GMISS 08 Summary Report

Tab 5: ODNI " Protecting the Global Supply Chain " Conference Materials

(Return to main report)

Summary Report

Protecting the Global Supply Chain II

Maritime Threat Warning and Incident Information Sharing Solutions

The views expressed in the discussions and in this summary are solely those of individual experts who attended the work-shop, and do not necessarily reflect the analysis, views, or opinions of any individual speaker, company, consortium or U.S. government agency.

June 2, 2008

Table of Contents

SUMMARY & FOLLOW-UP

Executive Summary

This event was part of a series of workshops initiated by the Office of the Director of National Intelligence (ODNI) and two private sector partners: the U.S. Chamber of Commerce and the Intelligence and National Security Alliance (INSA). The purpose of the workshops is to exchange views and perspectives on issues of common interest and concern to the private sector, U.S. government and the Intelligence Community. These events are unclassified, off the record and not for attribution.

The one-day event, held at the Army-Navy Club in Washington, D.C., was the second ODNI conference dealing with protection of the Global Supply Chain (GSC), the first (held in October, 2007) being an entrée to United States Government (USG) collaboration with the private sector on this issue and an

initial gathering of opinions and ideas to improve security of the GSC in the long term. This iteration focused specifically on short term ways to improve global maritime suspicious incident and threat warning information sharing between the USG and the maritime industry. Attendees included corporate leadership, domestic and international security firms, and US Intelligence Community and Interagency organizations that deal with the maritime domain. Although the conference was focused on improved communication, much of the discussion centered on the increasing vulnerability of the GSC and the potential economic impact of a serious disruption.

There were four predominant themes from speakers, panel members, and working groups:

• Bad actors can seriously affect whole economies by stopping a single node in the GSC, e.g., information, fuel, chemicals, food, products, components, money, etc.
• An attack on the GSC, whether kinetic, radiologic or cyber, is likely and could have significant effects on the US and global economy. There would be serious economic disruptions at the very least, as there is a lack of capacity for supplies to be rerouted.
• As complete defense is unattainable, infrastructure resiliency is critically important and should be combined with best security practices.
• Security communication between the USG and maritime industry can be improved, with strong preference for a single point of contact within the USG for maritime suspicious incident reporting and issuance of threat warning. This applies to State and Local governments as well.

We appreciate your continued participation and look forward to next year's GSC conference to further solicit your input. The topic being considered is maritime security and analytic training, in both the USG and private sector, to further strengthen our critical knowledge base and improve USG understanding of

the GSC. In the interim, your additional feedback and continued collaborative dialogue is highly valued.

An in-depth retrospective of the conference is provided in the following pages.

General Points of Discussion

• It was noted that over the past decade there has been an exponential increase in the flow of global trade, primarily due to the steady growth in the GDP of the U.S., European Union, China and India. Since 2000, the total value of international trade has risen by over 40 percent. The combined value of foreign trade (imports and exports) represented 13 percent of U.S. GDP in 1990, rising to nearly 22 percent in 2006.
• The world's economic engine is finely tuned to the "just-in-time" delivery process for not just finished goods, but also for intermediate materials and parts during assembly of final products.
• Any interruption, any slow down in this [conveyor belt] supply chain network, at any node globally, causes large and very expensive ripples throughout the entire network. Whether the interruption is foreign or domestic, there is no difference in its overall economic impact.
• 95 percent of America's foreign trade is transported by ship moving more than 2.3 billion tons of domestic and foreign cargo each year. There are now massive global hubs or "gateways" located on every continent, and any single port blockage affects trade world wide.
• There are 600 departure ports in the world that are shipping to U.S. ports every day.
• Chokepoint congestion is a growing problem with a 42% increase in annual ship traffic in less than 10 years.
• The number of containers transported continues to increase at almost 10% annually. In 2006, 31 million containers entered the ports of New York and New Jersey, with 15 million entering the Port of Los Angeles.
• The Container Security Initiative (CSI) was an outgrowth of 9/11. Under this program, about 5% of containers are examined by Customs & Border Protection (CBP). A new law [Implementation of 9/11 Recommendations] mandates 100% scanning of maritime cargo bound for the U.S. effective in 2012. However, the following facts need to be taken into account:
  • A one-month impact study was performed in the ports of Hong Kong and Yantian, China which together account for 40% of the total volume of containers arriving in Los Angeles
  • Using present CSI protocol, only a 5% inspection rate is possible in Hong Kong with the system becoming overloaded at 7% using one inspection station. With two inspection stations 10% is workable, but 14% overloads the system. Yantian was worse
  • In Hong Kong, if just 20% of containers bound for the U.S. were backed up [for whatever reason], they would cover 163.4 acres of land with attendant delay and cost increases
  • Congestion increases the likelihood that bad actors will be successful and ensures that effects will resonate well beyond the immediate target area
• The Customs-Trade Partnership Against Terrorism (C-TPAT) program was designed to improve security while increasing flow efficiency, but vulnerabilities exist that could be exploited.
  • Once a container has been tagged by a C-TPAT partner company it is given a complete pass all the way to its destination; a perfect target for terrorist exploitation
• The increased focus by the U.S. Coast Guard on port and off-shore security has affected its relationship with the maritime industry.
• Most domestic and global cargo control and tracking is now performed on-line. With the pervasive use of computers to choreograph this "just-in-time" arrival of goods, the GSC has become extremely vulnerable to cyber attack aimed at communications networks and automated control systems. Hacking skills are now even more professional and pervasive. Of major concern are insiders who would be well-positioned to accomplish cargo misrouting, or provide misinformation to derail customers, suppliers and "just-in-time" processes.
• A 2002 Booz Allen Hamilton study looked at the effects of shutting down one major U.S. port for 2 weeks. The result was a $58 billion impact on the economy. This was confirmed by a subsequent GAO study, although conference attendees felt strongly that the figure was far too conservative and that the economic impact would be much more severe.
• Resiliency [ability to quickly recover from a catastrophic event] decreases the risk to the GSC and must be pursued by both the private sector and government:
  • More cost-effective
  • It reduces overall risk and impact; reduces attractiveness of the target to terrorists
  • Adds value to the system by avoiding disruptions and delay ripple effects
• The 2005 National Strategy for Maritime Security (NSMS) represents a coordinated USG approach to maritime security.
  • The purpose of the NSMS is to continue the free flow of commerce while simultaneously screening out and interdicting bad actors who would use the maritime domain for illicit purposes or to cause catastrophic harm
  • The supporting Global Maritime Intelligence Integration (GMII) Plan was written to ensure a collaborative USG interagency effort and to specifically engage the maritime industry whose cooperation is integral to the mutually beneficial protection of the GSC
  • The Office of the Director of National Intelligence's (ODNI) Global Maritime & Air Intelligence Integration (GMAII) staff oversees implementation of the GMII Plan
    • ODNI/GMAII collaborates with the USG interagency entity Office of Global Maritime Situational Awareness (OGMSA) for holistic oversight and achievement of Maritime Domain Awareness to improve national security
      • Goal is to get the best possible information into the hands of decision makers so they can counter a threat as far away from the U.S. as possible in both distance and time
      • Engaging the private sector to build a Global Maritime Community of Interest (GMCOI) is essential to this effort
• Regarding the main topic of increasing the efficiency and effectiveness of threat warning and information sharing between the USG and maritime industry, there was general agreement that it could be improved; although at least one industry leader thought it was already adequate.
• Several alternatives for improvement were explored:
  • Adding a maritime specific section to the Department of State's (DOS) Overseas Security Advisory Committee (OSAC) which has been chartered since 1985 to perform threat warning to U.S. businesses operating abroad
    • Pro: well established with proven track record and trusted reputation within the private sector; on-line protected database with private sector contact information (email addresses and phone numbers); works with mainly unclassified information to allow for quick turn-around of warnings to private sector supplemented by U.S. Intelligence Community threat warning; no cost to industry
    • Con: OSAC's charter restricts it to supporting U.S. businesses, although there are some limited work-arounds
  • DOS has a signatory program (database) on nuclear threats and terrorism
    • 60 countries currently participate
  • An Information Security Advisory Committee (ISAC) [non-USG analysis center] approach could address private sector reluctance to voice information to the same government that can regulate and penalize it, as well as concerns about unintended consequences of cooperation. There are two main choices:
    • Expanding existing non-sector specific ISACs with a maritime element
      • Pro: minimal cost to expand maritime focus; no connection to USG that may impede international cooperation
      • Con: members must be U.S.-based or have U.S. offices that operate domestically or internationally; not truly global in nature; cost borne by industry
    • Creating a separate maritime specific ISAC
      • Pro: international in nature with foreign flag carriers and foreign seaports as members; no connection to the USG; global inclusion
      • Con: cost would be borne by industry
  • Establishing a Wikipedia-type model for maritime security reporting
    • Pro: real-time or near real-time information sharing from any source
      • Considered to be "low-hanging fruit"; near-term implementation possible
      • Extremely accurate, up to date and available to all audiences
        • Comprehensive; Wikipedia is already available in 150 languages
      • Self-healing/correcting nature of information from unlimited sources
        • "security through a million eyes"
        • anomalies are readily apparent and increase situational awareness
    • Con: credibility depends on accurate vetting of information using proper protocols [login and attribution]
      • Another part of the site could be available to non-vetted or anonymous users to file a report, albeit with attendant lower credibility. However this would ensure 100% online access and improve chances of reporting
      • Would require occasional "smart-push" of critical threat warning information vice organizational routine pull of information from website
• A good example of the benefits to be derived from a public-private partnership is the International Chamber of Commerce's International Maritime Bureau (IMB) which has a proven track record of gathering threat information on piracy and quickly broadcasting it to shipmasters and governments to enable the appropriate response and application of preventive measures.
  • IMB's knowledge of effective points of contact within the maritime industry enables its 24/7 staff to deliver the right information to the right people at the right time
• INTERPOL is another success story that could be emulated.
  • Pro:
    • It is looked at as non-threatening and not run by the USG
    • Many countries work closely with it
  • Con:
    • Can only receive and transmit information through its own agents, but this could be amended as there is precedent for change
• One example of a successful voluntary and anonymous reporting system is the Maritime Accident Reporting System (MARS) routinely used by shipmasters throughout the industry.
• Must solve the challenge of combining intelligence, law enforcement and proprietary information for release to international partners.
• Major concerns for the private maritime sector:
  • Complying with USG requests for information might leave the industry open to law suits
    • USG protection of private sector sources and reduction of exposure would be considered positive gestures
  • Private sector entities often stop providing information because of the time and effort expended for no apparent gain
    • Consistent and timely USG feedback could prevent this
• o Need to prevent system penetration by bad actors ( e.g., organized crime, etc.)
• The "Single Window" vision of an integrated, government-wide system for the electronic collection, use, and dissemination of international trade and transportation data [collected for the International Trade Data System (ITDS)], was strongly endorsed. CBP's Automated Commercial Environment (ACE), which embodies this solution, is being phased in and expected to be fully online in 2010. It is anticipated that all relevant customs information ( e.g., ship, crew, cargo, etc.) would be input to a single portal, then farmed out to, or accessed by, all interested USG agencies.
• o The U.S. Coast Guard does not support ACE

What We Heard You Say (Takeaways)

• Let the maritime industry know where the threat is and how we can help.
  • The private sector knows what is normal and what isn't
  • Government needs to clearly state what it wants in the first place
• There is still a split between domestic security organizations within the U.S. and the Intelligence Community.
• Historically, information sharing occurs at the local level; moving information from local to national level remains a challenge.
• USG unity of effort on maritime security issues can be improved.
  • There is a pressing need for the USG to speak with one voice when dealing with the maritime industry, especially from a security perspective, so as not to impede rapid and effective communication of suspicious activity or known threats
• There were diverging opinions on what mechanisms and protocols would support increased USG maritime private sector information sharing and collaboration on security issues, but all agreed it would be mutually beneficial, so long as businesses were protected from reprisal for cooperating, and could ensure protection of their proprietary information.
  • Voluntary participation vice mandatory would create more acceptance and flexibility
• Consortiums will lead to better data and standards.
• Information standards will lead to better and quicker exchange of data.
• Confidence in the validity of information will lead to better decisions.
• Remove the mystique of intelligence; keep it simple while ensuring that the essential elements of information are passed.
• Office of Naval Intelligence (ONI) and U.S. Coast Guard Intelligence Coordination Center (ICC) products tailored for the maritime community continue to be very useful, e.g., Threats to Commercial Shipping.
• Frankness of conference speakers and panelists, and a willingness on the part of the USG to listen was deemed a plus by attendees.
• USG needs to realize that most of the maritime industry is now run by foreigners.
• Poor/restrictive treatment of foreign seamen as a result of post-9/11 USG regulations directly impacts their willingness to cooperate and report suspicious activity.
  • Need to look at them as part of the solution and work to regain their trust
• Overly reactive/restrictive measures, taken based on unknown factors and fear, pose a threat to the GSC as well.
• We don't have the luxury of time. Government and the maritime industry need to pick some "low-hanging fruit" now to improve threat communications in both directions.

Proposals for Way Ahead

• Follow-on focus group with products posted on a website for further collaboration and transparency.
• Use of a central 800 number (USG or private sector) for maritime suspicious incident/behavior reporting.
• o Determine responsible agency/organization
• o Advertise to maritime industry and public
• Establish USG feedback (ONI/ICC) on information provided to highlight importance of collaboration and build credibility.
• o Prove information didn't fall into a black hole and was worth the time and expense of private sector reporting
• Develop an organizational point of contact list for a national recovery plan to increase resiliency.
• Web portal (Wikipedia) approach to streamline communication process.
  • See Near-term Activity below
• Consider use of on-line search tools to help the maritime private sector extract meaningful information from already available resources.
• Consider developing "global buy-in" for specific interests ( e.g., an International Maritime Organization (IMO) model.
• Determine appropriate ISAC solution and/or engage OSAC for potential maritime specific focus.
• Work to align priorities between the USG and the maritime private sector.
• Continue to refine CBP's ACE as one piece of an overall solution to improved information sharing.
  • Address U.S. Coast Guard concerns with ACE

Near-term Activity

• Your feedback and input is encouraged on the following initiative. There was general agreement during the conference that the internet is the primary means for domestic/international collaboration and information sharing within the maritime domain. One potential solution is ODNI/GMAII's collaboration with the Department of the Navy to use this medium to improve the sharing of maritime security threat information on illicit activities that include international supply chain disruptions, piracy, trafficking of controlled materials, trafficking of humans, and violations of exclusive economic zones. The Non-Classified Enclave (NCE) pilot project will explore the use of unclassified information to improve maritime security operations and greater awareness of all threats in the maritime domain. NCE will support the early detection, identification, and monitoring of threats to international maritime navigation, commerce, safety, and security using non-classified shareable information. The NCE pilot is scheduled to reach an initial operational capability by August 2008 and will leverage common web tools and provide a government portal to share information with our private sector partners.

The views expressed in the discussions and in this summary are solely those of individual experts who attended the work-shop, and do not necessarily reflect the analysis, views, or opinions of any individual speaker, company, consortium or U.S. government agency.

(Return to main report)

-- ChadHolmes - 26 Jan 2009