Collaboration among companies plays two important roles in reducing the likelihood of disruptions. First, it allows them to learn from others so they can each use the best experience available to operate securely. Second, because many disruptions arise from outside the “four walls” of a company or propagate to and from others in the supply chain, collaboration allows for coordinated prevention efforts among trading partners. Collaboration is, of course, also crucial for resilience, providing early warning when something goes awry somewhere in the process and enabling coordinated mitigation efforts if the supply chain is disrupted.
The focus of this chapter is on collaboration for security—aiming to reduce the likelihood of a disruption. In addition to cross-industry cooperation, this chapter describes the role of public-private partnerships in preventing disruptions from crime and terrorism. Such partnerships are imperative given the role of government authorities in intelligence gathering, alerts, and deterrence.
Risk sharing between trading partners can mitigate the bullwhip effect, avoid costly misalignments, and increase the expected profits of all participants. To enhance security, however, companies should band together not only with suppliers and customers, but even with competitors. Such collaboration might include sharing information on threats, creating a coordinated interface with law enforcement agencies, sharing security best practices, and developing industry-wide security standards.
Intel’s efforts in freight security did not go unnoticed by other high technology companies. It started with several of Intel’s customers, the original equipment manufacturers (OEMs), who asked to learn from Intel’s experience. The result was that in 1997, Intel joined with other high technology companies to form TAPA, the Technology Asset Protection Association.1 The nonprofit TAPA provides a venue for sharing knowledge about cargo security and developing standards for freight security in the high-tech industry. Overall, TAPA had in 2004 some 450 members representing all echelons of the high-tech supply chain, including chip makers like Intel, AMD, and Xilinx; device makers like Apple, Cisco, and Dell; and contract manufacturers like Celestica and Solectron.
In the late 1990s, the benefits of business collaboration were well established. Companies were working together with their trading partners to combat the bullwhip effect and working together with competitors to coordinate lobbying efforts, invest in basic research, and participate in standard-setting bodies. Working together to coordinate security was a logical extension.
Collaboration and information sharing, however, are not the natural tendencies of security professionals. Most senior security officers in large multinational companies are veterans of law enforcement agencies and the military. Befitting its global presence, Intel hires not only ex-FBI, CIA, and U.S. Customs personnel, but also veterans of other respected security services such as Israel’s Mossad, the British MI5, and the Hong Kong police. Steve Lund, Intel’s director of corporate security, had 15 years of law enforcement experience, including six years as an FBI special agent, prior to joining Intel. Such operatives are not always inclined to share processes and methods with each other, and they are even less inclined to collaborate with people outside the security community. Consequently, it took some time for TAPA to coalesce and for its members to realize the value of sharing security methods as well as data and metrics on disruptions, attacks, and losses. The most potent argument for cooperation was probably that such sharing allowed the security professionals to make the business case for security investments inside their own companies.
TAPA first created standards for freight security. For example, TAPA created a set of contractual terms and conditions that members may use to ensure that freight carriers protect shippers’ high-tech, high-value goods. In 2001, TAPA created standards for auditing freight carriers and even created an independent audit program. The methodology includes risk scoring and a set of risk-dependent compliance criteria; to attain certification for serving the highest-risk facilities (those carrying large volumes of expensive products), transportation carriers must meet 70 freight security requirements.2 TAPA explicitly avoids blacklisting carriers; it only highlights which carriers are compliant and provides a basis for understanding the security strengths and weaknesses of each carrier.
Unfortunately, TAPA’s prescriptive approach to carrier security created some tensions with the carrier community. For example, many large carriers think that they know better how to secure their own operations and should not be subject to their customers’ ideas of security, particularly because shippers do not shoulder the cost of increased security. In addition, carriers complained that several shippers used the TAPA security guidelines in order to obtain price concessions from carriers who were not in complete compliance. Such frictions may be part of the normal commercial environment between carriers and shippers, and many of these frictions may subside as carriers are able to integrate security processes in their regular operations, finding business benefits in such measures.
In 1999, a regional TAPA organization was formed for Europe, the Middle East, and Africa (the EMEA region). TAPA EMEA created a confidential incident information web space, called eTAPS, for reporting losses. This enables TAPA members and European law enforcement officials to spot emerging patterns in supply chain crimes without giving away confidential data.3 Building on this success, in 2000, TAPA Asia and the TAPA Worldwide Council were formed.
Coordination with local authorities has yielded results. For example, in May 2004, a cooperative effort between TAPA EMEA and London’s Metropolitan Police led to a substantial number of arrests involving organized crime gangs who were targeting high technology components being transported through Heathrow Airport4 (affectionately known as “Thiefrow Airport” among security professionals).
Additional lessons in the value of collaboration among direct competitors can be learned from service industries, even though they do not handle physical products.
When Kevin Lewis sat down at the high-stakes blackjack table inside an Atlantic City casino in 2003, he planned to win big. In the 1990s, the former member of an infamous group of MIT students5 had helped his team win millions of dollars at blackjack by keeping track of the aces and face cards played. (Card counting can substantially change the odds of blackjack in favor of the player; that is why casinos refuse to allow card counters in.)
But winning was not in the cards that day. Moments after Mr. Lewis sat down, the pit boss got word of Lewis’s card counting past. “It was obvious that somewhere and somehow I had been made,” said the 30-year-old Lewis, who bolted before the pit boss could summon help.6 Kevin’s departure was a result of close cooperation among many of the world’s casinos.
Unwelcome gamblers come in all shapes and sizes. They include card counters, false shufflers, bottom-dealers, and card switchers. They also include users of gadgets designed to change the winning probabilities of slot machines, force them into free game mode, or even empty them altogether. The MIT students’ team used pairs of blackjack players. One would play for low stakes but count cards without drawing any attention to himself. Halfway through the dealer’s card shoe, the player could tell how many aces and face cards were left in the shoe. If the shoe was “rich” with aces and face cards, making for higher winning probability, a signal would be given to the other member of the team, who would start betting heavily. With the odds thus tilted, the team made millions of dollars.
While not illegal, card counting can cause casinos heavy losses and “bring down the house.” Casinos are entitled to deny privilege to anybody, even if the only reason is that the person wins too often. To avoid such losses, casinos share information about known card counters to ensure that any card counter expelled from one casino in Atlantic City or Las Vegas cannot simply go to the next casino on the strip.7 With the advent of high-speed pattern recognition software, card counters’ faces can be captured by surveillance cameras and recognized automatically as they enter the casino, if they match the face of a known card counter in the database.8 Naturally, the most important part of the system is the information stored in the database. Cooperation between several of the world’s leading casinos means that a card counter would be recognized as soon as he or she entered any of the 140 casinos around the world that participated in the system in 2004.
Another example of data pooling is the joint activities of sixteen Scottish whisky distillers who decided to collaborate on preparedness for disasters and on security problems plaguing them all. In 2002, they hired a single security firm and reported all their theft data to it. The data revealed that all sixteen had consistent losses on one particular delivery route. But since the losses were all “below the radar”—that is, too small to engender insurance claims—the pattern did not surface without the collaboration.9
Other industries have formalized collaboration to avoid supply chain disruptions. The Critical Materials Council (CMC) monitors the semiconductor materials supply chain, watching for short- and long-term potential materials shortages.10 Sematech, a global consortium of semiconductor makers, created the CMC after a 1993 fire at a Sumitomo chemicals factory threatened 50 percent of the world’s supply of the black plastic used to encase silicon chips. The council also helped the industry rally its resources after a 2000 explosion at a Nisshin Chemical factory created a potential shortage of hydroxylamine, a specialty chemical needed for cleaning silicon wafers. The CMC assessed the impact on the integrated circuit manufacturing community and worked with hydroxylamine suppliers and other industry associations to ensure an adequate supply. The efforts resulted in other suppliers, including BASF and EKC, agreeing to increased production in order to make up for shortages.
The CMC models the myriad facets of the semiconductor and electronic component supply chains, with special emphasis on the raw materials, specialized chemicals, and equipment used to make semiconductors. The group created its own software package to analyze trends in the chip industry, including supplier capacity, supplier markets, product demand trends, business dynamics, and assumptions regarding the productivity of technology.
As part of monitoring twelve critical materials used by semiconductor makers, the council has, over the years, examined the impact of political instabilities in Zaire11 on the supply of cobalt; the potential need to develop new helium supplies in Russia; and the impact of changing manufacturing technologies on xenon gas supplies. Although the CMC works at the behest of the chip industry, the council looks at the impacts of other industries on critical supplies. For example, the 2000 shortage of tantalum was due to extremely high demand for small electronics (e.g., cellphones and PDAs) and was exacerbated by a simultaneous growth in demand for the metal by the aerospace and power plant industries.
The CMC does more than watch for potential shortages resulting from suppliers’ problems. It also looks at shifting patterns of R&D investment and capital expenditures to understand future material supply. For instance, as semiconductor manufacturing becomes more capital intensive and suppliers merge with each other, the CMC assesses the vulnerability of the industry that may result from a disruption at one of the decreasing number of suppliers, and it works to develop alternative sources of supply.
The consortium provides a venue for information-sharing between materials suppliers and materials customers (chip makers). Confidential workshops help members of the semiconductor industry share technological roadmaps, capacity investment decisions, and forecasts, helping all participants plan and avoid disruptions.
An employee-based “community watch” program enlists all the employees of a business to watch for and report security-related anomalies. Similarly, bringing together multiple companies in an industry to share data leverages the experience and resources of every member company.
Industry associations play a role similar to TAPA’s in many industries. The Toy Industry Association developed a comprehensive safety standard for toys; the American Chemistry Council developed Responsible Care, including a set of guidelines for handling chemical products from inception in the research laboratory through manufacturing and distribution to ultimate disposal; the Automotive Industry Action Group launched training in 2004 for crisis management and business recovery for its 850 members; UPS, FedEx, the USPS, and DHL, together with smaller parcel carriers, formed the Postal and Shipping Coordination Council, aiming to foster communications and quick response in the event of a large-scale disruption; and Limited Brands and Nike address common security issues through the Retail Industry Leaders’ Association (RILA).
In a fashion similar to the corporate-employee alignment created by internal safety and security programs, external collaboration also aligns corporate interests with those of the government, trading partners, and the community: The collaborative security dialogue often leads to other areas of collaboration.
Alan Fletcher, group manager for global operations and investigations at Target Stores, says that security concerns not only brought deeper collaboration between Target and its suppliers, they also served as the basis for initial collaboration between Target Stores and Wal-Mart, who are bitter rivals in the marketplace. He says, “One of the committees I have been working on is developing a ‘Best Practices’ guide for all shippers bringing merchandise into the U.S. The committee is made up of, for want of a better term, competitors who work together to design the guide for the rest of the industry.” Fletcher expects the standards not only to improve security but also to simplify work with all suppliers, forwarders, and customs officials.12
One of the fundamental differences between past conflicts and the war on terror is that with the latter, “the private sector is on the frontline of the homeland security effort: Its members are holders of information that may prove crucial to thwarting terror attacks; stewards of critical infrastructure that must be protected and dangerous materials that could be used to do harm; and important actors in responding to attacks.”13 Nowhere is the challenge more evident than in securing maritime commerce.
Every year, almost 12 million maritime containers pass through U.S. borders, on board more than 200,000 ships. Anonymous, ubiquitous, and carrying upward of 25 tons each, these containers move seamlessly, without being opened, from factories to trucks, to ships and trains, and ultimately to their final destinations throughout the United States. Although owners of the containers do have some information on where the containers are and where they are going, such operations-oriented information is not enough. To assess how secure these containers are, the needed information includes the containers’ histories: Where they have been, who handled them, and what has been in them. During the eight-year lifespan of a shipping container, it might have traveled to more than 100 different ports all over the globe from Addis Ababa, Jeddah, or Lagos to Montreal, Los Angeles, or New York, and it may have been handled by hundreds of operators. In the past, such information was not a concern; when a carrier needed to load a container, it simply picked the next empty box off the stack.
After 9/11, the vulnerability of the United States to container-based attacks became evident, as the Customs Service admitted that its inspectors examined fewer than 2 percent of the containers entering the United States. Containers could be used to transport bombs or to carry chemical weapons or radioactive materials. Or the shipment carried inside could be contaminated with biological agents.14
The devastating results of an explosion on board a ship at port were made evident in Halifax on December 6, 1917, when the Belgian relief ship Imo collided with the small French ship Mont Blanc, carrying a full cargo of explosives. The Mont Blanc exploded in the largest manmade blast before the nuclear age. The barrel of one of her cannons landed three and a half miles away and part of her anchor shank—which weighed more than half a ton—flew two miles in the opposite direction. More than 1,900 people were killed immediately and 9,000 more were injured, many permanently. Nearly 325 acres, including almost all of Halifax’s north end, were destroyed.15 The effects of a port explosion were also made evident on April 16, 1947, when a ship loaded with ammonium nitrate exploded in the port of Texas City. The explosion caused on-shore fires at chemical and other industrial plants, a devastating tidal wave, and two more ship explosions. The Texas City disaster caused 600 deaths and 3,500 injuries, representing a casualty rate of over 20 percent for the 16,000 residents of the city. One-third of the city’s houses were condemned as a result of the damage from the explosion and the fiery aftermath.
Containers have also been used by terrorist groups, especially Al Qaeda, to transport people as stowaways. On March 14, 2004, two suicide bombers entered the Israeli port of Ashdod in a container, and ten port workers lost their lives before the attackers were killed. And on October 18, 2001, a 43-year-old Egyptian stowaway named Amid Farid was caught at Italy’s Gioia Tauro port aboard the German vessel Ipex Emperor. He was comfortably installed in a container converted into a luxurious suite complete with a soft bed, a small kitchen, cellular telephones, and enough food, water, and batteries to last him three weeks.
Although container security occupies the minds of government officials, the majority of the international transportation infrastructure is in the hands of the private companies that own the shipments, containers, ships, railroads, trucks, and terminals around the world. Government agencies, therefore, need private cooperation in order to reduce the probability of terrorist attacks. And private companies need the benefits of the intelligence and enforcement resources owned by governments. Both public and private sectors need each other to secure trade lanes and infrastructure.
In addition to the large number of containers entering the United States every year, there are 12 million trucks, almost a million planes, and over two million cars entering the country annually. Searching each and every one of these conveyances is not practical. Relying on the principle of identifying outliers from existing patterns, the U.S. Bureau of Customs & Border Protection (CBP) has launched its C-TPAT (Customs-Trade Partnership against Terrorism) Program. C-TPAT invites companies to apply and become “known entities” to the CBP. Companies must pass a four-step certification process, after which they are entitled to reduced import inspections at the various ports of entry. This amounts to a significant advantage to C-TPAT certified companies, with estimated pass-through times of two to three days compared to 12 to 14 days for non-certified companies’ imports. The principle behind the system is that when shipments from a certified importer are transported by a trusted carrier, the probability that those shipments are suspect is much lower than for shipments from noncertified companies, and hence these shipments do not need to be checked as often.
C-TPAT is focused not only on each company’s security but on the security of its suppliers. It states that companies that apply for C-TPAT certification have to “develop and implement a program to enhance security throughout the supply chain in accordance with C-TPAT guidelines, and communicate C-TPAT guidelines to other companies in the supply chain and work toward building the guidelines into relationships with these companies.”16
To make sure that its processes do not hinder commercial activities, the U.S. government incorporated certain industry initiatives into its programs. For example, after 9/11, the government approved many of the TAPA certification processes as C-TPAT-compliant and built on the processes developed by the TAPA companies.17 As with TAPA, the key is collaboration. “From the agency side, what compelled the agency early on to take this route of C-TPAT is again a recognition of a need to get the private sector—just about anyone and everyone who moves something through the border—involved in the protection of the border alongside us,” said Robert Perez, of the Bureau of Customs and Border Protection and a director of C-TPAT.18 He then added, “The certified partners in this arrangement are afforded more efficient and predictable flow of goods—that’s a huge benefit for . . . everyone involved . . . and protection of their brand names and their product. I don’t think anyone wants their name associated with the next terrorist action in the United States.”
Although 9/11 sent a wake-up call for authorities about the deadly seriousness of container security, the war on narcotics trafficking has already driven long-running efforts to improve the security of ocean shipping. Companies in the Toy Industry Association (TIA) have a history of partnering with the government to prevent the use of toy shipments for smuggling drugs. Mattel was among the first companies to join the Business Anti-Smuggling Campaign (BASC).19 BASC works with 1,000 manufacturers in selected foreign countries to prevent the smuggling of drugs inside commercial goods. Such initiatives have shifted their focus and added efforts to prevent the import of dangerous materials as part of C-TPAT.20
To complement C-TPAT, the U.S. CBP has launched the Container Security Initiative (CSI), aimed at detecting and intercepting risky cargo before containers can reach U.S. ports where they can be detonated or activated. To this end, CSI mandates advance notice of the manifests of all shipments bound for U.S. ports 24 hours prior to loading. Each incoming container is then scored by various algorithms, which assess the shipper, consignee, payment methods, and the previous routing history of the container to come up with the potential threat posed by the shipment and the container itself. The program lets customs officials direct interdiction efforts to the highest-risk containers.
Such processes can be highly effective. For example, in 2001 German authorities complained to UPS, the giant parcel and logistics company, that drug seizures among German-bound UPS international shipments were an order of magnitude higher than drug seizures on other carriers. The German authorities were factually correct; what they did not account for was that UPS used its own scoring algorithms based on shipping documentation to identify international shipments that were likely to contain drugs. The information was then transmitted to the German Federal Customs Administration, which used the results to direct their searches, resulting in a very high rate of drug seizures.
In addition to mandating advanced shipping notices, CSI calls for changes at foreign ports—increasing the security of the facilities that store, handle, and load U.S.-bound goods. Based on mutual agreements with international ports, US CBP inspectors have been placed at participating foreign ports to help identify and interdict suspicious cargo and containers prior to loading and departure.21 This is analogous to quality control practices that are aimed at detecting defects early, before they become a significant problem.
As of February 2004, 5,500 companies were C-TPAT-certified, representing all aspects of the global supply chain—major U.S. importers, carriers, brokers, forwarders, foreign manufacturers, and terminal operators. Over 3,000 U.S. importers have joined CSI, representing approximately 40 percent of all goods imported into the United States by value. All of these C-TPAT partner companies have entered into agreements to work with CBP to implement specific security measures and best practices, in order to protect their supply chains, from the factory loading docks of their foreign vendors to their arrival in the United States.22
In many cases, cooperation between the government and the private sector is not part of any particular program. For example, CSX Railroad has its own security force that coordinates its effort routinely with local, state, and federal security personnel. This is the case with many of the companies interviewed by MIT for this study—their security personnel seem well connected with government security and law enforcement agencies—in part because these security personnel include many former employees of such government agencies.
An example of multiparty public-private joint operation takes place every week in the port of Boston. It starts with a short radio notice for all ships in Boston harbor that dangerous cargo is on the way. The dangerous cargo is about 35 million gallons of highly flammable liquefied natural gas (LNG) contained in a hulking tanker more than 900 feet long. As the tanker moves through the harbor and the narrow channel, it is turned by tug boats under the Tobin Bridge and towed into the Mystic River to its berth in Everett. This movement is coordinated by more than 40 federal, state, and local law and safety agencies, as well as private sector companies. A boarding party on deck works with a helicopter in the air, a police cruiser on the shore, and armed coast guard patrol boats and cutters front and aft to orchestrate the move, which requires shutting down operations at Logan Airport as the ship passes under the glide path. Similarly, the Tobin Bridge is closed to traffic as the ship is turned underneath.
But the operation itself is just the tip of the iceberg. The ships are built to the highest standards of structural soundness and manned by experienced crews. The Norwegian facility in which the crews train has developed special instruction sessions on the approaches to Boston Harbor and ways to deal with various disaster scenarios there. The loading takes place in Point Fortin in Trinidad, a facility that has been certified by the coast guard. Coast guard officers routinely ride with the ship from Trinidad to Boston—the high seas equivalent of air marshals.
Other programs developed in cooperation with private sector carriers and shippers in the United States include the following:
Free and Secure Trade (FAST) allows C-TPAT-qualified importers and carriers who use pre-screened drivers to move low-risk cargos freely at selected border crossings between the United States and Canada and the United States and Mexico.23
Operation Safe Commerce (OSC) funds business initiatives for developing security technologies. Much of the initial work has focused on the potential of incorporating radio frequency identification (RFID) tags in shipments and low-cost GPS receivers and wireless networking systems in containers to track shipments.
Smart and Secure Trade Lanes Initiative (SST) is an industry-driven supply chain security program. A combination of secure business processes and advanced technologies (anti-intrusion sensor devices and satellite tracking systems combined with a backbone of RFID technologies and networked software),24 it aims to provide end-to-end shipment visibility and security.25
The Maritime Transportation Security Act of 2002 (MTSA) requires vessels and port facilities to conduct vulnerability assessments and develop security plans that may include passenger, vehicle, and baggage-screening procedures; security patrols; establishing restricted areas; personnel identification procedures; access-control measures; and/or installation of surveillance equipment.
Like the United States, many countries and international organizations around the world have recognized the security threat posed by the movement of containers. Established in 1948, the International Maritime Organization (IMO) is a U.N. agency responsible for improving the safety and security of international shipping and preventing maritime pollution. It is the author of Safety of Life at Sea (SOLAS), the most important of all treaties dealing with maritime safety.26 Following 9/11, the IMO adopted amendments to SOLAS in the form of an International Ship and Port Facility Security (ISPS) Code, designed to parallel U.S. requirements, making these in essence world-wide standards. The ISPS Code requires ships on international voyages and the port facilities that serve them to conduct security assessment, develop a security plan, designate security officers, perform training and drills, and take appropriate preventive measures against security breaches. Vessels must carry the International Ship Security Certificate (ISSC) and may be denied entry into a port if they do not have a valid ISSC. Many of these requirements and conventions went into effect on June 1, 2004.
The World Customs Organization (WCO) is an independent, intergovernmental body with 164 member countries. In December 2004, the WCO accepted the first draft Framework of Standards to Secure and Facilitate Global Trade, based on the following principles:
harmonizing advance electronic manifest information among all member countries to allow a common and consistent risk assessment
using non-intrusive detection equipment to effect examinations
focusing on the accrual of benefits to nations, customs and business
In a fashion similar to the US C-TPAT and CSI initiatives, the WCO convention allows for companies that fulfill their criteria to be classified as “authorized traders” and receive tangible benefits, such as faster movement of low-risk cargo through Customs.
The European Commission introduced in July 2003 a series of measures to address security issues and manage the European Union’s external borders based on a harmonized risk assessment system. The commission proposed a number of measures to tighten security around goods crossing international borders, which are similar in nature to the C-TPAT and CSI and the SOLAS/ISPS and WCO initiatives and standards. It requires information on goods prior to import or export from the European Union; it provides reliable traders with trade facilitation measures under the “Authorized Economic Operator” program; and it introduced a mechanism for setting uniform community risk-selection criteria for controls, supported by computerized systems.
The Asian Counter Terrorism Task Force, begun in October 2002 by the Asia-Pacific Economic Cooperation (APEC) organization, is a similar initiative to secure and enhance the flow of goods and people and to protect cargo, ships, international aviation and people in transit throughout the Asian trade corridors. The program follows similar U.S., E.U., and international guidelines. It calls for identifying and examining high-risk containers, requiring provision of advance electronic information on container content to customs, port, and shipping officials as early as possible in the supply chain, while taking into consideration the facilitation of legitimate trade. The APEC August 2004 Private Sector Security Guidelines provide voluntary standards for supply chain security.
Unfortunately, the December 26, 2004, tsunami served as a sad example of the consequences of the failure to establish international collaboration and cooperation processes. The tidal wave, resulting from a huge undersea quake in the Indian Ocean, took hours to reach certain parts of Asia and many more hours to reach Africa. Even though they had time, the affected countries had no monitoring or detection systems in place (see chapter 9), resulting in massive loss of life, property, and infrastructure. But other countries knew of the impending disaster.
The Japanese main earthquake observatory detected the quake and alerted its emergency-management system. That system ascertained within minutes that Japan faced no tsunami risk. Japanese officials didn’t do much else with the information.
An Australian seismology officer in Canberra detected the quake and predicted a tsunami only 30 minutes after the quake. He sent warnings to Australia’s national emergency system and the foreign ministry, but no messages were given to foreign governments “for fear of overstepping diplomatic protocol.”27 Had a formal process been established between first responders, or communication networks established among the appropriate emergency management agencies of the countries involved, the death toll might have been significantly lower.
Collaboration is a crucial requirement in the effort to secure shipment custody across supply chains that span many companies all around the globe. Suppliers, carriers, customers, port operators, and the government all have a stake in avoiding disruptions. Cooperation ensures a layered defense by instituting multiple checks of shipments while they are variously in the custody of the shipper, the logistics company, the port operator, or the consignee, using diverse government agencies in the process to enforce safe practices and secure trade lanes.
Industry associations create opportunities for benchmarking and adopting security processes that work well in each industry. They also facilitate security problem-solving at the system level, unlike the efforts of a single company that may only shift vulnerability rather than increase all partners’ security.
Even before the Department of Homeland Security (DHS) was created in the United States, an advisory council of leaders from business, academia, and state and local governments was established by an executive order on March 21, 2002. Its members have been meeting monthly to advise the White House on how to strengthen domestic security and how to engage the private sector with all levels of government on this issue. The council was headed by Joseph Grano Jr., chairman and CEO of PaineWebber and a Special Forces veteran.28
The U.S. government’s efforts in fighting terrorism are focused on two fronts: (i) disruption of terrorist activities overseas (through the overthrow of the Taliban in Afghanistan, the war in Iraq, and many clandestine operations around the world), and (ii) increasing security at home, including supply chain security. Another element of preparedness, however, is not yet getting the same attention from the government. This element is resilience—developing the capability to recover quickly after an attack.
In July 2004, the U.S. Department of Agriculture received an anonymous e-mail that containers of Argentine lemons loaded on the New Jersey-bound CSAV29 container ship Rio Puelo were contaminated with a “harmful biological substance.” Dozens of federal, state, and local agencies sprang into action and the Coast Guard boarded the ship on July 29 at the Ambrose Anchorage, 11 miles out of New York harbor. It took over a week for everybody involved to agree that there was no contamination and the ship could proceed to its destination at Port Elizabeth. By then all the lemons had rotted.
The government actions in this incident raised alarms in the maritime shipping community. They demonstrated to vessel and port operators that the government has not yet balanced the commercial needs of the nation with its security needs and may be “overreacting” to threats, leaving to imagination the extent of “overreaction” following an actual port incident. The incident highlighted the fact that while the government does security, it does not do resilience. In other words, most of the government’s effort is directed toward thwarting a terrorist attack. “The problem is that the U.S. government has not worked out protocols for how to restart the trade and transportation system after an event. That’s the reality,”30 said Steve Flynn, senior fellow at the Council on Foreign Relations and author of the excellent 2004 book America the Vulnerable.31 If the government were to close the nation’s ports after finding a lethal cargo, for example, or even following a port explosion, the economic damage could be incalculable without clear reopening procedures. Developing such procedures will require another cooperative public-private effort. It may even involve a part of the government dedicated to “getting back to business” in addition to the Department of Homeland Security.