Security Compliance - Customs Rattles the Supply Chain

Between 2002 and 2005, the Department of Homeland Security spent $75 million to track several companies’ cargo containers coming into the seaports of Seattle/Tacoma, Los Angeles/Long Beach, and New York/New Jersey. The project, called Operation Safe Commerce, used GPS technology and radio frequency identification to monitor cargo from a handful of major importers (including Sara Lee and Motorola) as it made its way from overseas factories to its final destination in the United States.

The goal of Operation Safe Commerce was to identify weak links in the global supply chain. A report summarizing its findings was due more than a year ago, in February 2005. To date, for a variety of reasons, no report has been released. But sources close to the project have told CIO that Operation Safe Commerce revealed that companies actually know very little about what goes on in their supply chains.

Among common unsafe practices identified by these sources were: truckers dropping off containers without ever encountering terminal security, containers left in unsecured areas, and containers bypassing a port that’s considered safe (even if scheduled to pass through that port) and traveling instead through a country that poses a greater threat—without either the company or U.S. Customs and Border Protection being informed.

According to Steve Schellenberg, a senior consultant at the trade advisement company IMS Worldwide who worked on Operation Safe Commerce for the port of Seattle, the project "showed us that there needs to be a quantum leap in the information we possess about the supply chain."

Companies will have to find a way to make that leap—possibly within the next year—because soon the government will make sharing this information a cost of doing business for every company that engages in international commerce.

The mechanism for the government’s initiative is already in place: the Customs-Trade Partnership Against Terrorism, or C-TPAT, which requires that companies take responsibility for the security of their supply chains. C-TPAT is currently voluntary, but program members say that the benefits of compliance—which include reduced wait time at borders and fewer inspections—will make participation an unavoidable cost of doing business.

"There’s really very little that Customs can do to speed things up," says Schellenberg. "But they can sure as heck slow you down."

Furthermore, members of the trade community believe that the government will eventually make C-TPAT participation mandatory, although a spokesman for Customs disputes that. CIOs need to begin preparing now, or they could find themselves facing a massive last-minute hurry-up, comparable to their Sarbanes-Oxley travails, if they don’t want to watch their company’s containers get held up at Customs while their competitors’ crates sail through.

"There’s no doubt that this is going to happen," says Kevin Smith, general director of global customs for General Motors. "This is an inevitability."

The Nightmare Scenario: When, Not If

Right now, information about any given supply chain is hard to come by. And that’s by design. The goal of supply chains is to get something that’s needed—a part, a product—to where it’s needed as quickly and cheaply as possible. If a container arrives too late to be loaded onto one ship, it’s rerouted and loaded onto another. And as long as the container arrives on time—or close to it—no one need be the wiser. In fact, historically, each person or entity that handles a shipment collects and shares information only to the extent necessary to guard against liability.

Similarly, Customs was created to enforce tariffs and calculate import taxes. And while Customs’ role expanded to combat drug trafficking in the 1980s, regulating trade was the department’s primary job until September 11, 2001. Now, says Robert Bonner, former commissioner of U.S. Customs and Border Protection (he resigned in November), "The priority mission of U.S. Customs is national security."

Experts say that Bonner, who was sworn in at Customs on Sept. 24, 2001, was right to change the agency’s focus. Most agree that the likelihood of terrorists attacking the United States through the global supply chain is so high that it’s a matter of when, not if. Such an attack (most analyses focus on a dirty bomb) won’t primarily be designed to kill a lot of people, but to cause panic. "It isn’t the event but the sudden lack of faith in the system that it causes," says Stephen Flynn, senior fellow for national security studies at the Council on Foreign Relations.

If a bomb goes off, Flynn says, there will be huge pressure on the government to close all the nation’s ports until every container on every site in the country is inspected. An October 2002 war game that mimicked that scenario found that closing the nation’s ports for as many as 12 days created a 60-day container backlog and cost the economy roughly $58 billion. "Any incident would shut down commerce," Sen. Patty Murray of Washington told CIO. Murray is the ranking member of the Senate Appropriations Committee Subcommittee on Transportation, Treasury, the Judiciary, Housing and Urban Development and Related Agencies.

Securing the Supply Chain: Sox and C-TPAT

Customs has developed a two-pronged strategy to prevent the dirty-bomb scenario. First, it’s asking companies to assume responsibility for their supply chain security.

Legally, a company is responsible for a container only when it formally purchases it, which—precisely for that reason—usually doesn’t occur until it reaches a port, either in the United States or abroad. Target, for example, typically does not legally purchase the clothes it orders from China until they arrive in the terminal. But the government wants importers to take responsibility for everything that occurs prior to purchase, even if the container is in the custody of a trucker in China or a longshoreman in Rio de Janeiro. The principal vehicle for this is C-TPAT. This so-far voluntary program gives certain benefits, such as reduced inspections, to companies that can show they meet a minimum level of supply chain security. The better a company’s security (as judged by Customs auditors), the more benefits it receives. There are currently three tiers of C-TPAT compliance, and containers belonging to members in the top tier sail through Customs virtually uninspected.

If C-TPAT is the carrot, then the Sarbanes-Oxley Act (Sox)—which requires that companies put in place reasonable safeguards against events that could materially affect the company’s value—is the stick. There’s little doubt, experts agree, that events in the supply chain fall under the Sox umbrella. (See "Sox and the Supply Chain," Page 44.)

With both C-TPAT and Sox, IT’s job is the same: Secure the data, make sure that purchasing and security have access to one another’s information, and collect more data about what is happening in the extended global supply chain.

The second prong of Customs’ strategy is to collect as much information as it can about what’s happening in the supply chain so that, through data mining, it can spot anomalies. The key to this is the Automated Commercial Environment, or ACE, a $3 billion-plus trade processing system begun in 2000, which Customs plans to complete by 2010. ACE has modules that do everything from serving as Customs’ ERP system to targeting containers for inspection. Within the next six months, carriers entering the United States through land-border crossings in seven states will be required to send close to 100 data elements to Customs, including information about the vehicle, its driver and its cargo. If they don’t, they don’t get in. Customs is also piloting an ambitious ACE add-on called the Advance Trade Data Initiative (ATDI), which requires importers to share with Customs every bit of information about a shipment, including the purchase order, which ports it passes through, proof of delivery and its final destination within the United States.

"ATDI will make companies collect information that they haven’t collected before, share information they haven’t shared and provide information earlier than they’ve been required to provide it before," says GM’s Smith. For example, it’s the rare company that knows where on a ship its container is located, but ATDI will require it.

Eventually, experts say, Customs plans to make ATDI participation a requirement for tier-three C-TPAT certification. (Customs says that ATDI participation qualifies participants for tier-three status, but that it will not be a requirement.) Soon, companies that achieve this level of compliance will be rewarded with a Green Lane designation—essentially a "get out of Customs free" card that will do for borders what E-ZPass does for highways.

"A huge number of containers come into our country," says Sen. Murray—about 9 million a year. "Right now, we don’t know what’s in them, who’s handled them, if they’ve been opened."

If the government gets this information, it can clear most containers before they even reach the United States. This will allow Customs to focus its limited resources on the containers it knows the least about.

As Murray puts it, "We’re trying to reduce the size of the haystack."

The Secure 10,000

After 9/11 there were calls by some members of Congress to inspect each and every one of those 9 million containers coming into the country. But the vast majority of those containers are filled with legitimate goods from legitimate sources heading to legitimate companies. "The question we faced was, Can you risk-manage for terrorism?" says Bonner. "If the answer is yes, you can spot-inspect." (For more on the issue of risk-managing onetime events, see "Managing the Terror Risk," this page.)

In July 2002, Bonner unveiled C-TPAT, which, by shifting that burden onto the importers, was designed to reduce the need for the government to inspect containers. Since then, over 10,000 companies have applied for C-TPAT membership. In 2005 C-TPAT members accounted for 42 percent of all imports by volume.

There are three tiers of C-TPAT membership, each of which comes with progressively fewer inspections. The first level simply requires an attestation that your company has performed a risk analysis of its supply chain and has taken steps to mitigate any vulnerabilities. So far, 5,757 of these attestations have been accepted by Customs. Tier-two members have had this attestation validated by Customs officials. Right now, 1,511 companies have achieved tier two (another 2,273 validations are in progress). Tier-three members are companies that Customs has determined follow supply chain security best practices (although Customs has not yet defined any). These are the companies that will be eligible for the Green Lane. Only 126 companies to date have qualified for tier three, including Boeing, General Motors and Target.

How to Get Your Green Lane Ticket Punched

Securing your supply chain data is the most obvious step to reach at least tier-two C-TPAT status (although eventually, sources say, there will be only a tier three; everyone else will be treated the same—poorly). And no one should be surprised that it’s important to encrypt and protect information about the schedule and location of your shipments. But securing supply chain data goes beyond that. Importers have to attest to their partners’ security. "We had an audit [at a partner’s factory] in South Africa, and they grilled them about IT security," says Jim Wigfall, VP of supplier management for Boeing Shared Services. Customs auditors checked the partner’s firewall, backup systems and access controls. (The company passed.) Now Boeing does the same every time it vets a potential partner against C-TPAT requirements.

It’s also important to limit access to supply chain information. "If the bad guys know that IBM is going to ship products from point A to B on a particular Tuesday, it gives them a leg up," says Debbie Turnbull, IBM’s program manager for supply chain security. A bad actor inside a company could alter the information attached to a container from Karachi, Pakistan (which might raise an alarm), so it looked like it was coming from a factory in Hong Kong (which might not). Or that bad actor could pass scheduling information to a crony outside the company. IBM uncovered one such plot a few years ago. A worker in a plant in Mexico noticed that one container he was about to load was 53 feet long on the outside, but only 50 feet long on the inside. Upon inspection, it was found that the container had a false back, behind which was hidden several million dollars in narcotics.

While it’s important to keep information about shipments from people who don’t need to know, it’s equally important that the people who do need to know the details have access to them. For CIOs, this means integrating the systems used by the purchasing and supply chain organizations, and making sure that the system can capture information such as a country’s security profile. The integration benefits both departments, says Ron Miller Jr., Customs compliance coordinator for P&G’s Global Cross Borders Group. Making purchasing information available to the supply chain group allows it to identify low-risk partners and pass that information on to Customs for C-TPAT validation. If, for instance, you can show that something is a regular shipment from a secure business partner, it is less likely to be inspected, says Miller.
