The Insider Threat: what will it take to be taken seriously?

By Dr. Erroll G. Southers

Albert Einstein defined insanity as, “doing the same thing over and over again and expecting different results.” After more than a decade of layered security enhancements consisting of policies, processes and technology focused on reducing the risk of passengers smuggling explosives or other prohibited items on board, we have largely failed to respond to the most dangerous threat: the insider. Although this is not something unknown to aviation security professionals and airport security authorities, most airport countermeasures have not evolved to respond to the adaptive and intelligent nature of the threat. We know we need 100% and randomised methods of employee screening. Yet, we are still doing the same thing over and over again, and expecting different results.

Aviation Remains the Target of Choice

If one were to think as our adversary thinks, it would seem logical to move onto a ‘soft’ target, instead of continuing to focus on the aviation domain. Terror incidents such as the Charlie Hebdo attack in Paris, in which 12 people were killed and 11 others were injured, would seem a logical choice. The targets, including the offices of the French satirical weekly newspaper, a signage production company and a kosher supermarket, are indicative of the likely locations that would garner terrorists’ attention. In a further demonstration of capacity and capability, ISIS-inspired or directed gunmen and suicide bombers hit Paris again, targeting a concert hall, a stadium, bars and restaurants almost simultaneously, leaving 130 people dead and hundreds wounded. While these operations were successful, the aviation domain remains highly desirable, according to the online periodicals produced by some of the organisations considering an attack.

The main objective of an asymmetrical assault is to achieve a desired ‘attack utility’ regarding how and where to strike. The ‘utility’ of an attack is the estimate of the consequences with respect to the intended target’s value as a domestic or international interest, and the political impact the attack will have on the intended audience. Routine pronouncements of responsibility for attacks are illustrative of organisations’ goals of increased notoriety and global recognition.

The most effective utility for the terrorist is fear. This is particularly evident as we consider airports and aircraft as potential targets. Billions have been invested to protect aviation, yet the notion of a successful attack encourages societies to believe that, regardless of security investments, they will never be safe. The intent is to encourage a population to demand a change in whichever political activity a terrorist opposes, up to and including luring countries into a war. Always mindful of the consequential outcomes, utility weighs heavily in the decision-making process of terrorist target selection, possible attack paths, methodologies and execution.

Every issue of al-Qaeda in the Arabian Peninsula’s (AQAP) online magazine Inspire details methodologies to compromise layered airport security countermeasures and technology. A recent article entitled “The Hidden Bomb – What America Does Not Expect” offered instructions for “Breaching Security Barriers,” stating, “Any security system, be it human or mechanical, has weak points through which it can be breached as long as you know its details and mechanism.” Procedures to compromise metal detectors (handheld and walk-through), scent detectors (both biological, such as explosive detection canines, and non-biological, such as explosive detection swabs), pat-down searches and imaging/screening machines were offered, with explicit instructions and illustrations. All of these operational penetration considerations are provided to the reader with the assumption that the most effective and efficient option is not available: an insider with knowledge and access.

Lessons Learned

Two separate attacks in 2010 revealed two new security considerations: the presence of the insider threat and the vulnerability of cargo as well as passenger aircraft to attack. In September, AQAP claimed responsibility for the downing of a UPS cargo plane after take-off from Dubai airport. Shortly after that incident, two bombs disguised within a printer cartridge were slipped into the supply chain and discovered at Britain’s East Midlands Airport and in Dubai. In both cases, the devices likely compromised layered security as a result of access and knowledge of the airport’s countermeasures, suggesting the involvement of someone uniquely familiar with the security systems in place.

The threat of Americans enlisting in the ranks of foreign fighters is also of increasing concern. Three men recruited from Minnesota, who intended to join ISIS or al-Shabaab, were arrested and disclosed that all had once held jobs at the Minneapolis-St. Paul Airport. As a result, each of them was provided with a security clearance granting access to what is known as the ‘sterile’ or most sensitive area of the airport. These are the areas for aircraft, cargo and baggage, and the locations that passengers never see. Fortunately, the airport was not the target and these men were more determined to fly overseas than to inflict damage at their point of departure. We may not be as lucky next time.