‘Strange Occurrences’ highlight insider threats to aviation security, TSA warns
The Transportation Security Administration (TSA) recently issued a special bulletin in which it raised concerns about insider threats following the theft of aircraft in two separate incidents in August. The first incident, in which an airline ramp worker stole a 76-seat turboprop from Seattle-Tacoma International Airport and crashed it on a remote wooded island, was followed by a corporate pilot, on bail following a domestic violence arrest, stealing a business jet and crashing it into his Utah home.
TSA said these threats involve “an individual with the intent to cause harm and with access and/or insider knowledge that would allow the individual to exploit vulnerabilities of the nation’s transportation systems.”
These individuals, TSA pointed out, “potentially includes current or former TSA employees and contractors, airline employees, cleaning and catering crews, construction and maintenance workers, law enforcement, military and security forces, taxi cab drivers or transportation specialists, or other airport personnel who have access and/or insider knowledge.”
“While the only fatalities in these three incidents were to the individuals who commandeered the aircraft, the events raise concerns about mitigating the risk of aircraft thefts carried out with the intent of causing harm on the ground,” TSA said, noting, however, that, “A common factor in all of these incidents was that the perpetrators exploited their knowledge of the aviation system and their access to aircraft to steal and crash them, highlighting long-standing concerns about what has been commonly referred to as the ‘insider threat.’”
The TSA notice specifically expressed concerns about access controls and surveillance technology, noting, “Commercial airports are required to implement access control and credentialing systems to control entry to secured areas.” But, “While access control measures vary from airport to airport, most large airports implement a layered system in which workers have limited access to only those areas relevant to their job functions. Analysis of video and access logs may be used to detect and highlight certain activities and events, such as accessing areas not authorized by an individual’s clearance level, accessing areas not related to the individual’s job functions, or accessing areas during non-work hours. Monitoring and analysis of surveillance and access system data may help detect potential threats in some cases. Detecting security incidents as they unfold nonetheless may be difficult, particularly in a busy airport environment, because threat actions may be quite subtle and may not stand out from routine airport activities. At small general aviation airports, on the other hand, suspicious activities may go undetected because few individuals may be present, particularly at odd hours, and access control measures and surveillance resources and capabilities are often more limited.”
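The three log checks TSA lists above (access above clearance level, access unrelated to job function, access outside work hours) can be written as rules over badge-reader events. The following is an added illustration, not code from TSA or this article; the policy tables, badge IDs, zone names and log lines are all constructed assumptions.

```python
from datetime import datetime

# Constructed policy (assumption): zone clearance tiers, per-badge job zones and shift hours.
ZONE_LEVEL = {"terminal": 1, "baggage": 2, "ramp": 3, "hangar": 3}
WORKERS = {
    "B100": {"clearance": 3, "job_zones": {"ramp", "baggage"}, "shift": (6, 14)},
    "B200": {"clearance": 1, "job_zones": {"terminal"}, "shift": (8, 16)},
    "B300": {"clearance": 3, "job_zones": {"hangar"}, "shift": (22, 6)},  # overnight shift
}

# Constructed badge-reader log: timestamp,badge,zone,result
SAMPLE_LOG = """\
2024-01-15T07:15:00,B100,ramp,GRANTED
2024-01-15T19:40:00,B100,ramp,GRANTED
2024-01-15T09:05:00,B200,baggage,DENIED
2024-01-15T23:30:00,B300,hangar,GRANTED
2024-01-16T02:10:00,B300,ramp,GRANTED
2024-01-16T03:00:00,B999,hangar,DENIED
"""

def in_shift(hour, shift):
    start, end = shift
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end  # shift wraps past midnight

def flag(ts, badge, zone):
    """Return the list of rule names this event trips (empty list = routine)."""
    worker = WORKERS.get(badge)
    if worker is None:
        return ["unknown_badge"]
    reasons = []
    if ZONE_LEVEL.get(zone, 99) > worker["clearance"]:  # unlisted zone: treat as top tier
        reasons.append("above_clearance")
    if zone not in worker["job_zones"]:
        reasons.append("outside_job_function")
    if not in_shift(datetime.fromisoformat(ts).hour, worker["shift"]):
        reasons.append("off_hours")
    return reasons

def analyze(log_text):
    """Evaluate every event, denied attempts included, and return only flagged ones."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        parts = line.strip().split(",")
        if len(parts) != 4:
            findings.append((None, None, None, ["malformed"]))
            continue
        ts, badge, zone, result = parts
        reasons = flag(ts, badge, zone)
        if reasons:
            findings.append((badge, zone, result, reasons))
    return findings
```

Note that the second and fifth sample events were granted by the access system yet are still flagged, which is the case the bulletin describes: activity by a credentialed worker that does not stand out unless the logs are analyzed against job function and schedule.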
The Director of National Intelligence (DNI) emphasized in its Aviation Insider Threat Team 2017 report, Aviation Insider Threat: What We Know, Our Findings, and What We Recommend, that its Analytic Exchange Program Aviation Insider Threat Team “believes with a high degree of probability, that insiders pose a great risk to the safety and security of the aviation industry by challenging security countermeasures, exploiting potential vulnerabilities and increasing their knowledge of security procedures for nefarious purposes. These findings are made with significant confidence based upon past incidents, survey results related to the insider threat, and information provided by the public and private sector during the course of the study.
Potential insider threats within the aviation industry include a wide variety of individuals involved with the aircraft and passenger, including, but not limited to, the following categories:”
• Airline employees;
• Concession and restaurant employees;
• Cleaning and catering crews;
• Construction and maintenance crews;
• Law enforcement, military and/or security personnel;
• Taxi cab, shuttle bus and/or other transportation specialists;
• Current and/or former TSA employees;
• Current and/or former contract government employees; and
• Air Traffic Controllers
For example, the DNI report stated: “In early 2011, a former British airline employee, acting under orders from a ‘major terrorist planner,’ was convicted of four counts of preparing acts of terrorism for offering to help a foreign terrorist organization (FTO) disrupt or damage airline computer systems. The airline employee bragged to the FTO that he had access to the airline’s computer systems and could erase data that could cause massive disruption and financial loss for the airline. The airline employee also suggested to the FTO that he knew two individuals that may be willing to assist, one worked in baggage handling, and the other in security.”
The DNI report said indicators of insider threats include the following – most, if not all, of which can be detected by a variety of specialized biometrics-based security detection systems:
• Displays of nervous or secretive behavior; sweating; lack of eye contact;
• Apparent monitoring of access points;
• Body language/movement consistent with “photo panning” with a hidden camera;
• Avoidance of security cameras;
• Misusing credentials;
• Misusing cyber systems;
• Conducting unauthorized searches; and
• Allowing access badge sharing and “piggy backing” at security gates and doors.
Historically, airports have handled worker vetting and insider threat assessment through background checks, credentialing, and access control measures. TSA requires all airport and airline workers to undergo criminal history records checks and security threat assessments before being issued credentials granting them unescorted access to secured areas of commercial airports and airline aircraft.
Meanwhile, the Department of Homeland Security (DHS) has also proposed to modify and reissue a current DHS system of records notice (SORN), titled, DHS/Transportation Security Administration-001 Transportation Security Enforcement Record System System of Records. This system of records allows DHS/TSA to collect and maintain records related to TSA’s screening of passengers and property, as well as records related to the investigation or enforcement of transportation security laws, regulations, directives, or federal, state, local, or international law, such as “records relating to an investigation of a security incident that occurred during passenger or property screening.”
DHS is also updating this system of records notice to “cover records relating to the TSA Insider Threat program, modify the category of individuals and category of records, reflect an approved records retention schedule for records covered by this system, and modify two existing routine uses. Additionally, this notice includes non-substantive changes to simplify the formatting and text of the previously published notice. This modified system will be included in DHS’s inventory of record systems.”
According to the notice, DHS explained that this modification more clearly identifies … records relating to the TSA Insider Threat program “in order to deter, detect, and mitigate insider threats to TSA’s personnel, operations, information, critical infrastructure, and transportation sectors subject to TSA authorities.
“For purposes of this TSA system of records, ‘insider threats’ are, or present themselves to be, current or former transportation sector workers (including both TSA and private sector personnel) and individuals employed or otherwise engaged in providing services requiring authorized access to transportation facilities, assets, or infrastructure who intend to cause harm to the transportation domain,” DHS said.
This system of records is being modified to “cover records relating to the TSA’s Insider Threat program [which includes] a new category of individuals and category of records; reflect an approved records retention schedule for records covered by this system; and change existing routine uses,” and that, “The category of individuals … will be modified to reflect that the system may contain information on, “Current and former owners, operators, and employees, including TSA personnel, in all modes of transportation for which DHS/TSA has security-related duties; individuals reported or investigated as insider threat risks (that is, individuals who are, or present themselves to be, current or former transportation sector workers (including both TSA and private sector personnel) and individuals employed or otherwise engaged in providing services requiring authorized access to transportation facilities, assets, or infrastructure who intend to cause harm to the transportation domain); individuals who have access to Sensitive Security Information [SSI], and are ‘covered persons’ under the Sensitive Security Information regulation, 49 CFR part 1520; witnesses and other third parties who provide information; individuals undergoing screening of their person (including identity verification) or property; individuals against whom investigative, administrative, or civil or criminal enforcement action has been initiated for violation of certain TSA regulations or security directives, relevant provisions of 49 U.S.C. 449, or other laws; and individuals who communicate security incidents, potential security incidents, or otherwise suspicious activities.”
The category of records will be modified to include place of birth; government-issued identification; citizenship; results of any law enforcement, criminal history record, or open source checks; employment information and work history; and security and access clearances and background investigation information.
DHS said the categories of records in the system include all “information related to the screening of property and the security screening and identity verification of individuals, including identification media and identifying information such as:
• Individual’s name;
• Date and place of birth;
• Contact information (e.g., email addresses, phone numbers);
• Social Security number;
• Government-issued identification (e.g., Passport information, Driver’s License number, Alien Registration number);
• Fingerprints or other biometric identifiers;
• Physical description, photographs or video;
• Travel information or boarding passes;
• Results of any law enforcement, criminal history record, intelligence, immigration, public records or open source checks;
• Military status (branch, traveling on orders);
• Employment information and work history;
• Security and access clearances and background investigations information [which also includes a variety of biometrics and PII];
• TSA Information technology network activity information; and
• Information from other agencies (e.g., FBI, Financial Crimes Enforcement Network).”
“Additionally,” DHS explained, the system will include “information related to the investigation or prosecution of any alleged violation; place of violation; Enforcement Investigative Reports; security incident reports, screening reports, suspicious-activity reports, and other incident or investigative reports; statements of alleged violators, witnesses, and other third parties who provide information; proposed penalty; investigators’ analyses and work papers; enforcement actions taken; findings; documentation of physical evidence; correspondence of TSA employees and others in enforcement cases; pleadings and other court filings; legal opinions and attorney work papers; and information obtained from various law enforcement or prosecuting authorities relating to the enforcement of laws or regulations.”
DHS assured that it and TSA “safeguards records in this system according to applicable rules and policies, including all applicable DHS automated systems security and access policies. TSA has imposed strict controls to minimize the risk of compromising the information that is being stored. Access to the computer system containing the records in this system is limited to those individuals who have a need to know the information for the performance of their official duties and who have appropriate clearances or permissions.”
Recent enhancements to the vetting process incorporate regular checks against the FBI’s RapBack service to provide notification of criminal and terrorist activity involving individuals in positions of trust, including credentialed airport and airline workers; pilots and mechanics are continuously checked by the Federal Aviation Administration (FAA) against the Terrorist Screening Database.
Nevertheless, as both the DNI and FBI have stated openly, they remain concerned about “corrupt employees who exploit their credentials, access, and knowledge of security procedures” to carry out terroristic or other criminal acts.
Indeed, the DNI stated, “The insider threat to the aviation sector spans across all realms of the threat vector to include cyber, criminal, and terrorism. Some of the more notable examples of aviation insider threat across the globe include:”
• Use of insider access to facilitate an act of violence as a means of disruption or coercion for political purposes;
• Use of insider access to obtain sensitive information for exploitation;
• Security compromise;
• Use of insider access to facilitate and circumvent security controls;
• Use of insider access to destroy equipment or materials;
• Information/intellectual property theft;
• Use of insider access to steal information or intellectual property; and
• Use of insider access to conduct violence in the workplace.