Peering Into Your Supply Chain

The government wants you to share data about what's inside shipping containers. Right now, the C-TPAT program is voluntary. With all the attention to port security, it won't stay that way.

1 2 Page 2
Page 2 of 2

While it's important to keep information about shipments from people who don't need to know, it's equally important that the people who do need the details have access to them. This means integrating the systems used by the purchasing and supply chain organizations, and making sure that the system can capture information such as a country's security profile. The integration benefits both departments, says Ron Miller Jr., Customs compliance coordinator for P&G's Global Cross Borders Group. Making purchasing data available to the supply chain group allows it to identify low-risk partners and pass that information on to Customs. If, for instance, you can show that something is a regular shipment from a secure partner, it is less likely to be inspected, says Miller.

"When you force someone to type data in before it is normally available, you get errors. What good is information when its wrong?"

- Kevin Smith, GMs general director of global customs

Similarly, purchasing people need to have data on the security of the factories and countries to which they plan to source. If they don't have this data, a cheaper product may end up costing more if it's delayed for inspections.

Assuring that your suppliers are handling your cargo in a secure way will require greater visibility into the supply chain. Someday, this will be done through RFID, smart containers and other emerging technologies. But right now, many of these technologies are still too immature or expensive. Until then, companies will need to integrate systems with their overseas suppliers so that they can risk-manage the supply chain by spotting anomalous activity as it happens. Even secure processes "can be compromised," says Ken Konigsmark, Boeing's C-TPAT program manager. "[Overseas workers] get paid peanuts, and it would be very easy to bribe them." Companies need to be able to tell when a truck driver leaves a factory and when he arrives at a port so a security person can alert Customs if a four-hour trip turns out to take 12. This is a major challenge when the supply chain is global. "The things we take for granted may be very difficult for a coffee producer in Colombia," says P&G's Miller.

That's said, companies need to start setting up ways to access to their supply chain systems, since Customs is going to want that data, sources say, as early as next year.

Customs' ACE in the Hole

Since the late 1990s, Customs' Automated Targeting System (ATS) has identified which containers to inspect by feeding the data it has about a shipment into a risk algorithm. Last summer, the DHS inspector general released a report that was critical of ATS, saying it didn't have the information to accurately identify suspicious containers. The report made no reference to the Advance Trade Data Initiative, the targeting system that Customs is piloting.

ATDI has its roots in a conversation that took place shortly after 9/11 between Mike Laden, then president of Target's custom broker division, and late Assistant Commissioner of Customs Bonni Tischler. "We were talking about information that Customs needs," recalls Laden. "I looked at her and said, 'Do you want to know what we buy? Heck, sometimes we know months in advance.'" Shortly thereafter, Laden gave Customs a file with 1,000 purchase ordersincluding a description of the goods bought, their price and their factory of origin.

Pre-9/11, Customs' first encounter with a container was when it entered a U.S. port with a manifest describing its contents and port of origin. Tom Bush, director of targeting and analysis systems in Customs and Border Protection's IT office, says that from Customs' point of view, containers simply materialized in an American port.

"Sometimes we may think a container originated in a safe port, when it could have come out of Karachi," says Bush. On the other hand, "a purchase order gives you insight into the actual point of origin, as well as the buyer and seller relationship." In early 2003, Customs began to build a system to combine commercial data like purchase orders and shipment notifications with intelligence reports.

Today, Target and around 30 other companies are participating in the ATDI pilot. (Participation doesn't necessarily include sharing data with Customs.) Once past the pilot stage, ATDI participants will need to send Customs a copy of a purchase order as soon as one is filled out and a copy of the shipping notification they receive from a factory. Customs also plans to collect information about overland transport, a container's location within a terminal, its location on the ship, as well as notification when a container reaches its final U.S. destination.

Bush says that companies will need to share only what they can. But importers, who rely on truckers and shippers for some of this data, are concerned that just as C-TPAT requires companies to be responsible for parts of their supply chains for which they are not legally responsible, ATDI will demand that they provide all of the information Customs wants. One place to look for clues to how all this will work out is the ACE e-manifest program that Customs is piloting on the Canadian border in Washington state and Detroit, and at the Mexican border at Nogales, Ariz., among others.

The ACE pilot asks cargo carriers to share close to 100 pieces of information about their shipments, everything from the vehicle identification number on a truck to the address of the importer. If Customs does not receive all of this data by at least an hour before the truck reaches the U.S. border, there will be various penalties.

"The major difficulty for us was that the information for the driver, vehicle and cargo were in three different systems," says Janet Shearn, director of customs and trade compliance for UPS, which participated in the pilot program. (The pilot now has about 400 participating companies, 25 of which share data with Customs.)

UPS had to integrate these three systems in order to send a single timely EDI message to Customs. The information also had to be formatted so that Customs could read it. For example, Customs wanted information that UPS stored as address line one in address line two. In other cases, Customs wanted information that UPS simply didn't have, such as a driver's passport number. And if any of the information was left blank or entered incorrectly, the truck, hypothetically, could be held at the border.

Customs plans to publish requirements for the ACE program within the next few months, which means that companies will have 90 days to comply. It won't be easy. "We had all the systems in place, and it still took us more than 90 days," says Shearn.

The ACE program foreshadows how ATDI will likely collect data from companies. Customs' Bush says that the agency can handle either EDI or XML data, depending on what companies use.

Many questions remain about how Customs will protect the information it receives, how it will use it and how it will carry out such large-scale data mining. "I have a great deal of concern," says Smith of GM, which is advising Customs on ATDI but declined to participate in the trial. "ATDI is about commercial data that has never been given to the government before, and sometimes it is not available when they want it. When you force someone to type data in before it is normally available, you get errors. What good is information when it's wrong?"

Security is another concern. Purchase orders often contain competitive secrets, such as prices that factories charge importers. Not only would the government have to protect this data from hackers, it would also have to develop a way to protect it from Freedom of Information Act requests.

And even if it solves these problems, there's still the matter of making the system work. "It would take 20 supercomputers chained together just to go through the data from Target, Wal-Mart and Sears," says Laden, who left Target last May to start the consulting firm Trade Innovations. (Bush says the system will work but declined to discuss specifics, citing national security.)

Regardless of the difficulties, Shearn and Laden are convinced that ATDI will move forward. "Companies need to realize that this isn't going away," says Shearn. "There's a commitment from DHS, and they have the money to make this work."

The C-TPAT Payoff

One of the challenges that comes with securing the supply chain is measuring success. How do you know you've prevented something that hasn't happened? Chuck Winwood, a former deputy commissioner of Customs, now senior VP for border security at the trade consultancy Sandler & Travis, says companies should use traditional business metrics: "Improvements in safety, insurance liability, efficiencythese are outgrowths of a good security program."

The reduction in inspections promised by C-TPAT is another potential source of ROI. Toymaker Hasbro spent just under $200,000 on its up-front C-TPAT compliance and spends an additional $112,500 a year maintaining it. Since it became C-TPAT-certified in November 2002, its inspections have dropped from 7.6 percent of containers coming into the United States in 2001 to 0.66 percent in 2003. Given that in 2003 the company imported about 8,000 containers, and that port authorities charge around $1,000 per inspection, Hasbro saves about $550,000 a year in inspection costs alone, approximately a 5-to-1 return rate.

Members of the trade community expect that ATDI participation will be a requirement for Green Lane status. And while no one has a firm timetable for the merging of ATDI and C-TPAT, the funding is in place. In November, Sen. Murray introduced the Green Lane Maritime Cargo Security Act of 2005; expectations for its passage are high. In all likelihood, companies will have between 18 and 36 months to prepare for compliance, but a terror event looms as a wild card. If there's an attack, that timetable could telescope quickly.

Copyright © 2006 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
The 10 most powerful cybersecurity companies