Good morning, Mr. Chairman, Mr. Vice Chairman, and members of the Committee.  Thank you for the opportunity to present testimony today.  My name is Lisa Himber, and I am Vice President of the Maritime Exchange for the Delaware River and Bay.  The Maritime Exchange is a non-profit trade association representing the members of the commercial maritime industry in Southern New Jersey, Southeastern Pennsylvania, and Delaware, and our mission is to promote commerce at Delaware River ports.  We accomplish this by engaging on issues and developing programs to support the safety, security, economic viability and environmental health of the tri-state port complex.  Included among our 300 members are those companies and individuals who operate, or provide service to, the 2,800 vessels calling Delaware River ports each year.  Our membership includes regulated vessels, port authorities and private maritime facilities as well as the many businesses and individuals who need access to one or multiple facilities to do their jobs on a daily basis – such as tug and barge companies, steamship agents, labor organizations, surveyors, line handlers, and trucking companies, just to name a few.

 

Although the Maritime Exchange is focused on activity at Delaware River ports, we address issues of national significance with our sister maritime organizations under the umbrella of Maritime Information Services of North America, known as MISNA, as well as through NAMO, the National Association of Maritime Organizations. 

 

In addition, I serve as Vice-Chair of the National Maritime Security Advisory Committee (NMSAC), which as you are aware was established under the Maritime Transportation Security Act (MTSA) of 2002.  NMSAC has been actively engaged with the Department of Homeland Security on the Transportation Worker Identification Credential (TWIC) program since its initial meeting in March of 2005, and I’ll talk more about our recent in a few minutes.

 

I appreciate this opportunity to discuss the TWIC program and issues associated with implementation of the final rule issued in January of this year.  TWIC has long been one of the priority federal projects for my organization and our members in the Delaware River maritime community. 

 

 

The Exchange role in the port – Like most associations, the Maritime Exchange is an advocate on issues of concern to its members, much like a Chamber of Commerce.  However, what sets the Exchange apart from a traditional trade association is its operating role in the port.  The Exchange operates on a 24/7 basis, and one of our primary responsibilities is to collect, store and disseminate information on all commercial cargo ships moving through the port.  We also serve as a maritime information and communications hub for the region, conveying messages between ships and their shoreside service providers as well as distributing federal safety, security, operational, and procedural bulletins to the maritime businesses community.  Because of the importance of this function, which we have been providing since 1875, coordinating information through the Maritime Exchange communications center has been incorporated into the Area Maritime Security Plan for Coast Guard Sector Delaware Bay. 

 

In addition to our traditional Ship Reporting function, in the mid-1980s the Exchange began the development of what is now known as Maritime On-Line (MOL).  This system is a community-based information network which provides a mechanism not only to obtain anticipated, current and historical vessel movement information but also offers a tool for steamship carriers and their agents to submit cargo manifest data to U.S. Customs and Border Protection and advance electronic notice of vessel arrival and departure information to the U.S. Coast Guard.  Through MOL, the Exchange provides Delaware River port operators with a cost-effective means to both comply with federal information reporting requirements as well as to share information, such as manifest data or cargo release status, with local public and private sector transportation partners through a centralized maritime intelligence system.

 

Development of a regional standard ID –Because the Exchange had demonstrated its ability to bring together the various maritime stakeholders to develop, implement, and use a community information system, several members approached us in the late 1990s to discuss the feasibility of developing a system under Maritime On-Line which could be used to identify truck drivers accessing the various cargo facilities in the three states.

 

The Exchange organized a working group of system users and developed a set of requirements for what would become known as the Electronic Driver Identification (EDID) System.  By September of 2001, the system design was complete, and the Exchange was working to identify a means of funding the initial program development.  The premise behind this system was a centralized database and the issuance of an ID card that would be accepted at all participating Delaware River maritime terminals. 

 

Immediately after the events of September 11, 2001, Exchange members asked whether the system we had designed to identify truck drivers could be expanded to include anyone requiring access to maritime facilities.  Like truck drivers in the state of Florida, those doing business in the Delaware River were required to obtain multiple identification cards, and the maritime community agreed that development of a single, standard ID card would be a critical program under new heightened security programs at maritime facilities.

 

As a result, by December of 2001, the Exchange, in partnership with the Port of Wilmington, Delaware, had identified funding to develop a pilot program, and successfully programmed and tested what would become the Delaware River ID (DRID) system.  We subsequently received a Port Security Grant to expand this program.

 

It was because of this effort that the Delaware River was selected as one of the TWIC pilot program locations.  It was generally agreed that if such a system could work effectively at Delaware River ports, with three states and multiple private and public port facilities, it could work at all U.S. ports.

 

 

 

Having been involved in the TWIC program even prior to the establishment of the TSA and the August 2002 launch of the east coast TWIC pilot project, my organization and its members have been keenly interested in the successful deployment of this program. 

 

Members of the Delaware River port community participated in all three phases of the TWIC Pilot program, beginning with the Planning Phase which spanned the fall of 2002 through the spring of 2003, the Technology Evaluation from May to October of 2003, and the Prototype Phase, which started in November of 2004 and officially ended in June of 2005, although TSA continued to support Delaware River sites well into 2005. 

 

I believe everyone is aware that there were a great number of setbacks which plagued the TWIC pilot program, which was originally scheduled for completion in December of 2003.  Despite some of the problems encountered by the Transportation Security Administration, some of which were discussed at a hearing before this Committee last May, it seems clear that the pilot program did afford TSA with the opportunity to gain an understanding of what would be required to implement a program of this magnitude.

 

 

Program Deployment – Card Issuance – The Final Rule published in January is an extremely complex document which many maritime professionals are still working to comprehend.  However, we cannot emphasize enough that we believe the Department of Homeland Security made the right decision in separating the card application and issuance processes from the reader installation and usage processes.  Taken separately, each of these components of the TWIC program is extremely intricate and creates multiple possibilities to unduly hamper maritime operations if not implemented in a thoughtful and deliberate manner; we appreciate that DHS is allowing sufficient time to address the challenges of card issuance prior to attempting to introduce the component of accessing and communicating with a central TWIC database, which was never tested during the pilot program.  There is no doubt that had both phases been implemented concurrently, the transition to full program deployment would have been fraught with multiple unanticipated problems.

 

In drafting its final rule, it is evident that DHS took into consideration the thousands of comments submitted by maritime stakeholders in response to the Proposed Rule published last May.  Several of the issues cited have been addressed, such as the need to accommodate temporary and seasonal workers, and the elimination of the formal employer sponsor relationship.  In addition, the Coast Guard drafted a very clearly-written and helpful Navigation and Vessel Inspection Circular (NVIC) guidance document; and we appreciated the opportunity to comment on the draft document prior to its finalization.  This is not an opportunity the regulated public often enjoys.  

 

Needless to say, however, in a program of this scope, there still remain some additional questions and concerns about the regulation.

 

First, the rule is silent on the issue of casual labor, which is such an integral part of efficient maritime operations that it must not be overlooked.  While the regulation and the draft NVIC provide accommodation to escort non-TWIC holders, there is no clear pathway to implementing the escort requirement.  Foremost among the challenges is the fact most facilities operators within the Delaware River and elsewhere have determined that the secure and restricted areas defined in their security plans will be contiguous, such that the entire facilities are restricted.

 

The effect of that decision directly relates to the numbers of non-TWIC holders who may be escorted by any one-TWIC holder.  As outlined in the draft NVIC, escorting in a restricted area is limited to five non-TWIC holders for every one TWIC-holding escort.  In addition, unless this guidance changes in the final version, the escort must be constant and side-by-side (i.e., no monitoring via video or random patrol).  The impact of this can be seen in the following scenarios:  at the hiring hall, a longeshoreman offers to drive three or four of day laborers to the pier to report for work.  Upon arrival, these individuals may be assigned to work different ships, and therefore the TWIC holder is no longer in a position to serve as an escort for the others.  Or perhaps one of the workers is a female and the TWIC holder is male; surely he cannot be expected to stay by her side during the entire workday.  In any case, it is not conceivable that one worker could escort even one individual, let alone several others, on a constant basis while still fulfilling his own responsibilities.  In addition to the practical difficulties, in some cases the physical layout of the marine facility prohibits the ability of the card holder to fulfill his/her obligations.  For example, while it is obvious where the vessel berthed, the final resting place of the cargo is sometimes several hundred yards – or even miles – away from the vessel in a storage yard, warehouse or transit shed.

 

Further questions have arisen about the escort's liability and responsibility.  If an individual under escort causes a Transportation Security Incident or otherwise violates existing laws, regulations or facility/vessel policies, what is the ramification to the escort?  This question has yet to be resolved, and depending on the answer, it may be difficult, if not impossible, to identify willing escorts. 

 

Similar issues arise as they relate to truck drivers.  Many drivers arrive at Delaware River ports from other parts of the country.  Of necessity, until the program is fully implemented, these drivers will not have their TWIC cards, and with the sheer volume of trucks moving through facility gates every day, it is not feasible that facilities, importers, or others could provide resources to escort these drivers.  Even after initial TWIC rollout is completed, there will always be random arrivals by drivers who had never previously hauled cargo to or from maritime facilities.

 

The card application and issuance processes are not designed to accommodate long-haul truck drivers.  For example, during initial rollout, if a driver arrives at the Port of Wilmington, he can, and should, apply for his TWIC card at that time.   Yet the processes require that he return to the place of issuance to retrieve and activate his card after the security threat assessment has been completed.  Needless to say, the driver may be long gone from the area with no immediate opportunity to return.

 

Suggestions for addressing the above issues include:  allow TWIC applicants to designate that cards be returned to a different enrollment center than that where the individual originally applied, or include a mechanism to mail a card to an applicant’s office or home – or other appropriate location – after which the individual could return to a convenient enrollment location to activate the card.

 

In addition, facilities should be given the option to create a “temporary” credential or visitor’s pass in lieu of requiring escorts.  If appropriate, when the individual’s identification documentation is validated, his photograph could be taken and other information entered into the facility access control system.  If necessary, this information could be submitted to DHS.  Such a mechanism might be designed along the lines of the Florida “5 in 90” rule:  Florida State regulation allows for a temporary credential, and if an individual presents himself for access to a regulated facility more than 5 times in 90 days, he or she would no longer be eligible for a visitor’s card and would be required to obtain a Florida card.  Needless to say, both DHS and the maritime industry would need to agree to mutually acceptable details to implement such a program within TWIC, but the idea bears consideration.

 

A second major concern relates to the cost of the TWIC card.  Simply stated, the cost is too high.  Although we anticipated there would be a significant cost saving associated with DHS centralizing the purchasing and production of the cards, these do not appear to have been realized.  Again, keeping in mind that the maritime industry is highly reliant on casual, seasonal and temporary workers, there is little incentive for these individuals to seek employment at maritime facilities and vessels when the cost of such employment may exceed his wages for the day.  Non-profit organizations, such as the Seamen’s centers are also greatly impacted by the high price tag.  At the Seamen’s Center of Wilmington, where I serve on the Board of Trustees, the estimated cost to obtain TWICs for volunteers is $8,000; this represents an 8% increase in operating expenses for the upcoming year.  Also, of particular concern is the fact that an applicant is required to pay the full price at application, even if he/she is subsequently denied a card and it is never produced.  TSA should charge only the cost of processing the enrollment application and for the security threat assessment, with the balance to be paid only after the card is produced and activated. 

 

Third, one additional question has recently surfaced in our region:  how can we process TWIC applications for individuals who for religions reasons may not have their pictures taken or require that their heads be covered when photographed?  While I would not hazard a suggestion on how to address such an issue, it may not have previously been considered and is certainly a challenge DHS will need to address. 

 

These are just a few of the questions and concerns which have been raised over the last several months; there are countless others – far too many to address today.  However, we expect that many of these will be resolved when the final NVIC is released. 

 

In addition, there are a few issues the Maritime Exchange and others have raised in the past as preventing successful TWIC implementation, and we compliment DHS on the steps taken to address them.

 

Predominant among these has been the problem of successfully communicating information to the maritime industry – particularly as it relates to program setbacks and delays.  We appreciate that that the Lockheed Martin contracting team has established a TWIC Stakeholder Communications Committee specifically to address the issues of communications.  To date, the Committee has held only one meeting, so we are not yet in a position to evaluate its effectiveness; however we remain optimistic and look forward to working with the TWIC team toward a successful and smooth implementation.

 

In addition to efforts underway at the national level, our local Coast Guard personnel, who are responsible for coordinating activities between TSA, the contractors and the maritime community, have done an excellent job over the last several months in facilitating outreach sessions, helping identify enrollment center locations, and providing maritime stakeholders with information as it becomes available.  We are confident that local Coast Guard will approach the implementation and, ultimately, enforcement of the TWIC program with the flexibility it demands.

 

In addition, during the last five years, many have held the belief that the constant turnover in DHS, TSA and TWIC program office leadership has contributed significantly to the ongoing delay in implementing the program.  Over the last year, the personnel roster has been completely stable, and we are pleased to note that DHS seems to have addressed some of the internal issues associated with employee turnover.

 

Finally, the Exchange and others have expressed concerns about the fact that many of the critical technologies, such as communication with the database, use of biometrics, or individual (vs. corporate) program enrollment were not tested, or tested insufficiently, during the original TWIC pilot program.  We appreciate that DHS, as required by the SafePort Act, will conduct a TWIC pilot program to test reader technology and processes.

 

Installation and Usage of Card Readers – As stated previously, DHS elected to defer this component of TWIC implementation.  We enthusiastically applaud this decision and appreciate the efforts of DHS to work with industry to determine the appropriate technology for use in the maritime environment.

 

One of the key concerns expressed by those commenting on the Proposed Rule last spring related to the use of contact cards.  Requiring that a card be swiped at a TWIC reader would not only significantly delay maritime operations, but contact readers are more susceptible to failure due to environmental elements, and they also present an easy and attractive target to vandals.  In response, last November DHS asked the National Maritime Security Advisory Committee to develop recommendations for a contactless card reader which could be used at ports and vessels.

 

NMSAC agreed to accept this challenge, and it was my pleasure to co-chair the working group established to develop the recommendations.  The Working Group included approximately 130 individuals, not including the federal government participants, and was organized into a maritime team and a security technology industry team.  The maritime group was comprised of public and private terminal owners and operators, vessel owners and operators, maritime labor and employer organizations, trade associations, and a host of others.  These individuals, with counsel of the security industry team members spent the months of December 2006 and January 2007 developing a series of operating requirements which would guide the development of the technical documentation.  This document was completed by mid-February in advance of the February 28 deadline established by DHS.

 

For the most part, the technical team was able to meet the requirements outlined by the maritime industry representatives, and the technical specification endorsed by NMSAC reflects the combined efforts of the full working group.

 

However, there remains one critical area where the DHS and the maritime industry could not come to terms.  This relates to the level of protection which should be placed on the fingerprint template transferred between the TWIC card and the reader.  This is one of the single most important issues DHS will have to address as it enters the second phase of the TWIC rulemaking process. 

 

In its simplest form, DHS has stated that the fingerprint template is to be encrypted; the maritime industry holds that individual privacy is more than sufficiently protected simply by virtue of the fact that the TWIC will not contain a full fingerprint image but only a minutiae template which cannot be re-generated if it is “stolen” during contactless transmission.

 

The following text is excerpted directly from the NMSAC recommendations:

 

A.  Privacy and Security Considerations – NMSAC supports the inclusion of measures to protect individual privacy and acknowledges that this prerequisite, along with the need to enhance commerce and improve transportation security, has been included as a required goal of the TWIC program since it was announced in February of 2002.

 

It is our understanding that all personally identifiable information about an individual gathered during enrollment will be retained by TSA in its central data bank.  The card itself is expected to show and/or contain a photo, a unique cardholder identification number, and the individual’s biometric fingerprint template. 

 

In its design, TSA wisely elected to utilize the fingerprint template rather than a full fingerprint image specifically to address both privacy and operational efficiency concerns.  Since only a fingerprint template will be passed between the card and the TWIC reader, the information cannot be reverse-engineered to a full fingerprint image. 

 

Even if the template were “stolen” during contactless transmission to a TWIC reader, and even if somehow it could be used to replicate the original fingerprint, for which we understand no technology currently exists, the “thief” would not be able to use this illegal TWIC as the fingerprint image would not match his own when presented to a biometric reader in conjunction with a TWIC.  In addition, an individual interested in “stealing” a fingerprint would meet much less technical resistance and obtain a more accurate representation by lifting it from an object in a public place such as a car door, window or drinking glass.

 

B.  Operational Considerations – There are several concerns with encrypting the fingerprint template.  First, every transaction will require encryption and decryption, each of which affords time and opportunity for a problem to arise.  In addition, prior to encryption and decryption, some form of authentication or “handshake” between the card and reader is necessary to validate that the transaction about to take place is legitimate.  In order for such authentication to take place, some form of key management must be in place.  Thus, if a key is compromised at one instance, it affects every reader in that “key community.” 

 

In summary,

 

·        Adding encryption generally makes the TWIC system more complex and therefore more difficult to develop, use, manage, and maintain.

·        Adding encryption will slow processing time to read cards at vessels/facilities.

·        The use of keys places an administrative burden and certain liabilities (e.g., responsibility to ensure the key is not compromised) on those charged with key management.  Vessel and facility operators are neither prepared nor able to accept these responsibilities.

·        Adding encryption will increase TWIC costs.

 

Therefore . . . “Given the limited amount of information transmitted between the TWIC and the reader, the Working Group does not believe encryption will provide any additional security benefit, but it will increase both cost and processing time.” The NMSAC TWIC Working Group (TWG) closely studied the issue and as a group concluded that the operational complexities increase by a level of magnitude and to the point where they are not proportionate with any perceived benefit of encrypting the biometric template.   In short, there is no empirical evidence that encrypting the fingerprint template affords any additional protection of personal privacy.  

 

DHS published the NMSAC recommendations for public comment, approximately 30 organizations or individuals responded, and an overwhelming majority agreed with the NMSAC on this critical issue.

 

While it is possible that a compromise solution to this challenge may be identified, the NMSAC group was unable to explore these opportunities given the fact that DHS did not provide any indication that it would expressly require encryption of the biometric until February, after the maritime team had completed its work.  Further, DHS has not effectively presented rationale for taking this position; indeed, the original task statement presented by DHS stated that the recommendations shall incorporate “reasonable security and privacy controls,” which we believe the NMSAC-endorsed recommendations did. 

 

There are several other outstanding questions and concerns surrounding the selection and use of card reader technology.  These include the use of a PIN during the TWIC verification procedures, integration with legacy access control systems, and future expansion of the card.  However, we believe DHS will work effectively with the pilot program participants and the National Maritime Security Advisory committee to meet the challenges associated with this phase of the rulemaking process.

 

In addition to addressing the above, we suggest that DHS reverse its approach to the TWIC reader implementation.  Specifically, rather than first developing a TWIC reader specification and subsequently finalizing policy decisions and promulgating a rulemaking on reader usage, we recommend that DHS first resolve the TWIC policy questions (e.g., the requirement for use of readers at low risk facilities and vessels, processes for enrolling individuals who’s fingerprint can not be captured, access record keeping, etc), and then incorporate the appropriate technology to support them. 

 

Finally, we suggest that DHS work with industry in the pilot program design phase as well as its evaluation and subsequent rulemaking activities.

 

 

Over the years, the maritime sector perhaps more than any other has recognized the need to implement new programs and practices in an effort to enhance the security of our homeland.  We have dramatically altered business processes and worked closely with DHS agencies to help them achieve their missions.  As with many federal programs, we want to continue to work with TSA on the TWIC program to ensure there are no unintended consequences, such as those which might arise if we are unable to credential casual labor, and that the TWIC will be deployed in the safest, most secure, and efficient manner possible.

 

Thank you for the opportunity to speak today.  I will be happy to answer any questions you may have.