BDG Postal Terrorism White Paper

The Business Development Group

Providing accelerated processes designed for rapid results, strategic development, franchise development, business stabilization and coaching since 1992.

Postal Terrorism White Paper

Economical Early Stage Controls and Countermeasures for Effective Management of Terrorism in Domestic Postal Systems

October 15th 2001

(Revised edition November 7, 2001)

By Peter C. Lytle

Some information contained herein is patent protected / some names are registered trademarks.

Economical Early Stage Controls and Countermeasures for Effective Management of Terrorism in Domestic Postal Systems

By: Peter C. Lytle

About the author:

Mr. Lytle is Chairman of St. Croix Advanced Computing, Inc. and its subsidiary, The Intelligent Kiosk Company, (IQk) (IQKCORP.COM), a mail security technology company where he directs research and product development. He is the founder and former Chairman and CEO of United Shipping & Technology, Inc., the largest same-day postal delivery company in North America. He has also managed and directed one of the county’s largest sterilization projects, focusing on biological hazard management using technology to create safe foods and pharmaceutical products. Mr. Lytle has extensive knowledge of the postal industry and technologies to detect and manage high-risk mail. He can be reached at his office in Minneapolis: 952-473-3831 or by e-mail at: plbdg@aol.com

SUMMARY

Terrorism is long-term threat to the United States postal systems *, both public and private. Few if any of today’s postal organizations are well prepared to manage security related to terrorists’ activities. The economic issues related to a terrorist attack using the postal system are far ranging and more serious than credit is generally given. Although it is possible to do fundamental later stage management of packages, the potential for higher death and injury counts is significantly greater. Using early-stage, inexpensive, and existing technology, terrorist acts using domestic mail systems can be effectively reduced. These methods can also institute trust in the United States postal systems by the American public and prevent the erosion of revenues and profits.

This paper will address the issues, impact, some solutions and conclusions regarding acts of terrorism involving public and private postal systems in the United States.

*Note: the use of the terms postal system/organization refers to the many hundreds if not thousands of postal and delivery companies that manage mail for both business and the public and should not be confused as only the United States Postal Service (USPS). Federal Express is referred to as FedEx and United Parcel Service is referred to as UPS in this paper. These names are registered trademarks and service marks of these companies.

I. BACKGROUND

The economies of today’s industrial nations are very much tied to the efficiency and success of their postal delivery systems. From exchanges of written and signed contracts to sending bills, moving merchandise and receiving payments, much of commerce in the twenty-first century is still very dependent upon the nations’ postal systems’ to inexpensively and accurately complete these transactions.

With so much commerce dependent upon domestic and international mail, it is a ripe target for terrorists looking to disrupt large segments of society for their own gains. The concerning factor is that comprehensive postal security has been largely ignored in most countries because it is seen as a daunting task that, heretofore, was not economically feasible. To pay for increased security without a demonstrated need would require increased postage, which would mean decreased revenues, and so on and so forth.

Times have changed.

A) Why Security Hasn’t Been Addressed

Postal security is a monumental task in all postal organizations, The security issues that face postal organizations in the United States and Europe begin with their ability to control vast and complex systems that differ greatly in size, scope, culture, customer needs and basic competitive economics. These countries postal systems can be broken down into both public and private companies, which occupy a variety of niches (i.e. USPS, UPS, FedEx, Deutsche Post, etc.). These organizations often partner or utilize third party providers for collection, sorting, forwarding, transporting, clearing, chain of control of secured mail, mailroom management and final delivery. Each segment may have a different security need and a vastly different take on the security process. There have been no consistent standards for mail security in the developed countries. Security related to loss and fraud, not as it related to safety, has been the primary focus of most inspection and security divisions of postal organizations. Security controls related to terrorism are both expensive and have not been considered by senders, recipients, or the postal systems themselves, to be of significant value since little activity related to terrorism has occurred in the US over the last several decades.

B) Current Lack of Controls

The U.S. public and private postal systems are the world’s largest. The USPS alone handles over 200 billion letters per year and provides a Universal Service Network that impacts up to 8% of the domestic economy and touches up to 9 million American jobs. This mailing system is based on trust, speed, competitive economics, privacy, freedom, and legislated equal access policies. Mail is generated by individuals, government agencies, corporations, and from both overseas and domestic senders. The vast majority of the senders cannot be verified or identified beyond a return address, which is not required on all mail. These pieces of mail are sent from thousands of different portals, each managed with differing levels of security. They come from grocery stores, printers, direct mailers, individuals, drop boxes and post offices. Security ranges from totally ignoring postal guidelines to managing a full range of controls. For the most part private and public front line postal workers and couriers are underpaid, and under trained for handling high-risk mail. They do not possess the skills necessary to identify a terrorist, a terrorist package or envelope or manage the secure collection of high-risk mail. UPS may require a check of mail in one of its drop off locations, but it does not look at all mail picked up from customers. FedEx will take anything a direct shipper (customer) gives it as long as the package fits their standard package control requirements. A test of FedEx and UPS recently demonstrated the ability to ship a package to a critical location without a check of the sender’s identification or verified knowledge of the package content, even though the forms request this data. The USPS will attempt to send all posted mail that comes from a mailbox. Small town post offices often receive mail with scant recipient and sender information, yet they do get the mail delivered. What other postal organization would even attempt this task? Quaint yes, customer-oriented and service-oriented yes, high-risk yes. Recent window tests of the USPS demonstrated a lack of upfront security, where “no questions asked” appeared to be the policy, even when the sender asked about the Anthrax issues.

Further, beyond all these points of entry, another security risk-compounding factor is that up to 26 separate steps may be involved in the collection, processing and delivery of a package or envelope. With each step a package or envelope takes in the postal management chain, the prospect of a security breach grows geometrically. UPS, FedEx and the like do have some logistical controls that are based on package size, weight, and knowledge of a large percentage of their customers, but not all. They also have the ability to tighten control of packages being shipped when a crisis occurs. This gives them a security control advantage over the USPS. But overall, they are equally unprepared for a terrorist threat.

C) The USPS as a Target

The USPS, because of its liberal and universal mailing policy (i.e.,“open”), will likely make it a target for terrorism. The USPS brand represents the United States government and terrorism against the USPS can more directly attack U.S. government policy. It could be construed that by using the USPS to deliver tainted mail, a terrorist is more effectively damaging the government than if they use FedEx to deliver the same mail. The USPS is not only a symbol, but also a likely target for repeat actions. While all domestic and European postal organizations are vulnerable to non-standard security breaches, no postal organization is better predisposed to take the lead and establish controls for safe mail management than the USPS, and no organization has more at stake. Like the Tylenol scare of some years ago, if the USPS acts quickly and decisively to lead the industry to establish better safety and security standards, it will be able to secure and regain the trust of the public and maintain its dominance, perhaps even expand it, even while temporarily sustaining a decline in shipping. If the USPS does not lead decisively, it faces becoming another Firestone, where customers’ confidence in the system deteriorates and they begin to reject the product in favor of other solutions. Companies like FedEx need to protect their brand differently than USPS must. FedEx is only subject to their own missteps in the next day and ground postal wars. The USPS brand on the other hand is the American Flag, and the postal uniform worker. It is subject to a far more complex set of negative brand impressions related to government actions and issues and thus must be constantly upgrading systems, public image, and focus on brand and image leadership to survive.

II. THE SECURITY RISK: TERRORISM

The ability to utilize the mail systems for transportation and delivery of products ranging from controlled substances to lethal and disruptive substances is well documented. In the U.S., the “Uni-bomber” demonstrated how easy it was to utilize the mail as a weapon of death. Most postal systems, particularly those in the United States, are very open to potential abuse. Smaller “anonymous” portals are the most vulnerable and pose the greatest risk to a postal organization. Clerks in stores and dumb package collection boxes offer absolutely no first level defense for terrorism. These portals can actually increase the risk of terrorism and increase the cost of managing terrorism in a postal system by up to 20%.

An astute terrorist organization with cells throughout the U.S. and Canada could easily send any variety of high-risk items through all our postal organizations from various locations. To be most effective it would seek a small town, maybe the local drug store mail center. From there the mail must pass through several major sort centers in populated areas. Depending on what is being sent, numerous high-risk mailings could cause significant financial damage, disrupt public stock markets and create a reign of terror to frighten the average individual. What company would not be concerned about letter bombs, what individual about contracting Brucellosis or Anthrax, or government worker about skin absorbed dioxins or poisons from letters or packages?

It would appear high-risk mail is going to be part of our future; it can be used as a weapon against the developed nations as well as the poor nations. Postal systems are relatively cheap to use, effective in what they do, allow a user to remain anonymous and have limited security measures to prevent terrorist activities. When high-risk mail is processed, the probability of increased exposure to the handlers and the public can multiply (depending on the mailed item) by up to a factor of four at each step of the process, making it a terrorist’s dream. With dozens and dozens of steps in a mail transaction, the risks related to mail processing of specific items can be far more significant than anyone has been willing to publicly discuss. These risk factors are derived from the highly automated and unsecured environment in which mail in developed countries is handled. It is also derived from the fact that mail often tends to flow unchecked/uncontrolled from small collection portals (i.e., home mail boxes, collection boxes, courier pick up, local postal facilities, direct mail facilities) into progressively larger, essentially uncontrolled (“low security/unsecured”) environments (central sorting systems) and is often processed through airports or major metropolitan locations.

This means that in the case of biological weapons, the more steps a terrorist can find in a mailing system, the more impact the biologics can have on the audience. That is the more points of contact, the greater chances to infect at the next point. There are a number of other items which also can become major security risks for the postal worker and the public. These range from drugs, volatile solutions, poisons, gases, chemicals, environmental hazardous materials, designer pathogens, radioactive materials, and bombs to suspect packages and letters. The environment in which a postal facility is operated is also subject to the creation of hazards. Postal facilities in both public and private organizations utilize high-speed sorters and moving systems. Postal organizations do not use positive pressure building systems, N95 central or personal air filters, equipment vacuums for “mail dust”, create ion charged packages or letters to control dust, and workers are generally not supplied with gloves, masks or goggles or have access to detection equipment.

In the United States postal organizations, customers are either identified by account or they can be anonymous. Senders wanting to breach existing mail security can do so by sending a package through an authorized customer (account) name or by sending an anonymous package or letter dropped in a public mail facility or private pick up location. The primary limitations are package size, weight and packaging materials. Bombs can be small and biologics even smaller. The mail is an ideal tool to send weapons long distances. Unfortunately, in this instance, the mail almost always gets there, or at least somewhere. So, the mail can be an effective and a mass method to spread weapons of fear and death anonymously.

III. CURRENT INABILITY TO SECURE THE MAIL

It can be assumed that both public and private mailing systems for years have been used to get controlled substances and destructive devices from a sender to a recipient. Most terrorist actions have gone unreported at the public level. Few have had lethal side effects at the handler level. Well-publicized cases have seen the terrorist caught.

A) Current Restrictions Are Weak

Competitive postal systems have allowed for anyone in a free state to utilize their delivery systems for whatever purpose they wanted as long as the customer followed the basic rules. (Rules, which were very, loose and not designed for security.) Developed countries have embraced the economics of physical and electronic delivery as a necessity of both commerce and communication. Because developed countries have encouraged “free trade” among their businesses and “freedom of access” to their citizens, security of mailed items has been both limited and minimally “budgeted.” Some European and Middle Eastern countries that have been the victim of terrorist activities in the past have installed more rigorous systems for review of mailed items both at the point of mail origin and at the recipient level. As one example, the sender has far fewer options of when and where to mail and lacks basic privacy. Controls by private enterprise in these countries have been more selective with customers and focus on creating a “known secure customer.” Managing mail in these countries has created a significant number of freedom restrictions, time delays in receipt of mail and impaired economic growth via these delays. These systems may not work well in our domestic and competitive environment.

In the United States, however, security of mail is very fundamental and based on past profiles of customer abuse, mailing locations, and certain known information about the package weight, dimensions and content. Customers are asked to follow mailing guidelines. Deterrence on the belief that “someone is watching” is the primary first line of security defense for postal organizations in the U.S. Fraud and theft have been by far the biggest issues, followed by damage, and mailing of controlled or hazardous materials. Terrorism has not been a top priority until recently. Even though most postal companies have plans or test systems related to terrorism, it does not mean the systems are in place to effect the control of terrorist activities. This author estimates that the cost of terrorist security and decontamination systems for domestic postal organizations would exceed $10 billion. The USPS alone would need to invest between $4 billion to $6 billion over a three to four year period in initial equipment and systems and up to another $1 to $1.5 billion annually in maintenance. To stop terrorist activities you need to identify, isolate and eliminate the terrorist. And adequate security controls need to be put in place to prevent terrorist use of the mails. To do that the government may have to reduce some personal freedoms. Further, in the case of domestic postal systems, consumer behavior will need to change to meet the needs of a safer mailing system.

B) Economic Issues

The goal of most businesses and individuals in the U.S. is to mail faster, at a lower cost, with a guarantee of an undamaged delivery and on time. We live in a free world where postal companies need to compete, and to make a profit. Postal organizations are expected to be fast, economical, and get the product to its destination on time and in good condition. If we analyze these factors, however greater speed means postal organizations have fewer chances to perform complete security checks of package content or customer verification. And, profit means postal organizations have fewer incentives to improve security and safety of the mail. Cost-effectiveness means postal organizations have fewer opportunities to institute complex technical security checks, to provide decontamination, or to selectively screen packages and envelopes and yet remain competitive. Many mail/package handlers work in cost-controlled, highly automated work environments which attempt to manage mail in the fewest possible steps with the greatest possible speed. Security is at best a secondary concern to the economics and efficiency of the entire mailing process. One postal organization will not do something all other organizations are not doing unless there is a distinct economic and competitive advantage. This may suggest a collaboration of postal companies be formed to develop and implement a terrorist security program, including shared data bases, screening and decontamination centers. If mail were critical to the national economy, military and public interests, it would make sense for competitors to come together and work on security issues collectively.

C) Few Government and Private Requirements / Standards or Controls Related to Terrorism in Postal Systems

The Federal government has few specific mail management regulations or guidelines that it imposes on domestic postal organizations to protect workers or the public from terrorists that may use their organization as a tool. Most regulations that do exist are fragmented and managed by an exceedingly vast collection of Federal, State and local government offices To manage a terrorist action effectively you need forensic/detailed information about the package content, destination and, if you can get it the sender. The possibility of any larger postal organization knowing sufficient details about all of their customers or the actual content of every package is an impossibility with the current technology employed. To coordinate all the various regulations and package them under terrorism guidelines and then tie them to customer and package content is a nightmare. Federal standards/guidelines for the management and control of terrorism in postal systems could take the mail out of the reach of terrorist activities.

While most postal organizations do try and provide some minimal level of control over the mail, it is not enough. They may try to have some knowledge of who the customer is or what the package content is, especially if they interact with the USPS or send mail on commercial air carriers. Many postal organizations, especially small ones, only have bare bones DOT or local regulations they must adhere to. The lack of corporate controls related to mail handling, lack of government-imposed laws and guidelines for safe mail management in private postal organizations (other than, FAA, EPA, OSHA or DOT) combined with competitive economics has made postal organizations unwittingly accept potentially higher levels of risk with mail in order to remain or become profitable.

Major postal organizations have also expanded into long-haul trucking, air, boat and electronic shipping. . There has been a rapid international expansion to grow more revenues. More third party relationships have been developed. More consolidation via acquisition has occurred. Creating a secure mail path has become more complex.

The USPS postal inspections division, mail handling divisions and unions do have stated policies, procedures and contracts that are supposed to control commercial users and provide the public with basic mailing guidelines. One reason mailing abuses occur is because these policies are not always understood. This can allow for breaches of security and constant pressure on the staff of the USPS to track, manage and control security on a limited budget. With the USPS losing both money and market share, it must be careful how it treats its customers or lose them to the competition. The USPS has a large intelligence gathering and security system. Fraud and theft have been a significant focus of this division thus far. Terrorism will likely be the focus of this division in the future. Because of their size and the information they will have access to, other major and minor postal organizations should consider partnering with USPS on terrorism security management. With the “not invented here” issues that face many postal organizations, this may be an unrealistic suggestion unless forced by a government branch.

Although it is difficult to put a number to the cost to our GNP from terrorist activities in the postal industry, it is possible to estimate what the cost would be to postal organizations. If a terrorist act stopped the shipment of all air-related mail, postal companies would lose between 5 to 25% of their revenues. The loss of productivity to the businesses they supply would be calculated in the billions of dollars. We have built a domestic postal system focused on speed. Business has developed an operational competency on speed. In the case of the mail, time is money. Yet our security methods / controls and regulations are such that “fast” has opened us up to fewer security checks and the greater potential of terrorism by mail. In the past, these risks were seen as acceptable and insurable. It is likely, however, that the cost of insurance for acts of terrorism will be so considerable in the future that all postal organizations will be forced to institute new safety and security procedures. If these procedures increase the cost of mail, and they will, revenues in postal organizations will drop and our economy will suffer. The USPS directly effects over $900 billion in the domestic economy. As the USPS suffers so will the rest of the postal organizations and economy suffer.

D) Right of Access

Various freedoms of access, privacy, nondiscrimination laws, and a need to be competitive have prevented the USPS from taking some of the steps its private competitors have with respect to security management. Simply put, the USPS is rarely allowed to refuse customers access to the mail and this has inhibited further advances in security screening and safety. UPS and its other private counterparts have some screening and competitive profiling security. They also have the ability to deny a customer access to their systems without the issues that face a quasi-governmental agency. FedEx, UPS and other carriers have taken advantage of focusing on higher margin products and customers, letting less profitable services and less identifiable customers go to the USPS. It may be no surprise then, that the USPS may have a bigger terrorist issue than other carriers. Because of this it will likely be dependent on congress for additional financial support to implement higher levels of security and still provide a universal service network. Will FedEx and others be given the same support; Likely no, unless they lobby together with their industry to create a standard safety program focused on terrorism security? Federal support money could be given out as a loan, intended to be paid back sometime in the future. The Senate Appropriations Committee under Senator Byrd and Dorgan are strong supporters of a safer mail system and the fight against terrorism and could be influential in helping this cause.

E) Security Vs. Organization Scale

The larger carriers such as USPS, UPS, FedEx, and Deutsche Post have security and postal inspection divisions that create security policy, implement random checks and police the security of the sorting and transporting and delivery systems. But, due to the large volume of mail sent each day, these checks are both inadequate and inefficient to stop the terrorist use of mail for the purpose of creating chaos. With smaller postal / mail delivery companies (ranging from couriers, air delivery, newspapers and direct mail), active security checks are far more limited and in many cases non-existent. Yet, the irony of size is that the smaller courier industry may actually provide better security than the largest of mail delivery companies. This is because the smaller providers tend to have a consistent customer base, they know the recipient and the package content, and know the sender and their employee on a personal basis.

F) Future USPS and UPS Union Issues Emerging From Security / Safety

The unique security issues a postal organization will face as the result of terrorist activities related to their service will significantly impact unionization issues and costs. Either a postal organization will become proactive in providing a safe work environment or the unions will force it on the organization. The cost of these union demands could well shift to a variety of potentially non-productive and higher levels of security requirements than is practical or economical. Strong union shops like UPS and USPS may be the losers if they do not become proactive in their security measures. Bigger issues may exist for unions as the postal organizations incorporate irradiation type technologies (a hot topic with consumer and fears to match) or create specialized handling jobs that might be considered dangerous and require specialized training. UPS may redesign their systems and force more high-risk packages onto FedEx, USPS or couriers if the UPS unions fear that they are being exposed to safety issues. This action might either disenfranchise some customers or could force bigger losses on USPS.

G) Level of Acceptable Risk

It is neither possible nor practical to achieve a 100% safe postal environment with today’s postal infrastructures. Risk is inherent in all occupations and all activities. You can get burned from a cup of coffee at McDonald’s, lose your finger in a Cusinart at home while making lunch, break a leg at the gym doing aerobics, or get hit by a car as you walk the dog. Considering the quantity of mail that exchanges hands in the U.S. and Europe every day, the lethal risk associated with handling, sending or receiving a package is lower than what? It is still lower than driving a car, being hit by lightening, dying from the flu, having heat stroke, having an allergic reaction to a vaccine, or even getting cancer. Does terrorism then change the risk factor for consumers? Terrorism is usually executed by a single or small group of invisible individuals, who create fear by doing something frightening and unthinkable. Sometimes that action can get out of hand and the little incident has a way of swelling into something enormous like exposing the public to smallpox with a “free gift promotion” from Publisher ‘s Clearing House, or managing to get a dirty radioactive package bomb to explode in an irradiation sterilization unit in Washington D.C. The risk may be small in fatalities, but large in gross impressions. Enough risk impressions could destroy the brand identity of the postal organization and perhaps put it out of business. In the case of a public company traded on the market, risk impressions (the number of times a consumer sees the same event in the media) could instantly collapse stock prices and create collateral damage for the competitive base.

H) The Marketing Constraints - “the Message that Sells is Faster / Cheaper; Not Safety or Security.”

Postal organizations have been in a significant battle for customers since the early 1980’s. With FedEx taking a run at the higher profit segments of the next-day mail business and stealing customers from UPS and USPS, branding and marketing focus has taken on greater importance. Brand leverage has been growing in all segments of the postal business with the most money going into advertising of new products and services over the last decade.

The primary branding initiatives of major postal organizations have been focused on “Guaranteed Delivery, Fast Delivery, Economical Delivery, Undamaged Delivery,” not on “Safe Delivery.” A review of available electronic and print consumer directed advertisements by postal organizations using the U.S. media has not found any ads in the last ten years that focused on safety for the postal workers, safety for the recipient, or safety for the sender.

This lack of safe mail advertising indicates postal organizations may believe this is a motivating concern for the consumer, or that consumers have no concerns for postal workers. Further, it is exacerbated by the fact that they do not have the ability to prove a high level of security exists. As a society, we have tended to accept the notion that there is inherent in everything some risk and that the risk is acceptable as long as it does not affect us and that U.S. postal systems are safe. Up to this point, everyone assumed that there was virtually no risk associated with mail delivery.

Although the current thinking about terrorists using any mail system for wide scale deadly activities has been downplayed, it is a logical and opportunist place for terrorist activities to occur. The United States and European postal systems are so focused on easy access and low cost to promote commerce, that they have become part of our underlying economies.

Both governments and postal organizations know there is no such thing as “acceptable death” or injury from the sending, handling, or receipt of mail in the US. The relatively insignificant cost of instituting higher levels of security should be considered a very easy thing for executives of postal companies to decide. But, will they? This author believes that “Safe mail” will be the selling proposition for all surviving postal organizations within the next two years. It may become a new service and also a reason for a customer to select a specific mail carrier. Creating a “safe mail” program should generate offsetting revenues of implementation cost for early adopters of safe mail security systems.

IV. DEVELOPING SOLUTIONS FOR EARLY STAGE SECURITY

A) Background

On the simplest level, postal or mail management can be broken down into four primary stages. The four stages are:

-Stage 1: The sender takes mail to a collection station or it is picked up.

-Stage 2: The collection station forwards the mail to a sort location(s).

-Stage 3: The mail may be transported to a distribution/customs location.

-Stage 4: The mail is delivered to the recipient.

Each Stage has multiple sub-steps, which are broken down into both manual and automatic tasks. Importantly, as mail moves from Stage 1 to Stage 4, the increased points of contact in mail handling geometrically expose the mail piece, the postal workers, and the recipient to more potential hazards. While each of these stages can become a security control point, making Stage 1 the most rigorous control point is by far the most effective strategy, as will be discussed below.

B) Decontamination at Stages 2 &3

Pathogenic organisms are one of the scariest of the weapons that the domestic and international terrorist has access to. They frighten us because we know little about them, who made them, what they look like or how to control them. They can be hidden in a small envelope or dusted on the outside of a package. We also know they can be indiscriminate killers used by individuals with little or no ethical or moral conviction.

Common biological organisms that have been discussed and reviewed by the government and Universities for weapons are Small Pox, Anthrax, Tularemia, Typhus, Tick-borne encephalitis, Bruccellosis, Rift Valley fever, and Q fever. There are a number of designer pathogenic microorganisms, which are located in universities, Russia, Iraq and potentially other countries, which could also be sent through the mail. Few if any of these organisms would be effective as a “traveling bio bomb” if they were just on the surface of a package or letter (due to the nature of the organism) but some could, nonetheless, do unthinkable damage in transit, moved through high speed sorters, or when opened.

Current security practice by postal companies is focused on the limited use of screening and automated managing techniques (such as decontamination) for mail once it has been captured, (i.e., at Stages 2 or 3). There are very limited systems, which are in use for proactive screening of mail in the United States, and virtually no proactive decontamination mail systems currently in use in the United States (except a few utilized in customs cases). Typical biological decontamination technologies are designed primarily for the food and pharmaceutical industry. Many postal companies in the U.S. and Europe have looked at non-invasive techniques for screening and decontamination of mail at stage 2 and 3 such as x-ray, CAT, and ultrasound. The quickest mass security measures to institute for biochemical threats would be at these stages. The most expensive measures are likely to also occur at these stages and do not solve the issue of stopping terrorism.

In the event of significant biological terrorist activity where a postal service is involved, decontamination of mail and selective sorting of mail will likely be the first major activity to occur in conjunction with heightened internal alertness. Decontamination would typically be done by exposing a package or envelope (once it has already been received into the mail system) to UV light, fumigating it, irradiating it (several methods exist), destroying the mail to control the threat, or presorting it to avoid destruction of non-decontamination compatible products. It is falsely believed that decontamination is both an effective and cost controllable solution for all of the potential organisms that could be sent through the mail.

Decontamination technologies are an impractical overall solution. Their misuse or a customer inability to accurately identify content will result in the destruction of hundreds of billions of dollars of products, exposing postal organizations to liabilities far in excess of their insurance limits or the customer’s desire to continue using these systems.

There are also limitations to other decontamination technologies: UV light is limited in density of penetration; fumigation chemicals like Chlorine Dioxide (CD), or pressurized CD, is less expensive, but dangerous, and requires extensive exposure time. Most other chemical sterilization focuses on exteriors and is less invasive, Microwaves works on limited products and with the presence of water, if at all; Ohmic processing requires the suspension of products in saline fluids, and light beam technology can cause extensive burning. There are also numerous environmental issues we face related to the chemical and irradiation technologies. Informed consumers will want to know if the technology causes a change in the chemical structure of an untested product, especially medications-- could it for instance cause cancer? Further, might the solution of “long-term decontamination” through irradiation and the like be of even greater risk (or greater perceived risk) to the population than the risk of bioterriorism? People may shun irradiated mail out of fear of being “irradiated” themselves unless significant information is provided via the media on the safety factors of this technology. Homeowners and local communities may issue concerns about being located near postal irradiation facilities. With all decontamination facilities, postal companies and sterilization companies will need to address the fear factors related to clean the mail. It is possible these facilities may need to be located in remote areas if there is sufficient public debate.

The ability to destroy some of these organisms is both difficult and untested and would require all mail go through a complete decontamination process to achieve maybe a 98% success rate. A 100% decontamination rate could be achieved on some products but would require extensive testing, and no one has ever done this on all the variations of mail and not using organisms like Anthrax or Smallpox. A 2% failure rate is a significant failure breach and repeated failures of this size could become paramount to a national crisis. To overcome this failure rate postal organization will need to develop a strong forensics trail that is built into their security plan.

If the chemical substance were something like prions, no level of discussed decontamination would be effective that would not also destroy the mail. Other organisms such as a designer ones, i.e., a smallpox virus attached to an Ebola virus, could be deadly enough to contaminate even collection boxes and any user of the collection box. Decontamination or sterile collection may need to begin at Stage 1.

So with just a decontamination approach at Stage 2 or 3, one is using a system that is extremely expensive, will destroy some of the mail it is supposed to “cleanse,” may cause consumer fear/concerns, and may not work on some organisms and ignores all the non-organism weapons. It may be a system that is the equivalent of locking the barn door after the horse has run away. Anthrax the current weapon of choice is not an uncontrolled contaminate, future organisms may be. Terrorists, like a virus will evolve as the technology to stop them evolves. Postal security investments must be made in anticipation of this, and that cost will be significantly higher than most organizations can tolerate.

C) Economics

The scope of problems related to terrorist attacks can be even more dire as you look at other weapons such as gas, poisons or explosives, or radioactive compounds. Use of decontamination technologies such as irradiation, as a final solution is not effective for these weapons and could in some cases trigger an explosive reaction. Irradiation has limits it cannot be used on various foods, candies, medical products, film, technology products, adhesives, and many chemicals without damaging these items. These products may comprise up to 20% of all mailed packages.

The cost of creating a risk acceptable stage 2 and 3 mail security program for USPS, UPS or FedEx could be as high as $28 per user, per year according to some security experts. Others believe total costs could easily reach over $10 billion in initial investment at the domestic level alone. That figure includes additional staff and training, additional equipment, insurance, and loss of revenues and capital expenses for environmental containment and management insurance and marketing. To lower the cost of terrorism security, postal organizations must think differently than they have in the past about mailing procedures, methods and rights. The mail industry has changed very little in its sending and receiving methods for over 150 years. Changing the security methods of the postal systems in the U.S, requires thinking based more on survival of the organization and serving the customer, and less on strictly the cost of delivery.

D) Stage 1 Controls – The More Effective Approach

With stage 1 Security Management, it is possible to create a cost-effective “safe” postal system that keeps mailing costs as low as possible and routes specific products to the least damaging security solutions in Stage 2 and 3, if necessary. This requires shifting some of the burden of the mailing and security process onto the customers. Existing automation and technology like those developed by the Intelligent Kiosk Company (IQk) and Visionics, Inc. can be used to actually create a safer and lower cost mailing environment than currently exists. Direct mailers/commercial mailers should be required to verify package content and perhaps run their mail through UV systems to sterilize the exteriors of packages. This group should have established standardized mailing guidelines for “safe mail” and be certified as a secure shipper. International shipments will need to be screened and if necessary decontaminated. The selected use of “smart” automated self-service mail machines will control the biggest volume of retail consumer packages and or letter, screening senders and package content and collecting mail in sterile collection bins.

Stage 1 security would only be a portion of the entire postal security system for terrorism and would be effective and cost efficient. To further reduce risks Stage 1 security would also require a variety of related screening technologies and follow-on decontamination technologies at Stage 2 and 3. Effective use of Stage 1 security would however reduce the need for extensive later systems, which are more costly. There would also be a need to communicate mailing options to the customer and identify all the methods available for mailing.

V. RECOMMENDED SOLUTIONS

A) The Problems and Causes

The underlying causes contributing to the lack of security and safety in the current mail management system make it very vulnerable to tampering and potentially terrorist activities. The interaction between both the public and private postal and delivery companies leaves the potential for terrorists to use one organization to penetrate the operations of another organization and still damage both brands (i.e.: FedEx moving next-day mail for USPS). To review, a number of security-related problems exist with the current postal systems both between differing companies and across country borders, but especially within the U.S. postal systems:

1. There are limited security / safety standards and regulations governing the domestic mailing process as it relates to terrorism. Laws that exist are inconsistent and lack coordination among controlling agencies.

2. There are multiple portals (points of entry) for mail that flows uncontrolled into various larger and also often uncontrolled collection points for consolidation prior to disbursement. (There can be up to 26 separate steps involved in collecting and then distributing a specific piece of mail).

3. There is often no knowledge of a huge number of customers, meaning anonymous mail is being mixed in throughout the process. These packages and letters lack printed or written labels with specific sender / receiver information, and their contents are not usually known. A postal organization will still do partial processing and hold mail which is not properly labeled.

4. There is limited tracking capability with most retail mail. At best it can be traced back to a route or a post office of the commercial mail location through which it was processed. A return address is no guarantee of the actual sender. With many postal / delivery organizations there is no way to quickly trace all mailed items back to the physical point of origin. Tracking forensics can take days and weeks for most mail. Private postal organizations are far more controlled but may lack verifiable customer identification information when items are mailed from a local non-company pick-up location or dumb collection box.

5. There has been little economic incentive to institute strict security measures. While there is awareness that insurance costs could rise and that a terrorist incident could have a large financial impact on a company and its brand, terrorist-related economic factors are still fairly small. The industry still has two key driving incentives: deliver the mails as fast as possible for as little as possible (faster/cheaper).

6. The mail is easy to contaminate with low levels of technology. Higher levels of technology can cause cross-contaminate of other mail. Once this mail is introduced into a system it can spread geometrically throughout the system as it comes into contact with more and more mail. The advanced technology necessary to create terrorism in postal systems is easy to acquire.

7. In the U.S., there is the possibility of violating specific and implied freedoms including the right of access to the mails and discrimination related to customer profiling. This may limit some of the potential security measures necessary to reduce the overall risk associated with safe mail processing.

8. When a postal company introduces a high-risk mail management system and makes this information public, it will allow a terrorist the opportunity to evolve their technology and strategies necessary to circumvent the management system.

B) Potential Alternative Solutions

With these problems in mind, there are specific steps that can be undertaken to make our mail management process significantly safer and more secure. It must be understood that there is probably no such thing as 100% secure and safe mail. There is always the possibility someone will find a way around even extremely rigorous security measures. However, there are steps that can and should be taken to tighten the security of our mail, steps which will significantly diminish the ability for the postal organizations to be unwittingly used as a terrorist tool. These steps can ensure we have a significantly safer mail system and will reassure a concerned public. Specific steps should include the following:

1. Focus on Early/First Stage Security Efforts and Develop a Forensics Trail

To best improve security and safety, the strongest effort should be made at establishing the most rigorous controls in Stage 1 of mailing. This will prove to be the least expensive route (versus having to completely recheck mail at every subsequent stage) and will enable suspect or dangerous mail to be caught early and either not allowed into the system or kept isolated before it contaminates or is lost in the rest of the mail as it goes through the collection/sort process. It also reduces geometric escalation of problems when suspect mail is not allowed to enter the system or can be tracked through the system, thus significantly reducing both cost and impact of high-risk mail. This helps to eliminate the problem of multiple portals of entry because all mail entering the system (no matter where it comes from) would be subjected to similar security controls, increasing safety for the whole system. At Stage1 a postal security measure will be focused on identifying the sender and the package or envelope contents.

The first line of defense in security for a postal organization must occur at Stage 1 of the process. Although it may be considered “unfriendly” to implement Stage 1 Security, it is a relatively low cost and a very effective step in the management of potential terrorism related to package delivery. With a Stage 1 Security effort, some of the burden of mailing will be put onto the consumer/user. But, with automation, this can be done with very little extra effort required by the consumer. Implementation of security at Stage 1 could cut by 15% - 30% the overall security costs for a postal organization. Stage 1 security measures would require more information about the sender for tracking, forensics, and evaluation purposes; more information about what is in the package; and a greater ability to isolate the original mailing location to avoid contamination of larger facilities and sterile collection containers.

2. Set Specific Standards

Standards and guidelines for postal security could be issued by either the government or by a collective collaboration of the major postal carriers, to which ALL system-wide users must adhere. Closing the current loophole of nonconforming/inconsistent procedures and standards will go a long way to preventing terrorists from finding easy entry points into the system. Introduction of new technologies could advance security measures greatly and should focus on providing easy, fast, convenient methods to assure these standards could be managed in retail, business, and commercial environments.

Specific mail security standards could include:

-Photo / Fingerprint (biometrics) identification of all individual senders/users of retail mailing locations.

-Cross-check of a national biometrics ID database against which these

images or information could be electronically compared and retail / public senders approved or denied the ability to ship if they are on a watch list.

-Certification IDs for commercial and business users.

-A printed label bar-coded with additional security information from both retail and business locations (similar to UPS or FedEx systems).

-A return address required verified by some form of identification (driver’s license, business location, etc.).

-Standard-sized envelopes or packages with material technology that allows non-invasive scanning to examine the contents.

-Proof of contents / listing of contents for packages.

-Standard tracking factors and a standard tracking system.

-Mail that has been security screened should contain a standard
“Security Cleared” stamp/sticker to confirm clearance and

making any invasive postal use more obvious. (All carriers should be

required to utilize the same seal, but contain their own registration

number for tracking back to the portal source.)

-Tighter controls of “dumb” and non-sterile collections boxes with a migration to “smart collection systems.”

- Develop sterile mail collection methods at the point of origin

- Create safer handling environments, using filtration, ventilation systems, etc.

These measures would help to ensure the mail is made consistently secure no matter where it comes from. The use of biometrics alone will significantly cut down on potential abuse of the mail at the retail level. For example the sender’s facial image could be compared within several seconds to a database of several million photos on file. With a match, the sender could immediately be denied the right to send their letter/package. Additionally for particularly dangerous suspects, a silent alarm could be sent to police or other law enforcement officials so they could apprehend this person. Biometrics would also aid in the forensics trail.

3. Separate Treatment for Business / Commercial vs. Private Individual’s Mail

Business mail would need to be pre-sorted from individuals’ mail. The company of origin would need to be certified and would be made responsible for ensuring its bulk mail is safe in Stage 1. (It is simply not practical for a direct mail company (like Amazon, or a Bank issuing Visa card offers) to have an actual person’s photo on each and every letter of solicitation. Instead, these mailing customers would be subject to industry or government prescribed security standards. Their mail may or may not receive the same processing as other mail collected allowing for postal organizations to reduce the cost of security management.

4. Increase Awareness/Information of Who the Sender Is

By example, use a printed label with a bar code on more mail, where each item sent can have its own transaction number along with up to 80 facts on file. High- risk mail will be more quickly isolated and a suspect traced. The information on file can be cross-referenced to any biometrics data collected; the sender’s name, return address, and package contents (among other things) can be identified if a problem occurs creating verification systems.

5. Maintain Customer Access

Retail and business customers have become accustomed to easy access to their postal companies. In order to provide continued access, security can be easily managed through intelligent or smart mail collection boxes. These intelligent collection boxes like those produced by IQk Corporation in Minnesota would use fair and basic criteria to screen for high-risk mail and suspect mailers. If the item listed is potentially dangerous or does not match the content metrics (weight or size), the transaction would be denied. If the sender’s photo matches a suspect photo on file in the criminal databanks, the transaction would be denied. If the sender refuses to give their complete information (name/mailing address/return address/etc.) or refuses to allow a biometrics image be captured, or tries to hide their face in the photo to avert detection (via hats/scarves/sunglasses/fake pictures/etc.) they would be denied the ability to mail a package from this location. They would, however, have access to the postal organization via a staffed location or a collection system that screens content and decontaminates everything.

Thus, the system grants access to those who volunteer all proper forms of information and identification. It is ideal for mail that contains easily damaged products or contents. Those who do not wish to divulge personal information are not forced to divulge this information. They are simply denied the privilege to use this specific mail system. This system becomes a deterrent and funnels high-risk mail to specifically trained staff or specially managed collection locations.

The use of “smart collection boxes or kiosks” primarily in retail and some business locations should help to keep security costs down and postage costs under control. The software and some of the hardware utilized in these systems could also be adapted to business and commercial locations.

Airlines, Banks and car rental agencies, have found that a significant number of customers have migrated to electronic kiosks for ticketing, banking, renting and related services, and consumers have readily adapted to these kiosks. IQk, Inc. a division of St. Croix Advanced Computing, Inc. the worlds largest provider of self-service intelligent mailing kiosks, has tested systems in over 500 location throughout the U.S. and with millions of packages mailed from these kiosks found that consumers accepted the technology. The use of automation and biometrics identification will minimize the involvement of labor and potentially speed up the process at later reception points, saving money (with proper / easily readable labels, etc.) so the process remains cost efficient and adds another layer of security to the postal system.

C) How It Could Work

To move to a Stage 1 Security program, postal companies need to begin with an automatic certification and verification process (for business) and a simple electronic identification process for consumers.

1. For Business Mailing

For business mailing the process would begin with the business being certified as a mail sender. This could involve identification of who at the company was responsible for overseeing the mailing process, training them in what to look for and for adhering strictly to the newly established mailing procedures. It could also involve ensuring that the mail area was a restricted area at the company. An automatic shipping kiosk or customized software run from a PC could be placed within the company to handle individual items or individual employee transactions. All bulk mailing could be subject to separate treatment which would involve review by the overseer, bundling the mail in separate bags, and tagging each with identification of time/date/company source/person responsible at the facility/etc. (All this information again could be entered into the automated shipping kiosk which would print out a bar-coded label for each bag.) Then these bundles would be picked up by the mail carrier and taken to a bulk mail handling facility. The operator there would log in all bundles, assigning each an identification number. These bundles would go through a screening process, if necessary. Once certified as “safe,” they would then go into the general mail and be ready to be sent to a collation facility to get ready for delivery to the final destination.

2. For Individual, Small Business and Retail Mailing

For individual, small business and retail mailing the process could start with an automated electronic shipping kiosk or computer station. These self-service kiosks or computers could be located anywhere and used by customers to ship a package or mail an envelope. (The unit also has the capability of servicing a courier route or providing counter assistance in post office lobbies via a postal window or wall deposit system.) This kiosk would include photo ID verification (biometrics), along with a magnetic card-license swipe, fingerprint, or passport number being entered into the system and compared vs. a national database.

The mailing process would work as follows. A customer would approach the kiosk and using both touch screen (for selecting functions) and keyboard (for inputting information), would begin the shipping process by selecting what function they wanted to perform (i.e. send a next-day package or letter) on the touch screen. The system would ask them to key in their name and address, as well as the destination address of the letter/package, use of account cards or face recognition would fill in sender data automatically and provide them a data list of all past mail destinations. The system’s touch screen and voice prompt would continue to walk them through the shipping process. Next, it would begin the biometrics identification process. It would ask them to swipe their driver’s license (or enter a passport number or green card number). The system would compare this with what they had keyed in. Using digital biometrics imaging it would already have captured their picture and be on-line comparing their photo against a criminal/suspect databank set up by the postal organization(s). In about 5-15 seconds their photo image would be scanned and compared against a databank as large as one million photos. Assuming they are not in the databank, they would proceed to choose their level of mail service, pay via credit card, receive a printed label from the machine, place it on the item, and then complete the mailing process by depositing the item into the drop box as it unlocks and laser scans the single item. If they were in the criminal databank, the kiosk would deny them the ability to ship a package and could send them to the window for further help, or in the event of a wanted terrorist, notify the police on-line.

This system would be able to readily screen out identified terrorists/criminals and deny them the use of the mail, making it much more secure. It would also record up to 80 different factors related to the transaction for any future tracing or identification needs, further contributing to making the system more secure. Utilizing this system would also be an easy way to create a preferred shipper / mailer status for easier future billing and credit transactions using a facial imprint as the sender verification to speed all future transactions.

In the mailing process, the kiosks or a window or wall mounted mail machine would ask the customer the content by voice or print. These machines can be designed to fully ADA compliance. Although no content information would be considered accurate, it would route packages or letters to specific screening technologies allowing for a reduction of product damage during security handling. If no content information is provided, the mailed item may be screened by non-invasive technologies and/or if necessary decontaminated. Self-service intelligent mailing kiosks, software, face identification technologies and related hardware are all tested, currently manufactured and available to manage this early stage security process with only a minimal need for customization. Test units could be in place in as little as 30 days.

Finally, a system capable of tracking the mailed item from its point of origin will need to be implemented for later forensic needs, or for decontamination, or for management of the mailed item. All technologies at this stage are also presently available, economical to set up and tested to work. All systems can be designed to isolate and hold mail in a sterile environment for decontamination if necessary.

At Stage 2 or 3, a system would be created for evaluating package content/identification (i.e., x-ray, Ultra Sound, CAT scans, some laser technology). For high-risk mail this could be followed by specific decontamination technologies for specific portions of the mail. Again all technologies at this stage are available and on a piece basis can be financially acceptable. By example IQk also makes a wall mounted system and remote collection office the size of a truck that can collect, do non-invasive screening of package content and deliver the package to a sterile collection bin.

At Stage 4 the recipient should have the ability to know if the mail received was decontaminated and has a method to identify the sender if necessary via information on the label. At the time the label is created from a self-service mail machine a web site address and security code can be added to allow a recipient the opportunity to view a photo of the sender. Since not all senders are individuals, a record of the inspected certification and mail origination verification would be shown.

D) Biometrics / Internet and Computer Technologies

A variety of biometrics identification and verification systems could, as options, be installed in all off-site or postal drop off centers. Couriers can hand carry systems (as simple as digital cameras and wireless connections to a central server) for customer pick-up locations. Home computers, or fully automated mail center computers with voice activated, touch screen monitors or keyboards (or all three) can create labels and print tracking codes indicating the point of mail origin and if the sender desires, adding their photo for the recipient. Printed labels eliminate misdirected mail and allow a (biometrics) image (face, fingerprint etc.) to be attached to the postal database. This biometrics data and other collected data can also be used for future tracing, and/or immediate screening of sender against a data base of know criminals. Its very use is a deterrent for use of mail for terrorism, creating a higher level of security for the recipient. Using face and fingerprint data in combination with account cards and licenses will also speed up use for repeat users. It would fill in the sender information, give senders/business users access to their previously mailed addresses and do automatic billing.

VI. CONCLUSIONS

· It is necessary for postal organizations to have better controls and understanding of who is mailing a product at the start of the process (Stage 1). It is the least expensive way to achieve security and prevent problems from multiplying once a “contaminated/problem” letter becomes mingled with other mail. It also creates a deterrent for terrorist activities where anonymous mailings no longer exist, giving postal workers and recipients a higher level of faith in the “system.”

· To create cost effective security measures for controlling terrorist activities, it is necessary to better understand what is in the posted package or envelope at the time it is initially mailed and to begin sorting mail at the point of mail origin to define what kind of screening or decontamination may be required.

· Once terrorism begins in a postal organism, it will continue for as long as that organization exists, unless checked with speed and extensive front-end controls.

· If a postal organization intends to add security measures to control terrorist activities, these measures must add value to the sender and the recipient. The measures must also be profitable for the postal organization.

· The burden of added security should be shifted (as much as is possible) to the sender preferably using technology such as self-service mailing kiosks, certification programs, and additional easily adapted screening and decontamination technologies for bulk mail. Self-service mailing kiosks or computer systems can help to reduce costs by lowering added labor at the postal organizations to handle security system, to increase efficiency by more accurately printing address labels, and to increase speed since the customer enters the information on their own.

· The technologies exist now to make an effective and safer mail management system.

· The largest survival threat will be to the USPS, (however UPS, FedEx, etc. with their focus on profits and rapid international expansion may also be targets). Postal organizations that do not adapt quickly will perish as customers go elsewhere.

· Brands will become focused on “safe mail.” Those organization that do not recognize this will and the fact that the mail is now part of the war on terrorism will have a significant problem with customers, profits, survival and employees going forward.

· The amount of money required to improving and securing the U.S. postal systems are so significant that it will require increases in postage costs, government loans, and Federal investments in organizations like USPS. Increased postage alone will not be significant enough to provide for a complete security program, and a terrorist will not wait for postal organizations to upgrade their systems.

· Safety guidelines written to manage terrorism security in all segments of the postal industry are needed. It is unlikely that companies such as FedEx will share their confidential security systems with companies like Edina Courier, thus governments or associations need to provide this service. We need a total domestic cure not just a bandage and shared use of security experts/information will provide even four man courier companies with safer mail handling procedures.

· The postal industry needs to focus on its own workforce and creating safe work facilities along with early stage security management to form a secure working environment.

Other revision notes: Since this paper was first written Anthrax has continued to spread in the USPS system and into five federal government buildings. The 15th case was confirmed on October 29th, one of the individuals was not connected to the USPS, the death toll continues to rise. The ability of these anthrax spores to spread is of considerable concern. It may appear that a terrorist is testing various methods to best utilize a limited supply of the organism or examine the extent to which the technology for controlling the organism has evolved.

The USPS using a facility in Ohio has successfully tested the use of irradiation on pathogenic organisms (not anthrax organisms) for the purpose of sterilizing mail. They intend to install units in postal facilities on the East Coast. The time required to install and upgrade the necessary security systems could take over two years and cost around $3 billion or more.

Attachments:

· Design for free standing, intelligent, self-service mail kiosks for collection of mail and mail/sender control

· Designs for intelligent, wall mounted mail collection unit and screening/detection systems (tested and

· Designs for clean mail collection house

· Early Stage security system flow chart

Note: Attachments are not sent with e-mail documents