Aviation workers using their access privileges to exploit vulnerabilities and potentially cause harm at the nation’s airports pose an insider threat. As of October 2019, there were an estimated 1.8 million aviation workers at the nation’s airports. The Transportation Security Administration (TSA), airport operators, and air carriers share the responsibility to mitigate all insider threats at airports.
The Government Accountability Office (GAO) was asked to review TSA’s and aviation stakeholders’ efforts to mitigate insider threats at airports. In order to do this, GAO reviewed TSA guidance; analyzed TSA data from a questionnaire sent to a representative sample of airport operators; and obtained information from TSA officials, officials from selected larger U.S.-based air carriers, and a nongeneralizable sample of seven airport operators, selected, in part, based on the number of aircraft take-offs and landings.
An insider threat includes direct risks to TSA’s security operations, as well as indirect risks that may compromise critical infrastructure or undermine the integrity of the aviation security system. For example, a worker may use their access to smuggle contraband or intentionally damage equipment, or the threat may arise from a complacent or negligent approach to policies, procedures, and potential risks.
From fiscal year 2017 through fiscal year 2019, there was an average of 138 insider threat referrals per month, with an average of 14 per month requiring further investigation. Examples included a mechanic at Miami International who sought to sabotage an onboard aircraft component; a ground service agent who used his access to board and fly an empty plane from Seattle-Tacoma International; and a weapons smuggling operation at Hartsfield-Jackson Atlanta International.
Currently, TSA, airport operators, and air carriers mitigate insider threats through a variety of efforts. For example, TSA’s Insider Threat Program comprises multiple TSA offices with ongoing insider threat mitigation activities, including long-standing requirements addressing access controls and background checks, and compliance inspections. TSA also initiated additional activities more recently, such as analyzing social media and implementing TSA-led, randomized worker screenings in 2018.
Meanwhile, airport and air carrier officials implement security measures in accordance with TSA-approved programs and may implement additional measures to further mitigate threats. For example, many airport operators reported using biometric access control technologies. Additionally, some air carriers reported conducting more rigorous background checks prior to issuing identification credentials to employees.
Airports, airlines and the TSA have come a long way in recent years in securing their infrastructure and passengers against the insider threat, but these strengths are weakened by the lack of a strategic plan. This could be because of a lack of continuity in leadership, which the agency has suffered from in recent years.
As GAO’s February 10 report states: “TSA’s Insider Threat Program is not guided by a strategic plan with strategic goals and objectives nor does it have performance goals.”
TSA does not have an updated strategic plan that reflects the Program’s current status, and TSA officials told the GAO review that the plan was not updated due to turnover of key senior leadership. When the Insider Threat Program began in 2013, TSA initially developed a 2014-2016 Insider Threat Action Plan, which described TSA’s vision of an integrated insider threat program at TSA, and it included strategic goals, each with a set of objectives. However, according to TSA officials, TSA did not fully implement this Action Plan, and TSA did not renew or revise the Action Plan after 2016 due to the departure of the key sponsoring senior leader. TSA officials also told the GAO review that the Action Plan does not reflect all the existing activities that TSA’s Insider Threat Program currently encompasses because the Program has changed since 2014.
In January 2020, TSA was in the early stages of developing a roadmap that could serve as a new strategic plan for the Program. However, GAO found that officials had not finalized the contents and were uncertain when it would be completed and implemented.
GAO recommends that TSA develop and implement a strategic plan for its Insider Threat Program that includes strategic goals and objectives. The Department of Homeland Security (DHS) concurred and pointed to the 2020 Insider Threat Roadmap, which, when completed, will include strategic goals and objectives to guide TSA in its efforts to mitigate insider threats.
GAO’s report also notes that TSA has “not defined performance goals with targets and timeframes to assess progress achieving the Program’s mission”. Without a strategic plan and performance goals, GAO says, it is difficult for TSA to determine if its approach is working and progress is being made toward deterring, detecting, and mitigating insider threats to the aviation sector.
The review found that some TSA offices have developed indicators for measuring characteristics of their insider threat activities, but these do not exhibit the characteristics of performance goals as defined by the Office of Management and Budget. For example, TSA’s Security Operations office developed Key Performance Indicators for its ATLAS operations, which are operational indicators for the TSA staff carrying out the countermeasures. These include that teams must screen a percentage of workers who pass through the checkpoint and must meet their assigned screening time allotment. However, operational indicators such as these do not include baselines and timeframes for completion, which are characteristics of performance goals as described by the Office of Management and Budget.
GAO says TSA should develop performance goals for its Insider Threat Program that assess progress achieving the strategic objectives in the insider threat strategic plan. DHS concurred with this recommendation and said the TSA 2020 Insider Threat Roadmap will include performance measures.
While no date was available for the completion of the roadmap during GAO’s review, DHS has since responded that it expects to complete it by June 30, 2020. It will be delivered to the Insider Threat Executive Steering Committee for endorsement and planned implementation.