Insider threats have long existed in the airline industry, such as when a Horizon Air employee commandeered a turboprop passenger plane from Seattle-Tacoma International Airport in August 2018, or an American Airlines mechanic tampered with an aircraft’s air data module (ADM) system in 2019. These same threats are amplified in 2020 as the aviation industry faces a global pandemic that has forced airlines to upend every part of their business and increased the risk of negligent or malicious insiders.
Aviation leaders need to take a holistic approach by creating an insider threat program across the aviation industry, according to a new report from experts at Deloitte. The report, Aviation Insider Threat Mitigation, offers ten recommendations that make up a holistic approach for aviation leaders to use when creating insider threat programs.
“You want to set up an insider threat program based on looking at a variety of different aviation incidents and then foundationally insider threat incidents as a whole because many of these insider threats are cross-industry things that you should begin to do, not to say that you’re not already doing them, because in many instances, you may be doing some of these, but you may not be doing all of them,” Mike Gelles, director at Deloitte and intelligence and national security expert, told Avionics International.
The first consideration the report suggests is defining the threat. Gelles said defining the airport’s threat and risk tolerance is key to creating a successful insider threat program.
“If you’re just starting an insider threat program, you’ve got to define what you’re trying to protect,” Gelles said. “What is your risk appetite? And then what’s your risk tolerance? That’s kind of one in two. What is it that you really are trying to protect? And what are you willing to do and not willing to do as relates to the business? … If you haven’t done that, honestly, it’s very hard for the rest of this to fall in place because it’s almost as like you’re building an organization without any real defined strategy.”
After establishing the insider threats, the aviation industry needs to engage a broad set of stakeholders, according to the report. This is challenging within the aviation industry in particular because of how many stakeholders exist within the ecosystem, Gelles said.
“I do think it’s important to recognize when we look at insider threats across industries that aviation is a very complex industry and probably one of the most challenging,” Gelles said. “There needs to be layers of cooperative insider threat programs to mitigate an insider threat within the ecosystem, meaning there needs to be components at the airport, there needs to be components within the airlines, there needs to be components that exist with the vendors and that all needs to be integrated at some point in time.”
The complexity increases when you consider ownership structures and ultimately responsibility for mitigating insider threats, Elizabeth Krimmel, senior manager in Deloitte’s government and public services practice, told Avionics.
“So, I, as an airport, might have eight terminals, and I might have five different terminal operators managing those, I’m acting as the landlord and where does my control start and stop and where does that hand over to the terminal operator,” Krimmel said. “We start to talk about working groups, then it becomes who’s responsible? Who owns this piece of it, and ultimately, who owns responsibility? I think that gets really fuzzy in a large airport system and even more so now when airports are so focused on how we recover from COVID, that’s the right time for these blind spots to open up.”
From there, the report recommends looking for precursors, creating vetting programs and periodic vetting practices, connecting the dots when risky behaviors arise and setting behavioral expectations.
“What am I willing to do and not willing to do to keep the business going and that’s where there’s a very significant balance between what an organization is willing to do to compromise security and then if there’s too much security, it compromises the business,” Gelles said.
All of these vulnerabilities existed before the COVID-19 pandemic hit in 2020, and they have only been amplified by the furloughs and layoffs that have occurred as a result.
According to Gelles, employees separating from any organization, whether they are furloughed or leaving voluntarily or involuntarily, rise to the top as one of the highest risks as a potential insider threat. The risk lies both in whether they are disgruntled and in what they want to take with them: the type of information they can take either to sell for personal gain or to exploit elsewhere in obtaining a new job or a new position.
However, layoffs and furloughs are not the only vulnerabilities presented by the pandemic. Gelles said because of the particular circumstances presented by COVID-19, insiders with malicious intent could cause significant damage by tampering with health and safety measures.
“If I wanted to be an insider with some malicious intent, then I could really compromise some of the health and safety practices that are going on in the aircraft in some form or fashion. Could that be the air filtration system? Could that be the methods that are there to protect the passengers? And I could compromise the brand and reputation of an already struggling company,” Gelles said.
COVID-19 has understandably become a top priority in the aviation industry. However, the time and attention that have had to be dedicated to disease mitigation have diverted resources from insider threat priorities. The aviation industry has had to add another item to an already full list of priorities while working with fewer resources.
“Airport operators are thinking about so many different things and it just dilutes the number of things that they have time to spend executing,” Krimmel said. “Something like this requires focused and coordinated attention and as the threats get more challenging and our adversaries get more creative, it only becomes harder. But resources are not expanding at that same rate. So, airports are really doing a lot more with a lot less than they were 5, 10, 20 years ago. It’s just very challenging and especially even more so now with COVID.”