Start discussing how realistically to secure the U.S. global supply chain and you are quickly confronted with the magnitude of the components involved and the extraordinary number of participants along the route. On the one hand, global supply chain experts stress the need for worldwide security standards regarding technology, equipment and best practices; on the other hand, developing such standards (to say nothing about actually implementing them) requires an unprecedented amount of cooperation among the world's different governments and corporations.

The experts we interviewed, highly astute participants with real-world expertise, well appreciate this dilemma. Their key message: in the near-term don't obsess about perfection and zero-tolerance; do what you can and keep improving. “Focus on what your real vulnerabilities are and have in place a safety-and-preparedness plan for all hazards,” suggests James G. Liddy, CEO of Liddy International (Alexandria, Virgina), an all-hazard mitigation firm. “When you enhance your safety procedures and integrate them into your security you create efficiencies,” he adds. “With this approach, you don't have to invest a lot of money. This approach to security is what I refer to as safety on steroids.”

A delicate balance

If experts agree that searching every piece of cargo is unrealistic and that excessive focus on security can slow the cogs of global commerce, what should be done? “The alternative is embodied in the World Customs Organization (169 countries including the U.S. accounting for 99 percent of global trade) standards (out last year), which state security begins at the origin of the global supply chain and ends at the point of destination,” says James Giermanski, PhD, director of the Center for Global Commerce at Belmont Abbey College, Charlotte, North Carolina. “Comprehensive end-to-end supply chain security like this automatically takes care of port security.”

Mike Mitre, director of port security for the International Longshore and Warehouse Union-a division of the AFL-CIO-headquartered in San Francisco, wishes things were that easy. He and his colleagues remain anxious; concerned that port security is just not happening. “Of course no one wants to slow down the supply chain-but we can't sacrifice security for commercial concerns either.”

Mitre is a player in Washington, a frequently consulted authority on Capitol Hill where he has the ear of many in Congress. He understands the problem he confronts. “Congress is heavily lobbied by large terminal operators and shippers who say anything that slows commerce or cargo delivery is not acceptable,” he notes. One possible source of the problem: some 80 percent of U.S. terminals are owned and operated by foreign entities, primarily shipping lines. Within the 15 major U.S. ports, only eight of approximately 100 terminals are operated by U.S. companies.

RILA-Retail Industry Leaders Association-lobbies on security policy with the goal of ensuring the efficient flow of commerce. As the largest group of users in the maritime supply chain, its members have a foot on either side of the fence as they monitor security and speed. “Our members invested millions of dollars into supply chain security,” notes Paul Kelly, senior vice president of government affairs for the Arlington, Virgina-based organization whose members include large retailers.

Home Depot is an example. The company is the third-largest importer of containerized volume into the U.S., with about 160,000 40-foot equivalent units annually and revenues of over $80 billion (2005). According to Benjamin Cook, senior manager for global trade service for the Atlanta-headquartered corporation, the company struggles with the question of how to balance commercial velocity with secure ports and global supply chains.

Follow your nodes

Compounding the inherent difficulty in multi-national collaboration is the enormity of the chain itself. Security is dependent upon trustworthiness beginning at the factory where goods are loaded, to the drayage companies carrying goods to ports, to ports and customs workers, to ocean carriers, to destination ports and customs workers, to destination drayage companies, to D/C and warehouse workers, to the final drayage companies. Experts call each of these interconnecting points critical nodes.

Securing those critical nodes, or at least enhancing their resiliency, can often seem overwhelming. The cascading effects caused by a catastrophic event, however, serve to stimulate the search for solutions. “Response and recovery is as important as your deterrent defense,” Liddy emphasizes. In working with clients he engineers events as would a terrorist to suggest necessary precautions. “I could exploit critical operational nodes to embarrass a corporation or destroy it,” Liddy explains. “Or I could create a liability issue and cause enormous public embarrassment.”

“Drop me in the middle of any country, show me a factory and in many cases I can tell you in as little as 30 minutes on the site what and where its vulnerabilities are. Then we can take the probability of a threat, convolve it with the vulnerability and provide solutions as to how the factory can protect itself. It is a reverse-engineering approach using my expertise in systems analysis and targeting,” he explains. “The point is, if you create layers in your safety and security plans and procedures, you can stop someone like me-and therefore you can stop just about anybody.”

The reflex response among most of those charged with security operations is to turn to new technology and equipment for protection. While not a mistake in itself, excessive reliance on hardware can have negative consequences. “You don't want to enclave an entire corporation against WMDs,” cautions Liddy. He suggests first determining what, statistically, are the most likely threats and then determine where the vulnerable areas are in order to mitigate them. “We do what's called 'critical nodes mapping' to discover where those single points of failure are that can initiate cascading effects.” They could be as innocuous-seeming as the computer program a company uses, or contract guards. “You take a threat versus a vulnerability and determine how to respond, based on the critical operational functions. If it's a huge vulnerability or has the potential for cascading, then you plug those gaps to create a deterrent.”

Home Depot follows this approach with risk-modeling techniques it developed. “We look at 35 global risk elements and one of those is threat of terrorism,” Cook says. “We use that technique to help us roll out a strategy that is most appropriate to the country we are sourcing from. When it's from a high-risk country, I step up my security procedures. There really are not a whole lot of high-risk countries.”

Joint ventures

Cooperation and understanding among all participants, including governments, is requisite to firm up the security landscape. But at present, warns Liddy, “Not enough is happening. We're in a new era where people are beginning to understand what the threats are and that they continue to evolve.” That's the first step, recognition. It's the second that is lagging according to Liddy. “There needs to be a new approach to prevent those cascading effects.”

RILA members, on the other hand, tend to endorse the current risk-assessment-based, multi-layered approach in place, through which the U.S. government assesses cargo information before containers are loaded onto ships heading to our shores. “This approach has worked, but it can be strengthened,” says RILA's Paul Kelly. “We support policies like the SAFE (Security and Accountability for Every) Ports Act that improves this approach. It would also strengthen C-TPAT, in which our members participate.”

They resist across-the-board mandated standards. Each RILA member experiments with technologies and security measures that work best for them, Kelly points out. “This is why we continue to work with Congress to educate them on why a one-size-fits-all approach is not the best approach.”

RILA continues to urge Congress against rushing into mandating any of the various 'technological silver bullets' out there. He cites the example of ISIS (Image and Scanner Interface Specification) scanning technology used in Hong Kong, which does radiation and density scans. “That process adds six or seven minutes to the movement of each container, according to testimony given in Congress this year,” Kelly says.

With 11 million to 12 million containers entering the country each year, lawmakers need to think about the implications this will have on the movement of goods and of the overall economy, cautions Kelly. Compounding this problem is the absence of a plan to handle or review such gathered information. “Mandates don't produce any greater security than the current risk-based approach, which pulls and inspects any container that doesn't appear to have enough information,” Kelly adds.

Ideally, the combined efforts of private and public sectors each working in their own domains would dovetail to provide a layered approach to global trade security. “Let the policy makers do the policy, but they shouldn't run the operational ground-level operations, because that just never works,” says Liddy.

It's the various layers of security that provide strength, continues Liddy. These layers include physical security; intelligence and communications; an understanding of how to follow the money and financial transfers; and data storage.

The southern U.S.-Mexico border offers a prime example of the need for such expanded public-private and inter-governmental partnerships. Mexico continues to present security challenges in over-the-road freight into the U.S. For instance, a container might be opened as many as 10 times along multiple checkpoints, not always being properly resealed according to Cook. “Often, the Mexican military will not sign off on the paperwork to validate they've opened the container,” he says. “This underscores how much we need global standards so foreign governments abide by the rules.”

On the waterfront

Serious students of global supply chain security advocate multiple 'eyes and ears' along the way to detect anomalies-kind of a lean manufacturing approach to security in which everyone in a corporation is charged with identifying potential problems before they become serious problems. “Anomalies are something we were always on the lookout for in my old business,” explains Liddy.

Ironically, it can be technological 'innovations' themselves that get in the way of this collective approach. “In the past when we saw a padlock instead of a seal on a container, we called Customs and opened it with them,” explains Mitre. “The things we used to do were just a way of doing business every day, and those things we did automatically took care of security. Now, every can is an anonymous steel box.”

A staunch advocate of established security practices which have evolved over time, Mitre is wary of the flood of new, untested solutions washing upon the landscape. “You will always need technology and a small percentage is valid,” he states. “However, some of the best practices we created over the years have been abandoned. Yet they are logical, they work and they are cheap approaches to port security.”

Such best practices include something as seemingly routine as having a receiving clerk on the ground checking to assure seals have not been tampered with; or that every seal is numbered and matches with manifest documentation.

About 20 different seals are used internationally, says Mitre, and often the destination port does not know what kind was put on at the port of origin. If particular seals were used by particular ports, it would expedite incoming cargo at U.S. ports. “But people refuse to do this,” he says.

As for technology, Mitre has a hands-on perspective through thirty years' experience. “I have a problem with security loopholes they create that were never there in the first place,” he states. He cites a case involving the shipment of a container of 95 bottles of camping propane and a small car (with an empty fuel tank) with a leaking battery. “There used to be a marine clerk at the gate who inspected the manifest and would placard such a container with a 'hazardous' sign,” he explains. “With automated systems now, all you have is a guy in a remote location watching a screen with what I call a 'dumbed-down' version of information. My point is the new technical gating systems inadvertently exclude some of the best-practices security measures we had adopted over years and years of experience.”

Empty containers pose another security concern. They return to the terminals with no seal to indicate they are empty and they are not opened to verify they are empty. “Someone could easily load an empty container with anything and know that it will be put onto a ship without being inspected. That is not acceptable to me,” Mitre says.

It's not the silver bullet…nevertheless

“Many people out there think security is as easy as putting a piece of technology on a container,” cautions Home Depot's Cook. But in light of the fact that the average international transaction involves 25 parties and 30 documents, the intent of the technology must be clarified at the outset. “The big question concerning technology is: 'What is the end goal?' Is it to determine if something is inside the container-or is it to determine whether the door of the container has been opened? That makes a difference.”

And door devices, even when installed, don't alert you if a hole is welded in one of the sides (a common technique with garden-variety thieves). “So technology still has a way to go,” says Cook. “The best thing companies can do is to visit their factories and talk about C-TPAT and encourage their suppliers to comply using contractual measures as incentives. It makes a huge difference when you are actually on the ground asking questions and documenting what you find. You can't run a cargo security program from corporate headquarters.”

In search of global standards

“It's all about pulling these things-equipment and technologies deployed throughout the chain--together in a choreographed plan,” Liddy says. He underscores the importance that systemic security be extended internationally and advocates a key mantra of Charleston, South Carolina-based Safe Ports that states cargo cannot move efficiently if it cannot move safely and globally. “I can tell you if I were going to infiltrate a U.S. port, I would first look for a vulnerability/opportunity overseas and work my way in. I would exploit the gaps that already exist-but that's a whole other story.”

Home Depot seeks such end-to-end security and responsibility. Working with its suppliers and other supply-chain partners overseas and in the U.S., Home Depot stipulates in its contracts that partners must follow minimum security standards established by U.S. Customs. “We reserve the right to audit overseas factories anytime and deficiencies must be addressed,” explains Cook. The corporation uses only carriers validated through C-TPAT, thereby reducing its stable of ocean carriers.

He concedes the biggest issue facing shippers is the sheer amount of manual labor required to check seals. The U.S. government has been working on a seal protocol that is expected to roll out in 2007. “The problem with the protocol is that it's unilateral,” Cook continues. “I have spoken with security directors at various ports around the world and most tell me that unless their own governments require them to do this, they will not comply with the U.S. protocol.”

One compliance technique Cook and his colleagues, working through the International Chamber of Commerce, are exploring is to tie cargo security with free trade agreements through the WCO. “We support the WCO framework of standards developed last year on cargo security,” Cook says.

Indeed, the U.S. could encourage other countries to adopt global security standards by embracing and adhering to the WCO framework. “Countries could still develop their own security protocols,” notes Cook, “but these would follow the agreed-upon elements within WCO. If they do this, we can treat certified companies as we do companies validated through C-TPAT.”

In the interim, however, security remains very much 'every company and country' for himself. And so long as this is the case, those 'critical nodes' remain exposed.

Sidebar:
Successful Public-Private Initiatives Through Voluntary Compliance

BASC (Business Alliance for Secure Commerce), with a presence in 15 countries, is a business-customs partnership promoting safe international trade in cooperation with governments and international organizations. “Our vision is to be a recognized world leader in securing and facilitating international trade,” says Ana María Carbo, executive director of BASC in Barranquilla, Colombia.

BASC, in operation for 10 years, operates 29 regional chapters and works with 1,934 BASC-certified companies. BASC works primarily with countries in Central and South America and is working to establish a stronger global presence. “Our relationships with businesses, governments, customs, law enforcement agencies and international organizations have made us a successful alliance,” Carbo says. Endorsing the broad use of universal risk-assessment tools, BASC developed standards and processes over the years that are beneficial to global trade, such as cargo traceability and faster cargo movement, Carbo says.

“We work with customs administrations and their counterparts from international businesses, giving them the opportunity to comment on the revised annexes and appendices of the WCO Framework of Standards,” Carbo says, adding BASC actively participates in WCO standards discussions.

Carbo sums up the need for governments to cooperate with their respective national businesses: “I think the reality of the world situation will force countries to be willing to do this because countries need to export their goods. You cannot live isolated in this world.”

Security on Steroids: Risky Business