(FORTUNE Magazine) – Tom Ridge's Aug. 1 warning of an imminent terrorist strike on America, followed by reports that terrorists may be planning to hijack chartered helicopters in New York City, invites some fundamental questions about the current state of our national security. Nearly three years after 9/11, what exactly has been done to prevent terrorists and their weapons from breaching our borders? How have those measures affected the flow of goods essential to American and international trade? And will they be enough to protect us when the next attack arrives?

Even though there is widespread concern about the inability to crack terror cells and discover when the next strike is going to be, a close look shows that there actually have been some significant improvements to the safety of our borders. They include new initiatives that rely on information sharing from--and security enhancements by--big businesses. But there are also some troubling gaps, particularly in programs that aim to expedite the movement of goods across borders and monitor the contents of cargo ships.

The government's fundamental strategy is to erect a "virtual" border outside our geographic boundaries--a primary layer of security that begins at the point of origin of every foreign visitor, truck, and container, so that the physical border becomes the last line of defense instead of the first. "The key is knowing in advance who and what is on its way," says Reginald Boudinot, a border-security specialist at consultancy Booz Allen Hamilton, "stretching the borders so we know what is coming before it gets here."

Consider the U.S. Visitor and Immigrant Status Indicator Technology program, better known as US-VISIT, the border initiative on which the government is spending the most money. (Remember that mammoth $10 billion contract Accenture won a few months ago?) A computerized tracking system for the more than 40 million foreign travelers who visit the U.S. each year, US-VISIT aims to collect biometric data--a facial photograph and fingerprints--for every visitor who enters the country and store it on a database, which can be cross-referenced with criminal, intelligence, and immigration databases from numerous federal agencies.

But that data gathering doesn't happen only at the U.S. border. When a foreigner applies for a travel visa to the U.S. at a consulate overseas, his biometric data are collected there. When he arrives in the U.S., if the fingerprints or photo don't match, customs officers at the airport see a flashing red light on their computer screen. Last fall U.S. Customs and Border Protection also began to receive advance information from airlines about the passengers on every international flight bound for the U.S. so that they can check it against terrorist watch lists before the flights arrive. Robert Bonner, the commissioner of U.S. Customs and Border Protection, says that US-VISIT has already prevented several hundred people wanted for serious crimes from entering the U.S. (though he won't say whether any of them were suspected terrorists).

Unfortunately, though US-VISIT was launched in 115 airports at the beginning of this year (at a cost of more than $300 million), it won't be in place at all border crossings until the end of 2005. The rollout at busy land borders promises to be a logistical nightmare. Tens of thousands of manual laborers commute to work across some Mexican border crossings every day, for example. What's more, only foreigners who require travel visas to visit the U.S. are currently being enrolled. (By next month all visitors from Britain, France, and other so-called visa-waiver countries will have to be photographed and fingerprinted. Canada is exempt.)

US-VISIT has another serious limitation: If a terrorist were to enter the country for the first time under an assumed name with an expertly forged passport, there would be no way to verify his identity. As a result, in the future the U.S. government says it will require all foreign visitors to carry passports with biometric indicators. However, the U.S. is unlikely to have much success convincing foreign governments to adopt such passports until American passports meet the same rigorous standards--a step experts predict is still several years away.

Monitoring the flow of goods across the border is even more complicated and difficult than monitoring people. Everyone who enters the U.S. is interviewed and his baggage X-rayed. But only 2% of containers get the same level of inspection. Raising the frequency of cargo inspections would lead to the kind of border gridlock that nearly crippled the U.S. economy after 9/11, says commissioner Bonner. "The issue we've been dealing with," he says, "is how to increase security against terrorism without choking off legitimate trade."

To address the problem, the U.S. government is relying heavily on its virtual border--and on information sharing from American businesses--in a program called the Customs-Trade Partnership Against Terrorism (C-TPAT). Companies certified by the program receive a seal of approval that entitles them to expedited processing at the border. To qualify, all the stakeholders in the global supply chain--manufacturers, air, land, and sea carriers, brokers, and importers--need to submit a security profile outlining the steps their organizations have taken to protect their operations from terrorism. Importers, for example, need to demonstrate that they supervise all cargo that is introduced or removed from their supply chain; that they have procedures to verify the seals they place on containers; that they secure their warehouses and loading docks with perimeter fences, locks, and access controls; and that they perform periodic background checks on employees. Once a company is approved, its containers and trucks get to take the fast lane. "The system allows us to facilitate low-risk shipments so we can concentrate more intense security on high-risk shipments," says Asa Hutchinson, undersecretary for border and transportation security at the Department of Homeland Security.

So far more than 3,800 companies, including Motorola, Ford, and Target, have joined C-TPAT--representing half of all the goods that enter the U.S. The program has dramatically reduced wait times at the border for its participants--in many cases to below what they were before 9/11. Consider the U.S. land border with Canada, our largest trading partner. There, C-TPAT-certified companies get access to FAST (Free and Secure Trade), an initiative launched in 2003 that provides expedited processing and in some cases even a dedicated lane. Border processing for a truck carrying goods from multiple shippers can take more than two hours because both CBP officers and the brokers clearing the goods need to compare each item on the manifest with invoices provided by each shipper. But certification in the FAST program cuts processing to just a few minutes. Drivers get a FAST card and a transponder in their truck that transmits its manifest electronically to the customs agent as the truck approaches the border. Similar expedited programs also exist for people (see table).

So far C-TPAT hasn't proved to be a burden for most large companies. Multinationals have had sophisticated systems to track the flow of goods through their supply chain for years, and recent advances in RFID (radio-frequency identification) have made that even easier. "GM and a lot of other large companies were already spending a lot of time and money protecting their goods, plants, and employees," says Kevin Smith, the director of Customs Administration for General Motors. "C-TPAT brought a lot of divergent interests within the company--logistics, security, manufacturing, HR--to focus on that issue."

But critics have serious reservations about how the program is being run. "Customs doesn't even have the people to process all the C-TPAT applications, never mind to inspect and verify the applicants," says Stephen E. Flynn, a retired U.S. Coast Guard commander and a senior fellow at the Council on Foreign Relations, who recently published a book called America the Vulnerable: How Our Government Is Failing to Protect Us From Terrorism. Because of the shortage of personnel, more than 2,000 companies that have applied for C-TPAT certification are still waiting for a green light. Of those that have been certified, the government has validated less than 10% of the security claims. Flynn believes most companies won't make investments in the security of their supply chain if they know they probably won't have to pass inspection. "Before you offer someone a fast lane," he says, "you have to find mechanisms to validate that low risk is really low risk." A U.S. Customs spokesperson says that CBP has focused first on validating the claims of those companies that are perceived to have the highest-risk supply chains.

The virtual-border concept could be especially useful when it comes to cargo containers, which transport 90% of the world's goods. With the Container Security Initiative (CSI), launched in 2002, the U.S. government has placed its own customs officers in ports around the world. These Americans work with local customs agents to supervise inspections of containers bound for the U.S., identifying those likely to pose a threat well before they arrive on our shores. A so-called 24-hour rule requires manifests from all ships to be sent to customs officers a day before arrival. So far, 25 of the world's largest seaports have signed on, representing more than 70% of all goods shipped to the U.S.

The theory behind CSI is sound. But critics say CSI hasn't yet received the funding and manpower it needs to operate effectively. Of the Department of Homeland Security's $40 billion budget for fiscal year 2005, which begins in September, only $25 million has been allocated to CSI. In comparison, the government plans to spend $9 billion next year on missile defense, despite warnings from the Central Intelligence Agency that an attack on American soil is far more likely to come through a cargo container than a missile.

Meanwhile, government policy states that the American officers assigned to most foreign ports can't be out of the U.S. for more than a year, so there is constant turnover. And only about 100 officers are monitoring overseas ports at any given time. That means little inspection actually takes place. In Hong Kong, for example, one of the busiest harbors in the world, eight U.S. customs officers were able to inspect just a fraction of the 19 million containers that left port last year. More troubling, cargo containers typically make numerous stops at ports around the world before arriving in the U.S.; the average one from China makes 17 stops before it gets to its final destination. U.S. officers are not policing all those ports--allowing for many points of vulnerability along the way.

Although the U.S. government has made impressive progress in securing our borders, just about everyone agrees on one thing: It must do better. There's no time to waste.

Research Associate Joan Levinstein FEEDBACK nstein@fortunemail.com