirNav (Mar. 30, 2017), http://airnav.com/airport/KRCM.

 

[51] Dekalb-Peachtree Aiport, AirNav (Mar. 30, 2017) http://airnav.com/airport/KPDK.

 

[52] The 9/11 Commission Report, supra note 1, at 391.

 

[53] Office of Inspector General, Dep’t of Homeland Security, TSA’s Role in General Aviation Security at 1 (May 2009), https://www.oig.dhs.gov/assets/Mgmt/OIG_09-69_May09.pdf

 

[54] Bartholomew Elias, Airport and Aviation Security 366 (2010).

 

[55] Transportation Research Board, Airport Cooperative Research Program, General Aviation Safety and Security Practices 16 (2007).

 

[56] Duarte Amorim da Cunha et al., Keeping Cargo Security Costs Down: A Risk-Based Approach to Air Cargo Airport Security in Small and Medium Airports, 61 J. Air Transp. Mgmt. 115, 116 (2017).

 

Leave a Reply