Airline Alliances: Security Challenges

Alliances in the airline industry have been around since the 1930s when Panair do Brazil and its parent company Pan American World Airways agreed to exchange routes in Latin America. Those who proposed that alliance could never have dreamed of the global alliance environment of today’s industry. Geoffrey D. Askew AM explores the impacts on security and other issues raised by the alliance culture that is now such an integral part of the global aviation community.

Originally conceived as small-scale agreements of co-operation, airline alliances have grown into large, ambitious businesses that aim to deliver benefits to member airlines, as well as to the traveling public. Today there are six alliance groups, namely: Star Alliance; Sky Team; Oneworld; Value Alliance; U-Fly Alliance, and Alliance Vanille. The largest global alliance group, Star Alliance has 27 members and was founded in 1997, which prompted competing airlines to form Oneworld in 1999, which now has 13 members, and SkyTeam in 2000, which now has 20 members.

Many of these alliances have incorporated the practice of code sharing, which involves one airline selling seats on a flight operated by another airline. According to Oneworld, the three main airline alliances now account for almost two-thirds of the total world airline capacity (ASKs) – and more than 75% of air travel spend between the world’s top 100 business cities. In fact, all but one of the world’s 20 biggest full-service network airlines are now signed up to one of the three global alliances, and Flight Global reported in May 2017 that those three global alliances were operating to 3,206 destinations in 526 countries.

Aware of the changing global and regional market conditions, all three alliances have been working on new affiliate membership options aimed at accommodating strong local carriers without the need for full membership of an alliance group.

There are several reasons for the emergence of global airline alliances: More people want to fly to more places more easily and for greater value – but government restrictions and business economics make it impossible for any one airline to serve all these markets by itself. Allying with like-minded partner airlines enables carriers to provide their customers with global travel solutions. Passengers have access to extended networks, which makes booking and moving between connections more efficient and streamlined.

In the drive to reduce costs, airlines can achieve substantial efficiencies through working more closely together. On the ground this can be achieved by utilising one supplier like a ground handling service or by sharing an alliance partner’s lounge.

Individual passengers and corporate customers are increasingly recognising the value, convenience and benefits that alliances can offer them. Frequent flyer rewards can be accumulated across airlines within the same alliance and round-the-world tickets can be purchased more easily and cost a lot less as alliance partners work together to maximise connectivity and formulate improved travel experiences and benefits for the passenger both on the ground and in the sky. Extra baggage allowances and access to fast track security lanes at selected airports are just some such benefits.

Although revenue enhancements and cost reductions were always identified as benefits of airline alliances, carriers were also cognisant of the risk that could be associated with such alliances. From day one, there has been a programme of assessing the suitability of carriers wishing to join alliances. This assessment included safety and security management systems, which preceded the development and introduction of the IATA Operational Safety Audit (IOSA), which now requires each of IATA’s 240 members to pass and maintain the 900+ crucial standards.

In 1998, when the Oneworld alliance was being established, the security heads of the founding carriers (Larry Wansley of American Airlines, Iain Jack of British Airways, Cliff Hooper of Canadian Airlines, Peter Kedward of Cathay Pacific and Geoffrey Askew of Qantas Airways) met secretly in New York the day before an IATA Security Committee meeting and established the Oneworld Security Working Group.

In addition to developing criteria for assessing the security management and operations of a prospective alliance member airline, the working group was tasked with identifying ways in which security could enhance the operation of the alliance. Dealing with inflight behaviour incidents, the carriage of persons in custody, theft from baggage, airport risk assessments, joint airport security audits, the carriage of valuable cargo, the carriage of firearms both in the hold and in the cabin, security training for tech and cabin crew and the sharing of experiences from the occurrence of security incidents were all part of the agenda for the bi-annual meetings of the security working group.

One of the initial challenges was the endeavour to align the carry-on baggage restrictions within national regulatory requirements, thereby supporting the alliance’s objective of a seamless transfer of passengers from one carrier to another. Due to the uniqueness of the USA’s legislation at the time, firearms were an obvious stumbling block, however progress was achieved with regards to musical instruments and some sporting equipment.

Other areas of information exchange at that time was on kidnap, extortion and hijacking processes. As with code share agreements, airline alliances follow the industry practice that the operating carrier is responsible for the operation of the flight, and partner and/or marketing airlines will offer support and assistance whenever necessary. Communication and operational support arrangements regarding emergency response procedures were established early in the history of the Oneworld alliance.

Following the tragic events of 9/11, the strength of the collective voice of the alliance membership base at Oneworld, which had added Iberia and Finnair to its membership by then, was instrumental in supporting the endeavours of the individual airlines in negotiations with governments around the world as those governments scrambled to introduce new, enhanced security obligations on the industry; a lesson that is as valuable today as it was then.

Alliances offer a unique opportunity for airlines to leverage the influence of the collective group with regulators, airport operators and organisations in their supply chain, including security providers. They provide an opportunity for airlines with a common position on a particular issue to establish a strong collaborative and consultative culture amongst its members, and be used to influence and inform regional and international industry associations like Airlines 4 America, Association of European Airlines, Association of Asia Pacific Airlines, Airports Council International and the International Air Transport Association.

There is no doubt that the security challenges facing airlines continue to change and evolve on a regular basis, along with the industry itself. With the ever-growing dependence on technology to improve operations, performance and efficiencies, the entire aviation industry has become increasingly exposed to security risks and cyber-criminality.

In addition to unlawfully accessing operating systems, cybercriminals have also shown a willingness to exploit news of tragic events. In the past, security experts have seen several scams and threats that leveraged news like the Boston marathon, the 2011 tsunami/earthquake in Japan, and the crash of the Malaysia Airlines Flight MH17. These events provide excellent occasions for cybercriminals to deceive internet users and exploit the public’s attention to carry out illegal activities such as spam campaigns and phishing attacks to collect victims’ personal information.

There have also been recent claims that some major airlines have been caught up in serious security incidents involving their passenger booking systems. Reports have surfaced that suggest that several carriers are investigating whether paparazzi are stealing passenger lists and itineraries. Flight information and sensitive passenger details are reportedly being handed between agencies and photographers.

Alliances can develop joint mitigation strategies to combat such criminality so long as there is a desire to collaborate for the benefit of the collective membership. Nothing will damage an airline or alliance’s reputation more than the suggestion of poor safety/security standards and the lack of protection for the personal information of passengers.

Fraud within the airline industry is not new. It traditionally involved criminality by travel agents or the purchasing of tickets with stolen credit cards or other fraudulent payment formats. The expansion of loyalty programmes has now created new vulnerabilities for airlines, and opportunities for criminals to gain access to legitimate customers’ accounts through hacking weak login credentials, phishing campaigns or even by compromising a less-than-trustworthy internal employee.

As Justine Levitte, senior director for channel management and sales at 41st Parameter recently explained, once they have access to an account, there are a number of ways that fraudsters take advantage of loyal customers’ earned airline miles or points. The most direct method is to use pilfered miles or points to purchase tickets. Once purchased, these tickets can either be used by the fraudsters themselves or sold to a third party. Once they’ve traded the tickets for cash, the fraudster is in the clear. Either the unsuspecting purchaser or the carrier will bear the loss.

With the new ways of converting miles or points into sellable goods or cash, fraudsters can even more quickly turn stolen miles or points into profit. The complexity of these programmes has made them both increasingly appealing to fraudsters and more difficult for carriers to monitor and protect. Accounts for loyal travellers need to be treated as the valuable and vulnerable assets that they are. While financial institutions have employed sophisticated security measures for some time, the changing nature of loyalty programmes now requires the same of the travel industry.

The earning and burning of miles or points across the membership of an alliance is one of its marketing headlines, which can only be protected by a concerted and collaborative effort by each carrier and the alliance collectively.

Another serious risk for airlines as well as alliances is from the ‘insider threat’, also called the ‘trusted insider’. This represents a real and enduring risk to the industry. An insider threat is a threat to an organisation that comes from people within the organisation, such as employees, former employees, contractors, suppliers or even business associates who have inside information or access to IT, financial and other operating systems and infrastructure.

There can be a no more tragic example of a possible ‘insider threat’ than the possible hijacking of Malaysian flight MH370 by its own captain before it seemingly crashed killing all 239 passengers and crew on board in March 2014. Whilst it was Malaysian’s aircraft lost, as a member of Oneworld, its alliance partners also had booked their passengers on the flight and such reservations could well have been made without the passenger realising they were even going to be flying on a Malaysian aircraft; any safety or security incident impacting one member of an alliance affects all the other partners.

The potential risk to an alliance demands that each member airline is alert and proactively develops and employs strategies to combat this real and increasing threat.

Advancements in technology could also provide progressive alliances with the opportunity to lead the industry in addressing contemporary challenges such as the better tracking of aircraft.

2014 was an extremely tragic year for Malaysian Airlines. After the disappearance of MH370 in March, on 17 July MH17 was shot out of the sky over Hrabove, in the eastern part of Ukraine killing all 283 passengers and 11 crew onboard. This was also a KLM codeshare flight and the aircraft was flying in unrestricted airspace at 33,000 feet. The Ukrainian authorities had restricted the upper airspace for civil aviation to 32,000 feet over an armed conflict zone.

The Dutch Safety Board conducted an independent investigation into the incident, the results of which pose some interesting questions for international carriers but also codeshare partners and alliances, particularly regarding risk assessments, flying over conflict zones and the exchange of information.

The Dutch Safety Board confirmed that, in any code share arrangement, the responsibility for safety and security is borne fully by the operating carrier. It also commented that although the Malaysia Airlines and KLM code share agreement established that the partners exchange safety and security information as well as technical and material support in the area of safety and security, there was no specific reference to the flight route.

The report makes several recommendations for ICAO, IATA and carriers, all of which should be considered and discussed by code share partnerships and alliances. Specific risk assessments for flight paths over conflict zones, even if the airspace is open to civil aviation, and the timely and structured exchange of information between interested parties is at the core of their recommendations. Another interesting and challenging comment worthy of discussions between carriers and their national security agencies is the recommendation that the safety of passengers, crew and aircraft can be improved if states that have relevant threat information regarding airspace shared that information with operators and other interested parties, and not only the operators under their control.

The challenges are great, however, by applying a security and commercial approach that is intelligence-led, risk-based, and outcome-focused, and that utilises the collective experience and skills of the alliance partners while being committed to open communication and collaboration, security can be a valuable contributor to any alliance’s operation and reputation.

Geoffrey D. Askew AM was the inaugural chairman of the Oneworld Security Working Group.