In 2018, TSA Administrator David Pekoske tasked the Aviation Security Advisory Committee (ASAC) and its then newly formed Subcommittee on Insider Threat with a number of items related to how to address the aviation insider threat. ASAC responded with a series of reports, including an interim report submitted to TSA in December 2018 that included an analysis of 100 percent or full employee screening and a discussion of minimum performance standards. The interim report refuted the existence of 100 percent employee screening at any airport in the world given screening exemptions, limited operating hours and terminal focused scope. Specifically, ASAC wrote “Fundamentally, a multi-layered security program that is designed to mitigate risk, dynamic, intelligence-driven, and random is far more effective than a program based on arbitrary percentages of activity that is static, predictable, costly and easily defeated.” The report also reinforced the ASAC finding from its 2015 report that 100 percent physical screening is not an effective solution to address the insider threat.
On May 21, 2019, ASAC approved its third and final report -- Review of TSA’s Insider Threat Aviation Group Findings. The final report built on previous work done by TSA’s Insider Threat Advisory Group (ITAG) and made 21 recommendations in the six focus areas of: threat detection, assessment and response; aviation worker vetting and evaluation; aviation worker screening and access control; training and engagement; information sharing; and, governance and internal controls.
In a letter dated September 3, 2019 to the ASAC chairman, TSA Administrator David Pekoske concurred with all 21 recommendations submitted to TSA by ASAC in the May report. While concurrence with the recommendations was expected, Pekoske caught industry and many in his own agency off-guard by also including the following in the September 3 ASAC letter (the last sentence is highlighted here for emphasis): “To supplement the implementation of the ASAC recommendations, TSA will take additional measures to mitigate the insider threat. Specifically, we will establish a baseline percentage for staff screening.”
Pekoske’s reference to a baseline percentage of employee screening was likely added to demonstrate that the United States is committed to robust insider threat mitigation measures, including but not limited to employee screening, given the International Civil Aviation Organization’s (ICAO) effort to require 100 percent staff screening.
On November 25, 2019, the ICAO Council officially adopted an amendment to Annex 17 to require full screening of all non-passengers entering restricted areas of airports by a vote of 31 to 5. The U.S. will likely file a difference to the new security standards, which is essentially a request for modified compliance. There is no penalty for filing a difference but other countries or foreign air carriers may require additional measures from the U.S. and U.S. air carriers.
Speaking at the AAAE Aviation Security Summit in December, TSA Acting Deputy Administrator Cogswell expressed disappointment that ICAO adopted an approach to insider threat mitigation that focused on a single data point. Cogswell stated that she recognized the importance of screening as part of an insider threat mitigation program but that screening alone will not detect or deter the type of insider threat that is most concerning. Instead, Cogswell recommended that the focus be placed on creating a security culture that promotes safety and security and deters the insider threat.
As of December, TSA was still considering its options for a response to ICAO. As part of these efforts, TSA Executive Assistant Administrator for Operations Support Stacey Fitzmaurice conducted a listening tour at several airports to discuss employee screening efforts and its impact on operations, particularly at smaller airports. In addition, TSA renewed its focus on the adoption and implementation of the 2015 Information Circular on Insider Threat, which recommended insider threat assessments and mitigation plans be updated every two years. The Information Circular also recommended a random employee screening rate of 20 percent. AAAE expects continued dialogue with TSA and ASAC on the U.S. response to ICAO and how that response may inform a baseline percentage for employee screening at U.S. airports.