Insider Threat Mitigation

With high profile events involving aviation workers at major airports, insider threat and insider threat mitigation measures remains a key focus for airports operators, TSA and Congress.  

Status

In March 2018, TSA Administrator Pekoske officially tasked the Aviation Security Advisory Committee (ASAC) to once again look at the security threat posed by airport insiders. ASAC referred the request to its newly formed Subcommittee on Insider Threat – a permanent subcommittee formed to assume the work and objective of the previous Employee Screening and Airport Access Control Working Group. That working group provided a report in 2015 with 28 recommendations related to employee screening, airport access control and insider threat mitigation that has driven efforts in this area for the past several years.

ASAC and its Subcommittee on Insider Threat delivered a series of reports to TSA throughout 2018 and 2019 addressing various aspects of the insider threat to aviation. In an interim report submitted late in 2018 that provided an unconstrained review of full employee screening, ASAC continued to recommend that TSA pursue a multi-layered, outcome focused, random, and robust approach to mitigating the insider threat, resulting in a reasonable expectation by aviation employees that they will be screened throughout their work day. The interim report to TSA included an analysis of 100 percent or full employee screening and a discussion of minimum performance standards.

The interim report refuted the existence of 100 percent employee screening at any airport in the world given screening exemptions, limited operating hours and terminal focused scope. The report also reinforced the ASAC finding from its 2015 report that 100 percent physical screening is not an effective solution to address the insider threat. The review of minimum performance standards echoed the TSA Administrator’s own comments at a ministerial meeting of International Civil Aviation Organization (ICAO) in December 2018 at which the U.S. pushed back on a proposal for an international standard on 100 percent employee screening. In statements to the press following the ICAO meeting, Pekoske said he believed the approach should be more outcome-based and that he was increasingly focused on outcomes and trying to step away from prescribed levels of activity.

In 2019, ASAC approved a third and final report that builds on previous work done by TSA’s Insider Threat Advisory Group (ITAG) and makes 21 recommendations in the areas of: threat detection, assessment and response; aviation worker vetting and evaluation; aviation worker screening and access control; training and engagement; information sharing; and, governance and internal controls. Screening related recommendations focus on TSA’s efforts under the Advanced Threat and Local Allocation Strategy (ATLAS) programs and do not include any new requirements for airport operators to conduct physical screening. Other recommendations focus on insider threat awareness training, enhanced vetting of aviation workers and best practices for establishing robust insider threat mitigation programs.

ASAC delivered its report to TSA in advance of an ICAO meeting where the United States is expected to continue to push back against efforts from countries like the United Kingdom advocating for more stringent international standards for full physical staff screening.

On Capitol Hill, Congress in 2018 approved the first-ever TSA authorization bill as part of a broader package that also included FAA reauthorization legislation. The measure, which was signed into law in October, included several items pertaining to the insider threat:

• A cost and feasibility study at a statistically significant number of airports of all sizes to determine the cost to both the federal government and airport operators of “enhanced employee inspections,” including equipping all employee access points to secure areas with physical screening equipment, specific access control measures and CCTV;

• A review by TSA, in consultation with airports and air carriers, of aviation credentialing standards, policies and practices;

• A national database of aviation credentials that have been revoked for failure to comply with security requirements;

• A requirement for aviation employees with airport-issued Security Identification Display Area (SIDA) media to submit their social security number for vetting purposes;

• An effort led by TSA to work with airport operators and air carriers to enhance the security awareness of employees, especially in regard to the insider threat;

• Mandatory participation in the FBI’s Rap Back program for all credentialed aviation worker populations;

• Direction to the TSA Administrator to ensure that TSA’s Advanced Threat and Local Allocation Strategy (ATLAS) physical employee screening efforts are “targeted, strategic, and focused on providing the greatest level of security effectiveness,” including covert testing of TSA’s employee screening operations; and

• TSA consultation with airport operators and airline operators to identify advanced technologies, including biometric identification technologies, which could be used for securing employee access to the secured areas and sterile areas of airports.

AAAE staff was highly engaged with the House and Senate as these provisions were being drafted and debated, and the final product removed all references to 100 percent employee screening and reflected significant input from airport operators and the leadership and members of the Transportation Security Services Committee. With certain Members of Congress intent on pushing toward 100 percent physical screening requirements, this engagement was important in producing a final product that focused on enhanced inspection measures and other requirements rather than employee screening mandates.

AAAE Views

• AAAE will continue to advocate for risk and intelligence based mitigation strategies to address the insider threat to aviation, avoiding one-size-fits-all solutions that do not add security value and drain limited resources. As an active member of the ASAC Subcommittee on Insider Threat, AAAE is also involved in the implementation of the group’s recommendations as well as TSA Modernization Act requirements related to employee screening, airport access control and insider threat.

• Airports take recent incidents and the prospect of the “insider threat“ very seriously. Airports are public entities with their own security responsibilities, and they meet those obligations with a focus on the need to protect public safety, which remains a fundamental mission.

• The layers of security that already exist to identify and address potential threats in the airport environment include extensive background checks for aviation workers, random physical screening of workers at airports, surveillance, law enforcement patrols, robust security training, and the institution of challenge procedures among airport workers.

• Detailed studies by both government and industry have shown that physical screening of all employees at airports around the country would cost upwards of $15 billion annually with very little, if any, security benefit. In a world of limited resources, we are concerned that placing so much emphasis on one approach – in this case physical screening – could divert significant funding from other critical security functions that are currently producing significant benefits.

• Congress and DHS should recognize and support the important work of the ASAC and avoid the temptation to pursue other approaches that could divert resources from other critical security functions.

• As efforts continue to address the insider threat and other potential vulnerabilities, Congress and DHS must work to minimize the financial and operational implications that new requirements – individually and collectively – will have on airports and the aviation industry.

Contacts

Stephanie Gupta
Senior Vice President, Security and Facilitation
(703) 671-8622

Colleen Chamberlain
Vice President, Transportation Security Policy
(703) 575-2460