Mitigating Insider Threats in the Domestic Aviation System: Policy Options for TSA

Brian Bean

EXECUTIVE SUMMARY

The Transportation Security Administration (TSA) defines insider threat as “one or more individuals with access and/or insider knowledge that allows them to exploit the vulnerabilities of the nation’s transportation systems with the intent to cause harm.”[1] Well-placed insider threats are ideally positioned within the nation’s aviation system to further terrorist plots, carry out illegal smuggling operations, and conduct espionage. The literature demonstrates TSA operates several security programs designed to mitigate this threat, but these programs have some notable limitations. Recent terrorist plots within the national and international aviation systems have leveraged or attempted to leverage trusted insiders, thus highlighting the urgency of the issue for TSA.

TSA and the Federal Bureau of Investigation (FBI) agree insider threats represent one of aviation security’s “most pressing concerns.”[2] TSA employees alone account for over 50,000 aviation workers nationwide with access to sensitive areas and information at domestic airports. A 2017 House Homeland Security Committee report cites approximately 900,000 aviation workers at approximately 450 federalized airports.[3] Herein lies the potential insider threat within the aviation system from both TSA employees and other workers. Trusted insiders are familiar with weaknesses in internal policies and procedures, physical security, and information technology systems.[4] Many of these employees are granted secure identification display area (SIDA) badges, which give them physical access to many of the most sensitive areas of an airport, including planes on the runway and passenger baggage transiting areas.[5]

The severity of this threat to the domestic aviation system is significant and demonstrated by the following incidents. In 2013, avionics technician Terry Lee Loewen of Wichita, Kansas, attempted to detonate a vehicle-borne improvised explosive device outside the passenger terminal of Mid-Continent Airport from the secure (runway) side of the airport.[6] Another example is the 2009 case of Rajib Karim, who worked as an information technology employee with British Airways and was in regular contact with an overseas al-Qaida terrorist leader of significant stature. Mr. Karim used his employee access to identify vulnerabilities and opportunities to attack the aviation system, including the recruitment of baggage handlers to place an explosive device onboard a U.S.-bound aircraft.[7] In 2014, Mark Quentin Henry, an employee of Delta Airlines, smuggled 153 firearms on 17 different flights between Atlanta and New York City using his employee access to avoid scrutiny.[8] These cases illustrate serious vulnerabilities to insider threats within the aviation system.

This thesis reviews and analyzes the insider threat programs of four organizations in addition to TSA: the Department of Homeland Security’s Office of Intelligence and Analysis (I&A), the FBI, the Centre for the Protection of National Infrastructure (CPNI, part of MI5 in the United Kingdom), and private company / federal defense contractor Lockheed Martin. Identifying the best practices from these organizations helps analyze the effectiveness of TSA’s insider threat measures. This thesis also explores whether TSA can be more effective at insider threat prevention with additional intelligence collection authorities.

TSA currently mitigates insider threat issues through a variety of security measures and employee training initiatives.[9] These measures include the agency’s Insider Threat Working Group and Insider Threat Section, which are responsible for developing an integrated strategy for addressing these threats. TSA also performs airport vulnerability assessments and monitors information technology systems for indicators of insider threat behavior. Finally, TSA conducts name-based vetting for concerning criminal or terrorism records for all TSA employees and aviation workers. The gap in these measures is that despite initial and recurring employee vetting, some insider threats are not being detected during the planning stages. It is worth considering whether more can be done to detect radicalized or criminal insiders before they have a chance to act. More specifically, is there a role for counterintelligence in TSA’s insider threat programs?

The literature reveals that I&A, the FBI, and Lockheed Martin are operating or developing internal counterintelligence programs to mitigate insider threats. Counterintelligence is inherently an offensive measure as compared to security programs, which are defensive in nature. Additionally, counterintelligence is often clandestine activity conducted for national security purposes against a target with suspected or known affiliations with a foreign intelligence service or foreign persons, or an international terrorist organization.[10] Some of the more aggressive counterintelligence measures include double-agent operations and controlled source operations with the intent to collect intelligence on a target.[11]

Ultimately, the research demonstrates there are three key aspects of a model insider threat program: security, counterintelligence, and organizational culture. One of the weaknesses of the TSA insider threat program is its focus on detection and response. The program assumes there will be an ideologically or criminally driven individual lurking in the shadows and waiting for an opportunity to leverage legitimate employee access to further a plot. While this scenario is plausible, TSA’s program tends to ignore the ability of an organization’s cultural factors to prevent an insider threat from acting due to an established security awareness ethos. CPNI and Lockheed Martin are two organizations that heavily emphasize an organizational culture of security awareness as an insider threat mitigation cornerstone.

This research also suggests the first goal of an insider threat program should be prevention by not employing someone as an insider who poses a threat in the first place. The next goal is to deter the insider threat from acting through the perceived likelihood of discovery. Finally, if an insider cannot be deterred, TSA should have the ability to detect and investigate the insider threat. A comprehensive insider threat program must incorporate all three of these goals.

Successful insider threat programs require a strong balance between security, counterintelligence, and organizational culture. The end goal should be to intersect security and counterintelligence programs. In the words of Robert Hanssen, arguably the most damaging American spy for the Soviet Union, “CI [counterintelligence] attacks the actor. It attacks the opposition intelligence structure. It is not speculative. CI feeds security because it helps them focus on meaningful measures and safeguards. Using CI to help security is just smart security.”[12] This thesis recommends focusing on identifying methods for TSA to develop a counterintelligence program, creating a more visible security presence in the SIDA areas of the airport, and improving the security ethos among TSA employees and aviation workers.

[1] Frank Deffer, Transportation Security Administration Has Taken Steps to Address the Insider Threat but Challenges Remain (Washington, DC: U.S. Department of Homeland Security, Office of the Inspector General, 2012), 2.

[2] Jennifer A. Grover, Aviation Security: Airport Perimeter and Access Control Security Would Benefit from Risk Assessment and Strategy Updates (Washington, DC: U.S. Government Accountability Office, 2016), 22.

[3] John Katko, America’s Airports: The Threat from Within (Washington, DC: House Homeland Security Committee, 2017), 2.

[4] Deffer, Transportation Security Administration, 4.

[5] John Roth, TSA Can Improve Aviation Worker Vetting (OIG-15-98) (Washington, DC: U.S. Department of Homeland Security, Office of Inspector General, 2015), 8.

[6] Cassandra Lucaccioni, “61st Terrorist Plot Against the U.S.: Terry Lee Loewen Plot to Attack Wichita Airport,” The Issue Brief, no. 4110 (December 2013), http://www.heritage.org/research/reports/2013/12/terry-lee-loewen-terrorist-plot-in-wichita-kansas-airport.

[7] “Terror Plot BA Man Rajib Karim Gets 30 Years,” BBC News, March 18, 2011, http://www.bbc.com/news/uk-12788224.

[8] Katko, America’s Airports, 9.

[9] Deffer, Transportation Security Administration, 28–29.

[10] Exec. Order No. 12333, 46 Fed. Reg., 3 CFR, § 2.4 (1981), https://www.archives.gov/federal-register/codification/executive-order/12333.html, 24.

[11] Mark L. Reagan, ed., Terms and Definitions of Interest for Counterintelligence Professionals (Washington, DC: Department of Defense, 2014), 52.

[12] Mark L. Reagan, Introduction to U.S. Counterintelligence-CI 101, a Primer (Washington, DC: U.S. Department of Defense, 2005), 11.
