Recently Senator Jay Rockefeller (D-WV) who has been seeking improved security procedures to better protect against biological and chemical threats, reportedly, said it is “crucial we determine which pathways into America pose the highest risk of biological and chemical weapons, release and use the most cutting edge, proven technologies for interdiction.”

Former Congressman Bilirakis (R-FL) also shares these sentiments and recently stated that, “maritime security is a very real concern and escalating problem. Both the Congress and Senate need to prioritize their efforts to address this issue and find a viable solution for what are, apparent gaps in Homeland Security. Billions of dollars of taxpayer funds have already been spent on failed efforts and technology that do not provide a solution. Congress needs to get behind cutting edge technologies that can improve National Security.”

One of the first to publicly speak out on the matter was Senator Frank R.Lautenberg (D-NJ). Senator Lautenberg had brought forth a bill to protect seaports by screening 100 percent of all cargo containers entering the United States. This, in response to and after the Bush Administration admitted to Senator Lautenberg that it will miss a deadline to screen 100 percent of the nation’s cargo for radiological and nuclear weapons. Their bill would, for the first time, create minimum-security standards for all containers entering the United States. “If we can screen every passenger who boards an airplane, we can screen every cargo container that enters our ports,” said Senator Lautenberg. “Screening only one container out of twenty is a recipe for disaster. My amendment will protect our nation by ensuring that each and every container is scanned before it even leaves its port of origin.”

“It’s a simple expression of frustration to a not so simple problem,” stated James Wishart, President of GateKeeper USA. ”While it is apparent that billions of dollars have been spent, what’s not obvious is the protection that amount of money should have bought. “There are technology and solutions that exist now. Getting someone in Washington DC to pay attention seems to be the problem.” continued Mr. Wishart. CAMS (Container Automated Monitoring System) offered by GateKeeper USA, Inc., offers real solutions to real problems that continue to concern America and its allies.

GateKeeper USA’s management plans to meet with several members of the Senate and Congress, in the weeks to come, in order to discuss a viable solution that can insure 100% screening of all cargo containers entering the United States. The Honorable Mr. Bilirakis is assisting the management in these efforts in an advisory capacity to GateKeeper USA.

”While new (RFID) technology seems likely to” “become a fiasco if officials don’t pay attention to the work of hackers and security researchers. These people try to expose weaknesses before they can be exploited maliciously. It’s much less painful to swallow the news from them than to wait until a problem becomes embarrassing — or devastating.”

In a paper co-authored with staff at the University of Washington and internet security firm RSA, the team detailed how the RFID chips can be cloned from distances of up to 50 metres. They also found that a key anti-cloning technique recommended by the Department of Homeland Security (DHS) had not been used on the tags.

Hackers can use an ordinary laptop computer to clone information on RFID tags and even “smart cards” and reprogram them.

The problem is a serious one, the conclusion that a single RFID based one approach is the sole solution is, in almost every case, flawed. The solution must involve a new set of technologies with enhanced, well thought out security protocols.

“We are not going to continue to invest and have suspended operations,” a spokeswoman for GE’s Security business tells TR2 regarding the company’s decision to halt work on CommerceGuard. “We will retain our ability to produce CommerceGuard.”

CommerceGuard is a device that is mounted inside the doors of shipping and trucking containers and can record unauthorized door openings. At key points along a supply chain, such as a seaport or land point of entry, radio frequency identification readers communicate with CommerceGuard and any event information is relayed to a command center regarding the door opening events. There has been interest in this technology by the Department of Homeland Security (DHS) and private industry for security and even quality control reasons.

At one time DHS’ Customs and Border Protection agency felt that if the container security devices worked with a very low false alarm rate, that would mean users might test expedited processing at ports of entry for quicker passage to their destinations inside the U.S. Later CBP decided that it would seek a more capable type of security device, one that could also detect tampering with any side of the container including the doors. Then in late 2007 CBP decided to focus efforts again on detecting unauthorized door openings using container security device (TR2, Jan. 9, 2008).

Early this year CBP was going to conduct a field evaluation of CommerceGuard on a sea container carried by an 18 wheel truck during a cargo trip from a supplier in Mexico into the U.S. After completing site surveys
for the RFID infrastructure and making all the necessary contacts, GE in January withdrew from the evaluation, Patrick Simmons, director of Non-Intrusive Inspection Technologies at CBP, tells TR2.

Simmons said he didn’t know why GE withdrew from the program. GE is the only company CBP has been working with the past few years and has twice previously tested the system to help move the technology forward so that it could meet the agency’s performance requirements, he says. The earlier tests were focused on things like vulnerabilities and false alarm rates, he says.

However, Simmons says the evaluation that GE pulled out of was to be a crucial test for the system to see if it was adequate as an interim solution for a part of the container security problem. CBP published a requirements document for CSDs in 2007 and CommerceGuard was the only solution that appeared to meet all the requirements, Simmons says. Still a demonstration of CommerceGuard inthe “stream of commerce” would be necessary before deciding if it could be the “potential stopgap” until better technology came along, he says.

Since the first test in 2004 run by CBP, CommerceGuard’s capabilities kept improving, Simmons says. Where it had been falling short had been in the communications, specifically sending data back to CBP and achieving
interoperability with other communications systems, he says.

Relatively high costs associated with the system have also been a challenge, Simmons says. While the business model has assumed that shippers would pay a service fee for using the device, Simmons says the trade community hasn’t embraced it, which could be due to additional security-related charges that industry has been paying since 9/11.

If the test GE pulled out of had ultimately showed that CommerceGuard was sufficient to meet the minimal requirements, then CBP would have considered establishing incentives in the trade community to adopt the CSD technology, Simmons says. These may have included “extra consideration” at the border, although not a “green lane,” he says. Another incentive might be making it a requirement for members achieving a certain level within the Customs-Trade Partnership Against Terrorism (C-TPAT) program, he says.

C-TPAT is a voluntary program that allows members of the trade community, typically shippers, importers, freight consolidators and others, to take specific measures to improve the security of the supply chain in return for benefits such as expedited processing for shipments entering the U.S.

Simmons says that another challenge in creating CSDs has been having the devices fit onto both standard shipping and trucking containers. CBP originally looked at the devices to better secure shipping containers but evolved its thinking towards having a “conveyance security device,” he says. “This is
not an easy fix,” he says.

GE has had several customers using CommerceGuard in limited applications, including Starbucks Coffee Co. If any, or all, of those customers are still using the container security device, they’ll being doing so without GE’s help.

“I do not have any comment on customers, like Starbucks, other than we have suspended our operations,” the company spokeswoman says.

CBP will be reviewing its options but will basically be going back out to see what is available in the market space for CSDs, Simmons says.

DHS’ Science and Technology branch currently is working with vendors to advance the development of CSD technology.

Context of concern
Powers International, an international transportation security company, developed a container security system in 2002 (see Cargo Security International, February/March 2006, page 40). It obtained a patent on its system in 2006 which has now been issued in 37 countries. Initially, the company believed that radio frequency identification (RFID) technology approved by the Federal Communications Commission (FCC) for use with shipping containers should be considered for incorporation into Powers International’s satellite based

Vulnerability as an IED trigger
Recently, however, concerns about RFID usage in seaports and land ports have developed. Engineers at Powers International now believe that RFID usage, as approved for use in the United States, is a serious vulnerability because of the ease of detecting these RFID system. emissions. RFID emissions can serve as the trigger-mechanism for detonating an explosive device within the container. Because an explosive device can be easily wired to detonate with the proper RFID frequency signal, all US ports that employ the approved RFID frequency for shipping containers become more vulnerable to terrorist attack.

A review of the literature seemed to confirm what was suspected. There were conflicting claims and the process of selecting a frequency for container security was contentious. Ultimately, a decision was made by the FCC to set aside a frequency of 433.5 to 434.5 MHz spectrum band, and their rule would allow these RFID systems to transmit for 60 seconds, rather than only 1 second. Against objections, especially those of the amateur radio sector, the spectrum and transmission time were approved by the FCC for use with shipping containers and in commercial and industrial areas.

As a result, the US government mandated and published the specific frequency for RFID use with shipping containers. The fact that only approved and published RFID signals are required to be transmitted on a given frequency at US ports by both the private and public sectors, in effect, makes government policy usable as an instrument of terrorist s tactics. The need for surreptitious port penetrations, elaborate electronics, intricate timing, or other specialised terrorist tradecraft or operations in the United States becomes diminished, if not eliminated. The US private sector and government agencies, such as the Customs and Border Protection (CBP), and the Department of Defense (DoD), can themselves, through routine and normal procedures, detonate those explosive devices carried in containers entering our ports.

Decision to test
To test the validity of its concerns, Powers International constructed controller boards to serve as relays or detonators using off-the-shelf, over-the-counter products. Using these detonators, Powers International simulated multiple explosions at varying distances using the frequency required by the US government. Further work on this vulnerability revealed that signals emitted to detonate explosive devices could be made at significant distances from locations even outside the port facilities with the use of high-gain antennas. However, since Powers International had not used an actual RFID tag to verify its concerns nor actually detonated explosives in this manner, the company approached experts in the area of IEDs and relevant government agencies to examine these concerns. These included municipal bomb squads, and engineers with blast contracts with the DHS, the DoD and the CBP. All but the DoD, DHS, and CBP initially responded and concurred with Powers International’s assessment that RFID usage as approved for containers in US ports appears to be dangerous. Powers International also contacted members of the US House Homeland Security Committee to inform them of our concerns and to be on record of doing so.

Blast demonstration
In order to expose this vulnerability in an irrefutable fashion and transparent format, Powers International and Raytheon Homeland Security Division, with the cooperation of Zapata Engineering, the University of North Carolina at Charlotte College of Engineering, the City of Gastonia Bomb Squad, and the 321 Equipment Co., ran a demonstration on 13 November 2007. The demonstration showed how an actual RFID tag could send a signal to a receiving circuit (detonator) prepared from over-the-counter components. The detonator was made by an undergraduate college student for a cost of approximately $20. The RFID signal detonated a very small amount of live explosives in a container by means of a simple emission of a radio signal traveling on the approved RFID frequency. The demonstration was ‘brand agnostic’. At no time during the demonstration was any port, political subdivision, manufacturer, distributor, or user of RFID for container security promoted or criticised for its use.

Government interest and support
Because of the serious and potentially controversial nature of this demonstration, many government officials and personnel of the US Administration were invited, including the DoD. Due to its interest in and extensive use of RFID, the DoD sent two people, the chief engineer of an RFID DoD programme and his supervisor. So, representatives from the US Army were among the attendees at the 13 November event. They observed the preparation and demonstration of an RF-detection and triggering device utilised to detonate explosives in a shipping container at the City of Gastonia Ordinance Range. Subsequently, the US Army confirmed in writing that its representatives examined the device and wiring and validated that a commercial RFID interrogator was used to ‘wake up’ a commercial RFID tag. When the RFID tag responded on the 433 MHz frequency, the relay closed and the blasting cap set off the explosive charge. Thus, the DoD representatives recognised and confirmed the validity of Powers International’s concern over the routine RFID use, its vulnerable nature, and the accuracy and relevance of the demonstration to homeland security. In the DoD’s own words, the
“US Army representatives examined the device and wiring and confirm that a commercial RFID interrogator was use to ‘wake up’ a commercial RFID tag. When the RFID tag responded on the 433 MHz frequency, the relay closed and the blasting cap set off the explosive charge.” Other witnesses were invited to attend and verify the process used at, and the results obtained from, the demonstration. The demonstration was filmed and is available for review. The demonstration was 100% successful, and it showed empirically the vulnerability of RFID transmissions as approved for use with containers passing through international ports-of-entry.

Governmental responses
Unfortunately, Powers International met resistance from both the DHS and the CBP, who refused to attend or to indicate any recognition of the demonstration’s value, even though both had local offices and personnel within 20 minutes of the demonstration site. The CBP actually attempted to put obstacles in the path of the demonstration by not allowing its transceiver or activators to be used at the demonstration, even by their own personnel. Ten major US ports and the American Association of Port Authorities (AAPA) were also invited. None of these entities responded or attended. The US Coast Guard (USCG) refused to at tend. The Government Accountability Office (GAO) was invited but did not respond to the invitation nor attend. A total of approximately 50 invitations were sent with marginal results. Finally, invitations were made to some members of US Congress in those states which have seaports. Only one staff member of one US Congressional representative attended. There were, however, followup calls made by a southern border Congressman, personally indicating an interest in and an acknowledgment of the importance of the demonstration.

Conclusion and recommendation
First, this demonstration proved beyond doubt that RFID usage can become a trigger of container IEDs in our ports. Second, this demonstration produced agreement among those present that because this vulnerability is real, it must be recognised by those government entities whose mission it is to protect the United States. Pointing out the vulnerability was relatively easy. Fixing it may be more difficult.

Nevertheless, this vulnerability is proven, and must be addressed without delay. In light of the potential impact on the US economy of closing one or more US seaports or land ports-of-entry and the cost of human life at and around those ports, it seems imperative that cooperative steps be taken by both the public and private sector to remove or minimise this recognised, demonstrable vulnerability and potential threat to the
United States.

In January 2008, two months after the demonstration, the DHS made an official statement regarding it. It is self-explanatory and represents the thinking and management posture of the DHS:

DHS recognises and benefits from the use of RFID technology to ensure the smooth and secure movement of both people and cargo into the United States. It is accurate that RFID systems are in use at US ports of entry (air, sea and land) and have been adopted by a number of private-sector companies for supply chain management, asset and shipment tracking and inventory purposes. While RFID systems used in maritime ports rely upon a variety of transmission frequencies for port and terminals operations, there is currently no one common RFID frequency in use throughout the global supply chain.

While it is technically feasible that the detection of RFID emissions could be used to trigger an explosive device within a container, DHS does not agree with the report’s assessment that ports that employ RFID technology become more vulnerable to terrorist attack.

The DHS admits in writing that using this frequency to trigger an explosive device is technically feasible (capable of being carried out) but we shouldn’t worry about it. The logic is indicative of the DHS. It seems that DHS is saying: “We know this can happen, but let’s wait until it happens.”

Authored by Dr. Jim Giermanski, Professor of International Business and Director of the Centre for Global Commerce at Belmont Abbey College. He is also Chairman of the Board of Powers International Inc., an international transportation security company. Originally published in October/November 2008 issue of Cargo Security International.

In January 2009, Customs and Border Protection (CBP) will conduct a pilot program to test a type of container security device (CSD) used to make containers smart. The test will take place with containers crossing the border into the United States from Mexico. That sounds like a good thing. A deeper look will suggest something else.

It is truly incredible that container security as the U.S. government sees it, that is, as the Department of Homeland Security (DHS) and the Department of Defense (DOD) see it, seems to be focused on Radio Frequency Identification (RFID), probably the worst technology for that use. It also seems that, in spite of all the money available to these two giant agencies, and the research entities used by them or could used by them, they seem to have little appreciation for the value of not just smart container usage, but also CSD technology. I hope in this short treatment of two CSD technologies, that the reader will see the stark differences between RFID and Satellite Communications technology. I will take the essential and specific elements of each and make a comparison.

RFID
RFID is a radio frequency based technology. As such, it is regulated by the Federal Communications Commission (FCC). The FCC has decided that for container security, certain frequencies must, not should, but must be used. These frequencies are published. Anyone who desires to transmit or receive these signals can do so by purchasing an off-the-shelf transmitter and receiver. Without getting into the difference between active and passive RFID, the essential issue is that its use requires the transmission and reception of a radio frequency (RF) signal. The FCC also specifies the strength or amplitude of that signal, and the duration of that signal. All of this information is publicly available.

1. RFID Benefits
   In general, RFID has been in use for a long time. Its hardware and its application in certain environments are hallmarks of efficiency and effectiveness in the control of handling and warehousing products, specifically in conditions and settings where antennas and transponders, and environmental conditions are controllable. Bar-coding, pallet control, and item-control such as that used by retailers in attaching RFID tags to garments, electronic equipment boxes, and other selected products are a few examples. In these settings, the RF frequencies are the same and are used in the same way a very good profitable application of RFID.
2. RFID Weaknesses
   While its benefits in controlled environments are obvious, its weaknesses in container security within a global supply chain are just as obvious. The very nature of a global supply chain brings lack of control, the antithetical condition of effective and efficient usage. Its application to international transportation across the U.S. land border with Canada and Mexico was tested by the government in the mid 1990s with the involvement the U.S. Department of Transportation (USDOT) and U.S. Customs (now Customs and Border Protection, an agency of the Department of Homeland Security). The test was called the North American Trade Automation Prototype (NATAP) and it took place at six of our U.S. land ports. As a participant in the NATAP test along the southern border, this writer can state unequivocally that the test failed, both because of institutional and RFID-technology reasons.

   a) Infrastructure Access, Maintenance, and Costs
   With containers, there is a fundamental requirement: antennas at fixed locations. There is a need for physical infrastructure and equipment on the ground, either fixed, or handheld. Handheld transceivers bring in the human element with the resulting higher costs, damage, maintenance, or loss. Regardless, they are needed so when changes in the container status are, they can be transmitted by RF signals when, and only when, the container is interrogated by a transceiver physically positioned or used in the case of handhelds. somewhere along the global supply chain. The fixed transceiver, through an antenna, sends the triggering frequency, which carries a request for a return transmission of any change of status of the container since the last time it passed an antenna and transceiver. The message could be that the container was breached somewhere in-route.

   Since the transmission of these data is by radio frequency, the successful transmission is subject to not only the use of government-approved frequencies or waves, but also the absence of distortion like noise or same-frequency emissions from competing antennas whose direction (footprint) unintentionally or intentionally obstructs or interferes with the intended RFID transmissions of the intended transponder. Thus, so far there are some very clear weaknesses: first, the need to own or lease property to place an antenna; second the absence of interfering RF signals which cannot be guaranteed; and third the historical nature of what information is transmitted, a very critical weakness. For instance, the last place one wants to learn that the container was surreptitiously accessed and an explosive device placed in it destined for the United States is at the foreign port of departure or at the U.S. port of arrival since these ports are where most of the transmissions take place. Finally, all these multiple antennas and transponders at fixed sites must first be permitted to be installed and then must be maintained and functional.

   b) Frequencies and Protocols
   There are no global standards for frequencies or protocols. Protocols are basically the instructions on how the messages are transmitted over a certain frequency or carrier of the message. Imagine the lack of standardized instructions for a container and its transponder on a global voyage, i.e. China to South Africa to Europe and then to the U.S. Different regions will have different standards. There are national standards like ANSI (American National Standards Institute), international standards like ISO (International Organization for Standardization), and industrial standards like EPC (EPCglobal, Inc. which alone is in about 100 countries).

   For instance, RFID frequencies on which the data ride in the United States will not work in another part of the world. The foreign transceiver cannot trigger the data transmission because the U.S. may use a different frequency or protocol. Therefore, RFID for container security is applicable only to those areas of the world which have agreed on the same frequency. This weakness is in addition to the corresponding need for a land-based infrastructure of antennas and readers. Unlike RFID tags used in products and pallets that are read in controlled distribution systems, active RFID devices in containers that move around the world through uncontrolled environments, require the construction of antennas at global chokepoints where containers are interrogated. Who determines the number and location of these points?

   Constructing a controlled distribution path globally is really impossible. Typically, chokepoints are locations where readers could be positioned that cannot be avoided by the carrier of the container. They include the spot where a truck is loaded or unloaded, on a crane that transfers containers, a weigh station, the port of loading, or at the port of discharge. Only for these obvious chokepoints at origin and destination, is a land-based system a reasonable option. In areas along the route of the container’s movement, a land-based system is virtually impossible to establish.

   c) The IED Connection
   Recently, concerns about RFID usage as a vulnerability at seaports and land ports have surfaced, suggesting that the use of RFID can constitute an Improvised Explosive Device (IED). In fact, it is true that RFID emissions can serve as the trigger-mechanism for detonating an explosive device within the container. Because an explosive device can be easily wired to detonate with the proper RFID frequency signal at any of our nation’s seaports and land ports, all out nation’s ports that employ the approved RFID frequency for shipping containers become more vulnerable to terrorist attack.

   To verify this vulnerability, in November 2007 a Southern city’s police department’s bomb squad, and three business firms connected to RFID usage demonstrated how RFID can be employed for that purpose. The demonstration was 100% successful, and it showed empirically the vulnerability of RFID transmissions as approved for use with containers passing through our international ports-of-entry. Present at that demonstration were representatives of the Department of Defense. In DOD’s own words, the U.S. Army representatives examined the device and wiring and confirm that a commercial RFID interrogator was use to ‘wake up’ a commercial RFID tag. When the RFID tag responded on the 433 MHz frequency, the relay closed and the blasting cap set off the explosive charge.

   Months later DHS responded to the demo:
   DHS recognizes and benefits from the use of RFID technology to ensure the smooth and secure movement of both people and cargo into the United States. It is accurate that RFID systems are in use at U.S. ports of entry (air, sea and land) and have been adopted by a number of private-sector companies for supply chain management, asset and shipment tracking and inventory purposes. While RFID system used in maritime ports rely upon a variety of transmission frequencies for port and terminals operations, there is currently no one common RFID frequency in use throughout the global supply chain.

   While it is technically feasible that the detection of RFID emissions could be used to trigger an explosive device within a container, DHS does not agree with the report’s assessment that ports that employ RFID technology become more vulnerable to terrorist attack.

   DHS admits in writing that using the FCC-approved frequency for shipping containers as a trigger mechanism for detonating an explosive device is technically feasible (capable of being carried out). In summary, the weaknesses of RFID use in container security are linked to significant problems:
   1. The acquisition of or access to real property;
   2. The cost of installing fixed antennas and transceivers;
   3. The maintenance of these fixed sites;
   4. The absence of a common global frequency;
   5. The existence of diverse RF protocols;
   6. The age of data transmitted ( distance between choke points); and
   7. Its use as and IED.

Satellite and Tracking Communications
In general, there are two broad categories of satellite systems. The first and most widely known is geostationary or high-orbit satellites in equatorial orbit that appear to be stationary. Geostationary or geosynchronous satellites are approximately 36,000 kilometers or 23,320 miles above the Earth and rotate along with the earth. The second category is a low-earth-orbit (LEO) system which consists of satellites approximately 800 kilometers or 496 miles above the earth; these do not rotate with the earth. Both LEO and geosynchronous systems offer tracking and communications throughout a supply chain.

1. Satellite Benefits
   Smart containers and their CSDs using satellite tracking and communications can provide a virtual chain of custody from foreign origin to U.S. destination. The container can send information and data in real time or close to real time 24 hours per day, 7 days a week. Messages from to and from the container can be simultaneously sent to multiple links in that chain, importer, exporter, carrier, or government agency. Unauthorized access into the container can be detected and reported as it happens. Diversions of the container can be detected, to include the container’s reporting of its own hijacking. Identification of the person supervising its stuffing, verifying contents and arming the container’s satellite security system at origin will be recorded. The identity of the person authorized to open the container at destination will also be recorded and included in all the electronic records of the container’s movement. Satellite equipped containers not only can utilize these sensors and transmit immediately what was detected, but also send signals to make changes like temperature adjustments in the container as the need arises. Satellite applications even allow for remote unlocking of the doors.

   Perhaps the best way to summarize its benefits is in relationship to the weaknesses of RFID smart containers. First, there is no need to acquire infrastructure for antennas or transceivers. Second, there is no need to install that infrastructure and equipment at these points around the world. Third, since there are no land-locked, global chokepoints, there is no need for their maintenance. Fourth, there is no concern for a common global frequency for transmissions. A single satellite provider can accommodate all transmissions in the licensed areas worldwide. Fifth, there is no need to have common global protocols. Sixth, all transmissions are in real time or close to real time and are not historical and delayed as with RFID. In other words, one knows about an unauthorized access to the container at the time it happens and before it arrives at the port of departure. Seventh, and probably most significant, it does not serve as a potential IED since it is not equivalent to random RF emissions. Instead, it is a programmed transmission within an established system for which there is a method of defeating its use as an IED transmission.

2. Satellite Weaknesses
   There are very few, if any weaknesses especially compared to RFID. Perhaps one most commonly pointed out is that to transmit globally, one needs a license from the countries over which the satellite transmits. This has not been shown to be a significant weakness. For instance Iridium can just about transmit in over every international trade lane. Another weakness is its inability to transmit from dead spots like below deck in the vessel. The fact is, it can if the carrier cooperates and joins with the shipper in providing the technology to do so. It is a matter of cost, not capability.

The Mystery
There cannot be any serious comparison between RFID container applications and container Satellite tracking and communications applications. In every way satellite is superior. Yet government agencies like DHS and DOD continue to use and/or approve RFID for container control in a global supply chain, knowing that it can even serve as an IED. They do so at a time when the other trading nations of the world are developing satellite systems for container security. Just recently China began movement to test container satellite security systems, and it is rumored that China may even ban RFID for container security at its ports. The EU has instituted a special program called the Seventh Framework Program, a major component of which is to test and evaluate satellite container security systems

Yet, in January 2009, CBP on behalf of the OFO-INDUSTRY PARTNERSHIP will conduct their field test of only a single source provider (GE) of radio frequency CSDs with shipping containers crossing the U.S. Mexican border. It does this while knowing the failure of RFID usage in the North American Trade Prototype tests done in the mid 1990s. It has excluded other technology and is testing a sole-source RFID system only, even though a firm employing a container satellite system has offered to participate in the pilot at only the cost of some travel and the cost of the container satellite units needed for and utilized in the field test. The satellite security firm would provide volunteer C-TPAT certified Mexican shippers and carriers without cost to the pilot or CBP. Yet, there has been no response by CBP to the offering of a head-to-head comparison of RFID and Satellite, this in the face of Mexicos own interests in seeing a satellite container security system, and at the official request in writing of a member of the U.S. House of Representatives to modify the pilot by accommodating the request of the satellite security system firm.

Does CBP really not want to know what other systems can do? Is its choice of a single-source product political? If not political, did CBP not know of the differences between RFID and Satellite? Does not CBP know of the movements in the EU, and China in recognizing the obvious superiority of satellite monitoring and control? Certainly, CBP knows of GMs Onstar capabilities with automobiles. Or can it not relate the concept of Onstar and container security? It is a mystery to many in and out of Congress why CBP does what it does, or fails to do what it should in the area of container security. It is clearly behind the rest of the trading world in this regard. There is certainly a challenge for the new Administration to improve CBPs level of awareness in this area.

Wal-Mart and Target are just two of the giants discussed in the literature. Recently, an A. T. Kearney report entitled Smart Boxes lauded the potential and actual use of RFID for certain supply chain applications.

However, the application of RFID to container security and port security is less laudable, less effective, more costly, and certainly questionable as a primary means of international transportation security for containers. RFID applications, whether active or passive, have very clear weaknesses and impediments to usage in a world-wide context. The impediments are these: the absence of agreement on RFID world-wide standards; its land-based character; and the rights to acquisition, cost, and control of required RFID infrastructure.

Protocols and standards
RFID applications require the carriage and transmission of data through a wireless system. Data can be loaded into a device called a transponder, and can then be transmitted via radio waves when the transponder is triggered by a corresponding device called a transceiver or reader. The transponder is a slave RFID unit that reacts to a triggering radio frequency message from the master transceiver. The transceiver, through its antenna, sends the triggering frequency, which produces a return transmission of the data pre-loaded into the transponder like manifest or shipping data or information acquired by the RFID device like the opening of the container door. Since the transmission of these data is by electromagnetic waves, the successful transmission is subject to the use of the proper frequencies or waves and the absence of distortion like noise or same-frequency emissions from competing antennas whose direction (footprint) unintentionally or intentionally obstructs or interferes with the intended RFID transmissions of the intended transponder.

In order for the transponder and reader to talk to each other, they need to speak in the same way. In other words, they must follow a protocol or a set of instructions. While no analogy is perfect, assume it is something like one person speaking Spanish and the other English and at different speeds, with different volumes, and both talking at the same time. In our analogy, protocols tell each person (in the real world, the container and the reader) when to start and stop, what language to use, how fast to talk etc. Unless the instructions are clear to each, communication may not take place. There are no global protocols or standards, however. Imagine the lack of standardized instructions for a container and its transponder on a global voyage: different regions will have different standards.

There are national standards like those from the American National Standards Institute (ANSI), international standards from the International Organization for Standardization (ISO), and industrial standards like the Electronic Product Code (EPC) from EPCglobal Inc. ISO has 12 standards related to RFID. In other words, until there is some universal or global protocol or set of instructions, RFID usage on shipping container security is unlikely.

Frequencies, too, have different bands, like low, intermediate, and high. Each band is more appropriate for unique usage. For instance, low-frequency RFID is used for short to medium distances, low speed, and simple applications such as access controls. Intermediate frequency bands can also be used for access control also but offer a little faster read speed. High-frequency RFID is used for fast read speeds and if the specific standard allows high wattage output, longer range can be obtained.

The major problem is the frequency approved for use by different governments. Like protocols, RFID approved frequencies differ globally. Thus, RFID on which the data ride in the United States will not work in another part of the world. The foreign transceiver cannot trigger the data transmission because the US may use a different frequency. For example, the United States Federal Communications Commission (FCC) issued a final rule effective on 23 June 2004 that only 433 MHz RFID systems can be used for commercial shipping containers. Likewise, other countries in other RFID frequency regions have approved different frequencies for different uses. Therefore, RFID for container security is applicable only to those areas of the world which have agreed on the same frequency for the same usage, precluding a standardized global use of RFID for shipping containers.

Land-based character
In addition to the frequency problem exemplified by a lack of world-wide standardisation, an equally troublesome area for RFID usage in container security is the overland movement of containers and the corresponding creation of a landbased infrastructure of antennas and readers. Unlike RFID tags used in products and pallets which are read in controlled distribution systems, active RFID devices in containers which move around the world through uncontrolled environments require the construction of antennas at chokepoints (those points along the journey of the container which cannot be circumvented by the carrier). Constructing a controlled distribution path globally is really impossible. The A.T. Kearney report defines chokepoint location this way: ‘Chokepoints where readers might be positioned include the spot where a truck is loaded or unloaded, on a crane that transfers containers, a weigh station, the port of loading, or at the port of discharge.’ Only for these obvious chokepoints, at origin and destination, is a land-based system a reasonable option.

RFID generally requires line-of-sight transmissions. In the case of container security, each RFID transponder connected to a container would have to ‘see’ the transceiver that triggers the transmission of data from the container. The approved 433 MHz frequency requires line of sight. How close the reader is to the container is also a troublesome issue. Geography and topography are consequently a potential issue in constructing antenna systems close enough to the container but far enough away to see the antenna of the transponder connected to the container.

Cost of RFID infrastructure
Although the land-locked constraint can probably be overcome by proper use of topography and construction techniques, there is another problem related to a land-based system of security, particularly container security. The issue for RFID technology on containers is that the user will probably not own the land on which readers (transceivers) would have to be installed as fixed sites, nor have rights to install its antenna system along the routes the container and chassis travel. This is a problem for commercial motor carriers using public roads. Railroads, in contrast, are much better candidates for RFID usage because they have ‘rights of way’ and own their own track infrastructure. However, there is some concern about whether 433 MHz (the low end of the high frequency band) is good enough for reading rail-carried containers and railcars at the speed they pass a fixed transceiver or antenna. Another good candidate for RFID container security usage is the US Department of Defense (DOD). Like the railroad, the DOD can often, although not always, control its chokepoints in a manner superior to that of a commercial motor carrier.

To construct fixed-position readers one needs access rights to the land or the equipment on which one installs the reader. Take, for example, a seaport. Who owns the port? Is it the property of the city in which it is located? Is it managed by a port authority? Who owns the gantry cranes on which a user of RFID technology wants to place the transceiver? The same scenario is applicable to US land ports-of-entry. In the case of Laredo, Texas, on the US-Mexican border, the city owns the bridges. Therefore the city would have to give or lease the right to erect an antenna or fixed-position reader on its bridge for a single shipper or carrier. Since private or government property will be on each end of the bridges between Mexico and the US, will the governments or landowners provide proprietary usage to individual shippers or carriers?

Finally, how does one control the footprint problems at busy ports with multiple transceivers, transponder-fixed containers, and antenna footprints? As mentioned previously, the protocol or instructions for the container and transceiver to communicate have to be clear. Who talks first and what bandwidth is used are critical. The combination of finding the corresponding talkers (transceivers outside and transponders inside containers), instructions on which talks first, the speed of talking, and the volume of data transmitted make for increased distortion and interference, especially at congested ports and landbased chokepoints. In the mid 1990s, the North American Trade Automation Prototype (NATAP) tests, of which I was a part, were conducted at a few selected land ports-of-entry along the Mexican and Canadian borders using RFID. These tests encountered these exact problems.

At major modern seaports like Rotterdam, everything is moved by RFID applications. There are no drivers in the tractors that pull the containers. There are multiple gantry cranes seemingly working on their own in coordination with moving trucks and chassis. Superimpose on this RFIDlayered sea port RFID frequency and protocol differences between the US and the Netherlands, for example, and one will see immediately that RFID applications to container security would be quite difficult, if not impossible.

Associated with the access and cost of RFID infrastructure is the cost of container modification. An inexpensive passive RFID tag can be hung on the outside of the doors and respond to a transceiver as to whether the doors have been opened in the normal manner. A more expensive active RFID device can also be hung on the outside of the doors and send a signal on its own at a chokepoint indicating whether the doors have been opened (assuming the doors can be read at the chokepoint). However, an active RFID device placed inside the container that can sense access to the container through means other than the doors is an expensive proposition compared to the inexpensive passive tag. Not only does the active device, itself, cost more, but also the container has to be structurally modified to accommodate the internal RFID transponder and its antenna. Since the RFID frequency approved for containers does not emit through steel, the RFID device internal to the container must have access through the steel to the outside in order to function – a required modification to the container. Permanently modifying a container for only RFID may be unacceptable to the owners.

Conclusion
RFID alone is certainly not the ‘silver bullet’. It is not an ideal method, nor even necessarily the least expensive method, for delivering container security. So far, the literature on this subject has focused not on a solution to the problem of security, but on a communication device which is one part of the solution. The security solution requires a complete system of end-to-end coverage, a solution from origin to destination, one without the disparate protocols and frequencies, and the problems of access to and cost of land-base infrastructure.

The future of container security is a satellite solution which by its nature avoids the limitations and infrastructure costs of RFID configurations. The global movement of containers requires a global solution, not encumbered by the constraints inherent in current RFID applications and lack of standards. The apparent rush to RFID applications for container security in a global market is premature and limited as a land-based system.

Authored by James Giermanski, Director for the Center for Global Commerce, Belmont Abbey College. Originally published in the Cargo Security International August/September 2005 issue.

Here’s what is known and can be demonstrated factually.

Fact No. 1: In the latest Request for Information, an information-gathering and planning vehicle used by DHS in support of Customs and Border Protection, Johns Hopkins University’s Applied Physics Laboratory (under contract with DHS) sent a letter dated Nov. 8 to potential vendors. The letter stated in part, “The purpose of this request is to gather information to identify and evaluate available state-of-the-art container and trailer tracking devices suitable for in-bond shipments.” That statement, alone, poses two serious questions. What does DHS believe is “state-of-the-art,” and why has it taken this long after 9/11 for DHS to realize CBP had little or no knowledge of or control over containers coming into the United States and moving throughout the U.S. under bond.

The level of “state-of-the-art” for DHS is the following:

1. Sensing
a.The container and trailer security device must be able to electronically detect closing and opening of either door of the container/trailer. Monitoring the door status must be continuous from time of arming to disarming by authorized personnel.

Fact No. 2: In April 2005 a North Carolina firm demonstrated to national and foreign attendees, including the news media and the Defense Department, the capacity and ability to breach a container, and insert contents into the container without ever opening the doors. Additionally, that same firm through the cooperation of EADS in Bremen, Germany, repeated successfully on multiple occasions that same demonstration.

Fact No. 3: Under a contract from the U.S. Energy Department, that same North Carolina firm in 2004 demonstrated in Laredo, Texas, the nation’s largest southern border port-of-entry, the capacity and ability to insert clandestinely RFID antennas not detectable from outside the container which would trigger an electronic signal within a locked container when energized by an RFID transceiver located outside the container.

Fact No. 4: In June 2004 the Federal Communications Commission issued a final rule authorizing the use of 433 MHz for commercial shipping containers. Since each nation or region approves and utilizes different frequencies and communication protocols, frequency identification is easily obtained through published government documents. Even wattage is specified. In the United States, 433 MHz used in commercial shipping containers must use less than 100 milliwatts, necessitating the need for cutting in an antenna into the container (Fact No. 3). Although the frequency is low enough to penetrate the steel of the container, its limited wattage requires the use of an antenna.

Fact No. 5: The large-firm entrants into the smart containermarket have been identified as IBM-Maersk, GE-NYK, Siemens- GE, Motorola and SAVI. It has been reported that each is dedicated to and has developed smart container devices employing RFID technology. This technology will require the use of an RFID transceiver at certain foreign and U.S. ports. In U.S. ports these transceivers will interrogate inbound containers equipped with their devices by using 433 MHz, the only U.S.-approved frequency for the commercial shipping container market (Fact No. 4). Because they are published, the identification of U.S.- approved frequencies like 433 MHz used in the commercial shipping containers is available to any terrorist.

Fact No. 6: The combination of these factors provides the model and means of detonating explosive devices surreptitiously placed into locked RFID-equipped containers which when interrogated, transmit a “breach” or “non-breach” signal at destination in a U.S. seaport or in the case of motor carriage, at land port-of-entry.

Assume a container departs a foreign factory en route to a foreign port for sea carriage to the United States. En route the container is breached without opening the doors (Fact No. 2) and shielded nuclear waste along with an explosive device are placed into the container. An RFID antenna is cut into the wall of the container by a terrorist unseen from the outside, a 15-minute process (Fact No. 3). The container continues its journey into the foreign seaport for lading into a U.S.-bound vessel. The dirty bomb device can then be automatically armed by the interrogation signal of an RFID transceiver placed at the foreign port. The transceiver signal rides on an RFID frequency approved by the government of the foreign nation from which the container will be carried to the United States (Fact No. 4). However, given the additional differences of communication protocols among different regions of the world, it would even be simpler to insert an explosive device already armed. Even simpler would be to breach the container, place the explosive device and install a door switch to detonate the bomb when the doors are opened.

The container is subsequently loaded into the vessel which sails to the United States. Upon its discharge from the vessel, the locked container is interrogated in the U.S. seaport, responds with “safe condition” and then explodes. It explodes because the bomb was set to detonate upon receiving the mandated 433 MHz signal from the RFID transceiver, properly approved, installed, and used by those companies depending on RFID for container security.

This scenario can happen because we let it. DHS policies specifically are responsible for this scenario. Additionally, ’industries’ concern over costs, the degree of influence by industry lobbyists, and the lack of congressional oversight of a department with questionable experience and knowledge in container security all seem to share the blame.

What can we learn? First, door-only security is not only inadequate, but also dangerous. It represents a lack of either knowledge or sophistication, or both. It may even represent the acquiescence of DHS to industry lobbyists representing companies who have committed, perhaps foolishly, many dollars to RFID door-only applications. We must switch to end-to-end security applications that help monitor the security of the container at stuffing, which detect breaches through any part of the container and transmit the breach notification via satellite in real time, not delayed RFID time. Second, RFID for many other reasons should not be the preferred technology for global container security. Third, we must realize that essential characteristics of radio signals can serve as the very means of detonating explosives placed in the container. Finally, the current leadership and the quality of decision making of DHS personnel assigned to container security suggest a need for serious review and re-evaluation.

Authored by James Giermanski, Director for the Center for Global Commerce, Belmont Abbey College. Originally published in the American Shipper March 2006 issue.

Diverging from his predecessor, the head of U.S. Customs and Border Protection (CBP) says any device developed to monitor the security of a shipping container must be able to detect unauthorized intrusions anywhere on the container, not just through the doors, to be part of a layered defense strategy in securing the global supply chain.

“I’m not suggesting that you skip over a device that’s going to secure the doors,” Ralph Basham, commissioner of CBP, told reporters at the annual CBP Trade Symposium last week. “I’m saying that just because you have a device that secures the doors does not mean that the container is secure. It just means that the doors are secure and not the whole container. If technology is being developed it should be toward making sure the entire container is tamper proof.”

Basham said his visits to ports, where he has seen “half the containers” with pieces welded on to them, have convinced him it’s too easy to create an opening in a container to smuggle something and then close it back up without ever using the doors.

Basham, formerly chief of the U.S. Secret Service, became CBP Commissioner in June, succeeding Robert Bonner, who left CBP late last year.

Bonner advocated more of a two-track approach to container security devices.

He believed that technology was just about ready to reliably monitor whether doors on shipping containers were being opened when they weren’t supposed to be during transit.

The concern with the unauthorized openings is that terrorists could place some sort of weapon of mass destruction (WMD) inside a container bound for the United States.

Bonner felt that the technology that could provide more comprehensive and real-time container security, such as whether someone was cutting a hole in the box i to hide a WMD, was still years from being ready.

Basham agrees that a device that provides comprehensive security isn’t ready.

“At this point I have not been convinced that there is a device out there that is reliable and dependable enough to stake our confidence in it,” he said.

“That is the challenge. Not just the doors on the container but the entire container,” he said. “We have not reached, at least I’m not familiar with, any device out there that’s meeting that requirement.”

Several companies have been developing container security solutions, including General Electric [GE], IBM [IBM], L-3 Communications [LLL], Lockheed Martin [LMT] and SAIC [SAI].

Earlier this year the Science and Technology branch of the Department of Homeland Security (DHS) awarded phase two development contracts to L-3 and SAIC that require the delivery of Advanced Container Security Devices shortly for testing.

Those devices would provide the enhanced security Basham would like to see, if they work.

Authored by Calvin Biesecker. Originally published on January 3rd, 2007 in Security Info Watch.

I am particularly honored to be sharing the stage with my good friend and predecessor, Rob Bonner.

Those of you who are familiar with Rob know that we are here today talking about many of the concepts he put forward – and the actions he took after 9/11 to secure the borders of our nation.

A list of what he set in motion as Commissioner of U.S. Customs in the days following 9/11 is, to say the least, very impressive:

• Getting advance information,
• Creating a center to analyze that information for risk of terrorism,
• Partnerships with other countries – through the Container Security Initiative, which as he mentioned, he announced right here at CSIS, and
• Our partnership with the trade community – C-TPAT, the Customs-Trade Partnership Against Terrorism.

These initiatives were soon followed by a push to install sophisticated technology at our ports of entry to detect radiation and imaging equipment to detect anomalies.

And, he didn’t stop there. He knew the U.S. would not be safe if other countries didn’t adopt those same security principles. So he began reaching out to our international trading partners and to the World Customs Organization—and two years ago, the WCO adopted the Framework to Secure and Facilitate Trade—which effectively internationalizes the strategy.

And last October, Congress gave the final nod of approval to the “house that Rob built” when it passed the SAFE Port Act, which embraces and codifies many of the concepts and initiatives that Customs instituted under Rob’s leadership.

And we are fortunate he is still lending his guidance and advice on issues of national security. He is truly someone who has left indelible footprints on this important issue of securing global trade.

The Strategy: The Next Generation
While our accomplishments to secure the international shipping lanes are remarkable, today we face other hurdles to meet the mandates of the SAFE Port Act, to further strengthen the major programs of our strategy, and more importantly, to envision and plan for challenges we will face down the road.

Today, those of you in this room—the thinkers and doers on the issue of homeland security—must be every bit as forward thinking as our colleagues were in 2001.

The strategy we have today and the strategy U.S. Customs developed after 9/11 is a layered, risk-based strategy. A strategy that extends our borders beyond our physical borders. A strategy that allows us to target for risks—and inspect, if necessary—cargo and passengers arriving in the U.S. A strategy that established twin goals of securing our borders without stifling trade and the economy.

Since 9/11, we’ve accomplished a lot to build that layered defense. When I came on board, I felt that this was a sound strategy. I believed it was the right strategy and that CBP was moving in the right direction. In the year I’ve been Commissioner, I haven’t had any epiphanies that change those initial thoughts.

Coming on board, I knew—and the SAFE Port Act soon confirmed—that my task would be to take those initiatives to the next level—and to plan for the long term.

The SAFE Port Act also came with many requirements that effectively defined this year’s agenda for CBP.

And, before I get into a discussion on the issue of today’s meeting—Container Security Devices—let me mention some of the progress we’ve made to ratchet up our strategy by collecting more information, working with our partners overseas and working with the trade community.

Advance Information – 10+2
As you know, the SAFE Port Act mandates that we collect more detailed information prior to cargo lading to improve our risk targeting, and that we consult with COAC—the Commercial Operations Advisory Committee—and the trade community in general—on an extensive list of issues, programs, and plans. And, we are doing just that.

We have long recognized the need to go beyond the 2002 Trade Act data requirements to gain greater transparency into the supply chain—back to the point of stuffing.

Better information, means better risk management. And better risk management, leads to improved security and improved facilitation of legitimate trade.

For three years now, we’ve been engaged in discussions with the trade over what additional data elements would improve our ability to assess the risk for terrorism.

The work originated in the Trade Support Network‘s Supply Chain Security Committee, which worked diligently on this issue, to identify and define specific data elements that could enhance CBP’s targeting efforts.

In November 2006, this effort moved under the banner of the Commercial Operations Advisory Committee—COAC—to help us refine the definitions of the 10 data elements, to identify potential operational challenges, and to provide advice on the best means of reporting the information to CBP.

COAC presented its recommendations to CBP in February of this year, and we have been working internally on developing the Notice of Proposed Rule Making since then. We’ve made great progress on this initiative, and we have submitted a draft to the Department for its review and comment. We hope to complete this process in the near future.

Like the Trade Act, and many of the new security measures we have implemented over the past five years, 10 + 2 will be phased in. With these new reporting requirements, we will continue to work with the trade to make sure all issues are resolved before we go to full compliance.

Container Security Initiative and Secure Freight Initiative
We’re also making exciting progress overseas, as well. CSI will soon be deployed in 58 foreign ports, which will cover 85 percent of the maritime containerized cargo coming to the U.S. And, we are now implementing the next generation of CSI—the Secure Freight Initiative—or SFI—which integrates radiation detection and container imaging.

Information from this technology, combined with our normal analysis of manifest data, will provide a comprehensive, real-time approach to assessing the risk of every container bound for the U.S.

SFI meets the SAFE Port requirement to conduct an overseas integrated scanning pilot program.

SFI will be fully deployed in three ports around the world—Port Qasim, Pakistan; Port Cortes, Honduras; and Southampton, United Kingdom, with some limited capacity in four additional ports. This project creates an integrated network of radiation detection and container imaging equipment.

This initiative is the culmination of our work with other Government agencies, foreign governments, the trade community, and vendors of leading edge technology. And, like all our security initiatives, this increased information will help facilitate trade because questions about shipments that appear to be high risk can be resolved quickly and effectively.

100 Percent Scanning
Here, let me make a few observations about discussions underway in Congress about 100 percent overseas scanning.

At CBP, we believe this concept is fundamentally flawed.

As I have described, since 9/11, we have created a risk management system that is currently performing the task of separating high risk from low risk shipments very credibly.

We believe there is no other viable alternative to making informed decisions about which of the more than 11 million containers entering the U.S. each year by sea poses a security risk, and therefore, required further inspection.

Trying to legislate a requirement that all 11 million plus containers undergo image scanning and radiation detection monitoring prior to leaving a foreign port just does not make sense. The impact on the flow of commerce would be enormous and the result would be lower profits and higher transportation costs for U.S. importers.

It would hand the terrorists a victory on one of their key aims—inflicting serious damage on the U.S. economy—without them having to take any action whatsoever.

At a minimum, Congress should be willing to wait until we have the results of the overseas scanning pilot currently underway in the three ports I mentioned.

The pilot will give us information on the technical feasibility of 100 percent scanning, the impact on supply chains, the security gains, if any, and the costs to both the public and private sectors.

I am also concerned about our credibility with our international partners. When several nations agreed to partner with us in testing the 100 percent concept, it was done with the understanding that the findings would drive further discussions regarding a logical path forward. Mandating 100 percent scanning prior to concluding this first phase, will undermine the credibility of our current initiative.

C-TPAT
C-TPAT, our partnership with the trade, continues to evolve with refined security criteria, three tiers of benefits for importers, and more supply chain security specialists to conduct validations.

C-TPAT’s more than 7,000 members account for 45 percent of imports into this country. And, in the next few years, C-TPAT will evolve even further to respond to the widespread demand for participation.

We’ve validated 78 percent of those certified partners and expect to reach 100 percent by the end of the year.

Once we finish the first validations this year, we will begin to re-validate companies, and we will conduct revalidations on certified C-TPAT partners once every three years. We will also be conducting yearly revalidations on all U.S./Mexico highway carriers, our riskiest enrollment sector. This will ensure that our partners have adopted stronger supply chain security measures across their international supply chains.

The SAFE Port Act authorizes C-TPAT and provides guidance on how the program will evolve in the future. COAC, too, is conducting discussions on implementation of SAFE requirements in this area.

These discussions included the development of a 3rd Party Validation Pilot Program, and on June 29, CBP announced the 10 companies that were selected to participate in the program.

We will also continue to pursue mutual recognition between C-TPAT and foreign business partnership programs through the WCO Framework. Several countries are pushing their programs toward higher standards, and I am pursuing the possibility of partnerships with these countries.

In fact, two weeks ago, at a meeting of the World Customs Organization in Brussels, I signed the first Mutual Recognition Agreement with New Zealand. We are actively engaged with Jordan and the EU in developing a mutual recognition regime. Japan and Canada have also expressed interest in the concept.

Container Security Devices and Challenges Ahead
But, for all that we have accomplished in so many areas, here we are nearly six years after 9/11, and one of our fundamental goals for improving homeland security still lies just beyond our grasp.

Since the terrorist attack on our soil, one of our most-feared scenarios has involved terrorists hiding the components for a nuclear or radiological bomb inside one of the shipping containers that enter into and pass through our seaports each year.

When C-TPAT and the layered strategy were conceived, CBP envisioned the development of a container security device to detect whether containers have been tampered with while being transported.

This capability would be the vital link that would close the loop between CBP’s trusted partnership program with the trade, information-based risk assessment, and secure ports. What we’ve called “Smart Box” has yet to be developed.

CBP is currently working with the Science and Technology Directorate of the Department of Homeland Security to determine the technical and administrative requirements for the Container Security Device, the “CSD.”

It’s important that this device be part of a fully integrated process that will support its use.

I expect to set forth CBP’s requirements for CSDs soon. Shortly thereafter, we expect to test CSD technology to see if the available technology meets our requirements. We intend to move quickly, because CSDs have the promise to truly increase security of cargo shipments. The testing phase would be completed within about 60 to 90 days, and we intend to promptly evaluate the results.

The use of “Smart Boxes,” that is, the use of CSDs, if they meet our requirements, will become part of the C-TPAT program.

And, for the first time, this will link C-TPAT security at point of stuffing, with a more secure container while it travels from the point of stuffing to the foreign seaport, ultimately to the port of arrival in the United States. Some U.S. importers are already doing this.

Think of it: CSDs hold the promise of securing a container during its journey from a C-TPAT compliant manufacturer’s loading docks overseas, all along the inland dray or transport to the foreign seaport, to the U.S. seaport.

If the container has been breached or opened along this journey, CBP will know.

CBP will be able to detect containers that have been tampered with en route, which are by definition “high risk.”

We have never been able to do this before.

But, first, we need to test and see that there is a CSD that meets our requirements.

I am cautiously optimistic.

When we have an effective device that meets our requirements, then we will have to answer a number of policy questions about how we employ this technology. Some of this is fairly clear.

As part of C-TPAT’s dynamic improvement of supply chains, use of such a device should, at a minimum, be viewed as a C-TPAT best practice.

But do we make it part of C-TPAT’s Tier 3 or is the use of a CSD that meets CBP requirements Tier 3 Plus? Or do we create a 4th Tier?

Will we require its use or will its use be an incentive or pre-condition for greater C-TPAT benefits?

To be effective, the device would be activated at the point of stuffing of a container overseas.

There would be little increase in the security of a supply chain unless CSDs are linked to C-TPAT security criteria required at the point of stuffing.

Although I expect that there will be relatively few false positives, still we will need to figure out how we will deal with them.

CBP’s Office of Field Operations has done an outstanding job of establishing protocols and responding to large numbers of radiation reads from our Radiation Portal Monitors, so I am confident we will be able to handle what likely will be less than 1 or 2 percent false positives from CSDs.

CSD readers will be deployed at US ports of arrival, but if CSDs prove themselves, will we position readers overseas at CSI ports?

These are questions that we will need to address as we go forward.

The main point here is: CBP has a long history of successfully rolling out programs that minimize trade impact. We did that with the 24-Hour and Trade Act Rules and with the Automated Commercial Environment—ACE.

CSDs will be no exception.

We will make sure that there is a sound and sensible rollout strategy for CSDs and their incorporation as a best C-TPAT practice.

But we also know that implementing the Container Security Device—or Smart Box—adds another layer to our defense and is a case where we should not allow the perfect to be the enemy of the good. The perfect technology is probably a long way off and may prove to be far too expensive.

CBP’s original vision involved a device that sent a signal when a container’s doors had been opened or breached in transit, a signal that could be read by CBP with either a fixed or handheld reader. The signal would tell CBP which containers pose a potential security issue, warranting an inspection.

It is important to note that the deployment of CSD technology is part of a broader C-TPAT supply chain security process that ensures the integrity of the shipment before the CSD is activated.

CSDs will help provide the supply chain security “envelope” that Secretary Chertoff has talked about, and it will close a gap in C-TPAT’s secure supply chain criteria.

And CSDs will move us one step closer to realizing the “Green Lane.” Use of CSDs is an important element of the “Green Lane” concept, and the fact of the matter is, there can be no “Green Lane” without CSDs, without “Smart Boxes.”

And the beauty of CBP’s Smart Box system is that it is voluntary. Companies can choose the relatively small cost of simple container security devices, approved by CBP, that will lead to faster, more predictable customs processing, or they can choose the cost of less predictable customs clearances and potential delays.

Device manufacturers have an incentive to keep the price low, because companies will not be required to use the devices. But those who do will be entitled to greater benefits and it will narrow the haystack of what CBP needs to inspect.

The good news is that CBP will be publishing its requirements for Container Security Devices soon.

This means that we will soon have a roadmap for completing CBP’s vision for a secure loop between trusted companies, trusted ports, and trustworthy transportation.

We could soon realize better port security using today’s technology, and at reasonable cost, without slowing down the continuous flow of global maritime trade.

No Silver Bullet
That being said, we all know that there is no silver bullet—no one fix or solution that is 100 percent sure.

But taken together—more information, more overseas scanning and inspections, more integrated targeting, more sophisticated technology, including a Smart Box, and more partners in the trade community around the world—add multiple layers to our defense and provide a more effective defense of our homeland and of the entire global supply chain.

All these initiatives work together as a deterrent, making it harder for terrorists to penetrate security and put a bomb—or components for a bomb—in one of the millions of containers that move in and out of ports around the world on a daily basis.

We still face significant challenges and limitations about what we can humanly do to secure the containers, the ports, and our nation.

As we work toward the green lane concept of no inspections once companies have satisfied certain rigorous requirements, we also know in the United States—and in ports around the world—our infrastructure can only handle so much traffic.

Our ports were built in—and for—another age—certainly not the age of global terrorism. And as we go forward, we know that what we are planning for today—and in the future—is only a snapshot in time.

Six years ago, roughly the time when Commissioner Bonner came onboard, the U.S. imported 7 million containers. Today that number has increased to almost 12 million. And with the prediction of a 5 to 6 percent annual growth rate, those numbers could double to 24 million containers by 2015—and triple by 2025.

But, as I said at the outset, I believe we are on the right track. We have been able to provide increased security, despite increasing trade volumes, and that is because we are working with our partners here in the U.S. and around the world to protect the global supply chain.

The consensus on the seriousness of the terrorist threat—and the willingness of countries to join us in taking action is an amazing feat unto itself.

Conclusion
Since I raised my hand and took the oath of office as Commissioner of Customs and Border Protection, the constant nagging question in my mind is: have we done everything possible to protect our nation, the American people, and our economy from terrorism.

Every program, every improvement, every partnership we’ve instituted has been designed to achieve that balance of security and trade facilitation.

Everyday we walk a tightrope to achieve that balance.

Every time we look at security, we look at facilitation.

Because we know that if security disrupts trade, it impacts our economy—and that means the bad guys have won.

And the terrorists don’t care how they win—whether it’s flying planes into buildings or blowing up a commuter train or detonating suicide vests in a crowded mall. They are smart enough to know that stopping trade, by any means, hurts the economy, and thereby hurts America and our allies—and that’s their goal.

Six years after 9/11, with no terrorist attack on U.S. soil, it’s tempting to let the urgency of this threat fade to the background with all the other news swirling around our nation and the world.

I know I don’t have to remind you that the threat is ever present. It is real and the enemy is constantly looking for any loophole, any vulnerability, any weakness in our defense. The recent incidents in the UK and Glasgow certainly prove that point.

I frequently tell our employees that as dedicated and committed as we are, our enemies are just as dedicated, just as committed, and just as passionate about achieving their goal—which is to attack us in our homes, in our workplaces, in our places of worship, and to attack our leaders.

Our mission is to ensure that the terrorists don’t succeed in their mission.

Although our strategy has made us safer, we are not yet safe. And, we should never allow ourselves to be lulled into a false sense of security.

For me—and I’m sure for Rob and many of you here, too—it’s about our children, our grandchildren, and their future. I assure you I will do everything within my power to make sure that my grandchildren—and yours—inherit a free America.

An America that is safe, secure and open.

An America where all our children can grow up to realize their hopes and dreams.

For me, anything less is unacceptable.

Remarks by U.S. Customs and Border Patrol Commissioner, W. Ralph Basham. Originally published on July 11, 2007 on CBP.gov.