The U.S. Government Accountability Office (GAO) has published a report examining efforts by the Transportation Security Administration (TSA) and aviation stakeholders at U.S. airports to address “insider threat,” or the risk that “an aviation worker uses their access privileges and knowledge of security procedures to exploit vulnerabilities of the civil aviation system and potentially cause harm.” While TSA plays a critical role in insider threat mitigation, the issue is a major concern for aviation security stakeholders, including airlines, airports, and security service providers. In recent years, there have been cases of airline employees using special security access to circumvent regulatory security requirements, such as for purposes of facilitating the transport of illegal contraband. As a result, prevention and detection of insider threat — and associated legal concerns — remain a high priority for government and industry alike.
Airport operators, airlines, and other regulated entities are required to implement security procedures pursuant to TSA-approved security programs, which cover day-to-day security operations. In addition to government-mandated measures, GAO found that aviation stakeholders “choose to implement security measures beyond those required by TSA.” TSA, for its part, establishes and implements measures such as insider threat awareness and training, dissemination of intelligence information, and vetting of aviation workers seeking unescorted access to security-restricted airport areas. TSA also conducts inspections and assessments of regulated entities like airlines and airport operators to assess compliance.
Insider threat raises significant legal and regulatory compliance concerns for airlines, airports, and other regulated entities. First, regulated entities that do not comply with TSA regulatory requirements risk enforcement action, which could result in significant penalties. Proper review of security threats and vulnerabilities can help reduce legal liability and strengthen compliance. Second, airlines enter into “exclusive area agreements” with airport operators whereby airlines assume responsibility for specified security measures for all or portions of an airport’s security-restricted areas, including access points. Regulated entities entering into such agreements, which effectively expand their regulatory responsibilities, can enhance security while reducing potential liability for regulatory compliance violations by carefully drafting these agreements to establish a proper framework to meet these expanded obligations. Third, if improperly addressed, insider threat presents a risk of significant litigation-related liability in the event of an incident.
GAO concluded that TSA needs to adopt a more strategic approach to combatting insider threat and recommended that TSA (1) develop and implement a strategic plan that has specific strategic goals and objectives and (2) develop performance goals to assess progress achieving objectives in the strategic plan. TSA agreed with GAO’s recommendations, and is drafting a “2020 Insider Threat Roadmap” that will outline the agency’s strategic goals and objectives and guide TSA’s implementation of specific measures to combat insider threat. Such an approach should strengthen the collective effort of government and industry to combat insider threat. Such an approach should strengthen the collective effort of government and industry to address this critical area of aviation security.