Insider Threat Mitigation

With high profile events involving aviation workers at major airports, insider threat and insider threat mitigation measures remains a key focus for airports operators, TSA and Congress.

Status

In 2018, TSA Administrator David Pekoske tasked the Aviation Security Advisory Committee (ASAC) and its then newly formed Subcommittee on Insider Threat with a number of items related to how to address the aviation insider threat. ASAC responded with a series of reports, including an interim report submitted to TSA in December 2018 that included an analysis of 100 percent or full employee screening and a discussion of minimum performance standards. The interim report refuted the existence of 100 percent employee screening at any airport in the world given screening exemptions, limited operating hours and terminal focused scope. Specifically, ASAC wrote “Fundamentally, a multi-layered security program that is designed to mitigate risk, dynamic, intelligence-driven, and random is far more effective than a program based on arbitrary percentages of activity that is static, predictable, costly and easily defeated.” The report also reinforced the ASAC finding from its 2015 report that 100 percent physical screening is not an effective solution to address the insider threat. 

On May 21, 2019, ASAC approved its third and final report -- Review of TSA’s Insider Threat Aviation Group Findings. The final report built on previous work done by TSA’s Insider Threat Advisory Group (ITAG) and made 21 recommendations in the six focus areas of: threat detection, assessment and response; aviation worker vetting and evaluation; aviation worker screening and access control; training and engagement; information sharing; and, governance and internal controls.

In a letter dated September 3, 2019 to the ASAC chairman, TSA Administrator David Pekoske concurred with all 21 recommendations submitted to TSA by ASAC in the May report. While concurrence with the recommendations was expected, Pekoske caught industry and many in his own agency off-guard by also including the following in the September 3 ASAC letter (the last sentence is highlighted here for emphasis): “To supplement the implementation of the ASAC recommendations, TSA will take additional measures to mitigate the insider threat. Specifically, we will establish a baseline percentage for staff screening.”

Pekoske’s reference to a baseline percentage of employee screening was likely added to demonstrate that the United States is committed to robust insider threat mitigation measures, including but not limited to employee screening, given the International Civil Aviation Organization’s (ICAO) effort to require 100 percent staff screening.

On November 25, 2019, the ICAO Council officially adopted an amendment to Annex 17 to require full screening of all non-passengers entering restricted areas of airports by a vote of 31 to 5. The U.S. will likely file a difference to the new security standards, which is essentially a request for modified compliance. There is no penalty for filing a difference but other countries or foreign air carriers may require additional measures from the U.S. and U.S. air carriers.

Speaking at the AAAE Aviation Security Summit in December, TSA Acting Deputy Administrator Cogswell expressed disappointment that ICAO adopted an approach to insider threat mitigation that focused on a single data point. Cogswell stated that she recognized the importance of screening as part of an insider threat mitigation program but that screening alone will not detect or deter the type of insider threat that is most concerning. Instead, Cogswell recommended that the focus be placed on creating a security culture that promotes safety and security and deters the insider threat.

As of December, TSA was still considering its options for a response to ICAO. As part of these efforts, TSA Executive Assistant Administrator for Operations Support Stacey Fitzmaurice conducted a listening tour at several airports to discuss employee screening efforts and its impact on operations, particularly at smaller airports. In addition, TSA renewed its focus on the adoption and implementation of the 2015 Information Circular on Insider Threat, which recommended insider threat assessments and mitigation plans be updated every two years. The Information Circular also recommended a random employee screening rate of 20 percent. AAAE expects continued dialogue with TSA and ASAC on the U.S. response to ICAO and how that response may inform a baseline percentage for employee screening at U.S. airports.

AAAE Views

• AAAE will continue to advocate for risk and intelligence based mitigation strategies to address the insider threat to aviation, avoiding one-size-fits-all solutions that do not add security value and drain limited resources. As an active member of the ASAC Subcommittee on Insider Threat, AAAE is also involved in the implementation of the group’s recommendations related to insider threat mitigation. 

• Airports take incidents and the prospect of the “insider threat“ very seriously. Airports are public entities with their own security responsibilities, and they meet those obligations with a focus on the need to protect public safety, which remains a fundamental mission. 

• The layers of security that already exist to identify and address potential threats in the airport environment include extensive background checks for aviation workers, random physical screening of workers at airports, surveillance, law enforcement patrols, robust security training, and the institution of challenge procedures among airport workers. 

• Detailed studies by both government and industry have shown that physical screening of all employees at airports around the country would cost upwards of $15 billion annually with very little, if any, security benefit. In a world of limited resources, we are concerned that placing so much emphasis on one approach – in this case physical screening – could divert significant funding from other critical security functions that are currently producing significant benefits.

• Congress and DHS should recognize and support the important work of the ASAC and avoid the temptation to pursue other approaches that could divert resources from other critical security functions. 

• As efforts continue to address the insider threat and other potential vulnerabilities, Congress and DHS must work to minimize the financial and operational implications that new requirements – individually and collectively – will have on airports and the aviation industry. 
 

Contacts

Stephanie Gupta
Senior Vice President, Security and Facilitation
(703) 671-8622

Colleen Chamberlain
Vice President, Transportation Security Policy
(703) 575-2460