The September 2012 meeting of National Maritime Security Advisory Committee (NMSAC) was typical in that the original agenda was immediately altered as the order of topics changed and some switched meeting days. It was also distressingly atypical in that the audio for the audience attending by webcast and teleconference was among the worst in living memory. As a consequence, there are both major and minor gaps (not necessarily noted) in this report notwithstanding the length of the post. I have also occasionally placed comments out of chronological sequence in order to keep all the discussion of a particular topic in one place.
After introductory remarks by NMSAC’s new Executive Director, USCG Captain Andrew Tucci (the spelling of all names in this post represents my best guesses), the September 11th session dealt with Cybersecurity, Maritime Domain Awareness (MDA) and Information Sharing, Requirements for foreign Detain On-Board seamen, US/Canadian Regulatory Harmonization, Integration of Facility Security Plans and Systems, and Radiation Portal Monitoring Replacement and Relocation. The session on September 12th would deal with Using the Maritime Highway for Hazardous Cargo and Port Security Grants.
MDA and Information Sharing
A briefer, presenting by telephone, reported that she had compared NMSAC’s list of types of information needed by private industry and found that items on the NMSAC needs list are more at the tactical/operational level, whereas the cognizant DHS office is looking at information sharing more strategically. As a result, she felt that improving the sharing of information of concern to NMSAC was a matter for the USCG. For example, obtaining more regular threat assessments and more content usable for private sector threat assessments would lie mostly with the Area Maritime Security Committees and to lesser extent with state and local fusion centers. Another issue was how to include Facility Security Officers in notifications of observed suspicious or criminal behavior. Current alerts and warnings notification capabilities include the USCG website Homeport and the Facilities Office at USCG Headquarters. These capabilities will be used until DHS gets something better. Facilities that have 24/7 operations centers should ensure that they’re subscribers. In response to a question, she clarified that DHS is looking at how to implement change in the long run. The questioner pointed out that although the Area Maritime Security Committees and Homeport were good tools, they were not presently being used for significant information sharing. The briefer responded that the NMSAC list was composed predominantly of real-time and near-real-time information items. Current USCG capabilities provide an immediate solution to get this information out now; we should not wait for improvements in DHS capabilities. The USCG needs to get guidance out to sector commanders to accomplish this. Another question concerned the termination of funding for Interagency Operations Centers. The briefer responded that major acquisition funding “is gone for now,” but Watchkeeper implementation funds are still available. In addition, the Coast Guard can (and will have to) use funds in its operating budget to sustain the capability. The information sharing program is not just an information technology issue. It also involves policy development to support information sharing, as well as outreach and training. These are areas that are “alive and well.” Another question alluded to problems during Hurricane Isaac. NMSAC’s Alternate Designated Federal Official (Mr. Ryan Owens) responded that protocols had been activated to get information out, but not a lot of people had participated in the teleconference. The absence of people suggested that there wasn’t an issue. The USCG, Customs and Border Protection (CBP), and Immigration and Customs Enforcement (ICE) work, both nationally and locally, on protocols such as Rules of Engagement (RoE), safety, law enforcement, and other aspects of how to work together in ports. A final questioner asked if the hot wash ups of maritime security exercises identified short comings in information sharing that could be shared with NMSAC. The answer was that the USCG would most likely not have a problem with it, but other partners would have to be consulted. A major problem was getting the feedback in the first place.
Cybersecurity
Mr. Brett Rouzer with the USCG Cyber Command next presented a brief on Cybersecurity and the Cyber Command. The Command has the mission of protecting the Coast Guard’s internal networks, but also has a role in protecting cyber systems in the Maritime Transportation System. Various Presidential and Departmental documents come into play–from the National Security Strategy and the Cyberspace Policy Review down to Critical Infrastructure and Key Resources Sector-Specific Plans. The Cyber Command’s goal is to provide, with 17 personnel attached to USCG Headquarters, the various Captains of the Port with the tools they need to raise awareness of maritime cyber issues and develop proactive public-private partnerships through existing structures such as the Area Maritime Security Committees. In 2007, cyber risks were not on anyone’s radar. Now, cyber-attacks are ranked as the fourth highest global risk in terms of likelihood. Some of the threats include persons available for hire to take down competitors’ websites, dangers from non-malicious acts like clicking on links in emails, and the vulnerability of industrial control systems and wireless networks. Asked how the US could bring about a cybersecurity culture in a maritime logistics chain that is primarily owned by foreign industry, Mr. Rouzer replied that DHS reaches out to foreign governments and industry. Captain Tucci pointed out that there are different types of cyber threats, such as those to industrial controls systems, against personal information, and sabotage of communication systems in conjunction with physical attacks. The NMSAC Chair (Captain Jeff Monroe) suggested that the simultaneous sabotage of two or three large container lines that prevented them from complying with the 24-hour advance manifest rule and the 10 + 2 security filing could paralyze the US economy. The original questioner asked how cyber issues were being merged with the critical infrastructure sector information sharing councils, noting his concern that work that has already been done by others would be ignored. The Chair noted that no one really had their arms around the whole cybersecurity issue; everyone in DHS is looking at it in their own sphere. NMSAC would form a working group in response to the USCG tasking. The questions include what systems are most vulnerable and how to reconstitute after an incident. A NMSAC member commented that the Committee would need to define what MDA means in the context of this tasking—government systems or industry systems. The Chair replied that it would include all systems regardless of ownership. Mr. Owens added that the Coast Guard was looking to find out whether there were systems so maritime-specific as to require particular USCG attention, or do general cybersecurity programs cover them. A member of the public asked how secure TWIC threat assessment data is. A USCG representative responded that it was shared with agencies (including Canadian ones) with a need to know, but is not readily available to outsiders. Mr. Rouzer added that he was not aware of any compromise of this background information and not many people have access to it.
Detain on Board Requirements
USCG Lieutenant Russell Amacher then updated NMSAC on developments regarding detain on board requirements for certain foreign mariners. Detention on board can result from either administrative or security issues. New guidance had been issued to the field in an August ALCOAST message. The USCG worked with CBP to develop the details. There is no specific guidance on number of guards versus number of crew members just that guards are required to ensure crew members designated as high risk from a security standpoint do not leave the vessel. Guards are not required when CBP determines a crew member must remain on board the ship for administrative reasons. The CBP in Jacksonville has already redrafted their local policy to align with the ALCOAST. They understand that a crew member has a job to do on board and can move around the ship. NMSAC member Ms. Bethann Rooney (Manager, Port Security, Port Authority of NY & NJ) asked for comment on a feature of the original guidance issued “in Admiral Collins’ day” (2002-2006) requiring the guards to be armed “if allowed by local rules.” LT Amacher responded that the guidance was that all guards had to be certified under state law. Ms. Rooney stated her appreciation for the improvement in the guidance, but noted that inconsistent treatment from port to port still exists. On the East Coast it has become a competitive issue for ports and a management issue for shipping companies. LT Amacher replied that the guidance was designed to produce consistency. Problems of this nature should be first addressed to the pertinent Captain of the Port and then escalated if not resolved. The main point of the ALCOAST is that if it’s only a visa issue, guards are not required. Noting that Jacksonville was only one port, another NMSAC member expressed the hope that all ports had started to reflect the revised guidance in their policies. The Chair expressed disappointment that no one from CBP had been at the meeting. (CBP Officer Tia Won was on the telephone at one point, but technical difficulties precluded any meaningful participation). A representative of a security guard company in Tampa, FL questioned the migration in Tampa “over the last few months” from employing his company’s guards to using only law enforcement personnel. The change had reduced the company’s business by 50 percent. LT Amacher said he knew of no mandate for the change. The NMSAC Chair speculated that it might be an issue of local police union agreements.
Regulatory Harmonization with Canada
LCDR Loan O’Brien provided an update on developments since NMSAC’s meeting in May, concentrating on the marine transport work plan. The idea is to align regulatory requirements wherever possible. The first action item was to develop priorities for regulatory harmonization. Both sides performed gap analyses and identified 56 gaps, which were then prioritized. The second action item was to align the Canadian definition of certain dangerous cargo (CDC) with the US version. The Canadians have their proposal out for stakeholder feedback. The third action item was to reference Alternate Security Agreements in Canadian regulations. The Canadians are working an amendment to authorize Transport Canada to enter into such agreements (which is a good idea, since it already has entered into several with the USCG). The fourth action item deals in some fashion with the regulatory process, but the audio went out at this point, so was lost on me. The audio returned in time for a discussion of working with the Canadians on resilience/trade recovery through the one side’s ports in the event of a disaster or attack that put the other’s port out of commission. The other two work plans for the marine area involve life preserver standardization and pleasure craft construction.
Integration of FSPs and Systems
Next, LCDR Ramirez briefed NMSAC on the USCG’s efforts to implement section 822 of the Coast Guard Authorization Act of 2010. This section mandates that MTSA-regulated facilities share their FSAs with the port authority and appropriate state and local law enforcement, as well as integrate, “to the maximum extent practical,” any security system for the facility with compatible systems of state and local law enforcement and the USCG. (Note: Although the section header says “integration of security plans,” the actual text of the provision refers only to vulnerability assessments.) With the web audio totally out and the teleconference sound intermittently on the fritz and otherwise of low quality, coverage of this item is particularly suspect. Here is what I think I heard: The USCG is developing regulations. The first proposal for a cost-effective and cohesive strategy to bring industry and law enforcement into conformity with section 822 was finalized last year. A forthcoming Federal Register notice will request comments from industry to identify any shortfalls in the strategy. The USCG is looking for better standard practices to deal with feasibility and cost issues to inform regulations that aren’t burdensome to industry and eliminate impediments to responding to transportation security incidents.
RadiApparently NMSAC was unable to line up an appropriate briefer for this item. The Chair noted that the program for the Advanced Radiation Portal Monitoring (ARPM) had been scrapped and asked what other Committee members had heard. One member noted that RPM equipment had historically been bought by and paid for by the US Government. In the current austere budget environment CBP and the Domestic Nuclear Detection Office (DNDO) have been seeking to have ports to partially fund installations through proposed cost sharing agreements that some consider unbalanced. For example, for one project, the government proposed that it pay $750,000, while industry would fund $2.5 million. There is no budget for replacing the older equipment and something better is needed. The Chair summed the issues as 1) the appropriate cost share and 2) the ARPM program scrapped and no budget for replacing old RPMs that are past their useful life. Another member said it was more than just a cost share issue. Major ports are anticipating larger volumes will result from the Panama Canal expansion and have no confidence that CBP will increase the number of RPMs and people to handle the increased traffic. The increased traffic will come in more concentrated humps on larger ships. Ports are reconfiguring for efficiency and to reduce environmental impact. A first generation RPM just tells you there is radiation. The container then has to be diverted for a secondary inspection by a person with a hand-held device to determine the isotope. On-dock rail also creates problems. New investment is needed, but there is no government money. A representative of the American Association of Port Authorities (AAPA) commented that CBP was supposed to have a pilot project on on-dock rail, which more ports want to use for efficiency. CBP did a study, but says it has no money for anything else. If a port is reconfiguring, it is theoretically possible to get Port Security Grant money, if a letter is obtained from CBP stating that the relocation of RPMs is not a federal responsibility. New RPMs are not eligible for Port Security Grant funding because RPMs are federal assets. Given risk-based decision-making, the expectation is that the larger ports will continue to get it funded, but that smaller ports won’t or will be asked to pay more. Asked if the old RPMs will die before replacements are available, the AAPA representative said DNDO has some that can be used to replace like with like. She added that DHS needs to study what is needed where. Construction projects for expanded trade will come to a grinding halt while the RPM issue is sorted out. A NMSAC member pointed out it was not just a funding issue. It’s a productivity issue as well. Ports can’t expand and become more efficient. Another member suggested it was in CBP’s interest to make the process more efficient as a lot of time is wasted on secondary inspections. The Chair noted that at least 10 ports are trying to construction to deal with the post-Canal expansion trade upwelling. Although crunch time is two years away, the RPM issue is a problem now. It was agreed to seek a briefing on the RPM issue from CBP and DNDO at the March NMSAC meeting, with a view to providing a NMSAC recommendation to the Secretary of DHS.
Miscellaneous End Mattersation Portal Monitoring Replacement & Relocation
At this point there was an extensive discussion on how to organize the Working Group on Cybersecurity in response to the USCG tasking, including what it ought to address. After that, Mr. Owens commented that the identities of reappointed and new NMSAC members should be available by the next meeting. The White House had done whatever it needed to do and the names were out of the Coast Guard and up to the Secretary of DHS. One comment from the public was that MARAD had been working with the USCG and the Seafarers International Union on information security training for mariners that would be available on a DVD. The AAPA representative stated that two main items on her organization’s agenda were RPMs and the Port Security Grant Program. They were very concerned about the funding level and she urged NMSAC to weigh in against the Administration’s idea of bundling all DHS grant programs into one pot to be parceled out by the individual States. DHS should also develop performance standards for port security grants. It’s hard to defend the program on the Hill if you can’t answer the question “what are we getting for our money? Additionally, DHS should revisit FEMA’s two-year limit on grants this year. This policy was designed to get the money out into the economy faster, but two years is too short for the ports sector. Three years should be allowed. Another member of the public requested that the list of NMSAC members and their organizational affiliations be restored to the NMSAC area of Homeport and asked if the Committee’s business plan could be made available to the public. Mr. Ownes said he would look into what happened to the membership list and the Chair agreed to the latter request.
NOTE: This post, or any section of it, may be copied, distributed, and displayed and derivative works may be based on it, provided it is attributed to Maritime Transportation Security News and Views by John C. W. Bennett, http://mpsint.com.
