Homeland Security

Preliminary Observations on Efforts to Target Security Inspections of Cargo Containers Gao ID: GAO-04-325T December 16, 2003

After the attacks of September 11, 2001, concerns intensified that terrorists would attempt to smuggle a weapon of mass destruction into the United States. One possible method for terrorists to smuggle such a weapon is to use one of the 7 million cargo containers that arrive at our nation's seaports each year. The Department of Homeland Security's U.S. Customs and Border Protection (CBP) is responsible for addressing the potential threat posed by the movement of oceangoing cargo containers. Since CBP cannot inspect all arriving cargo containers, it uses a targeting strategy, which includes an automated targeting system. This system targets some containers for inspection based on a perceived level of risk. In this testimony, GAO provides preliminary findings on its assessment of (1) whether CBP's development of its targeting strategy is consistent with recognized key risk management and computer modeling practices and (2) how well the targeting strategy has been implemented at selected seaports around the country.

CBP has taken steps to address the terrorism risks posed by oceangoing cargo containers. These include establishing a National Targeting Center, refining its automated targeting system, instituting a national training program for its personnel that perform targeting, and promulgating regulations to improve the quality and timeliness of data on cargo containers. However, while CBP's strategy incorporates some elements of risk management, it does not include other key elements, such as a comprehensive set of criticality, vulnerability and risk assessments that experts told GAO are necessary to determine risk and the types of responses necessary to mitigate that risk. Also, CBP's targeting system does not include a number of recognized modeling practices, such as subjecting the system to peer review, testing and validation. By incorporating the missing elements of a risk management framework and following certain recognized modeling practices, CBP will be in a better position to protect against terrorist attempts to smuggle weapons of mass destruction into the United States. CBP faces a number of challenges at the six ports we visited. CBP does not have a national system for reporting and analyzing inspection statistics and the data provided to us by ports were generally not available by risk level, were not uniformly reported, were difficult to interpret, and were incomplete. CBP officials told us they have just implemented a new module for their targeting system, but it is too soon to tell whether it will provide consistent, complete inspection data for analyzing and improving the targeting strategy. In addition, CBP staff that received the national targeting training were not tested or certified to ensure that they had learned the basic skills needed to provide effective targeting. Further, space limitations and safety concerns about inspection equipment constrained the ports in their utilization of screening equipment, which has affected the efficiency of examinations.

GAO-04-325T, Homeland Security: Preliminary Observations on Efforts to Target Security Inspections of Cargo Containers This is the accessible text file for GAO report number GAO-04-325T entitled 'Homeland Security: Preliminary Observations on Efforts to Target Security Inspections of Cargo Containers' which was released on December 16, 2003. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Testimony: Before the Subcommittee on Oversight and Investigations, Committee on Energy and Commerce, House of Representatives: United States General Accounting Office: GAO: For Release on Delivery Expected at 1:00 p.m. EST In Camden, New Jersey: Tuesday, December 16, 2003: HOMELAND SECURITY: Preliminary Observations on Efforts to Target Security Inspections of Cargo Containers: Statement of Richard M. Stana, Director Homeland Security and Justice: GAO-04-325T: GAO Highlights: Highlights of GAO-04-325T, testimony before the Committee on Energy and Commerce and the Subcommittee on Oversight and Investigations Why GAO Did This Study: After the attacks of September 11, 2001, concerns intensified that terrorists would attempt to smuggle a weapon of mass destruction into the United States. One possible method for terrorists to smuggle such a weapon is to use one of the 7 million cargo containers that arrive at our nation‘s seaports each year. The Department of Homeland Security‘s U.S. Customs and Border Protection (CBP) is responsible for addressing the potential threat posed by the movement of oceangoing cargo containers. Since CBP cannot inspect all arriving cargo containers, it uses a targeting strategy, which includes an automated targeting system. This system targets some containers for inspection based on a perceived level of risk. In this testimony, GAO provides preliminary findings on its assessment of (1) whether CBP‘s development of its targeting strategy is consistent with recognized key risk management and computer modeling practices and (2) how well the targeting strategy has been implemented at selected seaports around the country. GAO is completing its assessment and developing recommendations to address strategy development and implementation challenges. What GAO Found: CBP has taken steps to address the terrorism risks posed by oceangoing cargo containers. These include establishing a National Targeting Center, refining its automated targeting system, instituting a national training program for its personnel that perform targeting, and promulgating regulations to improve the quality and timeliness of data on cargo containers. However, while CBP‘s strategy incorporates some elements of risk management, it does not include other key elements, such as a comprehensive set of criticality, vulnerability and risk assessments that experts told GAO are necessary to determine risk and the types of responses necessary to mitigate that risk. Also, CBP‘s targeting system does not include a number of recognized modeling practices, such as subjecting the system to peer review, testing and validation. By incorporating the missing elements of a risk management framework and following certain recognized modeling practices, CBP will be in a better position to protect against terrorist attempts to smuggle weapons of mass destruction into the United States. CBP faces a number of challenges at the six ports we visited. CBP does not have a national system for reporting and analyzing inspection statistics and the data provided to us by ports were generally not available by risk level, were not uniformly reported, were difficult to interpret, and were incomplete. CBP officials told us they have just implemented a new module for their targeting system, but it is too soon to tell whether it will provide consistent, complete inspection data for analyzing and improving the targeting strategy. In addition, CBP staff that received the national targeting training were not tested or certified to ensure that they had learned the basic skills needed to provide effective targeting. Further, space limitations and safety concerns about inspection equipment constrained the ports in their utilization of screening equipment, which has affected the efficiency of examinations. What GAO Recommends: www.gao.gov/cgi-bin/getrpt?GAO-04-325T. To view the full product, including the scope and methodology, click on the link above. For more information, contact Richard M. Stana at (202) 512-8777 or StanaR@gao.gov. [End of section] Mr. Chairman and Members of the Subcommittee: I appreciate the opportunity to be here today to participate in this hearing on the security of oceangoing cargo containers. In the aftermath of the terrorist attacks of September 11, 2001, there is heightened concern that terrorists may try to smuggle weapons of mass destruction into a U.S. port using one of the millions of cargo containers that arrive at our nation's seaports each year. If terrorists did so and detonated such a weapon (e.g., a nuclear or radiological explosive device) at a seaport, the incident could cause widespread death and damage to the immediate area, perhaps shut down seaports nationwide, cost the U.S. economy billions of dollars, and seriously hamper international trade. The Department of Homeland Security and its U.S. Customs and Border Protection (CBP) are responsible for addressing the threat posed by terrorist smuggling of weapons in oceangoing containers. To carry out this responsibility, CBP uses a targeting strategy, which includes a computerized model called the Automated Targeting System, to help select (or "target") containers for additional review and/or inspection. Organizations that are involved in security matters, such as CBP, frequently employ certain risk management practices, including computer modeling, to help them prioritize their activities and use of resources. In essence, risk management is a systematic process to analyze threats, vulnerabilities, and critical assets to better support management decisions. This statement presents the preliminary results from our latest effort in a series of GAO reports that evaluate CBP's response to the terrorist threat.[Footnote 1] Based upon our ongoing assessment of CBP's targeting strategy for this subcommittee, I will provide our preliminary findings on (1) whether CBP's development of its targeting strategy is consistent with recognized risk management and computer modeling practices and (2) how well the targeting strategy has been implemented at selected seaports around the country. Our preliminary findings are based on extensive data collection and analysis at CBP, consultations with experts in terrorism and risk management, visits to six seaports, and related interviews with federal and local government and private sector officials responsible for port security and operations. Additional information on our scope and methodology can be found at the end of this statement. Our work focused primarily on the targeting system rather than the sufficiency of inspections at the ports once a container has been targeted. Summary: While CBP has taken steps to address the terrorism risks posed by oceangoing cargo containers, its targeting strategy neither incorporates all key elements of a risk management framework, nor is it consistent with certain recognized practices associated with modeling. To its credit, CBP established the National Targeting Center to serve as the national focal point for targeting imported cargo and for distributing periodic intelligence alerts to the ports. CBP has refined its targeting system, which was originally designed to identify narcotics contraband, to help identify containers posing potential terrorist threats for possible physical screening and inspection. It also instituted a national training program for its personnel that perform targeting. Further, CBP promulgated regulations aimed at improving the quality and timeliness of transmitted cargo manifest data for use in the targeting system. However, while its strategy incorporates some elements of risk management, CBP has not performed a comprehensive set of threat, criticality, vulnerability and risk assessments that experts said are vital for determining levels of risk for each container and the types of responses necessary to mitigate that risk. Regarding recognized modeling practices, CBP has not subjected the targeting system to external peer review or testing as recommended by the experts we contacted. CBP has a program to randomly select and inspect containers, to compare these results with those generated by the targeting system. However, because the inspections can be waived, randomly selected containers might not be inspected, which limits the usefulness of the program to help improve the targeting system By incorporating the missing elements of a risk management framework and following recognized modeling practices, CBP would have better information to make management decisions related to preventing terrorist from smuggling weapons of mass destruction into the United States. CBP faces a number of challenges in implementing the targeting strategy at the six ports we visited that could limit the strategy's effectiveness. First, CBP does not have a national system for reporting and analyzing inspection statistics and the data provided to us by ports were generally not readily available by risk level, were not uniformly reported, were difficult to interpret, and were incomplete. CPB officials told us they have just implemented a new module for their targeting system to better collect national data on the results of inspections, but it is too soon to tell whether it will provide consistent, complete inspection data for analyzing and improving the targeting strategy. In addition, CBP staff that received the national targeting training were not tested or certified to ensure that they had learned the basic skills needed to provide effective targeting. Further, we found that space limitations and safety concerns about inspection equipment constrain the ports in their utilization of screening equipment, which has affected the efficiency of examinations. Background: Maritime Cargo Containers Are Important and Vulnerable: Cargo containers are an important segment of maritime commerce. Approximately 90 percent of the world's cargo moves by container. Each year, approximately 16 million oceangoing cargo containers enter the U.S. carried aboard thousands of container vessels. In 2002, approximately 7 million containers arrived at U.S seaports, carrying more than 95 percent of the nation's non-North American trade by weight and 75 percent by value. Many experts on terrorism--including those at the Federal Bureau of Investigation and academic, think tank and business organizations--have concluded that the movement of oceangoing cargo containers are vulnerable to some form of terrorist action. A terrorist incident at a seaport, in addition to killing people and causing physical damage, could have serious economic consequences. In a 2002 simulation of a terrorist attack involving cargo containers, every seaport in the United States was shut down, resulting in a loss of $58 billion in revenue to the U.S. economy, including spoilage, loss of sales, and manufacturing slowdowns and halts in production.[Footnote 2] CBP Has A Layered Approach to Select and Inspect Cargo Containers: CBP is responsible for preventing terrorists and weapons of mass destruction from entering the United States. As part of its responsibility, it has the mission to address the potential threat posed by the movement of oceangoing containers. To perform this mission, CBP has inspectors at the ports of entry into the United States. While most of the inspectors assigned to seaports perform physical inspections of goods entering the country, some are "targeters"--they review documents and intelligence reports and determine which cargo containers should undergo additional documentary reviews and/or physical inspections. These determinations are not just based on concerns about terrorism, but also concerns about illegal narcotics and/or other contraband. The CBP Commissioner said that the large volume of imports and its limited resources make it impossible to physically inspect all oceangoing containers without disrupting the flow of commerce. The Commissioner also said it is unrealistic to expect that all containers warrant such inspection because each container poses a different level of risk based on a number of factors including the exporter, the transportation providers, and the importer. These concerns led to CBP implementing a layered approach that attempts to focus resources on potentially risky cargo containers while allowing other cargo containers to proceed without disrupting commerce. As part of its layered approach, CBP employs its Automated Targeting System (ATS) computer model to review documentation on all arriving containers and help select or "target" containers for additional documentary review and/or physical inspection. The ATS was originally designed to help identify illegal narcotics in cargo containers. ATS automatically matches its targeting rules against the manifest and other available data for every arriving container, and assigns a level of risk (i.e., low, medium, high) to each container. At the port level, inspectors use ATS, as well as other data (e.g., intelligence reports), to determine whether to inspect a particular container. In addition, CBP has a program, called the Supply Chain Stratified Examination, which supplements the ATS by randomly selecting additional containers to be physically examined. The results of the random inspection program are to be compared to the results of ATS inspections to improve targeting. If CBP officials decide to inspect a particular container, they might first use equipment such as the Vehicle and Cargo Inspection System (VACIS) that takes a gamma-ray image of the container so inspectors can see any visual anomalies. With or without VACIS, inspectors can open a container and physically examine its contents. Other components of the layered approach include the Container Security Initiative (CSI) and the Customs-Trade Partnership Against Terrorism (C-TPAT). CSI is an initiative whereby CBP places staff at designated foreign seaports to work with foreign counterparts to identify and inspect high-risk containers for weapons of mass destruction before they are shipped to the United States. C-TPAT is a cooperative program between CBP and members of the international trade community in which private companies agree to improve the security of their supply chains in return for a reduced likelihood that their containers will be inspected.[Footnote 3] Risk Management and Modeling Are Important Security Practices: Risk management is a systematic process to analyze threats, vulnerabilities, and the criticality (or relative importance) of assets to better support key decisions linking resources with prioritized efforts for results. Risk management is used by many organizations in both government and the private sector. In recent years, we have consistently advocated the use of a risk management approach to help implement and assess responses to various national security and terrorism issues.[Footnote 4] We have concluded that without a risk management approach that provides insights about the present threat and vulnerabilities as well as the organizational and technical requirements necessary to achieve a program's goals, there is little assurance that programs to combat terrorism are prioritized and properly focused. Risk management could help to more effectively and efficiently prepare defenses against acts of terrorism and other threats. Key elements of a risk management approach are listed below. * Threat assessment: A threat assessment identifies adverse events that can affect an entity, which may be present at the global, national, or local level. * Vulnerability assessment: A vulnerability assessment identifies weaknesses in physical structures, personnel protection systems, processes or other areas that may be exploited by terrorists. * Criticality assessment: A criticality assessment identifies and evaluates an entity's assets or operations based on a variety of factors, including importance of an asset or function. * Risk assessment: A risk assessment qualitatively and/or quantitatively determines the likelihood of an adverse event occurring and the severity, or impact, of its consequences. * Risk characterization: Risk characterization involves designating risk on a scale, for example, low, medium, or high. Risk characterization forms the basis for deciding which actions are best suited to mitigate risk. * Risk mitigation: Risk mitigation is the implementation of mitigating actions, taking into account risk, costs, and other implementation factors. * Systems Approach: An integrated systems approach to risk management encompasses taking action in all organizational areas, including personnel, processes, technology, infrastructure, and governance. * Monitoring and evaluation: Monitoring and evaluation is a continuous repetitive assessment process to keep risk management current and relevant. It includes external peer review, testing, and validation. Modeling can be an important part of a risk management approach. To assess modeling practices related to ATS, we interviewed terrorism experts and representatives of the international trade community who were familiar with modeling related to terrorism and/or ATS and reviewed relevant literature. There are at least four recognized modeling practices that are applicable to ATS as a decision-support tool. * Conducting external peer review: External peer review is a process that includes an assessment of the model by independent and qualified external peers. While external peer reviews cannot ensure the success of a model, they can increase the probability of success by improving the technical quality of projects and the credibility of the decision- making process. * Incorporating additional types of information: To identify documentary inconsistencies, targeting models need to incorporate various types of information to perform complex "linkage" analyses. Using only one type of information will not be sufficient enough to yield reliable targeting results. * Testing and validating through simulated terrorist events: A model needs to be tested by staging simulated events to validate it as a targeting tool. Simulated events could include "red teams" that devise and deploy tactics in an attempt to define a system's weaknesses, and "blue teams" that devise ways to mitigate the resulting vulnerabilities identified by the red team. * Using random inspections to supplement targeting: A random selection process can help identify and mitigate residual risk (i.e., the risk remaining after the model-generated inspections have been done), but also help evaluate the performance of the model relative to other approaches. Positive Steps Taken, But Targeting Strategy Lacks Key Components Of Risk Management And Modeling: CBP has taken several positive steps to address the terrorism risks posed by oceangoing cargo containers. For example, CBP established the National Targeting Center to serve as the national focal point for targeting imported cargo containers and distributing periodic intelligence alerts to the ports. CBP also modified its ATS, which was originally designed to identify narcotics contraband, to include targeting rules for terrorism that could identify high-risk containers for possible physical screening and inspection. In addition, CBP developed a training course for staff responsible for targeting cargo containers. Further, CBP also promulgated regulations aimed at improving the quality and timeliness of transmitted cargo manifest data for use in the targeting system. However, while its strategy incorporates some elements of risk management, CBP has not performed a comprehensive set of threat, criticality, vulnerability and risk assessments that experts said are vital for determining levels of risk for each container and the types of responses necessary to mitigate that risk. Regarding recognized modeling practices, CBP has not subjected ATS to external peer review or testing as recommended by the experts we contacted. Further, CBP has implemented a random inspection designed to improve its targeting rules, but officials at ports can waive the inspections. CBP Has Taken Several Steps to Improve Its Targeting Strategy: CBP has recognized the potential threat posed by oceangoing cargo containers and has reviewed and updated some aspects of its layered targeting strategy. According to CBP officials, several of the steps that CBP has taken to improve its targeting strategy have resulted in more focused targeting of cargo containers that may hold weapons of mass destruction. CBP officials told us that, given the urgency to take steps to protect against terrorism after the September 11, 2001, terrorist attacks, that they had to take an "implement and amend" approach. That is, they had to immediately implement targeting activities with the knowledge they would have to amend them later. Steps taken by CBP include the following: * In November 2001, the U.S. Customs Service established the National Targeting Center to serve as the national focal point for targeting imported cargo for inspection.[Footnote 5] Among other things, the National Targeting Center interacts with the intelligence community and distributes to the ports any intelligence alerts it receives. The National Targeting Center also assists targeters in conducting research on incoming cargo, attempts to improve the targeting of cargo, and manages a national targeting training program for CBP targeters. * In August 2002, CBP modified the ATS as an anti-terrorism tool by developing terrorism-related targeting rules and implementing them nationally. According to CBP officials responsible for ATS, these targeting rules were developed in consultation with selected intelligence agencies, foreign governments, and companies. CBP is now in the process of enhancing the ATS terrorism-related rules. The newest version of the ATS rules, which is still being tested, gives added risk points when certain rules apply collectively to the same container. CBP refers to this as the "bundling" of rules. In these circumstances, CBP would assume an elevated level of risk for the cargo. Related to this, CBP is currently in the process of developing and implementing further enhancements--known as the "findings module"--to capture additional information related to individual inspections of cargo containers, such as whether an inspection resulted in the discovery of contraband. * In 2002, CBP also developed a 2-week national training course to train staff in targeting techniques. The course is intended to help ensure that seaport targeters have the necessary knowledge and ability to conduct effective targeting. The course is voluntary and is conducted periodically during the year at the Los Angeles, Long Beach and Miami ports, and soon it will be conducted at the National Targeting Center. In fiscal year 2003, approximately 442 inspectors completed the formal training and CBP plans to train an additional 374 inspectors in fiscal year 2004. * In February 2003, CBP began enforcing new regulations about cargo manifests--called the "24 hour rule"--which requires the submission of complete and accurate manifest information 24 hours before a container is loaded on a ship at a foreign port.[Footnote 6] Penalties for non- compliance can include a CBP order not to load a container on a ship at the port of origin or monetary fines. The rule is intended to improve the quality and timeliness of the manifest information submitted to CBP, which is important because CBP relies extensively on manifest information for targeting. According to CBP officials we contacted, although no formal evaluations have been done, the 24-hour rule is beginning to improve both the quality and timeliness of manifest information. CBP officials acknowledged, however, that although improved, manifest information still is not always accurate or reliable data for targeting purposes. Targeting Strategy Does Not Incorporate Key Elements of Risk Management: While CBP's targeting strategy incorporates some elements of risk management, our discussions with terrorism experts and our comparison of CBP's targeting system to recognized risk management practices showed that the strategy does not fully incorporate all key elements of a risk management framework. Elements not fully incorporated are discussed below. * CBP has not performed a comprehensive set of assessments for cargo containers. CBP has attempted to assess the threat of cargo containers through contact with governmental and non-governmental sources. However, it has not assessed the vulnerability of cargo containers to tampering or exploitation throughout the supply chain, nor has it assessed which port assets and operations are the most critical in relation to their mission and function. These assessments, in addition to threat assessments, are needed to understand and identify actions to mitigate risk. * CBP has not conducted a risk characterization for different forms of cargo, or the different modes of transportation used to import cargo. CBP has made some efforts in this regard by characterizing the risk of each oceangoing cargo containers as either low, medium, or high-risk. But, CBP has not performed a risk characterization to assess the overall risk of cargo containers, or determine how this overall risk characterization of cargo containers compares with sea cargo arriving in other forms, such as bulk cargo (e.g., petroleum and chemical gas shipments) or break-bulk cargo (e.g., steel and wood shipments). Additionally, CBP has not conducted risk characterization to compare the risk of cargo containers arriving by sea with the risk of cargo containers (or other cargo) arriving by other modes, such as truck or rail. These characterizations would enable CBP to better assess and prioritize the risks posed by oceangoing cargo containers and incorporate mitigation activities in an overall strategy. * CBP actions at the ports to mitigate risk are not part of an integrated systems approach. Risk mitigation encompasses taking action in all organizational areas, including personnel, processes, technology, infrastructure, and governance. An integrated approach would help assure that taking action in one or more areas would not create unintended consequences in another. For example, taking action in the areas of personnel and technology--adding inspectors and scanning equipment at a port--without at the same time ensuring that the port's infrastructure is appropriately reconfigured to accept these additions and their potential impact (e.g., more physical examinations of containers), could add to already crowded conditions at that port and ultimately defeat the purpose of the original actions. We recognize that CBP implemented the ATS terrorist targeting rules in August 2002 due to the pressing need to utilize a targeting strategy to protect cargo containers against terrorism, and that CBP intends to amend the strategy as necessary. However, implementing a comprehensive risk management framework would help to ensure that information is available to management to make choices about the best use of limited resources. This type of information would help CBP obtain optimal results and would identify potential enhancements that are well- conceived, cost-effective, and work in tandem with other system components. Thus, it is important for CBP to amend its targeting strategy within a risk management framework that takes into account all of the system's components and their vital linkages. Targeting Strategy Not Consistent With Key Recognized Modeling Practices: Interviews with terrorism experts and representatives from the international trade community who are familiar with CBP's targeting strategy and/or terrorism modeling told us that the ATS is not fully consistent with recognized modeling practices. Challenges exist in each of the four recognized modeling practice areas that these individuals identified: external peer review, incorporating different types of information, testing and validating through simulated events, and using random inspections to supplement targeting. * With respect to external review, CBP consulted primarily with in- house subject matter experts when developing the ATS rules related to terrorism. CBP officials told us that they considered these consultations to be an extensive process of internal, or governmental, review that helped adapt ATS to meet the terrorist threat. With a few exceptions, CBP did not solicit input from the extended international trade community or from external terrorism and modeling experts. * With respect to the sources and types of information, ATS relies on the manifest as its principal data input, and CBP does not mandate the transmission of additional types of information before a container's risk level is assigned. Terrorism experts, members of the international trade community, and CBP inspectors at the ports we visited characterized the ship's manifest as one of the least reliable or useful types of information for targeting purposes. In this regard, one expert cautioned that even if ATS were an otherwise competent targeting model, there is no compensating for poor input data. Accordingly, if the input data are poor, the outputs (i.e., the risk assessed targets) are not likely to be of high quality. Another problem with manifests is that shippers can revise them up to 60 days after the arrival of the cargo container. According to CBP officials, about one third of these manifest revisions resulted in higher risk scores by ATS--but by the time these revisions were received, it is possible that the cargo container may have left the port. These problems with manifest data increase the potential value of additional types of information. * With respect to testing and validation, CBP has not attempted to test and validate ATS through simulated events. The National Targeting Center Director told us that 30 "events" (either real or simulated) are needed to properly test and validate the system. Yet CBP has not conducted such simulations to test and validate the system. Without testing and validation, CBP will not know whether ATS is a statistically valid model and the extent to which it can identify high- risk containers with reasonable assurance. The only two known instances of simulated tests of the targeting system were conducted without CBP's approval or knowledge by the American Broadcast Company (ABC) News in 2002 and 2003. In an attempt to simulate terrorist smuggling highly enriched uranium into the United States, ABC News sealed depleted uranium into a lead-lined pipe that was placed into a suitcase and later put into a cargo container. In both instances, CBP targeted the container that ABC News used to import the uranium, but it did not detect a visual anomaly from the lead-lined pipe using the VACIS and therefore did not open the container. * With respect to instituting random inspections, CBP has a process to randomly select and examine containers regardless of the risk. The program--the Supply Chain Stratified Examination--measures compliance with trade laws and refocused it to measure border security compliance. One aspect of this new program is random inspections. However, CBP guidance states that port officials may waive the random inspections if available resources are needed to conduct inspections called for by ATS targeting or intelligence tips. Accordingly, although the containers targeted for inspection may be randomly selected, the containers being inspected from the program may not be a random representation. Therefore, CBP may not be able to learn all possible lessons from the program and, by extension, may not be in a position to use the program to improve the ATS rules. Targeting Strategy Faces Implementation Challenges: Our visits to six seaports found that the implementation of CBP's targeting strategy faces a number of challenges. Specifically, CBP does not have a uniform national system for reporting and analyzing inspection statistics by risk category that could be used for program management and oversight. We also found that the targeters at ports that completed the national training program were not tested and certified, so there is no assurance that they have the necessary skills to perform targeting functions. Further, we found that space limitations and safety concerns constrain the ports in their utilization of screening equipment, which can affect the efficiency of examinations. CBP Lacks National System To Track Cargo Container Inspections By Risk Category: A CBP official told us that CBP does not have a national system for reporting and analyzing inspection statistics by risk category. While officials at all the ports provided us with inspection data, the data from some ports were generally not available by risk level, were not uniformly reported, were difficult to interpret, and were not complete. In addition, we had to contact ports several times to obtain these data, indicating that basic data on inspections were not readily available. All five ports that gave information on sources of data said they had extracted data from the national Port Tracking System. However, this system did not include information on the number of non- intrusive examinations or physical examinations conducted, according to risk category. Moreover, a CBP headquarters official stated that the data in the Port Tracking System are error prone, including some errors that result from double counting. One port official told us that the Port Tracking System was not suitable for extracting the examination information we had requested, so they had developed a local report to track and report statistics. Our findings are consistent with a March 2003 Treasury Department Inspector General Report which found, among other things, that inspection results were not documented in a consistent manner among the ports and examination statistics did not accurately reflect inspection activities.[Footnote 7] A CBP official said that they are in the process of developing a replacement for the Port Tracking System to better capture enforcement statistics but this new system is still in its infancy. Separately, CBP officials said that they are trying to capture the results of cargo inspections through an enhancement to ATS called the findings module. A National Targeting Center official stated that the findings module would allow for more consistency in capturing standardized inspection results and would also serve as a management control tool. National Targeting Center officials said that the module would be able to categorize examination results according to the level of risk. A CBP official told us the module was being implemented nationwide in late November 2003. While the ATS findings module shows potential as a useful tool for capturing inspection results, it is too soon to tell whether it will provide CBP management with consistent, complete inspection data for analyzing and improving the targeting strategy. Staff Testing and Certification Could Help Strengthen Targeting Process: While over 400 targeters have completed the new national targeting training, CBP has no mechanism to test or certify their competence. These targeters play a crucial role because they are responsible for making informed decisions about which cargo containers will be inspected and which containers will be released. According to National Targeting Center officials, the goal is for each U.S. seaport to have at least one targeter who has completed national targeting training so that the knowledge and skills gained at the training course can be shared with other targeters at their port of duty. To train other staff, however, the targeter who took the training must have attained a thorough understanding of course contents and their application at the ports. Because the targeters who complete the training are not tested or certified on course materials, CPB has little assurance that the targeters could perform their duties effectively or that they could train others to perform effectively. CBP could have better assurance that staff can perform well if CBP tested or certified their proficiency after they have completed the national targeting training. This would also increase the likelihood that course participants are in a position to effectively perform targeting duties and could train others at the ports on how to target potentially suspicious cargo. Further, it would lessen the likelihood that those who did not do well in class are placed in these important positions. Such testing and certification of targeting proficiency would demonstrate CBP's intent to ensure that those responsible for making decisions about whether and how to inspect containers have the knowledge and skills necessary to perform their jobs well. Space Limitations and Safety Concerns Constrain Use Of Inspection Equipment: One of the key components of the CBP targeting and inspection process is the use of non-intrusive inspection equipment. CBP uses inspection equipment, including VACIS gamma-ray imaging technology, to screen selected cargo containers and to help inspectors decide which containers to further examine. A number of factors constrain the use of non-intrusive inspection equipment, including crowded port terminals, mechanical breakdowns, inclement weather conditions, and the safety concerns of longshoremen at some ports. Some of these constraints, such as space limitations and inclement weather conditions, are difficult if not impossible to avoid. According to CBP and union officials we contacted, concern about the safety of VACIS is a constraint to using inspection equipment. Union officials representing longshoremen at some ports expressed concerns about the safety of driving cargo containers through the VACIS because it emits gamma rays when taking an image of the inside of the cargo container. Towing cargo containers through a stationary VACIS unit reportedly takes less time and physical space than moving the VACIS equipment over stationary cargo containers that have been staged for inspection purposes. As a result of these continuing safety concerns, some longshoremen are unwilling to drive containers through the VACIS. CBP's response to these longshoremen's concerns has been to stage containers away from the dock, arraying containers in rows at port terminals so that the VACIS can be driven over a group of containers for scanning purposes. However, as seaports and port terminals are often crowded, and there is often limited space to expand operations, it can be space-intensive and time consuming to stage containers. Not all longshoremen's unions have safety concerns regarding VACIS inspections. For example, at the Port of New York/New Jersey, longshoremen's concerns over the safety of operating the VACIS were addressed after the union contacted a consultant and received assurances about the safety of the equipment. Similar efforts by CBP to convince longshoremen's unions about the safety of VACIS have not been successful at some of the other ports we visited. In closing, as part of a program to prevent terrorists from smuggling weapons of mass destruction into the United States, CBP has taken a number of positive steps to target cargo containers for inspection. However, we found several aspects of their targeting strategy are not consistent with recognized risk management and modeling practices. CBP faces a number of other challenges in implementing its strategy to identify and inspect suspicious cargo containers. We are now in the process of working with CBP to discuss our preliminary findings and to develop potential recommendations to resolve them. We plan to provide the subcommittee with our final report early next year. This concludes my statement. I would now be pleased to answer any questions for the subcommittee. Contacts and Acknowledgments: For further information about this testimony, please contact me at (202) 512-8816. Seto Bagdoyan, Stephen L. Caldwell, Kathi Ebert, Jim Russell, Brian Sklar, Keith Rhodes, and Katherine Davis also made key contributions to this statement. [End of section] Appendix I: Scope And Methodology: To assess whether the CBP's development of its targeting strategy is consistent with recognized risk management and modeling practices, we compiled a risk management framework and recognized modeling practices, drawn from an extensive review of relevant public and private sector work, prior GAO work on risk management, and our interviews with terrorism experts. We selected these individuals based on their involvement with issues related to terrorism, specifically concerning containerized cargo, the ATS, and modeling. Several of the individuals that we interviewed were referred from within the expert community, while others were chosen from public texts on the record. We did not assess ATS's hardware or software, the quality of the threat assessments that CBP has received from the intelligence community, or the appropriateness or risk weighting of its targeting rules. To assess how well the targeting strategy has been implemented at selected seaports in the country, we visited various CBP facilities and the Miami, Los Angeles-Long Beach, Philadelphia, New York-New Jersey, New Orleans, and Seattle seaports. These seaports were selected based on the number of cargo containers processed and their geographic dispersion. At these locations, we observed targeting and inspection operations; met with CBP management and inspectors to discuss issues related to targeting and the subsequent physical inspection of containers; and reviewed relevant documents, including training and operational manuals, and statistical reports of targeted and inspected containers. At the seaports, we also met with representatives of shipping lines, operators of private cargo terminals, the local port authorities, and Coast Guard personnel responsible for the ports' physical security. We also met with terrorism experts and representatives from the international trade community to obtain a better understanding of the potential threat posed by cargo containers and possible approaches to countering the threat, such as risk management. We conducted our work from January to November 2003 in accordance with generally accepted government auditing standards. [End of section] Related GAO Products: Maritime Security: Progress Made in Implementing Maritime Transportation Security Act, but Concerns Remain. GAO-03-1155T. Washington, D.C.: September 9, 2003. Container Security: Expansion of Key Customs Programs Will Require Greater Attention to Critical Success Factors. GAO-03-770. Washington, D.C.: July 25, 2003. Homeland Security: Challenges Facing the Department of Homeland Security in Balancing its Border Security and Trade Facilitation Missions. GAO-03-902T. Washington, D.C.: June 16, 2003. Container Security: Current Efforts to Detect Nuclear Material, New Initiatives, and Challenges. GAO-03-297T. Washington, D.C.: November 18, 2002. Customs Service: Acquisition and Deployment of Radiation Detection Equipment. GAO-03-235T. Washington, D.C.: October 17, 2002. Port Security: Nation Faces Formidable Challenges in Making New Initiatives Successful. GAO-02-993T. Washington, D.C.: August 5, 2002. Homeland Security: A Risk Management Approach Can Guide Preparedness Efforts. GAO-02-208T. Washington, D.C.: October 31, 2001. Homeland Security: Key Elements of a Risk Management Approach. GAO-02- 150T. Washington, D.C.: October. 12, 2001. Federal Research: Peer Review Practices at Federal Science Agencies Vary. GAO/RCED-99-99. Washington, D.C.: March 17, 1999. FOOTNOTES [1] A listing of relevant GAO reports appears at the end of this statement. [2] The consulting firm Booz Allen Hamilton and The Conference Board sponsored the simulation in 2002. In the simulation, representatives from government and industry participated in a scenario involving the discovery and subsequent detonation of radioactive bombs hidden in cargo containers. [3] For more information on these programs, see U.S. General Accounting Office, Container Security: Expansion of Key Customs Programs Will Require Greater Attention to Critical Success Factors, GAO-02-770 (Washington, D.C.: July 2003). [4] For example, see U.S. General Accounting Office, Homeland Security: A Risk Management Approach Can Guide Preparedness Efforts, GAO-02-208T (Washington, D.C.: July 2003). [5] The commercial operations and inspection programs at the U.S. Customs Service (in the Department of the Treasury) were incorporated into CBP (in the new Department of Homeland Security) effective March 1, 2003. [6] This rule is also known as the Advance Manifest Regulation, 67 Fed. Reg. 66318 (2002). The final regulation was issued October 31, 2002, with implementation beginning February 1, 2003. [7] Office of Inspector General, Department of the Treasury, Protecting the Public: Security, Inspection and Targeting of Vessel Containers at U.S. Seaports Can Be Improved, OIG-03-074, March 28, 2003. This report summarized audit work done at a number of ports during 2001and 2002 on targeting, securing and inspecting cargo containers. The report was done by the Treasury Office of Inspector General because, at that time, inspections were done by the U.S. Customs Service.