February 10, 2016

TSG IntelBrief: The Insider Terror Threat

• The February 2, 2016 suicide bombing onboard a Daallo Airlines flight from Mogadishu to Djibouti appears to have been an inside job

• An employee is also suspected to be responsible for the October 31, 2015 bombing of a Russian MetroJet flight from Sharm al-Sheikh, Egypt to St. Petersburg

• The threat of extremist insider plots is not just confined to the aviation industry or to unstable countries; the global spread of support for groups like the Islamic State means the threat of insider attacks spans across the world

• Better background checks and more comprehensive security procedures are important, but preventing a cleared employee from carrying out a terrorist attack is a considerable challenge.


One of the main concerns about the dispersed nature of support for groups like the so-called Islamic State and al-Qaeda is that some proponents of violent extremism may have access to critical infrastructure such as transportation or energy networks. Assault-style terror attacks like those in Paris or San Bernardino may be more common, but the risk of insider terror attacks is quite real. While these attacks are relatively rare, the spread of bin-Ladinism among such a broad population suggests they could increase. 

There are two types of insider terror threats: those that exploit poor or insufficient security systems, and those that exploit the assignment of trust and access within an otherwise well-run system. There have been two recent examples of terrorists exploiting the combination of poor security and employee access, both involving aviation. Aviation remains an obsession for terrorists; few attacks demand the same level of international attention as the downing of commercial airliners. 

The February 2 suicide bombing aboard a Daallo Airlines flight from Mogadishu to Djibouti was reportedly an insider attack. CCTV footage from the airport waiting area shows an individual beyond the security checkpoint handing what is believed to be an explosive device to the bomber. The negligible death toll—the bomber alone was killed—would have been far greater had the plane reached cruising altitude before detonation. The difference between one death and 74 was evidently the result of bad timing by the bomber—something no security system should rely upon.

On October 31, 2015, a bomb brought down a MetroJet flight heading from Sharm al-Sheikh, Egypt, to St. Petersburg, Russia, killing all 224 people on board. The bomb, which went off at 31,000 feet to ensure catastrophic decompression, was reportedly placed in the cargo hold by someone with access to the plane at the Sharm al-Sheikh airport. In both this and the Daallo Airlines bombing, passengers and transiting flight crews reported paltry security standards at the respective airports. At Sharm al-Sheikh, passengers reported lax security procedures and claimed that bribes were paid to avoid security lines. The pilot who safely landed the Daallo flight described the situation around the Mogadishu airport as chaotic, with too many people appearing to have access to the tarmac and aircraft. It is likely these airports are not the only ones operating under the assumption of security.

Even well-run systems are vulnerable to a trusted employee determined to commit an act of violence or sabotage. On September 26, 2014, an employee accessed a radar facility that provided coverage for Chicago-O’Hare, one of the world’s busiest airports. He set a small fire that damaged cables and computers, resulting in massive flight cancelations that spread across the United States. Though the culprit may have had no links to terrorism, his ability to cause such extensive damage in the course of a normal routine was significant. 

Aviation is far from the only hardened target on terrorists’ radars. Power grids, water supplies, and other critical infrastructure are always under threat. The threat is easy to both exaggerate and underestimate, given the level of trust placed in the background clearance process and the monitoring of trusted employees. In a report sent to the U.S. Congress on February 9, 2016, the Director of National Intelligence James Clapper stated, ‘the perceived success of attacks by HVEs (Homegrown Violent Extremists) in Europe and North America, such as those in Chattanooga and San Bernardino, might motivate others to replicate opportunistic attacks with little or no warning, diminishing our ability to detect terrorist operational planning and readiness.’ That some of these potential attacks could emanate from inside of the systems they target is a possibility that warrants reviews of applicable security protocols.


For tailored research and analysis, please contact:


Subscribe to IB