In 2011, a former British Airways worker was convicted on four counts of preparing acts of terrorism. Inspired by the preaching and teaching of al Qaeda’s late propaganda minister, Anwar Al-Awlaki, Rajib Karim, a software engineer, told Awlaki he had access to British Airways servers and could erase all data, causing massive flight disruptions and huge financial loss for the airline. In testimony, airline personnel noted that such an insider attack could have resulted in losses exceeding the equivalent of nearly 30 million US dollars a day, but also noted that Karim did not have access to such systems in his position at the airport.
The “insider threat” to aviation is well known, and many major attacks on aviation have involved an insider as either the attacker or a facilitator. But what about when the insider threat comes from so deep in the system that it’s barely detectable by conventional means? Who’s watching those who are trusted to watch for the insider threat?
Airport workers are extended an extraordinary amount of trust. Through their personnel identification badges, many employees are able to bypass passenger-screening checkpoints to access secure areas of the airport, including passenger aircraft. While recent developments have caused some airports to begin screening airport personnel in the same manner as passengers, or to conduct random physical inspections of workers and their personal property, the access badge remains the primary form of “screening” for airport and airline employees. It is therefore critical that the personnel responsible for issuing what the airport industry calls access/ID or access media can be trusted.
There are 450 commercial service airports in the United States, with the top 30 pushing through nearly 70% of the passenger traffic on an annual basis. At these airports, known demographically as large hubs, badged employee populations number 30,000 to 80,000 and span hundreds of companies. Employees from the airlines, tenants, contractors, airport operator personnel, FAA and TSA workers and vendors must all go through the airport’s badging office before being granted access to anywhere in the airport.
The individuals handling identification badge applications are known as Trusted Agents. Trusted Agents work for the airport operator or airline and are responsible for processing airport and airline workers’ personally identifiable information, sensitive personally identifiable information, fingerprints and sometimes other biometric information, and ultimately they affect whether the worker receives an access-identification badge.
In addition to processing the background checks of thousands of airport workers, Trusted Agents also perform critical functions such as cancelling badge access for workers who have lost their identification, or who have been terminated from employment and have not returned their badge. Trusted Agents also conduct data entry on company and individual access to the airfield, inputting which companies and personnel have access to various parts of the airport. They do the data entry once it has been decided who gets to go where throughout the entire airport.
In two notable cases, airline employees facilitated attacks against their own airlines by using access badges that should have been deactivated and confiscated. In 1987, a US Air employee shot and killed his supervisor, who was commuting on board PSA Flight 1771. He also killed the flight crew and forced the aircraft down, causing the death of all 44 on board. He had recently been fired but still possessed his airline identification, which granted him access to the aircraft without going through screening. In 1994, a FedEx employee who was under investigation was still in possession of his airline identification. He used the badge to access the ramp area and boarded a FedEx DC-10 in order to catch a ride with the crew (a common air crew practice known as jumpseating). At cruise altitude, the employee tried to overpower the flight crew, attempting to crash the aircraft into the ground. He was unsuccessful, but just barely.
In both cases, these insider threats were conventional approaches, and could have been easily avoided if proper procedures had been followed. The challenge of the insider threat today is the ability to use the airports’ computer systems to commit or facilitate an attack. What if former British Airways employee Karim had been a Trusted Agent?
Computer insider threat activity can be difficult to detect if you’re not using the proper insider threat detection tools. The airport and airline badging offices use a series of passwords assigned to individuals, along with other standard security protocols, but with the stakes at risk and the hundreds of Trusted Agents logging in every day, more protection is needed.
In 1998, as the director of a large general aviation airport in Denver, Colorado, I was presented with options from our county IT department that would allow me to monitor the Internet usage of my staff. At the time, I laughed it off. I figured I would know if my employees were spending too much time online, because their work wouldn’t be getting done. Today, unauthorized Internet usage is no laughing matter.
TSA uses its secure website, the Homeland Security Information Network, to connect airport and airline Trusted Agents to the databases used to conduct background checks. But the security of an airport badging office cannot stop at a username and password. Additional robust computer protections and processes must be put into any airport badging office. These should include software that can identify abnormal user behavior, attempts to gain access to sensitive data (particularly when no valid request has been made for that information), and early detection of viruses and infiltration attempts.
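The kind of detection the paragraph above calls for can be expressed as two simple rules over the badging office’s own audit trail: flag any record lookup or badge change that has no open, valid request behind it, and flag a Trusted Agent whose hourly lookup volume jumps well above that agent’s normal baseline. The Python below is an added illustration, not code from the post or from any airport or TSA system; the audit log, the open-request list, the action-to-request policy mapping and the per-agent baselines are all constructed assumptions.

```python
from collections import Counter

# Constructed audit log (not real data): timestamp agent action worker_id [area]
AUDIT_LOG = """\
2024-03-04T09:02:11 agent17 LOOKUP_PII W10442
2024-03-04T09:05:40 agent17 FINGERPRINT_SUBMIT W10442
2024-03-04T09:31:02 agent22 LOOKUP_PII W20911
2024-03-04T10:14:55 agent22 LOOKUP_PII W30877
2024-03-04T10:15:03 agent22 LOOKUP_PII W30878
2024-03-04T10:15:09 agent22 LOOKUP_PII W30879
2024-03-04T11:47:20 agent09 GRANT_AREA W10442 AOA
2024-03-04T13:20:45 agent31 CANCEL_BADGE W55120
"""
# Constructed open requests that justify work on a worker record: (worker_id, type)
OPEN_REQUESTS = {("W10442", "NEW_APPLICATION"), ("W20911", "RENEWAL"),
                 ("W55120", "TERMINATION")}
# Assumed policy: which request types make each action legitimate
JUSTIFIED_BY = {
    "LOOKUP_PII": {"NEW_APPLICATION", "RENEWAL", "TERMINATION"},
    "FINGERPRINT_SUBMIT": {"NEW_APPLICATION", "RENEWAL"},
    "GRANT_AREA": {"NEW_APPLICATION", "RENEWAL"},
    "CANCEL_BADGE": {"TERMINATION"},
}
# Assumed per-agent baseline of PII lookups per hour, learned from past activity
BASELINE_LOOKUPS_PER_HOUR = {"agent17": 3, "agent22": 1, "agent09": 2, "agent31": 2}

def parse_log(text):
    """Split each audit line into a dict; a trailing area field (e.g. AOA) is ignored."""
    events = []
    for line in text.splitlines():
        ts, agent, action, worker, *_ = line.split()
        events.append({"ts": ts, "agent": agent, "action": action, "worker": worker})
    return events

def unjustified_actions(events, open_requests):
    """Actions on a worker record with no open request that justifies them."""
    by_worker = {}
    for worker, rtype in open_requests:
        by_worker.setdefault(worker, set()).add(rtype)
    return [e for e in events
            if not by_worker.get(e["worker"], set()) & JUSTIFIED_BY[e["action"]]]

def volume_outliers(events, factor=2):
    """Agents whose PII lookups in any single hour exceed factor x their baseline."""
    per_hour = Counter((e["agent"], e["ts"][:13])
                       for e in events if e["action"] == "LOOKUP_PII")
    return sorted({agent for (agent, _hour), n in per_hour.items()
                   if n > factor * BASELINE_LOOKUPS_PER_HOUR.get(agent, 1)})
```

On the constructed log, both rules converge on the same agent: three lookups of worker records with no application, renewal or termination behind them, all within one hour and well above that agent’s usual rate, which is exactly the pattern a reviewer would want surfaced before any badge is issued.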
Insider threats to aviation have led to some of the most devastating attacks on our nation’s airways, but in most cases the insider activity was detectable by conventional means. However, an insider threat from within the ranks of the personnel who approve the access of thousands of airport workers on a daily basis could lead to the most devastating attack ever.