Native New Yorker Kenneth J. Egan, 59, the former deputy director of the Coast Guards International Ship and Port Facility Security Code (ISPS) compliance program, is the security services project manager for the Houston-based ABS Consulting, which helps companies worldwide design, build, operate, and maintain offshore, port and terminal facilities.
PSN caught up with Egan last month at the American Association of Port Authorities convention in Long Beach, Calif., and talked with him about progress on implementing ISPS and the Congressionally-mandated Maritime Transportation Security Act of 2002 (MTSA). The blunt-spoken Egan also offered some interesting views the problems of maritime sector information-sharing with the government, and the roles to be played, or that should be played, in port security by the banks, the insurance industry, and still non-existent technology “test beds.”
For Egan, part of the problem is that port security perspectives are still bogged down in the bureaucratic morass of “regulatory compliance,” rather than viewed from the commanding heights of strategic planning
PSN: How do you think the ports are doing in terms of meeting their homeland security responsibilities?
Egan: To a large extent, port security in this country has been driven by the need for regulatory compliance, not whether or not the ports are, in fact, more secure.
And one of the things lacking on the government side is that it needs to do a better job of understanding the private sector mindset. Effective port security without the private sector is “Mission Impossible.” When the private sector is approached by a regulatory agency, they’re going to tell them what they want to hear. But really understanding what is going on requires some relationship building.
To be a genuine business partner you’ve got to be able to talk to them in an open way and say, “Does this make sense?” or “Does that make sense?” For example, the government required private sector entities to give them a vulnerability assessment of their facilities. Attorneys have told me that an acknowledgment of a vulnerability is equal to legal liability.
PSN: Under the circumstances, a rational decision would be to share much less information, rather than more
Egan: I tend to think a lot of vulnerabilities went unreported because of liability issues. And beyond that, you also have a security issue. Even if a company, say a chemical plant, with significant vulnerability based on certain conditions, they’re concerned about the confidentiality—what happens to this information after I give it to a government agency? They are not comfortable with the security of the data. In some cases it is true, in others it is a false perception, but these are the things that government really has to make an effort to understand. If they are going to get real results, they have to have a real relationship—not just lip service for the private sector.
PSN: What role do you assign to the market in port security?
Egan: The government does not know how to use market forces to get what they want. For example, for a vessel arriving in U.S. waters that is not ISPS-compliant., a typical violation results in a $10,000 fine. I’ve been told that it costs $8,100 to administer that $10,000 fine. That same vessel is generating $70,000 a day in freight revenue for the owner of the vessel. If the vessel is detained, even for a morning, it costs the owner $35,000 in lost freight, because the freight goes with the time, and he has to eat the freight loss for the day. That’s a bigger motivator to him than the fine. And there are a lot of owners who are just playing wait and see, to see what the Coast Guard is going to do. When the Coast Guard starts delaying entry to vessels, or even delaying vessels, the owners will feel it in their pocket and they will put the pressure on the foreign ports to comply. It’s simple market forces.
And even if the government did a brilliant job of identifying all the vulnerabilities, there’s the question of who’s going to pay the bill. The “Who” is the private sector, and they have to have the business case to come up with the money.
PSN: How do you make that case?
Egan: If you go out and talk to a facilities manager, typically you’ll hear, “What are the odds they are going to hit my facility?” The odds are infinitesimal, that’s really the threat-risk factor, and they consider that very, very low. And when you talk to them about the consequences, which are the other side of the equation, they’ll say, “Well, we’re insured for that, we’re insured for the premises.” Even when I ask them about the interruption of their business, they say, “Well, we’re insured for business interruption.”
PSN: So how do you motivate them?
Egan: The thing that strikes a chord is when you bring up the fact that if they are out of commission for 18 months, they’ve lost that market share—forever. That resonates. Talk to them about consequence management. Even a mega-retailer will tell you, if a ship blows up and it sinks with all my golf clubs, I’ve got three dozen stores that are not going to have golf clubs, and I am going to lose market share, even if the golf clubs were insured. But you have to understand private sector thinking and carry it a step further, to get to the motivating factor that turns them on to addressing security funding.
PSN: What else are you finding?
Egan: We have to do a better job with the (port security) grant money. It is getting better and better, but right now grants are issued where they can be replicated—that is, to do a particular project for a security measure in a specific port. The grant is designed in such a way that, if Company A does something, it can show other companies that it is feasible. And they could hopefully copy that on their own nickel.
We have to take another iteration of the concept. We have to talk to the private sector in advance of doing grants. And talk to them about: “If we, as the government, were to fund a grant to do X, Y and Z, we’ll fund the proof of the concept, because we don’t want you putting up your money to do the R&D. If we prove that concept, do we have your buy-in to implement it afterwards?”
PSN: What other private sector interests need to be brought in to create a more dynamic security situation?
Egan: The insurance industry. Traditionally, the insurance industry has played a big role in reducing costs and risk for safety and theft issues, because they had a vested interest. With homeland security, it is very difficult for the industry to get their hands around measuring the damage, measuring the risk. If they want to insure a facility for terrorism, how can they begin to understand the costs or the consequences? Until that is resolved the government is in effect giving them a pass, and saying, “You don’t have to insure this, because you can’t calculate what the damage would be, therefore you can’t calculate what the premium would be.” But I think that over the course of time, insurance people will play a bigger role involved in helping to mitigate risks.
ISPS, MTSA, ABS, and art of compliance
PSN: ABS Consulting has had a rather unique role in terms of port security, doesn’t it, particularly concerning the implementation of the Maritime Transportation Safety (Security) Act?
Egan: ABS Consulting has had a heavy concentration on preparing ports for the MTSA—whose deadline past last July 1. We were involved in doing vulnerability assessments for ports, and ports facilities, and then doing the security plans that resulted from the vulnerabilities that were identified. We did that in the domestic marketplace and then, quite extensively, overseas. That’s because we have a large international network, we have presence in more than 80 ports around the world. We have done a number of major port projects
PSN: But the overseas ports are not subject to MTSA, are they?
Egan: In those cases, we were dealing with ISPS, which is different--and a common misconception, because the standards for ISPS Code are not as rigid as the MTSA’s. The other big difference is that ISPS standards are left up to the designated authority of the host country to define. So we pay particular attention in understanding the host country’s interpretation of ISPS before doing the port security plans in the international markets.
The ISPS is written in such a way that it is subject to the interpretation of the host country. ISPS calls, for example, for “adequate perimeter security.” Well, “adequate” is one thing in Alexandria, Egypt, another in Manila, and yet another in Piraeus.
PSN: Certification of compliance with the MTSA standards were largely left up to the Coast Guard, so therefore there was less room for “interpretation” within the U.S.
Egan: Facilities had to file their vulnerability assessments and then their plans with the Coast Guard, because they are the primary law enforcement authority within the ports.
PSN: On ISPS, tell me a little bit about ABS Consulting’s role vis-à-vis that of the Coast Guard
Egan: The Coast Guard will be doing ISPS compliance “surveys” in the 140 countries which were signatories to the ISPS treaty on a three-year cycle. There are a number of countries that are not compliant, so far. This early in the game, non-compliance for ISPS means the country has not filed a plan with the IMO in London. We can’t say that they are non-compliant for other reasons because we haven’t gone out to do the inspections. The Coast Guard policy is that non-filing is non-compliance.
Because ISPS allows for members to make reciprocal visits and inspect each others’ ports, the U.S. Coast Guard has taken the initiative (to do that). But when they go out—they don’t want anyone to fail, ideally, they’d like everyone to be in a position to pass—so they welcome initiatives
to help countries become compliant and to take advantage of best practices and to form a communications bridge to them by the Coast Guard about what works and what doesn’t.
PSN: And ABS Consulting’s role?
Egan: For ISPS, we have been appointed by the Coast Guard as a “designated third party,” specifically, we have been designated to do port “surveys” (domestically it is called an “assessment”—a “survey” is not as rigorous as an “assessment”). ABS does ISPS compliance surveys for compliant facilities in non-compliant countries. For example, if a major oil company had a facility in a country where they were exporting oil to the U.S., and their facility was compliant, but the country was not, they could call upon ABS Consulting and we will do an assessment in lieu of the Coast Guard assessment. For diplomatic reasons, the Coast Guard will not go into a country unless that country is compliant.
As in most things with ISPS, many of the situations I anticipate that will occur will be driven by the receiver of the goods—the mega-retailers, for example, who face being cut off from their products; by the petroleum industry, with the demand for crude particularly critical, which flies in the face of denying entry. There are a lot of compliance issues that will be decided by the State Department in conjunction with the Coast Guard.
PSN: How many countries are non-compliant right now?
Egan: There are about 18. There will be more as the Coast Guard goes out to inspect and finds that there are shortcomings—things like inadequate physical security at a terminal, or very lax control points or procedures by personnel--and they will be added to the list. The shortcomings can also be the result of intel intercepts—the intelligence community is going to have input into when a country may be compliant or not, or where particular attention should be paid.
PSN: So ABS Consulting personnel are fully badged as well?
Egan: Those of us involved in projects requiring security clearances have the same clearance level as our counterparts in the Coast Guard.
PSN: What other port security projects is ABS Consulting working on with the Coast Guard?
Egan: We are helping them design a database to collect information from international ports in a way that will lend itself to trend analysis. For example, it is not enough to capture data about a rail yard that’s adjacent to a port and say that there were X number of rail cars of a certain cargo. You’ve got to say it was a designated type, an X-17 rail car, so that you capture it in a common way. When someone else wants to query the database, simply saying “rail car” doesn’t tell you anything. W-17 tells you that you have an analogy. So we’re looking at common data elements, so that they can capture the data in their surveys in an organized way and populate the database automatically as a by-product of the field work that they do. And then enable them to do the analysis to come up with best practices and trends, so they can measure across the board what they’ve done, and then share this information collectively with all these countries to help them do a better job.
Gates, guns, guards
PSN: Is ISPS basically about older security concepts—“gates, guns and guards”—or is there a technology component, too?
Egan: No, there is no specific technology function. ISPS is more generic than that. It refers to things like “adequate security,” and “proper monitoring of cargo loading.” It is very general in nature, intentionally, because it’s a U.N. function and they wanted to get a maximum number of signatories. I think there will be a slow evolution over the next five years, with the ISPS tightening up and becoming more specific and having more specific standards, which will be pretty regimented and pretty easy to follow. That will actually make it easier for countries, because there will be less interpretation and more direct guidance about what is expected.
PSN: The technologies have to be appropriate and sustainable
Egan: And they have to be affordable. You have to be able build the business case. When I was out on the road speaking as a Coast Guard official, invariably audiences from developing countries would come up to me afterwards and say, “What you said was great, but we don’t have the money for this.” Or they would come up and ask me—a typical question—“Which optical scan technology does the Coast Guard endorse?” To which my answer was: “Do you have ID cards yet? Stick with the fundamentals.”
The wisest money spent on security is money that is spent first on the fundamentals. And of the fundamentals, the most important is awareness training for people that are in the front lines. Not security people—baggage handlers, waitresses, snack bar employees--because good security is spotting anomalies. In order to spot an anomaly, you must have an intimate knowledge of normal. In doing port assessments, many times I learn more from baggage handlers than I do from security experts, because the baggage handlers are there, day after day, seeing what’s going on. They have a real good sense for what doesn’t belong there: “Something’s wrong, that guy shouldn’t be there, that truck is different.” That’s a very, very important starting point.
PSN: So the perspective is
Egan: You want to be doing the work of a freight forwarder—you want to spot anomalies. If I want to take a dirty bomb from Karachi to the Sears Tower, I am going to transship it three or four times in duty-free zones, sell the cargo in the duty-free zone, have a new consignee to appear in all of the documentation as if it actually originated in that port, so I have five new originations on one voyage.
PSN: What is the role of the banks, what is their responsibility in all of this?
Egan: What we have to look at is how we can get our hands around this problem of the switching of cargos. There are a couple of things that happen when a cargo is sold, then re-sold. First, there is a government entity involved, because the sale has to be reported some place, plus the governments never pass up a chance to collect revenue, so there are tax stamps involved, and so forth. So, if governments are willing to participate, simply reporting on a central system, all transfers of cargo ownership for all cargo that is en route would be a major step towards spotting anomalies.
The banks, which issue the letters of credit for cargo in transit, should report it. Now, if they all do this electronically, it is a relatively easy task. It would be a tremendous resource for identifying cargos in transit that were out of the ordinary. When you spot the fact that there have been three or four sales of that cargo, there should be a red flag.
PSN: Which U.S. agency would be responsible for monitoring the information?
Egan: I’m not sure it should even be the U.S.; it probably should be an international organization that does it, perhaps Interpol. We think too much of this as a U.S. thing; this is an international problem.
PSN: What can be done to help developing countries?
Egan: Developing countries have a problem, in part because they don’t understand ISPS in all cases. It’s getting better rather quickly, but there is a major misconception that they have to comply to MTSA standards, so MTSA will say, “You must have an 8-foot chain link fence around your property, no gaps, galvanized fittings, etc.” ISPS will say, “You must have adequate perimeter security.” There’s a big difference.
The other thing is that developing countries seem to think that because we are a technology mecca, that we are looking for sophisticated technology—the “we” in this case being the Coast Guard. The Coast Guard is looking for reasonable efforts that are fairly stringent. The Coast Guard policy says, “We will accept the guidance and interpretation of ISPS of the host country—we reserve the right to say that it is totally inadequate, but if we feel it is adequate, we accept their guidance.”
We are also helping them to fashion the business case to get funding. The World Bank has funding, the International Monetary Fund has funding, the various development banks—the Inter-American Development Bank, the Asian Development Bank—there are pockets of funding and there are countries with needs, and there’s a gap. We look to fill that gap on behalf of our clients.
Try the technology test beds
PSN: Some say that, in terms of port security, no real test beds exist for technologies, impeding the more effective and efficient use of resources. Do you agree?
Egan: Absolutely, and this brings us back to the private sector. If you want to understand maritime security, I think you need to start with the ship owner/operator. Can you imagine running a container ship around the world on a 45-day schedule, and in that time, you are stopping at 22 ports with 22 different technologies that you had to interface with? It’s maddening. In order to get them to participate, there has got to be consistency. People are focused on the security of a particular port, and there is not enough attention to the interface with the vessel--a very, very important component to port security.
After all, an attack is going to be launched, directly or indirectly, through the vessel—whether it’s the cargo, the crew, or the vessel itself being the vector.
Martin Edwin Andersen can be reached at Mick_Andersen@portsecuritynews.us.
Copyright (C) 2004 Port Security News, All rights Reserved.