GCN Special Report: Port insecurity
- By Patience Wait
- Jul 18, 2005
Limited funds, jurisdictional questions and the sheer scope of the job hinder plans for a layered, IT-driven defense
'The whole idea of putting personnel overseas is so that when we do find a problem with advance data, we can take action.'
' Rod MacDonald, CBP
In the late-night hours of April 3 at the Port of Los Angeles, 29 Chinese nationals were apprehended as they tried to sneak out of two containers that had been unloaded from the NYK Artemis.
They weren't caught by Customs inspectors tipped off by intelligence analysts, or by nonintrusive screening equipment, or by digital surveillance cameras, or by any other sophisticated security techniques. They were caught by observant private security guards for one of the terminal's commercial operators, who happened to spot them.
There is no way to know how often smuggling operations succeed in getting illegal goods through the more than 350 seaports and 3,200 cargo and passenger terminals in the United States each year. But it is easy to imagine that if human cargo can slip through layers of security, so can terrorists, explosives, bioweapons or even nuclear materials.
For all the security and technology put in place at the nation's airports since Sept. 11, seaports remain distinctly vulnerable'both as portals to the U.S. economy and as potential targets themselves. The complexity of securing them is as daunting as the economic stakes in protecting them.
U.S. ports are the gateways to the global supply chain. They handle 95 percent of the nation's trade goods, worth nearly $1 trillion a year.
When U.S. airports were closed for a week following the attacks on Sept. 11, 2001, the airline industry lost more than $1 billion, and the ripple effects cost as much as $5 billion over the next month, according to the Air Transport Association.
But if the seaports were closed in the event of an attack, the cost to the economy would be in excess of $1 billion a day, according to Jean Godwin, executive vice president and general counsel of the American Association of Port Authorities. The nation's economy'with its increasing reliance on just-in-time inventories'would grind to a halt in a matter of a few weeks if ports were unable to resume operations. The Brookings Institution has estimated the costs of closure resulting from a detonated weapon of mass destruction could amount to $1 trillion.Back of the line
Despite the magnitude of the economic risk, the federal government has spent relatively little on improving security at the nation's ports. The Government Accountability Office reported in May that government grants for security since 2002 had totaled just $560 million, only a fraction of the amount requested. (To read the full report, go to www.gcn.com
and enter 448 in the GCN.com/search box.)
'Over 90 percent of the nation's $5.3 billion annual investment in the Transportation Security Administration goes to aviation,' said the authors of the 9/11 Commission report, warning of investment skewed to 'fight the last war. The current efforts do not yet reflect a forward-looking strategic plan systematically analyzing assets, risks, costs and benefits.'
'We think of the individual in very high terms in our [national] psyche, so we look at protecting people,' said John Hensley, former assistant commissioner for enforcement and operations at Customs and Border Protection. Hensley, a vice president at San Diego-based Science Applications International Corp., said many people still think 'seaport security is 'only' protecting cargo.'' '
Despite chronic underfunding, local, state and federal authorities are taking steps to manage the risks, with the help of a variety of emerging technologies.
Federal officials say the only practical way to approach port security is to build a layered defense, starting as close to a container's point of origin as possible and subjecting it to numerous checks as it approaches and then enters the country.
Existing and emerging technologies are expected to play a central role in how government agencies develop and integrate these layers. Among the technology strategies now gaining traction:
- Using integrated databases of shipping, passenger and crew data, and analytical software to screen for cargo at high risk of being infiltrated or tampered with
- Switching to the use of so-called 'smart' containers that record if they have been inappropriately opened, or that use Global Positioning System signals to show where they are at all times
- Issuing identity and access control cards that confirm workers' identities and control where they are allowed to go inside a port
- IT-based physical security and access control systems that supplement or even replace human monitoring for intrusions
- Nonintrusive inspection (NII) technologies that scan container contents and seek anomalies such as radiation.
Some of these technologies, such as database software and analytical tools, are established. The challenge is in applying them to a multinational maritime industry, with its myriad customs and traditions.
Others, such as the use of 'smart' containers, remain challenging because they use technologies that are still emerging and they pose immense implementation problems.
Customs and Border Protection commissioner Robert C. Bonner claimed a partial victory last month, at least, when 166 member nations of the World Customs Organization adopted a new framework for securing trade and aligning customs procedures.
The global trade pact, reached in Brussels June 23 (see related story, Page 16), includes provisions to harmonize advanced electronic manifest requirements on inbound, outbound and transit shipments. It also allows inspection of outbound cargo using nonintrusive detection equipment.
But in almost every case, adopting new technologies represents huge financial investments. The Coast Guard has estimated it will cost a minimum of $7 billion to implement port security measures at all U.S. ports. That cost would be passed on to American taxpayers one way or another, through government programs or higher costs for the goods being shipped. But debate over initial funding has delayed implementing a number of logical security programs.Who's in charge here?
Compounding the breadth of the problem is that ports are governed by numerous agencies at the federal, state, and local levels'layers of control that have built up literally over centuries.
At the federal level alone, the Homeland Security Department oversees numerous agencies with port responsibilities, including the Coast Guard and such elements of the Border and Transportation Security directorate as Customs and Border Protection. The departments of Energy, Justice, State and Transportation also have responsibilities.
'There are 17 agencies coming together' to administer port security, said Jay Grant, a spokesman for the Port Security Council. 'Theoretically, there are 17 different databases, but it's really more than that.'
Within DHS alone, the first fissure in lines of responsibility occurs between security and commerce.
The Coast Guard has primary responsibility for maritime safety and security. But the seagoing agency's authority basically ends with the physical protection of facilities and ships. Customs has responsibility for the security of the contents of those ships.
The pre-Sept. 11 customs agency has since been split into two units'Customs and Border Protection, and Immigration and Customs Enforcement. Both sit within the Border and Transportation Security directorate.
CBP has primary responsibility for inspecting cargo, crews and passengers, while ICE undertakes investigations and intelligence. The former Immigration and Naturalization Service was dissolved as part of DHS' creation, and its responsibilities and staff allocated between ICE and CBP.
Now, barely two years after the creation of DHS and the shuffling of these agencies, DHS Secretary Michael Chertoff's announcement last week of a reorganization (See story, Page 1) could alter how ICE and CBP are to tackle their respective duties.
Another DHS arm, the Transportation Security Administration, also has a primary role in port security, at least on paper. Congress created the agency as the lead organization for protecting all modes of transportation, though to date it has focused almost exclusively on airport security.
Outside DHS, several other departments have more than a passing interest in'and responsibility for'port security.
The Navy has security responsibility for its ships and facilities at the commercial ports it uses. Different agencies within Transportation have authority over the rail, trucking and pipeline industries that enter ports.
Transportation's Maritime Ad-ministration is responsible for the health of the merchant marine fleet; State has a voice because of international interests; and Justice, which conducts terrorism investigations and trials, has to be kept in the information loop.
Meanwhile, state and local law enforcement agencies have first-responder responsibilities if something should happen, while other state agencies frequently have governance over the ports as commercial entities. In a recent GAO report on port security, released in April (gcn.com
, GCN.com/453), the watchdog agency found that attempts to work with first responders have been hamstrung by the federal requirement that state and local officials obtain security clearances in order to gain access to intelligence information.
'It's a grand crazy quilt in terms of how it's structured,' said SAIC's Hensley.
Adding another layer of complexity for security experts: Each of the nation's ports faces unique constraints'from financial to governance to geography'which have dictated different approaches to common challenges.
The nation's 50 largest customs ports handled the equivalent of more than 23 million 20-foot-long containers last year. But Los Angeles, the country's largest port, processed 4.9 million container-units, 100 times the volume of the country's 26th largest port, San Diego. The disparities of cargo volumes, configurations of waterways, and the impact on local economies, all play significant roles in determining how much security each port can reasonably afford.Security starts 'over there'
Increasingly, the battle for security at ports like Los Angeles'and facilities elsewhere along America's coasts'is taking place on two fronts: Gathering more timely information about the cargo and crews arriving at ports; and ensuring tighter access controls over those who work within ports.
Customs and Border Protection, the unit within the Homeland Security Department with many'though not all'of the responsibilities for cargo security, has outlined a five-part approach to address the risk of terrorist attack in or by way of a port:
1. Requiring shipping information in advance, drawing upon integrated databases
2. Using that information to target high-risk cargo before it leaves foreign ports
3. Keeping containers secure in transit, in part through investment in 'smart' containers, but also through tightened access control and employee screening
4. Inspecting any suspect containers that do arrive in the United States, using nonintrusive inspection equipment, much of which uses digital imaging and software to look for anomalies
5. Developing contingency plans for recovering if an incident does happen.
CBP's goal is to push the identification of probable threats as far back through the supply chain as possible, preferably before high-risk cargo is ever loaded onto a ship in a foreign port.
Information gathering, sharing and analysis serve as the first line of defense.
Numerous reports'by GAO, various inspectors general, even the 9/11 Commission'document the government's struggles to share information and analysis. Customs processing, however, has made genuine progress due in part to an overarching initiative put in place long before Sept. 11, but being adapted for the new environment. The Automated Commercial Environment initiative mandated the overhaul of customs procedures. Awarded to IBM Corp. in April 2001, ACE modernized information processing related to cargo.
One result: The supply chain information system now starts in other countries.
Last summer, CBP commissioner Robert Bonner announced another information-gathering project, the Advanced Trade Data Initiative. The principles of the program are to identify as early as possible the true port of origin and all intermediate stops, all the parties associated with the shipment, and confirm the accuracy of descriptions of the contents, all to improve risk analysis and targeting.
Another program, the Container Security Initiative, already has information-gathering elements in place. U.S. Customs officials are based in 36 of the world's largest ports, where they use intelligence and data analysis to monitor cargo traffic for at-risk containers.
'The whole idea of putting personnel overseas is so that when we do find a problem with advance data, we can take action at that foreign port,' said Rod MacDonald, acting CIO of CBP.
A 24-hour Advance Manifest rule requires carriers to submit their manifests at least 24 hours before cargo is loaded onto ships. This gives customs agents at the CSI ports, and officials at the National Targeting Center in the United States, time to analyze the information and determine which containers need closer inspection.
'Our officers use the automated targeting system, which plays off the 24-hour rule,' MacDonald said. 'A weighted scale is placed against the information. ... Once we determine a cargo has a higher risk, we have the host government perform' nonintrusive inspection.
Unfortunately, GAO reported to Congress in May that 35 percent of the cargo heading for the United States from these ports was not targeted and not subject to inspection. As of September 2004, 28 percent of the containers that CBP officials asked their foreign counterparts to inspect were not checked out, for a variety of reasons, including that they had already been loaded onto the ships.Sharpening the system
When he testified before the Senate Homeland Security Permanent Subcommittee on Investigations May 26, Bonner said that the algorithms used by the targeting system are constantly refined to improve the system's ability to identify at-risk containers.
'The scores are divided into thresholds associated with further action by CBP, such as document review and inspection,' he said in his written statement.
The Coast Guard assumes authority for ships while they are en route. The vessels are required to submit 96-Hour Advance Notice of Arrival forms, which provide manifests for cargo, passengers and crew. This information is sent to the Coast Guard's National Vessel Movement Center, which analyzes the data and other intelligence, including reviewing previous security problems with the ship or illegal activities by crew members.
Based on the center's conclusions, ships will be greeted by different levels of security when they dock at U.S. ports.
The Coast Guard recently awarded a contract to SI International Inc. of Reston, Va., design electronic transmission of the data required for the notices. The application lets ship operators download the forms to an onboard computer, enter the data offline, save it and either e-mail or directly transmit the form to the Coast Guard center in Extensible Markup Language format. The system went live in early March, according to Mike Hughes, vice president of enterprise applications.
'This will cut down on redundant data entry, [which] can be huge,' Hughes said. 'If it's a cruise ship, it has to have every passenger on the ship.'
Meanwhile, CBP's automated targeting system at the National Targeting Center is re-evaluating all the data and making its own risk assessments to determine which containers will receive closer inspection when the ship docks.Missing links
Identifying containers for stateside inspection still falls short, however. Despite standing orders from CBP that any high-risk cargo not inspected at its point of origin must be inspected at U.S. ports, GAO could not get confirmation of inspections for 7 percent of these containers.
In addition, the inspections occur after the container has been offloaded. It may have been transported to an area some distance away from the docks, and left for perhaps hours or days before the inspection.
Using 'smart' containers could alleviate some of these problems.
At any given time, there are literally millions of containers circling the globe and piling up in port storage yards.
Finding ways to pinpoint the location of a container, and having ways to ensure that it has not been entered or otherwise tampered with during transit, could provide one part of the security solution.
There are a variety of pilot programs under way. For instance, Operation Safe Commerce is a Customs and Border Protection pilot program conducted at the nation's three largest seaport destinations'New York/New Jersey, Los Angeles/Long Beach and Seattle/Tacoma.
Using federal grant money, the ports worked with vendors to identify best practices along the supply chain and to identify ways to improve processes. As part of the program, vendors looked at smart container technologies.
Some of the most commonly considered are electronic seals, container security devices, sensors, Global Positioning System and radio frequency identification (RFID) tags. Each has its advantages and drawbacks.
'For security, none of those have any value except the container security device,' said Randy Koch, a partner in Unisys Corp.'s supply chain practice. 'Sensor technologies are not ready yet, [and] GPS satellite doesn't work well and is too expensive.'
RFID tags have won a lot of attention in this area, but they only address what the contents of a container are supposed to be, not whether they have been tampered with, he said. And RFID tags emit very-low-power signals that could be picked up by anyone equipped with the right device.
Koch said container security devices that detect if a door has been opened are the closest to being market-ready, perhaps in three to six months.
'We had very good success with [them] in our pilots. Their only role in the world is to detect door-open events; that's the hard measure,' he said. 'The soft measure is that it's simple and can be deployed globally.'
But even these kinds of electronic seals have drawbacks, Koch noted. For instance, if the devices are sent to China, to be placed on containers before they're shipped to the U.S., Chinese authorities will charge an import duty, raising the cost. Then there is the concern that workers there will have to be conscientious about installing them, turning them on and tracking them before they leave harbor.
'We tried to export some to Brazil,' Koch recalled. 'They got caught up in Brazilian customs for months and we had to pay an ungodly sum to get them out. When you start calling something a security device, no country is going to trust the United States' on the purpose and capabilities of the devices.
Depending on the specific device used and its capabilities, the cost could range from $10 to $100 per container, Koch said. The industry uses about 7 million containers a year, each with a useful life of about 10 years. If security devices were built into new containers as old containers are removed from circulation, it would still take a decade to completely deploy the technology.
Other drawbacks include persuading other countries'where the containers are made'to make the change to smart boxes, and getting the private sector in this country to pay for the technology to support it here.
'The government has been very clear that it's not going to pay for' putting the technology in place, Koch said. 'The question is, once it becomes real and deployable, who pays for that?'Does C-TPAT work?
With all of the cargo information that has to be analyzed for possible targeted inspections, the vast majority of containers still don't get scrutiny.
One way the various supply chain entities can cut down on inspections'which are time-consuming and inefficient'is to sign up for the Customs-Trade Partnership Against Terror.
This program, also administered by CBP, lets businesses at every stage of the supply chain apply to conduct self-assessments, which the agency reviews and certifies for compliance with CBP's standards. The agency then validates the applications, which involve on-site reviews to make sure the security actions have been taken.
At each step along the way'application, certification and validation'the companies get the benefit of streamlined customs processing, including far fewer inspections.
'CBP awards benefits which reduce or possibly eliminate the chances of detailed inspection at the ports without verifying that members have accurately reported their security measures and that they are effective,' Richard Stana, GAO's director of Homeland Security and Justice Issues, said before the Senate subcommittee. (< ahref="http://gcn.com">gcn.com, Quicjfing 450.)
In addition, though almost 9,100 companies have applied to C-TPAT as of April, less than 5,000 have been certified, and just 564 have completed the validation process.
But C-TPAT has also resulted in a few victories. Nippon Yusen Kaisha, the Japanese company whose ship, the NYK Artemis, delivered the containers of smuggled Chinese immigrants, had been linked to a previous smuggling incident. In January, another ship owned by the same company had delivered containers ferrying 32 illegal Chinese immigrants later caught in Los Angeles.
A CBP official, who asked that his name not be used, said the containers in the April incident had been targeted for inspection, in part because of the earlier discovery; customs officers had just not yet gotten to them.
The ship line, he said, has since been kicked out of C-TPAT.Next week: The challenge of documenting 6 million workers; using IT to augment physical security systems; one prospective road map to long-term solutions.