Original article from Security Management – ASIS Online, February 1, 2015, by Lilly Chapa (Also appears in February 2015 print issue
It was Christmas Eve in Tampa, Florida, and Laura Hains, CPP, a Customs and Border Protection (CBP) supervisor, was awoken by a phone call: “Laura, we have an anomaly. You need to come in.” She drove to Port Tampa Bay, the largest port in Florida, where she worked as a cargo and port security specialist. When she arrived, the crew filled her in on the details: a shipping container of crackers from Italy had arrived at the port, and a standard scan had revealed a large, dark mass in the center of the container. The mass was recorded on the scanners as possible radiological material.
Oh gosh, this is it, Hains thought.
By the time Hains had called all the people who needed to know, it was Christmas Day. Officials were hopping on expensive last-minute flights to Tampa, and local law enforcement was called to the scene. Hains and her team opened the back of the container and began unloading it. As the supervisor, Hains offered to climb in first. It took almost two hours of rearranging and removing boxes to reach the center of the container, and each step Hains took destroyed the cargo beneath her feet. She dug down, looking for the anomaly…and discovered a crate of wine the shippers had sent as a Christmas present.
Hains has seen a lot in her 20-plus years in the port security industry, and fortunately most of her experiences have been as benign as the Christmas incident. However, she says it’s only a matter of time until some group takes advantage of the maritime supply chain to debilitate a U.S. port, or worse.
“The fear is that out of the 4 million containers that arrive in U.S. ports each year from around the world, all it takes is one to bring a dirty bomb,” Hains said during a maritime security session at the ASIS International 60th Annual Seminar and Exhibits.
And Hains is not the only one with concerns about port security. The Government Accountability Office (GAO) recently published reports and testified before Congress about the challenges faced by port security programs, as well as the need for the U.S. Department of Homeland Security (DHS) to address port cybersecurity.
Stephen Caldwell—who last month retired as director of homeland security and justice at GAO—spearheaded the two reports, Progress and Challenges with Selected Port Security Programs and DHS Needs to Better Address Port Cybersecurity. He says that one issue plaguing U.S. ports is the failure to assess various security programs.
“There are a lot of challenges in developing meaningful performance measures,” Caldwell says. “In terms of the security measures you have in place and your ability to measure the things you have in place, there are real difficulties in measuring things like deterrents and security.”
That’s not surprising, considering the activity that takes place at U.S. maritime ports. More than $1.3 trillion in cargo enters the country by sea annually, and approximately 90 percent of the goods consumed in the United States come by vessel, Hains said. Two ports, the Port of New York and New Jersey and the Port of Los Angeles and Long Beach, receive half of all those containers.
“As security experts, that should be a little alarming to you, because that means that if those two ports got hit, 50 percent of our container traffic would go down,” Hains noted.
DHS is the lead federal department when it comes to port security. The Transportation Security Administration (TSA) controls who can enter the ports. The U.S. Coast Guard conducts facility and vessel inspections at ports, and the CBP is involved in screening throughout the global supply chain process.
Port security, and maritime supply chain security in particular, is dictated by a number of laws and regulations intended to enhance security. Some of these regulations were analyzed in the GAO reports. The Security and Accountability for Every Port Act (SAFE), along with the 9/11 Commission Act, requires DHS to implement 100 percent screening of all cargo that enters U.S. ports, as well as 100 percent physical scanning of high-risk cargo. And the Container Security Initiative (CSI) places CBP officials at selected foreign ports to assess the risks of shipping out of that country.
Here’s how a shipping container moves from overseas to a U.S. port under the various shipping regulations: Before the cargo container is loaded onto a vessel, its manifest—the list of cargo in the container—is screened by CBP and a risk score is assigned to the container by an automated targeting system. Where it’s coming from, whether it’s from a trusted shipping company, and the type of cargo being shipped are all factors considered. If the score passes a certain threshold, it’s flagged for extra radiation and x-ray scanning, in accordance with the SAFE Port Act. If it passes, the vessel is then sent on its way and eventually arrives in a U.S. port, where, depending on the targeting system score, it may undergo another x-ray or radiation scan.
This current method concerns Hains. The risk score is based on the manifest, not the cargo itself, and it doesn’t necessarily account for a stop in another country before arriving in the United States. For example, a container could be shipped from Pakistan to Spain, then from Spain to England, put on a new boat in England, and sent to the United States. The CBP officials at the receiving port will only know that the container came from England and may not screen it as thoroughly, Hains explained.
“These containers and ships move by trust, based on what’s on the manifest, passenger list, and port assessments,” Hains said. “Every day in the United States, vessels arrive and containers arrive, and we believe what it says on the manifest.”
The GAO also found flaws in the current system. The agency notes that the automated targeting system used to rate containers is based on outdated intelligence information, and Caldwell says the organization is auditing the ranking program to learn more about how effective the practice is.
Another concern the GAO raised in its reports is the effectiveness of screening mandated by the SAFE Port Act. The law was initially supposed to be implemented in July 2012, but in May 2014 the secretary of homeland security extended the deadline until May 2016. However, only an estimated 4.1 percent of containers are currently x-rayed before they come to the United States.
“DHS’s position is that this is not doable and not something that really makes sense, but it’s still a statutory requirement and will remain so until the law is revised,” Caldwell explains.
GAO found that some international privacy laws prevent the sharing of screening information, which makes the SAFE Port Act challenging to implement, Caldwell says. After a container is scanned overseas, communicating the findings becomes difficult due to issues such as who owns the data, whether it can be shared with the United States, and even whether CBP, a private company, or the host government should do the scanning. DHS believes that scanning all cargo, including trusted or low-risk containers, is not the best use of its resources, he explains.
“Even if you went to that 100 percent scanning, until you look at the details of the implementation, it’s hard to know if it would even improve security,” Caldwell asserts. “If there’s no training standard, then you get the Pakistanis or Indonesians, as well as others, like the Brits and New Zealand, and do they have the same training? Do they have the same level of skill in interpreting those x-ray images?”
The CSI, which places border patrol officials in foreign ports to conduct risk assessments, is “the biggest boondoggle that the CBP has,” Hains said. According to the GAO report, CBP has not assessed the risks posed by foreign ports that ship cargo to the United States since 2005, which means that many of the 58 foreign ports that participate in the initiative haven’t been assessed for threats in a decade. Both Caldwell and Hains question how well the foreign ports are managed by CBP officials.
Another concern Caldwell has is the sustainability of the current port security systems. Budget cuts have caused both CBP and Coast Guard personnel to be pulled from port security.
In June of last year, the GAO released an entire report on port cybersecurity. Like most critical infrastructure, maritime stakeholders rely on numerous types of information and communications technologies to manage cargo, the report states. Port owners and operators are responsible for the cybersecurity of their operations, but the report found that ports are receiving little to no guidance from the federal government.
The report cites a 2011 cyberattack on the Port of Antwerp as an illustration. In that incident, hackers accessed the computer systems of two container terminals, which allowed them to track and control the movements of certain containers. Criminals in another country would place illegal goods in a container, and once it arrived in Antwerp the hackers could divert it so it would not be screened before it left the port. This went on for two full years until officials arrested nine members of the criminal group in 2013 and seized almost a ton of heroin, as well as firearms and other contraband.
Caldwell says he was surprised at how weak maritime cybersecurity initiatives are. “There have been national-level strategies and presidential directives that have clearly said, ‘Hey, federal government, you need to start looking at the cyber as well as the physical aspects of security.’ And yet the Coast Guard was not moving smartly.” Since the cybersecurity report came out, Caldwell says the Coast Guard has agreed to take steps to address the cybersecurity threat.
One way to make the supply chain more secure and consistent is proper training, Hains said.
Due to budget cuts and CBP reorganization, it’s increasingly common for immigration officials with little to no customs and shipping training to be put in charge of interpreting the cargo risk assessments.
A well-trained official should be able to consider not only the manifest and the automated risk assessment score, but the origin of the products, the weight of the crate, and more. Hains said that an experienced official may notice that the container weighs more than it should as indicated by the manifest, or that it’s from a first-time shipping company, even though it’s from a trusted country. These would make the container high-risk, and officials could further scan the cargo before it gets to U.S. shores.
Another solution Hains advocates for is the implementation of container security devices. She notes that the technology is still new and expensive, but the sensors can be retrofitted onto any container and would alert officials to the presence of numerous chemical tracers, as well as carbon dioxide to detect humans, light sensors to detect whether the container has been compromised, and geofencing to make sure the container or its contents aren’t stolen.
“It’s the only way we’re going to make ourselves safe,” Hains said.