18 August 2002
Source: Hardcopy from the General Accounting Office, which states that this document "is not available in electronic form at this time."

See GAO Report, Port Security: Nation Faces Formidable Challenges in Making New Initiatives Successful, August 5, 2002.

US Coast Guard port security zones: http://cryptome.sabotage.org/uscg-sz.htm

See also Global Security's National Port Readiness Network

Port and Maritime Security Act of 2001: http://www.worldshipping.org/port_rail.pdf

House Passes Legislation to Boost Port Security: http://usinfo.state.gov/topical/pol/terror/02060507.htm

14 local Port Readiness Committees (PRC’s): (permanent Chairpersons- local USCG Commander of the Port (COTP)

PRC Houston/Galveston
PRC Jacksonville
PRC Northern California
PRC Beaumont
PRC New York
PRC Hampton Roads
PRC Baltimore
PRC Pacific Northwest
PRC Los Angeles/Long Beach
PRC Charleston
PRC Savannah
PRC Corpus Christi
PRC Wilmington/Moorehead City
PRC Honolulu

[12 pages.]

United States General Accounting Office

GAO

Testimony
Before the Subcommittee on National Security,
Veterans Affairs, and International Relations,
Committee on Government Reform, House of
Representatives

For Release on Delivery
Expected at 10:00 a.m., EST
Tuesday, July 23, 2002

COMBATING TERRORISM

Preliminary Observations
on Weaknesses in Force
Protection for DOD
Deployments Through
Domestic Seaports

Statement of Raymond J. Decker
Director, Defense Capabilities and Management

GAO-02-955TNI

Mr. Chairman and Members of the Subcommittee:

I appreciate the opportunity to participate in this hearing on security for military mobilizations through strategic¹ seaports. The October 12, 2000, attack against the Navy destroyer U.S.S. Cole in Aden illustrated the danger of unconventional threats to U.S. ships in seaports. The September 11 attacks heightened the need for a significant change in conventional anti-terrorist thinking. The new security environment assumes that all U.S. forces, be they abroad or at home, are vulnerable to attack, and that even those infrastructures we traditionally considered of little interest to terrorists, such as seaports in the continental United States, are now commonly recognized as highly vulnerable to potential terrorist attack. These seaports are vital to national security. During a major war, the Department of Defense (DOD) would transport more than 95 percent of all equipment and supplies needed for military operations by sea.

____________________

1 Strategic seaports are those that would be needed by the Department of Defense in case of a major war.

[Images added by Cryptome. From http://155.217.128.44/tcweek98/rsoi01/RSOI01.htm]

Source

Source

Military commanders are required to protect personnel, equipment, and assets. To achieve this, commanders are required to apply a risk management approach. "Risk management" is a systematic, analytical process to determine the likelihood that a threat will harm physical assets or individuals and to identify actions to reduce risk and mitigate the consequences of an attack. The principles of risk management acknowledge that while risk generally cannot be eliminated, enhancing protection from known or potential threats can se e to significantly reduce risk.

As requested, my testimony focuses on (1) the security environment at domestic strategic seaports used by DOD for military deployments and (2) DOD's process for securing military deployments through those ports. My comments are based on preliminary results of work we are currently conducting for the Subcommittee on force protection for deployments through commercial seaports in the United States. We plan to provide Subcominittee with a report in October that will include recommendations, as appropriate. To perform our analysis, we visited 6 of the 14 designated strategic commercial seaports in the United States, 2 military-owned ammunition ports, and 3 military installations from which unit equipment was deployed overseas in 2001. At the seaports and military installations, we reviewed planning documents, interviewed a broad range of officials from several executive departments, and observed security measures.

Summary

Uncertainties regarding the seaport security environment exist because comprehensive assessments of threat, vulnerability, and critical port infrastructure and functions have not been completed, and there is no effective mechanism to coordinate and disseminate threat information at the seaports. These conditions compound the already difficult t4sk of protecting deploying forces and increases the risk that threats -- both traditional and nontraditional² ones -- may not be recognized or that threat information may not be communicated in a timely manner to all relevant organizations. Recent efforts by the Coast Guard and other agencies at the ports have began to address many of these weaknesses. The Coast Guard has initiated assessments of port vulnerability and infrastructure and is deploying additional teams dedicated to seaport security functions. Further, legislation curTently before the Congress proposes steps that may assist these efforts and provides for additional measures that could improve the coordination and dissemination of threat information.

____________________

2 Nontraditional threats can include natural or man-made disasters, such as hurricanes, industrial accidents, and cyber attacks.

We identified two significant weaknesses associated with DOD's force protection process for deployments through domestic seaports. First, DOD lacks a central authority responsible for overseeing, coordinating, and executing force protection measures while military forces deploy from domestic installations through U.S. seaports. As a result, potential force protection gaps and weaknesses requiring attention and action might be overlooked. DOD has such an authority for the overseas portions of deployments and is therefore better able to identify and mitigate force protection gaps there. Second, during some stages of a deployment DOD relinquishes control over its military equipment to non-DOD entities, including foreign-owned ships crewed by non-U.S. citizens. Altho~igh these practices are consistent with curTent DOD policies and procedures, they limit DOD's ability to oversee security measures. As a result, equipment could fall into the hands of individuals or groups whose interests ran counter to those of the United States.

Background

DOD defines force protection as "security programs designed to protect service members, civilian employees, family members, facilities, information, and equipment in all locations and situations, accomplished through the planned and integrated application of combating terrorism, physical security, operations security, personal protective services, and supported by intelligence, counterintelligence, and security programs."³ Our review concentrated mostly on the physical security and related aspects of force protection that include measures to protect personnel and property and encompass consequence management, intelligence, and critical infrastructure protection.

____________________

3 DOD Instruction 2000.16, DOD Antiterrorism Standards, June 14, 2001.

We have identified a risk management approach used by DOD to defend against terrorism that also has relevance for the organizations responsible for security at commercial seaports. This approach can provide those organizations with a process to enhance levels of preparedness to respond to terrorist attacks or other national emergencies, whether man-made or unintentional in nature. The approach is based on assessing threat, vulnerability, and the importance of critical infrastructure and functions (criticality).

Threat assessments identify and evaluate potential threats on the basis of factors such as capabilities, intentions, and past activities. These assessments represent a systematic approach to identifying potential threats before they materialize. However, even if updated often, threat assessments might not adequately capture some emerging threats. The risk management approach therefore uses vulnerability and criticality assessments as additional input to the decision-making process.

Vulnerability assessments identify weaknesses that may be exploited by identified threats and suggest options that address those weaknesses. For example, a vulnerability assessment might reveal weaknesses in a seaport's security systems, police force, computer networks, or unprotected key infrastructure such as water supplies, bridges, and tunnels. In general, teams of experts skilled in areas such as structural engineering, physical security, and other disciplines conduct these assessments.

Criticality assessments evaluate and prioritize important assets and functions in terms of factors such as mission and significance as a target. For example, certain power plants, bridges, computer networks, or population centers might be identified as important to the operation of a seaport or the local public health and safety. Criticality assessments provide a basis for identifying which assets and structures are relatively more important to protect from attack. In so doing, the assessments help determine operational requirements and provide information on where to prioritize and target resources while reducing the potential to target resources on lower priority assets.

In the event of a major military mobilization and overseas deployment, such as Operation Desert Shield, a large percentage of U.S. forces (equipment and other materiel) would be sent by sea through a number of commercial seaports in the United States to their respective areas of operations. The military also uses commercial seaports for deployments such as the operations in the Balkans. The Departments of Defense and of Transportation have identified 14 seaports as "strategic," meaning that they are necessary for use by the military in the event of a major war. DOD has also identified two other commercial ports and three military-controlled ammunition ports as important for a mobilization surge.

Because the security activities that DOD may conduct outside its installations are limited, it must work closely with a broad range of federal, state, and local agencies to ensure that adequate force protection measures exist and are executed during deployments through strategic seaports. Force protection responsibilities for DOD deployments through commercial seaports are divided among a number of DOD organizations including the United States Transportation Command and its components (particularly the Military Traffic Management Command and Military Sealift Command), the U.S. Army Forces Command, and the individual deploying units.

A National Port Readiness Network provides a common coordination structure for DOD, the Coast Guard, and other federal, state, and local agencies at the port level. The network is comprised of Port Readiness Committees at each strategic port to provide the principal interface between DOD and other officials at the ports.

The issue of security at the nation's seaports has been the subject of a recent study, as has the broader issue of homeland security. In fall 2000, the Interagency Commission on Crime and Security in U.S. Seaports reported that security at seaports needed to be improved in a number of areas, including

• coordination and cooperation among agencies;

• establishing guidelines for commercial facilities handling military cargo; and

• assessments of threats, vulnerabilities, and critical infrastructure at ports.

In February 2001, the Commission on National Security/21st Century (commonly referred to as the Hart-Rudman Commission) reported that threats, such as international terrorism, would place the U.S. homeland in great danger and that direct attacks on the United States were likely in the next 25 years. In addition to recommending national action, the Hart-Rudman Commission urged DOD to pay closer attenion to operations in the United States.

Current Risk Management Approach Creates Uncertainties in the Strategic Seaports Security Environment

The security environment at strategic seaports is uncertain because comprehensive assessments of threat, vulnerability, and critical port infrastructure and functions have not been completed, and therefore, agencies at seaports lack the information necessary to effectively manage risk. Recent efforts by the Coast Guard and other agencies at the ports about have begun to address several important security issues, and maritime security legislation before the Congress may assist these efforts. Further, the proposed legislation may provide a framework for seaport security at organizations to improve the coordination and dissemination of threat information.

Weaknesses Exist in the Process to Assess Risk at Seaports

There is a wide range of vulnerabilities at seaports, including critical infrastructure such as bridges and refineries, shipping containers with unknown contents, and the enon-nous volume of foreign and domestic shipping traffic. Many of the organizations responsible for seaport security do not have the resources necessary to mitigate all vulnerabilities. To determine how best to address security at seaports, it is vital for responsible agencies involved to follow a risk management approach that includes assessments of threat, vulnerability, and critical infrastructure and furictions. The results of these assessments should then be used to develop comprehensive security plans.

The organizations responsible for security at strategic seaports have increased emphasis on security planning. However, in these planning efforts, the organizations we visited applied the elements of risk management differently. At only one of six ports we visited were the results of threat, vulnerability, and criticality assessments integrated into a seaport security plan that included all relevant agencies. Specific weaknesses in the risk management approach used at ports we studied include the following:

• Individual organizations at the seaports we visited condu!cted separate vulnerability assessments that were not coordinated with those of other agencies and were not based on standardized approaches. ]~e Coast Guard has taken the lead in developing a standard methodology for comprehensive port-wide vulnerability assessments that it plans to complete at 50 major ports, including all designated strategic, seaports.

• Assessments of the criticality of seaport infrastructure were not done at all the ports we visited prior to September 11. The Coast Guard has since addressed this shortcoming by conducting assessments of high-risk infrastructure at all major ports. It coondinated the assessments with commercial facilities at the ports.

• In some cases, threat assessment information received by affected agencies is based on higher-level regional assessments that do not focus on the local port facility. These regional assessments, while helpful in providing a broader view of the security environment, do not provide sitespecific local threat information to the port.

• Agencies involved with seaport security have different concepts of standards for threat assessments and the degree to which threat information should be shared and disseminated. Some agencies have not traditionally shared threat information as widely as may be necessary for comprehensive security measures at seaports.

In addition to these specific weaknesses, we found that there is no single entity at the seaports we visited to analyze, coordinate, and disseminate information on the broad range of threats at each port on a routine basis. Most threat information at the ports was coordinated on an informal basis, such as through personal contacts between law enforcement individuals and those at other agencies. The lack of such a mechanism compounds the already difficult task of protecting deploying military forces and increases the risk that threats -- both traditional and nontraditional ones -- may not be recognized or that threat information may not be communicated in a timely manner to all relevant organizations. Currently, interagency bodies that may exist at or near these ports, such as Port Readiness Committees, Joint Terrorism Task Forces, or the newly formed Antiterrorism Task Forces, do not routinely focus specifically on coordinating threat information focused solely on the ports, and they were not designed to do so.

The Interagency Commission on Crime and Security U.S. Seaports noted in 2000 the importance of interagency threat coordination. Officials at seaports need a means to analyze, coordinate, and disseminate information on the broad range of threats they face. ~his includes information on ships, crews, and cargo, along with criminal, terrorist, and other threats with foreign and domestic origins. Although the commission did not recommend centralizing threat information distribution into a single agency or regulating dissemination procedures at seaports, it did recommend improvements in integrating threat information systems and improved coordination mechanisms for law enforcement agencies at the seaport level.

In prior work, we reported that DOD uses Threat Working Groups at its installations as a forum to involve installation force protection personnel with local, state, and federal law enforcement officials to identify potential threats to the installation and to improve communication between these organizations.⁴ These coordination mechanisms can help coordinate as much information as possible on a broad range of potential threats. Given the limited information on threats posed by less struc~tured terrorist groups or individuals, such a mechanism assists the installation commander and local authorities in gaining a more complete picture of internal and external threats on a more continuous basis over and above an annual threat assessment.

____________________

Recent Efforts and Proposed Legislation May Assist Port Security

Since the September 11 attacks, the Coast Guard and other agencies at ports have made efforts to improve risk management and security measures. The Coast Guard, traditionally a multi-missiion organization, has improvements refocused most of its efforts on waterside seaport security. In so doing, it has diverted resources from other missions such as drug interdiction. Examples of additional recent efforts by the Coast Guard and other agencies include

• formation of Coast Guard Marine Safety and Security Teams based at selected ports to assist in providing port security personnel and equipment;

• Coast Guard escorts or boarding of high-risk ships, including cruise ships in ports;

• Coast Guard escorts for naval vessels;

• establishment and enforcement of new security zones and increased harbor security patrols; and

• port authority cost estimates for improving facility security and interim security improvement measures.

Legislation on maritime security currently before the Congress (in conference)⁵ may promote and enhance these seaport security efforts. Some of the major provisions include

• vulnerability assessments to be conducted at ports;

• establishment of Port Security Committees at each port, containing broad representation by relevant agencies, to plan and oversee security measures;

• development of standardized port security plans;

• background checks and access control to sensitive areas for ort workers;

• and federal grants for security improvements.

____________________

5 S. 1214 passed the Senate on December 20, 2001. The House of Representatives passed an amendment to S. 1214 on June 4, 2002.

On the basis of our discussions with agency officials at the ports we visited, we believe that if enacted and properly implemented, these and other provisions of maritime security legislation should assist these officials in addressing many of the weaknesses we have identified. For example, comprehensive vulnerability assessments and the proposed standardized security plans could provide a more consistent approach to identifying and mitigating security weaknesses. In providing for port security committees and interagency coordination, the legislation also provides a framework for organizations at seaports to establish a mechanism to coordinate, analyze, and dissen-dnate threat information at the port level. There may be challenges, however, to implementing this legislation, including opposition to provisions for background checks for port workers.

Weaknesses in DOD Force Protection Process Increase Risks for Deployments Through Domestic Seaports

During our review, we identified two weaknesses in DOD's force protection process. First, DOD lacks a central authority responsible for overseeing, coordinating, and executing force protection measures at the domestic stages of military deployments through U.S. seaports. As a result, potential force protection gaps and weaknesses requiring attention and action might be overlooked. Second, there are instances during some stages of a deployment in which the Department relinquishes control over its military equipment to non-DOD entities. At these stages, the equipment could fall into the hands of individuals or groups whose interests run counter to those of the United States.

DOD Lacks a Central Authority to Coordinate and Execute Domestic Force Protection Measures

Deploying units traditionally focus their force protection efforts primarily on their overseas operations. Before they arrive in an overseas region, the units are required to submit force protection plans to the unified combatant commanders,⁶ who are responsible for force protection of all the military units in their region. The tactics, techniques, and procedures in the units' plans must match the guidance developed by the unified commander, who coordinates and approves the individual plans. This allows the comi-nander to ensure that a unit's plan has taken into account all current threats that could affect the mission and to accept or mitigate any security risks that arise.

____________________

6 Previously called the Commanders-in-Chief.

The situation for the domestic stages of a deployment different: there is no designated commander with similar centralized force protection responsibilities as those of the overseas unified combatant commander. This creates gaps during the domestic stages of a deployment in DOD's ability to coordinate individual force protection plans, identify gaps that may exist, and mitigate or accept the identified risk. The one coordination mechanism that is in place -- the Port Readiness Committees I previously mentioned -- are focused solely on port operations and do not coordinate all stages of a deployment from an installation through a port.

In the deployments we reviewed, we found that service guidance and DOD antiterrorism standards, particularly those that emphasize the elements of risk management (such as Army major command force protection operations orders), were not always followed in all phases of a deployment from an installation through a port. For example, the Military Traffic Management Command prepared security plans for port operations during a deployment that were based on assessments of threats, vulnerabilities, and critical infrastructure. However, the transport of military equipment to the port by commercial carrier was not always accompanied by such detailed plans and assessments.

Military Equipment and Cargo Are Sometimes Not Under DOD Control

During deployments from domestic installations through commercial seaports, there are three phases in which DOD either relinquishes control of its equipment to non-government persons (in some cases foreign nationals) or does not have adequate information about who is handling its equipment.

• Private trucking and railroad carriers transport equipment and cargo from military installations to seaports.

• Civilian port workers handle and load equipment onto ships.

• Private shipping companies with civilian crews sometimes transport DOD equipment overseas.

The deployments we reviewed from three military installatio in calendar year 2001 involved the use of road and rail contract carriers transporting equipment from a military installation to a port of embarkation, and all transports took place in accordance with DOD regulations. Contract carriers are required to provide security for the equipment they transport, including sensitive items. Although we did not review the steps taken by DOD to evaluate the contractors' security measures, the transfer of accountability to these non-govemment agents creates a gap in DOD's oversight of its assets between installations and ports.

Once equipment arrives at a commercial seaport, it comes under the control of military units responsible for managing the loadijn process at the port. However, civilian port workers, stevedores, and Ion shoremen with limited screening and background checks by port authorities, or terminal operators-handle n-dlitary equipment and cargo, as well as the loading and unloading of ships used to transport the equipment overseas. This was the case in all the deployments we reviewed. The stevedores or longshoremen were in the same labor pool as the one used for conunercial port operations. Organizations at some of the ports we visited are now implementing or reviewing efforts to increase screening of port workers. Maritime security legislation before the Congress includes provisions for background checks and access control for port workers. These measures, if passed, may help address this issue.

DOD also relinquishes control of its equipment when the equipment is placed aboard a commercial ship for transport overseas. The Military Sealift Command sometimes contracts or charters foreign-flagged vessels to transport military equipment. The Command reviews charter vessel crew lists to determine whether any crewmembers are known security threats. The deployments we reviewed, however, use foreign-flagged vessels with non-U.S. citizen crewmembers, including some from countries with known terrorist activities, who received and transported sensitive military equipment. Although several of the ships used in the deployments we reviewed did have DOD maintenance personnel aboard, the ship manifests did not indicate that armed DOD personnel were aboard. Some of the items transported by these vessels included Bradley Fighting Vehicles, 155mm towed howitzers, and LTH-60 Blackhawk helicopters, as well as smaller items such as 50 caliber machineguns; night-vision equipment; body armor; and nuclear, biological, and chemical protective gear.

When DOD relinquishes control over its equipment, it relies on nongovernment third parties to protect its assets. In ad mon, when these third parties include foreign nationals, there may be an increased risk of the equipment being tampered with, seized, or destroyed by individuals or groups whose interests run counter to those of the United States and increased chance that those weapons or equipment might be used against military or civilian targets. Additionally, placing military equipment outside DOD's control complicates the steps needed 0 mitigate the higher risk and could disrupt military units from performing their intended rnissions. DOD officials told us that the reasons for the use of commercial contract carriers include, among others, economy and efficiency over using government owned and operated vessels, and the adequacy and availability of the U.S.-flagged merchant marine.

Conclusion

The events of September 11 highlighted the vulnerability of the U.S. homeland to unconventional attack, and the resulting new security environment warrants that more attention be paid to the domestic phases of military deployments. Uncertainties in the security environment at strategic seaports and weaknesses in DOD's force protection approach result in increased risks that military operations could be disrupted, successful terrorist attacks might occur, or sophisticated military equipment might be seized by individuals or organizations whose interests run counter to those of the United States.

When we conclude our evaluation, we plan to provide the Subcommittee with a report in October that will include recommendations addressing (1) threat coordination at strategic seaports, (2) DOD's oversight, coordination, and execution of force protection for deployments through seaports, and (3) DOD's control over its equipment.

Mr. Chairman, this concludes my prepared statement.

Contacts and Acknowledgments

For further information about this testimony, please contact lat (202) 512-6020 or Robert L. Repasky at (202) 512-9868. Willie J. Cheely, Jr., Brian G. Hackett, Joseph W. Kirschbaum, Jean M. Orland, Stefano Petrucci, Elisabeth G. Ryan, and Tracy M. Whitaker also made contributions to this statement.

Transcription and HTML by Cryptome.