Insider Threat – Challenges for an Established System


Imagine the following situation: in a sports competition, say skiing or cycling, two physically and mentally equal athletes using the same equipment have to compete. The only difference between the two is that one of them was able to train on the slope or circuit later used in the race while the other trained elsewhere. Who do you think will eventually take home the trophy?

Knowledge is among the most valuable resources. If you know what to expect from a specific situation, like the above-mentioned race, you can prepare yourself, establish the ideal track, know where to slow down to cut a corner to save some seconds and where to be ready for a jump.

It is undisputed among the intelligence community that, on a global scale, terrorist groups have a persistent interest in recruiting persons with specific aviation security knowledge. Several cases are documented, such as the incident involving Daallo Airlines in February 2016, which show an active involvement of so-called insiders in the plotting and execution of acts of unlawful interference against civil aviation.

In addition, law enforcement entities, such as Europol, are noting an increased number of persons who are self-radicalized, often in a rather short period of time, and who are therefore difficult to discover.

In recent years, cases have occurred in several countries where radicalized persons worked for air transport companies or airports with direct access to sensitive areas or were even employed by security providers.

Furthermore, thinking for example about the secure supply chain and IT (cyber security) sector, the footprint of the aviation security system is expanding and thus opening new access points for individuals with malicious intent. Staff of entities involved in these areas are not necessarily directly linked to an airport operator or air transport company and therefore might not be subjected to the same rigorous background checks.

It is for this reason that the aviation community is recognizing the potentially severe threat posed by insiders. In an address to the UN Counter Terrorism Committee, Dr. Fang Liu, the Secretary General of ICAO, specifically listed the threat posed by insiders and airport staff as a significant concern and urged relevant entities to be prepared to deter, detect and prevent attacks by such individuals.

What is the insider threat and why is it a serious challenge for the aviation security system?

The US Transportation Security Administration (TSA) defines the threat as “one or more individuals with access to insider knowledge that allows them to exploit the vulnerabilities of the Nation’s transportation system with the intent to cause harm.” More generically, it is described as a threat to an organization’s security or data that comes from within.

The Software Engineering Institute of Carnegie Mellon University concludes, “Insiders have a significant advantage over external attackers”. They are not only aware of existing policies, established processes and deployed technology, but often know existing vulnerabilities and shortcomings of the security system in place.

Today’s aviation security system is often based on the principles of harmonization, uniformity and measurability. These are important advantages, both from a user (passenger) perspective and from the perspective of operators and oversight entities. Especially in common area systems, such as the One-Stop Security Regime (OSS) in Europe, such a set-up facilitates oversight through check-list based quality control regimes, as it establishes comparable performance indicators and common levels of applied measures throughout the participating States.

At the same time, this creates a considerable vulnerability. It is obvious that in general many of the implemented measures are rather static, repetitive in nature and often based on detailed and prescriptive requirements. They become predictable and especially vulnerable to exploitation by persons with the relevant insider knowledge.

Why the concept of unpredictability can be an answer.

As in other areas of aviation security, only a layered approach will be effective. To counter the insider threat, a vivid security culture, relevant awareness of staff, thorough background checks and availability of intelligence information are key. An important additional element can be the concept of unpredictable security measures, which I will focus on hereafter.

Predictable measures are reassuring; however, this is the case not only for passengers and inspectors but also for adversaries. Predictable measures are more easily bypassed, especially by persons with specific knowledge. Adversaries work on the principle of opportunity and want to succeed in their endeavors. The less likely a successful outcome becomes, the more likely it is that the endeavor will not be pursued.

It is therefore a natural step to think of possible means capable of disturbing hostile plotting and reconnaissance and forcing adversaries to take a higher risk of exposure. A possible way forward is the introduction of a framework of unpredictable security measures. Such a concept allows for an effective, efficient and pro-active implementation of security measures and offers additional deterrence and complexity.

In order to be effective, both externally and internally, the following core elements need to be encompassed: confidentiality and a defined (limited) group of people with access to full details; methods of unpredictability, such as changes in frequency, measure applied, different actors, locations etc.; and additional or alternative security measures. Especially the latter point offers room for a “creative” path to new ideas and unconventional solutions.

The concept of unpredictability will not only enhance the deterrence effect of the security regime in general; it can also help to maximize the use of already available equipment and tools, increase effectiveness and, by breaking routine tasks, might even increase staff motivation levels. In addition, it can bridge gaps remaining in current security systems even if intelligence information is available and baseline security measures are implemented carefully.

Unpredictability is, of course, not a new concept. It is well established in areas outside aviation, such as the gaming industry. It has also been included in current aviation security measures to a certain extent, such as for measures applied on a random basis. Furthermore, ICAO provides a related recommendation and a definition in Annex 17. The EUR/NAT Aviation Security Group discussed the concept and endorsed a relevant Working Paper presented by Switzerland in 2016. The meeting subsequently encouraged States and involved entities to consider establishing concepts of unpredictable security measures.

In light of the ever-changing threat landscape and the threat posed by insiders in particular, the aviation security community should move away from a routine and reactive approach and pro-actively and dynamically address these issues. I do understand that both industry players and regulators are in general reluctant to add new requirements to an already complex and burdened system. Keeping this in mind, the concept of unpredictability can offer a win-win solution to address present and emerging threats: a flexible approach with a potentially higher degree of deterrence, greater efficiency of existing measures, a more motivated workforce and fewer insiders with knowledge of the overall picture.

To conclude, I quote Arthur Schopenhauer: „Der Wechsel allein ist das Beständige“ (Nothing is stable but change). Let us interpret it for once as follows: only if we are prescient, creative and innovative will we endure.

Florin Hungerbühler is a Security Inspector with the Federal Office of Civil Aviation (FOCA) in Switzerland. His primary field of responsibility covers aviation security measures at Swiss airports. He represents FOCA in national and international working groups, conferences, workshops and seminars.

From 2009 to 2012 he was seconded by the Swiss administration to ICAO HQ as an Audit Team Leader in the framework of the USAP programme.

In 2017 he was elected as Vice-Chairman of the ICAO European/North Atlantic AVSEC Group.

This article was originally written for the ICAO EUR/NAT Office’s Newsletter (Issue 3) in May 2018.