Preliminary Thoughts on the Role of Insiders in Attacks on Transportation Targets

The alleged involvement of ground staff who were jihadist sympathizers in planting the bomb that brought down Metrojet Flight 9268 in Egypt in October 2015, the involvement of a former Brussels Airport employee in a bombing at the airport and the subsequent allegation by Belgian police that as many as 50 sympathizers of the Islamic State worked at the airport, some with security passes that allowed them access to aircraft cockpits, have heightened concerns about the use of insiders in attacks on air and surface transportation.1

This report presents a preliminary examination of the role of insiders in such attacks, based on the Mineta Transportation Institute (MTI) database of attacks on public surface transportation, which includes incidents from 1970 to the present, and our own preliminary compilation of attacks on air transportation targets since 9/11. We also used material derived from earlier research and information provided by a former U.S. aviation security official.2 The report presents some initial conclusions, but they may be modified to reflect the findings of further research.

Insiders are persons who, as a result of their position, possess confidential knowledge about or have privileged access to facilities and operations. Criminal insiders decide on their own or are suborned by others to use such knowledge or access to threaten, carry out, or assist others to carry out theft, armed robbery, extortion, sabotage, and espionage. Their decision to betray the trust placed in them by the government or an employer may reflect personal motives, such as greed, revenge, or mental disorder, or group grievances related to labor demands or ideological causes. Insiders may become criminals after they become insiders, or they may try to infiltrate a target organization or facility with the intention of committing a crime.

Insiders pose a special problem for those charged with security. Although knowledge and access can be restricted according to levels of trust, even menial positions require access and knowledge of how things work. Responding to the news that one of the bombers at the Brussels Airport had previously been employed at the headquarters of the European Union, one Belgian official said that low-level cleaning jobs went to poor immigrants who were vulnerable to radicalization and who changed jobs a lot, making pre-employment vetting a continuing and costly challenge.3 The status of such employees may be regularly reviewed, but that is costly, and even in intelligence services where individuals are subjected to the most rigorous background investigations and continuing surveillance, there is still no guarantee of continuing fidelity. Insiders can be dangerous adversaries.

Insiders are not all killers. Although they may be willing to betray the trust placed in them, their actions may be constrained by reluctance to harm innocent people or fellow employees. In terms of the threat to human life, the most dangerous insiders are those who are in a position to create disasters and who, because of mental disorder or powerful beliefs, have no such constraints. For example, there have been five incidents of a commercial pilot crashing a plane filled with passengers since 1982, crashes that have resulted in 539 deaths.

The role of insiders in criminal activity

It should be noted that few incidents of terrorism have involved insiders, and this is not surprising. Insiders are seldom necessary in terrorist attacks, because more than 80 percent of such attacks are directed against unprotected targets—targets with no guarded perimeters to penetrate—or involve tactics such as firing rockets or mortars from a distance, obviating the need to get past security.

However, research on the role played by insiders in other areas of crime allows us to derive hypotheses regarding potential attacks on transportation targets.

Traditional industrial sabotage (which may occur, for example, during labor disputes or as part of resistance struggles) often involves insiders, motivated by either collective grievances or individual hostility. Incidents of industrial sabotage have occurred in the transportation sector during past railroad and bus labor disputes. Although sabotage is historically associated with actions by workers to slow or disrupt production, saboteurs are not necessarily insiders. Research on industrial sabotage published by the RAND Corporation in the 1970s showed that employees were responsible for roughly one-third of the incidents of industrial sabotage. A review of 78 incidents of sabotage or “malicious tampering” on American railroads between 1914 and 1958 found that “the stimulus for nearly all of the cases of sabotage was either revenge [which could involve insiders] or ‘evil thrills and pleasure.’”4 Half of the cases of sabotage involving insiders in the MTI database are related to labor strife.

A RAND examination of “high-value heists”—sophisticated thefts and robberies—found that insider assistance was suspected in at least one-third of the cases.5 (The high-value cyber thefts that occur today also appear to require some inside knowledge.) Thieves had inside assistance in penetrating airport security in the infamous 1978 Lufthansa heist at JFK Airport, in which millions of dollars worth of cash and jewelry were stolen, and a 2013 diamond heist at Antwerp Airport. Insiders can be particularly useful in this type of crime, which is characterized by high rewards and tight security.

Finally, an analysis by Kroll Associates showed that more than 90 percent of the cases of economic espionage in the 1990s were carried out by insiders who had access to the information stolen.6

The role of insiders in terrorist attacks

Insiders have generally played only a small role in terrorist plots and attacks. Examples of insider participation in terrorist activities include the following:

• In 2004, a self-radicalized U.S. soldier was arrested for offering al Qaeda information about U.S. capabilities and weapons and volunteering to join the terrorist organization.

• In 2007, another self-radicalized U.S. Navy veteran offered al Qaeda information about the locations and vulnerabilities of U.S. naval vessels.

• In 2008, a homegrown terrorist and former employee of the Long Island Rail Road joined al Qaeda and provided detailed information to help in planning the bombing of a commuter train at New York’s Penn Station.

• In 2009, an employee of a florist located in the lobby of the Marriott Hotel in Jakarta, Indonesia, was recruited by a jihadist terrorist group and used his access to smuggle two bombs into the Marriott and the Ritz Carlton Hotel, which were connected by a tunnel. The two devices exploded, killing nine people and injuring more than 50.

• In 2009, a self-radicalized U.S. Army major whose active duty status enabled him to easily enter Ford Hood Army Base in Texas shot 44 fellow soldiers.

• In 2011, a self-radicalized AWOL U.S. Army private was arrested before he could carry out his plan to shoot fellow soldiers at Fort Hood.

• In 2015, a radicalized government employee and his wife shot and killed 17 persons at his office in San Bernardino, California. The couple did not have to penetrate any security, but the husband was aware of an ongoing office party, which was his target.

In general, however, ease of access to unprotected targets and terrorists’ own determination to participate in attacks generally make the recruitment of insiders unnecessary. No insiders were involved in the terrorist attacks on the Madrid commuter train in 2004, the attack on London Transport in 2005, the attacks in Paris in January and November 2015, or the March 2016 attacks on the Brussels Airport and Metro.

It is interesting to note that according to a press account, one of the Brussels Airport attackers, Najim Laachraoui, the terrorist group’s principal bomb maker, had worked at the airport for five years (until 2012) and “was well informed about security at Zaventem [the municipality in which the airport is located].”7 Despite this knowledge, the terrorists attacked the relatively unprotected public check-in area of the airport, rather than attempting to design a bomb and smuggle it on board an airliner or to detonate a bomb in the sterile area of the terminal. A later report suggested that the bombers had intended to attack the check-in counter at El Al or an American airline, but these were not in the area where the bombs went off.

The role of insiders in attacks on aviation

Some deadly attacks on aviation have been carried out by insiders, including a number of crashes that were caused by pilots, but none of these incidents were related to terrorism. Rather, the attackers appear to have been clinically depressed or otherwise emotionally disturbed:

• In 1982, the pilot of a Japanese airliner deliberately caused the plane to crash, killing 24 people.

• In 1987, David Burke, a former airline employee, shot the pilot and co-pilot during a commuter flight in California, causing the plane to crash with all 43 persons on board. Although this incident was initially perceived as a revenge killing of Burke’s former boss, who was on the flight, a later investigation showed that it was an elaborate suicide–insurance fraud scheme.

• In 1994, the pilot of a Royal Air Maroc flight caused his plane to crash, killing 44 people. However, this cause was later disputed.

• In 1997, the pilot of a Silk Air flight deliberately crashed his plane, killing all 104 people on board.

• In 1999, the first officer of an EgyptAir plane deliberately crashed the plane into the Atlantic, killing 217 people. Egyptian authorities dispute this conclusion.

• In 2014, Brian Howard, a telecommunications technician, set fire to the electrical systems and their backups at the flight control center in Chicago where he worked, seriously disrupting air travel in the Midwest. Howard had detailed insider knowledge of the facility and control systems. He posted a rant against the U.S. government just before the attack, saying it was guilty of immoral and unethical acts, and he was attempting suicide when apprehended.

• In 2015, a suicidal pilot deliberately crashed his Germanwings flight into the French Alps, killing all 150 people on board.

  The role of insiders in terrorist plots against aviation

  Although none of the insiders involved in attacks on aviation have been associated with terrorism, a number of terrorist plots to attack airports or other airline targets have involved insiders:

• In 1984, a Haitian soldier guarding the airport in Port-au-Prince took over an American Airlines flight and ordered the plane to fly to New York, where he was arrested.

• In May 1986, an Air Lanka flight exploded on the ground in Colombo, Sri Lanka. A bomb was left in the cargo hold of the plane by a person who was believed to be a customs official at the airport and a member of the Tamil Tigers, a separatist group engaged in a long terrorist campaign.

• In 1986, four armed passengers rushed the cockpit of an Iraqi Airways flight. When security personnel aboard the flight tried to intervene, the assailants threw a hand grenade into the cabin. As the plane went into an emergency descent, another hand grenade exploded in the cockpit, causing the plane to crash. Although it was never proven, investigators strongly suspected that insiders had helped smuggle the weapons on board the flight.

• In 1987, a customer services supervisor for Air New Zealand, armed with a bomb and using his security pass, boarded an Air New Zealand plane during a refueling stop on a flight between Auckland and Tokyo. He intended to hijack the airplane and have it flown to Libya, but he was eventually overpowered.

• In 1988, three Haitian soldiers on security duty at the airport in Port-au-Prince commandeered an American Airlines flight and flew it to New York, where they surrendered.

• In 1988, the sabotage of Pan Am 103 was alleged to have involved an employee of Libyan Airlines in Malta who ensured that the suitcase with the bomb that brought down the plane would be loaded on a connecting flight and transferred to flight 103. He was arrested but was later acquitted.

• In 1990, a Haitian military guard at the Port-au-Prince airport attempted to take over an American Airlines flight to the United States. After a long standoff, the guard gave up, but he later escaped.

• In 1995, a scheme by Ramzi Yousef to plant bombs aboard 11 U.S.-bound airliners flying across the Pacific was foiled by the intervention of various intelligence and aviation security agencies. Yousef was suspected of further plotting to smuggle bombs aboard U.S.-bound cargo planes. Speculation about how this might be accomplished included scenarios involving the use of insiders. (After Yousef’s arrest, his uncle and co-conspirator, Khalid Sheikh Mohammed, remained at large and continued to explore ways to attack U.S. aircraft. Mohammed eventually abandoned the sabotage route and became the architect of the 9/11 attacks.)

• In 2006, Rajib Karim, a radicalized computer engineer who had once worked for British Airways as a computer specialist, offered to provide information to al Qaeda in the Arab Peninsula that would assist it in attacking the airline. He also applied for a job as a flight attendant in order to carry out a suicide attack, and he sought to recruit other ground-crew members to smuggle a bomb aboard an airliner.

• In 2007, a terrorist plot to blow up jet fuel supply tanks at New York’s JFK Airport involved a former employee who had worked at the airport.

• In 2009, a plot by an Indonesian jihadist terrorist group to bomb airliners flying out of Jakarta’s airport involved a radicalized former Garuda mechanic.

• In 2013, Terry Lee Loewen, a self-radicalized technician employed at the Wichita Dwight D. Eisenhower National Airport in Kansas, offered his knowledge and access to the airport to an undercover FBI agent posing as an al Qaeda operative who planned to carry out a terrorist attack at the airport. Loewen was provided with fake explosives for a suicide vehicle bombing and was then arrested.

• In 2015, insiders linked to jihadist extremists were reported to have assisted in placing a bomb on board Metrojet Flight 9268 in Egypt, which crashed, killing all 224 persons on board.

• In 2016, Somalia’s transport minister said that an employee at the country’s civil aviation office had aided the bombing of a Djibouti-bound Daallo Airlines flight, 8 reinforcing concern that insider attacks pose a major threat to commercial flights.

• In 2016, following the terrorist attacks in Brussels, Belgian police said that as many 50 Islamic State supporters were working at the Brussels Airport as baggage handlers, cleaners, and catering staff. (This raises the problem of how to identify and deal with extremists in jobs that involve access to sensitive areas. For example, in some cases, identification badges can be pulled. Beliefs generally are not a basis for denial of employment, but extremist sympathies can create enormous vulnerabilities.)

Insider participation was suspected but not proven in four cases: the 1984 Iraqi Airways hijacking, the 1988 Pan Am 103 and 2015 MetroJet crashes, and the 2016 explosion on the Daallo Airlines flight. Insiders clearly were involved in smuggling bombs on board aircraft in two other cases, and insiders clearly carried out the three hijackings out of Haiti. However, the bulk of attacks against commercial airliners and the airports and other facilities that service them, including airline offices, navigational aids, and Air Traffic control towers, do not contain any direct evidence of insider involvement.

A preliminary review of 125 attacks since 9/11 on targets connected with commercial aviation outside areas of active military conflict—such as Somalia and Syria—shows that 78 percent of these took place in the developing world, where airport and airline security can be porous and where insiders may not be needed or valuable.

The data also show that the methods used in attacks on airports generally made insiders unnecessary. Approximately 25 percent of those attacks involved automatic weapons, rocket-propelled grenades, and mortars fired from outside the airport; 15 percent involved bombs left in front of or mailed to airline offices or attacks against navigational systems; 15 percent involved armed assaults on airports; and 12 percent involved vehicle-borne improvised explosive devices (VBIEDs) or other bombs left outside the terminal.

There have been relatively few airline hijackings or bombings. Only eight hijackings have been recorded, and five of these were conducted by individuals who had poorly thought-out plans or were mentally unbalanced. Only eight attacks indicating an attempt to bomb an airliner or an actual airline bombing were found, and of these, only three—all on Russian airliners—created any fatalities.

Finally, the way packages or containers will be transported on passenger airliners or in all-cargo aircraft is unpredictable, and additional security measures for cargo handling have been mandated by the U.S. Transportation Security Administration or generated by the industry itself. As a result, it is very difficult for an outsider to predict exactly how to get a bomb onto a particular airplane. This understandably leads to concerns about insiders. While it is probable that insiders in the cargo chain have used their status to transport drugs and other illegal goods, we have found as yet no confirmed case of an insider placing an explosive device in the cargo to bring down an airplane. Nevertheless, the use of insiders seems key to a successful attack involving airborne cargo and therefore needs to be an area of focus for governments and industry alike.

Insider involvement in attacks on surface transportation

Between 1914 and 1958, there were 78 cases of probable sabotage on the U.S. rail system. Forty-five of these involved tampering with switches to cause derailments or collisions. In some cases, signal lights were disabled as well to prevent oncoming trains from seeing that a switch was in the wrong position. There were also some incidents involving tampering with brakes. Only 12 of these cases have been solved. The motive in most cases was individual revenge rather than labor strife. In some cases, deranged individuals or thrill seekers were the perpetrators.

The MTI database of attacks on surface transportation currently does not code for insiders as participants in terrorist attacks. However, a review of the narratives shows that an insider was clearly indicated in only eight of 4,700 incidents. Two of the attacks were made by hostile or deranged employees:

• In 2010, a hostile bus driver opened fire on a company bus carrying fellow workers, killing six and wounding 16.

• In 2012, a deranged Pakistani bus driver pulled out a weapon and killed eight passengers and wounded 27 others.

  Several incidents of sabotage, some resulting in fatalities, were motivated by labor strife:

• Between 1963 and 1964, during a protracted and bitter labor dispute between the railway brotherhoods and the Florida East Coast Railway, striking workers reportedly carried out 250 acts of harassment, vandalism, and sabotage, some of them serious. The targets were freight rather than passenger trains; however, rifle shots were fired at the non-union engineer of a train. A small group of extremists escalated the campaign in 1964, when multiple explosions destroyed a trestle bridge as a freight train passed over it. The crane sent to recover the wrecked train was destroyed by a bomb planted in its boiler. Later, a 50-car freight train was dynamited, and a bomb on the tracks derailed five diesel engines and 27 cars of another freight train. In all, sabotage caused four derailments. The campaign ended in March 1964, when the FBI arrested four union members observed planting dynamite on another trestle bridge.9

• In 1992, a striking worker in Bangladesh threw a Molotov cocktail at a bus, injuring 20 people.

  9 Personal notes from Brian Michael Jenkins, citing research done at RAND by Eleanor Wainstein.

• In 2007, during a national rail strike in France, arsonists set fires and vandalized signal systems, disrupting France’s high-speed rail system. The saboteurs may have been an extreme faction of a union that was resisting settlement talks.

• In 2013, rail employees striking in Pakistan detonated 30 small explosive devices at rail stations. There were no injuries.

• In 2015, a striking bus-company employee in South Africa threw Molotov cocktails at a bus, killing two people and injuring 17.

• In 2016, striking employees in South Africa were believed responsible for damage to Metrorail trains.

  In two instances, former employees carried out acts of sabotage as part of extortion schemes:

  • In 1994, a former employee of the New York Metropolitan Transit Authority (MTA) set off two small incendiary devices on the subway in an attempt to extort money from the company.

  • In 1998, Klaus-Peter Sabotta, a former employee of German railways, sabotaged the railway and threatened to do more damage unless he was paid a large ransom.

    Thus far, no insider-involved terrorist attacks on surface transportation targets have been identified. And the only plot that involved inside assistance was Vinas’s offer to provide his knowledge of the LIRR to al Qaeda for use in planning a terrorist attack.

    Preliminary conclusions

    • Insiders may, for a variety of personal and group motives (e.g., greed, ideology, vengeance), decide to carry out or be suborned to participate in criminal or terrorist activity. However, in only a very few cases have insiders carried out or assisted terrorist attacks.

    • Deranged or hostile insiders bent upon revenge have proved to be deadly attackers.

    • Insiders are likely to play a more important role in attacks on targets that have heavy security—for example, attacks that involve getting weapons or bombs onto airliners or into the sterile area of a terminal or the secure area of the tarmac— particularly in the developed world.

    • Conversely, insiders are less likely to play a role in attacks on targets that provide easy access for reconnaissance and for the actual assault. Such targets include almost all areas of public surface transport, and they may also include areas of airports that are more open and less guarded than the sterile area or the airliners themselves, such as parking areas and areas outside terminals. Carrying out an attack in these accessible areas does not require penetrating a security perimeter and therefore is little different from carrying out an attack on public surface transportation. If there is no “inside,” there is no need for insiders.

• Given the determination of contemporary terrorists to kill in quantity and their willingness to kill indiscriminately, inside assistance is not a prerequisite to success. Public places are plentiful.

• Espionage and theft can now be accomplished remotely via the internet, and these forms of cybercrime have increased. Insiders may play a significant role in these crimes, but this is uncertain. Physical sabotage theoretically may be carried out remotely via the internet, but few cases have been seen thus far. For now, the current threat to passenger rail remains that of low-tech physical attacks carried out with guns and bombs.

• The greatest danger to transportation systems would be the development of terrorists’ ability to disrupt rail control systems, especially those involving high- speed passenger traffic, to replicate the kinds of deadly accidental collisions and derailments that have resulted from human error.

  ###

  PREVIOUS TRANSPORTATION SECURITY PERSPECTIVES

  All papers are available for free download and no registration:

• Transit is a Terrorist Target

• Long-Term Trends in Attacks on Public Surface Transportation in Europe and North America

• The High Speed Rail Attack in France: What are the security challenges for protecting rail systems?

• Troubling Trends Emerge in Terrorism and Attacks on Surface Transportation

• By the Numbers: Russia’s Terrorists Increasingly Target Transportation

• Mineta Transportation Institute Says Subways Are Still in Terrorists’ Sights

• The Breach of Security at San Jose’s Airport Raises Broader Issues

• The Terrorist Attack in Kunming, China: Does It Indicate a Growing Threat Worldwide?

• A Terrorism Analysis of the April 14, 2014, Bus Terminal Bombing in Abuja,Nigeria

• Suicide Bombings Against Trains and Buses Are Lethal but Few in Number

For MTI’s peer reviewed research reports on transportation security, go to

http://transweb.sjsu.edu/MTIportal/security/Security_Research_Pub.html

7 “Brussels Bomber Worked at Zaventem Airport for 5 Years – Report,” RT, April 21, 2016, https://www.rt.com/news/340464-bomber-worked-brussels-airport/.

8 Robert Wall, “Somali Plane Revelations Add to Fears of Insider Attacks: Minister Says an Aviation Worker Was Involved in Daallo Airlines Attack,” The Wall Street Journal, February 9

2016, http://www.wsj.com/articles/somali-plane-revelations-add-to-fears-of-insider-attacks- 1455032543 

ABOUT BRIAN MICHAEL JENKINS

Mr. Jenkins directs the Mineta Transportation Institute’s National Transportation Safety and Security Center, which focuses on research into protecting surface transportation against terrorist attacks. He is an international authority on terrorism and sophisticated crime. He has authored several books, chapters, and articles on counterterrorism, including International Terrorism: A New Mode of Conflict and Will Terrorists Go Nuclear? and When Armies Divide, a discussion about nuclear arms in the hands of rebelling armies.

ABOUT BRUCE R. BUTTERWORTH

Mr. Butterworth is a research associate at the Mineta Transportation Institute. He has worked at congressional, senior policy, and operational levels, including with the House Government Operations Committee, Department of Transportation, and the Federal Aviation Administration, where he was senior level Director of Policy, and then Director of Operations. Amongst other tasks, he helped managed the resolution of aviation security crises and launched a program of dangerous goods regulation and cargo security after the 1995 ValuJet crash. He has published extensively on transportation security.

ABOUT THE MINETA TRANSPORTATION INSTITUTE

The Mineta Transportation Institute (MTI) conducts research, education, and information transfer programs regarding surface transportation policy and management issues, especially related to transit. Congress established MTI in 1991 as part of the Intermodal Surface Transportation Efficiency Act. MTI won national redesignation competitions in 2002, 2006 and 2012. The Institute is funded by the US Department of Transportation, the US Department of Homeland Security, the California Department of Transportation, and public and private grants. The internationally respected members of the MTI Board of Trustees represent all major surface transportation modes. MTI, the lead institute for the nine university Mineta National Transit Research Consortium, is affiliated with San Jose (CA) State University’s College of Business.

Visit transweb.sjsu.edu. Contact:

Karen E. Philbrick, Ph.D. MTI Executive Director 408.924.7562 karen.philbrick@sjsu.edu