Insider threats are the most serious challenge confronting nuclear facilities in today's world, a Stanford political scientist says.
In every case of theft of nuclear materials where the circumstances of the theft are known, the perpetrators were either insiders or had help from insiders, according to Scott Sagan and his co-author, Matthew Bunn of Harvard University, in a research paper published this month by the American Academy of Arts and Sciences.
"Given that the other cases involve bulk material stolen covertly without anyone being aware the material was missing, there is every reason to believe that they were perpetrated by insiders as well," they wrote.
And theft is not the only danger facing facility operators; sabotage is a risk as well, said Sagan, who is a CISAC senior fellow and professor of political science.
While there have been sabotage attempts in the United States and elsewhere against nuclear facilities conducted by insiders, the truth may be hard to decipher in an industry shrouded in security, he said.
"We usually lack good and unclassified information about the details of such nuclear incidents," Sagan said.
The most recent known example occurred in 2012, an apparent insider sabotage of a diesel generator at the San Onofre nuclear facility in California. Arguably the most spectacular incident happened at South Africa's Koeberg nuclear power plant (then under construction) in South Africa in 1982 when someone detonated explosives directly on a nuclear reactor.
In their paper, the authors offered some advice and insights based on lessons learned from past insider incidents:
Don't assume that serious insider threats are NIMO (not in my organization).
Don't assume that background checks will solve the insider problem.
Don't assume that red flags will be read properly.
Don't assume that insider conspiracies are impossible.
Don't assume that organizational culture and employee disgruntlement don't matter.
Don't forget that insiders may know about security measures and how to work around them.
Don't assume that security rules are followed.
Don't assume that only consciously malicious insider actions matter.
Don't focus only on prevention and miss opportunities for mitigation.
The information for the research paper emanated from an American Academy of Arts and Sciences project on nuclear site threats, Sagan said.
"It was unusual in that it brought together specialists on insider threats and risks in many different areas – including intelligence agencies, biosecurity, the U.S. military – to encourage interdisciplinary learning across organizations," he said.
Sagan explained that the experts sought to answer the following questions: "What can we learn about potential risks regarding nuclear weapons and nuclear power facilities by studying insider threat experiences in other organizations? What kinds of successes and failures did security specialists find in efforts to prevent insider threats from emerging in other organizations?"
He noted that only a few serious insider cases in the U.S. nuclear industry have arisen, thanks to rigorous "personal reliability" programs conducted by the Nuclear Regulatory Commission and the U.S. military for people with access to sensitive nuclear materials.
But there is room for improvement, Sagan said.
"These programs are effective," he said, "but they are not perfect. And relative success can breed overconfidence, even complacency, which can be a major cause of security breaches in the future."
For example, the nuclear industry needs to do more research about how terrorist organizations recruit individuals to join or at least help their cause. It also needs to do a better job on distributing "creative ideas and best practices" against insider threats to nuclear partners worldwide.
Sagan said the U.S. government is not complacent about the danger of insider threats to nuclear security, but the problem is complex and the dangers hard to measure.
"Sometimes governments assume, incorrectly, that they do not face serious risks," he said.
One worrisome example is Japan, he said.
"Despite the creation of a stronger and more independent nuclear regulator to improve safety after the Fukushima accident in Japan, little has been done to improve nuclear security there," said Sagan.
He added, "There is no personal reliability program requiring background checks for workers in sensitive positions in Japanese nuclear reactor facilities or the plutonium reprocessing facility in Japan."
Sagan explained that some Japanese government and nuclear industry officials believe that Japanese are loyal and trustworthy by nature, and that domestic terrorism in their country is "unthinkable" – thus, such programs are not necessary.
"This strikes me as wishful thinking," Sagan said, "especially in light of the experience of the Aum Shinrikyo terrorist group, which launched the 1995 sarin gas attack in the Tokyo subway."