Nuclear security is a challenge in the best of circumstances. Those challenges may increase many times over amid the COVID-19 pandemic because government may not fully grasp the consequences and spillover effects of policies they adopt to deal with the pandemic on seemingly unrelated issues. For example, COVID-19 has undoubtedly resulted in enormous economic and social pressures across many societies and consequently, is likely to lead to greater psychological stresses. There is no doubt this will also directly or indirectly affect personnel in sensitive nuclear facilities, leading to potential insider threats. The Review Conference of the Parties to the Amendment to the Convention on the Physical Protection of Nuclear Material (CPPNM) in Vienna this July is a good opportunity to review the status of Personnel Reliability Programs (PRPs) while locating insider threats as part of broader physical protection measures as well.
In September 2020, the International Atomic Energy Agency (IAEA) held discussions over the impact of the pandemic on nuclear plant operations, safety, and security during operations under COVID-19 circumstances, radiation protection, and emergency preparedness. These discussions occurred in the context of the annual meeting of the International Nuclear Safety Group (INSAG), a group of top experts from around the world who debate and advise on nuclear safety issues. The experts highlighted issues like resilience and information exchange as key during these unprecedented times. The discussions also reiterated the importance of human resources, physical restrictions, and rules about maintaining appropriate distancing and emergency preparedness. The participants apparently also shared best practices for mitigation measures through a number of steps including “quarantine of new workers, temporarily halting construction work at nuclear power plants, [and] operating with reduced workforce.”
Even as these are important in addressing the physical protection and operation of nuclear plants, these discussions missed out on how some of these steps could aggravate insider threats, another important aspect of nuclear security. Insider threats could possibly worsen during extremely stressful conditions like the ongoing pandemic. The COVID-19 pandemic and related lockdowns in various countries have affected those countries’ overall economic conditions, leading to the scaling down of operations, employees being laid off, reduced staff presence in physical premises, and a certain proportion of the staff working in virtual mode. These may all be causes of possible resentment and disgruntlement among employees and thus could possibly increase the threat of insider attacks.
Why are insider threats a particular concern? Employees of nuclear installations and power plants, as well as security personnel posted at such sites, depending on the level of access, have a fair understanding of the functioning of nuclear facilities, their security systems, and their established security protocols, as well as any loopholes and security vulnerabilities that may exist. That these employees are authorized to go through the multiple layers of security systems in place increases the vulnerabilities. Because insiders are known and trusted colleagues, it is almost impossible for others within a facility to spot any odd or suspicious behavior. Institutional security culture-related practices need to be strengthened to ensure early reporting of potential dangers from insiders. Given the natural reluctance to report on friends and colleagues, especially in the middle of a job-killing pandemic, individuals need to be incentivized by institutions to report on warning indicators.
Even though insider threats may be rare, the consequences are serious when they do occur. Almost all the recent incidents of nuclear thefts or losses of Highly Enriched Uranium (HEU) and Plutonium (Pu) have occurred with the help of an employee, or even worse, the crime has itself been committed by an employee. This highlights the vulnerabilities and the salience of this growing threat. Such incidents happen because of many reasons, including an employee being unhappy with their employer or being tempted by financial and other perks. Writing about these issues, Matthew Bunn and Scott Sagan argue that “sabotage by disgruntled employees” has long created concerns in the nuclear industry.
One of the most effective means in checking insider threats has been by executing extensive background checks on possible employees before they are employed. These checks are repeated on a periodic basis or when an employee is being transferred to a more secure installation or is given a higher security project. But these are not foolproof measures and they provide no guarantees against security breaches. A more comprehensive and thorough approach – these could include ways to address a disgruntled employee’s problems, undertake better inventory management, and more stringent material accounting processes – is required. It should be noted that it is easier for employees to steal small quantities of materials in facilities handling materials in powder or liquid form because pilferage of small quantities can easily go unnoticed.
While such incidents may be isolated and occur within a particular security context, the experiences and lessons learnt from such incidents need to be widely disseminated. These are neither new nor specific to any country or region. Back in 1982, there was an incident at the Koeberg nuclear power plant in South Africa in which “an insider placed explosives directly on the steel pressure vessel head of a nuclear reactor and then detonated them.” The incident occurred prior to the plant becoming operational. There are also cases of rapid political radicalization that can wipe out the best of personnel reliability programs (PRPs) designed to address insider threats. Take the case of Ilyass Boughalab, a safety technician who had high level security clearance to the Doel nuclear power plant in Belgium. Around late 2011 or early 2012, Boughalab had become radicalized, joined the Islamic State, left for Syria, and was killed there. Although there is little indication that he actually sought to use his security clearance to threaten the plant itself, that his radicalization went undetected is troubling. Curiously, in 2014, there was an insider attack at the Doel-4 nuclear power plant which drained all the lubricant from the turbine, shutting the plant for months and causing hundreds of millions of dollars in economic damage, though the culprit was not caught and the attack itself has not been linked to Boughalab.
Often, insider threats are looked at in the context of a disgruntled employee having an incentive to strike out of anger and resentment at their employer. While many atomic energy managers have said that they have “managed to keep operating safely” even during the pandemic, one can never be complacent about employee contentment. The IAEA has been proactive in this regard, and launched a COVID-19 Operational Experience Network, a pilot peer-to-peer network aimed as a “repository for planned or implemented response actions” during the pandemic. This is a useful step, but there are no perfect or foolproof solutions to this problem. The fact that such insider threat possibilities in the context of the pandemic have not figured prominently in national or international discussions should be of concern. The July Review Conference of the Parties to the Amendment to the CPPNM is a useful opportunity to highlight the importance of insider threats and take appropriate steps both at the global and national levels.