In its recent report, America’s Airports: The Threat from Within, the U.S. House of Representatives’ Homeland Security Committee pulls no punches in a clear conclusion: “America’s airports and aircraft remain vulnerable to attack and exploitation by nefarious individuals.”
The vulnerability persists in part because current security practices do not stack up well against potential threats. “Current security standards will likely fail to prevent a determined adversary with inside access from causing harm to an airport or aircraft,” continues the report.
And when one considers the number of people who could be affected, the problem seems especially daunting. Last year, more than 900 million domestic and international U.S.-bound air passengers traveled through the roughly 450 U.S. airports that are under federal supervision and control. As air travel becomes increasingly popular around the world, that 900 million is expected to continue to rise significantly in the foreseeable future.
Those airports are staffed by more than a million workers, and since 9/11, officials have struggled with establishing an adequate screening system for employees.
The first such screening system, the Aviation Direct Access Screening Program (ADASP), was implemented in 2005. The system was deemed insufficient, and it was shut down at the end of 2009. Since then, the U.S. Transportation Security Administration (TSA) has implemented various programs for screening airport workers. It also issued the National Strategy for Airport Perimeter and Access Control Security in 2012.
But not long after the national strategy was released, an avionics technician at Wichita Mid-Continent Airport in Kansas was arrested in December 2013 and charged with attempting to detonate a vehicle bomb. The suspect later said he was able to acquire bomb materials from the airport, and his employee badge allowed him access to the terminal and tarmac.
After other incidents involving airport insiders occurred the following year, then-U.S. Department of Homeland Security (DHS) Secretary Jeh Johnson announced increased security measures for airport workers in 2015. These included biennial fingerprint-based background checks and increased random screenings.
These new measures have been insufficient, the new report finds: “These actions did not address larger problems in the vetting process.” In fact, two months after Johnson’s announcement, the DHS Office of the Inspector General (OIG) released a report stating that 73 aviation workers who held sensitive jobs at airports were found to have possible ties to terrorism, which their background checks did not reveal. Moreover, thousands of TSA employee records were incomplete or contained inaccurate information, the OIG report finds.
The failures associated with these measures are alarming, given incidents perpetrated by insiders at airports. Recent examples discussed in the report include an attempt to detonate a bomb at an airport, incidents of gun and drug smuggling, and cases of airport employees who later became involved in terrorist activities overseas. In all these instances, the workers in question had access to secure areas of the airport. “Much more needs to be done to improve the state of access controls and mitigate the insider threats,” the report finds.
But gaps in the vetting process persist. Only three U.S. airports—Miami International Airport, Orlando International Airport, and Hartsfield-Jackson Atlanta International Airport—have implemented full screening of employees before they can access secure areas of the airport. And TSA still checks employee criminal records only every two years, instead of concurrently, according to the report.
Justin Oberman, a former senior executive with TSA, says it will be crucial for officials to focus on improving security measures for airport workers moving forward. Oberman was one of the three founding managers of TSA in 2001; in a year’s time, he helped the agency grow from three to 65,000 employees, and take over security at 429 U.S. airports. He is now in the private sector, as vice president of identity strategy with SureID.
“We’ve got to get better—better vetting, better background checks, better physical security in the back of the airport. We’ve got a million-and-a-half people with badges in secure areas of the airport around the country. So there’s a lot of potential risk there,” Oberman tells Security Management in a recent interview.
In the committee report, investigators find that one of the main problems is lack of proper security knowledge on the ground level: “Adequate awareness…has yet to trickle down from corporate security officers, TSA, and law enforcement to the frontline workforce where vulnerabilities are most-often exploited.” To illustrate, the report mentions one site visit to an airport where “an airport security director could not cite the number of access points at their airport—a number that most airport security personnel should be intimately familiar with.”
To combat this lack of awareness, the report recommends that airport operators and air carriers better educate employees on their roles in mitigating insider threats and securing access to the sensitive areas of the airport. It also recommends efforts to ensure that credentialing practices remain stringent and are regularly reassessed, and an examination of the feasibility of expanded screening. In addition, the report recommends that TSA implement the FBI’s Rap Back Service, which provides round-the-clock vetting of those who hold credentials.
But one of the main challenges in this area, Oberman explains, is finding the added resources required to implement expanded practices and better security. Airport workers (or their employers) now pay for screening and vetting administrative costs, and “that doesn’t leave a lot of room to continue turning the dial to the right for more funding,” Oberman says.
“If we decide we should be physically screening those workers every day—you can’t do that by just turning up the fees, because it would go from $50 to $1,000. So Congress would have to say, ‘We have to figure that out,’” he says.
In the end, Oberman adds, it is important to realize that there is no silver bullet for airport security; even a system that is standardized across all U.S. airports can be exploited. The best defense, he says, is to have strategic multiple layers of security.
“Standardization cuts both ways. You don’t want to make it so standardized where it becomes predictable,” Oberman says. “Multiple layers of security includes having a certain element of unpredictability, so people could not figure out how to game the system.”
For more information on how the TSA is training airport workers, check out the video “TSA Offers Hands-On Training for New Hires” by Holly Gilbert Stowell on the SM website.