Airport Security: Mitigating the insider threat
Posted: 24 May 2016 | Lauren Stover (Director of Security at Miami International Airport) | 1 comment
The ‘insider threat’ is emerging as one of airport security’s greatest nemeses. Lauren Stover, Director of Security at Miami International Airport, believes that the key to mitigation lies in behaviour detection training. After all, technology comes and goes but the ability to detect anomalies in behaviour will always be of value…
As security directors, we often find ourselves being contacted by various private companies looking to sell us the latest and greatest in security technology. As I sit and listen to the pitches of hundreds of companies out there touting their latest advances in security technology I regularly find my thoughts drifting to ‘I wish we could get this, but we don’t have the funds’. I have now learned to be up front and advise vendors that they are welcome to come to Miami International Airport (MIA) and show us their innovations, but that there is no funding in the budget for this wonderful product they are so eager to demonstrate.
As with any new technologies, what is here today is usually gone tomorrow and replaced by another emerging software or system. The Transportation Security Administration (TSA) has a lab in Atlantic City, New Jersey where they conduct research and development in testing new technology emerging in the marketplace. At one point there was much excitement over ‘Puffers’. This high-tech $150,000 Explosive Trace Detection machine was designed to analyse particles that it shook loose from a human in a glass portal with a blast of air. However, the dirt, debris and humidity commonly found in airports reportedly rendered it useless, causing the TSA to retire them in 2010 after spending nearly $30 million. The TSA then unveiled backscatter technology – its new ‘rave’ – but after a public outcry due to privacy concerns, the TSA replaced it with Advanced Imaging Technology (AIT) which is currently in use but does have its limitations and comes with its own share of controversy. The only constant is that aviation security is a continuous revolving door of change based on emerging threats.
Another struggle for airport security directors is the industry’s reputation for not being revenue generators for airports. We could argue that if we keep our airports safe it will result in the airport’s ability to operate which, in turn, results in increased revenues. However, that argument is intangible and difficult to quantify. Instead we find ourselves having to defend the budgets we have for personnel, salaries, maintenance and possibly a few extra goodies we want to acquire that won’t impact the landing fees for our airlines. Unfortunately, it is often the result of an exposed vulnerability, a security incident or a federal fine that gets the attention of those who hold the purse strings. We recognise that airports are a business and we have to watch the bottom line. MIA, however, is a residual airport which means we do not make a profit. We basically need to generate exactly what we need to operate a myriad of airport operations. Airlines’ fees must simply cover the support costs. The industry is cut throat and competitive so all of the great security technology available is considered a ‘nice to have’ rather than a ‘need to have’. Regrettably, security doesn’t come with an open chequebook.
A cost-effective solution
So what is an airport security director to do with a limited budget and growing threats? First, we need to define and calculate our threats: What are the threats to airports today and tomorrow? What are our vulnerabilities? And what are the consequences if we don’t mitigate those threats? That is the framework in which we operate at MIA.
First we must consider the threats. There are too many to list but to name a few: vehicle borne improvised explosive devices (VBIED), an active shooter, cyber threats, improvised explosive devices (IEDs), weapons and other prohibited items aboard an aircraft, assault within the aircraft, and – emerging as one of the greatest challenges – the ‘insider threat’, which fuels many of today’s threats. In addition, airports must be mindful of criminal activity and not just terrorist threats. Baggage pilfering, petit theft, cargo theft, drug smuggling, human trafficking and a myriad of other illicit activities are threats that we must address.
While there is no ‘silver bullet’, at MIA, we have found a cost-effective solution that makes a big difference in our security posture. It’s called ‘behaviour detection training’ and it is one of the best tools in our arsenal to help us combat these threats. It is our belief that technology comes and goes, but the ability to detect anomalies in suspicious behaviour never grows obsolete. It functions using human capital as a primary security asset. Although human capital can be considered as a great contributor to insider threat, we have found that teaching employees at an airport to be vigilant and look out for suspicious behaviour, even among themselves, is an effective and inexpensive methodology that helps us mitigate that threat.
Suspicious behaviour most always precedes an actual event, but is too often only recognised in hindsight. MIA is the first airport in the United States to mandate that all of its employees be trained in detecting suspicious behaviour. This is being coordinated through our Airport Police Department which is trained in behaviour detection. They, in turn, train every new employee at MIA using the credentialing process. Each employee that receives an airport credential is mandated to take this training. Employees watch a presentation on terrorism, learn about its history and mind-set, and are taught that the methodology is not about profiling a person’s race, ethnicity or religion, but rather their behaviour. We teach them what is suspicious behaviour and what to do when they see something that looks out of the ordinary.
Most humans operate from instinct and intuition, which is the foundation of behaviour detection, yet we do teach employees about methods and behaviours that are key indicators for those that wish to harm.
Rolling out the progamme
How does an airport launch the programme? Basically it takes an investment in its police or airport security personnel who, in turn, train the airport employees.
Our airport police received a full week of intensive training including detecting fraudulent documents and defensive measures (when engaging a hostile individual). Once we had a core group of officers trained, we started to get the word out by offering the classes to interested airport workers. For me, in 2006 when I decided to launch this programme I didn’t have the ability to click a ‘send’ button on my computer and get the word out to 40,000 employees that we were offering this training. Rather we used the media. An unlikely partner for a security initiative, but it worked. It was the fifth anniversary of the 9/11 attacks and we thought that by launching this programme, we were commemorating those who lost their lives on that day.
We took a group of janitors who worked in the terminal (knowing this would be a good visual for the press) and made them our first class. We invited the media to cover the beginning of the class (basic introduction) and before we knew it we had national television coverage from NBC, ABC, CNN and MSNBC, including publications and newspapers to provide international media exposure. It was a great way to send a message to our adversaries that MIA is watching. It was also useful to spread the word to our employees to inspire them to voluntarily sign-up for the programme. Eventually we were able to weave this training into our mandated TSA Security Awareness classes, thus ensuring every new employee at MIA takes this training before receiving an airport credential. The hour-long training is conducted in person by a trained police officer and covers the importance of being vigilant with some tips on how to engage with the public, including airport workers. For our employees who primarily work in public areas, we also offered classes that were four hours in duration with on-the-job training. This type of specialised training was customised to the domain in which the employees operate.
Within the first two years of the programme, the results were dramatic. Hundreds of calls would come into our police station with employees reporting suspicious behaviour. Our crime statistics were the lowest in MIA’s history. Over 100 cases were opened with many being referred to the Federal Bureau of Investigation and the Department of Homeland Security. Our employees were being encouraged to call in suspicious behaviour and were trained that it is more important to report suspicious behaviour than to be right about it.
While the media was helpful in launching our programme, it certainly is not the key to success for launching such a programme. Our programme was initially conducted on a voluntary basis, so getting the buy-in by the airlines and our business partners was critical for a successful permanent implementation. Once that was secured, it was a matter of getting the word out. Given the number of employees and companies that operate out of MIA, we decided to use the media. Other airports may want to employ a different approach. MIA is now acquiring a mass notification system which could have helped us at the onset of the programme.
Maintaining the programme and the interest of employees is also critical. Our employees feel appreciated as part of MIA’s security programme, with many receiving rewards and accolades at our monthly MIA Security Partners meeting for reporting suspicious behaviour. Our whole approach to security is to make our employees feel as though they are part of the aviation security community. Certificates of appreciation, recognition by the employer and commendations in an employee file, are all rewards that invigorate employees to continue their vigilance.
MIA is also in the midst of launching an enhanced Insider Threat Programme, geared toward tracking the patterns and behaviours of employees that may be involved in multiple incidences. An employee who may be stopped for speeding on our ramp, may have also had their airport access credential confiscated for a security violation. Monitoring employees activities on their computers as well as their performance record are key indicators in analysing an individual’s intentions. By evaluating their activities across the various systems of the airport, we can identify and flag potential threatening behaviours that will enable us to assign an appropriate risk rating to each employee. Another layer of security we use to mitigate the insider threat is the screening of all airport workers whose primary responsibilities require them to be on the ramp, in the secured areas of the airport. There is much debate about that among airports and rightly so. The controversy stems around its effectiveness against the backdrop of costs. However for us, the costs of not implementing such a programme could be catastrophic. MIA’s $3.4 million investment has been an effective means of controlling access and is part of our layered security approach. In minimising the costs for the programme, we were able to reduce the number of employee access portals from 36 access points to just five.
We have four employee screening portals (one as a back-up) and physically screen all the employees that operate in secured areas. In addition we have private security guards in elevators that have access from public to secured areas, to check employees and their personal belongings. All employees are required to go through screening at the beginning and the end of each shift. We also log electronics for each of the workers to ensure they haven’t acquired any additional items by the end of their shift.
For airports which cannot afford this type of solution, continuous random screening is also an effective means of mitigating the potential insider threat. While we do deploy an employee screening programme at MIA, we recognise our limitations and vulnerabilities, even with this approach. Through behaviour detection training we are able to mitigate even our exposures in the various layers of security we utilise.
While tomorrow promises to unveil ‘newer and better’ technology than today’s solutions, newer is not always better. Technology comes and goes but the methodology of detecting anomalies in human behaviour will never be fully replaced, for humans are the one common unchanging denominator.
Lauren Stover is Assistant Aviation Director, in charge of Public Safety and Security at Miami International Airport (MIA) and Miami-Dade County’s system of airports. She is the first woman in the history of MIA to direct the airport’s day-to-day security, police and fire rescue operations. Lauren joined MIA in 2006 from the Transportation Security Administration, where she was the first Communications Director for the TSA for the Southeastern United States. She later became the Eastern Field Director, overseeing security-related outreach programmes for more than 200 airports in 20 states. Lauren has been recognised for launching the Behaviour Pattern Recognition Programme for MIA employees, earning her a National Association of Counties award for the Aviation Department. During her career she has also received an Outstanding Law Enforcement Officer of the Year Award, an International Women’s Day Award and a Woman Extraordinaire Award. Lauren also serves on the Executive Board of the Southeast Regional Domestic Security Task Force as the first aviation security representative covering Monroe, Dade, Broward and Palm Beach counties.