Container Security: Is the Layered Approach Working?

Guest columnist Jim Giermanski says the government's five-layered approach to container security is on the right track, but needs significant improvements

On April 2, Deputy Commissioner of Customs and Border Protection Jayson P. Ahern made a statement before the Committee on Appropriations, Subcommittee on Homeland Security, U.S. House of Representatives. One of the topics included in his statement was an explanation of the layers of security used by Customs and Border Protection (CBP) to protect the nation against potential terrorism connected to commerce through U.S. ports.

"CBP uses a multi-layered approach to ensure the integrity of the supply chain from the point of stuffing through arrival at a U.S. port of entry," he said, citing five layers:

  • The 24-hour manifest;
  • Screening through the Automated Targeting System (ATS) and National Targeting Center (NTC);
  • Customs Trade Partnership Against Terrorism (C-TPAT);
  • The Container Security Initiative (CSI) the Security Freight Initiative (SFI); and
  • The Non-Intrusive Inspection (NII) program.

The goal of this layered approach, he said, is to combine each of the layers while limiting their combined affect on "hindering the movement of commerce through our ports."

Some of those in the trade community might take issue with this statement, believing that the layered approach has already hindered commerce. Others might take issue with the value of the layered approach in preventing a terrorist attack on a port of entry or interior target within the United States. I think that looking at each layer is important in appreciating this approach to security. Understanding the basics of each layer will indicate the knowledge CBP will likely have of the actual contents of containers reaching the United States.

Layer-1: The 24-hour Manifest

In general, a cargo manifest is a document that indicates the identity and description of the cargo contained in a shipment. There is certainly no problem using data from the manifest to determine contents. However, the manifest is made by vessel carriers, shipping lines that have no idea of actual contents. Therefore, any problem will always be linked to the person or firm that completes the manifest and their real knowledge of the contents of a container. CSI's 24-hour rule places the responsibility of sending the manifest to CBP with the shipping line, specifically the liner that loads the cargo into the vessel at the foreign port, carrying it to the United States, and discharging the cargo in the United States. "Carriers and/or automated NVOCC's will be required to submit a cargo declaration 24 hours before cargo is laden aboard the vessel at a foreign port for any vessel beginning the voyage on or after Dec. 2, 2002." Originally, there were 14 types of data placed on the manifest; today there are 21:

  • 1. Carrier SCAC code (standard carrier alpha code)
  • 2. Last foreign port
  • 3. Vessel name
  • 4. Voyage number
  • 5. IMO vessel ID number
  • 6. Date of departure from port
  • 7. Container number
  • 8. Commodity description (with HTS-6)
  • 9. Commodity Weight
  • 10. Bill of loading number
  • 11. Shipper name and address
  • 12. Consignee name and address
  • 13. Hazmat code
  • 14. Seal Number
  • 15. Numbers and quantity
  • 16. Foreign port of loading
  • 17. First foreign place of receipt
  • 18. Vessel country
  • 19. Date of arrival at first U.S. port
  • 20. Port of unloading
  • 21. Time of departure from port

Furthermore, there's an expectation that CBP will announce in August or September the requirement to submit additional data contained in the "10-Plus-Two Program." There will be 10 pieces of data the shipper will have to submit, and an additional two pieces that the vessel carrier has to submit. From reviewing only six customs forms connected to inbound shipments, there were 122 distinct pieces of information. Of these bits of information there were 26 pieces that were repeated in the six forms. If that is any indication, there are hundreds of pieces of information-data that are CBP's mainframes that may or may not really be necessary or accurate. Regardless of how many elements are in the manifest today, the fundamental reality is that all elements represent what the shipper, not an individual, said to be true. In effect, the manifest states what is "alleged" to be in the container.

But the purpose of the 24-hour rule is to enable U.S. Customs to analyze container content information before a container is loaded and thereby decide on its "load/do not load" status in advance. An NVOCC is a non-vessel operating common carrier. In reality that entity can be a motor carrier leasing space on liners. For instance, Yellow Roadway trucking company is an NVOCC. Therefore, it accepts cargo from a shipper and provides the shipper a bill of lading to destination, including ocean travel, but Yellow Roadway does not own or operate an ocean-going vessel. Yet, it still is the carrier to its shipper and then it's the shipper to the vessel carrier. But only those NVOCCs who are authorized to communicate with CBP through an approved electronic portal can file a manifest as the liner can.

There is a flaw in this layer. How does a carrier know what's in the container? The carrier does not open the container to inspect it. The carrier simply takes the word of the shipper. Who is the shipper? Does the carrier really know? Even if the carrier really knows, the carrier is still relying on the shipper's word for the contents of the container. What if we have a perfectly honorable and well recognized shipper? Does that mean that between the stuffing of the container at origin and its arrival at the port of export, no surreptitious entry was made into that container and no weapon of mass destruction placed in the container before it arrived at the port of export? Since the carrier does not know what is really in the container that arrived at the port, how would CBP know what was really in the container if CBP relied only on the carrier's manifest? Assuming the shipper has historically been honest and trustworthy, the likelihood of CBP suspecting foul play is remote or non-existent under this layered approach. Thus, any positive or special treatment given this container can be deadly to either the recipients of the container, the United States, or to the exporting port where the explosive could really have been meant to detonate.

Layer-2: Screening through the Automated Targeting System (ATS) and National Targeting Center (NTC)

CBP says that the ATS is one of the most advanced targeting systems in the world. "CBP uses ATS to improve the collection, use, analysis, and dissemination of information that is gathered for the primary purpose of targeting, identifying, and preventing potential terrorists and terrorist weapons from entering the United States. Additionally, ATS is utilized by CBP to identify other violations of U.S. laws that are enforced by CBP." Basically, CBP through ATS collects various data from itself through CBP's own systems, except for one, the Treasury Enforcement Communications System. These systems as they relate to cargo are the:

  • Automated Commercial System (ACS)
  • Automated Manifest System (AMS)
  • Automated Export System (AES)
  • Automated Commercial Environment (ACE)
  • Treasury Enforcement Communication System (TECS).

The data obtained "includes electronically filed bills, entries, and entry summaries for cargo imports; shippers' export declarations and transportation bookings and bills for cargo exports; manifests for arriving and departing passengers; land-border crossing and referral records for vehicles crossing the border; airline reservation data; nonimmigrant entry records; and records from secondary referrals, incident logs, suspect and violator indices, and seizures."

Although AMS and ACE are CBP-based, AES is not. "The Automated Export System (AES) is a joint venture between CBP, the Foreign Trade Division of the Bureau of the Census (Commerce), the Bureau of Industry and Security (Commerce), the Directorate of Defense Trade Controls (State), other Federal agencies, and the export trade community." It's a central point through which exporters and/or their agents identify the products they are selling abroad. It serves primarily for export compliance and export data used by the Bureau of Census. However, ATS does draw more data from one source that is not its own: TECS. TECS has access to the National Crime Information Data Base (NCIC) which allows further access to the National Law Enforcement Telecommunications System (NLETS). TECS also includes names of individuals on terrorist watch lists. The next obvious question is who analyzes the data. CBP uses the National Targeting Center.

The NTC was established in 2001 and provides target-specific information to CBP field offices. With more than 100 employees, the center works around the clock. According to CBP, "The NTC has given CBP the ability to identify previously unknown, as well as known, persons involved in terrorism." Analysts or targeters, as they are called by CBP, are CBP personnel. These targeters also do data mining to develop potential targets. CBP says that the targeting center looks at any resource that could support a terrorist effort, ranging from individuals to raw materials that could be used in constructing nuclear and chemical weaponry.

However, like most of the layered approach, the center does not have active "boots on the ground" collecting intelligence. Instead, it analyzes the same and similar data obtained from the 24-hr. manifest and from its numerous other Customs Forms. If the paper is wrong or incomplete, however, targeting can also be wrong or incomplete. In other words, while this NTC is very important, it still is a data center, relying on data, and not knowing what is really in any container coming to the United States.

Layer-3: Customs Trade Partnership Against Terrorism (C-TPAT)

In this layer, electronic data and paper data are also essential elements of CBP's security. However, the C-TPAT layer is different. C-TPAT, as announced in 2001, "is an import-oriented program that provides incentives to shippers, such as reduced cargo exams and first-in-line priority for inspections, in exchange for adopting tight internal shipment processes for themselves and overseas business partners to prevent terrorists or criminals from slipping contraband or weapons into a container. CBP checks that companies follow approved security plans that meet minimum guidelines by visiting a company's headquarters and conducting sample audits of some foreign suppliers and transport providers." It was and is a voluntary program for industry, initially focused on large U.S. importers and exporters, ports/terminal operators, and carriers. Other participants were added, and today it has 12 different categories of participants. It began with only seven major importers. In 2008 it has over 8,000 certified members. In the beginning, it had only seven security areas of concern with respect to the supply chain: business partner requirements, physical access security, personnel security, procedural security, personnel security, container security, and education/training security. Now it has more.

With C-TPAT, CBP accepts as true the data furnished by its participating entity unless it learns or knows otherwise. Like the ATS/NTC layer, and to some degree the CSI/SFI layer, information provided is only as good as the providers' knowledge or integrity. With C-TPAT, there are clear and mandated physical requirements for the C-TPAT participants, which, if followed, can and do contribute to the security of this nation. Additionally, in C-TPAT there are auditors who review actual participant procedures at real locations around the world. With C-TPAT there are "boots on the ground" actions, not only data acceptance.

Layer-4: Container Security Initiative (CSI); the Security Freight Initiative (SFI)

CSI addresses the threat to border security and global trade posed by the potential for terrorist's use of a maritime container to deliver a weapon. CSI proposes a security regime to ensure that all containers that pose a potential risk for terrorism are identified and inspected at foreign ports before they are placed on vessels destined for the United States. Its core elements are:

Identify high-risk containers. CBP uses automated targeting tools to identify containers that pose a potential risk for terrorism, based on advance information and strategic intelligence.

Prescreen and evaluate containers before they are shipped. Containers are screened as early in the supply chain as possible, generally at the port of departure.

Use technology to prescreen high-risk containers to ensure that screening can be done rapidly without slowing down the movement of trade.

Through CSI, CBP officers work with host customs administrations to establish security criteria for identifying high-risk containers. Those administrations use non-intrusive inspection (NII) and radiation detection technology to screen high-risk containers before they are shipped to U.S. ports. CSI, as a reciprocal program, also offers its participant countries the opportunity to send their customs officers to major U.S. ports to target ocean-going, containerized cargo to be exported to their countries. Likewise, CBP shares information on a bilateral basis with its CSI partners. Japan and Canada currently station their customs personnel in some U.S. ports as part of the CSI program.

1 2 Page 1
Page 1 of 2
7 hot cybersecurity trends (and 2 going cold)