In an effort to prevent terrorists from turning container and cargo ships into weapons, Customs is counting on big business to goad partners into improving security through initiatives like C-TPAT.

Factories need fences. Eight-foot, maybe 10-foot, fences. Barbed wire. Imposing structures that not only mark a boundary but also keep intruders out and goods in.

At least that’s what Ken Wheatley had always assumed. That is, until he went on a whirlwind three-week tour of Asia in September 2002. As vice president of corporate security for Sony Electronics and a participant in a volunteer security program created by the U.S. Bureau of Customs and Border Protection, Wheatley helped conduct vulnerability inspections at a half dozen of Sony’s largest facilities shipping goods to the United States. Traveling with a six-person team from Japan to Malaysia to Singapore, Wheatley discovered that even things as seemingly straightforward as fences often lose something in translation.

He puzzled, for instance, over the kid-size boundary markers at some of the Asian manufacturing facilities of Sony Electronics (a U.S.-based division of Japan’s Sony Corp.). “Depending on the country, a really obtrusive fence communicates something negative to the community,” says Wheatley. “If I pointed out to local employees in an area with little crime that someone could easily climb over a 3-foot fence, they’d ask, Why would someone do that?” And then they’d wonder why the U.S. government was trying to impose its will upon them.

The Customs-Trade Partnership Against Terrorism, or C-TPAT, sets parameters for how member companies should protect cargo they import from being infiltrated by terrorists and used as a weapon of mass destruction—a scenario that many experts view as the nation’s biggest vulnerability.
The guidelines start with the kind of fence that surrounds a company’s manufacturing facility and extend far out into the supply chain, to how business partners around the world order supplies and screen employees and seal containers laden with goods bound for the United States. Although C-TPAT is a voluntary program, for large companies that want their goods to get into the United States quickly, and for small companies that want those large companies’ business, joining is not really an option. It’s a necessity. In fact, by issuing the guidelines Wheatley was trying to meet, the U.S. government itself is not trying to impose its will on importers—not directly, anyway. Instead, Customs is counting on companies such as Sony to do the enforcement, in perhaps the most ambitious of all the public and private partnerships that the government has made its rallying call since 9/11.

“It’s to some degree ‘voluntary’ with both arms tied behind my back,” is how Pinkerton Consulting & Investigations consultant Barry Wilkins describes the program, having helped more than 30 companies, mostly Fortune 100, through the C-TPAT process. What remains to be seen is whether Customs can strike the right balance between making the guidelines stringent enough to actually improve security and flexible enough so that companies won’t balk at joining, even though participation means trying to wrap their arms around complex supply chains in a way they’ve never before contemplated. That when anything that might slow down commerce is viewed with skepticism, and when merely getting different divisions of your company to agree about the purpose of fences can be a struggle all its own.

“Clearly some countries think this is a U.S. problem and not their problem,” Wheatley says. “It’s a matter of sensitizing people to the fact that we’re in a global economy, and what affects one partner is going to have a ripple effect back to other countries.
[C-TPAT] is a massive undertaking and a bit of a sales job.”

The truth is, the guidelines that Customs officials, and by extension C-TPAT members, are hawking are still very much on rough waters.

Moving the Global Economy

Even as Wheatley speaks, 100 miles north of his office in San Diego, ships from all over the world are easing their way into the ports of Los Angeles and Long Beach, the largest port area in the United States and the third largest in the world. The ships are packed tight with the building blocks of the global economy: 20-foot-long and 40-foot-long containers full of TV sets, tennis shoes and tomatoes. Some 20,000 containers a day (45 percent of all loaded containers coming into the United States) make their way through these ports and on to the rest of the country by way of train and truck. If you wonder what that means for the nation’s economy, just ask William Ellis, director of security for the Port of Long Beach.

“Two billion dollars a day,” Ellis says, referring to the cost of a dockworkers strike at his port in late 2002, which brought cargo shipping there to a grinding halt. “In 10 days, we had a $20 billion impact on the U.S. economy. If all shipping was shut down, it would be devastating.”

Yet that’s precisely what many observers fear could happen if terrorists managed to sneak a dirty bomb, or even just the equivalent of a car bomb, into one of those containers and detonate it in the United States.

“After Sept. 11, we threw the globalization kill switch” by shutting down air transportation, says Stephen Flynn, a former U.S. Coast Guard commander who is widely recognized as the country’s leading expert on cargo security. “My fear is that something happens on a truck or a train or a ship, and we throw that transportation kill switch again to sort things out; and we don’t even start with the [security] baseline we had with aviation.
The time it will take to restore public confidence will have an incredibly disruptive impact on the economy.” That’s because the global shipping industry has evolved for speed, reliability and efficiency—not security. Consider this: An importer can move a container holding 30 tons of material from Asia to the West Coast for as little as $2,500. That’s about 4 cents a pound. “It makes the postage stamp look a little overpriced,” Flynn quips.

U.S. companies built empires on this system, moving manufacturing offshore and slashing inventories. They came to view a certain amount of cargo theft and drug smuggling the way department stores view shoplifting: not at all desirable, but nevertheless a cost of doing business. [See also DHS, Drug Interdiction and Common Sense.] Only about 2 percent of incoming containers are physically inspected by Customs. “We basically decided that given the benefits of the system, it wasn’t worth the hassle of going after all these activities,” says Flynn, a senior fellow in national security studies at the Council on Foreign Relations.

In post-9/11 waters, of course, the risks are different than routine theft and drug smuggling, and protecting against them is a daunting task. APL, one of the world’s largest shipping companies, estimates that an end-to-end supply chain can involve up to 25 parties (each with their own facility, staff and procedure) and 35 to 40 shipping documents per container. “For a ship carrying 3,000 containers, more than 100,000 documents need to be managed to some degree,” says Earl Agron, director of port and container security of APL. Because of this tremendous complexity, no one has ever tried to secure the shipping supply chain from end to end.

That is, until now.

Uncle Sam Steps In

On Sept. 24, 2001, former chief of the Drug Enforcement Administration Robert Bonner was sworn in as the commissioner of the U.S. Customs Service, now known as the U.S. Bureau of Customs and Border Protection.
“Terrorism is our highest priority, bar none,” Bonner told the Chicago Tribune shortly after his appointment. The war on drugs was effectively over. Since then, much of the attention in the press has been on Customs’ controversial 24-hour manifest rule, which requires companies to submit shipping information to Customs 24 hours before goods are loaded onto a vessel headed to the United States. But most of what Customs (now lodged within the Department of Homeland Security) has done has been of a kinder, gentler sort.

The Container Security Initiative (CSI), for instance, is a program in which Customs officers are placed in ports around the world to search high-risk cargo headed to the United States. The program is voluntary, but an FAQ at the Customs’ website promises that “in the event of a terrorist attack using a cargo container, CSI ports would remain in operation because they have a security system, CSI, in place.”

C-TPAT, meanwhile, is the equivalent carrot-not-stick program for American businesses. Announced in April 2002, it requires member companies to conduct a security assessment of their entire supply chain, quiz business partners about security, outline plans for improvement, and eventually let Customs come in and validate those processes. In return, Customs promises members a “fast lane” through the border, along with other benefits such as the option to set up monthly billing rather than paying duties shipment-by-shipment.

“What we’re trying to do is get more detailed information [so we can] get the low-risk cargo out of the way and focus on the high-risk cargo,” says C-TPAT Director Robert Perez, who before 9/11 was one of Customs’ lieutenants in the war on drugs.

At first, the program was opened to importers only: the General Motors and Targets of the world. “They had the most clout,” Perez explains.
Carriers, including shipping and trucking companies and airlines, were brought on next, followed by the brokers and freight forwarders that serve as intermediaries between carriers and importers. Most recently, U.S. marine port authorities were added to the mix.

So far, more than 3,800 companies have signed memorandums of understanding stating their intention to join C-TPAT. Of those, more than 2,400 have filled out a security questionnaire detailing how they’re protecting their supply chain, and Customs has certified more than 1,400 of those applications.

Members are starting to see the benefits. When a new security alert is issued, “instead of peaks and valleys, we haven’t had any slowdowns,” says Randy Arnt, executive director of corporate security for paper company Kimberly-Clark. “Everybody else that’s part of this process has experienced the same thing. At this point, if you’re a large company and you haven’t been certified, you’re really at a competitive disadvantage.”

Observers also note that, as Customs had hoped, the program has cascaded far beyond the companies that are directly involved. Pinkerton’s Wilkins says that as part of the certification process, one client alone sent 1,200 letters to business partners asking about their security processes.

“It’s the domino effect,” says Agron, whose company, APL, has been on the receiving end of such letters. “They start out, ‘Dear Ocean Carrier, As part of the process of becoming C-TPAT certified, we need to know if you’re a member of C-TPAT. If you’re not, do you do the following?’ We don’t have to fill out the questionnaire because we just say we’re C-TPAT compliant.”

DHL Danzas Air & Ocean, a freight forwarder that contracts with shipping companies such as APL to move customers’ goods from one place to another, is starting to include the certification in its vendor contract negotiations.
“We prefer that any company we hire as a service provider is compliant so there’s less chance of delay,” says Art Arway, director of security for the Americas. “We don’t require that at this point, and whether we will require it is a subject of some debate.”

But at DaimlerChrysler (which is a C-TPAT charter member, along with BP America, Ford, General Motors, Motorola, Sara Lee and Target) the debate is over. The program is becoming a requirement. By FY03, DaimlerChrysler will require trucking companies that transport its products across the U.S. and Canadian border to join C-TPAT.

More Than Lip Service?

That’s just what Customs wants to hear. The problem is that right now, Customs is just rubber-stamping applications that look good. As of July, of the 2,400 companies that have applied for the program, Customs went onsite to validate only about 20 companies’ security processes. Fifteen of those companies were importers, and it’s widely assumed that about half of those were charter members, the very companies that helped Customs hammer out the guidelines in the first place.

“We’re in a very queasy period,” the Council on Foreign Relations’ Flynn says. “The challenge for C-TPAT is to move from a trust-based system to a trust-but-verify system. We have to get more policing.”

To do that, the program needs more funding than the $8.3 million it currently has. Customs has asked for an additional $12 million in C-TPAT funding for FY04 and is working on hiring more than 100 additional staff members, whose responsibilities will include helping the 30 who are currently plodding through the validations. Perez says 120 validations are in the pipeline and that he is aiming to have at least 100 done by November.

That may seem a pittance, but observers point out that the number of completed validations may be less important than the companies chosen for validation.
“If the validations are done of 100 of the biggest companies, or the first 100 who sign up, then that’s not a valid sample,” says Stuart Seidel, a partner with law firm Baker & McKenzie, who has been helping clients interpret the guidelines. “If it’s an assortment of companies, then that goes a long way to validating the program, plus it keeps people on guard. I don’t think [the small number of validations is] a problem right now because the companies that have applied for participation probably are trying to do a good job of security. The problem is going to come in the future. If Customs can’t check on the filings, a lot of additional companies that may not be as responsible will try to get into the program without adopting the security procedures.”

Perez, not surprisingly, won’t comment on which companies are being validated, except to say that the first 100 validations will include more than importers.

What remains to be seen is whether the guidelines Customs is checking against will be strict enough to make a difference. In discussing the process of joining C-TPAT, people talk about the paperwork involved, not the security improvement they’ve made. And every care has been taken to assure companies that the process won’t slow them down, which seems to hold true right through to the end. DaimlerChrysler’s Bill Cook, senior manager of corporate customs, international supply and customs supply, brushes off the validation process. “It was a couple of days’ worth of visits,” he says. “We took them to some local facilities that could well display how our supply chain works.”

“Nobody has complained that it was difficult,” says Pinkerton’s Wilkins, who has worked with about a dozen of the companies that have been validated. “Those that have been through the validation process have found that Customs was fair and reasonable, and they sort of described it as painless.
[Customs is] in and out in 10 days or less.”

But underlying such alleged painlessness is a question of whether Customs is going too far to keep the industry happy, at security’s expense. “I don’t want to be quoted as saying Customs should do a better job, but in some cases [the companies] wanted more suggestions than they got,” Wilkins says. “But Customs isn’t a consultant.”

In fact, that’s the whole problem with the concept of public and private partnerships that the Department of Homeland Security has been counting on as a way to improve the nation’s security: Guidelines have to be lenient enough that companies will volunteer, but strict enough to make a difference. “It’s a balance between the security that’s involved and business requirements, so that you don’t introduce initiatives that disrupt the economy,” DaimlerChrysler’s Cook says.

The lip service might be enough at some companies. “From time to time you’ll find [security] standards slipping, and when you go back to the business units, they say, Gee whiz, we’d like to do that but we’re in cost-cutting mode,” Kimberly-Clark’s Arnt says. “The thing I feel best about is that now we have a tool to say, ‘This is something we have to do to make sure that we remain on the fast-track program.’ That’s an easy argument to sell to management.”

The question: If there is some kind of terrorist attack involving cargo security before C-TPAT has the credibility that Customs hopes it will gain, will the entire program be sunk?

“If we don’t get enough muscle into the initiatives to make people confident, my fear is that the inherent good wisdom [of Customs’ voluntary programs] will get discredited,” Flynn says.
“The trade industry has not come to grips with the fact that, post-event, the things they’re doing just aren’t going to pass the public confidence test.”

And that could mean that, for all the public and private partnerships kumbaya-ing, in the long run, C-TPAT will be nothing more than the groundwork for industry regulations. “Anything is possible,” Customs’ Perez admits. “I’m not going to say that that isn’t something that’s a possibility. But there is no serious talk to that end for now. The focus of this program from the get-go has been on self-policing.”

APL’s Agron, for one, is cheering him on. “We’re a Bob Perez fan, a C-TPAT fan, because if C-TPAT fails then we’re going to look at government mandates that are devised and defined by people who don’t understand security,” he says, noting that one law introduced in the U.S. House of Representatives last February essentially proposes that 100 percent of all cargo entering the United States be inspected. “Obviously you can’t do that,” Agron says. “The fact that the law has even been proposed says that we really have to make this work.”