In an effort to prevent terrorists from turning container ships into weapons, US Customs is counting on big business to goad partners into improving security. The result: public and private partnerships that might work — or fail completely.
Factories need fences. Barbed wire. Imposing structures that not only mark a boundary but also keep intruders out and goods in.
At least that’s what Ken Wheatley had always assumed. That is, until he went on a whirlwind three-week tour of Asia in September 2002. As vice president of corporate security for Sony Electronics and a participant in a volunteer security program created by the US Bureau of Customs and Border Protection, Wheatley helped conduct vulnerability inspections at a half dozen of Sony’s largest facilities shipping goods to the United States. Travelling with a six-person team from Japan to Malaysia to Singapore, Wheatley discovered that even things as seemingly straightforward as fences often lose something in translation.
He puzzled, for instance, over the kid-size boundary markers at some of the Asian manufacturing facilities of Sony Electronics (a US-based division of Japan’s Sony). “Depending on the country, a really obtrusive fence communicates something negative to the community,” says Wheatley. “If I pointed out to local employees in an area with little crime that someone could easily climb over a 1-metre fence, they’d ask: Why would someone do that?” And then they’d wonder why the US government was trying to impose its will upon them.
The Customs-Trade Partnership Against Terrorism, or C-TPAT, sets parameters for how member companies should protect cargo they import from being infiltrated by terrorists and used as a weapon of mass destruction — a scenario that many experts view as the US’s biggest vulnerability. The guidelines start with the kind of fence that surrounds a company’s manufacturing facility and extend far out into the supply chain, to how business partners around the world order supplies and screen employees and seal containers laden with goods bound for the United States. Although C-TPAT is a voluntary program, for large companies that want their goods to get into the United States quickly — and for small companies that want those large companies’ business — joining is not really an option. It’s a necessity.
In fact, by issuing the guidelines Wheatley was trying to meet, the US government itself is not trying to impose its will on importers — not directly, anyway. Instead, Customs is counting on companies such as Sony to do the enforcement, in perhaps the most ambitious of all the public and private partnerships that the government has made its rallying call since 9/11.
“It’s to some degree ‘voluntary’ with both arms tied behind my back,” is how Pinkerton Consulting & Investigations consultant Barry Wilkins describes the program, having helped more than 30 companies, mostly Fortune 100, through the C-TPAT process.
What remains to be seen is whether Customs can strike the right balance between making the guidelines stringent enough to actually improve security and flexible enough so that companies won’t baulk at joining, even though participation means trying to wrap their arms around complex supply chains in a way they’ve never before contemplated. That when anything that might slow down commerce is viewed with scepticism, and when merely getting different divisions of your company to agree about the purpose of fences can be a struggle all its own.
“Clearly some countries think this is a US problem and not their problem,” Wheatley says. “It’s a matter of sensitizing people to the fact that we’re in a global economy, and what affects one partner is going to have a ripple effect back to other countries. [C-TPAT] is a massive undertaking and a bit of a sales job.”
The truth is, the guidelines that Customs officials — and by extension C-TPAT members — are hawking are still very much on rough waters.
Moving the Global Economy
Even as Wheatley speaks, 160 kilometres north of his office in San Diego, ships from all over the world are easing their way into the ports of Los Angeles and Long Beach, the largest port area in the United States and the third largest in the world. The ships are packed tight with the building blocks of the global economy: six-metre-long and 12-metre-long containers full of TV sets, tennis shoes and tomatoes. Some 20,000 containers a day — 45 percent of all loaded containers coming into the United States — make their way through these ports and on to the rest of the country by way of train and truck. If you wonder what that means for the nation’s economy, just ask William Ellis, director of security for the US Port of Long Beach.
“Two billion dollars a day,” Ellis says, referring to the cost of a dockworkers strike at his port in late 2002, which brought cargo shipping there to a grinding halt. “In 10 days, we had a $US20 billion impact on the US economy. If all shipping was shut down, it would be devastating.”
Yet that’s precisely what many observers fear could happen if terrorists managed to sneak a dirty bomb, or even just the equivalent of a car bomb, into one of those containers and detonate it in the United States.
“After September 11, we threw the globalization kill switch” by shutting down air transportation, says Stephen Flynn, a former US Coast Guard commander who is widely recognized as the country’s leading expert on cargo security. “My fear is that something happens on a truck or a train or a ship, and we throw that transportation kill switch again to sort things out; and we don’t even start with the [security] baseline we had with aviation. The time it will take to restore public confidence will have an incredibly disruptive impact on the economy.”
That’s because the global shipping industry has evolved for speed, reliability and efficiency — not security. Consider this: An importer can move a container holding 30 tons of material from Asia to the West Coast for as little as $US2500. That’s about 4 cents a pound. “It makes the postage stamp look a little overpriced,” Flynn quips.
US companies built empires on this system, moving manufacturing offshore and slashing inventories. They came to view a certain amount of cargo theft and drug smuggling the way department stores view shoplifting: not at all desirable, but nevertheless a cost of doing business. Only about 2 percent of incoming containers are physically inspected by Customs. “We basically decided that given the benefits of the system, it wasn’t worth the hassle of going after all these activities,” says Flynn, a senior fellow in national security studies at the Council on Foreign Relations.
In post-9/11 waters, of course, the risks are different than routine theft and drug smuggling, and protecting against them is a daunting task. APL, one of the world’s largest shipping companies, estimates that an end-to-end supply chain can involve up to 25 parties — each with their own facility, staff and procedure — and 35 to 40 shipping documents per container. “For a ship carrying 3000 containers, more than 100,000 documents need to be managed to some degree,” says Earl Agron, director of port and container security of APL. Because of this tremendous complexity, no one has ever tried to secure the shipping supply chain from end to end.
That is, until now.
Uncle Sam Steps In
On September 24 2001, former chief of the Drug Enforcement Administration Robert Bonner was sworn in as the commissioner of the US Customs Service, now known as the US Bureau of Customs and Border Protection. “Terrorism is our highest priority, bar none,” Bonner told the Chicago Tribune shortly after his appointment. The war on drugs was effectively over.
Since then, much of the attention in the US press has been on Customs’ controversial 24-hour manifest rule, which requires companies to submit shipping information to Customs 24 hours before goods are loaded onto a vessel headed to the United States. But most of what Customs — now lodged within the Department of Homeland Security — has done has been of a kinder, gentler sort.
The Container Security Initiative (CSI), for instance, is a program in which Customs officers are placed in ports around the world to search high-risk cargo headed to the United States. The program is voluntary, but an FAQ at the Customs’ Web site promises that “in the event of a terrorist attack using a cargo container, CSI ports would remain in operation because they have a security system, CSI, in place”.
C-TPAT, meanwhile, is the equivalent carrot-not-stick program for American businesses. Announced in April 2002, it requires member companies to conduct a security assessment of their entire supply chain, quiz business partners about security, outline plans for improvement, and eventually let Customs come in and validate those processes. In return, Customs promises members a “fast lane” through the border, along with other benefits such as the option to set up monthly billing rather than paying duties shipment-by-shipment.
“What we’re trying to do is get more detailed information [so we can] get the low-risk cargo out of the way and focus on the high-risk cargo,” says C-TPAT Director Robert Perez, who before 9/11 was one of Customs’ lieutenants in the war on drugs.
At first, the program was opened to importers only — the General Motors and Targets of the world. “They had the most clout,” Perez explains. Carriers, including shipping and trucking companies and airlines, were brought on next — followed by the brokers and freight forwarders that serve as intermediaries between carriers and importers. Most recently, US marine port authorities were added to the mix.
So far, more than 3800 companies have signed memorandums of understanding stating their intention to join C-TPAT. Of those, more than 2400 have filled out a security questionnaire detailing how they’re protecting their supply chain, and Customs has certified more than 1400 of those applications.
Members are starting to see the benefits. When a new security alert is issued, “instead of peaks and valleys, we haven’t had any slowdowns”, says Randy Arnt, executive director of corporate security for paper company Kimberly-Clark. “Everybody else that’s part of this process has experienced the same thing. At this point, if you’re a large company and you haven’t been certified, you’re really at a competitive disadvantage.”
Observers also note that, as Customs had hoped, the program has cascaded far beyond the companies that are directly involved. Pinkerton’s Wilkins says that as part of the certification process, one client alone sent 1200 letters to business partners asking about their security processes.
“It’s the domino effect,” says Agron, whose company, APL, has been on the receiving end of such letters. “They start out, ‘Dear Ocean Carrier, As part of the process of becoming C-TPAT certified, we need to know if you’re a member of C-TPAT. If you’re not, do you do the following?’ We don’t have to fill out the questionnaire because we just say we’re C-TPAT compliant.”
DHL Danzas Air & Ocean, a freight forwarder that contracts with shipping companies such as APL to move customers’ goods from one place to another, is starting to include the certification in its vendor contract negotiations. “We prefer that any company we hire as a service provider is compliant so there’s less chance of delay,” says Art Arway, director of security for the Americas. “We don’t require that at this point, and whether we will require it is a subject of some debate.”
But at DaimlerChrysler — which is a C-TPAT charter member, along with BP America, Ford, General Motors, Motorola, Sara Lee and Target — the debate is over. The program is becoming a requirement. By FY03, DaimlerChrysler will require trucking companies that transport its products across the US and Canadian border to join C-TPAT.
More than Lip Service?
That’s just what Customs wants to hear. The problem is that right now, Customs is just rubber-stamping applications that look good. As of last July, of the 2400 companies that have applied for the program, Customs went onsite to validate only about 20 companies’ security processes. Fifteen of those companies were importers, and it’s widely assumed that about half of those were charter members — the very companies that helped Customs hammer out the guidelines in the first place.
“We’re in a very queasy period,” the Council on Foreign Relations’ Flynn says. “The challenge for C-TPAT is to move from a trust-based system to a trust-but-verify system. We have to get more policing.”
To do that, the program needs more funding than the $US8.3 million it currently has. Customs has asked for an additional $US12 million in C-TPAT funding for FY04 and is working on hiring more than 100 additional staff members, whose responsibilities will include helping the 30 who are currently plodding through the validations. Perez says 120 validations are in the pipeline and that he is aiming to have at least 100 done by November.
That may seem a pittance, but observers point out that the number of completed validations may be less important than the companies chosen for validation. “If the validations are done of 100 of the biggest companies, or the first 100 who sign up, then that’s not a valid sample,” says Stuart Seidel, a partner with law firm Baker & McKenzie, who has been helping clients interpret the guidelines. “If it’s an assortment of companies, then that goes a long way to validating the program, plus it keeps people on guard. I don’t think [the small number of validations is] a problem right now because the companies that have applied for participation probably are trying to do a good job of security. The problem is going to come in the future. If Customs can’t check on the filings, a lot of additional companies that may not be as responsible will try to get into the program without adopting the security procedures.”
Perez, not surprisingly, won’t comment on which companies are being validated, except to say that the first 100 validations will include more than importers.
What remains to be seen is whether the guidelines Customs is checking against will be strict enough to make a difference. In discussing the process of joining C-TPAT, people talk about the paperwork involved — not the security improvement they’ve made. And every care has been taken to assure companies that the process won’t slow them down, which seems to hold true right through to the end. DaimlerChrysler’s Bill Cook, senior manager of corporate customs, international supply and customs supply, brushes off the validation process. “It was a couple of days’ worth of visits,” he says. “We took them to some local facilities that could well display how our supply chain works.”
“Nobody has complained that it was difficult,” says Pinkerton’s Wilkins, who has worked with about a dozen of the companies that have been validated. “Those that have been through the validation process have found that Customs was fair and reasonable, and they sort of described it as painless. [Customs is] in and out in 10 days or less.”
But underlying such alleged painlessness is a question of whether Customs is going too far to keep the industry happy, at security’s expense. “I don’t want to be quoted as saying Customs should do a better job, but in some cases [the companies] wanted more suggestions than they got,” Wilkins says. “But Customs isn’t a consultant.”
In fact, that’s the whole problem with the concept of public and private partnerships that the Department of Homeland Security has been counting on as a way to improve the nation’s security: Guidelines have to be lenient enough that companies will volunteer, but strict enough to make a difference. “It’s a balance between the security that’s involved and business requirements, so that you don’t introduce initiatives that disrupt the economy,” DaimlerChrysler’s Cook says.
The lip service might be enough at some companies. “From time to time you’ll find [security] standards slipping, and when you go back to the business units, they say: Gee whiz, we’d like to do that but we’re in cost-cutting mode,” Kimberly-Clark’s Arnt says. “The thing I feel best about is that now we have a tool to say: ‘This is something we have to do to make sure that we remain on the fast-track program.’ That’s an easy argument to sell to management.”
The question: If there is some kind of terrorist attack involving cargo security before C-TPAT has the credibility that Customs hopes it will gain, will the entire program be sunk?
“If we don’t get enough muscle into the initiatives to make people confident, my fear is that the inherent good wisdom [of Customs’ voluntary programs] will get discredited,” Flynn says. “The trade industry has not come to grips with the fact that, post-event, the things they’re doing just aren’t going to pass the public confidence test.”
And that could mean that, for all the public and private partnerships kumbaya-ing, in the long run, C-TPAT will be nothing more than the groundwork for industry regulations. “Anything is possible,” Customs’ Perez admits. “I’m not going to say that that isn’t something that’s a possibility. But there is no serious talk to that end for now. The focus of this program from the get-go has been on self-policing.”
APL’s Agron, for one, is cheering him on. “We’re a Bob Perez fan, a C-TPAT fan, because if C-TPAT fails then we’re going to look at government mandates that are devised and defined by people who don’t understand security,” he says, noting that one law introduced in the US House of Representatives last February essentially proposes that 100 percent of all cargo entering the United States be inspected. “Obviously you can’t do that,” Agron says. “The fact that the law has even been proposed says that we really have to make this work.”
Port Boys Complaint
by Kathleen Carr
For years, the cargo supply chain has been encumbered by slow security checks. C-TPAT wants to change that
In the team-building portion at your last company offsite, you probably remember an exercise where group A led group B through an obstacle course. Presumably group B exited the course unscathed. The game is similar to the real-life scenario being played out at shipping ports around the world today: In an attempt to lead businesses through transport’s security maze, the US Bureau of Customs and Border Protection has created several programs to improve the inherent lack of trust in the cargo system so that things move more swiftly through the supply chain.
The Customs-Trade Partnership Against Terrorism, or C-TPAT, is a joint initiative between the US government and the private sector aimed at safely expediting containers through ports. Companies that promise to use good security measures and provide documentation of the containers’ contents to Customs officials will be rewarded with an accelerated shipping schedule — kind of like a fast lane for cargo. Those that enrol in the program must perform self-assessments of their supply chain security and implement a security program that follows C-TPAT guidelines, which focus on security compliance of facilities, access, procedures, personnel, documentation and training.
“Anyone at a terminal of a trucking company could infiltrate the cargo supply chain, especially overseas where background checks aren’t allowed,” says Ken Wheatley, vice president of corporate security for Sony Electronics. “The obvious difficulty lies in managing a coordinated effort between various government entities. If you have DEA, FDA and Customs independently coming up with regulations without communicating with each other, the end users will get caught in a vice with inconsistent standards.”
Another Customs initiative, called the Container Security Initiative, or CSI, was launched in January 2002, to ensure the security of containers in transit by using technology to prescreen and secure containers. Of the top 20 ports worldwide, 18 have already joined CSI. According to Wheatley, becoming a member of the initiative means you are “a trusted importer”. To attain that status, you must provide Customs with details of what you’re shipping and documentation that demonstrates that you are shipping it safely.
Bells, Whistles and High-Tech Seals
One GPS prototype persuades US Congress to research supply chain weaknesses
by Sarah Scalet
In the mid-2002, a container of lightbulbs made its way from an Osram Sylvania factory in Nove Zamke, Slovakia, through the German port of Hamburg and on to Montreal before getting waylaid on its way to Hillsboro in the US state of New Hampshire, by a truck driver who cruised through a few of Montreal’s grittier neighbourhoods and then took a long break at the first rest stop over the border in Vermont.
The extra six or seven hours between Montreal and Hillsboro probably wasn’t anything too unusual, in and of itself. What was unusual was that an onboard GPS device allowed a team of researchers to learn of the delay — just one of the many security risks along the complicated supply chains that bring imported goods to the United States every day.
“It took one prototype, to a large extent, to get people in the government more aware of what we’re talking about,” says Stephen Flynn, a former US Coast Guard commander who is an expert on the homeland security risks involved with cargo shipping.
This prototype for Operation Safe Commerce was enough of a success — and enough of a failure, between the truck driver’s tardiness, an improper seal on the container and a GPS device rendered useless while the container was in the hold of the ship — that it spawned $US58 million in funding from Congress to the Transportation Security Administration. The pilot program, which should be completed by July 2004, is intended to analyze not only supply chains and their weaknesses but also how technology might reduce those risks. The US’s three largest port areas — the ports of Seattle and Tacoma; Los Angeles and Long Beach; and the Port Authority of New York and New Jersey — are coordinating the importers, shippers, freight forwarders and technology providers that are participating.
“Nobody has really put together a supply chain security process and done a thorough analysis of it, primarily because there are so many different people involved,” says William Ellis, director of security for the Port of Long Beach. “It’s just a massive undertaking.”
The technology being tested, among other things, includes GPS for tracking shipments, intrusion detection technologies that monitor light and motion inside a sealed container, sensors for radioactive material and electronic seals that contain information about what the container holds and can also show evidence of tampering.
“We’re hoping that through Safe Commerce, we’ll find systems that work, and those systems will be applied to all cargo moving anyplace in the world,” says Jim Serrill, director of seaport security for the Port of Seattle
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.