Priva Technologies contributes "Info sharing is critical to supply chain security" article in July 2006 issue ofGSN....
Cupertino, Ca. - July, 2006 - Priva Technologies, Inc., a provider of advanced hardware and software-based authentication security platforms, authors the article titled Info sharing is critical to supply chain security for Government Security News (GSN) July 2006 issue.
The following is the article text :
Potential terrorist threats to the supply chain have created the possibility of bringing both U.S. and international economies to a grinding halt. Can we secure a supply chain that moves 24/7, is global and utilizes large volumes of assets between points of both origin and destination?
The answer is “Yes,” by using data analysis and information sharing between the commercial and private sectors as an adjunct to physical security. Making use of data to enhance security is a logical methodology for combating potential terrorist threats to the supply chain.
For successful enhancement of information sharing, a high level of trust must exist between the two sectors. This “trust model” is supported by (1) data security that meets national security requirements, and (2) the ability to authenticate system users with certainty. Simply put, the system transmitting the data must be impervious to hacking, and both sides must be able to audit unequivocally those who are transmitting and accessing that data.
While certain mandates demanding information sharing do exist – and others are being finalized -- companies exposed to the risks of sharing proprietary data will only grudgingly participate in such programs. Thus, the challenge is to make both public and private sector participants comfortable enough to share more information now, resulting in enhanced supply chain security.
Technology that provides a secure platform with which to transmit and access data, while authenticating users with certainty, currently exists, thus alleviating fears pertaining to unwanted third party access. This technology creates the “trust model” required to share data.
Hypothetical Example - Physical and Data Flows
As a purely theoretical example, Ann Taylor Retailer, Inc. ships women’s blouses from a manufacturing facility in Shenzhen, China, to one of its retail stores in Chicago, IL. First, finished goods are consolidated into an ocean container in Hong Kong. The container is then placed on a COSCO Hong Kong Group ocean ship, and off-loaded in Long Beach, CA. From there, the container moves via BNSF rail to the inter-modal yard in Joliet, IL. At that point, a local trucking company transports the container to a warehouse owned by DSC Logistics of Des Plaines, IL. The container is unpacked and the blouses are trucked to Ann Taylor’s store in Northbrook, IL.
During this example, Ann Taylor, COSCO, BNSF, local pick-up truckers and logistics intermediaries (mostly customs brokers and freight forwarders) will all contribute and access information through their respective computers. Customs and Border Protection (CBP), the Transportation Security Administration (TSA) and other security-minded agencies will mine these data flows to assess the load’s physical risk.
The data flows generated must be protected against unwanted third-party access, for both competitive and security reasons.
Information Sharing Mandates
Nearly five years after 9/11, the gap between measurable supply chain security and the actual extent of vulnerability has not changed very much. Conversely, the government is under pressure to show actual progress in protecting transportation infrastructures. During the past 18 months, formal mandates and back-channel requests for information sharing have been issued in an attempt to achieve with informally requested information what cannot be achieved physically.
For instance, TSA issued a final rule on May 26 mandating that those carrying freight on passenger aircraft accept shipments only from “known shippers”. TSA created this known shipper program shortly after 9/11 as a substitute for -- or a supplement to -- physical searches, and has maintained a voluntary known shipper database ever since. The May 26 rule requires participation in that TSA-controlled database.
Additionally, the maritime industry -- actually, all modes importing goods into the U.S. -- face CBP action as well as separate bills in both the House and Senate which would mandate new information sharing. They require data gathering via electronic sensors in containers, as well as disclosures by those who originate shipments, to provide CBP with information about a container’s contents, its routing and whether or not it has been free from tampering while en route.
A similar development is taking shape in the rail sector. Several House and Senate bi-partisan bills – along with strong predictions of a new rule related to rail freight from within TSA -- will encourage the trend toward greater data exchange as a means to enhance homeland security.
Major Issues Facing Information Sharing
Sharing data among parties not accustomed to doing so has raised major challenges.
The first are commercial concerns. For instance, feedback to TSA about its May 26 rule focuses largely on the risk of unwanted third party access to highly proprietary data. Citing this concern, both FedEx of Memphis, TN, and UPS, of Atlanta, GA, have stated publicly that they don’t want TSA operating a central database that contains details of their customers, what they ship, where to and how often.
In addition, industry leaders privately express concern about what they view as DHS’s large appetite for data. Informal remarks by members of the maritime community about CBP’s current or anticipated data demands sound similar.
The second challenge concerns national security. Many agree that it makes sense to substitute data flows for taking a direct look at assets, but how can we guarantee that terrorists won’t hack into those data flows? In the hypothetical example above, data security measures for Customs-Trade Partnership Against Terrorism (C-TPAT) -- together with the new networks of container security devices included in agency action and Congressional bills -- don’t call for more than rudimentary data security, such as user name/password. Stated differently, data flows that might be vulnerable to a reasonably talented college student pose an opportunity to “asymmetric attackers,” not a defense against them.
What Next?
If enhanced information sharing is to proceed expeditiously, the “trust model” described above is required. Ultimately, this model allows data to be shared in a highly secure and auditable environment.
When creating the “trust model,” commercial and public sector participants should make use of tools that (1) meet national security level standards, (2) authenticate users with certainty, (3) are off-the-shelf and readily available, (4) are fiscally prudent, and (5) can link with other applications easily.
Once the “trust model” exists, information sharing will be enhanced and will more reasonably supplement physical security. At that point, the supply chain will become far more secure, achieving the progress required by the White House, Congress and various federal agencies.
Fred Kaplan is a vice president at Priva Technologies, Inc., a company specializing in secured IT platforms and advanced user authentication. Kaplan can be contacted at:
Fred.Kaplan@Priva-Tech.com
ABOUT PRIVA TECHNOLOGIES
Founded in 1999, Priva Technologies is a privately-held Delaware Corporation that specializes in the development of advanced hardware and software-based authentication security platforms for the government, enterprise and consumer markets. Priva Technologies' flagship product, The Cleared® Security Platform, is the most comprehensive and powerful authentication solution available today. The company is headquartered in Washington D.C. with research and development in San Jose, CA. For more information, visit www.priva-tech.com