Summer 2014 Bulletin

The Risk of Nuclear Terrorism from Insider Threats

Global Nuclear Future

A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes The risk of nuclear terrorism has guided and informed the work of the Academy’s Global Nuclear Future Initiative since its inception in 2008. The project’s most recent publication, A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes, by Scott D. Sagan (Stanford University) and Matthew Bunn (Harvard University), highlights one particular aspect of nuclear terrorism: the problem of insider threats. In the past decade, thanks to the enormous efforts of the United States, working in cooperation with the leaders of many other governments, NGOs, think tanks, and international organizations, there has been some success in preventing non-state actors from acquiring nuclear material.

In 2004, the Bush administration garnered consensus for the adoption of United Nations Resolution 1540 on Nuclear Terrorism. The resolution, sponsored jointly by the United States and France, and approved unanimously by the UN Security Council, states that the proliferation of nuclear, chemical, and biological weapons and their means of delivery constitute a threat to international peace and security. As such, the resolution requires all states to adopt legislation to prevent the proliferation of nuclear, chemical, and biological weapons, and their means of delivery, and to establish appropriate domestic controls over related materials to prevent their illicit trafficking. Two years later, the United States, in cooperation with Russia, launched the Global Initiative to Combat Nuclear Terrorism (GICNT), a multilateral initiative to strengthen the global capacity to prevent, detect, and respond to nuclear terrorism.

The Obama administration has endorsed the nuclear security agenda launched by President Bush and has worked to expand its mission and outreach. In his historic speech in Prague in April 2009, President Obama stated, “One terrorist with one nuclear weapon could unleash massive destruction. To protect our people, we must act with a sense of purpose without delay.” In the same speech, the president launched the idea of a new global initiative, the Nuclear Security Summit, to secure all vulnerable nuclear material around the world within four years. The Nuclear Security Summit has met every two years and operates on principles that are based on “Gift Basket Diplomacy,” meaning only invited governments can participate in the summit and those governments are expected to bring to the summit national pledges and commitments of their respective countries to ameliorate, enhance, and improve the enforcement and implementation of their national nuclear security regime.

Three Nuclear Security Summits have been held so far, and the list of invitees has grown together with the importance and relevance of the gift baskets that countries have been willing to commit to. The first meeting was held in Washington, D.C., in 2010 and forty-seven countries attended; the second meeting took place in Seoul, South Korea, in 2012 with fifty-three countries in attendance; and the third and most recent meeting was held in 2014 in the Netherlands with fifty-eight countries participating. The next (and perhaps final) summit is planned for 2016 in Washington, D.C.

These three Nuclear Security Summits have made significant progress toward forging global awareness on the issue of nuclear terrorism and creating international and domestic consensus to adopt costly yet necessary measures to protect countries from the threat of nuclear terrorism. Most notably, several countries attending the summits pledged their intention to convert civilian nuclear facilities from highly enriched uranium (HEU) to non-weapons useable materials. Included among these countries are some legacy countries, such as Mexico, Kazakhstan, Ukraine, Belgium, United Kingdom, and Norway, and some nuclear newcomers, such as Vietnam, whose nuclear energy program is only in its infancy. In addition, the countries in attendance, including Indonesia, which previously opposed the nuclear security agenda because it was seen as a way to discriminate between developed and developing countries, pledged to adopt more stringent borders and export control laws and to design better transportation, accounting, consolidation, and storage practices for nuclear material.

Despite geopolitical crises such as the one unfolding in Ukraine and the increasingly tense territorial disputes in East Asia among regional and great powers, global commitment and international cooperation focused on combating and eliminating the threat of nuclear terrorism have not been weakened. This development may suggest that leaders of countries with otherwise conflicting national priorities and strategic objectives acknowledge the need to work collectively to prevent terrorist organizations from gaining access to nuclear material.

Yet much remains to be done to address this danger. Most of the efforts to reduce the risks of nuclear terrorism focus on preventing external attacks that could create a Chernobyl-like event or would enable a terrorist to steal fissile material to make a nuclear bomb. Speculation that terrorist groups may orchestrate such an assault grew exponentially after the 9/11 attacks, with the continued U.S. entanglement in Iraq and Afghanistan, and with ongoing acts of violence on targets in other parts of the globe, including Pakistan and the Middle East.

This mindset, and the perception of the nature of the threat, has resulted in a widespread response that has focused on strengthening and enhancing the physical protection of nuclear facilities and reducing the amount of highly enriched uranium and plutonium that exists at vulnerable locations. The adoption of more sophisticated monitoring devices and the deployment of better equipped and trained armed guards have become the immediate strategy implemented to address the threat of nuclear terrorism.

The recent Academy paper, A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes, by Bunn and Sagan, argues that one major component missing in a long-term strategy to reduce the risks of nuclear terrorism is one that addresses “the insider threat.” Sagan and Bunn demonstrate how difficult it is to address hidden dangers that come from within nuclear facilities, from insiders who might steal critical material, assist terrorist groups, or engage in sabotage attacks. The authors write that the history of nuclear materials theft supports this concern about insider threats: “all of the cases of theft of nuclear materials where the circumstances of the theft are known were perpetrated either by insiders or with the help of insiders.”

There have been a number of “best practices guides” issued by the International Atomic Energy Agency (IAEA) and the World Institute for Nuclear Security (WINS) to address insider threats. To complement these recommendations, Bunn and Sagan’s “worst practices guide” identifies a series of common mistakes that organizations have made, drawing on episodes involving intelligence agencies, the professional military, secret service bodyguards for political leaders, security measures for banking and financial institutions, and the gambling industry, among others.

Some of the specific cases that Bunn and Sagan examine include the assassination of Indian President Indira Gandhi by her two Sikh bodyguards, the organizational failures that led to the first Ford Hood shooting by U.S. Army Major Nidal Hasan, and the case of Robert Hansen, who was found responsible for fifteen counts of espionage while serving within the FBI.

The overarching message of the paper is clear: “when it comes to protecting organizations from insider threats, do not assume, always assess – and assess and test as realistically as possible.”

Among the lessons learned that are discussed in the paper, three are particularly important. First, do not assume that serious insider problems are not in your organization. According to Sagan and Bunn, “Organizational leaders should never assume that their personnel are so loyal that they will never be subject to ideologies, shifting allegiances or personal incentives that could lead them to become insider threats.”

Second, do not assume that background checks will solve the insider problem: these programs are effective but they are not bulletproof. Measures to complement these strategies should be put in place when these strategies fail.

Third, do not assume that security rules are followed. Establishing clear policies is an indispensable element for organizations to work effectively; an over-reliance on rules, however, may weaken the ability of an organization to think strategically and anticipate insider threats. Further, not all employees may apply rules universally. Several studies, in fact, show that when employees encounter rules that “they consider senseless, they typically do not comply with them. This can contribute to a broader culture in which people follow security rules only when they find it convenient.” Managers must continue to provide incentives for employees to follow rules, but they must also implement a regular search process that identifies and eliminates redundant or obsolete rules.

The paper was distributed widely to key nuclear laboratories, military organizations, international organizations, and to more than 100 nuclear experts around the world currently involved in devising strategies and implementing policies to protect against the peril of insider threats. Several nuclear laboratories are using the paper as a training resource.

The GNF project is continuing its work in this area. Four new papers that will identify the causes and drivers of insider threats in different sectors have been commissioned. These papers will be published in an edited volume that will offer additional analysis and recommendations on how to make American and international nuclear installations safer.

At a recent workshop held in Cambridge in May, thirty senior officials from nuclear laboratories and international and military organizations, as well as nuclear experts from academia and think tanks explored different dimensions of the insider threat problem, in contexts as different as nuclear plants, military operations, and laboratories. The participants shared challenges in facing and overcoming complacency. They discussed how the risk of nuclear terrorism is changing and growing more complex in an era of cyber-attacks and increasing competition between the United States and rising powers.

In June, leaders of the GNF Initiative traveled to Istanbul, Turkey, to participate in a capacity-building training workshop for journalists from the Middle East. Organized by the Academy, the Center for Non-Proliferation Studies, and the Stanley Foundation, the workshop trained twenty journalists from the Middle East on how to write in a more informed way about nuclear risks and threats in their region. In addition, the Academy hosted two events in cooperation with EDAM and the Global Relations Forum, two think tanks in Istanbul, at which leaders of the GNF Initiative met with policy-makers, the media, and leading academics; they discussed challenges that nuclear newcomers face when establishing a nuclear energy program, including protecting their own nuclear facilities from outside and inside threats.

The Academy’s work on insider threats, and on other nuclear related issues throughout the course of its GNF Initiative, is supported by Carnegie Corporation of New York, The William and Flora Hewlett Foundation, The John D. and Catherine T. MacArthur Foundation, The Alfred P. Sloan Foundation, The Flora Family Foundation, and The Kavli Foundation. More information about the Global Nuclear Future project is available online at