Homeland Security: Summary of Challenges Faced in Targeting	 
Oceangoing Cargo Containers for Inspection (31-MAR-04,		 
GAO-04-557T).							 
                                                                 
After the attacks of September 11, 2001, concerns intensified	 
that terrorists would attempt to smuggle a weapon of mass	 
destruction into the United States. One possible method is to use
one of the 7 million cargo containers that arrive at our seaports
each year. Addressing the potential threat posed by the movement 
of oceangoing cargo containers falls to the Department of	 
Homeland Security's U.S. Customs and Border Protection (CBP).	 
Since CBP cannot inspect all arriving cargo containers, it uses a
targeting strategy, including an Automated Targeting System. This
system targets containers for inspection based on perceived level
of risk. In this testimony, GAO summarizes its work on (1)	 
whether the development of CBP's targeting strategy is consistent
with recognized key risk management and modeling practices and	 
(2) how well the strategy has been implemented at selected	 
seaports.							 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-04-557T					        
    ACCNO:   A09642						        
  TITLE:     Homeland Security: Summary of Challenges Faced in	      
Targeting Oceangoing Cargo Containers for Inspection		 
     DATE:   03/31/2004 
  SUBJECT:   Cargo security					 
	     Counterterrorism					 
	     Deep water ports					 
	     Homeland security					 
	     Inspection 					 
	     International trade regulation			 
	     Terrorism						 
	     Terrorists 					 
	     Weapons						 
	     Weapons of mass destruction			 
	     Customs Service Automated Targeting		 
	     System						 
                                                                 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-04-557T

   

     * [1]Summary
     * [2]Background

          * [3]Maritime Cargo Containers Are Important and Vulnerable
          * [4]CBP Has Layered Approach to Select and Inspect Cargo Contain
          * [5]Risk Management and Modeling Are Important Security Practice

     * [6]Positive Steps Taken, but Targeting Strategy Lacks Some Key

          * [7]CBP Has Taken Several Steps to Improve Its Targeting Strateg
          * [8]Targeting Strategy Does Not Incorporate Some Key Elements of
          * [9]Targeting Strategy Not Fully Consistent with Key Recognized

     * [10]Targeting Strategy Faces Implementation Challenges

          * [11]CBP Lacks National System to Track Cargo Container Inspectio
          * [12]Staff Testing and Certification Could Help Strengthen Target
          * [13]Space Limitations and Safety Concerns Constrain Use of Inspe

     * [14]Conclusions and Recommendations
     * [15]Contacts and Acknowledgments
     * [16]Development and Application of Risk Management Framework
     * [17]Importance, Benefits, and Limitations of Risk Management
     * [18]Risk Management Framework
     * [19]GAO's Mission
     * [20]Obtaining Copies of GAO Reports and Testimony

          * [21]Order by Mail or Phone

     * [22]To Report Fraud, Waste, and Abuse in Federal Programs
     * [23]Public Affairs

Testimony before the Subcommittee on Oversight and Investigations,
Committee on Energy and Commerce, House of Representatives

United States General Accounting Office

GAO

For Release on Delivery Expected at 10:00 a.m. EST Wednesday, March 31,
2004

HOMELAND SECURITY

Summary of Challenges Faced in Targeting Oceangoing Cargo Containers for
Inspection

Statement of Richard M. Stana, Director
Homeland Security and Justice Issues

GAO-04-557T

On January 19, 2007, we revised footnote 3 appearing on page 5 to
correctly reference GAO-03-770 instead of GAO-02-770.

Mr. Chairman and Members of the Subcommittee:

I appreciate the opportunity to be here today to provide a summary of our
recent report for you on the Department of Homeland Security's (DHS)
programs to target oceangoing cargo containers for inspection. This
testimony represents a publicly available summary of that report, which
DHS designated as Limited Official Use due to the sensitive and specific
nature of the information it contains. My prepared statement today also
includes appendixes that detail the risk management framework that we
developed and the recognized modeling practices that we identified to
evaluate DHS's program to target oceangoing cargo containers for
inspection.

In the aftermath of the terrorist attacks of September 11, 2001, there is
heightened concern that terrorists may try to smuggle weapons of mass
destruction into a U.S. port using one of the millions of cargo containers
that arrive at our nation's seaports each year. If terrorists did so and
detonated such a weapon (e.g., a nuclear, or radiological, explosive
device) at a seaport, the incident could cause widespread death and damage
to the immediate area, perhaps shut down seaports nationwide, cost the
U.S. economy billions of dollars, and seriously hamper international
trade.

DHS and its U.S. Customs and Border Protection (CBP) are responsible for
addressing the threat posed by terrorist smuggling of weapons in
oceangoing containers. To carry out this responsibility, CBP uses a
targeting strategy, which includes a computerized model called the
Automated Targeting System, to help select (or target) containers for
additional review and/or inspection. Organizations that are involved in
security matters, such as CBP, frequently employ certain risk management
practices, including computer modeling, to help them prioritize their
activities and use of resources. In essence, risk management is a
systematic process to analyze threats, vulnerabilities, and critical
assets (e.g., port facilities) to better support management decisions.

This statement presents a summary of our latest effort in a series of GAO
reports that evaluate CBP's response to the terrorist threat.^1 Based upon
our ongoing assessment of CBP's targeting strategy for this subcommittee,
I will provide a summary of our findings on (1) whether CBP's development
of its targeting strategy is consistent with recognized risk management
and computer modeling practices and (2) how well the targeting strategy
has been implemented at selected seaports around the country. Our findings
are based on extensive data collection and analysis at CBP, consultations
with experts in terrorism and risk management, visits to six seaports, and
related interviews with federal and local government and private sector
officials responsible for port security and operations. Additional
information on our scope and methodology can be found at the end of this
statement. Our work focused primarily on the targeting system rather than
the sufficiency of inspections at the ports once a container has been
targeted. We conducted our work from January 2003 to February 2004 in
accordance with generally accepted government auditing standards.

^1A listing of related GAO reports appears at the end of this statement.

Summary

While CBP has taken steps to address the terrorism risks posed by
oceangoing cargo containers, its targeting strategy neither incorporates
all key elements of a risk management framework nor is consistent with
certain recognized practices associated with modeling. To its credit, CBP
established the National Targeting Center to serve as the national focal
point for targeting imported cargo and for distributing periodic
intelligence alerts to the ports. CBP has refined its targeting system,
which was originally designed to identify narcotics contraband, to help
identify containers posing potential terrorist threats for possible
physical screening and inspection. It also instituted a national training
program for its personnel that perform targeting. Further, CBP promulgated
regulations aimed at improving the quality and timeliness of transmitted
cargo manifest data for use in the targeting system. However, while its
strategy incorporates some elements of risk management, CBP has not
performed a comprehensive set of threat, criticality, vulnerability, and
risk assessments that experts said are vital for determining levels of
risk for each container and the types of responses necessary to mitigate
that risk. Regarding recognized modeling practices, CBP has not subjected
the targeting system to external peer review or testing as recommended by
the experts we contacted. In addition, CBP has a program to augment the
targeting strategy by randomly selecting and inspecting containers in
order to compare the results of the random inspections with those
generated by the targeting system. However, our review disclosed
methodological problems with the random inspection program. By
incorporating the missing elements of a risk management framework and
following recognized modeling practices, CBP would have better information
to make management decisions related to preventing terrorists from
smuggling weapons of mass destruction into the United States.

CBP faces a number of challenges in implementing the targeting strategy at
the six ports we visited, and these challenges could limit the strategy's
effectiveness. First, we found deficiencies in CBP's national system for
reporting and analyzing inspection statistics. CPB officials told us they
have just implemented enhancements to their targeting system to better
collect national data on the results of inspections, but it is too soon to
tell whether it will provide consistent, complete inspection data for
analyzing and improving the targeting strategy. In addition, we found
deficiencies in CBP's national targeting training program. Further, we
found that space limitations and safety concerns about inspection
equipment constrain some ports in their utilization of screening
equipment, a fact that has affected the efficiency of examinations.

Our Limited Official Use report contains several recommendations to DHS on
how to better incorporate elements of a risk management framework and
recognized modeling practices. Additionally, the report contains
recommendations to improve management controls to better implement the
targeting strategy at seaports.

DHS provided us with written comments on a draft of our Limited Official
Use report. In commenting on that report, DHS stated that in general the
report was constructive and that CBP has taken corrective actions and will
take further corrective actions to address the issues that we identified.
DHS also outlined completion dates to implement these corrective actions.

Background

Maritime Cargo Containers Are Important and Vulnerable

Cargo containers are an important segment of maritime commerce.
Approximately 90 percent of the world's cargo moves by container. In 2002,
approximately 7 million containers arrived at U.S seaports, carrying more
than 95 percent of the nation's non-North American trade by weight and 75
percent by value. Many experts on terrorism--including those at the
Federal Bureau of Investigation and at academic, think tank and business
organizations--have concluded that oceangoing cargo containers are
vulnerable to some form of terrorist action. A terrorist incident at a
seaport, in addition to killing people and causing physical damage, could
have serious economic consequences. In a 2002 simulation of a terrorist
attack involving cargo containers, every seaport in the United States was
shut down, resulting in a simulated loss of $58 billion in revenue to the
U.S. economy, including spoilage, loss of sales, and manufacturing
slowdowns and halts in production.^2

CBP Has Layered Approach to Select and Inspect Cargo Containers

CBP is responsible for preventing terrorists and weapons of mass
destruction from entering the United States. As part of its
responsibility, it has the mission to address the potential threat posed
by the movement of oceangoing containers. To perform this mission, CBP has
inspectors at the ports of entry into the United States. Inspectors
assigned to seaports help determine which containers entering the country
will undergo inspections, and then perform physical inspections of such
containers. These determinations are not just based on concerns about
terrorism, but also concerns about illegal narcotics and/or other
contraband.

The CBP Commissioner said that the large volume of imports and CBP's
limited resources make it impossible to physically inspect all oceangoing
containers without disrupting the flow of commerce. The Commissioner also
said it is unrealistic to expect that all containers warrant such
inspection because each container poses a different level of risk based on
a number of factors including the exporter, the transportation providers,
and the importer. These concerns led to CBP implementing a layered
approach that attempts to focus resources on potentially risky cargo
containers while allowing other cargo containers to proceed without
disrupting commerce.

As part of its layered approach, CBP employs its Automated Targeting
System (ATS) computer model to review documentation on all arriving
containers and help select or target containers for additional scrutiny.
The ATS was originally designed to help identify illegal narcotics in
cargo containers, but was modified to help identify all types of illegal
contraband used by smugglers or terrorists. In addition, CBP has a
program, called the Supply Chain Stratified Examination, which supplements
ATS by randomly selecting additional containers to be physically examined.
The results of the random inspection program are to be compared with the
results of ATS inspections to improve targeting. If CBP officials decide
to inspect a particular container, they might first conduct a nonintrusive
inspection with equipment such as the Vehicle and Cargo Inspection System
(VACIS), which takes a gamma-ray image of the container so inspectors can
detect any visual anomalies. With or without VACIS, inspectors can open a
container and physically examine its contents.

^2The consulting firm Booz Allen Hamilton and the Conference Board
sponsored the simulation in 2002. In the simulation, representatives from
government and industry participated in a scenario involving the discovery
and subsequent detonation of radioactive bombs hidden in cargo containers.

Other components of the layered approach include the Container Security
Initiative (CSI) and the Customs-Trade Partnership Against Terrorism
(C-TPAT). CSI is an initiative whereby CBP places staff at designated
foreign seaports to work with foreign counterparts to identify and inspect
high-risk containers for weapons of mass destruction before they are
shipped to the United States. C-TPAT is a cooperative program between CBP
and members of the international trade community in which private
companies agree to improve the security of their supply chains in return
for a reduced likelihood that their containers will be inspected.^3 A
supply chain consists of all stages involved in fulfilling a customer
request, including stages conducted by manufacturers, suppliers,
transporters, retailers, and customers.

Risk Management and Modeling Are Important Security Practices

Risk management is a systematic process to analyze the threats,
vulnerabilities, and criticality (or relative importance) of assets in a
program to better support key decisions linking resources and program
results. Risk management is used by many organizations in both government
and the private sector. In recent years, we have consistently advocated
the use of a risk management approach to help implement and assess
responses to various national security and terrorism issues.^4 We have
concluded that without a risk management approach that provides insights
about the present threat and vulnerabilities as well as the organizational
and technical requirements necessary to achieve a program's goals, there
is little assurance that programs to combat terrorism are prioritized and
properly focused. Risk management helps to more effectively and
efficiently prepare defenses against acts of terrorism and other threats.
Key elements of a risk management approach are listed below.

^3For more information on these programs, see U.S. General Accounting
Office, Container Security: Expansion of Key Customs Programs Will Require
Greater Attention to Critical Success Factors, [24]GAO-03-770 (Washington,
D.C.: July 2003).

^4For example, see U.S. General Accounting Office, Homeland Security: A
Risk Management Approach Can Guide Preparedness Efforts, [25]GAO-02-208T
(Washington, D.C.: July 2003).

           o Threat assessment: A threat assessment identifies adverse events
           that can affect an entity, and may be present at the global,
           national, or local level.

           o Criticality assessment: A criticality assessment identifies and
           evaluates an entity's assets or operations based on a variety of
           factors, including importance of an asset or function.

           o Vulnerability assessment: A vulnerability assessment identifies
           weaknesses in physical structures, personnel protection systems,
           processes, or other areas that may be exploited by terrorists.

           o Risk assessment: A risk assessment qualitatively and/or
           quantitatively determines the likelihood of an adverse event
           occurring and the severity, or impact, of its consequences.

           o Risk characterization: Risk characterization involves
           designating risk on a scale, for example, low, medium, or high.
           Risk characterization forms the basis for deciding which actions
           are best suited to mitigate risk.

           o Mitigation evaluation: Mitigation evaluation is the
           identification of mitigating alternatives to assess the
           effectiveness of the alternatives. The alternatives should be
           evaluated for their likely effect on the risk and their cost.

           o Mitigation selection: Mitigation selection involves a management
           decision on which mitigation alternatives should be implemented.
           Selection among alternatives should be based on preconsidered
           criteria.

           o Systems approach: An integrated systems approach to risk
           management encompasses taking action in all organizational areas,
           including personnel, processes, technology, infrastructure, and
           governance.

           o Monitoring and evaluation: Monitoring and evaluation is a
           continuous repetitive assessment process to keep risk management
           current and relevant. It includes external peer review, testing,
           and validation.

Modeling can be an important part of a risk management approach. To assess
modeling practices related to ATS, we interviewed terrorism experts and
representatives of the international trade community who were familiar
with modeling related to terrorism and/or ATS and reviewed relevant
literature. There are at least four recognized modeling practices that are
applicable to ATS as a decision support tool.

           o Conducting external peer review: External peer review is a
           process that includes an assessment of the model by independent
           and qualified external peers. While external peer reviews cannot
           ensure the success of a model, they can increase the probability
           of success by improving the technical quality of projects and the
           credibility of the decision-making process.

           o Incorporating additional types of information: To identify
           documentary inconsistencies, targeting models need to incorporate
           various types of information to perform complex "linkage"
           analyses. Using only one type of information will not be
           sufficient to yield reliable targeting results.

           o Testing and validating through simulated terrorist events: A
           model needs to be tested by staging simulated events to validate
           it as a targeting tool. Simulated events could include "red teams"
           that devise and deploy tactics in an attempt to define a system's
           weaknesses, and "blue teams" that devise ways to mitigate the
           resulting vulnerabilities identified by the red team.

           o Using random inspections to supplement targeting: A random
           selection process can help identify and mitigate residual risk
           (i.e., the risk remaining after the model-generated inspections
           have been done), but also help evaluate the performance of the
           model relative to other approaches.

Positive Steps Taken, but Targeting Strategy Lacks Some Key Components of Risk
Management and Modeling

CBP Has Taken Several Steps to Improve Its Targeting Strategy

CBP has recognized the potential vulnerability of oceangoing cargo
containers and has reviewed and updated some aspects of its layered
targeting strategy. According to CBP officials, several of the steps that
CBP has taken to improve its targeting strategy have resulted in more
focused targeting of cargo containers that may hold weapons of mass
destruction. CBP officials told us that, given the urgency to take steps
to protect against terrorism after the September 11, 2001, terrorist
attacks, they had to take an "implement and amend" approach. That is, they
had to immediately implement targeting activities with the knowledge they
would have to amend them later. Steps taken by CBP include the following:

           o In November 2001, the U.S. Customs Service established the
           National Targeting Center to support its targeting initiatives.^5
           Among other things, the National Targeting Center interacts with
           the intelligence community and manages a national targeting
           training program for CBP targeters.

           o In August 2002, CBP modified the ATS as an antiterrorism tool by
           developing terrorism-related targeting rules and implementing them
           nationally. CBP is now in the process of enhancing the ATS
           terrorism-related rules.

           o In 2002, CBP also developed a 2-week national training course to
           train staff in targeting techniques. The course is intended to
           help ensure that seaport targeters have the necessary knowledge
           and ability to conduct effective targeting. The course is
           voluntary and is conducted periodically during the year at the Los
           Angeles, Long Beach, and Miami ports, and in the future it will
           also be conducted at the National Targeting Center.

           o In February 2003, CBP began enforcing new regulations about
           cargo manifests--called the "24 hour rule"--which requires the
           submission of complete and accurate manifest information 24 hours
           before a container is loaded on a ship at a foreign port.^6
           Penalties for non-compliance can include a CBP order not to load a
           container on a ship at the port of origin or monetary fines. The
           rule is intended to improve the quality and the timeliness of
           manifest information submitted to CBP, which is important because
           CBP relies extensively on manifest information for targeting.
           According to CBP officials we contacted, although no formal
           evaluations have been done, the 24-hour rule is beginning to
           improve both the quality and timeliness of manifest information.
           CBP officials acknowledged, however, that although improved,
           manifest information still is not always accurate or reliable data
           for targeting purposes.

^5The commercial operations and inspection programs at the U.S. Customs
Service (in the Department of the Treasury) were incorporated into CBP (in
the new Department of Homeland Security) effective March 1, 2003.

^6This rule is also known as the Advance Manifest Regulation, 67 Fed. Reg.
66318 (2002). The final regulation was issued October 31, 2002, with
implementation beginning February 1, 2003.

Targeting Strategy Does Not Incorporate Some Key Elements of Risk Management

While CBP's targeting strategy incorporates some elements of risk
management, our discussions with terrorism experts and our comparison of
CBP's targeting system with recognized risk management practices showed
that the strategy does not fully incorporate all key elements of a risk
management framework. Elements not fully incorporated are discussed below.

           o CBP has not performed a comprehensive set of assessments for
           cargo containers. CBP has attempted to assess the threat of cargo
           containers through contact with governmental and nongovernmental
           sources. However, it has not assessed the vulnerability of cargo
           containers to tampering or exploitation throughout the supply
           chain, nor has it assessed which port assets are the most critical
           to carrying out its mission--and therefore in the most need of
           protection. These assessments, in addition to threat assessments,
           are needed to understand and identify actions to mitigate risk.

           o CBP has not conducted a risk characterization for different
           forms of cargo or the different modes of transportation used to
           import cargo. Further, CBP has not performed a risk
           characterization to assess the overall risk of cargo containers.
           These characterizations would enable CBP to better assess and
           prioritize the risks posed by oceangoing cargo containers and
           incorporate mitigation activities in an overall strategy.

           o CBP actions at the ports to mitigate risk are not part of an
           integrated systems approach. Risk mitigation encompasses taking
           action in all organizational areas, including personnel,
           processes, technology, infrastructure, and governance. An
           integrated approach would help ensure that taking action in one or
           more areas would not create unintended consequences in another.
           For example, taking action in the areas of personnel and
           technology--adding inspectors and scanning equipment at a
           port--without at the same time ensuring that the port's
           infrastructure is appropriately reconfigured to accept these
           additions and their potential impact (e.g., more physical
           examinations of containers), could add to already crowded
           conditions at that port and ultimately defeat the purpose of the
           original actions.

We recognize that CBP implemented the ATS terrorist targeting rules in
August 2002 because of the pressing need to utilize a targeting strategy
to protect cargo containers against terrorism, and that CBP intends to
amend the strategy as necessary. In doing so, implementing a comprehensive
risk management framework would help CBP ensure that information is
available to management to make choices about the best use of limited
resources. This type of information would help CBP obtain optimal results
and would identify potential enhancements that are well conceived,
cost-effective, and work in tandem with other system components. Thus, it
is important for CBP to amend its targeting strategy within a risk
management framework that takes into account all of the system's
components and their vital linkages.

Targeting Strategy Not Fully Consistent with Key Recognized Modeling Practices

Interviews with terrorism experts and representatives from the
international trade community who are familiar with CBP's targeting
strategy and/or terrorism modeling told us that ATS is not fully
consistent with recognized modeling practices. Challenges exist in each of
the four recognized modeling practice areas that these individuals
identified: external peer review, incorporating different types of
information, testing and validating through simulated events, and using
random inspections to supplement targeting.

           o With respect to external review, CBP had limited external
           consultations when developing the ATS rules related to terrorism.

           o With respect to the sources and types of information, ATS relies
           on the manifest as one of its sources of data, and CBP does not
           mandate the transmission of entry data before a container's risk
           level is assigned. Terrorism experts, members of the international
           trade community, and CBP inspectors at the ports we visited
           characterized the ship's manifest as one of the least reliable or
           useful types of information for targeting purposes. In this
           regard, one expert cautioned that even if ATS were an otherwise
           competent targeting model, there is no compensating for poor input
           data. Accordingly, if the input data are poor, the outputs (i.e.,
           the risk assessed targets) are not likely to be of high quality.
           Another problem with manifests is that shippers can revise them up
           to 60 days after the arrival of the cargo container. These
           problems with manifest data increase the potential value of
           additional types of information.

           o With respect to testing and validation, the only two known
           instances of simulated tests of the targeting system were
           conducted without CBP's approval or knowledge by the American
           Broadcast Company (ABC) News in 2002 and 2003. In an attempt to
           simulate a terrorist smuggling highly enriched uranium into the
           United States, ABC News sealed depleted uranium into a lead-lined
           pipe that was placed in a suitcase and later put into a cargo
           container. In both instances, CBP targeted the container that ABC
           News used to import the uranium, but it did not detect a visual
           anomaly from the lead-lined pipe using VACIS and therefore did not
           open the container.

           o With respect to instituting random inspections, CBP has a
           program to randomly select and examine containers regardless of
           their risk, titled the Supply Chain Stratified Examination.
           However, our review disclosed methodological problems with this
           program.

Targeting Strategy Faces Implementation Challenges

CBP Lacks National System to Track Cargo Container Inspections by Risk Category

We found a number of deficiencies in CBP's national system for reporting
and analyzing inspection statistics. While officials at all the ports we
visited provided us with inspection data, we observed problems with the
available data. In addition, we had to contact ports several times to
obtain these data, indicating that basic data on inspections were not
readily available.

Separately, CBP officials said that they are trying to capture the results
of cargo inspections through an enhancement to ATS. These enhancements
were not implemented to an extent that we could evaluate their potential
effectiveness.

Staff Testing and Certification Could Help Strengthen Targeting Process

CBP does not have an adequate mechanism to test or certify the competence
of targeters in their national targeting training program. The targeters
taking the training must have a thorough understanding of course contents
and their application at the ports. Because the targeters who complete the
training are not tested or certified on course materials, CPB has little
assurance that the targeters could perform their duties effectively or
that they could train others to perform effectively.

Space Limitations and Safety Concerns Constrain Use of Inspection Equipment

One of the key components of the CBP targeting and inspection process is
the use of nonintrusive inspection equipment. CBP uses nonintrusive
inspection equipment, including VACIS gamma-ray imaging technology, to
screen selected cargo containers and to help inspectors decide which
containers to further examine. A number of factors constrain the use of
inspection equipment, including crowded port terminals, mechanical
breakdowns, inclement weather conditions, and the safety concerns of
longshoremen at some ports. Some of these constraints, such as space
limitations and inclement weather conditions, are difficult if not
impossible to avoid.

According to CBP and union officials we contacted, concern about the
safety of VACIS is a constraint to using inspection equipment. Union
officials representing longshoremen at some ports expressed concerns about
the safety of driving cargo containers through VACIS because it emits
gamma rays when taking an image of the inside of the cargo container.
Towing cargo containers through a stationary VACIS unit reportedly takes
less time and physical space than moving the VACIS equipment over
stationary cargo containers that have been staged for inspection purposes.
As a result of these continuing safety concerns, some longshoremen are
unwilling to drive containers through VACIS. CBP's response to these
longshoremen's concerns has been to stage containers away from the dock,
arraying containers in rows at port terminals so that the VACIS can be
driven over a group of containers for scanning purposes. However, as
seaports and port terminals are often crowded, and there is often limited
space to expand operations, it can be space-intensive and time-consuming
to stage containers. Not all longshoremen's unions have safety concerns
regarding VACIS inspections. For example, at the Port of New York/New
Jersey, longshoremen's concerns over the safety of operating VACIS were
addressed after the union contacted a consultant and received assurances
about the safety of the equipment. Similar efforts by CBP to convince
longshoremen's unions about the safety of VACIS have not been successful
at some of the other ports we visited.

Conclusions and Recommendations

One legacy of the September 11, 2001 terrorist attacks is uncertainty. It
is unclear if, where, when, and how other attacks might occur and what
steps should be taken to best protect national security. In the context of
possible smuggling of weapons of mass destruction in cargo containers at
our nation's seaports, it is vital that CBP use its resources to maximize
the effectiveness of its targeting strategy to reduce this uncertainty.
Without incorporating all elements of a risk management framework and
utilizing recognized modeling practices, CBP cannot be sure that its
targeting strategy is properly focused and prioritized. In addition, risk
management and the use of recognized modeling practices will not ensure
security if there are lapses in implementing these practices at the ports.
Finally, without instituting a national inspection reporting system,
testing and certifying CBP officials that receive the targeting training,
and resolving the safety concerns of longshoremen unions, the targeting
system's effectiveness as a risk management tool may be limited.

Our Limited Official Use report contains several recommendations to DHS on
how to better incorporate key elements of a risk management framework and
recognized modeling practices. Additionally, the report contains
recommendations to improve management controls to better implement the
targeting strategy at seaports.

This concludes my statement. I would now be pleased to answer any
questions for the subcommittee.

Contacts and Acknowledgments

For further information about this testimony, please contact me at (202)
512-8816. Seto Bagdoyan, Stephen L. Caldwell, Kathleen Ebert, Jim Russell,
and Brian Sklar also made key contributions to this statement. Additional
assistance was provided by David Alexander, Katherine Davis, Scott
Farrrow, Ann Finley, and Keith Rhodes.

Appendix I: Scope And Methodology

To assess whether CBP's development of its targeting strategy is
consistent with recognized risk management and modeling practices, we
compiled a risk management framework and a list of recognized modeling
practices, drawn from an extensive review of relevant public and private
sector work, prior GAO work on risk management, and our interviews with
terrorism experts. We selected these individuals based on their
involvement with issues related to terrorism, specifically concerning
containerized cargo, ATS, and modeling. Several of the individuals that we
interviewed were referred from within the expert community, while others
were chosen from public texts on the record. We did not assess ATS's
hardware or software, the quality of the threat assessments that CBP has
received from the intelligence community, or the appropriateness or risk
weighting of its targeting rules.

To assess how well the targeting strategy has been implemented at selected
seaports in the country, we visited various CBP facilities and the Miami,
Los Angeles-Long Beach, Philadelphia, New York-New Jersey, New Orleans,
and Seattle seaports. These seaports were selected based on the number of
cargo containers processed and their geographic dispersion. At these
locations, we observed targeting and inspection operations; met with CBP
management and inspectors to discuss issues related to targeting and the
subsequent physical inspection of containers; and reviewed relevant
documents, including training and operational manuals, and statistical
reports of targeted and inspected containers. We used these statistical
reports to determine the type of data available; we did not assess the
reliability of the data or use it to make any projections. At the
seaports, we also met with representatives of shipping lines, operators of
private cargo terminals, the local port authorities, and Coast Guard
personnel responsible for the ports' physical security. We also met with
terrorism experts and representatives from the international trade
community to obtain a better understanding of the potential threat posed
by cargo containers and possible approaches to countering the threat, such
as risk management.

We conducted our work from January 2003 to February 2004 in accordance
with generally accepted government auditing standards.

Appendix II: Risk Management Framework for Homeland Security and Terrorism

Development and Application of Risk Management Framework

This appendix details the risk management framework that GAO developed in
order to assess CBP's overall targeting strategy. In recent years, GAO has
consistently advocated the use of a risk management approach as an
iterative analytical tool to help implement and assess responses to
various national security and terrorism issues.^1 We have concluded that
without a risk management approach, there is little assurance that
programs to combat terrorism are prioritized and properly focused. Risk
management principles acknowledge that while risk cannot be eliminated,
enhancing protection from known or potential threats can help reduce it.
Drawing on this precedent, we compiled a risk management
framework--outlined below--to help assess the U.S. government's response
to homeland security and terrorism risk. One way in which the Department
of Homeland Security's U.S. Customs and Border Protection has already
begun to manage risk is by developing and implementing the Automated
Targeting System to target high-risk oceangoing containerized cargo for
inspection.

Applied to homeland security and terrorism risk, the framework assumes
that the principal classes of risk from terrorism are to (1) the general
public; (2) organizational, governmental, and societal infrastructure; (3)
cyber and physical infrastructure; and (4) economic sectors/structures.
Terrorism risk is framed by and is a function of (1) a strategic intent of
inflicting extreme damage and disruption; (2) operational, logistical, and
technological capabilities including the ability to obtain and deploy
various classes of weapons against targets of least resistance (targets
are chosen and prioritized according to their attractiveness or utility,
based, in turn, on the potential for economic or human loss, their
symbolic value, and name recognition); and (3) rational responses to moves
designed to counteract them. This last aspect includes the identification
and exploitation of loopholes in the response. A principal example of
potential homeland security or terrorism risk is the global supply chain,
a complex system of multiple interacting components with interdependent
risk, and with the potential for this risk to be transferred from any weak
links in the chain. The risk posed to the supply chain at the operational,
or tactical, level is manifested, for example, in the movement of
oceangoing containerized cargo.

^1U.S. General Accounting Office, Homeland Security: A Risk Management
Approach Can Guide Preparedness Efforts, [26]GAO-02-208T (Washington,
D.C.: October, 31, 2001) and U.S. General Accounting Office, Key Elements
of a Risk Management Approach, [27]GAO-02-150T (Washington, D.C.: October
12, 2001).

Importance, Benefits, and Limitations of Risk Management

In terms of the importance of risk management, an entity exists to provide
value for its stakeholders in an environment of uncertainty, which is a
function of the ability to determine the likelihood of events occurring
and quantify the resulting outcomes. As applied to homeland security,
"value" is realized as protection (security) provided by the U.S.
government against terrorism risk at an acceptable cost (function of time
and money) for the recipients of the valued service (for example, the
general public and the business community). This value might, on occasion,
be at risk (worst-case loss scenario) that needs to be managed, thus risk
management can be viewed as an integral part of managing homeland
security.

In terms of its benefits, risk management enables entities to operate more
effectively in environments filled with risks by providing the discipline
and structure to address them; risk management is not an end in itself but
an important means of an entity's management process. As such, it is
interrelated with, among other things, an entity's governance, performance
management, and internal control. Further, risk management provides the
rigor necessary to identify and select among alternative risk responses
whose cumulative effect is intended to reduce risk, and the methodologies
and techniques for making selection decisions. Also, risk management
enables entities to have an enhanced capability to identify potential
events, assess risks, and establish integrated responses to reduce
"surprises," and related costs and losses.

In terms of its limitations, ultimately, risk management cannot eliminate
risk and the environment of uncertainty that helps sustain it, but risk
management can help reduce risk, with a goal of providing reasonable
assurance that an entity's objectives will be achieved. Risk management
combines elements of science and judgment (human dimension to conflict),
and ultimately relies on a set of estimates about risk that lies in the
future, which is inherently uncertain. Accordingly, the results of risk
management might be called into question because of, among other things,
the potential for human errors in judgment and the potentially poor
quality of information driving the risk management process.

Risk Management Framework

The framework is a composite of risk management best practices gleaned
from our interviews with terrorism and risk-modeling experts and our
extensive review of relevant reports on risk management, such as those by
GAO, the Congressional Research Service, Booz Allen Hamilton (on contract
to the U.S. intelligence community), and the Committee of the Sponsoring
Organizations of the Treadway Commission (in conjunction with
PricewaterhouseCoopers).^2

For purposes of the risk management framework, we used the following
definitions:

           o Risk--an event that has a potentially negative impact, and the
           possibility that such an event will occur and adversely affect an
           entity's assets and activities and operations, as well as the
           achievement of its mission and strategic objectives. As applied to
           the homeland security context, risk is most prominently manifested
           as "catastrophic" or "extreme" events related to terrorism, i.e.,
           those involving more that $1 billion in damage or loss and/or more
           than 500 casualties.

           o Risk management--a continuous process of managing, through a
           series of mitigating actions that permeate an entity's activities,
           the likelihood of an adverse event happening and having a negative
           impact. In general, risk is managed as a portfolio, addressing
           entity-wide risk within the entire scope of activities. Risk
           management addresses "inherent," or pre-action, risk (i.e., risk
           that would exist absent any mitigating action) as well as
           "residual," or post-action, risk (i.e., the risk that remains even
           after mitigating actions have been taken).

           The risk management framework--which is based on the proposition
           that a threat to a vulnerable asset results in risk--consists of
           the following components:

           o Internal (or implementing) environment--the internal environment
           is the institutional "driver" of risk management, serving as the
           foundation of all elements of the risk management process. The
           internal environment includes an entity's organizational and
           management structure and processes that provide the framework to
           plan, execute, and control and monitor an entity's activities,
           including risk management. Within the organizational and
           management structure, an operational unit that is independent of
           all other operational (business) units is responsible for
           implementing the entity's risk management function. This unit is
           supported by and directly accountable to an entity's senior
           management. For its part, senior management (1) defines the
           entity's risk tolerance (i.e., how much risk is an entity willing
           to assume in order to accomplish its mission and related
           objectives) and (2) establishes the entity's risk management
           philosophy and culture (i.e., how an entity's values and attitudes
           view risk and how its activities and practices are managed to deal
           with risk). The operational unit (1) designs and implements the
           entity's risk management process and (2) coordinates internal and
           external evaluation of the process and helps implement any
           corrective action.

           o Threat (event) assessment--threat is defined as a potential
           intent to cause harm or damage to an asset (e.g., natural
           environment, people, man-made infrastructures, and activities and
           operations). Threat assessments consist of the identification of
           adverse events that can affect an entity. Threats might be present
           at the global, national, or local level, and their sources include
           terrorists and criminal enterprises. Threat information emanates
           from "open" sources and intelligence (both strategic and
           tactical). Intelligence information is characterized as "reported"
           (or raw) and "finished" (fully fused and analyzed).

           As applied to homeland security and terrorism risk, and from the
           perspective of the source of the threat (for example, a
           terrorist), beginning with intent (the basis of the threat),
           adverse event scenarios consist of six stages, as shown in table
           1.
			  
^2The framework is adapted from primary sources, including reports by GAO;
the Congressional Research Service; Department of Energy's Office of
Science and Technology; National Academies/National Research Council;
Committee of the Sponsoring Organizations of the Treadway
Commission/PricewaterhouseCoopers; Risk Management Solutions, and
RiskMetrics (private risk management consulting firms advising insurance,
reinsurance, and financial services companies on terrorism and other
catastrophic events); Booz Allen Hamilton, on contract to the U.S.
government intelligence community; academic and think-tanks (e.g.,
Brookings Institution, Council on Foreign Relations) papers on responses
to terrorism, including risk management; and interviews with terrorism and
risk modeling experts.

           Table 1: Adverse Event Scenario Stages

Stage              Description                                             
Intent             The terrorist develops malice and an intent to harm     
Target acquisition The terrorist chooses specific target(s) among assets   
Planning           The terrorist researches the targets and various attack 
                      options                                                 
Preparation        Full commitment stage--the terrorist prepares to launch 
                      the attack                                              
Execution          The terrorist carries out the attack                    
"Grace period"     Depending on the nature and success of the attack,      
                      there could be a time lag between the attack and its    
                      impact                                                  

           Source: GAO Analysis

           o Criticality assessment--criticality is defined as an asset's
           relative importance. Criticality assessments identify and evaluate
           an entity's assets based on a variety of factors, including the
           importance of its mission or function, the extent to which people
           are at risk, or the significance of a structure or system in terms
           of, for example, national security, economic activity, or public
           safety. Criticality assessments are important because they
           provide, in combination with the framework's other assessments,
           the basis for prioritizing which assets require greater or special
           protection relative to finite resources.

           o Vulnerability assessment--vulnerability is defined as the
           inherent state (either physical, technical, or operational) of an
           asset that can be exploited by an adversary to cause harm or
           damage. Vulnerability assessments identify these inherent states
           and the extent of their susceptibility to exploitation, relative
           to the existence of any countermeasures. As applied to the global
           supply chain, a vulnerability assessment might involve, first,
           establishing a comprehensive understanding of the business and
           commercial aspects of the chain (as a complex system with multiple
           interacting participants); and, second, "mapping" the chain and
           identifying vulnerability points that could be exploited.

           o Risk assessment--risk assessment is a qualitative and/or
           quantitative determination of the likelihood (probability) of
           occurrence of an adverse event and the severity, or impact, of its
           consequences. Risk assessments include scenarios under which two
           or more risks interact creating greater or lesser impacts.

           o Risk characterization--risk characterization involves
           designating risk as, for example, low, medium, or high (other
           scales, such as numeric, are also be used). Risk characterization
           is a function of the probability of an adverse event occurring and
           the severity of its consequences. Risk characterization is the
           crucial link between assessments of risk and the implementation of
           mitigation actions, given that not all risks can be addressed
           because resources are inherently scarce; accordingly, risk
           characterization forms the basis for deciding which actions are
           best suited to mitigate the assessed risk.

           o Mitigation evaluation. Mitigation evaluation is the
           identification of mitigation alternatives to assess the
           effectiveness of the alternatives. The alternatives should be
           evaluated for their likely effect on risk and their cost.

           o Mitigation selection. Mitigation selection involves a management
           decision on which mitigation alternatives should be implemented
           among alternatives, taking into account risk, costs, and the
           effectiveness of mitigation alternatives. Selection among
           mitigation alternatives should be based upon preconsidered
           criteria. There are as of yet no clearly preferred selection
           criteria, although potential factors might include risk reduction,
           net benefits, equality of treatment, or other stated values.
           Mitigation selection does not necessarily involve prioritizing all
           resources to the highest-risk area, but in attempting to balance
           overall risk and available resources.

           o Risk mitigation--Risk mitigation is the implementation of
           mitigation actions, in priority order and commensurate with
           assessed risk; depending on its risk tolerance, an entity may
           choose not to take any action to mitigate risk (this is
           characterized as risk acceptance). If the entity does choose to
           take action, such action falls into three categories: (1) risk
           avoidance (exiting activities that expose the entity to risk), (2)
           risk reduction (implementing actions that reduce likelihood or
           impact of risk), and (3) risk sharing (implementing actions that
           reduce likelihood or impact by transferring or sharing risk). In
           each category, the entity implements actions as part of an
           integrated "systems" approach, with built-in redundancy to help
           address residual risk (the risk that remains after actions have
           been implemented). The systems approach consists of taking actions
           in personnel (e.g., training, deployment), processes (e.g.,
           operational procedures), technology (e.g., software or hardware),
           infrastructure (e.g., institutional or operational--such as port
           configurations), and governance (e.g., management and internal
           control and assurance). In selecting actions, the entity assesses
           their costs and benefits, where the amount of risk reduction is
           weighed against the cost involved and identifies potential
           financing options for the actions chosen.

           o Monitoring and evaluation of risk mitigation--Monitoring and
           evaluation of risk mitigation entails the assessment of the
           functioning of actions against strategic objectives and
           performance measures to make necessary changes. Monitoring and
           evaluation includes, where and when appropriate, peer review and
           testing and validation; and an evaluation of the impact of the
           actions on future options; and identification of unintended
           consequences that, in turn, would need to be mitigated. Monitoring
           and evaluation helps ensure that the entire risk management
           process remains current and relevant, and reflects changes in (1)
           the effectiveness of the actions and (2) the risk environment in
           which the entity operates--risk is dynamic and threats are
           adaptive. The risk management process should be repeated
           periodically, restarting the "loop" of assessment, mitigation, and
           monitoring and evaluation.
			  
			  Appendix III: Recognized Modeling Practices Applicable to the
			  Review of ATS

           This appendix details the recognized modeling practices that GAO
           used to assess CBP's computerized targeting model, known as the
           ATS. CBP characterized ATS as a knowledge, or rule-based, expert
           system or model that serves as a "decision support tool" in
           implementing its targeting strategy.^1 Accordingly, for purposes
           of this report, we identified four practices that are applicable
           to our review of ATS as such a tool. We identified these practices
           through our interviews with terrorism experts and representatives
           of the international trade community--who were familiar with
           modeling related to terrorism or to ATS--and GAO's chief
           scientist; and our review of relevant literature, such as reports
           by the U.S. Department of Energy's Office of Science and
           Technology and the National Research Council (part of the National
           Academies)^2 and GAO.^3 The four practices are

           o Initiating an external peer review of ATS. Many agencies conduct
           various types of internal reviews of projects and programs.
           However, these reviews are usually conducted by managers or
           supervisors and thus are not independent. Peer review is a process
           that includes an independent, documented, critical assessment of
           the technical, scientific merit of research or programs by
           external peers who are highly qualified scientists with knowledge
           and expertise equal to that of those whose work they review. In
           this regard, peers must be capable of making independent judgments
           about the merit and relevance of what they are reviewing and have
           no conflicts of interest. If the results are to be used in
           programmatic decision making, peer reviews can improve the
           technical quality of projects by recognizing technical weaknesses
           and suggesting improvements that might be overlooked by those too
           close to the project; peer review can also enhance the credibility
           of the decision-making process by offering frank assessments not
           constrained by organizational concerns and by avoiding the reality
           and the perception of conflicts of interest. Peer review cannot
           ensure the success of a program, but it can increase the
           probability of success.

           o Instituting a process of random inspections to supplement
           targeting. The experts we spoke with told us that the absence of a
           process to randomly select containerized cargo for screening or
           physical examination to supplement ATS was a shortcoming of CBP's
           targeting strategy. Randomness pertains to a process whose outcome
           or value depends on chance or on a process that simulates chance,
           with the implication that all possible outcomes or values have a
           known, non-zero probability of occurrence--for example, the
           outcome of flipping a coin or executing a computer-programmed
           random number generator. A random selection process would not only
           help mitigate residual risk (i.e., the risk remaining after the
           original risk mitigation actions have been implemented), but also
           help evaluate the performance of targeting relative to other
           approaches.

           o Enhancing the sources and types of information input into ATS.
           Terrorism experts and representatives of the international trade
           community told us that ATS needed to incorporate additional types
           of information in order to be able to perform complex "linkage"
           analyses in an attempt to identify documentary inconsistencies
           that must be detected to target suspicious containers. They also
           told us that the ship's manifest (or transportation document that
           lists a summary of the cargo on board) does not contain enough
           information in sufficient detail to be useful, by itself, in
           targeting suspicious containers. These individuals further told us
           that the movement of containers through the global supply chain
           generated an additional amount of commercial documentation that
           could be used for this purpose.^4 Examples of commercial
           documentation that could be used include purchase orders,
           commercial invoices, shippers' letters of instruction, and
           certificates of origin.

           o Testing and validating ATS by staging simulated terrorist
           events. The experts we spoke with emphasized the need to test ATS
           by staging simulated terrorist events in order to validate it as a
           targeting tool.^5 Simulated events could include "red teams"
           attempting to smuggle a fake WMD into the United States hidden in
           an oceangoing cargo container. Red teaming is an approach to
           "model" a system's adversary and define its weaknesses by devising
           attack tactics. A blue team may also be used to devise ways to
           mitigate vulnerabilities in an attempt to defend against the red
           team. Simulated events would determine whether ATS targeted the
           suspicious container for screening and/or physical examination,
           and whether the subsequent screening or examination actually
           detected the fake WMD.
			  
^1An expert system is a knowledge collection combined with an inference
engine capable of interpreting queries and chaining together separate
items of knowledge to develop new inferences; a model is the physical,
mathematical, or otherwise logical representation of a system, entity,
phenomenon, or process. The knowledge is typically represented as a system
of rules or algorithms. An algorithm is a prescribed set of well-defined
unambiguous rules or processes for the solution of a problem in a finite
number of steps.

^2The National Academies brings together committees of experts in all
areas of scientific and technological endeavor. Four organizations
constitute the academies: the National Academy of Sciences, the National
Academy of Engineering, the Institute of Medicine, and the National
Research Council. The National Research Council was organized by the
Academy to associate the broad community of science and technology with
the academy's purpose of furthering knowledge and advising the federal
government.

^3U.S. Department of Energy's Office of Science and Technology, Peer
Review in Environmental Technology Development Programs, (Washington,
D.C., 1998); U.S. General Accounting Office, Federal Research: Peer Review
Practices at Federal Science Agencies Vary, [42]GAO/RCED-99-99
(Washington, D.C.: March 1999).

^4International trade is a tremendously complex business. A typical trade
will involve multiple parties--for example, importers, exporters, ocean
carriers, financiers, and governments--and may generate 30 to 40
documents.

^5Validation is the process of determining the degree to which a model or
simulation is an accurate representation of the real world from the
perspective of the intended uses of the model or simulation.
			  
			  Related GAO Products

           Maritime Security: Progress Made in Implementing Maritime
           Transportation Security Act, but Concerns Remain. [28]GAO-03-1155T
           . Washington, D.C.: September 9, 2003.

           Container Security: Expansion of Key Customs Programs Will Require
           Greater Attention to Critical Success Factors. [29]GAO-03-770 .
           Washington, D.C.: July 25, 2003.

           Homeland Security: Challenges Facing the Department of Homeland
           Security in Balancing its Border Security and Trade Facilitation
           Missions. [30]GAO-03-902T . Washington, D.C.: June 16, 2003.

           Container Security: Current Efforts to Detect Nuclear Material,
           New Initiatives, and Challenges ( [31]GAO-03-297T . Washington,
           D.C.: November 18, 2002.

           Customs Service: Acquisition and Deployment of Radiation Detection
           Equipment. [32]GAO-03-235T . Washington, D.C.: October 17, 2002.

           Port Security: Nation Faces Formidable Challenges in Making New
           Initiatives Successful. [33]GAO-02-993T . Washington, D.C.: August
           5, 2002.

           Homeland Security: A Risk Management Approach Can Guide
           Preparedness Efforts. [34]GAO-02-208T . Washington, D.C.: October
           31, 2001.

           Homeland Security: Key Elements of a Risk Management Approach.
           [35]GAO-02-150T . Washington, D.C.: October. 12, 2001.

           Federal Research: Peer Review Practices at Federal Science
           Agencies Vary. [36]GAO/RCED-99-99 . Washington, D.C.: March 17,
           1999.
			  
			  GAOï¿½s Mission

           The General Accounting Office, the audit, evaluation and
           investigative arm of Congress, exists to support Congress in
           meeting its constitutional responsibilities and to help improve
           the performance and accountability of the federal government for
           the American people. GAO examines the use of public funds;
           evaluates federal programs and policies; and provides analyses,
           recommendations, and other assistance to help Congress make
           informed oversight, policy, and funding decisions. GAO's
           commitment to good government is reflected in its core values of
           accountability, integrity, and reliability.
			  
			  Obtaining Copies of GAO Reports and Testimony

           The fastest and easiest way to obtain copies of GAO documents at
           no cost is through the Internet. GAO's Web site ( www.gao.gov
           ) contains abstracts and full-text files of current reports and
           testimony and an expanding archive of older products. The Web site
           features a search engine to help you locate documents using key
           words and phrases. You can print these documents in their
           entirety, including charts and other graphics.

           Each day, GAO issues a list of newly released reports, testimony,
           and correspondence. GAO posts this list, known as "Today's
           Reports," on its Web site daily. The list contains links to the
           full-text document files. To have GAO e-mail this list to you
           every afternoon, go to www.gao.gov and select "Subscribe to
           e-mail alerts" under the "Order GAO Products" heading.
			  
			  Order by Mail or Phone

           The first copy of each printed report is free. Additional copies
           are $2 each. A check or money order should be made out to the
           Superintendent of Documents. GAO also accepts VISA and Mastercard.
           Orders for 100 or more copies mailed to a single address are
           discounted 25 percent. Orders should be sent to:

           U.S. General Accounting Office 441 G Street NW, Room LM
           Washington, D.C. 20548

           To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax:
           (202) 512-6061
			  
			  To Report Fraud, Waste, and Abuse in Federal Programs

           Contact:

           Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail:
           [email protected] Automated answering system: (800) 424-5454 or
           (202) 512-7470
			  
			  Public Affairs

           Jeff Nelligan, Managing Director, [email protected] (202)
           512-4800 U.S. General Accounting Office, 441 G Street NW, Room
           7149 Washington, D.C. 20548
(440307)

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

www.gao.gov/cgi-bin/getrpt?[43]GAO-04-557T .

To view the full product, including the scope
and methodology, click on the link above.

For more information, contact Rich Stana at (202) 512-8777 or
[email protected].

Highlights of [44]GAO-04-557T , testimony before the Subcommittee on
Oversight and Investigations, House Committee on Energy and Commerce

March 2004

HOMELAND SECURITY

Summary of Challenges Faced in Targeting Oceangoing Cargo Containers for
Inspection

After the attacks of September 11, 2001, concerns intensified that
terrorists would attempt to smuggle a weapon of mass destruction into the
United States. One possible method is to use one of the 7  million cargo
containers that arrive at our seaports each year. Addressing the potential
threat posed by the movement of oceangoing cargo containers falls to the
Department of Homeland Security's U.S. Customs and Border Protection
(CBP). Since CBP cannot inspect all arriving cargo containers, it uses a
targeting strategy, including an Automated Targeting System. This system
targets containers for inspection based on perceived level of risk. In
this testimony, GAO summarizes its work on (1) whether the development of
CBP's targeting strategy is consistent with recognized key risk management
and modeling practices and (2) how well the strategy has been implemented
at selected seaports.

[45]What GAO Recommends

GAO recommends that CBP incorporate all the key elements of a risk
management framework and recognized modeling practices in its targeting
strategy and the Automated Targeting System. GAO also recommends, among
other things, that CBP improve management controls to better implement the
targeting strategy at seaports.

The department cited corrective actions taken or planned to address the
issues GAO identified.

CBP has taken steps to address the terrorism risks posed by oceangoing
cargo containers, but its strategy neither incorporates all key elements
of a risk management framework nor is it entirely consistent with
recognized modeling practices. Actions CBP has taken included refining the
Automated Targeting System to target cargo containers that are a high risk
for terrorism, or other smuggling, for physical inspection. CBP has also
implemented national targeting training and sought to improve the quality
and timeliness of manifest information, which is one of the inputs for its
Automated Targeting System. However, regarding risk management, CPB has
not performed a comprehensive set of assessments vital for determining the
level of risk for oceangoing cargo containers and the types of responses
necessary to mitigate that risk. Regarding recognized modeling practices,
CBP has not subjected the Automated Targeting System to adequate external
peer review or testing. It has also not fully implemented a process to
randomly examine containers in order to test the targeting strategy.
Without incorporating all key elements of a risk management framework and
recognized modeling practices, CBP cannot be reasonably sure that its
targeting strategy provides the best method to protect against weapons of
mass destruction entering the United States at its seaports.

GAO's visits to selected seaports found that the implementation of CBP's
targeting strategy faces a number of challenges. Although port officials
said that inspectors were able to inspect all containers designated by the
Automated Targeting System as high-risk, GAO's requests for documentation
raised concerns about the adequacy of CBP's data to document these
inspections. CBP lacks an adequate mechanism to test or certify the
competence of students who participate in their national targeting
training. Additionally, CBP has not been able to fully address
longshoremen's safety concerns related to inspection equipment. Addressing
these concerns is important to ensure that cargo inspections are conducted
safely and efficiently. Challenges to both the development and the
implementation of CBP's targeting strategy, if not addressed, may limit
the effectiveness of targeting as a tool to help ensure homeland security.

A container ship docks at the Miami seaport.

Source: U.S. Customs and Border Protection

References

Visible links
  24. http://www.gao.gov/cgi-bin/getrpt?GAO-03-770
  25. http://www.gao.gov/cgi-bin/getrpt?GAO-02-208T
  26. http://www.gao.gov/cgi-bin/getrpt?GAO-02-208T
  27. http://www.gao.gov/cgi-bin/getrpt?GAO-02-150T
  28. http://www.gao.gov/cgi-bin/getrpt?GAO-03-1155T
  29. http://www.gao.gov/cgi-bin/getrpt?GAO-03-770
  30. http://www.gao.gov/cgi-bin/getrpt?GAO-03-902T
  31. http://www.gao.gov/cgi-bin/getrpt?GAO-03-297T
  32. http://www.gao.gov/cgi-bin/getrpt?GAO-03-235T
  33. http://www.gao.gov/cgi-bin/getrpt?GAO-02-993T
  34. http://www.gao.gov/cgi-bin/getrpt?GAO-02-208T
  35. http://www.gao.gov/cgi-bin/getrpt?GAO-02-150T
  36. http://www.gao.gov/cgi-bin/getrpt?GAO/RCED-99-99
  42. http://www.gao.gov/cgi-bin/getrpt?GAO/RCED-99-99
  43. http://www.gao.gov/cgi-bin/getrpt?GAO-04-557T
  44. http://www.gao.gov/cgi-bin/getrpt?GAO-04-557T
*** End of document. ***