Wednesday, March 01, 2006

Supply Chain, the Next Sarbanes-Oxley

I have spent most of my I/T architect career working on customer service and sales & marketing type applications in the industrial sector. I will admit a lack of real-world experience in the area of supply chain. However, when I read Security Compliance: Customs Rattles the Supply Chain I found myself wondering how long it would be before my first supply chain project.

It seems that the recent political spat over the safety of US ports and public discussion of how ports could be used by terrorists has shined a bright spotlight on something called the Customs-Trade Partnership Against Terrorism, or C-TPAT. There is now some widespread speculation that this currently voluntary program might become mandatory and have as big an impact on US corporate life (and I/T Architects) as Sarbanes Oxley.

In a program called Operation Safe Commerce, it seems that the Department of Homeland Security has been quietly using GPS and RFID technology to track the cargo containers enroute to some major US importers and the results have been unsettling. A few quotes:

....companies actually know very little about what goes on in their supply chains.
Among common unsafe practices identified by these sources were: truckers dropping off containers without ever encountering terminal security, containers left in unsecured areas, and containers bypassing a port that's considered safe (even if scheduled to pass through that port) and traveling instead through a country that poses a greater threat—without either the company or U.S. Customs and Border Protection being informed.”
Some other randomly selected quotes:

Right now, information about any given supply chain is hard to come by. And that's by design. The goal of supply chains is to get something that's needed—a part, a product—to where it's needed as quickly and cheaply as possible. If a container arrives too late to be loaded onto one ship, it's rerouted and loaded onto another. And as long as the container arrives on time—or close to it—no one need be the wiser. In fact, historically, each person or entity that handles a shipment collects and shares information only to the extent necessary to guard against liability.
Similarly, Customs was created to enforce tariffs and calculate import taxes. And while Customs' role expanded to combat drug trafficking in the 1980s, regulating trade was the department's primary job until September 11, 2001. Now, says Robert Bonner, former commissioner of U.S. Customs and Border Protection (he resigned in November), "The priority mission of U.S. Customs is national security."
Experts say that Bonner, who was sworn in at Customs on Sept. 24, 2001, was right to change the agency's focus. Most agree that the likelihood of terrorists attacking the United States through the global supply chain is so high that it's a matter of when, not if. Such an attack (most analyses focus on a dirty bomb) won't primarily be designed to kill a lot of people, but to cause panic. "It isn't the event but the sudden lack of faith in the system that it causes," says Stephen Flynn, senior fellow for national security studies at the Council on Foreign Relations.

If a bomb goes off, Flynn says, there will be huge pressure on the government to close all the nation's ports until every container on every site in the country is inspected. An October 2002 war game that mimicked that scenario found that closing the nation's ports for as many as 12 days created a 60-day container backlog and cost the economy roughly $58 billion.

Legally, a company is responsible for a container only when it formally purchases it, which—precisely for that reason—usually doesn't occur until it reaches a port, either in the United States or abroad. Target, for example, typically does not legally purchase the clothes it orders from China until they arrive in the terminal. But the government wants importers to take responsibility for everything that occurs prior to purchase, even if the container is in the custody of a trucker in China or a longshoreman in Rio de Janeiro. The principle vehicle for this is C-TPAT. This so-far voluntary program gives certain benefits, such as reduced inspections, to companies that can show they meet a minimum level of supply chain security.

The second prong of Customs' strategy is to collect as much information as it can about what's happening in the supply chain so that, through data mining, it can spot anomalies. The key to this is the Automated Commercial Environment, or ACE, a $3 billion-plus trade processing system begun in 2000, which Customs plans to complete by 2010. ACE has modules that do everything from serving as Customs' ERP system to targeting containers for inspection. Within the next six months, carriers entering the United States through land-border crossings in seven states will be required to send close to 100 data elements to Customs, including information about the vehicle, its driver and its cargo. If they don't, they don't get in. Customs is also piloting an ambitious ACE add-on called the Advance Trade Data Initiative (ATDI), which requires importers to share with Customs every bit of information about a shipment, including the purchase order, which ports it passes through, proof of delivery and its final destination within the United States.

Soon, companies that achieve this level of compliance will be rewarded with a Green Lane designation—essentially a "get out of Customs free" card that will do for borders what E-ZPass does for highways.

It's also important to limit access to supply chain information. "If the bad guys know that IBM is going to ship products from point A to B on a particular Tuesday, it gives them a leg up," says Debbie Turnbull, IBM's program manager for supply chain security. A bad actor inside a company could alter the information attached to a container from Karachi, Pakistan (which might raise an alarm), so it looked like it was coming from a factory in Hong Kong (which might not). Or that bad actor could pass scheduling information to a crony outside the company. IBM uncovered one such plot a few years ago. A worker in a plant in Mexico noticed that one container he was about to load was 53 feet long on the outside, but only 50 feet long on the inside. Upon inspection, it was found that the container had a false back, behind which was hidden several million dollars in narcotics.

Even secure processes "can be compromised," says Ken Konigsmark, Boeing's C-TPAT program manager. "[Overseas workers] get paid peanuts, and it would be very easy to bribe them." CIOs need to be able to tell when a truck driver leaves a factory and when he arrives at a port. The CIO can then alert Customs if a four-hour trip turns out to take 12.

For example, Customs wanted information that UPS stored as address line one in address line two. In other cases, Customs wanted information that UPS simply didn't have, such as a driver's passport number.

The postings on this site are my own and don't necessarily represent IBM's positions, strategies, or opinions.