Aviation workers who use their access privileges to exploit vulnerabilities and potentially cause damage to the country's airports represent an internal threat. As of October 2019, there were an estimated 1.8 million aviation workers at the nation's airports. The Transportation Security Administration (TSA), airport operators and airlines share the responsibility of mitigating all internal threats at airports.
The Government Accountability Office (GAO) was asked to review the efforts of TSA and aviation stakeholders to mitigate internal threats at airports. To do this, GAO reviewed the TSA guide; analyzed the TSA data of a questionnaire sent to a representative sample of airport operators; and obtained information from TSA officials, officials of larger US-based airlines. UU. and a non-generalizable sample of seven airport operators, selected, in part, based on the number of aircraft takeoffs and landings.
An internal threat includes direct risks to TSA security operations, as well as indirect risks that may compromise critical infrastructure or undermine the integrity of the aviation security system. For example, a worker may use their access for contraband contraband or intentionally damage the equipment, or the threat may arise from a complacent or negligent approach to potential policies, procedures and risks.
From fiscal year 2017 to fiscal year 2019, there were an average of 138 internal threat references per month, with an average of 14 (again per month) that require further investigation. Examples included a mechanic at Miami International who tried to sabotage a component of the aircraft on board; a ground service agent who used his access to bard and fly an empty plane from Seattle-Tacoma Internationals; and a arms smuggling operation at Hartsfield-Jackson Atlanta International.
Currently, the TSA, airport operators and airlines mitigate internal threats through a variety of efforts. For example, the TSA Internal Threat Program comprises several TSA offices with ongoing internal threat mitigation activities, including long-standing requirements that address access controls and background checks, and compliance inspections. TSA also initiated additional activities more recently, such as social network analysis and implementation of random evaluations of workers led by TSA in 2018.
Meanwhile, airport officials and airlines implement security measures in accordance with programs approved by the TSA and can implement additional measures to further mitigate threats. For example, many airport operators reported that they use biometric access control technologies. In addition, some airlines reported having performed more rigorous background checks before issuing identification credentials to employees.
Airports, airlines and the TSA have come a long way in recent years to secure their infrastructure and passengers against the internal threat, but these strengths are weakened by the lack of a strategic plan. And this could be due to the lack of continuity in leadership, which the agency has suffered in recent years.
As the GAO report of February 10 says: "The TSA Internal Threat Program is not guided by a strategic plan with strategic goals and objectives nor has performance goals."
The TSA does not have an updated strategic plan that reflects the current status of the Program, and TSA officials told the GAO review that the plan was not updated due to the rotation of the top executives. When the Internal Threat Program began in 2013, TSA initially developed a 2014-2016 Internal Threat Action Plan, which described TSA's vision of an integrated internal threat program in TSA and included strategic goals, each with a set of objectives. However, according to TSA officials, TSA did not fully implement this Action Plan, and TSA did not renew or revise the Action Plan after 2016 due to the departure of the key sponsoring lead leader. TSA officials also told the GAO review that the Action Plan does not reflect all existing activities that the TSA Internal Threat Program currently covers because the Program has changed since 2014.
In January 2020, TSA was in the early stages of developing a roadmap that could serve as a new strategic plan for the Program. However, GAO discovered that officials had not finalized the content and were not sure when it would be completed and implemented.
GAO recommends that TSA develop and implement a strategic plan for its Internal Threat Program that includes strategic goals and objectives. The Department of Homeland Security (DHS) agreed and noted the 2020 Internal Threat Roadmap, which, when completed, will include strategic goals and objectives to guide the TSA in its efforts to mitigate internal threats.
The GAO report also notes that the TSA "has not defined performance objectives with objectives and deadlines to assess progress in achieving the Program's mission." Without a strategic plan and performance objectives, says the GAO, it is difficult for the TSA to determine if its approach is working and if progress is being made to deter, detect and mitigate internal threats to the aviation sector.
The review found that some TSA offices have developed indicators to measure the characteristics of their internal threat activities, but these do not exhibit the characteristics of the performance objectives defined by the Office of Administration and Budget. For example, the TSA Security Operations office developed Key Performance Indicators for its ATLAS operations, which are operational indicators for TSA personnel carrying out countermeasures. This includes that teams must evaluate a percentage of workers who pass through the control point and must comply with the assigned evaluation time allocation. However, operational indicators such as these do not include baselines and deadlines for their completion, which are characteristic of the performance objectives described by the Office of Administration and Budget.
GAO says that the TSA must develop performance objectives for its Internal Threat Program that assess progress to achieve the strategic objectives in the internal threats strategic plan. DHS agreed with this recommendation and said that the TSA 2020 Internal Threat Roadmap will include performance measures.
While there was no date available to complete the roadmap during the GAO review, DHS responded that it expects to complete it by June 30, 2020. It will be submitted to the Executive Steering Committee for Internal Threats for approval and planned implementation.
(Visited 10 times, 15 visits today)