CHAPTER 6

Supply-Chain Security

A 2007 column in the Wall Street Journal urged executives to focus on four priorities based on the events of the summer of 2007. At the top of the list was “make supply-chain management a top priority.” The story went on to say, “Don’t wait for a crisis.”1 Much of the story focused on supply-chain security. In 2011, Janet Napolitano, the U.S. secretary of homeland security, wrote an op-ed piece in the Wall Street Journal titled “How to Secure the Global Supply Chain.”2

There has been a lot written on supply-chain vulnerability during crises or disasters such as the 9/11 terrorist attack in 2001 or natural disasters such as Hurricane Katrina.3 Not much attention, on the other hand, has been paid to day-to-day supply-chain security. As supply chains reach around the globe, potential security concerns are present every day. The focus of this chapter will be on developing a framework for global supply-chain security. With this framework, the supply-chain manager can develop strategies and tactics for maintaining security in the global supply chain.

Supply-chain security has four dimensions:

  1. Security of the product or service
  2. Security of the information flows
  3. Security of the money flows
  4. Security of the logistics systems

This chapter will look at each dimension in turn, provide a description, and give examples both good and bad.

The Product or Service

Security of the product or service itself has several dimensions. Underlying all of them is the question customers (meaning each successive link in the supply chain) must ask continually: “Am I getting what I ordered or expected?” Pharmaceutical companies are particularly at risk. Pills are small, easily counterfeited, valuable, and easy to conceal. If the customer does not receive the genuine item, lives and the company’s reputation are at risk. The more people who handle the drug before it reaches the consumer, the greater the risk of a security breach. According to the Pharmaceutical Security Institute, from 2000 through 2009, the number of seizures globally of counterfeit, illegally diverted, and stolen pharmaceuticals grew from about 200 to over 2,000. (Keep in mind that these are the shipments that were detected.) Over a third of the seizures in 2009 were in Asia. Pfizer Inc. reported that it “confirmed fake versions of its drugs in at least 75 countries, and in the legitimate supply chain in at least 25 countries.”4 In Europe alone, the so-called gray market for drugs (those obtained through illicit channels) is over €10 billion. Counterfeit drugs are estimated to kill at least 100,000 people per year.5 Of the drugs in circulation globally, 30%–50% are fakes with a value of $45 billion.6

Tracking Products

Pharmaceutical companies, for example, have elaborate procedures to insure that cheap generics or even placebos are not substituted for high-value drugs at some point in the distribution system.7 Their efforts are intended to insure that the end customer receives the medication that he or she is expecting. Oracle has developed tracking software to insure the integrity of the supply chain. IBM, 3M, and Abbott Laboratories have developed radio-frequency identification (RFID) tracking systems for drugs. Johnson & Johnson has developed verification software. A firm in Ghana has introduced a verification system based on validation codes and mobile phones.8 PharmaSecure, a New Hampshire start-up company, has developed a similar system and introduced it in India, where most of their employees are located.9

Outside the pharmaceuticals industry, Walmart has taken the lead in tracking products with RFID technology. They expect to tag all their products in their more than 3,750 U.S. stores. RFID tags not only help control inventory and especially inventory “shrinkage” (loss by theft) but can insure that the items they put on the shelves are indeed genuine and not counterfeits.10

Specifications

A company may receive the products it ordered from a supplier, but the products may not be made to specifications. Stories of toys painted with lead-based paint from China have made for sensational headlines.11 Again, people’s health and lives as well as companies’ reputations are at risk from such a security breach. Ironically, the lead in the paint came largely from recycled electronic goods shipped to China from the United States.12 Drywall from China has turned out to be a health threat because of unpleasant odors.13 Commercial products are not the only ones at risk. The defense supply chain has been contaminated with counterfeit, defective computer chips from China. The Department of Defense reported 115 such incidents between 2002 and 2008. Weapon systems from the F-15 fighter jet to the aircraft carrier USS Ronald Reagan have been affected.14

Quality

Products might not be made to the quality standards that have been specified or cheaper substitute raw materials or components might have been used. Products received could contain illegally obtained components through either outright theft or the theft of intellectual property. You may think you have an original product but find that you have a knockoff instead. Colgate warned consumers about authentic-looking tubes of their toothpaste that were labeled “Made in South Africa” (where Colgate does not manufacture toothpaste). The toothpaste was contaminated with diethylene glycol (DEG), the same poison found in Chinese toothpaste.15 Or suppliers may simply cheat. One businessman told the author he had received a container full of rocks instead of steel from a Korean supplier. Each holiday season, reports appear of gift recipients finding rocks wrapped in Chinese newspapers in the boxes supposedly containing video devices.

Long Supply Chains

Sometimes the length or complexity of the supply chain makes security difficult. China accounts for 53.8% of U.S. imports of ginger. In July 2007, ginger contaminated with the pesticide aldicarb sulfoxide, a chemical that can cause adverse reactions in humans, was discovered in a California food store. The investigators uncovered seven links in the supply chain from the farmers in China to the retail store. Discovering the actual source of the contamination was virtually impossible since for any given shipment arriving in a food store, the links in the supply chain could be different each time.16 Even in the highly regulated pharmaceutical industry, problems can arise with contaminated products. Shipments of Heparin from China, made from pig intestines and used in blood thinners, were contaminated.17 Estimates of the number of deaths resulting from the contamination range from 3 to 80.18 It took months to trace the source of the contamination. Heparin is not the only problem. The United States does not have the authority to regulate overseas suppliers of pharmaceuticals even though 80% of the active ingredients in U.S. drugs originate overseas.19 Can one depend on international partners to insure the safety of the global supply chain? The U.S. Food and Drug Administration (FDA) reported that their investigation into the contaminated Heparin was “severely hampered” by the Chinese government and that the Chinese government had done no investigating itself.20

Services

The service industry is not exempt from security issues. Many companies have found themselves in trouble with the immigration authorities because their suppliers were using undocumented workers.21 Or sometimes subcontractors will not have the skills they claim to have. Countries such as Germany with a long history of guilds are stricter about the licensing of service providers than is the United States. The United States has an array of licensing and bonding procedures to try to ensure integrity (but not necessarily competence) in the service supply chain, but these vary widely from locality to locality, and in fact, how often are credentials actually checked? The problem is exacerbated in global supply chains because the supply-chain manager may not even know what to ask for in the way of credentials.

The Customer

In addition to these upstream issues, downstream, the customer wants to feel secure that he or she is receiving the service expected. Often this may involve communication or miscommunication with no fraud involved. For example, anyone who has opened a bank account in another country knows the feeling of insecurity as to what exactly is involved. The Citizens Bank in New England (a subsidiary of the Royal Bank of Scotland) addressed this in Boston by printing their marketing materials and account information in Chinese. They wanted the large number of Chinese students in Boston universities to feel secure as customers in the supply chain.22

Information

Security of information flows is a persistent problem. Since much of the information these days flows by electronic means, the data must be protected from corruption, malicious altering, or theft. Fortunately, electronic transactions are now so ubiquitous that this problem is being worked on constantly, although with varying degrees of success. In global supply chains, there are so many issues other than security related to information flows—such as timing, measurement systems, language, and so on—that security is often a relatively low priority. As a result, one hears stories of customer information (which is processed in offshore facilities) being stolen and sold to competitors. Electronic information gathering is ubiquitous.23 Information, however, is not always electronic. The Boston Globe wrapped its newspapers and those of a sister newspaper (both are owned by the New York Times Company) in papers containing the names and credit card information of 240,000 of their subscribers and left them on street corners (intended for the distributors) for anyone to pick up.24

From 2006 to 2007, the theft of personal data tripled. More than 162 million records were reported lost or stolen in 2007, most in the United States, where disclosure laws make it easier to track incidents. Arrests or prosecutions were reported in only 19 of these cases. The source of the losses ranged from schools, to private companies, to government agencies and health organizations.25 A 2010 report by NetWitness disclosed that hackers had broken into the computer systems at 2,411 companies over 18 months, gaining access to a variety of information from credit card data to intellectual property.26

In addition to the problem of organizations failing to protect their data adequately, a major problem is that of employees not taking security seriously. Employees tend to value data according to the cost of the medium on which it is stored. For example, workers in the British tax agency sent (and lost) two computer disks (of nominal intrinsic value) through interoffice mail. The data on the disks had a street value of $2.5 billion.27 To make things worse, the apology letter sent to the “victims” contained unnecessary confidential information. (They sent 25 million letters, which means that many of them did not get to the intended recipient.) A further review showed that data had been lost from the same office eight times in the previous 2 years.28

The proliferation of laptop computers in organizations is increasing the problem of security. Laptops are routinely taken out of the office (exposing them to the risk of outright theft) and connected to the home organization’s central computer through a variety of sources from home connections to Wi-Fi connections in hotels and airports (increasing the chances of the data being intercepted). Booz Allen Hamilton, for example, supplied most of its 20,000 employees with laptops. Parts of the U.S. Treasury Department have up to 80% notebook computers in their computer mix. Millions of laptops are lost or stolen every year; 1 in 20 is recovered. Eighty percent of businesses report losing one or more laptops with sensitive information yearly.29 External threats are not the only problem. In the past 10 years, the IRS has opened 4,700 investigations into the illegal use of taxpayer information by its employees. The cases ranged from simple curiosity, to the sale of information to third parties, to blackmail and extortion.30 IT shops are having to rethink how they maintain the security of their hardware and the data contained in their machines in an environment in which it is increasingly easy to lose the data through theft or negligence.

Protecting Data

The primary methods of electronic data protection are passwords and PINs. Both are subject to an array of problems ranging from forgetting and sharing to outright theft. A recent poll in the United States, for example, found that the most commonly used password is “password.”31 More-advanced biometric methods, such as fingerprints and retina scans, have a higher degree of security but require specialized (and relatively expensive) equipment.32 The most recent development that shows great promise is the methodology requiring the user to type in a string of characters (such as a sentence). This is matched with a profile the user has entered earlier. If there is a match, the user is allowed access to the system. The Psylock method developed in Germany is based on 17 different biometric parameters.33 It cannot be shared with others because the user cannot verbalize the parameters. Psylock can even do ordinary tasks such as resetting passwords to avoid the practice of stealing passwords by falsely requesting a new one.34 In addition to its high degree of security and simplicity, the other advantages are that it requires no specialized equipment and works anywhere there is a connection back to the central computer.

Money

Security of money flows is often mixed in with information flows. A prime example of this is credit cards. The use of credit cards exposes the users (both payer and payee) to the risk of the payment being diverted. Additionally, the use of credit cards exposes the payee to the risk that the personal data required to complete the transaction will be stolen and used to make purchases without the owner’s knowledge or even used to steal the owner’s identity. The largest publicized case of this happening recently is the 2007 TJX security breach. Through poor security measures, TJX exposed at least 45.7 million credit-card users to loss of personal information. The encryption protocol at TJX was weaker than that recommended for home Wi-Fi systems, and TJX retained the data too long (increasing the probability of a security breach).35 Even if none of the data is used illegally, there is a significant cost to the banks, which must reissue credit cards to their customers at a cost of around $20 per card. TJX agreed to pay Visa and its banks up to $49.5 million to cover these costs.36 For a relatively small investment in better security measures, management could have avoided not only the payment to Visa but also the continuing bad publicity. Unfortunately, in global commerce, security breaches such as the one at TJX have become commonplace as data thieves continue to improve their methods faster than companies install methods to protect themselves. The 2011 Epsilon Data Management LLC security breach by hackers resulted in the loss of customer identification data by a number of large U.S. firms, including Kroger, J. P. Morgan, Chase, Walgreens, and Marriott.37 Other significant data breaches involving personal information and credit card information have been Heartland Payment Systems (2009), Sony (2011), the National Archives and Records Administration (2009), and the U.S. Department of Veterans Affairs (2006). No one, it seems, is immune to electronic theft of data.38

Elaborate systems have evolved to protect both the buyer and the seller in international commerce. Devices such as letters of credit and contract protocols were developed in an age when communication was by written document or telex and funds were transferred from bank to bank as a result of manual instructions from bank employees. In the electronic age, individuals are able to make transfers around the world from their banks to virtually any other banks. This ease of access to the system means there is a greater chance of misdirected transactions, lost transactions, or fraudulent transactions. Letters of credit and contract protocols are still important but are not guarantees of security. Both the buyers and sellers must have confidence that they will receive their goods and payments if a system of international commerce is to work.

The problem of money security is becoming exacerbated as more nontraditional organizations function as banks. In parts of the developing world, for example, the mobile phone companies are performing functions, such as transferring funds, that are traditionally done by banks. At times, even the medium of exchange is mobile-phone minutes.39 As funds flow through media such as mobile-phone networks instead of traditional channels, security of money flows becomes an increasing problem. For the global supply-chain manager, this phenomenon is not just a curiosity; it is one he or she must be prepared to deal with to insure security of money flows.

Supply chains do not always operate within the legal system. The flow of drugs from South America to the United States is through a complex, well-organized supply chain. To keep the flow of money back to Colombia secure, the organizations have begun using the legitimate banking system. They hire teams of workers to take bundles of cash to automatic teller machines (ATMs) in New York, making small deposits in each to avoid detection by the system. The organization then uses the ATMs in Colombia to withdraw the funds.40 This avoids the problem of having to carry large amounts of cash out of the United States (which must be reported) or engaging in complicated laundering operations. In other words, they have found a secure method of letting their money flow through the supply chain. Legitimate businesses would benefit from being half as clever as those operating illegally.

The Logistics System

Security of the logistics system is becoming ever more important. The most blatant of the problems is piracy. In addition to normal commerce, relief organizations are affected. A ship with relief supplies for Somalia, for example, never left the port in Kenya after being warned of pirates.41 Vacationers face the same risks. A French cruise ship and multiple private yachts have been seized by pirates in the same region. Despite the efforts of multiple governments, piracy off the shores of Somalia continues to be highly profitable for the pirates. Piracy is also common in the narrow straits between Singapore and the Philippines. Many heavily traveled shipping routes pass through areas where war or violence is common or a threat. Examples are the Strait of Hormuz between Iran and Oman (a major passageway for petroleum) or the Horn of Africa (at the southern exit to the Suez Canal). Ninety-five percent of the world’s trade, valued at $6 trillion in 2007, travels by water. The annual cost of piracy is estimated to be between $3.5 billion and $8 billion.42 “Ships and their crews disappear on the high seas and coastal waters every year, never to be seen again.” The problem is bad enough that the International Maritime Bureau has established a piracy reporting and rescue center in Kuala Lumpur. The U.S. Navy is active in responding to calls for help both directly and through the center.43

Because of the threat of terrorism in the logistics system, the U.S. Department of Homeland Security has formed the Customs-Trade Partnership Against Terrorism (C-TPAT). They provide statistics, suggestions, guidelines, and procedures regarding risk in the logistics system. For example, in a 2009 study of security breaches, they found the following:

  • 34% Conveyance Security: Conveyances not inspected
  • 35% Business Partner Requirements: Failure to Screen Business Partners
  • 41% Instruments of International Traffic (containers, trailers, pallets, etc.) not secured/properly inspected prior to loading
  • 44% Seal Controls: Lack of Seal Procedures
  • 53% Transportation Monitoring: Inadequate transportation Monitoring
  • 68% Security Procedures not followed (lack of checks, balances, accountability)44

In other words, the firms involved were not following even the most basic of precautions for protecting their shipments.

Ship Sizes

Another change that is causing increasing security problems is the size of ships. Larger ships are unable or have difficulty navigating traditional shipping routes. Ships that cannot go through the Panama Canal (opened in 1914 with locks to accommodate the ships of that era), for example, must go around Cape Horn or through the Strait of Magellan, both treacherous. (Panama is currently widening the locks in the canal.) Ships sailing from the U.S. West Coast or Canada to Asia travel a great circle route through the Aleutian Islands, again treacherous. Or the East Indies, in addition to harboring pirates, have waters that are shallow and passages that are narrow. Larger ships also run the risk of losing more cargo if there is an accident. Examples are oil spills from running aground or containers falling off ships. Estimates of the number of containers that fall off ships each year range from 2,000 to 10,000. An example so well known that it appeared in Ripley’s Believe It or Not happened in 1992, when one container full of 28,800 bathtub toys fell off a ship in the Pacific Ocean.45 Oceanographers have used the toys to track ocean currents. Some of the toys actually floated to the Atlantic Ocean.

The basic problem seems to be that shippers consider only the economies of scale in increasingly larger ships. If they considered the trade-off between size and security, they might prefer smaller ships, which are less at risk from treacherous waters because they draw less water and less at risk from pirates because they are faster and more maneuverable.

Another alternative for larger ships is to avoid routes such as the Panama Canal altogether. For example, containers may be off-loaded on one side of Panama and transported to the other side, where they can be reloaded on another ship; or they may be transported across the United States by train. On the other hand, this involves additional handling, which implies greater cost, security risk of loss, or risk of damage.

Summary

All supply chains, internal or external, domestic or global, have four dimensions of security. As supply chains expand around the globe and firms know less about their suppliers and customers and have less contact with them, the supply-chain manager must be aware of these security dimensions and devise ways of managing them. Overlooking any one of these dimensions can result in anything from a minor inconvenience to injury or death. How deeply into the supply chain one should exercise some control is a real question. The just-in-time philosophy, for example, says that a firm should trust its suppliers. The appropriate level of trust for a supplier in the same town or country, however, may not be appropriate for one halfway around the world. Should a firm care if its container is traveling around the Cape of Good Hope or going through the Suez Canal as long as it arrives when promised? Or should it be involved in these day-to-day decisions? What is the cost if your cargo is captured by pirates?

In the Wall Street Journal, Mark Vandenbosch and Stephen Sapp provide a four-point checklist for managing a global supply chain:

  • Constantly monitor potential risks from suppliers.
  • Make suppliers responsible and accountable.
  • Change the ways you test and measure to be more appropriate in the global arena.
  • Use government and industry regulation where it will reduce risk.46

With the framework of the dimensions of supply-chain security, an organization can divide its security concerns into manageable units and organize its efforts to protect itself, its customers, and its suppliers. In today’s global supply chains, not doing so amounts virtually to gross negligence. Take actions to protect yourself:

  • Use existing mechanisms to protect yourself against product and payment fraud. Examples are letters of credit and trade protocols in contracts.
  • Use tracking systems such as those involving RFID chips to ensure that the goods you order or ship are the goods that arrive.
  • Secure your financial transactions.

    ° Do not rely on passwords!
    ° Use biometric security methods.

  • Treat information and the media on which it is stored as you would any other valuable asset. Protect it, encrypt it, and limit access to it.
  • Assess the risks in your logistics system, assign costs to those risks, and take measures to mitigate against them. Use resources such as the C-TPAT 5 Step Risk Assessment Process Guide.47