Peering Into Your Supply Chain

The government wants you to share data about what's inside shipping containers. Right now, the C-TPAT program is voluntary. With all the attention to port security, it won't stay that way.

Long before this winter's firestorm about a United Arab Emirates company taking over the management of six American ports, the Department of Homeland Security was concerned with the issue of port security. Over the past several years, the government has spent $75 million to track several companies' cargo containers coming into the seaports of Seattle/Tacoma, Los Angeles/Long Beach, and New York/New Jersey.

The Operation Safe Commerce project, carried out between 2002 and 2005, used GPS technology and radio frequency identification (RFID) to monitor cargo from a handful of major importers (including Sara Lee and Motorola) as it made its way from overseas factories to the United States.

The goal of Operation Safe Commerce was to identify weak links in the global supply chain. A report summarizing its findings was due more than a year ago. To date, for a variety of reasons, no report has been released. But sources close to the project say that Operation Safe Commerce revealed that companies actually know very little about what goes on in their supply chains.

Common unsafe practices identified by these sources were: truckers dropping off containers without encountering terminal security, containers left in unsecured areas, and containers bypassing a port that's considered safe (even if scheduled to pass through that port) and traveling instead through a country that poses a greater threat, without informing the company or U.S. Customs and Border Protection.

Steve Schellenberg, a senior consultant at the trade advisement company IMS Worldwide who worked on Operation Safe Commerce for the port of Seattle, says the project "showed us that there needs to be a quantum leap in the information we possess about the supply chain."

These insights confirmed what security practitioners and experts said during the DP World controversy: No matter who runs the port, the government and private sector's work of securing these container shipping hubs has a long way to go. In fact, experts like Stephen Flynn, a former Coast Guard commander, expressed hope that the issue would focus on the urgent need to fix the sieve that is port security. (DP World eventually bowed out of the deal, pledging to cede control of the ports to American companies.)

Whoever takes over the ports, companies will have to find a way to make that quantum leap of supply chain visibility, possibly within the next year, because soon the government will make sharing this information a cost of doing business for every company that engages in international commerce.

The mechanism for the government's initiative is already in place: the Customs-Trade Partnership Against Terrorism, or C-TPAT, which requires companies to take responsibility for the security of their supply chains. C-TPAT is now voluntary, but program members say that the benefits of compliance, which include reduced wait time at borders and fewer inspections, will make participation an unavoidable cost of doing business.

"There's really very little that Customs can do to speed things up," says Schellenberg. "But they can sure as heck slow you down."

Furthermore, members of the trade community believe that the government will eventually make C-TPAT participation mandatory, although a spokesman for Customs disputes that.

Companies need to prepare now, or they could find themselves facing a last-minute hurry-up similar to their Sarbanes-Oxley travails, with the added insult of watching their cargo get held up at Customs.

"There's no doubt that this is going to happen," says Kevin Smith, general director of global customs for General Motors. "This is an inevitability."

The Nightmare Scenario

Right now, information about any given supply chain is hard to come by. And that's by design. The goal of supply chains is to get something that's needed (a part, a product) to where it's needed as quickly and cheaply as possible. If a container arrives too late to be loaded onto one ship, it's rerouted and loaded onto another. And as long as the container arrives on time, or close to it, no one need be the wiser. Historically, each person or entity that handles a shipment collects and shares only information needed to guard against liability.

Initially, Customs was created to enforce tariffs and calculate import taxes. And while Customs' role expanded to combat drug trafficking in the '80s, regulating trade was the department's primary job until 9/11. Now, says Robert Bonner, former commissioner of U.S. Customs and Border Protection (he resigned in November), "The priority mission of U.S. Customs is national security."

Experts say that Bonner, who was sworn in at Customs on Sept. 24, 2001, was right to change the agency's focus. Most agree that the likelihood of terrorists attacking the United States through the global supply chain is so high that it's a matter of when, not if. Such an attack (most analyses focus on a dirty bomb) won't be designed to kill people, but to cause panic. "It isn't the event but the sudden lack of faith in the system that it causes," says Flynn, who's now senior fellow for national security studies at the Council on Foreign Relations.

If a bomb goes off, Flynn says, there will be huge pressure on the government to close all the nation's ports until every container on every site in the country is inspected. An October 2002 war game that mimicked that scenario found that closing the nation's ports for as many as 12 days created a 60-day container backlog and cost the economy roughly $58 billion. "Any incident would shut down commerce," Sen. Patty Murray of Washington said in an interview. Murray is the ranking member of the Senate Appropriations Committee Subcommittee on Transportation, Treasury, the Judiciary, Housing and Urban Development and Related Agencies.

Sarbanes-Oxley Compliance and C-TPAT

Customs has a two-pronged strategy to prevent the dirty-bomb scenario. First, it's asking companies to assume responsibility for their supply chain security.

Legally, a company is responsible for a container only when it formally purchases it, which, precisely for that reason, usually doesn't occur until it reaches a port, either in the United States or abroad. Target, for example, typically does not legally purchase the clothing it orders from China until it arrives in the terminal. But the government wants importers to take responsibility for everything that occurs prior to purchase, even if the container is in the custody of a trucker in China or a longshoreman in Rio de Janeiro. The principal vehicle for this is C-TPAT. This so-far voluntary program gives certain benefits, such as reduced inspections, to companies that can show they meet a minimum level of supply chain security. The better a company's security (as judged by Customs auditors), the more benefits it receives. There are now three tiers of C-TPAT compliance, and containers belonging to members in the top tier sail through Customs virtually uninspected.

If C-TPAT is the carrot, then the Sarbanes-Oxley Act (Sox) is the stick. It requires that companies put in place reasonable safeguards against events that could materially affect the company's value. There's little doubt, experts agree, that supply chain events fall under the Sox umbrella.

With both C-TPAT and Sox, a company needs to secure the data, make sure that purchasing and security have access to one another's information, and collect more data about what is happening in the extended global supply chain.

The second prong of Customs' strategy is to collect as much information as it can about what's happening in the supply chain so that, through data mining, it can spot anomalies. The key to this effort is the Automated Commercial Environment, or ACE, a $3 billion-plus trade processing system begun in 2000, which Customs plans to complete by 2010. ACE has modules that do everything from serving as Customs' ERP system to targeting containers for inspection. Within the next six months, carriers entering the United States through land-border crossings in seven states will be required to send close to 100 data elements to Customs, including information about the vehicle, its driver and its cargo. If they don't, they don't get in. Customs is also piloting an ambitious ACE add-on called the Advance Trade Data Initiative (ATDI), which requires importers to share with Customs shipment data including the purchase order, which ports a container passes through, proof of delivery and its final destination within the United States.

"ATDI will make companies collect information that they haven't collected before, share information they haven't shared and provide information earlier than they've been required to provide it before," says GM's Smith. For example, it's the rare company that knows where on a ship its container is located, but ATDI will require it.

Experts say Customs plans to make ATDI participation a requirement for tier-three C-TPAT certification. (Customs says that ATDI participation qualifies participants for tier-three status, but that it will not be a requirement.) Soon, companies that achieve this compliance will be rewarded with a Green Lane designation, essentially a "get out of Customs free" card that will do for borders what E-ZPass does for highways.

"A huge number of containers come into our country," says Sen. Murray (about 9 million a year). "Right now, we don't know what's in them, who's handled them, if they've been opened."

If the government gets this data, it can clear most containers before they reach the United States. This will allow Customs to focus its limited resources on the containers it knows the least about.

As Murray puts it, "We're trying to reduce the size of the haystack."

The Secure 10,000

After 9/11 there were calls by some members of Congress to inspect each and every one of those 9 million containers coming into the country. But the vast majority of those containers are filled with legitimate goods from legitimate sources heading to legitimate companies. "The question we faced was, Can you risk-manage for terrorism?" says Bonner. "If the answer is yes, you can spot-inspect."

In July 2002, Bonner unveiled C-TPAT, which, by shifting that burden onto the importers, was designed to reduce the need for the government to inspect containers. Since then, more than 10,000 companies have applied for C-TPAT membership. In 2005 C-TPAT members accounted for 42 percent of all imports by volume.

There are three tiers of C-TPAT membership, each of which comes with progressively fewer inspections. The first level simply requires an attestation that your company has performed a risk analysis of its supply chain and has taken steps to mitigate any vulnerabilities. As of January, Customs had accepted 5,757 of these attestations. Tier-two members (1,511 companies as of January) have had this attestation validated by Customs officials. Another 2,273 validations are in progress. Tier-three members are companies that Customs has determined follow supply chain security best practices (although Customs has not yet defined any). These are the companies that will be eligible for the Green Lane. Only 126 companies to date have qualified for tier three, including Boeing, General Motors and Target.

Getting a Green Lane Ticket

Securing your supply chain data is the most obvious step to reach at least tier-two C-TPAT status (although eventually, sources say, there will be only a tier three; everyone else will be treated the same: poorly). And no one should be surprised that it's important to encrypt and protect information about the schedule and location of your shipments. But securing supply chain data goes beyond that. Importers have to attest to their partners' security. "We had an audit [at a partner's factory] in South Africa, and they grilled them about IT security," says Jim Wigfall, VP of supplier management for Boeing Shared Services. Customs auditors checked the partner's firewall, backup systems and access controls. (The company passed.) Now Boeing does the same every time it vets a potential partner against C-TPAT requirements.

It's also important to limit access to supply chain information. "If the bad guys know that IBM is going to ship products from point A to B on a particular Tuesday, it gives them a leg up," says Debbie Turnbull, IBM's program manager for supply chain security. A bad actor inside a company could alter the information attached to a container from Palembang, Indonesia (which might raise an alarm), so that it looked like it was coming from a factory in Hong Kong (which might not). Or that bad actor could pass scheduling information to a crony outside the company. IBM uncovered one such plot a few years ago. A worker in a plant in Mexico noticed that one container he was about to load was 53 feet long on the outside, but only 50 feet long on the inside. Upon inspection, it was found that the container had a false back, behind which was hidden several million dollars in narcotics.
