Reports & Papers
from Belfer Center for Science and International Affairs, Harvard Kennedy School

Revitalizing Nuclear Security in an Era of Uncertainty

Full Report Policy Brief 1 Policy Brief 2
A member of the Czech Army takes part in an anti-terrorism drill at the Temelin nuclear power plant near the town of Tyn nad Vltavou, Czech Republic, April 11, 2017.
A member of the Czech Army takes part in an anti-terrorism drill at the Temelin nuclear power plant near the town of Tyn nad Vltavou, Czech Republic, April 11, 2017.

Downloads & Further Reading

Full Report (PDF)

Policy Brief 1: A Vision for Nuclear Security

Policy Brief 2: Combating Complacency about Nuclear Terrorism

Additional Policy Briefs will be released in the coming weeks.


Acknowledgments

The authors would like to thank Tom Bielefeld, Anthony Wier, and the many U.S. government officials who provided helpful comments on this paper. The authors are grateful to Jacob Carozza, Andrew Facini, Melissa Kappotis, and Ralph Grossmann for their help with the editing and preparation of the report.

Research for this paper was sup­ported by grants from the Carnegie Corporation of New York and the John D. and Catherine T. MacArthur Foundation.

Table of Contents:

Executive Summary
I. Introduction: The Search for Nuclear Security Excellence    
  • A Vision for Nuclear Security
  • Assessing Nuclear Security Progress: An Uncertain Enterprise
II. The Nuclear Terrorism Threat
  • Overview
  • Types of Nuclear Terrorism
  • Box: Debating the Probability of Nuclear Terrorism
  • Means, Motive, and Opportunity for Nuclear Terrorism
  • Box: Incidents Related to U.S. Nuclear Weapons in Europe
  • Box: The Hatton Garden Heist
  • Trends and Threat Vectors Affecting the Risk of Nuclear Terrorism
  • Net Assessment
III. Global Nuclear Security Since 2016: A Progress Assessment
  • Measuring Nuclear Security Progress
  • Protecting Against the Full Spectrum of Plausible Threats
  • Box: Demonstrated Adversary Tactics and Capabilities
  • Comprehensive, Multilayered Protection Against Insider Threats
  • In-Depth Vulnerability Assessment and Realistic Performance Testing
  • Strong Security Cultures
  • Consolidating Nuclear Weapons and Weapons-Usable Nuclear Material
  • Nuclear Security in Selected Countries: 2018
    • Russia
    • Pakistan
    • India
IV. International Frameworks for Strengthening Nuclear Security
  • Impact of the Nuclear Security Summits
  • The International Atomic Energy Agency
  • The United Nations
  • The Global Initiative to Combat Nuclear Terrorism
  • Interpol
  • The Global Partnership Against the Spread of Weapons and Materials of Mass Destruction and the G7 Summits
  • The Nuclear Security Contact Group
  • International Legal Nuclear Security Frameworks
  • Bilateral Nuclear Security Cooperation
  • Industry and Civil Society Organizations
  • Nuclear Security Education and Training
  • Good Practice Exchanges
V. Assessing National-Level Inputs to Nuclear Security
  • Effective Nuclear Security Leadership
  • Sustained, High-Level Political Attention to Nuclear Security
  • Designated Officials With Responsibility for Nuclear Security Progress
  • Plans for Strengthening Nuclear Security
  • Funding for International Nuclear Security
  • Leading by Example
VI. Next Steps to Regain the Momentum
  • Combating Complacency
  • Strengthening Nuclear Security Implementation on the Ground
  • Bolstering Frameworks for Nuclear Security Cooperation
  • Sustaining Nuclear Security Leadership
  • Beyond Nuclear Security
  • Revitalizing Nuclear Security
Notes

Executive Summary

Few tasks could be more important than keeping nuclear weapons and their essential ingredients out of terrorist hands. The world community has made substantial progress in improving security for such stocks since the early 1990s, including through the nuclear security summits in 2010-2016.

Since the 2016 Nuclear Security Summit, countries have continued to take measurable steps to improve nuclear security, from requiring protections against cyber attacks to launching programs to strengthen security culture in nuclear organizations. But momentum is slowing, raising serious doubts as to whether national leaders are fulfilling their commitment to continue to make nuclear security a priority. High-level political attention to nuclear security and overcoming obstacles has largely faded, international mechanisms for fostering nuclear security action and cooperation have not managed to fill the gap created by the absence of nuclear security summits, and political disputes continue to impede efforts to sustain or expand cooperation in crucial areas. At the same time, stockpiles of nuclear weapons and materials in unstable regions continue to grow and to shift in directions that increase risks. Terrorist threats and important nuclear security weaknesses exist that must be addressed. Additionally, rapidly evolving technologies such as cyber and drones could increase adversary threats to nuclear facilities and stocks in the years to come. If nuclear security improvements do not keep pace, the risk of nuclear terrorism is likely to grow.

 

A Vision for Nuclear Security

What end goals should nuclear security programs be striving for? We envision a world in which all countries with nuclear weapons, highly enriched uranium (HEU), separated plutonium, and nuclear facilities whose sabotage could cause a major radiation release are committed to a continuous process of striving for excellence in nuclear security performance. In particular, strong programs in five key areas could lead to more effective nuclear security for nuclear weapons, HEU, separated plutonium, and nuclear facilities worldwide:

  1. Broad protection. All of these items should be effectively and sustainably protected against the full range of plausible adversary threats, including evolving threats such as cyber attacks and drones.
  2. Comprehensive insider protection. All of these items should have comprehensive, multilayered protections against insider threats in particular.
  3. Strong security cultures. All of these items should be managed by organizations whose leaders and staff are committed to achieving excellence in nuclear security, are effectively trained, and remain constantly on the lookout for potential threats or vulnerabilities to be addressed.
  4. Realistic assessment and testing. All operations handling these items should be regularly subjected to in-depth, creative assessments of their vulnerabilities and realistic, challenging tests of their ability to defend against intelligent adversaries looking for their weak points.
  5. Consolidation. The use, bulk processing, transport, and number of locations with nuclear weapons, HEU, and separated plutonium should be reduced to the absolute minimum whose continued civilian and military benefits outweigh their costs and risks—as confirmed by regular high-level review.

Achieving this vision is likely to require combating complacency at all levels of nuclear security decision-making and implementation; effective engagement that bolsters frameworks for international cooperation; committed national-level nuclear security leadership; and programs with effective plans and adequate resources.

 

The Nuclear Terrorism Threat

The risk that terrorists could get and use a nuclear bomb—turning the heart of a modern city into a smoldering radioactive ruin—remains very real. Sabotage of major nuclear facilities or dispersal of radioactive material in a disruptive “dirty bomb” also remain real risks.

Motive. Apocalyptic visions or global ambitions drove groups such as al Qaeda and the Japanese terror cult Aum Shinrikyo to seek nuclear weapons. From the 9/11 attackers to Chechen rebels, who killed hundreds of children and their parents at a school in Beslan, Russia, to the Islamic State, which regularly televised its atrocities, it is clear that some terrorist groups seek to inflict as many casualties as possible, as cruelly as possible.

Means. There have been repeated cases of seizure of stolen HEU or plutonium. While there have been no such seizures since 2011, security assessments and tests continue to reveal important vulnerabilities, in the United States and elsewhere. Moreover, non-nuclear criminal thefts and terrorist attacks continue to occur that use tactics and capabilities that the security systems at many nuclear facilities would be hard-pressed to defend against—ranging from substantial teams of heavily armed, well-trained attackers, to insider conspiracies, to the use of vehicles such as helicopters to get past multiple layers of site security systems.

Opportunity. Government studies in multiple countries have concluded that sophisticated terrorist groups could plausibly make a crude nuclear device. Stopping such a device from being brought into a country and detonated remains a very challenging task, given the huge length of national borders, the immensity of normal traffic across them, and the small size and weak radiation of the materials needed for a nuclear bomb.

Since our last report in 2016:

  • Al Qaeda and particularly the Islamic State have suffered numerous defeats which must necessarily make it more difficult for them to mount the organized effort necessary to perpetrate nuclear terrorism, although their intent to inflict massive damage abides;
  • Rapid and clandestine radicalization of insiders has continued to present a threat that most personnel reliability programs have been unable to address successfully;
  • The pace of seizures of fissile material outside of authorized control appears to have slowed, although what is known publicly about earlier cases offers little confidence that the leaks have been plugged;
  • New technologies such as drones and cyber, expanded deployments of small, mobile nuclear weapons, and construction of bulk processing facilities will offer new opportunities for terrorists to strike and present new challenges for those attempting to defend against them.

On balance, the combination of nuclear terrorist means, motives, and opportunities presents somewhat less of a threat than it did two years ago. But as past experience makes clear, the future is highly uncertain; the world has likely not seen the last of powerful terrorist groups bent on mass destruction. And as adversaries make increasingly sophisticated use of technologies such as cyber and drones in the future, the threat to nuclear weapons, materials, and facilities could increase. To minimize risk in this uncertain future, continuous and determined efforts to improve security remain essential.

 

Global Nuclear Security Since 2016: A Progress Assessment

Global efforts to reduce the risk of nuclear terrorism continue. Countries are strengthening national regulations, enhancing security culture at nuclear facilities, and taking further steps to protect against both insider and outsider threats. Additional countries continue to join international nuclear security legal instruments and initiatives. This report documents important progress in each of the five key areas of nuclear security described above.

But this progress appears to be slowing. In the past two years, few national leaders have focused on improving nuclear security and international political interest in nuclear security is waning. Russia and some other countries with substantial nuclear stocks have sharply constrained their international nuclear security cooperation, arguing that what they do about nuclear security is their business. The “action plans” agreed to at the 2016 summit have led to little action. Existing international forums for discussing nuclear security have not filled the gap left by the end of the nuclear security summits.

In the United States, while President Trump has continued to offer strong rhetorical support for nuclear security, there are few signs of high-level attention to the subject. Under both President Obama and President Trump, funding for nuclear security programs has been declining for years, some to the lowest levels since these programs were first beginning in the 1990s. Trump administration officials have argued that planned funding is sufficient for their limited current nuclear security plans, but proposed budgets are not enough to fund the more comprehensive nuclear security agenda that is needed. At the same time, while the United States has some of the world’s most stringent nuclear security requirements, there are a series of steps the U.S. government has advocated for other countries that it is not taking itself, from targeted programs to strengthen nuclear security culture to strong security for radioactive sources.

Despite these declines in high-level attention and resources, there is clearly more nuclear security work to be done. Serious security vulnerabilities remain in nuclear facilities around the world. Not all nuclear facilities are protected against all plausible threats; many do not have comprehensive, multilayered defenses against insiders; some nuclear security systems are not exposed regularly to rigorous vulnerability assessments and testing; the culture within many nuclear organizations is still not focused sufficiently on security; and nuclear materials remain in far too many locations. The regime underpinning global nuclear security efforts has major weaknesses.

Requested and Allocated Funding for U.S. Department of Energy Nuclear Theft Prevention Programs

 

Next Steps to Regain the Momentum

The international community needs to take steps to regain the momentum—or face a risk of nuclear and radiological terrorism that could begin to rise again. The U.S. government in particular needs to fill gaps in its nuclear security efforts, ensuring that all relevant stocks of material are covered, all potentially effective policy approaches are included, and adequate resources are available. Action is needed in several areas. (Each of these recommendations is elaborated in more detail in the report.)

1. Combating complacency

  • Recommendation 1.1: Prepare detailed reports and briefings on the nuclear terrorism threat and the need for additional improvements in nuclear security.
  • Recommendation 1.2: Establish regular sharing of incidents and lessons learned.
  • Recommendation 1.3: Conduct creative, realistic vulnerability assessment and testing.
  • Recommendation 1.4: Carry out intelligence agency dialogues.
  • Recommendation 1.5: Assign focused teams to search for weapons-usable nuclear material or information that could lead to it.

2. Strengthening nuclear security implementation on the ground

  • Recommendation 2.1: Protect against all plausible adversary capabilities and tactics.
  • Recommendation 2.2: Establish comprehensive, multilayered defenses against insider threats.
  • Recommendation 2.3: Conduct realistic performance testing and vulnerability assessments.
  • Recommendation 2.4: Implement targeted programs to strengthen security culture.
  • Recommendation 2.5: Consolidate nuclear weapons-usable material to fewer locations.
  • Recommendation 2.6: Strengthen nuclear security organizational governance and incentives.
  • Recommendation 2.7: Ensure that all nuclear security management and staff are adequately trained for their jobs.

3. Bolstering frameworks for international nuclear security cooperation

  • Recommendation 3.1: Establish an additional forum for discussing next steps in nuclear security at a senior level, and work to take maximum advantage of existing forums.
  • Recommendation 3.2: Launch a new initiative in which states with weapons-usable nuclear material commit to implement a range of key nuclear security steps while continuing to work to expand participation in existing agreements and commitments and ensure they are implemented effectively.
  • Recommendation 3.3: Find ways to launch reformed, partnership-based approaches to U.S.-Russian nuclear security cooperation, and broader cooperation among U.S. and Russian nuclear experts.
  • Recommendation 3.4: Pursue bilateral cooperation with all willing states with nuclear or radiological materials and facilities whose security affects U.S. interests, focused on convincing countries to do more themselves and advising them on how best to do it.
  • Recommendation 3.5: Continue to strengthen nuclear security efforts by states, industry groups, and civil society organizations, and cooperation among them.
  • Recommendation 3.6: Establish an experts group to work out approaches to providing information about nuclear security progress that would build real confidence without unduly compromising sensitive information.

4. Sustaining nuclear security leadership

  • Recommendation 4.1: Focus sustained, high-level attention on strengthening nuclear security.
  • Recommendation 4.2: Develop a comprehensive U.S. government plan for achieving effective and sustainable security for nuclear stocks worldwide and assign a senior official to take full-time charge of the effort. The United States and other interested countries should direct knowledgeable teams from their intelligence agencies to conduct dialogues with other countries’ intelligence agencies to build common understandings about the threat—and, where practicable, to undertake cooperative actions against the threat.
  • Recommendation 4.3: Under the comprehensive plan just described, revitalize U.S. international nuclear security programs, seeking to work with all countries with nuclear weapons, HEU, separated plutonium, or major nuclear facilities that might be sabotaged to convince them to put effective and sustainable nuclear security measures in place, focusing on the five key areas of nuclear security outlined above.
  • Recommendation 4.4: Provide the budgets and people needed to implement the nuclear security plan, so that improvements that could significantly reduce the risk of nuclear terrorism are never slowed for lack of money or people.
  • Recommendation 4.5: Lead by example, implementing at home the nuclear security proposed for other countries.

 

Revitalizing Nuclear Security

Nuclear security around the world has improved dramatically over the last three decades—which demonstrates that with focused leadership, major progress is possible. But important weaknesses remain, and the evolution of the threat remains unpredictable. The danger that terrorists could get and use a nuclear bomb, or sabotage a major nuclear facility, or spread dangerous radioactive material in a “dirty bomb,” remains too high. The United States and countries around the world need to join together and provide the leadership and resources needed to put global nuclear security on a sustained path of continuous improvement, in the never-ending search for excellence in performance.

   


 

I.  Introduction: The Search for Nuclear Security Excellence

← previous section  |  ↑ Table of Contents  |  next section →
Sensors and fencing at Japan's Integrated Support Center for Nuclear Nonproliferation and Nuclear Security. (Dean Calma / IAEA)
Sensors and fencing at Japan's Integrated Support Center for Nuclear Nonproliferation and Nuclear Security. 
(Dean Calma / IAEA)

Few tasks could be more important than keeping nuclear weapons and their essential ingredients out of terrorist hands. President Trump, like Presidents Obama, Bush, and Clinton before him, has emphasized the dangers of nuclear terrorism and the need for nuclear security action to address them. For example, the Trump administration’s 2018 Nuclear Posture Review (NPR) warned that “[n]uclear terrorism remains among the most significant threats to the security of the United States, allies, and partners,” and enunciated a “multilayered” response, with key emphases on “securing nuclear weapons, materials, related technology, and knowledge, to prevent their malicious use,” and enhancing “cooperation with allies, partners, and international institutions to prevent nuclear terrorism.”1

The world community has made substantial progress in improving security for nuclear weapons and the materials needed to make them since the early 1990s, including through the nuclear security summits in 2010-2016. We all owe a debt of gratitude to the countless men and women who labored to make those improvements happen.

But as this report will describe, dangerous terrorist threats and important nuclear security weaknesses remain that must be addressed. The goal must be excellence in nuclear security performance. But excellence is not a fixed finish line that will be reached at a set time, but a never-ending journey; nuclear security must always be improving, to respond to evolving threats, changing technologies, and newly uncovered vulnerabilities.

 

A Vision for Nuclear Security

What end goals should nuclear security programs be striving for?2 We envision a world in which all countries with nuclear weapons, highly enriched uranium (HEU), separated plutonium, and nuclear facilities whose sabotage could cause a major radiation release are committed to a continuous process of striving for excellence in nuclear security performance.

There are five areas of nuclear security we see as particularly critical:

  1. Broad protection. All of these items should be effectively and sustainably protected against the full range of plausible adversary threats, including evolving threats such as cyber attacks and drones.
  2. Comprehensive insider protection. All of these items should have comprehensive, multilayered protections against insider threats in particular.
  3. Strong security cultures. All of these items should be managed by organizations whose leaders and staff are committed to achieving excellence in nuclear security, are effectively trained, and remain constantly on the lookout for potential threats or vulnerabilities to be addressed.
  4. Realistic assessment and testing. All operations handling these items should be regularly subjected to in-depth, creative assessments of their vulnerabilities and realistic, challenging tests of their ability to defend against intelligent adversaries looking for their weak points.
  5. Consolidation. The use, bulk processing, transport, and number of locations with nuclear weapons, HEU, and separated plutonium should be reduced to the absolute minimum whose continued civilian and military benefits outweigh their costs and risks—as confirmed by regular high-level review.

We envision a world in which all countries with nuclear weapons, HEU, separated plutonium, or nuclear facilities whose sabotage could cause a major radioactive release have strong programs in place in each of these five areas.

Achieving this vision is likely to require:

  • Steps to combat complacency at all levels of nuclear security decision-making and implementation, and to increase awareness of nuclear terrorism threats and potential vulnerabilities;
  • Effective engagement that bolsters frameworks for international cooperation, including:
    • Effective implementation of, and broadened participation in, key nuclear security agreements, commitments, and institutions, such as the amended Convention on Physical Protection and the Strengthening Nuclear Security Implementation Initiative (INFCIRC/869);
    • Strengthened International Atomic Energy Agency (IAEA) nuclear security programs;
    • Revitalized nuclear security cooperation programs sponsored by the U.S. government and other interested governments, with a comprehensive approach to working with as many of the relevant countries as possible on continuous improvement of each of the five key areas of nuclear security just described, and with the necessary leadership, budgets, and personnel to do so;
    • In particular, renewed nuclear security cooperation between the world’s largest nuclear complexes, in the United States and Russia;
    • One or more effective international forums for discussing and agreeing on next steps in nuclear security and promoting effective implementation of past commitments;
    • Expanded and strengthened international nuclear security peer reviews;
    • Increased participation in and support for approaches to exchanging information on nuclear security progress, to spread best practices, build confidence that effective security is in place, and identify areas for additional action;
    • New political commitments to stringent nuclear security measures designed to minimize the risk of nuclear theft or sabotage.
  • Committed national-level nuclear security leadership and programs, including:
    • Targeted programs focused on each of the key elements of the vision;
    • Sustained attention from high-level officials;
    • Designated officials with responsibility for achieving nuclear security progress;
    • Effective plans to strengthen nuclear security;
    • Adequate funding and staffing for nuclear security;
    • Efforts to lead by example, with countries advocating particular nuclear security measures undertaking those steps themselves;
    • Effective nuclear security regulation and other measures to structure incentives to motivate action to strengthen nuclear security;
    • Training and certification programs to ensure that all managers and staff related to security, management, and operations of these stocks and facilities are demonstrably competent;
    • Programs to seize synergies and manage conflicts between nuclear safety, security, and safeguards; and
    • Measures or indicators to assess progress, coupled with approaches to learning from experience and improving nuclear security efforts over time.

 

Assessing Nuclear Security Progress: An Uncertain Enterprise

In the remainder of this report, more than two years after the end of the nuclear security summits, we offer an assessment of the evolving nuclear terrorism threat; the current state of progress in achieving this vision of nuclear security; and the remaining weaknesses to be addressed. We then offer recommendations for action to revitalize progress toward the vision of excellence in nuclear security performance.

Complacency, secrecy, bureaucracy, concerns over national sovereignty, competing priorities, political disputes, organizational challenges, and limited resources all pose important obstacles to nuclear security progress. We hope that our recommendations will help in overcoming those obstacles, but they will remain constraints on what can be done for many years to come.

Our conclusions offer both good news and bad news. When more than 50 national leaders convened in 2016 for the fourth and final nuclear security summit, they unanimously pledged to “continue to make nuclear security an enduring priority.”3 In the years since then, many countries have continued to take measurable steps to improve their nuclear security arrangements. That conclusion parallels those of other assessments. The Nuclear Threat Initiative’s 2018 Nuclear Security Index, for example, concludes that “since 2016, countries with weapons-usable nuclear materials have taken 82 specific actions to improve nuclear security conditions.”4

But momentum is clearly slowing, raising serious doubts as to whether national leaders are fulfilling their commitment to continue to make nuclear security a priority. High-level political attention to driving nuclear security forward and overcoming obstacles has largely faded, international mechanisms for fostering nuclear security action and cooperation have not managed to fill the gap created by the end of the nuclear security summits, and political disputes continue to impede efforts to sustain or expand cooperation in crucial areas (especially between the United States and Russia). At the same time, stockpiles of nuclear weapons and materials in countries such as North Korea, Pakistan, and India continue to grow and to shift in directions that increase dangers—such as expanded numbers of tactical nuclear weapons. Additionally, new and evolving technologies and capabilities in the hands of those who wish to steal weapons-usable nuclear material present increasing threats to many nuclear facilities around the globe. If countries do not take urgent action to make strengthening nuclear security a priority, performance will falter and the risk of nuclear terrorism will likely grow in the coming years.

Our approach is complementary to other recent assessments of nuclear security progress.5 Rather than giving each country a rating based on the presence or absence of certain rules or policies, or assessing fulfillment of their summit commitments, we assess the overall effectiveness of nuclear security around the world. First, we focus on how countries are implementing the five key areas described above. Second, we assess how international initiatives and organizations related to nuclear security are contributing to progress in these areas. Third, we evaluate the inputs countries are putting in to strengthen global nuclear security, from budgets to the time and attention of senior officials. Finally, we recommend strategies for regaining nuclear security momentum. That recommendations section includes recommendations for strengthening national implementation in the five key elements of our vision for nuclear security; bolstering international cooperative frameworks; expanding inputs to global nuclear security—and, crucially, for countering complacency about nuclear security—perhaps the most serious impediment to nuclear security action.

Assessing progress in nuclear security is a difficult and uncertain business. Many of the specific security measures for nuclear weapons, weapons-usable materials, and major nuclear facilities are understandably secret—no one wants terrorists to get information that would help them succeed in carrying out nuclear theft or sabotage. What is more, there are no agreed measures of the effectiveness of nuclear security at particular sites.6 Some steps—such as eliminating the nuclear material at a particular site entirely—are easy to count. Others, such as improving training and strengthening security culture at a facility, may be equally important but are much more difficult to assess.

In the past, when the United States was paying to install major upgrades in security measures in various countries, an obvious measure was the fraction of the relevant buildings or bunkers where the upgrades had been completed.7 But with the completion of many projects, the suspension of nearly all U.S.-Russian nuclear cooperation, and the end of the nuclear security summits, nuclear security cooperation has entered a new era. In most (though not all) cases, the U.S. government will no longer serve as the bankroller of progress but, as one National Nuclear Security Administration (NNSA) official aptly put it, as an “evangelist and consultant”—working to convince other countries to do more to strengthen nuclear security themselves, and advising them on how best to do it. Assessing progress in this new era will require deeper thought about the best progress indicators to use, and greater tolerance for uncertainty.

Moreover, in the absence of nuclear security summits, data from progress reports by summit participants will no longer be available, adding to the difficulties of assessment.8 At the same time, the end of U.S.-Russian nuclear security cooperation eliminated an important mechanism for understanding nuclear security in Russia, the country with the most nuclear weapons and material.9

As discussed in the next section, the evolution of the threat is also highly uncertain. At the time of the 2016 Nuclear Security Summit in Washington, the Islamic State had control of major portions of Iraq and Syria. Its rapid rise, coupled with the real but modest nuclear security progress since the 2014 summit, made it appear that nuclear security progress might not be keeping up with the evolving threat. This sense was reinforced by the collapse of U.S.-Russian nuclear security cooperation in 2014 and by events in Belgium, where terrorists had been caught spying on a high-ranking official of Belgium’s major nuclear research center and an insider had recently sabotaged a nuclear reactor, leading to investigations that revealed that cleared employees of the reactor had left to fight for terrorists in Syria.10

Both the threat and nuclear security progress have changed again in the more than two years since then, but in ways that make net judgments as to whether risk is increasing or decreasing highly uncertain. On the one hand, as discussed in the next section, the Islamic State’s geographic caliphate has largely been defeated; at the same time, however, the Islamic State still has thousands of fighters in many countries and a significant ability to recruit around the world. Rather than clear progress in risk reduction, we have an uncertain picture, with continuing but slowing nuclear security progress, ongoing expansion of nuclear programs in Pakistan, India, and North Korea, and a threat picture whose current state is murky and whose future evolution is unknown. Where the future threat is uncertain—but potentially substantial—it is all the more important to take action to ensure that those future adversaries cannot get their hands on the devastating power afforded by nuclear weapons or their essential ingredients.

 

 


 

II.  The Nuclear Terrorism Threat

← previous section  |  ↑ Table of Contents  |  next section →
A building at a Pakistani naval aviation base burns during an attack by a substantial group of well-armed, well-trained militants, apparently with insider help, in May 2011. Nuclear weapons and materials must be protected against comparable adversary capabilities and tactics. ​​​​​​​AP Photo/Shakil Adil
A building at a Pakistani naval aviation base burns during an attack by a substantial group of well-armed, well-trained militants, apparently with insider help, in May 2011. Nuclear weapons and materials must be protected against comparable adversary capabilities and tactics.
(AP/Shakil Adil)

Overview

Two months after the September 11th terrorist attacks, standing beside Russian President Vladimir Putin, U.S. President George W. Bush declared, “Our highest priority is to keep terrorists from acquiring weapons of mass destruction” and cited the importance of nuclear materials security.11 Fifteen years later, President Barack Obama called nuclear terrorism, “one of the greatest threats to global security.”12 From the Bush Administration’s first year to the Obama Administration’s final one, many changes occurred affecting the threat of nuclear terrorism. Some argue that the absence of a nuclear detonation during those years is evidence that the threat has been exaggerated.13 Others see it as largely a matter of luck.14 We would argue that while there may have been some luck and some misperception of the threat, policy successes—in strengthening security for nuclear stocks, breaking up terrorist nuclear plots, and countering high-capability terrorist groups—have significantly reduced the risk.

Assessing the danger of an unprecedented event is tricky. An act that has never occurred is literally vanishingly rare, but is it impossible? The 9/11 Commission cited failures of imagination as the primary factor in the U.S. government’s inability to prevent the attacks;15 thus, some willingness to imagine unprecedented events is justified. Answering several questions can add structure to the analysis, and objectivity to necessarily speculative reasoning. What could be plausible acts of nuclear terrorism and what would be their consequences? What means, motive, and opportunity exist for nuclear terrorism? What trends affect the threat, to what net effect versus our state of security in the recent past?16

 

Types of Nuclear Terrorism

A terrorist bent on a nuclear or radiological attack could choose among several options. Each poses different challenges for the attacker and consequences for the target:

  • Detonation of a nuclear explosion, caused either by a weapon acquired from a state arsenal or an improvised device fashioned from stolen fissile material;
  • Sabotage of a nuclear facility resulting in a large release of radiation;
    or
  • Dispersal of radioactive material by a “dirty bomb” or other means, to deny access to an area and create panic and disruption.

Detonating a nuclear explosive, while the most difficult for terrorists to accomplish, would also be by far the most devastating. The consequences of such an attack have been detailed many times. For public policy purposes, it suffices to understand that they very likely would be more momentous than any other single act of violence in human history. Depending on the location, size, and efficiency of the weapon, tens or even hundreds of thousands of people might die; as many or more would be seriously injured. One coarse but plausible estimate held that half a million people might be killed in such an attack on Manhattan.17 A city—perhaps a world capital along with its treasures—would be devastated. Depending on the international response, economic disruption could be massive; Kofi Annan, while Secretary-General of the United Nations, warned that the reverberations of such an attack could push “tens of millions of people into dire poverty” causing a “second death toll throughout the developing world.”18 That means that inadequately secured nuclear material is not just a threat to the United States or a few other countries who believe they might be likely targets of a terrorist nuclear bomb; it is a threat to everyone, everywhere.

The radiation from a dirty bomb, by contrast, might not kill anyone immediately, but could make an extraordinarily expensive mess, imposing tens of billions of dollars in economic disruption and cleanup costs. The widespread availability of radioactive sources—used in hospitals, industrial sites, and other locations worldwide—and the relative simplicity of dispersing the dangerous radiation from them make a “dirty bomb” far easier for terrorists to accomplish than an actual nuclear explosive.

The effects of sabotage of a nuclear facility would depend on the nature and success of the attack, but would likely range between the other two types of attack in severity, in a worst case contaminating large areas in ways that could require evacuating them for decades, as the Chernobyl accident did. The difficulty of successful and high-impact sabotage would also be intermediate. This report focuses primarily on preventing the potentially most catastrophic form of nuclear terrorism—detonation of a nuclear device—but action is needed to reduce the other dangers as well, and the most important preventative steps are parallel, in many cases.19 The consequences of sabotage or a dirty bomb may be lower, but the greater ease of accomplishing them means the overall risk from those threats is also significant, justifying significant international efforts to prevent and prepare for them.

 

Box: Debating the Probability of Nuclear Terrorism

No one knows what the real odds of nuclear terrorism are. Graham Allison recently reiterated his 2004 view that the probability of a nuclear detonation caused by terrorists within ten years is slightly better than 50-50.i In 2006, John Mueller argued that the odds of any particular terrorist attempt at nuclear terrorism succeeding were between one in a million and one in three billion; he ridiculed believing that nuclear terrorism was a serious risk as comparable to believing in the “tooth fairy.”ii In addition to these speculative estimates, one of this paper’s authors (Bunn) has posited a mathematical model of the risk of nuclear terrorism—albeit one intended to serve as a tool for systematic thinking about the problem, rather than as a means to reach “the answer,” as the model’s input parameters are largely unknown.iii

While it is useful to try to clarify the plausibility of the threat, the debate about probability can be misleading in two ways. First, the laws of probability were developed to describe random events—not malicious, intelligent, and determined human beings.iv Without focused adversary action, the probability of nuclear terrorism is zero.  If, on the other hand, terrorists took such focused action and were successful in surmounting the physical and technological obstacles—which would not be random or independent occurrences—as well as in avoiding determined efforts by governments to stop them, a nuclear detonation would occur.  Similarly, the odds of a nuclear detonation at Alamogordo in July 1945 were zero before the Manhattan project, and certain (or close enough for public policy purposes) after it.  (In their Ten Great Ideas About Chance, Diaconis and Skyrms note that Newton grappled with this paradox, writing that, “It is impossible for a Die, with such determin’d force and direction, not to fall on such determin’d side, only I don’t know the force and direction which makes it fall on such determin’d side, and therefore I call it Chance . . .”)v

Thus, while some intelligent human actions intuitively are more likely than others, the concept of the “probability” of a non-random event like nuclear terrorism is a metaphor. It is designed to help analysts communicate the plausibility of the threat—to reduce a series of complex ideas to a single number.

But given that the actual chance of nuclear terrorism is unknown, it may be more helpful to assess whether or not the conditions necessary for nuclear terrorists to succeed exist, or may develop in the future, and if so, what can be done to redress them. That is the approach we take in the remainder of this chapter. In any case, given the scale of the consequences—which would be almost unimaginably catastrophic—even a small risk of the occurrence should be mitigated.vi

Whether one metaphorically believes the odds of a terrorist nuclear detonation are closer to even or to one in a hundred, from a public policy perspective, action is warranted, especially given that preventive activity is cheap, when compared to what states routinely spend to guarantee their security.


Box Notes:
i Allison, “Nuclear Terrorism: Did We Beat the Odds or Change Them?.”
ii    John Mueller, Atomic Obsession: Nuclear Alarmism from Hiroshima to Al-Qaeda (Oxford: Oxford University Press, 2010), pp. 185-187, 210. The flaws in Mueller’s arguments—from including allegedly “necessary” steps that do not exist in any of the historical cases of nuclear theft to pulling his probabilities out of the sky with no justification for them to assuming independence of closely correlated activities to ignoring the fact that for many steps, adversaries can simply try again if they do not succeed the first time—render his arguments invalid.  Indeed, he manages to commit most of the common rookie mistakes in probabilistic risk analysis in the course of a couple of pages, making his analysis a useful tool for teaching students how not to perform risk assessments.
iii Matthew Bunn, “A Mathematical Model of the Risk of Nuclear Terrorism,” Annals of the American Academy of Political and Social Science, Vol. 607 (September 2006).
iv Probability can certainly be used effectively when large numbers of people are involved, as in the likely outcome of elections, or the fraction of times a task will be performed successfully when thousands of people perform it.  In such cases, individual non-random variables can be combined into a random variable.  But probability was not designed to describe the actions of small numbers of determined individuals.
v  Persi Diaconis and Brian Skyrms, Ten Great Ideas About Chance (Princeton University Press, 2017). vi    For a recent summary of the potential consequences, see Matthew Bunn and Nickolas Roth, “The Effects of a Single Terrorist Nuclear Bomb,” Bulletin of the Atomic Scientists, September 28, 2017, https://thebulletin.org/effects-single-terrorist-nuclear-bomb11150 (accessed March 9, 2018).

     

    Means, Motive, and Opportunity for Nuclear Terrorism

    One method of assessing the danger of nuclear terrorism is to employ the forensic technique analyzing means, motive, and opportunity, prospectively instead of retrospectively.20

     

    Means

    The most likely means for detonating a nuclear explosion would be theft of weapons-usable nuclear material, either HEU or plutonium. Several lines of evidence suggest that this is a serious concern.

    First, we have empirical evidence of past security failures for such material, as there are nearly 20 well-documented cases in the public record from 1992-2018 in which stolen plutonium or HEU has been seized.21 While none of these incidents involved quantities large enough to make a nuclear weapon (though one attempted theft was in the ballpark), they constitute empirical confirmation of nuclear security failures resulting in loss of control of fissile material. Moreover, because in all but one of the cases the site from which the material was stolen has not been publicly confirmed, there can be no independent certainty that the leaks have been permanently plugged (indeed it is not clear that the missing material was even noticed at the facilities from whence it came). In some cases, the seized material was described as a sample of a larger quantity for sale that was never recovered and which may still be available.22

    While many of these cases occurred in the 1990s, when nuclear security was undermined by the dissolution of the Soviet Union, governments in Europe also seized stolen HEU or plutonium in 2003, 2006, 2010, and 2011. The absence of publicly disclosed seizures for seven years is encouraging, but it is too early to infer that the problem is solved.

    In addition to instances of nuclear theft, there have been also important security incidents in recent years indicating there continue to be threats to nuclear facilities around the world.

    • In 2012, explosives were found under a truck at the Ringhals nuclear power plant, the largest in Sweden. Fortunately, the explosives were not connected to a detonator.23
    • In 2013, two people scaled the fence at Belgium’s HEU research reactor, broke into the facility, and stole equipment.24
    • In 2014, a computer in the control room (though not one actually controlling the reactor) at Japan’s Monju nuclear reactors was hacked.25
    • In 2016, the Belgian nuclear agency’s computer system was hacked and forced to briefly shut down.26
    • In 2017, Greenpeace activists twice penetrated security barriers at French nuclear power plants to protest nuclear energy and highlight what they asserted were security weaknesses.27
    • Also in 2017, the commander of U.S. Strategic Command, Gen. John Hyten, told Congress that recent incidents of unauthorized drones overflying both Navy and Air Force nuclear facilities “represent a growing threat to the safety and security of nuclear weapons and personnel.”28

    Second, security assessments and tests continue to reveal important vulnerabilities, in the United States and elsewhere. At one nuclear facility in Europe, for example, a clever adversary plan involving an insider bringing in explosives and the rest of the attack team arriving disguised as the emergency responders succeeded in totally penetrating the facility’s security system.29 In the United States, failures to protect against adversary teams representing the design basis threat (DBT) occur more rarely than in past decades, but still happen. Moreover, in many countries, weaknesses exist in one or more of the five key areas of nuclear security described in this report, ranging from relying on only one or two measures to protect against insider threats rather than having a comprehensive program to failing to carry out realistic tests of security performance to lack of any focused effort to assess and strengthen the staff’s security culture.

    Third, non-nuclear criminal thefts and terrorist attacks continue to occur that use tactics and capabilities that the security systems at many nuclear facilities would be hard-pressed to defend against—ranging from substantial teams of heavily armed, well-trained attackers, to insider conspiracies, to the use of vehicles such as helicopters to get past multiple layers of site security systems.30

    Fissile material is not the only plausible target. In theory, it would also be possible for terrorists to attempt to steal a nuclear weapon from a state arsenal. Nuclear weapons, however, are large, countable objects that are generally very well secured (and often equipped with electronic locks or other features that would make it difficult to detonate them without authorization, though thieves might ultimately be able to overcome those features or use the nuclear material in the weapon to build a bomb of their own).31 Unlike fissile material, there are no known cases of theft of a nuclear weapon.

    There have, however, been worrisome incidents. In the early 2000s, Colonel-General Igor Valynkin, then commander of the force that guards Russia’s nuclear weapons, confirmed two incidents involving terrorists carrying out reconnaissance at Russian nuclear weapon storage sites, and the Russian state newspaper reported two more terrorists monitoring nuclear weapon transport trains—the most vulnerable part of the nuclear weapon life-cycle.32 In August 2007, “a breakdown in training, discipline, supervision, and leadership”33 led to the unauthorized transfer of six nuclear-armed air-launched cruise missiles from Minot Air Force Base to Barksdale Air Force Base. (The bomber’s crew thought they were carrying only unarmed training missiles.) In the incident, “the intricate system of nuclear checks and balances was either ignored or disregarded.”34 While it would not have been possible to arm or launch the missiles without launch codes,35 the systems were outside of the special security procedures attendant to nuclear weapons for about 24 hours on the ground at Minot and Barksdale.36 And as described in the accompanying box, there have been a series of incidents in the last 15 years that suggest terrorist interest in, and some continuing security weaknesses at, bases where U.S. nuclear weapons are stored in Europe, though as far as is publicly known none of these incidents ever put those weapons at serious risk of theft or sabotage.

    As those incidents suggest, tactical nuclear weapons systems present a particular risk of theft, especially when they are out of garrison. Pakistan and India are both fielding tactical nuclear weapons, and as will be discussed later in this report, the terrorist threat environment in both countries is severe, particularly in Pakistan. While neither India nor Pakistan have suffered major terrorist attacks on nuclear weapon storage facilities, in both countries, large terrorist teams with apparent insider help have succeeded in seizing portions of major military bases for hours at a time. Speaking of Pakistan in 2016, a White House official noted, “we’re concerned by the increased security challenges that accompany growing stockpiles, particularly [of] tactical nuclear weapons that are designed for use on the battlefield. And these systems are a source of concern because they’re susceptible to theft due to their size and mode of employment.”37 The Trump Administration apparently concurs, as the 2018 Worldwide Threat Assessment noted dryly that: “[Pakistan’s] new types of nuclear weapons will introduce new risks for escalation dynamics and security in the region.”38

     

    Motive

    The motive for nuclear terrorism is also well established. Forty years ago, terrorists may have wanted “a lot of people watching, not a lot of people dead,” reasoning that their political objectives would be defeated by revulsion to mass casualties.39 Today, however, while it remains true that most terrorist groups have no interest in the nuclear level of violence, a few do. The most dangerous types of terrorist organizations appear to be apocalyptic groups seeking to bring about the end of the world (such as the Japanese terror cult Aum Shinrikyo) and groups with immense political ambitions, in some cases including the defeat of superpowers, for which very powerful weapons might be needed (such as al Qaeda, some Chechen terrorists, and the Islamic State). From the 9/11 attackers to Chechen rebels, who killed hundreds of children and their parents at a school in Beslan, Russia, to the Islamic State, which regularly televised its atrocities, it is clear that some terrorist groups seek to inflict as many casualties as possible, as cruelly as possible. Ours is an age of unlimited terrorist ambition.

    Aum Shinrikyo released sarin nerve gas in Matsumoto and in the Tokyo subway in 1995 and attempted to acquire both nuclear and biological weapons.40 Al Qaeda, whose leader declared acquisition of nuclear and chemical weapons to be a “religious duty,” had a focused nuclear weapons effort that reported directly to Ayman al-Zawahiri (now the group’s leader), included repeated attempts to get nuclear material and recruit nuclear expertise, and progressed as far as carrying out crude but sensible tests of conventional explosives for the nuclear program in the Afghan desert.41 Chechen terrorists planted a stolen radiological source in a Moscow park as a warning, repeatedly threatened to sabotage nuclear reactors—and, as noted earlier, reportedly carried out reconnaissance at both nuclear weapon storage sites and on nuclear weapon transport trains.42 So far, there is no public evidence of a focused Islamic State effort to acquire nuclear weapons, despite hints such as Islamic State operatives’ video monitoring of the private home of a top official of Belgium’s leading nuclear research center.43

     

    Opportunity

    Opportunity, in the case of nuclear terrorism, would be created by assembling the technical means to fabricate, transport, and detonate a device, once sufficient nuclear material or a weapon had been stolen. Government studies in multiple countries have concluded that sophisticated terrorist groups could plausibly make a crude nuclear device.44 Unfortunately, taking already-produced nuclear material and fashioning it into a bomb does not take a Manhattan Project. As early as 1986, U.S. National Intelligence Estimates assessed that sophisticated terrorist groups would be capable of causing a nuclear explosion, were they able to steal sufficient fissile material or a state-produced weapon.45 Those conclusions were reinforced by a specific finding in October 2001 that building a crude nuclear weapon was “well within” al Qaeda’s capabilities if it obtained sufficient fissile material.46 Some argue that an inability to organize a serious effort to accomplish the complex tasks necessary to effect a nuclear detonation—in addition to lack of access to fissile material—would be a serious barrier to a terrorist nuclear weapons effort, and there is undoubtedly some truth to this. The disruption caused by relentless military and covert operations against them has certainly made it more difficult for either al Qaeda or the Islamic State to pursue complex, sustained efforts like a nuclear program.

    Figure 1: Sunni Violent Extremists' Primary Operating Areas as of 201747

    Source: Office of Director of National Intelligence
     

    Trends and Threat Vectors Affecting the Risk of Nuclear Terrorism

    Violent Extremist Groups. It is now seven years since the death of Osama bin Laden, and many see al Qaeda as too damaged to have any hope of obtaining fissile material and fabricating it into a workable nuclear bomb. In recent years, there has been little evidence of core al Qaeda actively directing even much simpler large-scale conventional attacks against the United States, as opposed to merely lending its brand and advice to regional affiliates that are now more powerful. As for the Islamic State, with its geographic caliphate in Iraq and Syria largely defeated, some see it as not capable of implementing attacks that go much beyond suicide bombings or driving vehicles into crowds of people. As far as is publicly known, the Islamic State never did anything with the dangerous radiological sources in the territory under its control (which have since been recovered), even as it manufactured both conventional and chemical weapons.

    There is certainly an element of truth to these perspectives. Several troubling caveats should, however, be remembered. First, both of these organizations may be motivated to find ways to carry out a spectacular attack to reestablish themselves as leaders of the global jihadist movement. Indeed, they may become more accepting of risk out of desperation.

    Second, unfortunately, the number of people involved in a project to make a crude terrorist nuclear bomb might be relatively small.48 Such a project might take place far from the drones and airstrikes of known battlefields, making it far more difficult to detect.

    Third, it is worth remembering that several key figures of al Qaeda’s nuclear program, such as Abdel Aziz al-Masri (the al Qaeda “nuclear CEO”), Sayf al-Adl (the al Qaeda operations chief, reportedly released from Iran in a prisoner swap with al Qaeda in the Arabian Peninsula), and the “Pakistani expert” al Qaeda relied on in 2003 to check whether items it was trying to buy really were nuclear bombs, remain at large, and publicly unaccounted for. Both al Qaeda and the Islamic State have regional affiliates in several countries, any one of which could be home to a small team working to fashion a nuclear device—and both have more than once proven to be resilient in the face of sustained attacks.

    Fourth, it is worth remembering the speed with which new threats can arise, and the difficulty of detecting and addressing them before it is too late. In January 2014, the U.S. Director of National Intelligence did not mention the Islamic State in his summary of the threats facing the United States.49 At about the same time, President Barack Obama likened the group to junior varsity players.50 Later that year, the group seized major portions of Iraq and Syria and declared a global caliphate, and at one time controlled territory encompassing thousands of square miles, the cities of Raqqa, Mosul, and Sirte (in three different countries), and about ten million people, which gave the group access to billions of dollars in revenue. In another significant example of intelligence failure regarding terrorists bent on mass destruction, little attention focused on the Japanese cult Aum Shinrikyo's pursuit of nuclear, biological, and chemical weapons until after it launched a nerve gas attack on the Tokyo subway system in 1995.

    In short, it is reasonable to believe that the blows dealt to al Qaeda and to the Islamic State over the past decade have reduced the chance that a terrorist group will combine the intent and the capability to pursue nuclear or radiological terrorism. They have not, however, eliminated that risk, and the risk could increase again in the future, potentially with little warning. The 2018 Worldwide Threat Assessment notes the “staying power” of al Qaeda’s five affiliates, and maps significant areas in many countries where they or the Islamic State are continuing to operate.51

    Rapid Radicalization and Insider Threats. The internet has changed how individuals and groups communicate and learn. It gives instantaneous global reach to ideas and information—both benign and malign. Regarding the latter, the problem applies broadly to societies defending themselves from violent extremism, but also specifically to guarding against attacks by once trusted individuals. According to one study:

    The most prominent example is the late Anwar Al Awlaki, the Yemen-based, U.S.-born cleric whose entire strategy revolved around inspiring, inciting, and directing Americans to attack their own country. He did so by using e-mail, blogs, discussion forums, chat rooms, video, and the English-language online magazine Inspire, which told its readers “how to build a bomb in the kitchen of your mom.” Awlaki was the inspiration behind a dozen terrorist plots, and he was closely involved with Major Nidal Hasan, who killed 13 people at Fort Hood in November 2009, the most devastating terrorist attack on U.S. soil after the 11 September 2001 attacks.52

    A German intelligence study of German citizens who left Germany to fight for terrorists found that of those for whom the German government could get data (about half), over 40 percent left within one year of when their radicalization began, rising to 60 percent after the Islamic State declared its caliphate. The development of an interest in political violence rarely relied on the internet alone, however—like-minded friends and people the budding radicals met at mosques were usually quite important in the process.

    The revolutionary transformation in the nature and severity of the insider threat caused by rapid radicalization is particularly important to nuclear security because:

    “Employees are the Achilles’ heel of nuclear installations. Skilled insiders can cause more damage and steal radioactive material more easily than outsiders can. All known cases of nuclear theft appear to have involved insiders, as did several cases of sabotage. The prospect of a terrorist insider has therefore long worried governments and should continue to do so.”53

    These dangers were underscored by two incidents at the Doel-4 nuclear power reactor in Belgium. In the first to be discovered in 2014, an unknown insider opened a locked valve and allowed the lubricant for the turbine to drain out, wrecking the turbine and shutting down the plant for months. As the investigation of that sabotage proceeded, investigators discovered that two years earlier (and hence unrelated to the sabotage), two employees had left to fight in Syria. One of the two, Ilyass Boughalab, left after his background checks were completed and following three years of work at the plant, including access to sensitive areas.54

    As incidents of espionage within the U.S.—and other countries’—military and intelligence services attest, insider threats are not new. However, rapid and difficult-to-detect radicalization fostered by internet communications has presented new challenges—ones which personnel reliability programs so far have failed to address reliably.

    New Technologies. In the struggle between would-be nuclear terrorists and those that seek to thwart them, new technologies, or novel applications of old ones, present significant challenges. These technologies in the hands of adversaries will likely pose an increasing threat to nuclear facilities over the next decade. For self-evident reasons, this report will not detail specific ways new technologies could be employed against nuclear facilities. Nonetheless, technologies of concern include:

    • Small drones which have been used to deliver thermite grenades to attack and destroy multiple ammunition depots in Ukraine;55
    • Artificial Intelligence and machine learning capabilities, which are becoming cheaper and more ubiquitous and may be used to “complete tasks which would otherwise be impractical for humans” or to “exploit vulnerabilities of AI systems deployed by defenders,”56 and,
    • Cyber-attacks, which can be used to undermine control systems, physical security, materials accountability, and personnel reliability programs employed to protect nuclear installations.57

    New Fissile Material Bulk Processing Facilities. Material in bulk form, particularly powders presents particularly difficult security challenges. Materials accountability measures must be very stringent to detect diversions of small quantities over time. All but one of the cases in which fissile material has been seized outside of authorized control involved relatively small amounts of material in bulk form. Hence, a growing number of bulk processing facilities increases the threat of diversion. New such facilities are planned, under construction, or newly on line in China, India, Japan, and Pakistan.

     

    Box: Incidents Related to U.S. Nuclear Weapons in Europe

    In the years since the 9/11 attacks, a series of incidents, each individually minor, have highlighted concerns over security for U.S. nuclear weapons in Europe. An estimated 150 U.S. air-delivered nuclear bombs reportedly exist at six airbases in five countries in Europe (Belgium, Germany, Italy, the Netherlands, and Turkey).i

    Worrisome events include:

    • A few days after 9/11, al Qaeda operative and former professional soccer player Nizar Trabelsi was arrested in Belgium. Trabelsi was later convicted of planning to bomb Kleine-Brogel airbase in Belgium, where U.S. nuclear weapons are reportedly stored; at trial, he testified that an insider at the base had provided al Qaeda with photos of the facility.ii
       
    • In 2008, a U.S. Air Force review team concluded that a “consistent theme” of its visits to bases where U.S. nuclear weapons were stored in Europe was that “most sites require significant additional resources to meet [Department of Defense] security requirements.”iii Several sites received substantial security improvements since then.
       
    • Three times in 2010, peace activists penetrated the Kleine-Brogel airbase that Trabelsi had planned to bomb, in one case penetrating deep into the area of aircraft vaults (though Belgian authorities disagree with the activists over whether they reached the area where the nuclear weapons are stored).iv
       
    • In 2015, two suspected terrorists were arrested in Italy and charged with planning to bomb the Ghedi air base in Italy, another site where U.S. nuclear weapons are reportedly stored.v
       
    • In 2016, at Incirlik air base in Turkey, only 70 miles from war-torn Syria, where U.S. nuclear weapons are also reportedly stored, local authorities cut off power to the base and arrested the base commander and others for alleged participation in a coup attempt. Security concerns at the base are so high that spouses and children of U.S. personnel have been ordered to leave, but the nuclear weapons remain.vi
       
    • In 2017, five peace activists gained access to the Büchel Air Base in Germany where U.S. nuclear weapons are reportedly stored.vii A similar intrusion occurred in 2018, when two U.S. peace activists wearing “weapons inspector” signs cut through the base fencing. They wandered around the facility and climbed atop one airplane hanger with radiation detectors looking for signs of nuclear weapons.viii Security at the base is particularly important, as in 2014 it was one of the targets a German Islamic State activist urged followers to attack.ix
       
    • Finally, as recently as June 2018, peace activists were again arrested for penetrating the fences at Kleine-Brogel.x

    Box Notes:
    i Hans M. Kristensen and Robert S. Norris, “Worldwide Deployment of Nuclear Weapons, 2017,” Bulletin of the Atomic Scientists, Vol. 73, No. 5 (2017), pp. 289-297.
    ii “Al Qaeda Suspect Tells of Bomb Plot,” BBC News, May 27, 2003, http://news.bbc.co.uk/2/hi/europe/2941702.stm (accessed January 12, 2019).
    iii Quoted (and linked to) in Hans M. Kristensen, “USAF Report: ‘Most’ Nuclear Weapon Sites in Europe Do Not Meet U.S. Security Requirements,” FAS Strategic Security Blog, June 19, 2008, https://fas.org/blogs/security/2008/06/usaf-report-most-nuclear-weapon-sites-in-europe-do-not-meet-us-security-requirements/ (accessed January 9, 2019).
    iv Jeffrey G. Lewis, “Another Kleine Brogel Bombspotting,” Arms Control Wonk, October 8, 2010, https://www.armscontrolwonk.com/archive/203017/another-kleine-brogel-bombspotting/ (accessed January 12, 2019); Hans M. Kristensen, “U.S. Nuclear Weapon Site in Europe Breached,” FAS Strategic Security Blog, February 4, 2010, http://www.fas.org/blog/ssp/2010/02/kleinebrogel.php (accessed November 9, 2018).
    v Hans M. Kristensen, “U.S. Nuclear Weapons Base in Italy Eyed by Alleged Terrorists,” FAS Strategic Security Blog, July 22, 2015, https://fas.org/blogs/security/2015/07/ghedi-terror/ (accessed January 9, 2019).
    vi See, for example, Eric Schlosser, “The H-Bombs in Turkey,” The New Yorker, July 17, 2016, https://www.newyorker.com/news/news-desk/the-h-bombs-in-turkey (accessed January 9, 2019).
    vii “Atomwaffengegner Dringen in Fliegerhorst Büchel Ein” [Nuclear weapons opponents penetrate into airbase Büchel], Pfälzischer Merkur, July 26, 2017, https://www.pfaelzischer-merkur.de/region/atomwaffengegner-dringen-in-fliegerhorst-buechel-ein_aid-2485053 (accessed December 18, 2019). We are grateful to Tom Bielefeld for bringing the Büchel incidents and relevant references to our attention.
    viii John LaForge, “Two from US Detained Inside Büchel Air Base During ‘Nuclear Weapons Inspection,’” Duluth Reader, August 9, 2018, http://duluthreader.com/articles/2018/08/09/14231_two_from_us_detained_inside_b_chel_air_base_during (accessed December 19, 2018).
    ix Klaus Brandt, “Bei Allah, Ich Bin Noch Nicht Fertig” [By Allah, I’m not finished yet}, Der Westen, August 7, 2014, https://www.derwesten.de/region/rhein-und-ruhr/bei-allah-ich-bin-noch-nicht-fertig-id9675095.html (accessed December 20, 2018). Quoted in Tom Bielefeld, “Dangerous Radioactive Materials in Reach of Jihadist Militants in Syria and Iraq: Risk Mitigation Options for Governments in Europe and the United States,” unpublished memorandum, October 12, 2014.
    x “Anti-Nuclear Protesters Breach Belgian Air Base,” Agence-France Press, June 10, 2018.

     

    Box: The Hatton Garden Heist

    Burglaries of non-nuclear facilities believed to be highly secure often reveal important lessons for protecting nuclear weapons-usable material against theft. The audacious Hatton Garden Safety Deposit Company heist in downtown London, thought to be one of the largest burglaries in British history, is a good example.i

    The criminal group that carried out the heist spent months planning at a nearby pub. They devoted substantial resources to intelligence collection, spending hours observing the Hatton Garden Safety Deposit Company from across the street, and apparently recruiting an insider who worked at the facility. They even studied the book Forensics for Dummies, looking for tips on how to avoid leaving DNA evidence. On the evening of Thursday, April 2, 2015, four men in their 60s and 70s stole $20 million worth of jewels and other valuables.

    It was Easter weekend, so nobody was expected to be in the bank for days. At around 8:20 pm, the crew, who were disguised as workmen, parked in a white van around the corner from Hatton Garden. At around 9:00, an insider within the bank who the gang referred to as “Basil”—who one of the thieves later claimed was an eccentric ex-policeman who had spent years planning the heist—let them into the facility through the fire escape.

    They descended toward the basement through the building’s elevator shaft. Once in the basement, they disabled one set of alarms so they could retrieve their equipment from their van parked outside, but they accidentally set off another alarm. Security guards arrived at the scene but did not detect the burglars, since they did not look in the elevator shaft; the guards declared it a false alarm.

    Just past midnight on Friday, the thieves began cutting through the vault wall. After breaking through the concrete, they hit the back of the metal vault. About eight hours later, unable to penetrate the metal, they left the facility, but they had not given up.

    On Saturday, April 4, the gang returned after having purchased new equipment. They descended the elevator shaft once again and resumed drilling. The hole they finally drilled to gain access to the vault was 20 inches deep, 10 inches high, and 18 inches wide. They raided 73 safety deposit boxes, stealing nearly $20 million worth of valuables. The gang also took the security camera that monitored the area and the hard drive where its images were stored—but another camera the gang did not notice recorded them entering and exiting the area.

    The gang was under police surveillance mere days after the heist because one of the robbers had used his own white Mercedes car to scout the location on the night of the crime. The gang was arrested within weeks when they tried to gather to divide what they had stolen. Nevertheless, only about a quarter of the stolen items have been recovered.

    This incident offers several lessons for nuclear security. First, theft or attack attempts by a group of well-equipped, well-trained outsiders, with active assistance from an insider and months of intelligence collection and planning, are a credible threat. Second, detection, in the form of an alarm being triggered, is not enough if guards fail to assess correctly that an intrusion is underway. Third, protected areas (such as vaults) require ongoing surveillance. Fourth, once material is out of regulatory control, it can be very difficult to recover it.


    Box Notes:
    i This account is based on Martin Evans, and Tom Morgan, “Hatton Garden Heist: Three Men Found Guilty Over £14m Jewelry Raid - Here’s the Full Story of How They Did It,” The Telegraph, March 7, 2016, https://www.telegraph.co.uk/news/uknews/crime/12094884/Hatton-Garden-jewellery-heist-verdicts.html (accessed January 9, 2019); Martin Evans, “Inside the Hatton Garden Heist Vault: Incredible 360 Photograph Shows the Aftermath of Britain’s Biggest Burglary,” The Telegraph, January 15, 2016, https://www.telegraph.co.uk/news/uknews/crime/12102436/Inside-the-Hatton-Garden-heist-vault-360-photograph-shows-the-aftermath-of-Britains-biggest-burglary.html (accessed November 30, 2018); and Richard Spillett, “Elusive Hatton Garden Lynchpin Known as ‘Basil the Ghost’ is ‘Back in the UK’ Two Years After He Fled Abroad Leaving his Gang to Get Locked Up for the £29million Raid,” Daily Mail, September 12, 2017, https://www.dailymail.co.uk/news/article-4875474/Hatton-Garden-s-mystery-thief-Basil-UK.html (accessed December 1, 2018).

     

     

    Net Assessment

    As discussed earlier, it is very difficult to assess the likelihood of an event that has never occurred. It is, however, easier to analyze relative dangers. Since our last report in 2016:

    • Al Qaeda and particularly the Islamic State have suffered numerous defeats which must necessarily make it more difficult for them to mount the organized effort necessary to perpetrate nuclear terrorism, although their intent to inflict massive damage abides;
    • Rapid and clandestine radicalization of insiders presents a threat that most personnel reliability programs have been unable to address successfully;
    • The pace of seizures of fissile material outside of authorized control appears to have slowed, although what is known publicly about earlier cases offers little confidence that the leaks have been plugged;
    • New technologies, deployments of small, mobile weapons, and construction of bulk processing facilities will offer new opportunities for terrorists to strike and present new challenges for those attempting to defend against them.

    On balance, the combination of nuclear terrorist means, motives, and opportunities presents somewhat less of a threat than it did two years ago. But as past experience makes clear, the future is highly uncertain; the world has likely not seen the last of powerful terrorist groups bent on mass destruction. And as adversaries make increasingly sophisticated use of technologies such as cyber and drones in the future, the threat to nuclear weapons, materials, and facilities could increase. To minimize risk in this uncertain future, continuous and determined efforts to improve security continue to be essential.

     

     


     

    III.  Global Nuclear Security Since 2016: A Progress Assessment

    ← previous section  |  ↑ Table of Contents  |  next section →
    A drone carrying a black box flies near reactor 3 at the Ikata nuclear power plant in Ehime Prefecture, Japan in the nation's first counterterrorism drill to simulate a drone attack on a nuclear facility.  Kyodo
    A drone carrying a black box flies near reactor 3 at the Ikata nuclear power plant in Ehime Prefecture, Japan in the nation's first counterterrorism drill to simulate a drone attack on a nuclear facility. 
    (Kyodo)

    The nuclear security summit process that took place from 2010 through 2016 resulted in unprecedented international cooperation focused on reducing nuclear theft and terrorism risks. That effort built on two decades of previous work, with many countries and international organizations or political groupings taking part.

    Global efforts to reduce the risk of nuclear terrorism have continued after the summits ended. As described below, countries are strengthening national regulations, enhancing security culture at nuclear facilities, and taking further steps to protect against both insider and outsider threats. Despite overall weaknesses in the regime, support for international legal instruments underpinning the global nuclear security efforts continues to grow. Additional countries continue to join international nuclear security legal instruments and initiatives.

    But this progress appears to be slowing. In the past two years, few national leaders have focused on improving nuclear security; international political interest in nuclear security is waning. Some of the countries that face particularly substantial risks have sharply constrained their international nuclear security cooperation, arguing that what they do about nuclear security is their business. The “action plans” agreed to at the 2016 summit have led to little action. Since 2016, existing international forums for discussing nuclear security do not appear to have made substantial steps in broadening acceptance of existing commitments and initiatives; strengthening implementation of those commitments and initiatives; or developing and launching new nuclear security ideas.

    There is clearly more nuclear security work to be done. Serious security vulnerabilities remain in nuclear facilities around the world. Not all nuclear facilities are protected against all plausible threats; many do not have comprehensive, multilayered defenses against insiders; some nuclear security systems are not exposed regularly to rigorous vulnerability assessments and testing; the culture within many nuclear organizations is still not focused sufficiently on security; and nuclear materials remain in far too many locations. The regime underpinning global nuclear security efforts has major weaknesses.

     

    Measuring Nuclear Security Progress

    As the saying goes, not everything that can be counted counts, and not everything that counts can be counted.58 It is easy enough to count how many states have joined particular treaties and initiatives, how many HEU-fueled reactors have converted to less-dangerous low-enriched uranium (LEU), or how many sites have eliminated their HEU or separated plutonium. But it is much harder to assess the real, on-the-ground effectiveness of security and accounting measures for particular nuclear facilities or transports. As discussed in the first section of this report, lack of agreed measures of nuclear security, lack of consensus on how much nuclear security is enough, secrecy, and other issues make nuclear security progress difficult to assess.59

    The purpose of nuclear security should be to sustainably reduce the risk of nuclear theft and terrorism to the lowest practicable level. But we have no direct measure of that risk—which involves the interplay of the effectiveness of security and accounting measures and the capabilities and tactics adversaries might deploy to defeat them. No one really knows what the chances are that adversaries would try to steal nuclear material or cause a major radioactive release from any particular nuclear site or transport. No one really knows what the chances are that such adversaries would use particular tactics or capabilities. No one really knows what the chances are that the security system in place would succeed in stopping such an attempt. No one really knows what the chances are that if adversaries managed to steal nuclear material they would make and detonate a nuclear bomb, or what the chances are of different levels of radioactive release resulting from sabotage or attack.60

    Various types of analysis, assessment, and testing can help in making estimates of what the answers to these questions might be, but the uncertainties are high. Since resources for security are inevitably limited and it is impossible to protect against every imaginable threat, a substantial element of judgment is involved in trying to assess whether additional security investments are needed.

    Though effective nuclear security is needed for all nuclear weapons, weapons-usable nuclear materials, and facilities whose sabotage could cause a major radioactive release, a “one size fits all” approach is not likely to work. Nuclear security systems have to be designed to take different threat environments and national contexts into account. A nuclear security system that reduced risk to a low level in Canada, for example, might leave substantial risks unaddressed if applied to identical nuclear operations in Pakistan, given the different threat environment there. Nevertheless, it is important to come up with indicators of nuclear security progress that are as related as possible to real risk reduction, to guide nuclear security efforts and priorities.

     

    An imperfect overall indicator—and some important sub-indicators

    The best overall indicator of nuclear security progress—though still quite an imperfect one—would be the percentage of sites with nuclear weapons, HEU, or separated plutonium that have either (a) been eliminated entirely, or (b) have sustainable nuclear security systems in place that have demonstrated, using in-depth vulnerability assessments and realistic performance tests, that they can protect against the full spectrum of plausible threats. That indicator assesses, in essence, the fraction of the relevant sites whose risk has either been eliminated or reduced to a low level.

    Several sub-indicators would be useful in assessing how far sites had come toward having strong, sustainable nuclear security systems in place, based on the five key areas of nuclear security outlined in the introduction to this report. In particular, what fraction of the sites and transports around the world with nuclear weapons or weapons-usable nuclear materials, or whose sabotage could cause a major radioactive release have:

    • Security systems in place designed to be effective against the full spectrum of plausible adversary threats at that location?
    • Protections against insider threats that are comprehensive and multi-layered?
    • Focused programs to assess and strengthen security culture?
    • Regular programs for in-depth vulnerability assessment and realistic testing of performance?
    • Been eliminated, or are regularly assessed as to whether their continued benefits outweigh their costs and risks?

    Increases in the fraction of locations that could genuinely answer “yes” to such questions would represent real progress in strengthening nuclear security around the world. International nuclear security programs such as those sponsored by the U.S. government could be targeted on working to increase these fractions over time.

    Governments should seek to assess nuclear security progress with this overall indicator and these sub-indicators. Unfortunately, however, the publicly available information is insufficient for the authors of this report to do so fully. Indeed, no government or international organization in the world currently has complete information for making assessments in these areas for all the world’s nuclear weapons, weapons-usable nuclear materials, or major nuclear facilities.

    Nevertheless, states have made public some information about actions they have taken or plan to take in each of these five key areas of nuclear security. In this section, therefore, this report will assess progress in national-level nuclear security implementation in each of these five areas. After that discussion, the report will assess how international frameworks for nuclear security cooperation and elements of nuclear security leadership are contributing to progress in these areas. While we offer assessments of the overall state of progress, we focus particularly on the progress and obstacles encountered in the two years since the last nuclear security summit.

     

    Protecting Against the Full Spectrum of Plausible Threats

    A range of international instruments calls on states to provide security for their nuclear stocks and facilities that will provide effective protection against their estimate of the adversary threats their nuclear operations might face.61 UN Security Council Resolution (UNSCR) 1540 legally obligates all states to provide “appropriate effective” security and accounting for all nuclear weapons and related materials.62 A strong case can be made that a nuclear security system is only “appropriate” and “effective” if it would be effective in protecting against the full spectrum of threats adversaries might realistically pose—including both insider and outsider threats, and a wide range of potential tactics, from brute force to deception.63 Similarly, the amended Convention on Physical Protection of Nuclear Materials and Facilities requires that all participating states provide security for nuclear materials and facilities “based on their current evaluation of the threat,” while the IAEA’s nuclear security recommendations, INFCIRC/225/Rev. 5, suggest that states base their security systems on regularly updated assessments of the threats those systems face, and design them to provide enough protection to reduce risk to an acceptable level given those threats.64 As this latter thought is a fundamental element of the IAEA’s nuclear security recommendations, it is part of the commitment states make in joining the Strengthening Nuclear Security Implementation Initiative (INFCIRC/869).65

    How are states doing in following these calls for nuclear security measures commensurate with the threat? Most nations with nuclear weapons-usable material have a process in place for assessing the threat and establishing what particular tactics and capabilities operators of different types of nuclear facilities or transports should be required to defend against (known in some cases as the "design basis threat" or DBT). But there is no international agreement on what adversary capabilities and tactics should be included in DBTs. The result is that DBTs differ widely from country to country, and some would clearly not be able to defend against some of the tactics and capabilities thieves and terrorists have demonstrated in non-nuclear thefts and attacks at guarded facilities (see “Demonstrated Adversary Tactics and Capabilities”). Moreover, countries typically keep their DBTs confidential, even from each other, so that strengthening DBTs to cover the full spectrum of plausible threats has not been a major focus of nuclear security cooperation to date.66

    Nonetheless, some governments have made some information about how they have strengthened their DBTs public. To demonstrate transparency and good practices, Canada openly published most of the report of its 2015 International Physical Protection Advisory Service (IPPAS) mission, which highlighted as a good practice Canada’s approach of embedding a unit with access to all-source intelligence on the threat within its nuclear regulatory agency; this helps to ensure that Canada’s DBT, described as “comprehensive,” is up to date.67

    In progress reports at the 2016 Nuclear Security Summit, Finland announced it was revising its national DBT to include cyber threats; Hungary announced that it had already made such a revision; the Netherlands announced that it was implementing a new DBT, and would update its DBT for cyber threats; Nigeria, Ukraine, and Switzerland all announced that they were updating their DBTs; and Poland announced that it was updating its regulations related to its DBT, which were expected to enter into force in 2017.68 At the 2017 IAEA physical protection conference, South Korea announced that in 2015 it had amended its DBT to include air attacks by drones and sea attacks.69 Germany has recently strengthened its DBT and related guidance for protection of nuclear facilities, making them more specific.70

    Sweden, like Canada, released a version of the report from its October 2016 IPPAS follow-up mission report.71 The report noted that Sweden had revised its DBT in 2015, though it did not specify what areas were revised. At the time of the team’s visit, it appeared that the protection in place might not be broad enough, as the report warned that “there continue to be issues regarding police response to nuclear facilities. There is a potential that the current system may not meet the goal of preventing sabotage.” The report noted progress in this area, however, reporting that the Swedish regulator was taking “measures to mitigate this by requiring the [nuclear power plants] to use armed guards.” The Swedish government has also assigned the armed forces to support the police unit protecting nuclear facilities “with a helicopter capability.” The team’s other major concern was that the Swedish regulator had “not been able to completely fulfill all its functions in the areas of development of regulations, conduct of regular inspections, reviews of security plans and reviews of evaluations.” As a result, the team warned, “current regulations do not fully address protection of nuclear facilities from acts of sabotage and protection of nuclear material in transport.” Since then, Sweden has been updating its regulations and has required armed guards at nuclear power plants.72

    Perhaps most important, in 2016, China published a draft of strengthened nuclear security regulations for public comment, after review by the State Council.73 The new regulations would establish a national-level DBT for the first time, replacing a previous system in which each operator developed its own DBT for review by regulators. The new security regulations include a variety of other strengthened requirements as well. In recent years, China has continued to make a variety of physical protection improvements, clearly improving its nuclear facilities' ability to protect against a broad spectrum of threats, though more remains to be done.74

    These announcements reveal that countries have made progress in requiring operators to protect against evolving threats in recent years. But the scale of progress is uncertain. In many countries, the security presence at nuclear facilities is clearly more modest than it is in the United States, and nuclear security expenditures appear to be significantly lower than those in the United States, suggesting that their nuclear facilities and materials are not protected against as broad a spectrum of adversaries as U.S. materials and facilities are. The 2018 Nuclear Threat Initiative (NTI) Nuclear Security Index concludes that many countries remain “poorly prepared” to cope with cyber attacks on nuclear operations, with a third of the countries with weapons-usable nuclear materials not having demonstrably implemented any of the cyber controls the index examined.75 Beyond cyber, it is unclear to what extent DBTs have been amended to incorporate some of the other realistic threats discussed in this report. There are no multilateral (and few bilateral) forums where states discuss threats their nuclear security systems may face. Moreover, in the case of cyber vulnerabilities, risks may be increasing as nuclear facilities transition from analog to digital systems and cyber attacks become more frequent and sophisticated.76

     

    Box: The Hatton Garden Heist

    Demonstrated Adversary Tactics and Capabilities

    Thieves and terrorists have used a wide range of tactics and capabilities in non-nuclear thefts and attacks around the world. Nuclear weapons, HEU, separated plutonium, and major nuclear facilities should be protected against similar tactics and capabilities—as well as emerging threats that are plausible for the near-term future. Adversary tactics and capabilities in recent incidents include:

    • Well-armed, well-equipped teams with military-style training and tactics and access to aerial vehicles such as drones or helicopters (e.g., the 2009 Västberga cash depot heist in Sweden);i
       
    • Employing deception with fake uniforms, identification cards, or vehicles intended to look like police or security vehicles (e.g., the 2017 Tambo Airport heist in South Africa, where a group of armed robbers wearing police uniforms, driving a car disguised as a police vehicle, and carrying “Airports Company South Africa” identification cards stole millions of dollars from the airports “highly secure” cargo area);ii
       
    • Use of prolonged intelligence collection, planning, and specialized tools and skills to overcome many layers of security (e.g., the 2003 Antwerp Diamond Center heist in Belgium and the Hatton Garden heist);iii
       
    • Insider-outsider and insider-insider conspiracies (e.g., the 2004 Swissport Heathrow heist);iv
       
    • Tunneling to bypass security systems (e.g., multiple prison breaks and bank heists);v and
       
    • Cyber-attacks (including on nuclear facilities), including cyber-attacks used in conjunction with physical thefts (e.g., a case in which pirates used a cyber attack to identify which shipping containers on which ships held the items they wanted to steal).vi

    Unfortunately, experts in many countries are skeptical that these tactics could be used on nuclear facilities.vii Sharing information on incidents that reveal potential adversary capabilities and tactics, and DBT information that is either non-sensitive or can be shared confidentially, can help dispel this skepticism, help states learn from each other about how to strengthen their nuclear security systems, and provide assurances about the effectiveness of those systems. In some industries—such as casinos, civil aviation, and cybersecurity—sharing of information on incidents and lessons learned to improve security is widespread. Unfortunately, little such sharing about nuclear security incidents takes place today.


    Box Notes:
    i See Matthew Bunn, Martin B. Malin, Nickolas Roth, and William H. Tobey, Advancing Nuclear Security: Evaluating Progress and Setting New Goals (Cambridge, Mass: Project on Managing the Atom, Belfer Center for Science and International Affairs, Harvard Kennedy School, March, 2014), https://www.belfercenter.org/sites/default/files/legacy/files/advancingnuclearsecurity.pdf (accessed June 13, 2018), p. 8.
    ii See “The Shocking Inside Story of the R200m OR Tambo Heist,” Rand Daily Mail, March 9, 2017, https://www.news24.com/SouthAfrica/News/7th-suspect-charged-in-connection-with-or-tambo-heist-20170328 and Jeanelle Greyling, “7th Suspect Charged in Connection with OR Tambo Heist,” News 24, March 28, 2017, https://www.news24.com/SouthAfrica/News/7th-suspect-charged-in-connection-with-or-tambo-heist-20170328 (accessed January 9, 2019).
    iii See Jarret M. Lafleur, Liston K. Purvis, and Alex W. Roesler, The Perfect Heist: Recipes From Around the World, Vol. SAND-2014-1790 (Albuquerque, N.M.: Sandia National Laboratories, April 2014), p. 83.
    iv See Lafleuer, Purvis, and Roesler, The Perfect Heist, p. 97.
    v See Bunn, Malin, Roth, and Tobey, Preventing Nuclear Terrorism, pp. 72-73.
    vi This case is described in Verizon, Data Breach Digest: Scenarios From the Field (New York: Verizon, 2016), http://www.verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf (accessed November 14, 2018), pp. 55-57. In combined cyber and physical thefts and assaults, cyber means could be used to disable key elements of physical protection systems (which are now increasingly digital); to alter nuclear material accounting and control records; to turn off key intrusion detection systems; to sabotage facilities; to create confusing and distracting events to disrupt security forces; and more.
    vii For example, see Matthew Bunn and Eben Harrell, Threat Perceptions and Drivers of Change in Nuclear Security Around the World: Results of a Survey (Cambridge, Mass: Project on Managing the Atom, Belfer Center for Science and International Affairs, Harvard Kennedy School, March 2014), http://belfercenter.ksg.harvard.edu/files/surveypaperfulltext.pdf (accessed October 29, 2018), pp. 22-23.

     

    Comprehensive, Multilayered Protection Against Insider Threats

    Nuclear security systems should be designed to protect against all threats, but insider threats, in particular, pose the gravest dangers and the most challenging ones to address. Nearly every publicly documented case of nuclear theft and sabotage at a nuclear facility where the specifics are known was carried out by insiders or with the help of insiders.77 Insiders have authorization to pass through many of the layers of the security system; they may have detailed knowledge of the security system and its weaknesses; they are known and trusted by other employees, making them less likely to be suspected and more able to recruit others; and they may have months or years to observe vulnerabilities and plan their efforts to exploit them. As INFCIRC/225/Rev. 5 puts it, insiders “could take advantage of their access rights, complemented by their authority and knowledge, to bypass dedicated physical protection elements or other provisions, such as safety procedures.”78

    As with broad protection, effective protection against insiders is already the subject of IAEA recommendations (and hence part of the INFCIRC/869 commitment). INFCIRC/225/Rev. 5 calls for physical protection systems to protect against both insider and external adversaries.79 The IAEA also offers technical guidance on steps to protect against insider threats, as does the World Institute for Nuclear Security (WINS).80

    At the 2016 Nuclear Security Summit, more than two dozen nations, including more than half the countries with nuclear weapons-usable material on their soil, signed onto the “Mitigating Insider Threats” gift basket, now formalized as INFCIRC/908. INFCIRC/908 lists a wide range of steps that states might take to address insider threats, though participants are not committed to implement each one. Participants also pledge to help develop “an advanced, practitioner-level training course on preventive and protective measures against insider threats.”81 Only one country, Malaysia, has joined this initiative since 2017, however, and little public data is available on particular steps states have taken to implement it.

    While insider incidents at nuclear facilities are not a common occurrence, there have been examples in recent years that highlight the potential. For example, in 2014, an insider at the Doel-4 nuclear power plant in Belgium—still unidentified as of 2018—opened a locked valve and allowed all the turbine’s coolant to drain out, causing the turbine to overheat and destroy itself. Investigations revealed that long before the incident—and therefore unrelated to it—two plant employees had left to fight for terrorists in Syria. In early 2018, scientists at a Russian nuclear weapons lab were arrested for using the facility’s supercomputers to mine bitcoins.82 While that case did not involve any nuclear material, it raises the question of what else these insiders might have been willing to do for money. Data on major non-nuclear thefts from guarded facilities suggests that most cases involve an insider and that cases involving more than one insider are common.83

    A truly effective nuclear security system must be able to protect against sophisticated individuals, multiple insiders working together, and insiders working with outsiders. This requires a comprehensive, multilayered approach, rather than relying on only one or two protections; the goal should be to maximize the scale and complexity of the challenges insiders would have to overcome to achieve their aims. Effective strategies for preventing insider threats include background checks before granting access and ongoing monitoring after access is permitted; strong incentives for staff to report any concerning behavior, or any potential vulnerabilities they observe; effective programs to address employee disgruntlement; regular training programs focused on protecting against insider threats, including real stories of insider incidents, to give management and staff a feel for the reality of the problem; nuclear material accounting that is accurate and timely enough to detect either a rapid or a protracted theft, identify when and where it happened, and establish who had access then; constant surveillance of nuclear material, and of vital areas that might be sabotaged; two-person or three-person rules whenever people have access to weapons-usable nuclear materials or vital areas, so that nobody is ever alone with weapons-usable nuclear material or in a vital area; physical protection systems consciously designed to handle both insider and outsider threats (including insiders and outsiders working together); and regular tests, assessments, and inspections to ensure the effectiveness of the insider protection program in place.

    What progress are countries making in improving protection against insider threats? Several countries have approved new laws or regulations to address insider threats since early 2016.

    Japan, for example, adopted new regulations in 2016 requiring private operators of nuclear power facilities to implement background checks before giving employees access to weapons-usable nuclear material or sensitive nuclear security information. But the checks, to be done by each company, rather than by the government, will be based on information reported by the employees themselves, with limited ability for the companies to get information from the government on employees criminal records or connections to terrorists (and with no prior experience on the companies’ part in performing such checks).84 It is voluntary, not mandatory, for employees to provide the information needed for the check.85 Labor unions strongly opposed more effective background checks on privacy grounds, though much more extensive reviews have long been in place for Japanese citizens wanting a license for a gun.86 Beyond background checks, Japan’s new regulations also require two-person rule and security cameras in sensitive areas, to help protect against insider adversaries.

    Canada has published new regulations on controlling alcohol and drug use among nuclear workers at high-security sites and has updated other fitness for duty requirements.87 This appears in part to have been a response to a suggestion in the 2015 IPPAS review of Canada’s nuclear security practices, which “strongly encouraged” drug and alcohol testing for people gaining access to secure areas.88

    In Germany, in September 2016, German regulators updated the DBT for nuclear transports in 2016, and the guidance for licensees on required protection measures against those threats in 2018. The new transport guidelines include new requirements for personnel, including trustworthiness checks. As of early 2018, German regulators were reviewing the DBT requirement for fixed nuclear facilities; that review could result in more specific insider threat requirements there as well.89

    In the United States, after the Chelsea Manning and Edward Snowden leaks of classified information, President Obama directed all agencies to meet minimum standards for insider threat protection and established a national-level group to assist agencies in strengthening their insider threat programs. For the Department of Energy (DOE) nuclear complex, DOE issued a new order on insider threat protection in 2014.90 Since then, DOE has required each major facility to establish a “Local Insider Threat Working Group,” including officials handling security, counter-intelligence, human resources, legal affairs, and more.91 These efforts have led to a significant increase in focus on insider threats at DOE facilities.

    Dealing with the insider threat is a complex question requiring further analysis. Hence, the Swedish Radiation Safety Authority established a working group with the Swedish Defense University “to assess and implement ways to deal with insider threat[s].”92

    After the insider sabotage at the Doel-4 nuclear power plant in 2014, Belgium strengthened its requirements for insider threat protection substantially, including additional security cameras in sensitive areas, enhanced screening, and more use of two-person rule.93 At the 2016 summit, Spain announced that it had amended and updated its regulations for the physical protection of nuclear materials and facilities to address insider and cyber threats.94

    At the 2016 nuclear security summit, Belgium, Egypt, Finland, and Israel reported conducting courses or workshops on countering insider threats; the Centers of Excellence in several countries provide regular courses on insider issues; and both U.S.-sponsored nuclear security programs and the IAEA provide insider threat training in many countries.

    In short, there has clearly been progress in strengthening protection against insider threats since the end of the nuclear security summit process. But there are still significant gaps that must be addressed. Serious incidents involving either insider threats or inadequate protection against insider threats at nuclear facilities continue to occur. For example, in October 2014 at the Madras Atomic Power Station in India, a nuclear security officer shot and killed three men and wounded two others using a 9mm sub-machine gun that he had obtained from the facility’s armory.95 Moreover, many of the countries with enough weapons-usable nuclear material for a bomb did not sign the non-binding summit commitment on insider threats, including six of the nine countries with nuclear weapons.96

     

    In-Depth Vulnerability Assessment and Realistic Performance Testing

    Many security systems look to be effective on the surface, but could actually be defeated by intelligent adversaries looking for their weak points. There have been numerous non-nuclear cases in recent years where apparently formidable security systems were proven to be more vulnerable than previously thought, and mock adversaries in tests at nuclear facilities have often found ways to defeat the security systems in place.97 As security expert Roger Johnston has argued, “the ease of defeating a security device or system is proportional to how confident/arrogant the designer, manufacturer, or user is about it.”98

    Here, too, the issue of realistic assessment and testing is already the subject of IAEA recommendations (and hence is part of the INFCIRC/869 commitment for states participating in that initiative). INFCIRC/225/Rev. 5 recommends that nuclear operators have quality assurance programs to ensure that security systems can effectively protect against the design basis threat. Further, it recommends that these programs should include force-on-force exercises conducted at least annually.99

    To be genuinely effective, such quality assurance programs should include several other key elements. First, nuclear operators should carry out regular, in-depth vulnerability assessments. These should be done by “red teams” whose job is to find security vulnerabilities and propose solutions. These teams should include individuals with a creative, “hacker” approach. They should have incentives to find vulnerabilities and be protected from potential organizational backlash.

    Second, operators and regulators should carry out a variety of forms of performance testing, from testing whether particular pieces of equipment are functional to testing whether the entire system can defend against intelligent adversaries (insiders and outsiders) trying to find ways to defeat it.

    Realistic performance testing is a particularly important tool at nuclear facilities, where guards can go their entire career without witnessing an actual threat. Such tests can expose weaknesses, combat complacency, strengthen security culture, foster better understanding of threats, and in some cases can convince policymakers of the need for stronger security arrangements.100

    There are many ways to conduct performance tests. For example, table-top exercises using “battle boards” are sometimes used to help security officers think through how they would respond to different types of threats. Table-tops or computer simulations are particularly appealing because they are less expensive and time-consuming and make it easier to examine scenarios that go beyond a facility’s DBT.

    But table-top exercises are not an effective method of testing how guards would react in a realistic situation. For that and other reasons, as INFIRC/225 suggests, full-scale force-on-force exercises, in which groups pretending to be adversaries attempt to defeat the security system, are also needed. A realistic force-on-force exercise is an opportunity to see how a security system would actually respond to an intelligent, well-equipped, insider or outsider threat employing a range of tactics. Unlike table-tops, a force-on-force can be expensive and time-consuming to plan, require dozens of people, and interfere with normal facility operations. It can also expose embarrassing security deficiencies. As a result, some nuclear operators argue against requirements for regular, realistic force-on-force exercises, or try to make them less realistic; recently, the U.S. nuclear industry succeeded in convincing the Nuclear Regulatory Commission (NRC) to slim such exercises from testing three possible attack scenarios to only one, and from two NRC-conducted exercises every three years to one, with another licensee-conducted exercise that would be reviewed by the NRC.101 (In one recent U.S. case, an operator complained that they had not been warned in advance of the possibility that an attacker would throw a rock at the defenders—as though real adversaries would provide such warnings.)102 It was not until 2010, in the fifth revision, that INFCIRC/225 recommended regular force-on-force exercises, though such tests had been regular practice in some countries for decades.

    Many countries have been slow to adopt force-on-force exercises as a tool, but there has been some evidence of progress in recent years. In 2008, the Canadian Nuclear Safety Commission created the Canadian Adversary Testing Team to serve as adversaries during force-on-force exercises, and this force carries out force-on-force exercises every two years at each major nuclear facility.103 China’s draft nuclear security regulations, released for public comment in 2016 but not yet in force, call for annual assessments of the effectiveness of security systems for sites with weapons-usable nuclear material, and also for conducting realistic security exercises (interpreted by Chinese experts as meaning force-on-force exercises) regularly.104 China, however, has not yet begun a substantial program of force-on-force exercises. In 2014, Slovenia conducted unannounced force-on-force exercises—where the defenders did not know it was only an exercise—at its nuclear power plant, something rarely done because of safety concerns.105 It then conducted an announced force-on-force exercise in 2015. These tests identified seven areas for improvement and fourteen recommendations, resulting in a new security training program. In 2015, South Korea began conducting force-on-force exercises at its nuclear power plants.106 This followed Japan’s beginning to require such exercises after 2010.107 At the 2016 Nuclear Security Summit, the Netherlands and Austria emphasized force-on-force exercises in their progress reports.108

    These are positive indicators, but several countries that possess weapons-usable nuclear material have not yet adopted force-on-force exercises (including India and, for the moment, China, among others), and for those that have, too little public data is available to assess how realistic or rigorous these tests actually are.109

     

    Strong Security Cultures

    A strong security culture, in which everyone is vigilant and constantly on the lookout for threats, vulnerabilities, and opportunities to improve security, is crucial to preventing nuclear theft or sabotage. Gen. Eugene Habiger, the former commander of U.S. strategic nuclear forces and security “czar” at the DOE said, “good security is 20 percent equipment and 80 percent culture.”110

    The now-famous July 2012 break-in at the Y-12 nuclear facility in the United States, involving an 82-year-old nun and two other protesters in their 60s, provides a good example of the vulnerabilities that can be created by a weak organizational security culture. The facility had recently installed a new security system but had tried to save money by leaving some of the old system in place. The result was a tenfold increase in false alarms. Normally the compensatory measure would have been to use cameras to check whether the alarms were false or real—but the cameras in some areas had been broken for months without being placed on the priority list to be fixed. Instead, guards were supposed to go out and check each alarm—but it appears they had gotten tired of doing so. The intruders set off alarm after alarm, but they were able to proceed directly to the building where most U.S. HEU is stored, pour blood on it, pound on it with sledgehammers, and sing protest songs before finally being accosted by a single guard. (The heavily armed guards inside the building heard the pounding but assumed it was pre-dawn construction and did not bother to check.)111

    Security culture, too, is already a major focus of IAEA recommendations (and therefore included in the commitments states make in joining INFCIRC/869). INFCIRC 225 Rev. 5 recommends that “[a]ll organizations involved in implementing physical protection should give due priority to the security culture, to its development and maintenance necessary to ensure its effective implementation in the entire organization.”112 To achieve this “due priority,” every organization handling nuclear weapons or weapons-usable nuclear material, or managing a major nuclear facility, should have in place a targeted program to (a) assess their security culture regularly; and (b) seek to strengthen their security culture over time.

    Virtually no data are available to assess progress in strengthening security culture in nuclear organizations all over the world. Indeed, it is difficult for organizations to assess the strength of their own security cultures.113 Possible indicators of security culture progress could include:

    • Whether organizations managing nuclear weapons, separated plutonium, HEU, or major nuclear facilities potentially vulnerable to catastrophic sabotage have targeted programs in place to strengthen security culture and to assess their progress in doing so;
    • The degree of improvement in attitudes and behavior of staff such programs have achieved, as measured in surveys and self-assessments; and
    • The degree to which national policymakers involved in nuclear security decisions express belief in the threat and the need for action to improve nuclear security—and the degree to which they back that up by allocating resources and approving stringent nuclear security requirements.114

    By these measures, there has been important progress in recent years on security culture in key countries with nuclear facilities and weapons-usable materials:

    • Japan’s Nuclear Regulation Authority (NRA) has made strengthening nuclear security culture a priority in recent years. Japanese regulations now require operators to have programs to strengthen security culture within their organizations. In January 2015, the NRA developed a “Code of Conduct on Nuclear Security Culture” for NRA staff. It emphasized, among other things, awareness of threats, senior management involvement, education, and self-improvement. As one initiative, NRA commissioners themselves walk through facilities with senior plant executives to discuss opportunities for strengthening security culture. The NRA has also distributed self-assessment questionnaires to all operators, who then develop their own self-evaluation procedures.115
    • Similarly, the Republic of Korea established policies and guidelines on strengthening nuclear security culture.116
    • In 2016, Indonesia opened the BATAN Center for Security Culture and Assessment that conducts research, training, and outreach related to security culture; assesses nuclear and radiological facilities; and promotes sharing of best practices. Indonesia (which no longer has any weapons-usable nuclear material) was the first country to pilot the IAEA’s security culture self-assessment approach.117
    • The Canadian Nuclear Safety Commission appointed a dedicated officer responsible for security awareness. The Canadian company Bruce Power has recognized security culture as a priority. Bruce Power provides security awareness training to all personnel. Emergency and Protective Services provide regular intelligence briefings for safety personnel to ensure managers from different departments understand the importance of security for all operations.118
    • The British National Nuclear Laboratory received an average score of 62 out of 100 in the security culture survey conducted in 2013. When the same survey was conducted again in 2017, the average score was an 84, which meant that “employees believe the mechanisms that shape security culture are working well.”119
    • Indian nuclear facilities have begun conducting periodic seminars and workshops focused on security culture. This has caused some to observe that nuclear facility personnel are becoming more thoughtful about security and potential threats, including insiders.120

    Despite this laudable progress, there is significant work to be done to strengthen nuclear security culture around the globe. Most nuclear organizations have no specific program in place to strengthen security culture, or to assess whether and where it needs to be strengthened.

    In Germany, for example, an IAEA-led review suggested that the state “consider promoting nuclear security culture and encouraging all organizations involved in nuclear security to establish and maintain one.” The mission also recommended that Germany “develop nuclear security culture guidelines applicable to all organizations and based upon existing practices at the operator’s level.”121 (The regulator in one of the German states, however, has been requiring operators to put in place programs to strengthen security culture.)122

    Brazilian nuclear security experts have identified challenges to promoting nuclear security culture that include lack of resources and personnel; inadequate management commitment; limited staff involvement; and lack of national regulations and standards with “explicit requirements and goals” for nuclear security.123 The very identification of these issues—which are widespread, and by no means unique to Brazil—provides the basis for action to address them.

    The United States, which has long been a leader on many nuclear security issues, has few programs in place to strengthen nuclear security culture within its own facilities. Asked at IAEA nuclear security conference why the NRC was not doing more on security culture, as some other regulatory agencies are, an NRC commissioner pointed to the NRC’s policy statement on safety culture, which notes also the importance of security and of integration of the two.124 Although the Y-12 incident clearly reflected a major breakdown in security culture, NNSA has not launched a major security culture improvement program.

    In addition, complacency about the threat, and the security measures already in place—the enemies of strong security cultures—remains widespread. As just one example of a broader global phenomenon, while there have been major security incidents at Indian nuclear facilities, the Indian government released a document during the nuclear security summit process declaring that “not a single serious security incident has taken place in more than five decades of the Indian nuclear programme.”125

    In short, what little information is available on nuclear security culture suggests noticeable continuing progress, but considerable need for further action around the world.

     

    Consolidating Nuclear Weapons and Weapons-Usable Nuclear Material

    One of the most effective strategies for reducing the risk of nuclear theft is to consolidate nuclear weapons and nuclear weapons-usable material to fewer sites. Every facility that eliminates its nuclear weapons, HEU, or separated plutonium is one less potential target that needs to be protected against theft. Thus, eliminating excess facilities with nuclear weapons and weapons-usable material helps to strengthen nuclear security and reduce its cost.

    The participants in the nuclear security summit process recognized the importance of consolidating nuclear weapons-usable material. During the 2014 summit, they agreed that it was of “great importance” that plutonium and HEU be “appropriately secured, consolidated, and accounted for” (emphasis added), and they encouraged all states to minimize their use and stocks of HEU and “to keep their stockpile of separated plutonium to the minimum level.”126 The focus on consolidation was reaffirmed at the 2016 Nuclear Security Summit, where nearly two dozen countries committed in a gift basket to concrete steps to consolidate HEU and minimize its use, with the eventual goal of eliminating its use altogether. The gift basket identified that “HEU minimization is a form of permanent threat reduction and an integral component of the global effort to combat the threat of nuclear terrorism.”127 That gift basket has been opened to all states, as INFCIRC/912.128

    Global stocks of weapons-usable material—both civilian and military—remain high. By early 2017, there were some 1,340 (+/-125) tons of HEU and 520 (+/- about 10) tons of separated plutonium in the world, for a total of roughly 1,860 tons (with an estimated range from 1,725-2000 tons, located in some two dozen countries.129 Stocks of separated plutonium continue to grow (mainly in the civil sector), and with the end of the U.S.-Russian HEU Purchase Agreement in 2013, HEU stocks are only declining very slowly.130

    While a total of 57 countries have possessed nuclear weapons-usable materials at some point during the nuclear age, 32 countries plus Taiwan have eliminated all of the weapons-usable material from their soil. See Table 1.

     

    Table 1: Country Cleanouts by Year131

     

    Scores of locations where HEU or separated plutonium once existed have been cleaned out. Nevertheless, nuclear weapons, HEU, or plutonium are still located in hundreds of buildings in the remaining 24 countries, and the pace of consolidation appears to be in decline, in several categories discussed below.132 See Table 2.

     

    Table 2: Countries with Weapons-Usable Nuclear Material on Their Soil133

    Note: Bolded countries either acknowledge possessing nuclear weapons or are reported to possess them.

    * As noted earlier, it is uncertain whether less than two kilograms of plutonium may remain in Switzerland.

    ** Turkey does not have any HEU or separated plutonium under its control. It reportedly does, however, host U.S. nuclear weapons.
     

    Nuclear weapons and military-purpose nuclear materials. There are an estimated 14,500 nuclear weapons remaining in the world, located at 107 sites in 14 countries.134 Moreover, roughly 85 percent of the world’s stocks of fissile material is in military programs—though only a fraction of that is contained in the assembled nuclear weapons themselves. The majority of these weapons, just over 9,300, remain in military stockpiles, either deployed and ready for use or in reserves; the rest are retired and awaiting dismantlement.

    During the Cold War, the United States and the Soviet Union both possessed dramatically larger numbers of nuclear weapons, at much larger numbers of locations around the world. Since then, both the United States and Russia have substantially reduced both their numbers of nuclear weapons and the number of locations where they are stored. France and Britain have also reduced their much smaller nuclear weapons stockpiles. Today, with the exception of approximately 150 U.S. nuclear bombs in Europe, all nuclear weapons are in the countries that own them or on submarines at sea.135

    The United States, Russia, and other nuclear powers are modernizing their nuclear arsenals. India and Pakistan’s stockpiles of nuclear weapons and materials are growing, and India and Pakistan are increasingly shifting to tactical nuclear weapons. North Korea may now have enough nuclear weapons-usable material for dozens of nuclear weapons and appears to be continuing to produce more, despite the vague Singapore summit statement about denuclearization.136 (Almost nothing is known about North Korea’s nuclear security arrangements.)

    The urgency of consolidating and strengthening security for military-purpose stocks is evident, even in countries that are thought to have high levels of security. For example, in April 2018, seven activists broke into the Kings Bay Naval Submarine Base in the United States, which houses six ballistic missile submarines, carrying hammers and baby bottles of their own blood and smeared either red paint or blood on the walls of buildings. According to one account, they went to three locations on the base, including nuclear weapons storage bunkers.137 In 2017, the deputy director and Chief Engineer of Elektroprimbhor, one of the two remaining Russian nuclear weapon assembly and disassembly plants, was arrested and convicted for taking bribes to the tune of millions of dollars.138

    Despite the continuing need for work to improve security for military-purpose stocks, there has been relatively little international cooperation focused on them. Most international agreements and recommendations related to nuclear security apply only to civilian materials. Although military stocks were referenced in summit communiques, the nuclear security summit process did not focus on protection or consolidation of them. The United States and Russia once had extensive cooperation on security for nuclear weapons and weapons-usable materials, including military-purpose stocks, but that cooperation is almost entirely suspended. The United States continues to cooperate with Pakistan on nuclear security; has closed-door dialogues on the subject with both Britain and France (allies with whom the United States has agreements for sharing classified information related to nuclear weapons); and has broader nuclear security dialogues, not specifically focused on military-purpose stocks, with China and, to a lesser extent, India.

    Unfortunately, while both the United States and Russia continue to reduce their total nuclear weapons stockpiles slowly even as they modernize their nuclear forces, there appear to be no current plans for further consolidation in any of the states that possess nuclear weapons. The United States and Russia, the countries with the world’s largest stocks of nuclear weapons and fissile materials for military use, deserve more detailed examination.

    Consolidation of U.S. stocks. The remaining locations for U.S. nuclear weapons include intercontinental ballistic missile (ICBM) silos, submarines, and a reported 18 storage locations, 12 in the United States and six in five countries in Europe.139 The United States has also consolidated its nuclear weapons-usable material in recent decades. Only two privately owned sites—HEU fabrication facilities producing naval fuel in Erwin, Tennessee and Lynchburg, Virginia—still have licenses to handle Category I quantities of weapons-usable nuclear material.140 Only four NRC-licensed civilian reactors still use HEU fuel.141

    Government-owned material is handled by DOE and the Department of Defense (DOD).142 DOD has only a few naval training reactors and testing reactors with weapons-usable nuclear material. DOE, which manages the U.S. nuclear weapons complex, the U.S. naval reactor program, and major nuclear research facilities, currently has eight sites with Category I and II weapons-usable nuclear material: the Los Alamos National Laboratory, the Pantex Plant, the Y-12 National Security Complex, the Nevada National Security Site, the Hanford Site, the Idaho National Laboratory, the Savannah River Site, and the Oak Ridge National Laboratory. DOE eliminated Category I and II material from Lawrence Livermore and Sandia National Laboratories; from the now-closed Rocky Flats facility that once produced plutonium weapons components; and from a substantial number of the buildings at remaining DOE sites. In particular, all HEU was removed from the difficult-to-defend TA-18 facility at Los Alamos to the highly secure Device Assembly Facility in Nevada.

    It appears, however, that consolidation of weapons-usable nuclear materials in the United States has effectively come to a halt, or at least to a prolonged pause. As discussed below, the remaining U.S. HEU-fueled research reactors are not expected to be converted to LEU for more than a decade, because of delays in developing the high-density LEU fuels that would make conversion possible—and some in Congress have tried to block spending money on the conversion.143 Consolidation in the U.S. nuclear weapons complex has effectively ceased—though NNSA does plan to remove all HEU from one aging and difficult-to-defend building at Y-12 in fiscal year 2022.144 NNSA recently announced a plan to carry out production of plutonium “pits” for nuclear weapons at two sites rather than one, arguably expanding rather than contracting the number of locations processing weapons-grade plutonium.

    The U.S. HEU downblending program has slowed to a pace of roughly two tons per year, and the U.S. program to reduce its plutonium stockpiles remains mired in controversy. Both the Trump and Obama administrations have sought to cancel the project to build a MOX fuel fabrication plant to turn 34 tons of plutonium into reactor fuel, due to its exorbitant costs. Both administrations have instead supported a less expensive alternative called “dilute and dispose” that involves blending the plutonium with inert material to make it harder to recover and then storing the result until it can be disposed of in a nuclear waste repository like the WIPP in New Mexico. This proposal would mean fewer jobs in South Carolina, however, and the state’s government and congressional delegation have pushed back, introducing legislation intended to block the dilute-and-dispose strategy, while the state government has sued DOE. In 2018, Secretary of Energy Rick Perry certified to Congress that the dilute-and-dispose process would cost less than half as much as MOX—as Congress had required before MOX could be canceled. In October 2018, an appeals court lifted a lower court’s injunction that had blocked DOE from canceling the MOX program, and DOE quickly informed the contractor it was terminating work.145 MOX supporters have not given up on blocking the termination, however, and there are major controversies over whether WIPP will have enough room to accommodate the blended material. In the meantime, however, MOX construction workers are already being laid off.146 The shift from MOX to dilute-and-dispose will mean less complex bulk processing of plutonium, less transport of fabricated MOX, and less storage of fabricated MOX at reactor sites.

    Consolidation of Russian stocks. While Russia has also eliminated many nuclear weapon sites, it continues to have nuclear weapons at ICBM silos, on submarines, and stored at an estimated 48 separate locations—almost three times as many as the United States, its nearest competitor.147 Russia appears to have no plans for further consolidation of its nuclear weapons stockpile.

    Russia has declined further cooperation with the United States on consolidating nuclear materials within Russia or blending down more HEU, but it continues limited consolidation on its own. For example, weapon-grade uranium metal was removed from the BFS critical assembly at the Institute for Physics and Power Engineering (IPPE) in Obninsk.148 The U.S.-Russian HEU purchase agreement has ended, Russia terminated joint work on converting Russian HEU-fueled reactors to LEU, and Russia suspended their participation in the plutonium disposition agreement.149 Russia continues to have the world’s largest number of buildings with HEU or separated plutonium, and Russia has no focused programs in place to consolidate these stocks to fewer locations.

     

    Bulk processing facilities

    Almost all of the confirmed thefts of plutonium and HEU have taken place at facilities that process large quantities of weapons-usable nuclear material. Because it is incredibly difficult to accurately measure the enormous quantities of nuclear material that flow through such bulk processing facilities each year, it is easier for insiders to remove material without detection at a bulk processing facility. Hence, reducing the scope of bulk processing and the number of bulk processing facilities in the world should be a key part of the nuclear security agenda.

    Since the end of the Cold War, the United States and Russia have each closed some bulk processing facilities and ended the production of military plutonium. (Their military HEU production ended earlier.) The end of the HEU Purchase Agreement ended the bulk processing and rail transport of tens of tons of HEU every year in Russia (though it also ended large-scale reductions in Russia’s HEU stockpile).

    But, with the important exception of the United Kingdom, this consolidation of bulk processing also appears to have largely come to an end. The United States has no HEU or plutonium production, but is working to reestablish fabrication of plutonium and HEU weapons components and continues to operate two HEU fuel fabrication operations for naval fuel and HEU research reactor fuel. As noted above, the dilute-and-dispose approach, if it moves forward, would involve less complex bulk processing than the MOX approach would have required, along with less transport of plutonium, but it does involve ongoing bulk processing of plutonium for many years to come. Russia continues to operate a large plutonium reprocessing plant and plutonium and HEU weapons component fabrication facilities at Mayak, HEU fuel fabrication operations elsewhere, and has restarted small-scale production of new HEU for export as research reactor fuel.150 Russia has completed a MOX plant for fueling its BN-600 fast neutron reactor and plans a nuclear future based on reprocessing and a closed fuel cycle, which would require bulk processing on a large scale.

    Japan still plans to open the Rokkasho plutonium reprocessing plant in 2021, a major step to expand, rather than reduce, bulk processing of plutonium.151 This plan comes despite a recent pledge to reduce its stockpile of roughly 47 tons of separated plutonium (nearly 10 tons of which is in Japan, with the rest stored at reprocessing plants in Britain and France); despite huge delays and cost overruns at Rokkasho; despite the lack of any actual need for the plutonium Rokkasho would produce; despite the existence of cheaper and safer alternatives for spent fuel management; and despite widespread public and international criticism.152 Japan is also building a MOX plant next to the Rokkasho reprocessing plant, to make use of the plutonium separated there; the MOX plant, if successful, will involve additional bulk processing of plutonium.

    France continues to operate its large reprocessing operation at La Hague and its MELOX MOX fabrication facility. (France is the only country successfully fabricating MOX fuel for light-water reactors today.)

    Pakistan continues to operate four plutonium production reactors and associated reprocessing plants, and Islamabad appears to be expanding its uranium enrichment capacity. India, similarly, continues to expand its plutonium production and reprocessing capacity and its enrichment facilities.153

    The Chinese government, in 2015, approved construction of a “demonstration” reprocessing facility that will process 200 tons of heavy metal per year. The facility is scheduled to go on-line in 2025. China has also been in negotiations for more than a decade with the French company Orano (formerly Areva) to purchase a commercial reprocessing plant capable of reprocessing 800 tons of spent fuel annually. China and Orano have not reached an agreement on price. If the facility moves forward, planners are envisioning construction beginning in 2020, though siting has been problematic because of protest from Chinese citizens.154

    The one country with a major consolidation of bulk processing is the United Kingdom. The Thermal Oxide Reprocessing Plant (THORP) finally shut down in November 2018, after producing tens of tons of separated plutonium with no clear path forward for its use and millions of curies of high-level radioactive waste. The Magnox reprocessing plant at Sellafield is also scheduled to be shut down in 2020, ending a reprocessing program that bankrupted British Nuclear Fuels, Limited; the plants are now owned by the Nuclear Decommissioning Authority, whose name provides an indication of the next steps for reprocessing in the United Kingdom.155 The British MOX plant failed, and while the official British policy is to build another in order to use its large stock of plutonium as fuel, planned reactors in Britain have no intention of using MOX fuel, leaving the future of the U.K.’s plutonium stock unclear.156

     

    Civilian HEU

    The international community has made substantial progress over the decades in converting research reactors so that they no longer need HEU fuel, and in reducing the number of locations where civilian HEU exists. Here, too, however, the pace appears slated to decline, as the work remaining to be done faces substantial obstacles, either technical or political.

    While some HEU has been removed from sites where it was simply not being used, often removing HEU requires converting or shutting down an HEU-fueled research reactor first, so that the HEU is no longer needed. Since 1978, the United States has supported the conversion of research reactors from HEU to LEU fuel. In that time, 71 reactors have converted to LEU and 126 reactors have shut down. NNSA, however, only began counting the HEU-fueled reactors that shut down rather than converting in 2004, so its shutdown figures are substantially lower. During 2009-2015, corresponding roughly to the era of the nuclear security summits, the United States helped to convert 16 research reactors and confirmed that 21 more had shut down.157

    From 2016 through 2018, four HEU-fueled reactors converted to LEU fuel, one each in China, Ghana, Kazakhstan, and Nigeria. The reactors in Ghana and China were the first Chinese Miniature Neutron Source Reactors (MNSRs) to be converted. The next, in Nigeria, was converted in 2018—the second of five outside of China to be converted.158 One reactor—a Canadian Slowpoke, similar to the MNSRs—was shut down prior to conversion during this period. Additionally, the Fast Critical Assembly in Japan was defueled in 2016 and will either be converted or shut down. Three isotope production facilities also converted from the use of HEU or shut down.159 Hence, a total of eight facilities using HEU fuel or HEU targets converted, closed, or had their HEU removed during this three-year period, a pace of 2.7 per year—significantly slower than during the summit period. Four of the eight were MNSRs or Slowpoke reactors, each of which contains just under one kilogram of HEU in their cores, so the risk reduced by their closure or conversion was modest. By contrast, the Fast Critical Assembly contained hundreds of kilograms of very high-quality potential weapons material in readily portable forms, so the cleanout of that site contributed substantially to risk reduction.

     

    Figure 2: Research Reactor Conversion/Shutdown, 1978-2017160

    There are still an estimated 109 reactors using HEU fuel or HEU targets for isotope production worldwide, not counting naval or icebreaker reactors.161 NNSA only hopes to convert or confirm the shutdown of about half of these.162 Over half of the global total, 58 reactors, are in Russia; with Russia having terminated U.S.-Russian conversion cooperation in 2016 and having no indigenous plans for reducing its fleet of HEU-fueled reactors, there is little near-term likelihood that most of the Russian facilities will convert, but NNSA still includes 17 of them on its target list for conversion.163 In addition, current programs do not generally target military-purpose reactors for conversion. For example, in the United States alone, four naval prototype and training reactors, three pulse reactors, and six critical assemblies use HEU and only one of the pulse reactors is currently slated for conversion.164

    Technical challenges are also slowing conversion. Many of the remaining HEU-fueled research reactors are high-power reactors that could only convert if higher-density LEU fuel were developed, and development of that fuel has been taking longer than expected.165 As of late 2018, the first conversion using such high-density fuel is not expected until 2028, with U.S. officials hoping to complete the effort in the mid-2030s.166 Despite these political and technical challenges, NNSA hopes to return the pace to roughly four facilities per year converted or shutdown through 2023.167

    In the face of these conversion challenges, one area of continuing significant progress is the effort to reduce the amount of HEU used for producing medical isotopes—primarily molybdenum-99 (Mo-99). HEU is used both for the targets irradiated to produce Mo-99 and for the fuel of some of the reactors. The major suppliers of Mo-99 are Australia, Belgium, the Netherlands, and South Africa, which make up 90 percent of the global market. Australia has always used LEU targets for its Mo-99 production and has been using LEU fuel for years. South Africa converted its Mo-99 production from HEU to LEU targets in August 2017 (having converted the fuel of its Safari-I reactor long before). The Netherlands converted its Mo-99 production to LEU targets in January 2018, and expects to convert the rest soon; its reactor converted to LEU fuel in 2006.168 Belgium expects to finish the process of converting its targets to LEU by 2020, though its BR2 reactor will continue to use HEU fuel until the new high-density LEU fuels become available or the reactor is replaced.169

    One company in the United States, Northstar Medical Radioisotopes, has begun producing Mo-99 at the Missouri University Research Reactor (MURR) in a process that does not require uranium targets. Northstar got U.S. Food and Drug Administration approval for its process in early 2018 and made its first commercial shipment in November 2018.170 MURR is fueled with HEU, however; it is slated for conversion once appropriate LEU fuel becomes available. In total, the United States spent $100 million on three U.S. non-HEU Mo-99 production companies, including Northstar, and Congress recently appropriated an additional $60 million for additional cooperative agreements.171 The global annual traffic in HEU for medical isotope production has fallen to approximately 10 kilograms per year, a fraction of its former level, and may fall to zero as the last conversions are completed.172

    Russia is the major gap in the picture of conversion away from using HEU to produce Mo-99. Russia continues to use both HEU fuel and HEU targets to produce Mo-99, and there is concern that Russia could expand production and undercut producers who have accepted the modestly higher costs of producing Mo-99 without HEU. For the present, however, Russian production is limited, and governments may increasingly give preference in their markets to isotopes produced without the use of HEU, limiting Russia’s potential to undermine the market share of non-HEU producers. In the United States, for example, Medicare and Medicaid provide a modest additional payment for isotopes produced without HEU, the Veterans Administration preferentially purchases non-HEU isotopes, and 2013 legislation established a program to support development of non-HEU Mo-99 production in the United States, along with a sunset clause that will eventually end U.S. exports of HEU for Mo-99 production.173

     

    Table 3: Site Clean-Outs Supported by the National Nuclear Security Administration174

     

    In nearly all of the cases of HEU reactors converted or shut down, the HEU fuel was then removed from the reactor site, making one less location from which thieves might be able to get potential nuclear bomb material. The HEU is typically returned to its country of origin (the United States, Russia, and China have accepted returned HEU) or downblended in country, though in a few cases the material is stored pending disposal in the country where it was used. All told, by early 2018, countries had carried out approximately 300 removals of HEU from more than 46 countries plus Taiwan, totaling 6.2 tons of HEU.175 The United States has been a key funder and instigator of such HEU removals for many years, and supported the vast majority of these removals.

    The U.S.-funded removals led to eliminating all weapons-usable nuclear material from 61 sites around the world during the period 1996-2018. See Table 3. This represents only those sites where all HEU and plutonium were eliminated with the support of NNSA’s Material Management and Minimization (M3) program and its predecessors, not the larger number of facilities that may have eliminated these materials without those programs’ help. For example, as discussed earlier, organizations managing a large number of buildings in the United States and Russia eliminated all the HEU or plutonium in them over this period or before, and other events have led to other removals (such as the elimination of HEU from Iraq’s research reactors after the 1991 war, and Projects Sapphire which airlifted nearly 500 kilograms of HEU from Kazakhstan in 1994).176 Nearly all of the 126 shut-down and 71 converted reactors mentioned earlier, totaling 197 facilities, have had all of their HEU removed.

    The U.S.-supported removals were broken into three categories: a U.S.-origin fuel return program (limited to fuel from the two most common types of U.S.-exported research reactors), a Russia-origin fuel return program, and a “gap” program that covered material that did not fall in either category. To date, about half of the material removed with U.S. support was either fresh or spent HEU from Russia; a quarter was fresh or spent HEU from the United States; about 25 percent was gap HEU or plutonium (discussed in more detail below). See Figure 3.

     

    Figure 3: Removals of US Origin, Russian Origin, and Gap Nuclear Weapons Materials177

    The last several administrations have each made progress in removing weapons-usable nuclear material around the globe. The Clinton administration renewed the U.S. HEU take-back program in 1996, and carried out high-profile emergency removals such as Project Sapphire (almost 500 kilograms of HEU from Kazakhstan in 1994) and Operation Auburn Endeavor (several kilograms of vulnerable HEU from Georgia in 1996). Under the Bush administration, from 2001 to 2008, the United States helped remove more than 1,500 kilograms of nuclear weapons-usable from countries. During the Obama administration, from 2009 to 2016, the United States supported the removal of approximately 2,600 kilograms of material.

    The last year of the Obama administration was a record year for the U.S. nuclear material removal program, with nearly 700 kilograms of HEU and plutonium removed. Most of that material was 331 kilograms of plutonium and 215 kilograms of HEU from Japan’s fast critical assembly. Three countries—Argentina, Indonesia, and Poland—eliminated all of their nuclear weapons-usable material that year.178

    There has been some continued progress on HEU removals since 2016:

    • In September 2017, the NNSA announced that it had removed the last HEU from Kazakhstan’s Institute of Nuclear Physics’ VVR-K reactor; overall, more than 200 kilograms of HEU was removed from the facility.179
    • As part of an arrangement reached at the 2014 nuclear security summit, by mid-2018, European countries had shipped 375 kilograms of excess HEU to the United States.180
    • Canada has shipped the HEU from the closed Slowpoke reactor to the United States, and has begun a campaign to ship both U.S.-origin HEU spent research reactor fuel and HEU left over from medical isotope production to the United States.181
    • In August 2017, Ghana shipped the HEU from its MNSR to China, adding itself to the list of countries free of HEU.182
    • In 2018, the United States supported the disposition or removal of 280 kilograms of HEU from four countries.183
    • In December 2018, Nigeria eliminated all of its HEU when it shipped its MNSR HEU to China.

    Between 2018 and 2023, the United States plans to help remove or confirm the disposition of 627 kilograms of weapons-usable nuclear material, including material in Canada, the UK, France, Japan, Kazakhstan, Italy, and Australia.184 It will also work to convert the remaining four Chinese-origin MNSRs in Nigeria, Iran, Pakistan, and Syria, and return their HEU cores to China.

    Some countries where the United States had hoped to cooperate on removing especially high-priority stocks of HEU have not yet agreed, however. As of the fall of 2015, the United States planned that in 2017, it would help remove more than 300 kilograms of fresh HEU from Belarus and, in 2018, more than a hundred kilograms of HEU in spent fuel from South Africa. As a result of political challenges, neither of these removals occurred. Those political challenges would have to be addressed for these stocks of HEU to be removed in the future.185 Moreover, there is still no progress in eliminating the more than 350 kilograms of fresh HEU located at the Pelindaba nuclear facility in South Africa.186

    So far, U.S. efforts to address civilian HEU around the world are not comprehensive. For example, approximately 4.5 tons U.S.-origin fresh HEU and HEU in spent fuel remain abroad, mostly in Europe, and are outside the scope of current U.S. nuclear material removal programs. Keeping track of this material is difficult because European Atomic Energy Community (EURATOM) countries are not required to inform the United States of nuclear shipments within the EURATOM zone.187 Moreover, since the end of HEU Purchase Agreement, there have been no focused efforts to reduce or consolidate the much larger global stocks of military-purpose HEU.

     

    Civilian plutonium

    There has been much less progress in reducing the number of sites handling civilian plutonium, or in limiting the growth of the global civilian stocks of plutonium separated from spent fuel (which now amount to some 290 tons, more than exists in all the world’s military stockpiles combined).

    The U.S. government has supported a small number of removals of unneeded plutonium from research facilities. NNSA is also studying the locations, forms, and quantities of 1.3 metric tons of separated plutonium that the United States exported to some 10 countries under the Atoms for Peace initiative, as part of considering what should be done with that material.188 While the U.S. government has exerted pressure on Japan, South Korea, and others to limit their civilian plutonium stocks or avoid plutonium reprocessing entirely, it has no focused program to consolidate civilian plutonium use to fewer locations, increase civilian plutonium security, or limit the scale of civilian plutonium stockpiles around the world.

    In Europe, while France continues to reprocess plutonium and use MOX fuel in its reactors—a program that involves both large-scale bulk processing of plutonium and frequent transports of plutonium powder and of fabricated fuel containing plutonium—most of the other countries that once used MOX are bringing their programs to a close, reducing the number of sites and transports with plutonium-bearing fresh MOX fuel. Belgium and Switzerland have completed their MOX programs and no longer report large quantities of plutonium on their soil. Germany appears also to have completed its MOX program, reporting zero plutonium in MOX fuel at the end of 2017, compared to 0.5 tons at the end of 2016 and 5.6 tons as recently as the end of 2009.189 The Netherlands, by contrast, used to pay foreign utilities to take the plutonium recovered from French reprocessing of Dutch spent fuel, but when it ran out of utilities willing to take the plutonium, it started irradiating MOX fuel in its single remaining reactor in 2014.190 As noted earlier, Britain’s previous attempt at a MOX program failed, but it has still-uncertain plans to use its plutonium as MOX in the future.

    In Asia, as noted earlier, the use of civilian plutonium looks likely to expand, rather than consolidating. While Japan eliminated the 331 kilograms of plutonium metal from the Fast Critical Assembly, it plans to start up the Rokkasho reprocessing plant in 2021 and an associated MOX plant the following year. Given public concerns and the Japanese nuclear industry’s difficulties recovering after the Fukushima Daichi accident, however, Japan’s plans to use MOX fuel in a large number of light-water reactors (LWRs) are probably not realistic, and Japan has no backup plan for plutonium use or disposal, raising doubts about its recent commitment to reduce its plutonium stockpiles over time. China has begun construction of a “demonstration” reprocessing plant and continues to negotiate with France over the purchase of a larger facility, suggesting a potentially substantial expansion of civilian plutonium use in China in the future. South Korea’s desire to pursue a non-aqueous approach to reprocessing—so far largely blocked by U.S. concerns—may change under President Moon, but South Korean nuclear R&D institutions still seek to move forward. India has expanded its plutonium reprocessing capacities and India’s Prototype Fast Breeder Reactor is expected to begin operations this year, after years of delays, significantly expanding India’s civilian plutonium program—all of which, so far, is proceeding outside of international safeguards. New initiatives will clearly be needed if stocks of separated civilian plutonium are to be reduced and consolidated.

     

    Nuclear Security in Selected Countries: 2018

    This section provides an update on nuclear security progress in Russia, Pakistan, and India in each of the five key areas of nuclear security identified in this report.

     

    Russia

    Russia has the world’s largest stocks of nuclear weapons and weapons-usable nuclear materials, located in the world’s largest number of buildings and bunkers. This vast complex ranges from nuclear weapon storage and deployment sites to huge facilities designed to produce or manufacture fuel and components from plutonium and HEU to small research reactors using HEU fuel.

    Security and accounting for Russia’s nuclear weapons and weapons-usable nuclear materials have improved dramatically since the 1990s.191 These major improvements are the result of the recovery of Russia’s economy and nuclear industry; major Russian investments in nuclear security; and cooperation with the United States and other countries. Russia has taken at least some actions in each of the five areas described in this report:

    • Broad protection. Russia requires nuclear operators to protect against adversaries with a significant range of potential capabilities, and to have well-armed guard forces in place.
    • Comprehensive insider protection. Russia conducts in-depth background checks before approving people to work with nuclear weapons or weapons-usable materials, and has a personnel reliability program that includes ongoing monitoring after the initial background check. Operators are required to put a variety of technical protections against insiders in place, from limits on access to vaults to portal monitors at facility exits.
    • Strong security cultures. As part of U.S.-Russian cooperation, several Russian facilities established small groups working to promote nuclear security culture, and there is some evidence that these efforts strengthened security culture at some sites. It is not publicly known, however, how substantial the effects of these efforts were, how widely such approaches were adopted, or the extent to which they are still ongoing.
    • Realistic assessment and testing. Russian nuclear operators are required to conduct in-depth assessment of their security vulnerabilities and the performance of their security systems. While Russia does not regularly conduct force-on-force exercises comparable to those in the United States, its internal security agencies sometimes conduct surprise tests of security at nuclear facilities.
    • Consolidation. As noted elsewhere in this report, since the end of the Cold War, Russia has pulled all of its nuclear weapons back to Russia and reduced both the number of nuclear weapons locations and the number of buildings with weapons-usable nuclear material. Russia’s nuclear weapons and weapons-usable materials, however, remain more dispersed than those any other country, and Russia has no focused plan for further consolidation.

    Unfortunately, despite these improvements, some important weaknesses in the Russian approach remain—and Russian facilities continue to operate in an environment that includes major corruption and insider theft, as well as ongoing terrorist threats. Despite these continuing issues, as U.S.-Russian tensions rose after the events in Crimea and eastern Ukraine in 2014, Russia suspended nearly all U.S.-Russian nuclear security cooperation. Russia had long been unhappy with an approach to cooperation that put Russia in the role of a weak country needing U.S. help to secure its stockpiles—and involved U.S. experts visiting many of Russia’s most sensitive nuclear facilities.192 Only quite limited information on the status of nuclear security in Russia four years after the suspension of cooperation is publicly available.

    U.S. experts participating in the cooperation with Russia identified a range of issues that still needed to be addressed when the cooperation was suspended, ranging from weaknesses in protections against insider threats to material accounting systems inadequate to detect repeated small thefts of nuclear material over time. Russian regulations, for example, mandate a “two-person-rule,” in the sense that two people have to enter sensitive areas of facilities together—but the rules do not require that they remain within eyesight of each other after they enter. Perhaps the biggest concern U.S. experts had was whether all the improvements made during U.S.-Russian cooperation would be sustained over time; there was already evidence, at some sites, of equipment going unused or unrepaired as U.S. help began to phase down.193

    The threat environment that Russian nuclear security systems have to cope with remains worrisome. While Russia has succeeded in crushing most large-scale terrorist activity in the North Caucasus, violent Islamic extremism has been spreading to other areas of Russia as well, and well-planned attacks on nuclear facilities remain a potential concern.194 Perhaps more important, corruption creates worrisome threats and can also undermine nuclear security itself. For example, in August 2015, the deputy director and chief engineer of the Elektrokkhimpribor Combine in the town of Lesnoy, one of Russia’s two remaining nuclear weapon assembly-disassembly facilities, were arrested for bribery; that facility alone had forwarded 60 criminal cases to law enforcement in 2014-2015.195 Also at Lesnoy, an investigation by the Federal Security Service (FSB, domestic successor to the KGB) found that corruption had led to faulty work on new security fences, which could easily be taken apart by hand, and whose alarm systems were so poorly rigged that every time the wind blew, it appeared an “entire army” was coming through the fence; people at the site were so incensed, they removed a section of the faulty fence and mailed it to Sergei Kirienko, the Kremlin official who used to lead Rosatom.196

    Alone among the five nuclear Nonproliferation Treaty (NPT) nuclear weapon states (NWS), Russia has never had an IPPAS mission led by the IAEA, and with the suspension of nuclear security cooperation, its nuclear sites no longer get the benefit of suggestions from foreign experts visiting the sites. Moreover, again alone among the NWS, Russia has not joined the Strengthening Nuclear Security Initiative (INFCIRC/869) launched at the 2014 Nuclear Security Summit.

    Nevertheless, as the only country with as much experience in security for nuclear weapons and weapons-usable nuclear materials as the United States, Russian experts have a wide range of ideas and approaches that in some cases could complement U.S. approaches. As discussed in the recommendations section of this report, the two countries should resume nuclear security cooperation, as part of a broader package of nuclear cooperation, and with a focus on an equal exchange of ideas and best practices, and even joint R&D on new nuclear security and accounting technologies.

    In short, overall nuclear security in Russia is as good or better as it is in many other countries with weapons-usable nuclear materials—but there are still important weaknesses to be addressed, which could be resolved more effectively if international cooperation resumed.

     

    Pakistan

    Pakistan, unlike the United States and Russia, has relatively small stockpiles of nuclear weapons and weapons-usable nuclear materials, at a fairly modest number of locations. But Pakistan’s stockpile is growing rapidly and diversifying to tactical nuclear weapons, and Pakistan’s security systems face especially severe threats from both outsiders and insiders.197

    Pakistan’s nuclear military program is managed and secured by the Strategic Plans Division (SPD), a unit of the Pakistani military. Security for Pakistan’s small civilian nuclear infrastructure is regulated by the Pakistani Nuclear Regulatory Authority.

    Virtually all of Pakistan’s HEU and separated plutonium is in Pakistan’s military program, and it is heavily guarded. The SPD reportedly has some 25,000 troops in its security and intelligence sections, including a 1,000-person Special Response Force for tactical response to attacks on nuclear facilities.198 Pakistan reportedly stores nuclear weapons in disassembled form, with parts in different buildings, to make theft more difficult (though this may change with the shift toward battlefield nuclear weapons and canisterized missiles).199 Pakistan has also asserted that it uses locks similar to Permissive Action Links (PALs) to prevent anyone from being able to use the weapons without an authorized code.200 Pakistan has an extensive nuclear security training program, based on the Pakistan Nuclear Security Center of Excellence, established in 2012.201

    Pakistan has reported taking important actions in four of the five key areas of nuclear security described in this report:

    • Broad protection. Pakistan’s statement to the Nuclear Security Summit reports that its security systems are designed to protect against “the entire spectrum of threats.”202 An earlier version specifically mentioned “insider, outsider, or cyber” threats.203 The SPD has a dedicated intelligence unit to provide “continuous threat appraisal.”204
    • Comprehensive insider protection. In addition to PALs, Pakistan reports that it takes a broad range of steps to protect against insider threats, including an extensive screening and monitoring program similar in some respects to the U.S. Personnel Reliability Program.205
    • Strong security cultures. Belief in the threat is the foundation of a strong security culture, and the ever-present terrorist attacks in Pakistan keep the threat front and center for nuclear personnel; U.S. officials have repeatedly concluded that Pakistan’s nuclear establishment takes the threat, and the security measures to needed to address it, very seriously.206 Pakistan’s Center of Excellence has included an emphasis on security culture and inculcating a sense of responsibility for nuclear security in its training program.
    • Realistic assessment and testing. Pakistan reports that it requires regular vulnerability assessments and that “force validation exercises are carried out regularly” to “revisit and upgrade” facilities’ nuclear security approaches.207
    • Consolidation. While Pakistan’s nuclear weapons and materials are not at a large number of locations, the trend appears to be toward larger, rather than smaller, numbers of locations and scale of bulk processing as Pakistan’s arsenal expands and diversifies.208

    The United States has undertaken an extensive nuclear security cooperation program with Pakistan, which reportedly expanded during the Obama administration.209 President Trump continued to highlight nuclear security as a U.S. priority in the region in August 2017 speech on South Asia policy, stressing that “we must prevent nuclear weapons and materials from coming into the hands of terrorists and being used against us, or anywhere in the world.”210 Pakistan is highly sensitive about its nuclear program and security arrangements, and virtually nothing has been made public about the specifics of this effort. In 2009, a Pakistani Foreign Ministry spokesman confirmed that Pakistan would never “allow any country to have access to its nuclear or strategic facilities.”211 As then-Chairman of the Joint Chiefs of Staff Admiral Mike Mullen put it in 2008—after spending substantial time with Pakistani counterparts on this topic—in the end “they are their weapons. They’re not my weapons. And there are limits to what I know.”212

    While Pakistan’s nuclear security efforts are substantial, so are the threats those security systems must cope with—both outsiders and insiders. Pakistan suffers a more severe terrorist threat than any other nuclear-armed country on earth. Well-armed, well-trained terrorists with apparent insider help have attacked facilities ranging from Army headquarters to major airbases to a naval destroyer, and have succeeded in seizing portions of these facilities for hours at a time before being defeated.213 Sympathy for Islamic extremist causes remains widespread in Pakistan, including in the nuclear and security establishments—some of whom have long been key sources of support for terrorist groups such as the Taliban, the Haqqani network, Jaish e Mohammed, and Lashkar e Taiba.214 Insiders in then-President Pervez Musharraf’s guard force twice attempted to assassinate him in cooperation with al Qaeda, and there have been multiple successful assassinations of other officials by their guards in the years since then.215 The difficulties excluding insider adversaries from these guard forces raise an obvious question about excluding insiders from nuclear guard forces. Pakistan’s deep and endemic corruption heightens the insider threat problem and may weaken nuclear security measures in some cases.

    Pakistan’s shift toward tactical nuclear weapons increases the risks of theft. In a crisis or military conflict with India, Pakistan’s nuclear weapons would have to be moved out of their storage bases to make them less vulnerable to Indian attack, and the tactical weapons would likely have to be moved close to the front for them to be usable. Putting these weapons on the road and dispersing them would make them more difficult to protect from terrorists—who might well be the ones who provoked the crisis in the first place.

    Pakistan has not allowed any international peer review of its nuclear security arrangements. This deprives the Pakistani system of independent ideas and suggestions, and limits international confidence in Pakistan’s security arrangements. Unlike India, Pakistan has not signed up to the Strengthening Nuclear Security Implementation Initiative (INFCIRC/869), which would commit it to following the intent of IAEA nuclear security recommendations and hosting periodic peer reviews.

    More broadly, there are inevitable limits to what nuclear security measures alone can do. If the threat is a squad of heavily armed terrorists, or one to two medium-level insiders, well-designed and operated security systems can provide effective protection. But if the threat is a collapse of the Pakistani government, or the commander of a military unit with nuclear weapons deciding to provide them to a terrorist group, investments in nuclear security are not going to solve the problem. Ultimately, reducing the risks of nuclear terrorism from Pakistan’s nuclear stockpiles is likely to require both ongoing improvements in Pakistan’s nuclear security systems and much broader efforts to address terrorism and build resilience in Pakistan, including stabilizing the Pakistani political, economic, and social systems. That, for the near term, is a tall order.

     

    India

    Like Pakistan, India has a relatively small but growing nuclear stockpile, in a limited number of locations, which are generally under heavy guard. Its nuclear security systems are also challenged by substantial terrorist threats, though not quite at the scale of those that Pakistan faces.216 Nuclear security in India has improved significantly over the past two decades, and India continues to make improvements. But given the secrecy surrounding its nuclear security, it is unclear whether it is keeping pace with the threats it faces.

    India is in the midst of a significant nuclear weapons modernization program, with five new nuclear weapons systems under development and major expansions of its nuclear material production capacity underway. It currently has 130-140 nuclear weapons stored in a handful of locations, but that stockpile is expected to grow.217 India is believed to possess just over half a ton of weapons-grade plutonium; several tons of separated reactor-grade plutonium (all but a few hundred kilograms of it kept outside of safeguards, available for military use), and several tons of HEU enriched to 30-45 percent U-235, mainly intended for submarine fuel.218

    India has a significant nuclear infrastructure, with 22 nuclear power plants, reprocessing and enrichment facilities, and more. India’s nuclear material production capacity is expanding as part of its pursuit of a “closed” nuclear fuel cycle. India’s new Prototype Fast Breeder Reactor—expected to come on-line soon, after years of delays—will substantially expand India’s capacity to produce weapons-grade plutonium, should India choose to use it for that purpose.219

    Like Pakistan, India is secretive about its nuclear security. As a result, little information is publicly available about India’s approach to specific security issues. Indian nuclear facilities are protected by the Central Industrial Security Force (CISF) and by local police. India has taken steps recently in at least three of the five key areas of nuclear security discussed in this report.

    • Broad protection. India requires its nuclear facilities to have DBTs based on a national DBT that includes both outsider and insider threats.220 Cyber threats are also included.221 India has an interagency process (including the intelligence agencies) for regularly reviewing the threat environment and adjusting the security posture at nuclear facilities; this occurs several times a year, and as needed if there are major security events.222
    • Comprehensive insider protection. India’s nuclear security system includes measures to protect against insider threats, including personnel reliability programs that extend to technicians, maintenance staff, and, recently, temporary staff. Employees are screened and undergo periodic reviews for criminal history, “general reputation,” substance abuse, and dangerous medical conditions. Employees undergo more extensive checks at more sensitive facilities.223 Most Indian nuclear facilities provide housing for almost all of their workers; with everyone living together, the chance that concerning behavior or unusual outside contacts would be noticed and reported is increased.224 Nevertheless, as in the United States, insider incidents continue to occur, such as a 2014 incident in which a member of the CISF murdered several other guard force members at the Madras Atomic Power Station.225
    • Strong security cultures. Indian analysts report that nuclear facilities and regulators conduct seminars and workshops on safety and security—but how much those workshops contribute to a strong security culture remains unclear.226 To date, there is little evidence of a focused Indian effort to assess and strengthen nuclear security culture, or any effort to consolidate nuclear activities to fewer locations. Indeed, India is adding additional bulk processing facilities for nuclear material.
    • Realistic assessment and testing. India conducts a variety of vulnerability assessments and tests of the performance of its nuclear security systems. Nuclear operators work collaboratively with CISF, as the response force, to perform these assessments. CISF is also involved in audits and regulatory review.227 At the Bhabha Atomic Research Center (BARC), a full-time team works to find ways to break into the facility’s computer systems, discovering vulnerabilities to be fixed.228
    • Consolidation. Like Pakistan, India appears to be expanding the number of facilities storing and handling nuclear weapons and weapons-usable materials, rather than consolidating them.

    Like many other countries, India established a nuclear security “center of excellence” during the nuclear security summit process. India’s Global Centre for Nuclear Energy Partnership (GCNEP), however, is still being built. It includes five schools, only one of which is focused on nuclear security. The School of Nuclear Security Studies is intended to offer courses on physical security, personnel reliability, vulnerability assessment, and more.229 The United States has worked in cooperation with the GCNEP, but India has not been interested in the scale of cooperation that the United States has had with the equivalent Chinese or Pakistani centers. How much impact the school has yet managed to have on strengthening nuclear security practices in India is difficult to say from publicly available information.

    Nuclear security regulation also remains an issue. For military activities, India’s Department of Atomic Energy (DAE) regulates itself. Civilian activities are regulated by the Atomic Energy Regulatory Board (AERB), which covers both safety and security. The AERB, however, is not fully independent; in particular, the head of the DAE sits on the AERB’s board of directors. In 2011, the Indian government proposed replacing the AERB with a new, fully independent organization, the Nuclear Safety Regulatory Authority (NSRA). Despite domestic and international pressure to move forward with the NSRA, however, after seven years this legislation has not yet been approved.230

    As already noted, India’s nuclear security systems must provide protection in the face of substantial threats from both outsiders and insiders. Like Pakistan, India has faced cases in which well-armed, well-trained terrorist teams with apparent insider assistance took on major military bases and captured portions of the base for hours before being defeated. In September 2016, in a less sophisticated attack, four militants armed with guns and grenades attacked a military base in Kashmir, killing 17, and provoking a modest Indo-Pakistani crisis.231 The 2014 shooting incident and the widespread corruption that continues to be endemic in India both highlight the potential for insider threats—an issue that echoes back to the assassination of Indira Gandhi by members of her personal guard.

    India has made several key nuclear security commitments in recent years. In 2016, Prime Minister Narendra Modi announced that India would join the initiative on strengthening nuclear security implementation (INFCIRC/869). As noted elsewhere in this report, Prime Minister Modi also announced in 2016 that India would host a summit on preventing weapons of mass destruction terrorism in 2018.232 Thus far, however, there appears to be little progress toward organizing the summit, and India does not yet appear to have requested an independent peer review of its nuclear security arrangements—a key part of the commitment to INFCIRC/869.

     

     


     

    IV.  International Frameworks for Strengthening Nuclear Security

    ← previous section  |  ↑ Table of Contents  |  next section →
    HEU and plutonium removal from Italy, 2014. National Nuclear Security Administration
    HEU and plutonium removal from Italy, 2014.
    (National Nuclear Security Administration)

    Every country using nuclear technology that could pose a hazard bears responsibility for ensuring that the nuclear materials and facilities within its borders are effectively secured. Indeed, this is a personal responsibility of national leaders that cannot be fully delegated to others. But nations can meet this responsibility better by working together; international cooperation is an essential component of an effective global nuclear security system. Countries should exchange information and best practices, encourage action, discuss future steps, and, if necessary, provide expertise or financial support for nuclear security initiatives. For decades, international nuclear security cooperation has taken place via bilateral relationships, multilateral groups, and international institutions supported by a gradually developing framework of legal agreements and political initiatives.

    This section assesses the impact of international frameworks for nuclear security cooperation on progress in the five key elements of nuclear security outlined at the beginning of this report and on important supporting areas such as regulation, training, and confidence-building. It begins with a discussion of the nuclear security summits and then discusses the institutions and frameworks that are attempting to keep the momentum going in the absence of further summit-level attention.

    Impact of the Nuclear Security Summits

    The nuclear security summit process played a key role in strengthening international nuclear and radiological security cooperation.233 The summits focused the attention of dozens of presidents and prime ministers from around the world on nuclear security, often leading to action on issues that had been delayed or blocked before. The summits served as deadlines that accelerated action, as leaders often wanted something to be done so they could announce it at the summit. The summits provided several options for participants to make pledges to strengthen nuclear security. There were consensus-based communiques that all participants joined in together and “house gifts” where participants could make unilateral commitments. Beginning with the second summit, participants also agreed to “gift baskets,” in which groups of states would make joint commitments, making it possible to launch initiatives even if not every summit participant was ready to take part. Over the course of the summit process, countries made more than 935 commitments related to strengthening or improving nuclear security. Countries averaged 18 commitments, with a range of 8-30.234 Remarkably, the commitments whose implementation could be readily observed were almost entirely fulfilled: by the second summit, for example, independent analysts estimated that 80 percent of the commitments made at the first summit had already been completed.235

    The summits also helped to strengthen multilateral groups and international organizations that facilitate nuclear security cooperation. By the end of the summit process, the IAEA’s nuclear security efforts had grown from an office to a higher-ranking division, expanded their budget, drafted nuclear security plans for most IAEA member states, and organized some of the largest international meetings in the IAEA’s history, drawing interested participants from the vast majority of IAEA member states. Nuclear security efforts by other groups were also strengthened.

    In principle, many of the initiatives and commitments launched at the nuclear security summits are expected to live on (including, as discussed below, group commitments that have since been turned into IAEA Information Circulars, or INFCIRCs, open to all countries to join). Perhaps the most important single “gift basket” is INFCIRC/869, the “Strengthening Nuclear Security Implementation Initiative.” In it, states commit, among other things, to following the “intent” of all the IAEA nuclear security recommendations; continually improving their nuclear security systems; periodically hosting nuclear security peer reviews; and ensuring that nuclear security staff are “demonstrably competent.”236

    Finally, the summits resulted in the strengthening of international legal frameworks supporting nuclear security. For example, the 2016 summit convinced enough countries to ratify the amendment to the Convention on Physical Protection of Nuclear Material that it went into force soon after the meeting, and support for it has continued to grow.

    The results for international cooperation were not all positive, however. The summits were an invitation-only process, and some countries that were not invited reacted against everything that came out of them, opposing efforts to get support from groups like the IAEA for initiatives that started in the summit process. Some countries saw the focus on nuclear security as an effort distract attention from what they saw as the nuclear weapon states’ failure to meet their disarmament obligations, or as siphoning money from the IAEA’s technical cooperation program, designed to help countries with the use of nuclear and radiological technologies. While there is a strong international consensus that nuclear security is important, and that the IAEA should be engaged on the topic, there is little agreement on what more should be done or what priority the effort should have.

    What impact did the summit process have on the five key areas of nuclear security discussed in this report? The answer varies across the areas:

    • Defending against the full spectrum of plausible threats. As described earlier, during the summit years, several countries strengthened their nuclear security requirements to include additional threats, such as cyber threats. But the summits did not focus on what threats nuclear security systems should be able to cope with or attempt to agree on any baseline standard for nuclear security, so their contribution to progress in this area was modest.
    • Comprehensive, multi-layered protection against insider threats. The summit process highlighted the insider threat problem (in part because it occurred as the U.S. security establishment was reacting to insider leakers such as Chelsea Manning and Edward Snowden). As discussed earlier, several countries indicated that they were upgrading their protections against insider threats. The insider threat “gift basket” launched at the final summit outlined a broad menu of potential actions to address insider threats that may be influential as countries revise their programs, though it did not commit participants to many particular actions.
    • Strong security cultures. The summit process also highlighted the security culture issue (including in communiqués approved by all participants). As described earlier, several countries began initiatives related to security culture, and overall, the reality of potential security threats to nuclear operations became more broadly accepted. How much effect the summit process had on strengthening security culture where it is most needed remains uncertain, however.
    • Regular, in-depth vulnerability assessment and realistic performance testing. The summit process did not put a heavy emphasis on these topics, and it is not clear how much impact it had on them. As discussed earlier, however, some additional countries began conducting force-on-force exercises during the years of the summit process.
    • Consolidation to fewer locations. This was the area where the summit process made some of its most substantial and demonstrable contributions, with all the HEU removed from numerous sites during the period, and agreements on removals and work to implement them often accelerated to meet summit deadlines. The summit process did not, however, affect consolidation of military stocks.

    The summit process also contributed significantly to some of the support activities needed to achieve success in the key areas of nuclear security outlined above, such as strong regulation and effective training. In particular, by the end of the summit process, roughly two dozen countries had established nuclear security training centers, and one of the key commitments in INFCIRC/869 was to ensure that nuclear security staff were trained and “demonstrably competent” to do their jobs.

    In the end, despite these achievements, it is not clear that the summit process made very much difference in the security of some of the world’s most important nuclear stockpiles. It is difficult to make the case that Russia, India, Pakistan, Israel, North Korea (which was not invited), or the United States actually changed their on-the-ground security practices significantly as a result of the summit process—though India, as a result of its participation in INFCIRC/869, is now committed to following the intent of IAEA nuclear security recommendations and hosting regular peer reviews. With the crisis in U.S.-Russian relations following Russia’s seizure of the Crimea, Russia did not participate in the 2016 summit and has opposed any IAEA support for initiatives coming out of the summit process. Overall, although the summit discussions and communiques referred to “all” nuclear material, it does not appear that the summit process had much effect on security practices for nuclear weapons or weapons-usable nuclear material held for military purposes, which represents some 85 percent of the world’s weapons-usable nuclear material.

    To carry on the work of the summit process, participants in the final summit agreed on “action plans” for steps they would support by five international organizations and groups—the IAEA, the United Nations, Interpol, the Global Partnership Against the Spread of Weapons and Materials of Destruction, and the Global Initiative to Combat Nuclear Terrorism (GICNT)—to bolster ongoing nuclear security cooperation after the summit process ended. As discussed below, however, the action plans have led to little action.

    Since the last summit, the momentum of international cooperation has slowed. National leaders appear to be uninterested in using other forums to discuss nuclear security or make new nuclear security commitments. U.S.-Russian nuclear security cooperation remains at a near-standstill, and most other bilateral or small-group nuclear security engagements remain quite limited in scope and impact. While gift baskets have been formalized in the form of IAEA INFCIRC’s, very few additional countries have joined them, and little information on what steps countries have taken to implement these initiatives is publicly available. Finally, the IAEA, which was supposed to play the most significant nuclear security role in a post-summit world, has been constrained by opposition from some member states, and few of its activities focus on improving security for the highest-risk stockpiles around the world.

     

    The International Atomic Energy Agency

    The IAEA’s role in supporting nuclear security gradually increased throughout the nuclear security summit process. In 2013, the Office of Nuclear Security became the Division of Nuclear Security, and the IAEA held its first international nuclear security meeting attended by minister-level government officials. The budget for nuclear security, however, inched up only slowly during the summit process (though there was a significant pulse of voluntary contributions in 2016). That pulse of funding was short-lived: while the Division of Nuclear Security spent €38 million in its 2015-2016 fiscal year and again in 2016-2017, by 2017-2018, this had fallen to €28 million—a 26 percent cut, though still higher than the office’s budgets had been before the summit process began. See Figure 4.

     

    Figure 4: IAEA Nuclear Security Spending237

    The IAEA Action Plan approved at the 2016 Summit emphasized the IAEA’s “central role in strengthening the nuclear security architecture,” and argued that a “strengthened role” for the IAEA would be “crucial” in delivering on the actions called for in the summit process.238 But the Action Plan was quite general and largely reaffirmed work already planned or underway. It mentioned implementing the IAEA Nuclear Security Plan, providing technical and financial support for the IAEA Nuclear Security Fund, participating in nuclear security advisory missions, and producing guidance documents on a range of nuclear security issues.239

    Since the summit, the IAEA Division of Nuclear Security has shown that it can deliver on its core missions of developing guidance and providing training, reviews, and assistance to states on request. But it has not been able to serve as a forum for real discussion, reporting of accomplishments, and decision-making on “strengthening the nuclear security architecture,” leaving those fundamental roles of the summit process still unfilled.240

    In 2013 and 2016, the IAEA hosted major international meetings on nuclear security, with sessions attended by ministers from many countries.241 These meetings made clear that the IAEA can serve as an outstanding forum for technical exchange among interested experts, but that it so far is unable to serve as a forum for serious political-level discussion of next steps in strengthening nuclear security. The ministerial statements from these two meetings say very little—other than endorsing the IAEA’s role in nuclear security (which itself was not a given, since the subject is not mentioned in the IAEA Statute, and some countries in the past had argued that the IAEA had no role in this area).242

    Indeed, the 2016 ministerial declaration was weaker than the 2013 one had been.243 It did not mention the nuclear security summits or any of the initiatives coming from them. Unlike the 2013 Declaration, it did not call on states to make political commitments to the non-legally binding IAEA Code of Conduct on the Safety and Security of Radioactive Sources and the supplementary Guidance on the Import and Export of Radioactive. Unlike the 2016 Security Summit communique, it did not address the roles the nuclear industry and civil society play in strengthening nuclear security. Most strikingly, it did not mention the nuclear security Contact Group—founded by summit participants, but now open to all countries willing to endorse its principles—which was supposed to be one of the major vehicles for advancing dialogue on nuclear security after the summit process ended.

    Unfortunately, the limitations of decision-making within the IAEA, as opposed to invitation-only summits, have been evident. While the IAEA carries much greater political legitimacy, it includes a larger group of state participants with a more diverse set of political interests, while the summits were a coalition of the willing with very high-level political representation.

    As already noted, because of objections from IAEA members who were excluded, the IAEA has not followed up on initiatives that came out of the summit process (or on elements of the summit Action Plan that go beyond what the IAEA was already doing).

    For example, 11 gift baskets from the summit process have been memorialized as IAEA INFCIRCs:244

    • INFCIRC/869 on Strengthening Nuclear Security Implementation
    • INFCIRC/899 on the Statement of Principles of the Nuclear Security Contact Group
    • INFCIRC/901 on Certified Training for Nuclear Security Management
    • INFCIRC/904 on Nuclear and Radiological Terrorism Preparedness and Response
    • INFCIRC/905 on Nuclear Detection Architectures
    • INFCIRC/908 on Mitigating Insider Threats
    • INFCIRC/909 on Transport Security of Nuclear Materials
    • INFCIRC/910 on the Security of High-Activity Radioactive Sources
    • INFCIRC/912 on Minimizing and Eliminating the Use of Highly Enriched Uranium in Civilian Applications
    • INFCIRC/917 on Forensics in Nuclear Security
    • INFCIRC/918 on Countering Nuclear Smuggling

    In principle, these initiatives are now open to all. But few countries have endorsed these INFCIRCs since the summits, and the IAEA has done little to advocate for them. The ministerial statements from the 2013 and 2016 meetings do not mention any of them.

    Nevertheless, the IAEA remains central to international nuclear security cooperation, maintaining a roughly $30 million per year program that includes guidance development, and training, reviews, and assistance at the request of member states.245 For example, for 79 countries, the IAEA has used a combination of visits, country self-assessments, and discussions to draft Integrated Nuclear Security Support Plans (INSSPs), outlining plans to fill gaps in areas ranging from security for radiological sources to detecting nuclear or radiological trafficking.246

    The IAEA’s help is particularly important for developing countries with limited nuclear infrastructure and experience; most countries with nuclear weapons, extensive stocks of HEU or separated plutonium, or nuclear power reactors already have nuclear security regimes in place and make less use of the IAEA’s programs. The nine states with nuclear weapons, for example, make little use of the nuclear security services the IAEA has to offer (though most contribute both money and expertise to those efforts)—as discussed below, IPPAS is an exception, now widely used by both developed and developing countries. As a result, much of the work of the IAEA’s Division of Nuclear Security ends up focused on security for radiological materials, rather than weapons-usable nuclear material. In any case, the IAEA’s programs are focused on civilian materials, and hence do not address some 85 percent of the world’s weapons-usable nuclear material—except to the extent that IAEA guidance and training programs may have some influence on how those materials are managed as well.

    Nevertheless, the IAEA plays at least a limited role in each of the five key areas of nuclear security described in this report, and in several of the important activities to support success in those areas, such as regulation and training. In particular:

    • IAEA guidance, training, and workshops on threat assessment and DBTs have helped a number of countries assess what threat to design their security systems to protect against;
    • Although the IAEA effort on mitigating insider threats is quite small (only one of the roughly 100 staff in the IAEA’s Division of Nuclear Security is assigned full-time to insider issues), IAEA guidance, training, and workshops on coping with insider threats have helped some countries strengthen their insider threat protections—and a new, more advanced training program on insider threats is under development;247
    • IAEA guidance, training, and workshops on security culture have encouraged a number of countries to launch new security culture efforts or strengthen existing ones;248
    • While the IAEA does not yet have guidance on approaches to in-depth vulnerability assessment or to implementing realistic force-on-force exercises and other performance tests, an IAEA Coordinated Research Program (CRP) on “Nuclear Security Assessment Methodologies” (NUSAM) has made it possible for technical experts from a number of countries to compare approaches and lay out best practices.249
    • The IAEA (often with U.S. funding and support) has supported many of the recent HEU removals from sites around the world.250

    Some of the IAEA’s most important activities supporting these broad areas of nuclear security include its peer review programs and its coordination of nuclear security training and education, both of which are discussed below.

     

    IAEA peer reviews

    Peer reviews of nuclear security help provide an independent perspective and ideas on what could be improved; help distribute best practices from one site and country to another; and provide an important measure of transparency, helping to build confidence that effective security is in place (while helping to identify additional actions that may be needed). Because of their importance, the participants in INFCIRC/869, the “Strengthening Nuclear Security Implementation Initiative,” commit to host peer reviews “periodically.”251 Peer reviews can be bilateral (such as the physical protection visits the United States conducts to ensure that nuclear material and facilities it exported are adequately protected), or countries may organize them within their own territories, having groups of experts from some sites review security at other sites (as has been done in both the United States and Russia, for example).

    But some of the most important peer reviews are those organized by the IAEA. International Nuclear Security Advisory Service (INSServ) missions offer a broad overview covering many areas, from radiological source security to border detection, and from legislative and regulatory frameworks to on-the-ground implementation; given their breadth, they typically are not able to go very deep, and hence are most widely used by states in early stages of developing their nuclear security infrastructure. IPPAS is the IAEA’s premier program specifically for reviewing security of nuclear materials and facilities.

    From 1996 through 2018, the IAEA organized 85 IPPAS missions in 50 countries.252 Fifty of the missions were to countries that possessed separated plutonium or HEU (though some of those countries have since eliminated these materials). Twenty of the missions were to countries that had operational nuclear power reactors, but no weapons-usable nuclear material. Only 15 of the missions went to countries that had neither weapons-usable nuclear material nor an operating nuclear power plant. See Figure 6. Notably, China hosted an IPPAS mission in 2017, making Russia the only remaining member of the P5 not to have had an IPPAS mission.253 Overall, 14 of the 24 countries with either plutonium or HEU have had IPPAS missions.254

    In 2003, with high demand after the 9/11 attacks in the United States, the IAEA conducted nine IPPAS missions. Since then, there have been 2-6 missions per year. See Figure 5. If nuclear security peer reviews were to become a regular part of doing business in the nuclear world—as safety peer reviews already are—the global capacity to implement such missions would have to be drastically increased. If even the current 38 countries participating in INFCIRC/869 requested reviews every five years—a minimal interpretation of “periodically”—they alone would consume over 7 IPPAS missions per year (if they chose that type of peer review). Unfortunately, the summit process does not appear to have led to any substantial or lasting increase in the IAEA’s peer review capacity.

     

    IAEA training programs

    Training is also essential to achieving effective nuclear security—as highlighted in INFCIRC/869’s commitment to ensure that all nuclear security staff are “demonstrably competent,” and in the separate summit gift basket on “Certified Training for Nuclear Security Management.” The IAEA provides a wide range of training programs and workshops on particular aspects of nuclear security. In the year from July of 2017-June of 2018, over 2400 people from 149 member states (the vast majority of IAEA member states) took part in one of the IAEA’s training activities (not counting nearly 900 people who made use of one or more of the e-learning modules the IAEA has developed).255

    In addition, the IAEA helps coordinate the work of the roughly two dozen nuclear security training centers that countries have now established (mostly, though not exclusively, during the years of the nuclear security summit process).256 The IAEA has also built the International Nuclear Security Education Network (INSEN), which now has 170 universities and other institutions participating. Unquestionably, training for nuclear security tasks is far more available than it was a decade ago.

     

    Figure 5: IPPAS Missions Per Year, 1996-2018257

     

    Figure 6: IPPAS Missions by Country Category, 1996-2018258

     

    The United Nations

    The United Nations has played a more limited role in nuclear security. Since 2004, when the UN Security Council unanimously approved Resolution 1540 (UNSCR 1540), creating a legal requirement that all UN member states provide “appropriate effective” security and accounting for stocks of nuclear weapons and weapons-usable materials in their possession, the UN has not really attempted to be a major forum for decision-making on nuclear security. Since most of the nuclear expertise in the UN system resides in the IAEA, other UN bodies have also not devoted substantial resources to helping states with on-the-ground nuclear security implementation.

    The Action Plan for the United Nations from the 2016 nuclear security summit largely reaffirmed the limited UN activities already taking place. Where the Action Plan mentioned specific new initiatives, the record on follow-through is mixed. For example, it called on parties of the International Convention for the Suppression of Acts of Nuclear Terrorism (ICSANT) to convene a review meeting in honor of the convention’s 10th anniversary. The meeting took place in December 2017.259 On the other hand, the Action Plan pledged summit participants to contribute to the UN Trust Fund for Global and Regional Disarmament Activities, and there are no public indications that there has been any significant increase in such contributions. The UN Secretary-General’s sweeping agenda for disarmament, released in 2018, does not mention nuclear security, UNSCR 1540, the danger of nuclear terrorism, or any of the nuclear security conventions.260

    In December 2016, the UN completed a review of the implementation of UNSC 1540 and passed a supplementary resolution (UNSCR 2325). Despite the summit Action Plan, the new resolution did not call for significant new nuclear security-related activities.261 Since the review, the 1540 Committee’s activities on nuclear security have focused on participation in workshops or meetings—where in most cases nuclear security is one issue among many and receives only modest attention.

    In principle, UNSCR 1540, with its legal obligation on all states to provide effective security and accounting for all nuclear weapons and weapons-usable nuclear materials, could be a very important element of the global nuclear security framework, covering as it does all UN member states and both military and civilian nuclear materials. But so far, the resolution and the UN’s activities to implement it have had very limited impact on changing on-the-ground security for nuclear weapons and materials. Since the resolution was passed, no one has defined what essential elements must be in place for nuclear physical protection and accounting systems to be “appropriate” and “effective.”262 The UN’s 1540 Committee and its Group of Experts have largely focused on yes/no questions about whether countries have laws and regulations in place to address the different elements of the resolution, and then on encouraging those countries with gaps to fill them. They have not had the resources or authority to review whether countries’ on-the-ground implementation of the elements of the resolution really was “appropriate” and “effective.”

    Overall, it seems clear that the UN, like the IAEA, is not currently serving as a forum for states to discuss and make decisions about next steps in nuclear security. There is little public evidence that UN activities have significantly affected any of the five key areas of nuclear security described in this report, though its activities around ICSANT probably have contributed to states putting in place stronger laws criminalizing acts related to nuclear terrorism and facilitating international legal cooperation in such cases.

     

    The Global Initiative to Combat Nuclear Terrorism

    Founded in 2006, the GICNT is a group of countries who have endorsed a common set of principles that include “accounting, control, and protection of nuclear material” and “security of civilian nuclear facilities.” As of mid-2018, there were 88 members of the GICNT, two more than there were in 2016, and five international observers. The GICNT is co-chaired by the United States and Russia and is one of the few remaining forums in which the two countries work together.

    While the GICNT’s statement of principles starts with nuclear and radiological security, most of its work in recent years has been focused on topics related to its three working groups: nuclear detection, nuclear forensics, and response to and mitigation of terrorist incidents. The group largely focuses on planning workshops, exercises, and meetings that develop state capacity in these three areas. The GICNT Action Plan, like its IAEA and UN equivalents, largely endorsed activities already planned. Most of the work in the plan was focused on the three working group areas, not on physical protection or control and accounting for nuclear weapons, weapons-usable nuclear material, or high-consequence nuclear facilities—though the plan did suggest convening expert meetings to discuss possible activities “in other technical subjects or on cross-disciplinary issues” covered by the GICNT principles.263

    There is some evidence there may be a greater focus on preventing theft of nuclear material in the future. At the GICNT’s 10th plenary meeting in 2017, Argentina identified the need for increasing international engagement focused on radioactive source security. It recommended that the GICNT bring together groups to “strengthen coordination, exchange best practices, and promote the importance of radiological source security.” This recommendation was endorsed by the GICNT’s Implementation and Assessment Group coordinator.264 Also, some participants in the plenary offered public statements reminiscent of those in the summit process that included information about their progress in implementing nuclear security measures. For example, Pakistan highlighted the accomplishments of its Nuclear Security Center of Excellence.265

    Nevertheless, to date, the GICNT has not engaged in a focused way on actual security measures to protect nuclear weapons, materials, or facilities. While participation in the GICNT has helped highlight the threat of nuclear and radiological terrorism, which has probably contributed to security culture in some countries, there is no publicly available evidence the GICNT activities have contributed significantly to any of the other key areas of nuclear security considered in this report. The GICNT clearly has, however, strengthened countries’ capacity in the three working group areas, nuclear detection, forensics, and emergency response.

     

    Interpol

    Interpol is the premier international agency for law enforcement cooperation. It has a sub-directorate that addressees nuclear, chemical, biological, radioactive, and explosive (CBRNE) crime and terrorism. That group is relatively small, with only a handful of officers in the radiological and nuclear program.266

    The CBRNE program primarily focuses on coping with material that is already out of regulatory control, not on preventing theft or sabotage. The Action Plan for Interpol from the 2016 nuclear security summit largely endorsed activities already underway or planned. While the Action Plan pledged that participants would contribute additional resources to Interpol’s nuclear and radiological efforts, there is little indication this has occurred. Indeed, hopes for expanding Interpol’s nuclear and radiological work actually dimmed in 2016, when the U.S. Federal Bureau of Investigation cut its funding.267 Similarly, while the Action Plan suggests that Interpol help police investigations by publishing “a comprehensive study of scams and hoaxes” related to nuclear smuggling, there is no indication this has happened.

    Interpol’s nuclear and radiological initiatives include the following:268

    • Operation Conduit conducts trainings at airports, seaports, and border crossings. For example, they place sources on actors and teach police and law enforcement what to do when they detect someone who possesses a source.
    • Project Geiger collects and analyzes public-source information on incidents related to the illicit use of nuclear or radioactive materials. Project Geiger combines IAEA data with open-source reports and law enforcement data.
    • INTERPOL runs training courses and table-top exercises for police, customs, border security agencies, public health groups, partners, and regulatory bodies on preventing and responding to nuclear or radioactive incidents.
    • Project Mercury, a pilot project launched in 2016, is designed to train international law enforcement officials to respond to terrorist use of CBRNE materials. The initial focus of the program will be radiological and nuclear terrorism.
    • Project Stone provides technical support and training for detecting and intercepting illicit nuclear materials.
    • Operation Fail Safe provides real-time monitoring and tracking of persons involved in illicit trafficking of nuclear materials.

    Overall, Interpol’s small program makes a contribution to law enforcement capacity to respond to nuclear smuggling and terrorism but does not appear to have a significant impact on any of the five key areas of security for nuclear weapons, materials, and facilities outlined in this report.

     

    The Global Partnership Against the Spread of Weapons and Materials of Mass Destruction and the G7 Summits

    In 2002, the Group of Eight (G8) industrialized democracies created the Global Partnership (GP), committing $20 billion over ten years to dismantle and control nuclear chemical and biological weapons and materials. In 2008, the G8 expanded the GP’s focus beyond Russia and Ukraine to all countries that needed help implementing UNSCR 1540. While the majority of the initial funding came from the United States, at least nine other countries have contributed to nuclear-related projects.269

    Nuclear security only makes up a small portion of the GP’s work; U.S. spending on nuclear security still dwarfs spending on that topic by all other GP members combined. The GP Nuclear and Radiological Working Group is co-chaired by Norway and Canada. GP-funded nuclear security projects include upgrading physical protection measures at nuclear facilities, such as surveillance cameras, intrusion barriers, secure transports, and cybersecurity.

    Just before the 2014 Nuclear Security Summit, the G8 became the G7 when Russia was kicked out because of its seizure of Crimea and destabilization of eastern Ukraine. Russia cut off U.S.-Russian nuclear security cooperation later that year. The absence of the country with the largest nuclear stockpiles diminishes the GP’s ability to play a central role in nuclear security.

    Despite this setback, the GP’s Action Plan at the 2016 Summit mentioned, among other initiatives, helping countries with nuclear security culture; reducing insider threats; strengthening transport security; strengthening computer security; and working with the nuclear security Centers of Excellence.270 It is unclear how much has taken place since then—in part because the GP ended its practice of publishing annual reports on progress in 2010. Statements from relevant G7 officials in 2017 and 2018 reaffirmed the importance of nuclear and radiological security, and of the Global Partnership, but did not call out any particular nuclear and radiological activities being undertaken.271 The 2017 and 2018 reports of the G7 Nuclear Safety and Security Group discuss efforts to strengthen cybersecurity for nuclear activities and to promote universalization and implementation of ICSANT and the amended CPPNM, but did not focus on other activities from the 2016 Action Plan.272 The group has worked to reach out to industry and to WINS.

    At the 2018 G7 meeting, President Trump raised some doubts about the future of the group, first floating the idea of reintroducing Russia, and then refusing to sign the communique and insulting the Canadian host. It remains to be seen whether these political differences make it more difficult to advance nuclear security initiatives within the G7.

    Overall, while the G7 and the Global Partnership it launched continue to discuss nuclear security, they have not attempted to take on any substantial part of the role the summits played in discussing and deciding on next steps in nuclear security. The Global Partnership, in providing modest additional funding for nuclear security efforts, has likely modestly advanced each of the five key areas of nuclear security discussed in this report.

     

    The Nuclear Security Contact Group

    One of the most significant developments at the 2016 Nuclear Security Summit was the creation of a Nuclear Security Contact Group. The Contact Group continues the consultative component of the summit process, providing an opportunity for senior government officials to meet to discuss ongoing work, assess progress on previous commitments, evaluate emerging trends, and determine future steps. The contact group is now open to all IAEA members who endorse its statement of principles.273 Seven countries—Colombia, Slovenia, Luxembourg, Philippines, Ireland, Malaysia, and Qatar—have joined the contact group since 2016. Although the summit process was created by the United States, other countries have taken the reins of the Contact Group. Canada was the first chair, followed by Jordan. Hungary and Argentina are slated to take over the chairmanship in the future.

    Early meetings of the Contact Group, with new people participating, reportedly struggled just to get back to the consensus of the 2016 summit. Initially planned for brief meetings on the margins of the IAEA General Conference, the Contact Group has now agreed to hold longer meetings not tied to other events. The Contract Group has discussed a variety of elements of the summit agenda, from approaches to building confidence in nuclear security implementation to preparations for the review conference for the amended physical protection convention (discussed below).

    Overall, however, while the Contact Group is now perhaps the most important international forum for discussing the implementation of existing nuclear security commitments and possible next steps, its participants would be the first to admit that it is no substitute for gatherings of heads of state. While the contact group provides an additional forum to discuss nuclear security implementation, it lacks the summits’ political heft. There has so far been no process of making commitments or of offering public progress reports, and indeed, the group has offered very limited statements about its work.274

     

    International Legal Nuclear Security Frameworks

    Nuclear security treaties are key elements of the global nuclear security framework. While there are no specific, legally binding international nuclear security standards, there are treaties that establish broad security requirements and that require criminalization of nuclear theft, sabotage, and terrorism. There has been progress in recent years on both entry into force and broader participation in these agreements.

    The Convention on the Physical Protection of Nuclear Material (CPPNM), which entered into force in 1987, requires states to apply physical protection measures to civilian nuclear material in international transport, to criminalize offenses related to nuclear theft and terrorism, and creates mechanisms for cooperation on securing international transports, responding to incidents, and extradition of suspects.

    When the summit process ended in March 2016, 153 countries were parties to the CPPNM, eight of which joined between 2010 and 2016. Some modest momentum continued after the summits; by November 2018, four additional parties had joined.275

    The more impressive progress during the summit process had to do with the amendment to the CPPNM adopted in 2005. The amendment expands the convention’s scope to include protection of nuclear material located in peaceful domestic use and storage and to sabotage of nuclear facilities. The amendment also requires a conference five years after entry into force to review implementation. A majority of states parties can request additional conferences at intervals of no less than five years thereafter.

    Ratifications of the amendment accelerated significantly during the summit years, and finally reached the threshold needed for the amendment to enter into force just after the last summit. Notably, Pakistan, which was slow to ratify the amendment to the CPPNM, finally did so in March 2016. Progress on expanding participation has continued since then: by November 2018, 20 parties had joined the amended convention since the last summit, bringing the total to 118.276

    Progress on another important nuclear security treaty, ICSANT, has also continued, though slowly. ICSANT, which entered into force in 2007, requires states to criminalize nuclear theft and nuclear terrorism, including acts not covered by the CPPNM, such as the use of radiological dirty bombs. Between 2009 and March 2016, 50 parties ratified the treaty, bringing the total to 102. Since then, an additional 14 countries have ratified it.277 Despite this progress, a number of states with weapons-usable nuclear material have not joined one or more of these agreements. See Table 4.

     

    Table 4: States with Weapons-Usable Nuclear Material that Have Not Joined Nuclear Security Treaties278

    *Indicates the state has neither signed nor ratified. The amendment does not need to be signed.

     

    Although the amendment to the physical protection convention extends its application to material in domestic use, it does not create any specific standards for nuclear security. Instead, it offers broad principles—requiring, for example, that states establish rules for how secure nuclear materials and facilities should be and an agency with responsibility for ensuring the rules are followed. Three of the principles relate to the key areas of nuclear security described in this report, including:

    • A state’s nuclear security system should be designed to handle its “current evaluation of the threat.”
    • All relevant organizations should “give due priority” to security culture and ensuring its “effective implementation through the entire organization.”
    • States should establish and implement a quality assurance approach to provide confidence that nuclear security systems really do meet their requirements.279

    ICSANT, focusing primarily on criminalization of various acts related to nuclear terrorism, is even less specific, requiring only that states parties “make every effort” to provide “appropriate” protection for nuclear and radiological materials, “taking into account” IAEA recommendations.280

    No particular provisions in these treaties have required major improvements in the way nuclear security was actually implemented at nuclear facilities and transports. Nevertheless, the processes of signing and ratifying these amendments have created “decision moments” for highlighting the dangers of nuclear terrorism and the need for action to address them, and have probably contributed to nuclear security upgrades that were not strictly required. The amended physical protection convention, in particular, with its specific reference to security culture, has likely contributed to the spread of security culture initiatives. On the other hand, ratifying these treaties may also have distracted attention, offering decision-makers a measurable marker of progress that did not, in itself, result in better nuclear security on the ground. Overall, the effect of these treaties on the five key areas of nuclear security discussed in this report has been modest so far.

    Some analysts argue that the 2021 review conference for the CPPNM, and the possibility of further review conferences thereafter, could provide an important new forum for reviewing progress on nuclear security and discussing next steps.281 Review conferences for agreements like the Nuclear Safety Convention have certainly had some benefit, particularly with the detailed reporting that has become the norm in that convention. Both the Contact Group and IAEA meetings have begun discussing preparations for the upcoming review conference.

     

    Bilateral Nuclear Security Cooperation

    Traditionally, the element of the international nuclear security framework that has had the largest demonstrable impact on on-the-ground nuclear security practices has been bilateral cooperation. The United States, in particular, has helped with nuclear security improvements in Russia and the other states of the former Soviet Union, and in many other countries, often helping to finance installation of major new barriers, detectors, accounting and control systems, and other nuclear security equipment, along with provision of appropriate training, improvements to regulations, and other elements of an effective nuclear security system. Other countries have engaged in similar cooperation, though on a much smaller scale. In some cases, such cooperation has not been bilateral, but trilateral or quadrilateral, with several countries cooperating at a particular site.

    The United States has also pressured countries to which it supplied nuclear materials and technologies to provide adequate security for them, and has worked to convince countries that did not need U.S. financial help to do more on their own. These efforts have had substantial effects: at nuclear facilities in the former Soviet Union, and at many other sites in other countries, the difference between the security arrangements of the 1990s and those in place today is like night and day.

    Bilateral nuclear security cooperation has slowed in recent years, however, and in the future, its impact is likely to be substantially smaller than it has been in the past (though still an important influence on nuclear security practices and always an option in case of emergency). There are several reasons for this. First, the most urgent gaps bilateral cooperation was addressing have been filled. Projects involving installing major new security systems have largely been completed (though recipients must cope with maintenance, upgrading, and eventual replacement of these systems). Second, as noted earlier, in 2014 Russia suspended almost all U.S.-Russian nuclear security cooperation, in response to U.S. sanctions over Russia’s seizure of Crimea and other concerns. If U.S.-Russian relations permit, there are good reasons to restart a more limited form of cooperation in which each side would pay for its own experts’ participation, but the overall impact of cooperation will inevitably be smaller than it was in the past, as the remaining gaps are not as wide.282 Third, while the United States is cooperating with countries such as China and India on nuclear security, the cooperation is limited to workshops, training sessions, and expert discussions, and does not involve significant numbers of visits to major facilities. Even in Pakistan, where U.S. nuclear security cooperation programs have been more substantial, a good deal of the most urgent work is done, poor U.S.-Pakistani relations are making ongoing work more difficult, and Pakistan has not been interested in allowing visits to its military nuclear facilities (or even telling U.S. experts where they are), in part because Pakistani officials believe that the United States might try to seize Pakistan’s nuclear stockpiles if it had full knowledge of where they were.

    Overall, bilateral cooperation has had major effects on each of the five key areas of nuclear security described in this report. If such nuclear security programs are revitalized, appropriately funded, and targeted on these five key areas, such programs could continue to have important effects in the future, though, as discussed earlier, more focused on convincing countries to do more themselves and advising them on how best to do it.

     

    Industry and Civil Society Organizations

    Both the nuclear industry and civil society—from the press to non-government organizations to academics—can play important roles in achieving the vision of nuclear security outlined in this report.

     

    The role of the nuclear industry

    Ultimately, nuclear-operating organizations—whether private or state-owned companies, or government-run labs and facilities, or military units—bear the ultimate responsibility for ensuring effective protection of the nuclear weapons, materials, and facilities entrusted to them. They typically must meet stringent rules and regulations that are externally imposed, but even among facilities in compliance with the rules, decisions about the specifics of implementing security day-to-day make an enormous difference in how effectively these items are protected.

    For decades, nuclear-operating organizations have advised governments on nuclear security. In some cases, their expertise has enabled significant nuclear security improvements or more efficient approaches to achieving comparable objectives; in others, companies have lobbied to weaken nuclear security requirements they considered unnecessary, in order to save money.283

    The founding of WINS has been perhaps the most important industry-level development in recent years.284 WINS conducts good practice exchanges, develops guidance on good practices in a variety of areas of nuclear and radiological security, and has established the WINS Academy (discussed below), which provides online education and certification in several areas of nuclear security, contributing to the professionalization of the nuclear security field. Particularly in areas such as security culture and corporate governance of security, there seems little doubt that WINS is having an impact: more than 82 percent of participants in WINS activities report that they have changed security practices as a result.285 To date, however, there have been few WINS participants from some of the countries where its effect could be most important, such as Russia, Pakistan, and India.

    During the nuclear security summit process, industry organizations put together a series of parallel industry summits. At the last industry summit in 2016, the participating organizations decided to establish the Nuclear Industry Steering Group for Security (NISGS).286 NISGS got off to a slow start—but in 2018 it has been reformed, with the President of WINS in the chairmanship, and a Rosatom official as deputy chair.287 It is too soon to tell what impact NISGS will have on the five key areas discussed in this report under its new leadership. For the present, while the nuclear industry’s role within countries has been extremely important, the role of industry in international nuclear security cooperation has been more limited.

     

    The role of civil society

    Civil society also plays a critical role in nuclear security. Press stories, legislative investigations, think tank and academic studies, unofficial dialogues, and other activities can educate policymakers about nuclear security, create pressure for action, suggest ideas, create forums for discussion, and more. Indeed, many of the core ideas pursued during the nuclear security summit process and before came originally from civil society.288

    At each of the nuclear security summits, in addition to the government summit and the industry summit, there was also a summit organized by civil society organizations. An international coalition of non-government organizations, the Fissile Materials Working Group (FMWG), played a central role in organizing those non-official summits, and continues to coordinate international civil society efforts on nuclear security.289 In addition, the Nuclear Threat Initiative has organized a “Global Dialogue on Nuclear Security Priorities”—a series of multi-day workshops bringing together government, industry, and non-government experts (often, in the past, including some of the Sherpas supporting the nuclear security summit process) to discuss ideas for next steps in nuclear security. Both the FMWG’s efforts and NTI’s dialogue process contributed significantly to the ideas pursued in the official nuclear security summits, and are continuing beyond the summit process.

    Civil society organizations have contributed to international cooperation in each of the five key areas of nuclear security highlighted in this report, and have been quite important in pushing for change within particular countries. But in many countries, very little information about nuclear security arrangements is available in the public domain, and there is very little financial or institutional support for non-government experts to develop the expertise and credibility that would allow them to make useful suggestions and have a chance of being listened to. There is, of course, a dramatic difference between authoritarian countries and democracies in this respect, but even in some advanced democracies, civil society’s role in nuclear security is weak. In many countries, non-government people interested in nuclear issues are assumed to be simply anti-nuclear protesters, and neither government nor industry has much interest in listening to them. In short, for both industry and civil society, there is more to be done before they can reach their full potential in contributing to the vision of nuclear security outlined in this report.

     

    Nuclear Security Education and Training

    An effective nuclear security program requires well-trained personnel. As noted earlier, the availability of nuclear security training has expanded dramatically in recent years, in several categories.

    First, some two dozen countries have now established nuclear security training and support centers, sometimes known as Centers of Excellence.290 These centers have provided training courses to thousands of participants, in topics ranging from physical protection system design to measurement of nuclear material. The IAEA helps coordinate the centers’ programs and shares nuclear security information and resources through the Nuclear Security Support Center network, which now has representatives from 60 member states.291

    Second, as discussed earlier, the IAEA provides extensive training programs, reaching thousands of participants each year. Third, a variety of academic institutions and other organizations provide nuclear security training—and as noted earlier, the IAEA has established a coalition of groups involved in nuclear security training, known as INSEN. WINS, in particular, has established the WINS Academy, offering training and certification in a wide range of nuclear security issues (with a particular focus on nuclear security management). As of 2018, over 1,000 participants from 89 countries had taken WINS Academy courses.292

    Unfortunately, no comprehensive assessment of the impact of this training is publicly available. Are these centers training the right people? Do those people continue on in nuclear security, or move to other work? Does the training provided significantly improve their performance? Are there elements of knowledge important to achieving effective nuclear security that are not generally being covered? Further assessment of such questions is needed. The WINS Academy provides somewhat more public information on such topics than other nuclear security training programs do; a large percentage of participants believe the training was valuable for improving their nuclear security competence, and significant numbers of them have received additional responsibilities after taking part in the training, suggesting that such a professional credential does indeed have a positive career effect.293 Overall, there is little doubt that training programs have had significant positive effects in at least the first four of the key areas of nuclear security described in this report (the fifth being consolidation to fewer locations, less often a topic of training programs), but the magnitude of the effect is difficult to assess. Unlike other elements of the international framework, these training programs appear to be continuing at roughly the same pace after the summits (though it is likely that few new ones will be established); one question, however, is whether they will continue to receive the needed financial support over the years to come.

     

    Good Practice Exchange

    Exchanges of ideas and good practices among groups of experts are another important element of the international nuclear security framework. Frequently these take place in the context of other types of cooperation already discussed—such as bilateral cooperation, the IAEA, WINS, and nuclear security training centers. WINS, in particular, has focused much of its work on good practice exchanges followed by development of guides outlining WINS’ ideas about good practice in particular areas of nuclear security. But these exchanges also take place in other contexts, such as stand-alone workshops, international conferences, professional societies, and more. For example, there have now been two international conferences on good practices in regulation of nuclear security, and there are likely to be more in the future.294

    Such exchanges can spread ideas, motivate experts to advocate for additional action in their own countries, and build cooperation between countries and organizations. There is no doubt that they have had important effects in all five of the key areas of nuclear security that are the focus of this report. The magnitude of their impact is difficult to assess, however.

     


     

     

    V.  Assessing National-Level Inputs to Nuclear Security

    ← previous section  |  ↑ Table of Contents  |  next section →
    Nigeria's Miniature Neutron Source Reactor was the last operational research reactor in Africa to make the conversion from HEU to LEU. Here, the HEU once used in the reactor is loaded for shipment back to China, the supplier. ​​​​​​​(IAEA)
    Nigeria's Miniature Neutron Source Reactor was the last operational research reactor in Africa to make the conversion from HEU to LEU. Here, the HEU once used in the reactor is loaded for shipment back to China, the supplier.
    (IAEA)

    In addition to assessing progress in nuclear security outputs and outcomes, it is worth asking about the inputs as well. Are countries putting a level of effort into nuclear security commensurate with reducing a central risk to global security? One set of inputs, the international frameworks and organizations that can facilitate nuclear security cooperation, has already been discussed. In this section, we assess a select set of national-level inputs that suggest the level of real priority focused on nuclear security, including nuclear security leadership, planning, funding (at least for U.S. support for international nuclear security programs), and leading by example—the degree to which states are themselves taking the nuclear security steps they encourage others to take.

     

    Effective Nuclear Security Leadership

    Meaningful progress on nuclear security is impossible without strong leadership on the international stage. Strong leadership has led to the creation of international organizations, multilateral groups, bilateral cooperative relationships, and the recently concluded nuclear security summit process. Unfortunately, the level of leadership focused on nuclear security has declined dramatically since the end of the nuclear security summit process.

    Successful leadership in nuclear security requires influential countries to: put well-placed people in charge of pushing the nuclear security agenda forward; devote significant time and political capital of high-level officials to the topic; develop and implement overall plans for progress; assign sufficient people and funds to carry out those plans; and lead by example, taking the nuclear security steps themselves that they advocate others should take. Each of these areas appears to have declined since the end of the nuclear security summit process, in the United States and elsewhere.

    For decades, the United States has led most international nuclear security initiatives, proposing initiatives, using its diplomatic muscle to move them forward, and providing funding for improvements around the world. U.S. leadership is likely to remain essential. But with the Trump administration’s limited enthusiasm for many forms of international cooperation, the reaction against its “America First” approach in many foreign capitals, and the complaints of many developing non-nuclear-weapon states about what they see as the unfairness of the nonproliferation regime and the lack of progress on disarmament by the nuclear weapon states, it is likely to be increasingly important for other countries to take up leadership roles as well. Fortunately, a number of other countries have taken on increasingly active roles—ranging from the other hosts of the nuclear security summits (South Korea and the Netherlands) to the United Kingdom, Australia, Canada, Jordan, Morocco, Norway, and even China.295

     

    Sustained, High-Level Political Attention to Nuclear Security

    Every president in the past quarter century has emphasized the serious threat posed by nuclear terrorism and has launched initiatives to strengthen nuclear security. At the 2016 Nuclear Security Summit, President Obama warned that “the danger of a terrorist group obtaining and using a nuclear weapon is one of the greatest threats to global security,” and argued that “the single most effective defense against nuclear terrorism is fully securing this material so it doesn’t fall into the wrong hands in the first place.”296

    President Trump has also offered rhetorical support for nuclear security. In a 2017 speech in Fort Myer, Virginia, he declared that the United States “must prevent nuclear weapons and materials from coming into the hands of terrorists and being used against us, or anywhere in the world.”297 Lower-level officials have also reiterated that nuclear security remains an important U.S. priority.298 The Trump administration’s Nuclear Posture Review, released in early 2018, also emphasized that reducing the danger of nuclear terrorism must be a U.S. national security priority, and argued that while a multi-layered approach is needed, the first layer of defense is the most important: “the most effective way to reduce the risk of nuclear terrorism is to secure nuclear weapons and materials at their sources.” The report also stressed the importance of “enhancing cooperation with allies, partners, and international institutions.”299

    This rhetorical support is important. Nevertheless, there is little indication that nuclear security is receiving sustained attention by President Trump or by anyone in his Cabinet—or even anyone at the Deputy Secretary or Undersecretary level. The Trump administration took more than a year to put in place a Senate-confirmed official in charge of the nonproliferation and nuclear security programs of the NNSA. President Trump has made clear to Secretary of Energy Rick Perry that he expects him to work to save failing coal and nuclear plants from closure; there is no evidence that he has issued any similar instruction for Perry to make improving nuclear security one of his priorities.300

    Moreover, countries make broader foreign policy choices that can directly impact international nuclear security initiatives. The Obama administration’s decision to impose sanctions on Belarus for human rights violations effectively ended an initiative that was supposed to remove HEU from the country only weeks later. The Trump administration’s broader foreign policy could undermine international efforts to strengthen nuclear security by calling traditional alliances and bilateral relationships into question, disrupting agreements in international groups like the G7, and diminishing the significance of international agreements and institutions.301

    A similar situation appears to pertain in other countries. Without summits repeatedly forcing the issue to the highest levels of government, the level of sustained, high-level attention on nuclear security has markedly decreased around the world.

     

    Designated Officials With Responsibility for Nuclear Security Progress

    In the Obama administration, for the first time, a Senior Director on the National Security Council staff was tasked with focusing primarily on efforts to prevent nuclear, chemical, and biological terrorism, particularly by upgrading nuclear security around the world. The people in that office played a central role in organizing the nuclear security summits and the other nuclear security initiatives of the Obama years and led the relevant interagency processes.302

    Initially, the same was true on President Trump’s National Security Council (NSC). But the topic of nuclear security has now been subsumed as one of the many issues under a Senior Director overseeing all of arms control and nonproliferation, and is likely to get far less focused attention than it has received in the past.

    Another positive example is in Sweden, which formed a Nuclear Security Coordination Group consisting of the national regulator, the National Police, the Swedish Security Service, the Civil Contingencies Agency, the Swedish National Grid, and the Coast Guard. The purpose of the group is to “oversee, coordinate, and integrate activities supporting the Swedish nuclear security regime.”303

    Elsewhere, one benefit of the nuclear security summit process was that countries designated senior officials as Sherpas to lead summit preparation efforts, and these officials, directly supporting their heads of state, were able to pull together interagency discussions—and discuss the issues internationally—in a way that had not happened before. In those countries participating in the Nuclear Security Contact Group, there are still senior officials designated to lead their participation in nuclear security discussions—but without any connection to upcoming meetings for the head of state, their ability to mobilize the resources of other agencies of their governments (or cause shifts in those other agencies’ policies) is much reduced. Few countries have designated senior officials for whom strengthening international nuclear security is a major portion (e.g., more than 20 percent) of their portfolio.

     

    Plans for Strengthening Nuclear Security

    The Trump administration developed its own nuclear “Integrated Nuclear Security Strategy,” which was summarized in the Trump administration’s National Strategy for Countering WMD Terrorism released in December 2018.304 The strategy stresses the urgency of securing nuclear material and states the United States will seek to “eliminate or minimize superfluous” stocks of nuclear material and improve security for those materials. Notably, similar to the Nuclear Posture Review, the report emphasizes international cooperation with other countries, as well as with international organizations, groups, and industry.

    This strategy, as well as other policy statements, indicates that the general approaches and emphases of the Trump administration’s approach are similar to those that existed toward the end of the Obama administration. In both cases, plans have called for continued efforts to convert HEU-fueled research reactors to LEU and remove unneeded HEU and plutonium from sites willing to cooperate in that endeavor; continued workshops, trainings, and good practice exchanges with countries such as China and India, largely focused at their nuclear security Centers of Excellence, with somewhat more extensive cooperation with Pakistan; modest sets of nuclear security workshops and other activities with a range of other countries; continued support for the IAEA Division of Nuclear Security; continued efforts to convince more countries to participate in nuclear security conventions and initiatives, and to ensure that they take implementation seriously; and larger programs for security of radiological sources than for security for nuclear weapons and weapons-usable nuclear material (as there is more “low-hanging fruit” in the form of straightforward improvements that have not already been done in the case of radiological materials). Much of the rest of the effort would be focused on efforts to stop nuclear smuggling and counter high-capability terrorist groups. (See “Beyond Nuclear Security,” p. 202.)

    These plans, however, appear to leave major gaps remaining:

    • Nuclear security in Russia. Given Russia’s resistance to continued nuclear security cooperation with the United States—at least until the United States removes its sanctions on other elements of nuclear cooperation—neither the Obama administration nor the Trump administration planned significant further efforts to cooperate with Russia on nuclear security. As discussed elsewhere in this report, however, Russia has the world’s largest stockpiles of nuclear weapons and weapons-usable nuclear material, and security for them that has improved dramatically but still has some weaknesses that should be addressed. Neither the U.S. government nor any other government has a real plan to revive cooperation with Russia.
    • Nuclear security in wealthy countries. Traditionally, U.S. nuclear security programs have focused primarily on “other than high income” countries, which were seen as most in need of help. The effort to cooperate with wealthier countries was quite modest—often limited to a small number of officials discussing potential improvements, and U.S. teams visiting to confirm that U.S.-origin nuclear material had adequate physical protection (as required by U.S. law). But the reality is that wealthy countries (including the United States) also have important weaknesses in their nuclear security arrangements. Now that the focus of nuclear security programs is shifting from U.S. financing for installing equipment and providing training to convincing other countries to do more themselves, the approach would be equally applicable to developing and wealthy countries, making the absence of substantial plans to work with most wealthy countries on nuclear security improvements an important gap.
    • HEU and plutonium stocks not planned for removal. As described elsewhere in this report, efforts to consolidate nuclear materials to fewer locations have been remarkably successful, helping more than half of all the countries that ever had HEU or plutonium on their soil to eliminate them. Efforts to remove Russian-supplied HEU from non-Russian countries are nearly complete. But tons of U.S. supplied HEU still exists in foreign countries (primarily in Europe) and no focused plan to eliminate those stocks exist; Belarus and South Africa, the two remaining non-nuclear-weapon states with enough HEU at a single site for a gun-type bomb, are not participating in efforts to eliminate those stocks; no credible plan is in place to slow the growth of the huge stocks of civilian separated plutonium around the world (now in the range of 290 metric tons, more than in all the world’s weapon stocks combined), or to reduce the processing, transport, and use of this material or the number of sites where it exists; and there is no focused effort to consolidate stocks of nuclear weapons, HEU, and separated plutonium used for defense purposes to the minimum number of locations needed for ongoing military missions.
    • Alternative incentives and policy approaches. Finally, there are other potentially effective incentives and policy approaches that are not included in current plans (either of the U.S. government or of other governments or organizations). In some cases, for example, it may be cheaper and quicker to provide incentives for a research reactor shut down when it has limited remaining uses than to convert it. Such incentives might include funding for scientists at the site to do research at other research reactors, or help with spent fuel or with decommissioning. Current conversion efforts, however, are not supplemented with any approach to encouraging shut down of less needed reactors.305 Although Russian officials have indicated that Russia would be willing to restart limited nuclear security cooperation if the United States agreed to restart nuclear energy cooperation, no such package is currently included in U.S. plans (or other countries’ plans, as far as is known). A common political commitment to take particular steps to ensure nuclear security might give countries additional incentives to put those measures in place, but it not currently being discussed. Current plans do not focus on ensuring that operating organizations handling nuclear weapons or weapons each have targeted efforts to strengthen nuclear security culture or comprehensive, multi-layered protections against insider threats.

    In short, if the question is: does any country or international organization have a plan for a comprehensive effort to do everything that could plausibly be done at a reasonable cost to improve nuclear security, the answer is clearly “no.”

     

    Funding for International Nuclear Security

    One way the United States has led on nuclear security has been by paying to help other countries upgrade nuclear security, and to finance IAEA nuclear security activities and cooperative efforts such as exchanges of good practices. Other countries have also contributed to such financing, though on a much smaller scale. As noted earlier, future nuclear security programs are likely to focus on the less expensive tasks of convincing other countries to do more themselves and advising them on how to do it, rather than the United States paying for nuclear security upgrades. Nevertheless, these efforts will still require significant financial support, and the need for them is likely to continue for many years, since the work of adapting nuclear security to evolving technologies, threats, and understandings of vulnerabilities is never “done.” Hence, budget and personnel allocations remain relevant indicators of nuclear security efforts.

    The responsibility for securing nuclear weapons-usable materials rests with the states that possess them, which means that states should find the resources to pay for effective nuclear security systems themselves. But some states that are poor, or are in crisis (as the states of the former Soviet Union were following the Soviet collapse) have found it difficult to do so, and many more have benefited from advice on how best to implement an effective, modern nuclear security system. Given the potentially catastrophic economic, political, and humanitarian consequences of an act of nuclear terrorism, which would extend far beyond national borders, the United States and other countries have considered investments in nuclear security improvements around the world as investments in their own security.306

    The United States has spent billions of dollars on improving nuclear security around the world over the past quarter century. But for context, in the past decade, the amounts the United States has invested have never amounted to as much as 1/800th of U.S. defense spending—a bargain if one considers the importance successive U.S. presidents have placed on preventing nuclear terrorism.

    Unfortunately, under both President Obama and President Trump, both budget requests and legislative appropriations for nuclear security programs have been declining for years. Funding has now declined to the lowest levels since the early days of these programs in the mid-1990s. Much of this decline is due to projects being completed or countries being unwilling to implement other projects—but more funding would be needed to implement a more comprehensive nuclear security effort.307

    Most U.S. international nuclear security work is conducted through the DOE’s NNSA.308 For more than a decade, the two major DOE nuclear security programs were International Materials Protection and Cooperation and the Global Threat Reduction Initiative. Those programs have now been rearranged into two new programs: Global Materials Security, and M3. The Global Material Security program works with foreign countries to help improve security for nuclear weapons, weapons-usable nuclear materials, and radiological materials.309 M3 is responsible for removing HEU and separated plutonium from vulnerable sites; converting research reactors and medical isotope production facilities so they no longer use HEU; and disposing of HEU and plutonium. These are the key programs we count as “nuclear security” programs in assessing budget allocations. Recent appropriations for these programs are shown in Table 5.

    The Obama administration ramped up nuclear security spending throughout its first term. See Figure 7. In fiscal year (FY) 2012, nuclear security spending reached its peak when the administration’s budget requested $822 million and Congress appropriated $824 million.310 During the Obama administration’s second term, budget requests for nuclear security programs declined every year, and appropriated budgets declined accordingly every year—except for FY 2016, when Congress added funds to the administration’s request. The Obama administration’s last (FY 2017) budget request was particularly alarming, proposing to cut NNSA’s International Nuclear Security program, which is most responsible for supporting security upgrades around the world, by two-thirds, to the lowest level since its nascent days in the 1990s.

     

    Figure 7: Requested and Allocated Funding for U.S. Department of Energy Nuclear Theft Prevention Programs311

    Figure 8: Projected Department of Energy Nuclear Theft Prevention Spending312

      

    The Trump administration has continued requesting cuts to nuclear security programs, proposing to slash them even further in FY 2018 and FY 2019. The Trump administration proposed spending $351 million on nuclear security in FY 2018, down from $389 million in FY 2017. Congress rejected the idea of such deep cuts, increasing nuclear security spending to $443 million. The Trump administration has proposed even deeper cuts, to $327 million, for FY 2019. Congress has responded by, once again, rejecting most but not all of the projected cut, with an appropriated budget of $419 million. On average, the Obama administration asked for $643 million per year on NNSA nuclear security programs. The Trump administration’s requests are averaging $340 million, roughly half that amount.313

    These cuts are not what the program managers originally planned. As recently as 2016, the United States planned to spend $200 million more on nuclear theft prevention programs in FY 2019 than the Trump administration ultimately requested, and $150 million more than is now planned for FY 2020.

     

    Table 5: DOE Nuclear Security Appropriations (in millions of dollars)

    *May not add due to rounding.

     

    Estimated future spending for these programs has also declined. Even while the Obama administration was cutting funding for nuclear security, it anticipated increasing funding again in the future, for more reactor conversions, material removals, and cooperative nuclear security improvements. The Trump administration has stopped envisioning future increases. See Figure 8. From 2019-2021, the Trump administration proposed cutting the International Nuclear Security program from $355 million projected in 2016 (the FY 2017 budget request did not include a full five-year nuclear security budget because of when the Nuclear Posture Review was released) to $143 million, a funding level 60 percent below what managers expected to have only a few years ago. Similarly, the administration proposes cutting the amount of money the United States plans to spend on removing nuclear weapons-usable material over the 2019-2021 period from $410 million projected in FY 2016 to $146 million, only about one-third what managers had previously expected to have.314 There appear to be hundreds of millions of dollars of cooperative nuclear security upgrades and materials removals that are no longer included in current plans.

    There are a number of reasons for the decline in nuclear security programs. First, tension between the United States and Russia has led to the suspension of almost all nuclear security cooperation between the two countries—the two largest nuclear powers—so in most cases funding for Russian cooperation is no longer planned. Second, political impediments with countries like India, China, and Pakistan limit the scope of what NNSA nuclear security programs can achieve. Third, many research reactors outside of Russia that can convert with existing fuels have already done so—so many reactor conversions are waiting for the availability of higher-density fuels, still projected to be roughly a decade in the future. Fourth, with limited overall NNSA budgets, the increasing costs of weapons programs are crowding out nonproliferation programs.315

    While Trump administration officials have argued that planned funding is sufficient for their limited current nuclear security plans, the proposed budgets are clearly not enough to fund the more comprehensive and ambitious nuclear security agenda that is needed.

     

    Leading by Example

    To convince other countries to strengthen their nuclear security approaches, the United States and other countries advocating such improvements are likely to need to take similar steps themselves. The United States has some of the world’s most stringent nuclear security requirements—but there are still areas of weakness that can undermine U.S. international nuclear security efforts.

    Consider:

    • The United States has hosted one IPPAS mission, at a government-owned HEU-fueled research reactor in Maryland, but is not currently planning to host other missions at facilities with larger stocks of plutonium or HEU.
    • There are no U.S. requirements for operators to implement programs focused on strengthening security culture, even though some other countries have adopted such requirements.
    • The NRC requires only very modest security measures for radioactive sources, even large and dangerous ones (though some organizations using such radioactive sources have implemented upgrades going well beyond NRC requirements, with help from NNSA).
    • Similarly, research reactors regulated by the NRC enjoy an exemption from the most important NRC physical protection rules, so that they are not required to protect against any specified level of threat, to have any armed guards, or even to have a fence outside the reactor building itself. (As with radiation sources, however, NNSA has helped the most important research reactors implement security measures going well beyond NRC requirements.)
    • The United States has announced plans to increase, rather than decreasing, the number of U.S. sites performing bulk processing of plutonium, with proposed pit production facilities at both Los Alamos laboratory and the Savannah River Site in South Carolina (though both of these operations would be on a scale of tens or hundreds of kilograms a year, rather than tons, making accounting for the plutonium significantly easier).

    U.S. organizations are debating other steps that would weaken nuclear security in the United States, and the U.S. ability to convince other countries to implement desired nuclear security measures:

    • NRC is considering reducing the intensity of NRC-organized force-on-force exercises, so that licensees would have only one scenario tested every three years (with another organized by the licensee and observed by the NRC), down from three a few years ago.316
    • NRC is also considering a staff proposal to reduce security requirements for fabricated plutonium fuel and other materials containing less than 10 percent by weight plutonium or U-235, to the point that they would not have to be protected against a DBT and the security plan could be based on allowing the material to be stolen and relying on local law enforcement to pursue the thieves.317
    • The U.S. House of Representatives proposed legislation in 2018 to block expenditure of funds to convert DOE’s high-power research reactors from HEU to LEU fuels.318 This would make it more difficult to convince other countries to convert their HEU-fueled reactors.

    A comprehensive U.S. plan for strengthening nuclear security around the world would include the steps the United States needs to take to lead by example.

     

     


     

     

    VI.  Next Steps to Regain the Momentum

    ← previous section  |  ↑ Table of Contents  |  next section →
    Secretary of Energy Ernest Moniz (center right) and Xu Dazhe (center left), head of the China Atomic Energy Authority (CAEA), discuss U.S.-Chinese cooperation on the Chinese nuclear security Center of Excellence, while taking part in the 2016 nuclear security summit. Yin Bogu/Xinhua/Alamy Live News
    Secretary of Energy Ernest Moniz (center right) and Xu Dazhe (center left), head of the China Atomic Energy Authority (CAEA), discuss U.S.-Chinese cooperation on the Chinese nuclear security Center of Excellence, while taking part in the 2016 nuclear security summit.
    (Yin Bogu/Xinhua/Alamy Live News)

    As this report has made clear, as the nuclear security summits recede into the rear-view mirror, nuclear security progress is slowing, despite substantial work yet to be done. The international community needs to take steps to regain the momentum—or face a risk of nuclear and radiological terrorism that will begin to rise again. As with nuclear safety, nuclear security efforts must focus on continuous improvement in pursuit of excellence, not just compliance with a particular set of nuclear security rules. Toward that end, this chapter will offer recommendations for action in four categories, including steps to:

    • Combat complacency and build understanding of the threat;
    • Strengthen nuclear security implementation on the ground;
    • Bolster frameworks for international nuclear security cooperation; and
    • Ensure effective leadership of and sufficient inputs to the effort.319

    Although the U.S. role is changing in the Trump administration, and other countries are taking expanded leadership roles, the role of the U.S. government is likely to remain central, and this chapter will include recommendations for the U.S. government role in each of these four areas—including for a revitalized set of U.S.-sponsored international nuclear security programs.

     

    Combating Complacency

    Finding 1.1: Complacency—the belief that the threats of nuclear and radiological terrorism are minimal, and existing security measures are sufficient to address them—is the most fundamental barrier to nuclear security action.

    From national leaders to regulators to facility operators, people will be mostly likely to take action if they believe that (a) nuclear terrorism poses a real threat to their own country’s interests, and (b) their actions can significantly reduce the threat.

    With the end of the nuclear security summits, and the corresponding end of high-level global meetings that call attention to the threat, complacency is growing. The defeat of the Islamic State’s geographic caliphate and the passage of time since the death of Osama bin Laden add to the sense of a lack of urgency. And the countless other nuclear issues being debated in the world—from North Korea to the U.S. pullout from the Iran nuclear deal to the South Asian nuclear arms competition to U.S.-Russian nuclear tensions and eroding arms control agreements to the fates of the ban treaty and the nuclear NPT—help push nuclear security issues onto the back burner.

    But complacency is partly the result of lack of knowledge about real events related to nuclear terrorism and real weaknesses of nuclear security systems. That part of the problem can be countered by providing credible, relevant information. The international community should take several steps to combat complacency and make the case for continued action to strengthen nuclear security.

    Recommendation 1.1: Prepare reports and briefings on the threat.

    The U.S. government should prepare detailed reports and briefings on the threats of nuclear and radiological terrorism. (Other countries may want to prepare similar reports and briefings of their own, to make clear that this is not only an American concern.) These should include, among other topics:

    • Analyses showing that it is plausible that terrorists could make a crude nuclear bomb if they got enough of the needed HEU or separated plutonium;
    • The history of real terrorist actions and plots to try to get nuclear weapons and the materials needed to make them, to make “dirty bombs,” or to sabotage nuclear facilities;
    • The record of real thefts of HEU and separated plutonium (with assessments of how much material may have been stolen and never recovered);
    • Incidents, test results, and other information that suggests that nuclear security systems still have important weaknesses that adversaries might be able to exploit;
    • The difficulties of stopping nuclear smuggling, or preventing a crude bomb from being brought to a target country (whole or in readily-assembled pieces); and
    • The enormous scale of the potential consequences, if terrorists ever did manage to detonate a nuclear bomb in the heart of a major city (along with the serious but more modest consequences of “dirty bomb” attacks or successful sabotage of a major nuclear facility).320

    Such reports and briefings should be prepared in several versions. First, there should be a highly classified version for use only by cleared officials of the government preparing the information. This is needed to make sure that current policymakers are aware of the information collected and analyzed years ago. In recent years, for example, even some senior U.S. government officials focused heavily on the nuclear terrorism threat were unaware that al Qaeda’s nuclear weapons effort had progressed as far as carrying out crude but sensible (for their level of resources) tests of conventional explosives for the bomb program in the Afghan desert.321

    Second, there should be a classified version that the United States could share with the United Kingdom and France (with whom the United States has formal agreements for sharing “restricted data” related to nuclear weapons). There have already been extensive classified discussions of this topic among these three governments, but it is important for current policymakers in each country to be drawing on a similar background of information.

    Third, there should be a version that can be shared confidentially with other governments, as part of the broader effort to convince governments to take additional actions to improve nuclear security (and cooperate to find and stop nuclear terrorist plots). Finally, there should be an entirely unclassified version that could be made public, to inform the public debate worldwide.

    Of course, information on this topic is not static. The material contained in these reports and briefings should be reviewed and updated on a regular schedule (perhaps every two years), and whenever major developments in the threat arise.

    Recommendation 1.2: Establish regular sharing of incidents and lessons learned.

    Another area where better information could help motivate action is expanded sharing of nuclear security incidents, instructive non-nuclear security incidents, and lessons learned on how to prevent such incidents in the future. There are major gaps in the incident information policymakers and operators have available. Many are unaware, for example, that there really was an incident (long ago) in which an insider at a nuclear power plant brought explosives into the plant, placed them directly on the steel pressure vessel head, and detonated them.322 In 2003, a Russian court case revealed that a Russian businessman had been offering $750,000—roughly a century of the average Russian’s salary at the time—for stolen weapon-grade plutonium for sale to a foreign client.323 That buyers were actively offering such huge sums to motivate insiders to steal nuclear material is highly relevant to threat assessment, but the authors have rarely encountered a nuclear security manager in Russia (or anywhere else, for that matter) who had ever heard of that case.

    People learn from real stories, and remember them, far more than they learn from and remember lists of rules. Overall, more widespread knowledge could do a great deal to convince nuclear security policymakers and operators that the threats are real and stronger nuclear security steps are needed. In a 2012 survey of nuclear security experts in most of the countries with HEU or plutonium, respondents reported that incidents were the most important drivers of recent decisions to strengthen nuclear security measures.324

    In nuclear safety, sharing of information on incidents and lessons learned is routine, and contributes enormously to ongoing improvement. For example, if there is a safety “near miss” at a U.S. nuclear power plant, the plant operator will do an in-depth analysis of the incident, exploring its root causes and lessons learned from it. This information is shared through an industry group, the Institute for Nuclear Power Operations (INPO). Compiling information from many facilities, INPO analyzes trends and issues. It sends lessons learned reports to U.S. reactors—and then inspects to see how well the facilities are implementing the lessons learned.325 Less detailed but still substantial processes for sharing such incident information and operating experience also exist internationally, through the industry-level World Association of Nuclear Operators (WANO) and the IAEA.

    Nothing remotely comparable exists in nuclear security, either nationally or internationally. There is the IAEA’s Incident and Trafficking Database (ITDB, formerly the Illicit Trafficking Database, with the same acronym), which compiles information from participating member states on episodes such as losses or intercepts of radioactive materials. But this sharing is typically limited to the date of an incident, the material involved, and a few other basic facts. Most of the reports do not include any information about how the incident occurred, what weaknesses were revealed, or how countries could prevent similar incidents in the future, limiting the opportunities for learning.326

    Secrecy inevitably makes it more difficult for facilities to share such detailed incident information than it is in the case of safety incidents. But a great deal of information about incidents can be shared—particularly after the vulnerabilities that adversaries exploited have been fixed—without in any way compromising security. Secrecy has not prevented a number of other industries from putting in place regular mechanisms for sharing detailed information on security incidents and lessons learned from them. Civil aviation, for example, has extensive measures for sharing such information.327 In the United States, for cybersecurity, in response to presidential Executive Orders, various industries have established “Information Sharing and Analysis Centers” (ISACs). The tagline for the financial services sector ISAC, for example, is “Sharing Critical, Authoritative Information Across Our Industry… Worldwide…Instantly.”328

    Similarly, casinos, despite being in fierce commercial competition with each other, also have a regularized system for sharing such information, so that a cheater kicked out of one casino cannot just walk down the street and pull the same scam at another.329 Distributors of often-stolen pharmaceuticals, similarly, have mechanisms for sharing information about incidents and what they suggest about adversaries’ tactics.330

    Several steps should be taken to move toward similar approaches for nuclear security. First, as a pilot initiative, the U.S. government should prepare (or have a contractor prepare) detailed open-source information on a set of incidents and lessons learned that it believes would be relevant for nuclear security policymakers and operators, which could be shared internationally. Second, each government with nuclear power plants or facilities handling HEU or separated plutonium should establish a mechanism for confidential sharing of incident information within its own country. Third, governments and the nuclear industry should work together to find an effective means for sharing this incident information internationally; each country should establish a means for reviewing the confidential reports developed for sharing within the country and determining which parts need to be removed before the information is shared internationally. The United States has already offered accounts of the weaknesses that allowed the 2012 intrusion at the Y-12 nuclear complex to occur and the lessons learned and steps that have been taken to prevent similar occurrences in the future; that is a good first step, but it would be helpful to offer even more detail, since more detail has already been made public in congressional hearings and investigative reports.

    What should be included? To the extent practical, each incident should be explored in depth, with analyses of the vulnerabilities that adversaries exploited to defeat security systems, and strengthened security measures that could prevent such incidents. Non-nuclear incidents that offer important lessons about the types of capabilities and tactics against which nuclear materials and facilities must be protected should also be included.331

    There are many institutional options for establishing and managing the international element of such an incident-sharing system. Its political legitimacy would be high if it were located at the IAEA, but the ITDB experience suggests that the political constraints of satisfying all member states might make it difficult for the IAEA to take this task on effectively. Industry groups such as WINS or the NISGS would be another option, as would a grouping of like-minded states (perhaps organized within the Nuclear Security Contact Group or the Global Initiative to Combat Nuclear Terrorism).

    Recommendation 1.3: Conduct creative, realistic vulnerability assessment and testing.

    Few things do more to convince a policymaker or manager that security needs to be improved than seeing the security system defeated—either in a vulnerability assessment in which analysts identify plausible ways to beat the system, or in a realistic test where mock adversaries actually succeed in doing so. As major non-nuclear heists around the world demonstrate again and again, security systems that look quite impressive—and can thus contribute to complacency—can often be defeated by intelligent adversaries who find and exploit unnoticed weaknesses. As effective vulnerability assessment and testing is a key part of on-the-ground nuclear security implementation, it is discussed in more detail below.

    Recommendation 1.4: Carry out intelligence agency dialogues.

    States usually rely on their intelligence agencies to keep them informed about threats to their security. Hence, convincing intelligence agencies that nuclear terrorism and radiological terrorism are real dangers to their countries’ security, and that existing nuclear security measures are not fully sufficient to address the threat, would be a major step toward combating complacency. The United States and other interested countries should direct knowledgeable teams from their intelligence agencies to conduct dialogues with other countries’ intelligence agencies to build common understandings about the threat—and, where practicable, to undertake cooperative actions against the threat.

    This is not a new idea. In the years after the 9/11 attacks, U.S. intelligence, in partnership with agencies in the United Kingdom and elsewhere, found detailed evidence concerning al Qaeda’s nuclear, biological, chemical, and radiological efforts.332 To ensure that everyone who might be able to stop ongoing plots had the information they needed, U.S. intelligence shared key information with a remarkable set of other agencies—including even those in Iran.333 Subsequently, U.S. intelligence agencies undertook a focused series of discussions of the nuclear terrorism threat with other agencies, often bringing a nuclear weapon design expert to address issues about the crude nuclear explosives terrorists might plausibly be able to make if they got the needed nuclear material. In one case, counterparts at a foreign intelligence agency asserted confidently that terrorists could not possibly make a nuclear bomb, and the U.S. representatives said, in effect, “you’re wrong. Discuss it with your government’s nuclear weapons experts, and we’ll come back and talk again in six months”—which then led to a more productive later discussion.334 The U.S. government and other interested governments should direct selected experts from their intelligence agencies to undertake similar dialogues, to help ensure that relevant intelligence agencies around the world have a full understanding of the threat of nuclear and radiological terrorism.

    Recommendation 1.5: Assign focused teams to search for weapons-usable nuclear material or information that could lead to it.

    Suppose that a team of top intelligence agents were given the mission of penetrating the shadowy world of nuclear smuggling—with its hoaxers, middlemen, smugglers, and thieves—and getting information that would lead to weapons-usable nuclear material. If, after a couple of years of effort, they proved unable to find anyone who could really get separated plutonium or HEU, that would suggest that terrorists would also have great difficulty in doing so, which would be an important (and comforting) piece of information. If, on the other hand, they succeeded in getting information that led to such material, that would provide compelling evidence of the danger that terrorists might do the same, which could be a powerful tool to combat complacency about the threat.

    The concept of creating such an intelligence team to proactively go on the hunt for information relating to nuclear material has been dubbed “the Armageddon Test.”335 The U.S. government should launch such an effort—in cooperation with other states to the extent that makes the operation work better.

     

    Strengthening Nuclear Security Implementation on the Ground

    Finding 2.1: Additional action in a wide range of specific areas is needed to protect nuclear and radiological weapons, materials, and facilities from theft and sabotage.

    Over the past quarter century, countries have made major, in some cases dramatic, improvements in nuclear security. In some cases, facilities that once had gaping holes in fences and weapons-usable nuclear materials left out on working tables at night are now equipped with modern fences, intrusion detectors, barriers, and substantial guard forces—and the weapons-usable nuclear materials are monitored and stored in secure vaults. As this report has documented, nuclear security progress has continued in some countries even after the end of the nuclear security summits. This progress should be celebrated.

    Nevertheless, as this report has also documented, there is more to be done. In some countries, nuclear security systems simply are not designed to handle some of the capabilities and tactics that thieves and terrorists have already shown they can bring to bear to defeat security systems in non-nuclear heists and attacks—let alone those that are plausibly just around the corner. For protecting against insider threats, many nuclear operators place too much reliance on measures such as background checks or portal monitors and lack a truly comprehensive approach. Similarly, many nuclear operators lack a focused program to strengthen their organization’s security culture—a crucial element of security. And weapons-usable nuclear materials continue to exist at far more locations than genuinely need them.

    Finding 2.2: Nevertheless, genuinely effective nuclear security implementation in five key areas could substantially reduce the risk of nuclear terrorism and should receive priority attention.

    A broad range of actions are needed to address these deficiencies. Nevertheless, as discussed earlier in this report, five broad elements are especially central to effective nuclear security:336

    • Designing nuclear security systems to protect against the full spectrum of plausible adversary capabilities and tactics;
    • Establishing comprehensive, multilayered programs to protect against insider threats;
    • Implementing targeted programs to strengthen security culture;
    • Conducting realistic performance testing and vulnerability assessment; and
    • Consolidating nuclear weapons-usable material to the minimum number of locations.

    If countries achieved strong performance in each of these five areas—which inevitably also require effective regulation and training of nuclear security-related personnel—they would have made major progress toward an effective and sustainable nuclear security system. Below, therefore, we offer recommendations for action in each of these five key areas.

    As previously noted in this report, at least broad principles for the first four of these steps are already called for in IAEA nuclear security recommendations, while the fifth is included in commitments from the nuclear security summits. (Specifics for each area are discussed below.) Hence, the key need is less for new commitments than for genuinely effective implementation of the existing ones (though it is certainly important to work to get additional countries to sign up to some of the key group commitments that were developed in the nuclear security summit process). The existing commitments and recommendations could be implemented in ways that would make little difference—or they could be implemented in ways that would truly transform nuclear security performance. The specifics necessary for effective protection are likely to vary from country to country, depending on factors such as the types of nuclear facilities and materials to be protected and the level of adversary threat, but the broad goals should be the same.

    Recommendation 2.1: Protect against all plausible adversary capabilities and tactics.

    A central nuclear security challenge is to ensure that nuclear weapons, materials, and facilities are protected against the full spectrum of plausible adversary threats and capabilities without going too far. Underestimating threats creates dangerous vulnerabilities, while protecting against unrealistic threats wastes resources and inhibits successful operations at nuclear facilities.337

    Countries should protect nuclear weapons, weapons-usable material, and major nuclear facilities against the full spectrum of adversaries their intelligence agencies judge to be credible. Moreover, there is a baseline level of threat that all countries should protect against. In an age of globalized threats, where all nuclear materials and facilities are potential targets of theft or sabotage, no country is so safe that it does not need to protect against a well-placed insider; a modest group of well-trained and well-armed outsiders, capable of operating as more than one team; and both an insider and the outsiders working together.338 Facilities or transports in countries facing more substantial adversary threats should have more extensive protection.

    U.S. nuclear security programs should seek to work with as many as possible of the countries with nuclear weapons, HEU, separated plutonium, or major nuclear facilities that might be sabotaged—through workshops, training, diplomacy, and briefings on adversary capabilities and potential responses to them—to ensure that their nuclear security systems protect against this wide spectrum of plausible adversary capabilities and tactics.

    Recommendation 2.2: Establish comprehensive, multilayered defenses against insider threats.

    Truly effective protection against insiders is critical, but difficult to achieve—particularly if the possibility of multiple insiders conspiring together is considered (something that occurs regularly in non-nuclear thefts). Insiders are known, trusted employees, with access to pass through many of the layers of the security system; they may have knowledge of the security system and its weaknesses; and they may have months or years to observe, plan, and recruit others. A web of cognitive and organizational biases lead organizations to systematically understate the insider threat and fail to notice warning signs. In some organizations, even the most alarming “red flags” can go unreported and unaddressed.339

    In the face of such challenging threats, it is a mistake to assume that any particular measure (such as background checks) will be sufficient. Instead, nuclear organizations must take a comprehensive, multilayered approach to insider protection, putting in place programs that maximize the scale and complexity of the challenges insider adversaries would have to overcome to carry out a devastating action. But at the same time, nuclear organizations need to build an organizational culture that is focused both on high performance and on high vigilance, for if protection against insiders is seen as interfering with getting the organization’s job done, people will disregard the rules for insider protection. And insider protection approaches that undermine trust and breed suspicion can undermine an organization’s effectiveness. Approaches to insider protection will necessarily vary from one situation to the next, and need to be designed within the context of the laws, culture, and rules of each particular country and organization.

    A comprehensive approach to insider protection should include:

    • Thorough background checks before granting access and ongoing monitoring of behavior after access is permitted;
    • Strong incentives for staff to report any concerning behavior, or any potential vulnerabilities they observe;
    • Effective programs to address employee disgruntlement (which is a remarkably important driver of insider incidents across a range of industries);
    • Effective investigations and responses to reports, seen as fair and reasonable by the organization’s staff (including providing help with mental health or other issues when these are brought to the organization’s attention through the reporting program);
    • Regular training programs focused on protecting against insider threats, including real stories of insider incidents, to give management and staff a feel for the reality of the problem;
    • Keeping human access to the materials or areas being protected to the absolute minimum (including through automation of key processes);
    • Nuclear material accounting that is accurate and timely enough to detect either a rapid or a protracted theft, identify when and where it happened, and establish who had access at that time and place;
    • Constant surveillance of nuclear material, and of vital areas that might be sabotaged;
    • Two-person or three-person rules, so that nobody is ever alone with weapons-usable nuclear material or in a vital area;
    • Portal monitors capable of detecting nuclear material at all potential entrances and exits to set off an alarm if any material is being removed;
    • Physical protection systems consciously designed to handle both insider and outsider threats (including insiders and outsiders working together); and
    • Regular tests, assessments, and inspections to ensure the effectiveness of the insider protection program in place—including “red teaming” in which creative staff members are assigned to find ways that an insider might be able to defeat the security systems.

    Insider protections are particularly important at HEU or plutonium bulk-processing facilities, which appear to have been the source of nearly all of the known cases of seizure of stolen weapons-usable nuclear material. When material is being handled regularly and is in the form of powders or liquids, it is significantly easier for insiders to remove small amounts without being detected. In the 21st century, organizations must also design programs to protect against potential insider cyber adversaries, both conscious and inadvertent. Here too, U.S. nuclear security programs should work with countries to ensure such insider protections are in place for key materials and facilities.

    Recommendation 2.3: Conduct realistic performance testing and vulnerability assessments.

    Realistic performance testing and vulnerability assessments are a critical component of an effective nuclear security system. As previously noted, INFCIRC/225/Rev. 5 recommends that nuclear operators have quality assurance programs to ensure that security systems can effectively protect against the design basis threat, including force-on-force exercises conducted at least annually.340 To be genuinely effective, other key elements of quality assurance programs should include:

    • Making sure that force-on-force exercises are as realistic as possible, within safe parameters, including realistic tests of the system’s ability to defend against intelligent adversaries (insiders and outsiders) trying to find ways to defeat it;
    • Establishing “red teams” whose job is to find security vulnerabilities and propose solutions. These teams should include individuals with a creative, “hacker” approach. They should have incentives to find vulnerabilities, and they should be protected from potential organizational backlash.
    • Conducting “tabletop” exercises, computer simulations, and brainstorming workshops to identify and assess tactics adversaries might use.

    Of course, operating organizations must act to address weaknesses identified in such vulnerability assessments and performance testing. Here too, U.S. nuclear security programs should include working with states around the world to ensure that they have effective vulnerability assessment and testing programs in place.

    Recommendation 2.4: Implement targeted programs to strengthen security culture.

    Nuclear security systems are only as effective as the people implementing them. If staff are ignoring security rules, security doors are propped open for convenience, guards are turning off intrusion detectors because of annoyance with false alarms, or guards are sleeping on the job, even extensive technological systems will not provide effective nuclear security. Hence the culture of the organization, and the priority it convinces its staff to place on security, is critical to success.

    Security culture, too, is already a major focus of IAEA recommendations. Every organization handling nuclear weapons or weapons-usable nuclear material, or managing a major nuclear facility, should have in place a targeted program to (a) assess their security culture regularly; and (b) seek to strengthen their security culture over time.

    Unfortunately, achieving a strong security culture can be quite difficult, as security success—in the form of lack of incidents—breeds complacency. Most nuclear facilities have never experienced even an attempted major theft or sabotage. In an average guard’s career, all the alarms he or she experiences will either be false alarms or tests. In this environment, it is difficult to develop and sustain an organizational culture where people believe there are realistic adversary threats to their organization that could strike at any time, and hence that they must be constantly vigilant and constantly trying to find and fix potential vulnerabilities.

    States should ensure that all organizations managing high-consequence nuclear materials or facilities have targeted nuclear security culture improvement programs that include:

    • Implementing security culture recommendations of the IAEA and WINS;341
    • Conducting regular security culture self-assessments;342
    • Providing regularly updated information to all security-relevant managers and staff at such organizations on nuclear security threats (perhaps making use of the reports and incident analyses recommended in the previous section), at levels of detail appropriate to their particular roles;
    • Establishing programs of incentives for strong nuclear security performance (for individuals, teams, and organizations, as appropriate); and
    • Developing mechanisms for sharing good practices and lessons learned in strengthening security culture among nuclear organizations (including, as appropriate, through the IAEA and WINS).

    The goal must be a strong focus on continuous improvement in security throughout the organization, especially from the organization’s leadership. An essential element of such a focus is a willingness to devote resources to improving security—including both money and capable, trained personnel. U.S. nuclear security programs should work with countries to ensure that each of their operators handling nuclear weapons, HEU, separated plutonium, or major nuclear facilities that might be sabotaged has an effective security culture program in place.

    The INFCIRC/869 commitment to ensure that all management and staff with responsibilities relevant to nuclear security are “demonstrably competent” is crucial not only to ensure that each individual is trained for his or her job, but for building an overall organizational culture that values nuclear security and understands that doing it well requires specialized knowledge and skills. Hence, in addition to programs specifically focused on security culture, states should ensure that organizations take part in relevant training programs, and that managers and staff demonstrate their competence through testing and certification programs (such as those offered, for example, by the WINS Academy).

    Recommendation 2.5: Consolidate nuclear weapons-usable material to fewer locations.

    As previously noted, states can achieve stronger security at lower cost by protecting fewer places. Every location where nuclear weapons, HEU, or separated plutonium are located is a potential target for theft. Each location adds to the risk that adversaries will exploit a vulnerability that defenders failed to notice. Hence consolidating nuclear weapons and weapons-usable material to the minimum number of locations required for ongoing military and civilian missions is a key part of nuclear security.343 All countries should continue the effort of minimizing stocks and the number of locations with HEU and plutonium. This should include (where applicable):

    • Developing national-level plans to consolidate nuclear stockpiles to the smallest attainable number of facilities.
    • Reviewing each location where nuclear weapons or weapons-usable nuclear material exists and eliminating these items from any site where their continued benefits are outweighed by their costs and risks.
    • Structuring nuclear security regulations to give operators incentives to reduce security costs by consolidating stocks of material.
    • Supporting efforts to help facilities convert from HEU to LEU fuel, and offering incentives for unneeded HEU-fueled reactors to close (such as support for research at other nuclear facilities).
    • Subscribing to the joint commitment on minimizing and eliminating stocks of civilian HEU (INFCIRC/912) for states that have not already done so.
    • Making commitments to reduce stocks of HEU and separated plutonium over time, maintaining stringent standards of security and accounting throughout the process.

    Interested states—perhaps working through the Nuclear Security Contact Group—should develop joint commitments on minimizing civilian uses of separated plutonium, and on consolidating non-civilian stocks to the smallest practicable number of locations, paralleling the statement on civilian HEU.

    The United States should continue its critical role in this effort, working to convince states to minimize the use of fissile material, the bulk processing, transport, and stocks of such material, and number of locations where nuclear weapons or fissile material exist. The United States should have a policy that it will take back, arrange for the elimination of, or assist in providing effective and sustainable security for all plutonium and HEU anywhere in the world. This would cover both a broader set of materials and a broader range of policy tools than existing U.S. programs (see discussion in the leadership section below).

    The IAEA can play a critical role in this work, supporting minimization efforts at the request of states as it has in the past, and serving as the custodian of INFCIRC/912 and its system of reporting on progress in minimizing civilian uses of HEU.

    Recommendation 2.6: Strengthen nuclear security organizational governance and incentives.

    To achieve effective nuclear security—in the five categories just described and others—people and organizations have to be motivated to act. The focus should be on continuous improvement toward excellence in performance. Multiple approaches to governance and incentives are likely to be needed.

    First, strong regulation is an essential element, setting out clear standards for nuclear security implementation and performance and requiring that they be met. Countries need to ensure that their regulations are designed so that compliance with them would lead to effectively performing nuclear security systems. And they need to ensure that their regulators have the authority, resources, expertise, and culture to design and enforce regulations appropriately.

    But the set of incentives needs to go beyond just regulatory requirements; as is often said, no one ever wrote a book called “regulate your way to excellence.” One important element is convincing organizational leaders and staff that the threat is real and protecting against it is important for their organization’s success and risk management. The briefings, reports, and incident analyses described above could be important contributors toward that objective, as would the training and other steps to strengthen security culture.

    In particular, nuclear security needs to be fully integrated into the risk management approach of each nuclear organization—something to be discussed regularly and managed actively by the CEO and the board of directors. It is part of the “duty of care” for each nuclear organization, the requirement to do everything a reasonable person would do to prevent catastrophe. This requires building a corporate governance approach to security that is focused on continuous improvement, and on scanning the industry for best practices that could help improve security.344

    Within organizations, leaders and managers have to set clear expectations for security performance, consistently reinforce the importance of security to the organization, and structure incentives so that good security performance is rewarded. The goal should be that not just the security force but all staff whose roles might relate to nuclear security are motivated to achieve ever-improving nuclear security performance.345

    Making nuclear security part of the organization’s risk management approach inevitably means integrating nuclear safety and nuclear security, addressing conflicts and seizing synergies between them. For nuclear activities subject to international inspections, or safeguards, both safety and security should be coordinated with safeguards as well.

    Recommendation 2.7: Ensure that all nuclear security management and staff are adequately trained for their jobs.

    None of the five key elements of nuclear security we identify in this report can be achieved reliably without competent, well-trained personnel. Ensuring that all “management and staff with accountability for nuclear security” are “demonstrably competent” is one of the key commitments of INFCIRC/869. States should provide thorough and well-evaluated training programs on all aspects of nuclear security, and require that key management and staff involved in nuclear security pass through such training and achieve certification. This can include participation in courses at national and international training centers, programs such as the WINS Academy, and more. Information on the evolving adversary threats to nuclear activities, and the need for nuclear security to address them, should be a major element of such training.

     

    Bolstering Frameworks for Nuclear Security Cooperation

    As noted earlier, each country with nuclear weapons, weapons-usable nuclear materials, dangerous radiological materials, or nuclear facilities that might be sabotaged is responsible for ensuring that they are effectively protected. But a variety of mechanisms for international cooperation and governance can help states fill that responsibility and give the world confidence that these items are secure. Nuclear security can be achieved more effectively working together than working in isolation. International agreements and initiatives are not ends in themselves, however; their purpose is to contribute to nuclear security improvements on the ground, and progress should not be measured by the number of countries that join an initiative but by how much real difference the initiative makes in reducing the risks of nuclear theft and sabotage.

    International governance mechanisms can play several important roles:346

    • Agenda setting and issue framing (starting processes, mobilizing actors and attention, identifying ideas for actions and the reasons for them);
    • Capacity building (mobilizing resources and providing ideas, training, equipment);
    • Norm creation and dissemination (establishing common expectations of appropriate conduct);
    • Standard setting (more precise, sometimes legally binding commitments);
    • Accountability, compliance, and adjudication (mechanisms for assessing performance in meeting norms and standards, encouraging compliance, and resolving disputes)
    • Coercive diplomacy and collective use of force.

    In nuclear security in particular, the first three of these roles for international institutions have contributed substantially to improved nuclear security around the world—from the forcing function provided by the nuclear security summits to the substantial improvements resulting from bilateral nuclear security assistance and cooperation to the improvements countries have made in response to recommendations, training, and reviews provided by the IAEA. The second three have been less prominent, as there are no binding international nuclear security standards; there are no agreed mechanisms for tracking nuclear security progress and the degree to which states are following international nuclear security norms; and there have been few recourses to coercive diplomacy and none to the use of force to address nuclear security concerns.347 The discussion below addresses each of the potential roles for international cooperation and governance that are most important for nuclear security.

    Finding 3.1: Existing frameworks for international cooperation in nuclear security each have useful roles to play, but the forums still available after the end of the summit process have so far proven insufficient for identifying and agreeing on next steps in nuclear security.

    As discussed earlier in this report, the five “action plans” laid out at the 2016 Nuclear Security Summit have not led to much action. Few of the items in the action plans have been accomplished, other than ones that were simply descriptions of what the organizations planned to do anyway. In the two years since the 2016 summit, there have been no further international nuclear security decisions, commitments, or initiatives, and only a tiny number of additional countries have joined on to any of the initiatives that came out of the summit process. The evolution of the global nuclear security framework appears nearly frozen. Overall, the remaining international mechanisms for agenda-setting and issue framing appear to be insufficient.

    In particular, while the IAEA is indisputably the principal international organization for nuclear security, the IAEA’s nuclear security work is tightly constrained by the politics of nuclear security among the IAEA member states. Many developing countries argue that each dollar spent on nuclear security is a dollar not spent on helping them use peaceful nuclear technologies, and are therefore reluctant to endorse more action. As a general rule, at the IAEA, most initiatives that do not have consensus support from member states do not move forward. As noted earlier, the IAEA’s international nuclear security meetings have been effective forums for international technical exchange, but not for decision-making—their ministerial statements have said very little.

    The nuclear security Contact Group and NTI’s “Global Dialogue” are perhaps the most promising remaining groups for international discussions of nuclear security commitment implementation and potential next steps. The Global Dialogue has been effective in generating ideas and inserting them into formal processes—but with no summit process for new ideas to feed into, the opportunity for influence is reduced. The Contact Group has focused primarily on implementation of commitments from the nuclear security summits and trying to spread those commitments more broadly. It has also discussed issues such as preparations for the 2021 conference to review the amended physical protection convention. Overall, however, it does not appear that either of these forums has yet succeeded in building much momentum for further international action on nuclear security.

    Recommendation 3.1: Establish an additional forum for discussing next steps in nuclear security at a senior level, and work to take maximum advantage of existing forums.348

    The record since the nuclear security summits suggests that an additional forum is needed, at a level senior enough to have a chance of influencing national nuclear security decisions. Interested countries should:

    • Create a nuclear security working group within the GICNT. Nuclear security is one of the GICNT’s core principles, but the initiative has never focused on nuclear security very much. The GICNT brings the key parties to the table: it is co-led by the United States and Russia (representing practically the only related area where the two still cooperate), has all but a few of the states with weapons-usable nuclear material or nuclear power plants participating, and is open to all states willing to endorse its principles. In activities such as its exercise program and its development of documents on topics such as nuclear forensics, it has shown it can function reasonably effectively. At its annual plenaries, it has shown it can draw Undersecretary or Deputy Minister-level participation, and in its early days key nuclear security experts—such as the commander of the force that guards Russia’s nuclear weapons—used to take part. A GICNT working group could be an important supplement to existing nuclear security frameworks, organizing activities, developing documents, and suggesting next steps to be pursued.
    • Alternatively, create a nuclear security working group of the G-20. The G-7 has long had a nuclear safety and security experts group, which discusses, among other issues, ongoing implementation of the Global Partnership Against the Spread of Weapons and Materials of Mass Destruction (launched at the Kananaskis summit in 2002). But without Russia, China, India, or a variety of other key players in managing weapons, energy, and materials, there is only so much a G-7-centered group can do. The G-20 membership, by contrast, includes the countries holding the vast majority of the world’s nuclear weapons, weapons-usable nuclear material, and nuclear energy (though the membership is narrower than the GICNT participants, leaving out countries such as Pakistan, Belgium, the Netherlands, and Israel, among others). Building a nuclear security working group of the G-20 would likely be more difficult than creating such a group in the GICNT, as the G-20 has traditionally been focused almost exclusively on economic issues, not security issues, and does not have an agreed set of principles related to nuclear security to build from.
    • Encourage India to move forward with its proposed summit on nuclear, chemical, biological, and other mass destruction terrorism. At his 2016 summit with U.S. President Barack Obama, Indian Prime Minister Narendra Modi announced that India would host a summit on preventing terrorism with weapons of mass destruction in 2018.349 There has been little progress toward organizing such a meeting, however, and it is now clear it will not occur in 2018. Nevertheless, as a public commitment from the Prime Minister, it seems likely to go forward, perhaps in 2019 or 2020.350 Like the nuclear security summits, such a gathering could provide a focused venue where leaders could discuss next steps, and a forcing deadline by which leaders would want to have progress to be able to announce. Focused on nuclear, chemical, biological, and other mass destruction terrorism generally, it would offer opportunities for more discussion of cooperation in areas such as sharing intelligence on terrorists’ efforts to acquire such weapons and ways to reduce their chances of recruiting relevant experts, as well as preventing them from gaining access to relevant materials. Hosted by a country Russia considers friendly, such a summit might draw Russia back into the global dialogue on these topics. Such a gathering could help revitalize the global nuclear security architecture.
    • Seek to make the upcoming review conference of the amended physical protection convention as focused and action-oriented as possible. The amendment to the physical protection convention, which entered into force in 2016, calls for a review conference within five years (slated for 2021). Many treaty review conferences accomplish little—but there is at least the potential for a conference that could make a major contribution to the nuclear security agenda, if interested states work with the IAEA to produce a conference that focuses specifically on steps states have taken to meet the physical protection convention’s requirements and on next steps that should be taken.351 For example, states with interests in particular issues, such as security culture, insider threat protection, or security for military stocks (referenced in the convention’s preamble) could form working groups that could prepare reports for the full conference, and possibly develop new voluntary commitments. Interested states could voluntarily prepare detailed reports on their approaches to nuclear security for discussion at the conference—similar to the reports on nuclear safety measures that states prepare for discussion at review conferences for the Convention on Nuclear Safety (CNS). Over time, a norm of detailed reporting with discussion of the reports—the focus of CNS review conferences—might develop. Since one of the “fundamental principles” in the amended convention is that states must base their nuclear security approaches on their current evaluation of the threat, the review conference could include a discussion of the current threat environment and how it is evolving. Indeed, one approach would be for the review conference to have sessions or working groups focused on each of the fundamental principles of physical protection laid out in the convention, exchanging good practices on how these principles can best be implemented.
    • Work with the IAEA to revise the approach to its nuclear security conferences so that there is actual discussion of proposed initiatives at the ministerial meetings. At the IAEA’s nuclear security conferences in 2013 and 2016, the IAEA gathered ministerial-level representatives from countries all over the world, but there was little discussion beyond each making a brief formal statement. For future meetings, interested states should work with the IAEA to build a more functional approach, in which ministers could actually discuss key nuclear security issues with each other, perhaps using some of the tactics to enhance discussion developed at the different nuclear security summits.
    • Once a year, hold a meeting of the Nuclear Security Contact Group at the level of deputy ministers. The Nuclear Security Contact Group established at the 2016 nuclear security summit is perhaps the most active and focused international forum remaining for states to discuss next steps in nuclear security—from expanded and strengthened implementation of existing commitments and initiatives to potentially developing new steps. Without the driving deadlines and access to the highest levels of authority provided by the summits, however, the pace of accomplishment in the Contact Group has been slow. It would make sense, perhaps once a year, to elevate the discussion in the Contact Group to a higher political level, perhaps bringing deputy minister-level officials together to move the nuclear security agenda forward.

    Whatever forums are established for such broad international discussions, however, bilateral discussions are likely to remain essential. As discussed below, such bilateral discussions have in the past often been the most successful in addressing difficult and sensitive nuclear security issues, though they may not be able to achieve as much in the future as they have in the past.

    Finding 3.2: Existing international nuclear security agreements, commitments, and recommendations are important, but a focus on genuinely effective implementation is needed for them to help to effective nuclear security.

    Today, there are no binding international agreements that specify how secure nuclear weapons or the materials needed to make them should be. The CPPNM and its 2005 amendment have only very broad requirements, such as that states should base their security measures on their current evaluation of the threats they need to protect against. As noted above, UNSCR 1540 requires all states to provide “appropriate effective” security and accounting for any nuclear weapons or related materials they have, but there is no agreement on what key elements must be in place for a nuclear security system to be genuinely effective in protecting against the range of plausible threats that adversaries might pose.352 IAEA nuclear security recommendations are more specific, but still worded in very broad terms. They recommend, for example, that certain areas have fences, but say nothing about how difficult these fences should be to get over or through. The most important group commitment or “gift basket” from the nuclear security summit process—now known as INFCIRC/869—is also not very specific, committing participants to implement the “intent” of IAEA nuclear security recommendations.

    Recommendation 3.2: Launch a new initiative in which states with weapons-usable nuclear material commit to implement a range of key nuclear security steps, while continuing to work to expand participation in existing agreements and commitments and ensure they are implemented effectively.

    While the absence of nuclear security summits will surely make major new initiatives more difficult, it is still worth attempting to bring interested states together to build a new commitment to stringent principles of nuclear security. Such a commitment should be specific enough to form a basis for action (and for discussions of whether commitments are being met), but broad enough to allow each participating country to implement nuclear security in its own way, as the best approach varies with the threat environment, site specifics, national regulatory environment and culture, and more. As outlined in more detail in our previous report, such a joint statement might include commitments to:

    • ensure that all stocks of nuclear weapons and weapons-usable nuclear materials, or nuclear facilities whose sabotage could cause a major disaster, are protected against the full range of outsider and insider threats that each country’s intelligence agencies judge to be credible;
    • provide well-equipped, well-trained, professional armed guard forces on-site;
    • put in place comprehensive protections against insider threats;
    • carry out regular, realistic assessments and test of nuclear security performance;
    • require operators to have programs to assess and strengthen their organization’s security culture; and
    • consolidate nuclear weapons and weapons-usable material to the minimum practicable number of locations.353

    In the absence of such new commitments, there is a great deal to be done to strengthen implementation of existing commitments—both by expanding the number of participants and by ensuring effective implementation. The United States, other interested countries, the IAEA, and industry and civil society organizations should all be working to convince additional states to sign up to key nuclear security treaties, such as the physical protection convention (with its 2005 amendment and the nuclear terrorism convention. They should also be working hard to convince additional states to take part in the joint commitments on nuclear security that originated in the summit process but are now open to all—particularly INFCIRC/869 (strengthening nuclear security implementation), INFCIRC/908 (insider threat protection), INFCIRC/912 (HEU minimization) and INFCIRC/910 (security for high-activity radiological sources).354 And as described above, they should be working hard to move these commitments from broad words on paper to effective nuclear security actions on the ground, through national actions, bilateral cooperation, and international discussions.

    In particular, governments, the IAEA, and civil society organizations should work to track participation in these agreements and commitments, and actions taken to meet their objectives—to give countries and operators credit for positive actions, to hold accountable those who are not yet taking needed actions, and to identify areas where more work is needed.

    Finding 3.3: Finding a path to renewed nuclear security cooperation with Russia will be important to achieving effective global nuclear security.

    As noted earlier in this report, Russia suspended nearly all cooperation with the United States on nuclear security in late 2014 (in response to U.S. sanctions responding to Russia’s intervention in Ukraine, which included cutting off nuclear energy cooperation).355 Russia did not participate in, and heavily criticized, the 2016 nuclear security summit. Later in 2016, Russia withdrew from or suspended its participation in several other nuclear-security related arrangements.356

    Finding a path to a reformed approach to U.S.-Russian nuclear security cooperation would be important for U.S. security, Russian security, and world security. Russia has the world’s largest stockpiles of nuclear weapons and weapons-usable nuclear materials, dispersed in the world’s largest number of buildings and bunkers. As discussed earlier in this report, Russia, with cooperation from the United States and others, has dramatically strengthened nuclear security compared to the 1990s, but some important weaknesses remain, and whether Russia will sustain an effective nuclear security system for the long haul remains uncertain.357 Russian experts and U.S. experts have more experience in securing nuclear stockpiles than anyone else in the world; their ideas are different and in some cases complementary, meaning that nuclear security in each country would benefit from expert-to-expert exchange with the other. U.S.-Russian cooperation is important to agenda-setting, to capacity-building, and to norm-building. As Siegfried Hecker put it simply: “Isolation increases the risks of catastrophe.”358

    Today, there is a crisis in U.S.-Russian relations. The United States and Russia each see each other as threatening their core interests. But in the past, it has been possible to work together to achieve common interests even in times of extreme tension: for example, half a century ago, as war raged in Vietnam, U.S. and Soviet negotiators co-chaired the negotiation of the NPT, which was opened for signature shortly before Soviet tanks crushed the Prague Spring. Surely it should be possible today to return to the fundamental principle of cooperating where the United States and Russia share common interests, even as the two countries compete, negotiate, and in some cases confront each other where their interests clash.

    Recommendation 3.3: The United States and Russia should find ways to launch reformed, partnership-based approaches to nuclear security cooperation, and broader cooperation among nuclear experts.

    The United States and Russia are not going to return to the assistance-focused Nunn-Lugar cooperation of the past, which is no longer needed or appropriate. Instead, they should launch a new approach based on fully equal participation, with each side paying its own way.

    For example, the two sides should agree to carry out joint R&D on new technologies that could provide better nuclear security more cost-effectively. They could agree to joint ownership of the resulting intellectual property, so that each side could manufacture resulting technologies for use in its own complex, and they could share in marketing those results in other countries, providing a commercial incentive for pursuing the work.359 Effective R&D would require at least general discussions of the threats each side perceived to its nuclear material and facilities, current approaches to countering those threats, and how new technologies could help, which would offer each side additional insight into how the other side thought about and implemented nuclear security.

    In addition, the two sides should form joint working groups to discuss good practices in key areas of nuclear security, including each of the five key areas described above, as well as areas such as regulation and training that are needed to ensure progress in those five areas.360

    Finally, building on their still-continuing cooperation to repatriate Russian-supplied HEU to Russia, the two sides should work together on nuclear security in third countries, from helping to secure radiological sources to ensuring that newcomer countries building their first reactors have effective security measures in place.

    The Russian government has indicated that it would be willing to return to nuclear security cooperation, but only as part of a broader set of cooperation that included work on nuclear energy as well. Fortunately, reversing the Obama-era decision to cut off nuclear energy cooperation with Russia would also serve U.S. interests, giving U.S. nuclear energy researchers access to the ideas, data, and test facilities Russia’s nuclear complex has to offer. Indeed, some U.S. commercial firms would like to test new fuel concepts in Russia’s test reactors (Russia has a fast neutron test reactor, unavailable in the United States).

    There are also opportunities for mutually beneficial cooperation in nuclear safety, nuclear cleanup, nuclear science. The two governments should restart lab-to-lab cooperation in these areas, and in other mutually beneficial areas such as verification and counterterrorism technologies.361

    All of these initiatives would get U.S. and Russian nuclear security experts working together again, exchanging ideas, discussing problems, and building personal relationships that can be crucial in overcoming obstacles to progress. They would contribute to predictability and transparency, giving each side greater insight into the thinking, activities, and security approaches in the other’s nuclear complex. Fundamentally, at present, the world’s two largest nuclear complexes are preceding in total isolation from each other and are not working together to reduce nuclear dangers. That situation is a danger to the United States and to the world, and it is time to act to resolve it.

    Finding 3.3: Bilateral cooperation is likely to continue to be more effective than multilateral initiatives for addressing security for the most sensitive stockpiles, but bilateral cooperation may not be as effective in the future as it has been in the past.

    While nuclear security summits and other multilateral initiatives have led to many nuclear security improvements in many countries, it is difficult to make the case that they have had any substantial effect on, for example, the security for U.S., Russian, Pakistani, Indian, or Chinese military stockpiles, or even on security for civilian stocks and facilities in these countries or in some non-nuclear-weapon states, such as Belarus. For these especially sensitive stocks, bilateral cooperation has been the international community’s most effective path to nuclear security improvements. The United States has invested billions of dollars in bilateral nuclear security capacity-building programs with dozens of countries. Other countries have also invested in bilateral cooperation (or, in a few cases, three-party cooperation), though on a much smaller scale. These programs have led to substantial nuclear security improvements in many countries—though whether all of them will be sustained when foreign funding is no longer available remains uncertain.

    The most dramatic improvements such bilateral cooperation can plausibly make are already done, however. The nuclear security benefits of such cooperation in the future are likely to be real but subtler and harder to measure. Today, countries with major nuclear stocks or facilities generally have the money, technologies, and people needed to provide effective security if they choose to make doing so a priority. Hence, as discussed elsewhere in this report, future cooperation in most cases will focus less on the United States paying to install equipment and provide training, and more on convincing states to do more themselves and advising on how best to do it. This will not require as much funding as past cooperation, but it will require a substantial number of people traveling to relevant capitals and nuclear facilities, persistence, and bringing a “whole of government” approach to giving countries incentives to move in the right direction on nuclear security (including steps to counter complacency, discussed above).

    Recommendation 3.4: Pursue bilateral cooperation with all willing states with nuclear or radiological materials and facilities whose security affects U.S. interests, focused on convincing countries to do more themselves and advising them on how best to do it.

    There are still over 20 countries with nuclear weapons or weapons-usable nuclear material on their soil. Over 30 countries operate nuclear reactors, and scores of countries use radiological sources which could pose a danger if stolen and used by terrorists for “dirty bombs.” The United States should seek to work with as many as possible of these states to convince them to put in place and sustain effective nuclear security measures. Priorities should be set based on the overall risk to U.S. national interests posed by a particular facility or stock of nuclear or radiological material, and the degree of opportunity to make a difference in reducing that risk.

    The U.S. government should seek to work with these countries in each of the five priority areas for nuclear security implementation described above, as well as in areas such as effective regulation and training that are likely to be required to make and sustain progress in those areas. While future nuclear security cooperation is likely to cost significantly less than past programs that focused on U.S. funding for installing major equipment, in-depth engagement with dozens of countries in each of these areas would be a substantial effort, requiring significant funding and personnel, as discussed below.

    Finding 3.4: Bilateral cooperation, cooperation among groups of interested states, cooperation through international organizations, industry-level cooperation, and cooperation among civil society organizations all have potentially important roles to play in strengthening nuclear security.

    A wide range of types of cooperation have contributed to strengthening nuclear security in the past, and are likely to do so in the future. The nuclear security summit process, for example, included meetings among heads of state—but it also included industry summits and summits of non-government and academic organizations working to improve nuclear security. Government, industry, and civil society all have important roles to play in nuclear security, from implementing security on the ground to assessing progress and identifying next steps.

    Recommendation 3.5: Continue to strengthen nuclear security efforts by states, industry groups, and civil society organizations, and cooperation among them.

    State-level cooperation on nuclear security is discussed extensively above. But expanded cooperation among nuclear operators—both private and state-owned—and among civil society organizations is also needed.

    Industry. At the 2016 Nuclear Industry Summit, the participating nuclear industry organizations announced the formation of the NISGS.362 As noted elsewhere in this report, the industry is working to reinvigorate this group under new leadership. It should continue to do so, working to build cooperation that can encourage and help operators to achieve excellence in each of the five areas discussed in this report, and others.

    Civil society. The Fissile Materials Working Group (FMWG), established in the lead-up to the first nuclear security summit, is the principal international coalition of non-government and academic organizations working to strengthen nuclear security.363 While the FMWG has continued its activities after the end of the summits, as with the industry grouping, the reduction in high-level attention after the summits has led to reduced focus among civil society organizations. The FMWG and its member organizations should work to reinvigorate their efforts, suggesting ideas for next steps in nuclear security, assessing progress, educating legislatures and the public, and pushing national governments for action. In particular, it is important to identify and support local nuclear security “champions” who can knowledgeably press for action in their own countries. Finding means to sustain ongoing media attention to nuclear security is also important.

    Finding 3.5: Improved approaches to sharing information, reporting on steps taken, and building accountability could help in assessing and accelerating nuclear security progress.

    As the saying goes, “you get what you measure.” As long as nuclear security lacks clear measures of progress, improvements will be slower than they would otherwise be. Moreover, all states have a security interest in ensuring that states with nuclear weapons and the materials needed to make them secure these items appropriately—but there are few mechanisms available for them to be assured that this is the case.

    Unfortunately, today there are no agreed measures of nuclear security progress and no consistent means of reporting or assessing nuclear security steps states or organizations have taken. Most nuclear security activities take place in secrecy, to avoid giving information about the security measures in place to adversaries who might try to defeat them.

    But there is a great deal of information that could be shared without in any way helping adversaries. Sharing more information, in ways that genuinely built confidence in the effectiveness of security measures in place, could help in holding states and operators accountable for nuclear security progress and in identifying next steps to be taken.364

    Recommendation 3.6: Establish an experts group to work out approaches to providing information about nuclear security progress that would build real confidence without unduly compromising sensitive information.

    Key elements of such an approach should include:

    • Reports. The experts group should develop regular, consistent approaches for states to report on the nuclear security measures they have taken, challenges that have come up, and how those challenges were addressed. These could be similar, for example, to the fairly detailed reports countries provide on the steps they have taken to ensure nuclear safety—though with some obvious differences to protect genuinely sensitive information.365 Although the CPPNM and its 2005 amendment do not require such detailed national reports, there would be nothing preventing a group of states from publishing such reports and encouraging other states to do likewise. If a group of leading countries began providing such reports regularly, it could increase the pressure on others to do the same.
    • Peer reviews. Regular, independent reviews of nuclear security arrangements—by international teams where possible, or by teams of experts from other sites within a country where necessary. Such reviews should include actual visits to key facilities and discussions with the people there, which can provide insights not available from simply reviewing regulations in capitals. International reviews could be led by the IAEA (as in IPPAS reviews), by a state partner in technical cooperation, by a nuclear supplier, by industry organization established for this purpose (on the model of the World Association of Nuclear Operators, WANO, in the area of safety), or by others. The states participating in INFCIRC/869 commit to hosting peer reviews “periodically.” Such reviews should occur at least every 3-4 years.
    • Publications. Publication of at least general information about nuclear security regulations and requirements and about the kinds of inspections and tests used to ensure that nuclear security systems are effective and are meeting the requirements. This should include at least broad descriptions of the kinds of threats operators are required to protect nuclear weapons, HEU, or separated plutonium against—for example, confirming that these threats include a group of well-armed and well-trained outsiders, an insider, and a broad range of possible tactics and approaches.366 It should also include at least general information about how well its operators performed on inspections and tests (for example, for years, DOE published the percentage of its sites that had been rated in the highest category in its security inspections, with fairly detailed descriptions of what items were included in these inspections). If other countries knew that a country required operators to protect nuclear weapons, HEU, and separated plutonium against a robust range of potential adversary threats; understood the inspection and testing program used to confirm that operators were meeting these requirements; knew that a large fraction of the facilities had been shown in inspections to meet these standards; and understood that thorough and effective corrective actions were taken in response to any weaknesses identified, this could increase confidence in nuclear security substantially.

    In addition to publications, there is likely to be information that countries might be willing to exchange confidentially with one or a few other states, or with the IAEA, that they are not willing to make public. There may be a need for alternative measures for stocks that states judge to be particularly sensitive. In particular, it is unlikely that states will invite IAEA-led reviews of security for their nuclear weapons or military nuclear materials (and given the IAEA’s civilian mandate, there is some doubt about whether it could realistically respond to such a request). States that have such stocks should work together to develop ways to provide assurance that they are protecting them effectively, including developing approaches to exchanging peer reviews of defense-oriented sites. Operators need to build confidence with local communities and other stakeholders, just as they need to build confidence in safety. Nuclear operators should engage with a full spectrum of stakeholders, protecting genuinely sensitive information but providing other information to build confidence in the effectiveness of security implementation.

    As an early step, both toward improved accountability and toward improved spread of best practices, the United States and other interested countries should work with the IAEA to expand its capacity to implement IPPAS missions; should work to expand the number of countries making regular use of the IPPAS service; and should invite IPPAS missions at sites with substantial stocks of nuclear material, as the UK did when it hosted an IPPAS mission at the huge plutonium store at Sellafield. In particular, the United States should host an IPPAS mission at the plutonium store at Savannah River—where two tons of plutonium is already under IAEA safeguards in any case—and should encourage Russia, India, Pakistan, and other countries with significant stocks of weapons-usable nuclear material who have not yet hosted IPPAS missions to do. Over time, hosting regular IPPAS missions should become a normal part of the nuclear business, just as hosting international peer reviews of nuclear safety already is.

     

    Sustaining Nuclear Security Leadership

    Finding 4.1: Major progress in nuclear security will require sustained high-level leadership—and U.S. leadership in particular will continue to be essential, despite the increasing leadership role played by others.

    For decades, each important step forward in nuclear security has occurred because some leader focused in a sustained way on making it happen. Ongoing leadership is needed to generate ideas for next steps, to organize and finance nuclear security activities, and to muster incentives and diplomatic muscle to convince states and organizations to act.

    As discussed elsewhere in this report, despite the changing U.S. role and increases in leadership from other countries, U.S. leadership is likely to remain central to nuclear security progress. The United States remains the world’s most powerful country; it has one of the world’s largest nuclear complexes and some of the world’s most extensive experience in nuclear security; it has been a forceful advocate of many of the existing nuclear security institutions and initiatives; and it has some of the world’s most stringent nuclear security rules and likely the world’s highest nuclear security spending. Without a sustained, focused U.S. effort, it is likely that global nuclear security efforts will slow further and eventually stagnate.

    Recommendation 4.1: Focus sustained, high-level attention on strengthening nuclear security.

    Occasional public statements on the importance of nuclear security are helpful, but they are not enough. Governments need to focus sustained high-level attention on overcoming the obstacles to improved nuclear security. This is difficult to do, since the state of nuclear security rarely pushes itself onto the front pages, and many other urgent issues compete for policymakers’ attention. The best approach to sustaining attention is to institutionalize the issue, with a senior official or office for whom nuclear security is a major part of their day-to-day mission. The United States should take that approach and encourage other interested countries to do likewise.

    Recommendation 4.2: Develop a comprehensive U.S. government plan for achieving effective and sustainable security for nuclear stocks worldwide and should assign a senior official to take full-time charge of the effort.367

    President Eisenhower once remarked that “plans are worthless, but planning is everything.”368 He meant that, in battle or in public policy, things rarely work out as previous plans specified—but the process of developing a plan and thinking through the problems to be addressed helps immensely in being able to react “intelligently,” as he put it, to events as they unfold.

    U.S. nuclear security programs need a compelling vision of the objective they hope to reach, a strategic plan for achieving that vision, and clear indicators that can be used to assess their progress. And they need resources and consistent, focused support from the highest levels of the U.S. government. Without those things, there is a real danger that global nuclear security initiatives will continue to lose momentum; indeed, without robust U.S. nuclear security programs, nuclear security in a number of countries may begin to degrade, leading to new dangers. Building on existing efforts, the U.S. government should prepare a comprehensive plan focused on continuous improvement toward the ultimate goal of effective and sustainable security for all of the world’s stocks of nuclear weapons, HEU, and separated plutonium and all of the nuclear facilities whose sabotage could cause a major catastrophe, whether military or civilian.369 Where there seems little chance of cooperating to improve security of a particular stock—such as in North Korea—the plan should include alternative steps to mitigate the security risks. This plan should be developed and implemented as a whole-of-government effort, led from the White House, as success will require efforts by technical experts, intelligence agencies, diplomats, program managers, and more.

    As noted earlier, in the new era of nuclear security, the main focus of U.S. efforts should be on convincing other countries to strengthen their own nuclear security arrangements, and advising them on how to do it. That approach is equally applicable whether a country is wealthy or not. There may be as much to be done in Belgium and Japan as in South Africa or Kazakhstan.

    The new approach should draw on the best of past experience. For example, the United States has long held quiet discussions of nuclear security approaches and best practices with countries such as France and Britain—in some cases contributing to substantial improvements.The nuclear security Centers of Excellence that several countries are establishing have provided a focus for providing best practices and understanding of modern equipment and approaches, and a forum for expert discussions. Over time, with groups of local experts focused on nuclear security, they may become champions for improving nuclear security in their own countries and regions.

    Indeed, the new approach should focus on learning by doing, regularly assessing what is working and what is not, and making adjustments accordingly. The approach should be comparable to that called for in the Trump administration’s strategy for combating terrorism:370

    [W]e must rigorously monitor and assess our effectiveness and adjust operations accordingly. Annual independent strategic assessments informed by research, intelligence, and analysis will ensure that we are making measurable progress toward our strategic objectives. These assessments will identify the impediments to our effectiveness and recommend adjustments to the strategy to outpace dynamic adversaries. They will also ensure that our progress is sustainable as we continue to address the full range of contemporary national security challenges.

    The nuclear security plan should be prioritized based on two factors: (a) the degree of risk posed by each stock of material—determined by the quantity and quality of the material, the quality of the security in place for it, and the severity of the potential adversary threats in the area where it exists—and (b) the scope of the opportunity for reducing that risk, ranging from countries that may be totally unwilling to work with the United States to countries that are eager to do so. The plan should include indicators of progress toward the overall objective, and mechanisms for learning from both successes and failures, reacting to obstacles as they arise, and adjusting course accordingly.

    Finally, the U.S. government should designate a senior official who is in charge of leading and coordinating the nuclear security effort throughout the government. Past experience suggests that plans without officials accountable for implementing them (and with the resources and authorities needed to do so) contribute little to progress; they tend to gather dust on shelves.

    Recommendation 4.3: Under the comprehensive plan just described, revitalize U.S. international nuclear security programs, seeking to work with all countries with nuclear weapons, HEU, separated plutonium, or major nuclear facilities that might be sabotaged to convince them to put effective and sustainable nuclear security measures in place, focusing on the five key areas of nuclear security outlined above.

    As an investment in U.S. national security against the threats of nuclear and radiological terrorism, the U.S. government should expand and revitalize its international nuclear security programs, with broader objectives and more money and personnel to accomplish them. An expanded nuclear security effort should seek to be comprehensive, closing, to the extent possible, key gaps that now exist in U.S. nuclear security programs, described earlier in this report.

    Such an expanded effort should include expanded funding in the range of $10-$20 million for each of the first four of the five key areas discussed in this report:

    • Ensuring protection against the full spectrum of plausible threats. This could include discussing countries’ approaches to their DBT, working with countries that have not established such a DBT to help them do so, exchanging unclassified threat information, holding workshops with experts from each country, and having teams review the adequacy of security against a range of threats.371
    • Putting in place comprehensive, multilayered protections against insider threats. This could include in-depth exchanges on good practices in insider threat protection, workshops, help with appropriate vulnerability assessments, and peer review by expert teams.
    • Establishing targeted programs to strengthen nuclear security culture. This could include working with both regulators and operators to ensure that each operating organization has an effective program in place to strengthen its security culture, including regular security culture assessments to identify strengths and areas that still need improvement. Here, too, best practice exchanges, workshops, and peer reviews of approaches might be among the techniques used. As security culture in an organization is inevitably part of broader national culture, specifics of the best approaches are likely to vary from one country to another.
    • Instituting effective, regular vulnerability assessments and performance testing. Many countries have very limited experience with in-depth vulnerability assessments that probe for ways adversaries might be able to defeat the security system, or with realistic testing of the security system’s ability to provide protection in the face of intelligent adversaries trying to overcome it—including “force on force” exercises. Through workshops, peer observation of such activities in the United States, training, and description of approaches that have been effective, the United States can work with regulators and operators around the world to make these practices much more widespread.

    A larger expansion of funding—perhaps in the range of $100 million initially—could be devoted to expanding efforts in the fifth key area discussed in this report, consolidating nuclear weapons and materials to the minimum practical number of locations.

    In addition, the United States and other countries should consider providing something in the range of $10 million per year to expand the IAEA’s nuclear security peer review program. As described earlier in this report, the IAEA only conducts a handful of IPPAS missions each year. To make such peer reviews a regular part of doing business in the nuclear world would require a substantially larger number of annual missions.372 Such an initiative could also fund other peer review teams for sensitive stocks that countries were unwilling to have reviewed by an IAEA-led team.

    Recommendation 4.4: Provide the budgets and people needed to implement the nuclear security plan, so that improvements that could significantly reduce the risk of nuclear terrorism are never slowed for lack of money or people.

    As documented earlier in this report, for years, budgets for nuclear security and the teams of people assigned to implement nuclear security projects have been shrinking. These budget and personnel cuts have now gone too far. Current budgets and staffs may be enough to implement the limited programs now contemplated—but they are not enough to implement a truly comprehensive approach that uses a full suite of policy tools to address the full set of weapons and materials in the full set of countries that create the risk to U.S. and world security. The Trump administration and the Congress should work together to ensure that both the funding and the personnel available for nuclear security programs are sufficient so that efforts that could genuinely reduce the risk of nuclear terrorism are never slowed by lack of funding or lack of people to seize available opportunities or explore possibilities for new ones. In particular, the budgets for NNSA’s nuclear security programs should be increased to something in the range of the fiscal year 2016 (FY16) level of $513 million, compared to the FY19 request of $328 million. Congress should then direct the administration to submit funding and staffing requests sufficient to implement the comprehensive nuclear security plan, once it is developed.

    Recommendation 4.5: Lead by example, implementing at home the nuclear security proposed for other countries.

    As discussed earlier in this report, it is not likely to be effective for the United States and other countries advocating strengthened nuclear security measures to say, in effect, “do as I say, not as I do.” Overall, in considering nuclear-security related initiatives within the United States, the U.S. government (including the NRC) should consider not only the benefits and costs for reducing risk within the United States, but also the likely impacts on efforts to reduce risks of nuclear theft and sabotage elsewhere.

     

    Beyond Nuclear Security

    In addition to nuclear security—the focus of this report—there are a range of additional steps that should be taken to reduce the risk of nuclear terrorism. Preventing nuclear terrorism requires a multifaceted, cooperative, international effort.373

    Countering High-Capability Terrorist Groups

    Only a tiny number of the highest-capability terrorist groups with the most extreme objectives pose any serious risk of choosing to try to get or make nuclear weapons and succeeding in the attempt. Focused efforts to disrupt and destroy these groups—and to detect and stop any nuclear, chemical, biological, or radiological plots they may be pursuing—are essential parts of the overall effort to prevent nuclear terrorism.

    Such efforts have had significant successes in the last two decades. Osama bin Laden—who was not only al Qaeda’s leader, but a key driver of their nuclear ambitions—is dead, and the core of al Qaeda is a shadow of its former self. The geographic caliphate of the Islamic State has largely been defeated, and some of its top leadership killed. After the 9/11 attacks, a focused intelligence effort succeeded in finding and stopping multiple terrorist conspiracies focused on getting nuclear, chemical, or biological weapons.374

    Unfortunately, as described earlier in this report, both al Qaeda and the Islamic State now have significant operations in many countries, and a nuclear plot could have a small footprint that was difficult to detect. Interested countries should rebuild the kind of proactive intelligence effort to go out and look for evidence of possible nuclear, chemical, biological, or radiological activities that once existed. Countries—and in particular the United States and Russia—should expand police and intelligence cooperation targeted on identifying and countering groups with nuclear aspirations and intercepting nuclear smuggling. And continued efforts are needed to convince people who might provide expertise to terrorists not to do so—ranging from building strong norms against such behavior in relevant technical communities to strong and well-enforced criminal laws (as required by UNSCR 1540, and by the nuclear security conventions).

     

    Stopping Nuclear Smuggling

    Once a nuclear weapon or weapons-usable nuclear material has been stolen, it could be anywhere, and all the later lines of defense are variations on looking for needles in haystacks. Nevertheless, the thieves would still have to figure out how to transfer it to terrorists, with whom the thieves might have no initial connection; the thieves, the terrorists, or middlemen between them would have to figure out how to get it to whatever location the terrorists were planning to use to figure out how to make it into a bomb (or figure out how to detonate a stolen weapon); and then it would have to be transported to the eventual target. Each of these stages is potentially susceptible to government action to stop it.

    Good police and intelligence work is central to such government efforts—and has been the key factor in the successes to date in seizing stolen HEU or plutonium. All countries who believe they could be source or transit states for such stolen items should have counter-nuclear smuggling teams trained and equipped to deal with such cases.

    Radiation detection is also important, making it more difficult for nuclear smugglers to move their materials and potentially forcing them toward higher-risk pathways where they are more likely to be caught.375 Countries should continue to strengthen their radiation detection capabilities, both fixed and mobile—particularly to the extent new technologies make it possible to detect shielded HEU, which most detectors in place today would have little chance of noticing. But the myriad pathways by which nuclear items might be smuggled, the huge size of countries and enormous length of their borders, the weak radiation and small size of weapons-usable nuclear material (which would fit in a briefcase), the huge and varied legitimate traffic across national borders, and the many areas of the world with little control over border crossings or of areas within countries all conspire to make the job of detecting smuggled nuclear material extremely challenging.

     

    Preventing State Supply

    Some analysts worry that hostile states such as North Korea, or Iran (if it someday produced HEU or separated plutonium) might give or sell nuclear weapons or weapons-usable nuclear materials to terrorists. North Korea did, after all, transfer a plutonium production reactor to Syria (later bombed by Israel). But transferring a nuclear weapon or the materials needed to make one to an uncontrollable terrorist group would be a very different thing. Terrorists might use a nuclear weapon to destroy a city—an act that might be traced back to the government that provided the material and provoke retaliation that would remove them from power forever. For regimes bent on maintaining their control, this seems an unlikely risk to take. Conscious state decisions to transfer nuclear weapons or materials to terrorists cannot be ruled out, but likely contribute only a small portion of the overall risk of nuclear terrorism.376

    Nevertheless, states should take steps to reduce this risk still further, making clear that any state that took such an action would face overwhelming consequences; limiting North Korea’s opportunities for unscrutinized exports as much as possible (important in any case for sanctions implementation); and investing in nuclear forensics and other means to maximize the chance of identifying where nuclear material might have come from, either before an attack or afterward.377

    In the case of North Korea, two scenarios are both more likely than conscious regime decisions to provide nuclear weapons or materials to terrorists: a senior insider stealing a weapon or the materials to make one to sell (particularly once there was enough material that some could be removed without detection), and state collapse. Negotiations to limit North Korea’s program could cap the growth of material stocks and end bulk processing of material, making theft at least somewhat less likely—though attention needs to be given to the fate of large numbers of nuclear experts who may be unemployed or underemployed after such a deal, some of whom might still have sensitive access. The dangers of the collapse scenario are very real and difficult to mitigate—but the United States, South Korea, and China should be planning for what they would each do to reduce these risks in various different collapse scenarios.

     

    Strengthening Preparations for Emergency Response

    Finally, as horrific as the damage from a nuclear bomb going off in a city would be no matter what had been done to prepare, preparation for emergency response can save many lives should such a catastrophic event occur. Moreover, better preparation for a wide range of other potential emergencies—from terrorists seizing a nuclear reactor to intelligence revealing that stolen HEU or plutonium was on the road in a particular area to information leading to finding a terrorist nuclear bomb before it went off—could strengthen national and international response. States should put in place, and regularly exercise, appropriate emergency response capabilities and protocols for cooperating internationally as needed.378

     

    Revitalizing Nuclear Security

    Nuclear security around the world has improved dramatically over the last three decades—which demonstrates that with focused leadership, major progress is possible. But important weaknesses remain, and the evolution of the threat remains unpredictable—as the Islamic State’s sudden seizure of much of Iraq and Syria in 2014, when the U.S. Director of National Intelligence had not mentioned the group in his summary of threats to U.S. national security in January of that year, makes clear. The danger that terrorists could get and use a nuclear bomb, or sabotage a major nuclear facility, or spread dangerous radioactive material in a “dirty bomb,” remains too high. The United States and countries around the world need to join together and provide the leadership and resources needed to put global nuclear security on a sustained path of continuous improvement, in the never-ending search for excellence in performance.

    Notes

    ↑ Table of Contents

     

    1  Nuclear Posture Review (Washington, D.C.: Department of Defense, 2018), https://media.defense.gov/2018/Feb/02/2001872886/-1/-1/1/2018-NUCLEAR-POSTURE-REVIEW-FINAL-REPORT.PDF (accessed October 29, 2018), p. 66.

    2 The phrase “nuclear security” means many different things to different people. In this report, we use it to mean the actual security and accounting measures that help protect nuclear weapons, nuclear materials, nuclear facilities, and nuclear transports from theft or sabotage.

    3 “Nuclear Security Summit Communique,” April 1, 2016, https://www.belfercenter.org/sites/default/files/legacy/files/nuclearmatters/files/nuclear_security_summit_2016_communique.pdf?m=1460469255 (accessed October 29, 2018).

    4 Nuclear Threat Initiative and Economist Intelligence Unit, NTI Nuclear Security Index: Theft/Sabotage: Building a Framework for Assurance, Accountability, and Action, 4th Edition (Washington, D.C.: NTI, 2018), https://ntiindex.org/wp-content/uploads/2018/08/NTI_2018-Index_FINAL.pdf (accessed November 1, 2018), p. 6.

    5 See, for example, Nuclear Threat Initiative and Economist Intelligence Unit, NTI Nuclear Security Index: Theft/Sabotage; Sara Z. Kutchesfahani, Kelsey Davenport, and Erin Connolly, The Nuclear Security Summits: An Overview of State Actions to Curb Nuclear Terrorism 2010–2016 (Washington, D.C.: Arms Control Association and Fissile Materials Working Group, 2018), https://www.armscontrol.org/sites/default/files/files/Reports/NSS_Report2018_digital.pdf (accessed November 1, 2018).

    6 The NTI Nuclear Security Index provides helpful overall nuclear security ratings for different countries, but these are based on assessing whether particular types of rules are or are not in place; they do not attempt to assess the on-the-ground effectiveness of nuclear security implementation. See Nuclear Threat Initiative and Economist Intelligence Unit, NTI Nuclear Security Index: Theft/Sabotage: Building a Framework for Assurance, Accountability, and Action.

    7 See, for example, the measures in Matthew Bunn, Securing the Bomb 2010: Securing All Nuclear Materials in Four Years (Cambridge, Mass.: Project on Managing the Atom, Belfer Center for Science and International Affairs, Harvard Kennedy School, and Nuclear Threat Initiative, 2010), https://www.nti.org/media/pdfs/Securing_The_Bomb_2010.pdf (accessed November 27, 2018).

    8 For a summary of the progress states announced in their progress reports at the different summits, see Kutchesfahani, Davenport, and Connolly, The Nuclear Security Summits: An Overview of State Actions to Curb Nuclear Terrorism 2010–2016. Ninety ministers and heads of delegation did offer statements during the ministerial portion of the 2016 IAEA International Conference on Nuclear Security, but they were not nearly as detailed as those offered during the summits. In addition, at expert conferences, officials from a variety of countries have provided new details on particular aspects of nuclear security arrangements in their countries. See IAEA, International Conference on Nuclear Security: Commitments and Actions (Vienna, Austria, December 5-9, 2016), https://wwwpub.iaea.org/MTCD/Publications/PDF/Pub1794_web.pdf (accessed August 31, 2018).

    9 Matthew Bunn and Dmitry Kovchegin, “Nuclear Security in Russia: Can Progress Be Sustained?,” Nonproliferation Review, Vol. 24, Issue 5-6, 2017, https://scholar.harvard.edu/files/matthew_bunn/files/bunn-kovchegin_penultimate_nuclear_security_in_russia_can_progress_be_sustained.pdf (accessed October 1, 2018).

    10 See discussion in Matthew Bunn, Martin B. Malin, Nickolas Roth, and William H. Tobey, Preventing Nuclear Terrorism: Continuous Improvement or Dangerous Decline? (Cambridge, MA: Project on Managing the Atom, Belfer Center for Science and International Affairs, Harvard Kennedy School, 2016), http://belfercenter.ksg.harvard.edu/files/PreventingNuclearTerrorism-Web.pdf (accessed August 8, 2016), pp. 18, 29.

    11 George W. Bush, “The President’s News Conference with President Vladimir Putin of Russia,” Weekly Compilation of Presidential Documents, Volume 37, No. 46, November 19, 2001 (Washington, D.C.: Government Printing Office), https://www.gpo.gov/fdsys/pkg/WCPD-2001-11-19/html/WCPD-2001-11-19-Pg1652.htm (accessed February 10, 2018), p. 1652.

    12 David Smith, “Barack Obama at Nuclear Summit: Madmen Threaten Global Security,” The Guardian, April 1, 2016, https://www.theguardian.com/us-news/2016/apr/01/obama-nuclear-security-summit-stop-madmen-isis-terrorism (accessed February 10, 2018).

    13 See, for example, Brian Michael Jenkins, The Long Shadow of 9/11: America’s Response to Terrorism (Santa Monica, CA: the RAND Corporation, 2011), https://www.rand.org/content/dam/rand/pubs/monographs/2011/RAND_MG1107.pdf (accessed February 10, 2018), pp. 96-97.

    14 Graham T. Allison, for example, famously estimated in 2004 that the probability of a terrorist nuclear bomb detonating in a major city in the ensuing decade was over 50 percent. He recently argued that the many changes that have occurred since then have left that probability about the same for the coming decade. See Graham T. Allison, “Nuclear Terrorism: Did We Beat the Odds or Change Them?,” PRISM: The Journal of Complex Operations, Vol. 7, No. 3, 2018, https://cco.ndu.edu/News/Article/1507316/nuclear-terrorism-did-we-beat-the-odds-or-change-them/ (accessed November 5, 2018).

    15 The 9/11 Commission Report: Final Report of the National Commission on Terrorist Attacks Upon the United States (New York: Norton, 2004), https://www.npr.org/documents/2004/9-11/911reportexec.pdf (accessed February 10, 2018), p. 9.

    16 A history of perceptions of the nuclear terrorism threat can be found in Bunn, Malin, Roth, and Tobey, Preventing Nuclear Terrorism. For a less optimistic assessment comparing the chances of nuclear terrorism in the mid-2000s to the chances today, see Allison, “Nuclear Terrorism: Did We Beat the Odds or Change Them?.”

    17 Matthew Bunn, Anthony Wier, and John P. Holdren, Controlling Nuclear Warheads and Materials: A Report Card and Action Plan (Cambridge, Mass: Project on Managing the Atom, Belfer Center for Science and International Affairs, Harvard Kennedy School and Nuclear Threat Initiative, 2003), pp 15-19.

    18 Kofi Annan, “A Global Strategy for Fighting Terrorism: Keynote Address to the Closing Plenary,” speech at the International Summit on Democracy, Terrorism and Security, Madrid, March 10, 2005, http://www.un.org/press/en/2005/sgsm9757.doc.htm (accessed December 16, 2018).

    19 Matthew Bunn, “The Danger of Radiological Terrorism—and Steps to Reduce the Risk,” (Boston, Mass: National Nuclear Security Administration East Coast 2020 Initiative, September 26, 2018).

    20 Allison, “Nuclear Terrorism: Did We Beat the Odds or Change Them?.”

    21 See, for example, Lyudmila Zaitseva and Friedrich Steinhäusler, Nuclear Trafficking Issues in the Black Sea Region, Non-Proliferation Papers No. 39 (Paris: EU Non-Proliferation Consortium, 2014), https://www.sipri.org/publications/2014/eu-non-proliferation-papers/nuclear-trafficking-issues-black-sea-region (accessed December 17, 2018). The 2011 incident in Moldova remains, as of late 2018, the most recent publicly known incident of seizure of stolen HEU or plutonium.

    22 For an approach using simple assumptions to suggest that large amounts of fissile material may have been stolen but not recovered, see Valentin Stanev and Steve Fetter, “Estimating the Amount of Nuclear Weapons-Usable Material Outside Government Control Using Data on Reported Seizures,” Science & Global Security, Vol. 25, No. 3 (2017), pp. 125-142. While the article offers suggestive ways of thinking about the problem, the validity of the assumptions is not known; hence it remains difficult to know whether international efforts have succeeded in seizing something close to 100 percent or only a small fraction of the total material that was stolen.

    23 See “Explosives Found at Sweden Nuclear Site in Ringhals,” BBC News, June 21, 2012, https://www.bbc.com/news/world-europe-18532298 (accessed October 29, 2018).

    24 Alissa J. Rubin and Milan Schreuer, “Belgium Fears Nuclear Plants Are Vulnerable,” New York Times, March 25, 2016, https://www.nytimes.com/2016/03/26/world/europe/belgium-fears-nuclear-plants-are-vulnerable.html (accessed June 19, 2018).

    25 Pierlugi Paganini, “Malware Based Attack Hit Japanese Monju Nuclear Plant,” Security Affairs, January 10, 2014, http://securityaffairs.co/wordpress/21109 (accessed January 9, 2019). For a discussion of the growing cyber threat to nuclear facilities, see Alexandra Van Dine, Michael Assante, and Page Stoutland, Outpacing Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities (Washington, D.C.: Nuclear Threat Initiative, 2016), https://www.nti.org/media/documents/NTI_CyberThreats__FINAL.pdf (accessed January 9, 2019).

    26 Alissa J. Rubin and Milan Schreuer, “Belgium Fears Nuclear Plants Are Vulnerable.”

    27 “Greenpeace Sounds Alarm on Nuclear Safety with New Break-In,” phys.org, November 28, 2017, https://phys.org/news/2017-11-greenpeace-alarm-nuclear-safety-break-in.html (accessed January 9, 2019), and “Activists Break Into French Nuclear Site to Highlight Risks,” Reuters, October 12, 2017, https://www.reuters.com/article/us-france-nuclear-security/activists-break-into-french-nuclear-site-to-highlight-risks-idUSKBN1CH0IS (accessed January 12, 2019). French nuclear officials made the point that their security forces would have reacted differently to violent intruders.

    28 Bill Gertz, “Drones Threatened Nuclear Facilities,” Washington Times, March 8, 2017, https://www.washingtontimes.com/news/2017/mar/8/inside-the-ring-drones-threatened-nuclear-faciliti/ (accessed January 9, 2019), and Aaron Mehta, “STRATCOM Issues Guidance for Anti-Drone Measures Near Nuclear Sites,” C4ISRNet, April 4, 2017, https://www.c4isrnet.com/digital-show-dailies/space-symposium/2017/04/05/stratcom-issues-guidance-for-anti-drone-measures-near-nuclear-sites/ (accessed January 9, 2019).

    29 Interview with European nuclear security official, December 2016.

    30 For one summary of a set of major thefts from well-guarded facilities, see Jarret M. Lafleur, Liston K. Purvis, and Alex W. Roesler, The Perfect Heist: Recipes from Around the World, SAND-2014-1790 (Albuquerque, N.M.: Sandia National Laboratories, 2015), https://prod-ng.sandia.gov/techlib-noauth/access-control.cgi/2014/141790.pdf (accessed January 9, 2019).

    31 For discussion, see Matthew Bunn and Anthony Wier, “Terrorist Nuclear Weapon Construction: How

    Difficult?” Annals of the American Academy of Political and Social Science, Vol. 607,

    September 2006, pp. 133-149.

    32 Pavel Koryashkin, “Russian Nuclear Ammunition Depots Well Protected—Official,” ITAR-TASS, October 25, 2001); Vladimir Bogdanov, “Propusk K Beogolovkam Nashli U Terrorista” ["A pass to warheads found on a terrorist,"] Rossiskaya Gazeta, November 1, 2002.

    33 Major General Douglas L. Raaberg, “Commander Directed Report of Investigation Concerning an Unauthorized Transfer of Nuclear Warheads Between Minot AFB, North Dakota, and Barksdale AFB, Louisiana” (Langley, Vir.: Air Combat Command, U.S. Air Force, August 30, 2007),

    http://scholar.harvard.edu/files/jvaynman/files/minot_afb_report.pdf (accessed February 10,

    2018), p. 10.

    34 Raaberg, “Commander Directed Report of Investigation,” p. 10.

    35 Raaberg, “Commander Directed Report of Investigation,” p. 15.

    36 Joby Warrick and Walter Pincus, “Missteps in the Bunker,” Washington Post, September 23, 2007, http://www.washingtonpost.com/wp-dyn/content/story/2007/09/23/ST2007092300048.html?sid=ST2007092300048 (accessed February 10, 2018).

    37 Pervez Hoodbhoy, “Nuclear Battles in South Asia,” Bulletin of the Atomic Scientists, May 4, 2016, https://thebulletin.org/nuclear-battles-south-asia9415 (accessed February 10, 2018).

    38 Daniel R. Coats, “Worldwide Threat Assessment 2018,” Statement for the Record, February 13, 2018, https://www.dni.gov/files/documents/Newsroom/Testimonies/2018-ATA---Unclassified-SSCI.pdf (accessed February 19, 2018), p. 8.

    39 Jenkins, The Long Shadow of 9/11: America’s Response to Terrorism, p. 89.

    40 See, for example, Richard Danzig et al., Aum Shinrikyo: Insights into How Terrorists Develop Biological and Chemical Weapons, 2nd Edition (Washington, D.C.: Center for a New American Security, 2012), https://s3.amazonaws.com/files.cnas.org/documents/CNAS_AumShinrikyo_SecondEdition_English.pdf? (accessed November 10, 2018); Sara Daly, John Parachini, and William Rosenau, Aum Shinrikyo, Al Qaeda, and the Kinshasa Reactor: Implications of Three Case Studies for Combating Nuclear Terrorism (Santa Monica, CA: RAND, 2005), http://www.rand.org/pubs/documented_briefings/2005/RAND_DB458.sum.pdf (accessed November 10, 2018); David E. Kaplan and Andrew Marshall, The Cult at the End of the World: The Terrifying Story of the Aum Doomsday Cult, from the Subways of Tokyo to the Nuclear Arsenals of Russia, 1st American ed. (New York: Crown Publishers, 1996).

    41 See, for example, Rolf Mowatt-Larssen, Al Qaeda Weapons of Mass Destruction Threat: Hype or Reality? (Cambridge, Mass: Belfer Center for Science and International Affairs, Harvard Kennedy School, 2010), https://www.belfercenter.org/sites/default/files/legacy/files/al-qaeda-wmd-threat.pdf (accessed January 12, 2019); George Tenet, At the Center of the Storm: My Years at the CIA (New York: HarperCollins, 2007); David Albright, “Al Qaeda’s Nuclear Program: Through the Window of Seized Documents,” Nautilus Institute Special Forum 47 (2002). For Osama bin Laden’s “religious duty” quote, see Rahimullah Yusufzai, “Conversation With Terror,” Time, January 11, 1999, http://content.time.com/time/magazine/article/0,9171,17676-1,00.html (accessed February 10, 2018).

    42 For a brief account of Chechen activities in these areas, see, for example, Matthew Bunn et al., The U.S.-Russia Joint Threat Assessment of Nuclear Terrorism (Cambridge, Mass: Belfer Center for Science and International Affairs, Harvard Kennedy School, and Institute for U.S. and Canadian Studies, 2011), http://belfercenter.ksg.harvard.edu/publication/21087/ (accessed November 10, 2018).

    43 For a discussion of the Islamic State’s activities and potential, see Bunn, Malin, Roth, and Tobey, Preventing Nuclear Terrorism, pp. 17-19.

    44 Bunn, Malin, Roth, and Tobey, Preventing Nuclear Terrorism, pp. 135-37. See also Matthew Bunn and Anthony Wier, “Terrorist Nuclear Weapon Construction: How Difficult?"

    45 Bunn, Malin, Roth, and Tobey, Preventing Nuclear Terrorism, p. 140.

    46 Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction, Report to the President of the United States (Washington, D.C., 2005), http://www.gpo.gov/fdsys/pkg/GPO-WMD/pdf/GPO-WMD.pdf (accessed February 10, 2018), pp. 272, 277.

    47 Coats, “Worldwide Threat Assessment 2018,” p. 9.

    48 See, for example, testimony of Rolf Mowatt-Larssen, then Director of the Office of Intelligence and Counter-Intelligence, U.S. Department of Energy, U.S. Senate, Committee on Homeland Security and Governmental Affairs, April 2, 2008, https://www.hsgac.senate.gov/imo/media/doc/040208MowattLarssen.pdf. See Bunn, Malin, Roth, and Tobey, Preventing Nuclear Terrorism, pp. 142-143.

    49 James R. Clapper, “Worldwide Threat Assessment 2014,” Statement for the Record to the Senate Select Committee on Intelligence, January 29, 2014, https://www.dni.gov/files/documents/Intelligence%20Reports/2014%20WWTA%20%20SFR_SSCI_29_Jan.pdf (accessed February 10, 2018).

    50 Shreeya Sinha, “Obama’s Evolution on ISIS,” The New York Times, June 9, 2015, https://www.nytimes.com/interactive/2015/06/09/world/middleeast/obama-isis-strategy.html (accessed February 10, 2018).

    51 Coats, “Worldwide Threat Assessment 2018,” p. 10.

    52 Peter R. Neumann, “Options and Strategies for Countering Online Radicalization in the United States,” Studies in Conflict & Terrorism, Vol. 36, No. 6 (2013), pp. 431-459.

    53 Thomas Hegghammer and Andreas Hoelstad Daehli, “Insiders and Outsiders: a Survey of Terrorist Threats to Nuclear Facilities,” in Matthew Bunn and Scott D. Sagan, eds., Insider Threats (Ithaca, NY: Cornell University Press, 2017).

    54 A description of these incidents can be found in Bunn, Malin, Roth, and Tobey, Preventing Nuclear Terrorism, p. 29.

    55 Tony Wesolowski, “Ukraine’s Exploding Munition Depots Give Ammunition to Security Concerns,” Radio Free Europe/Radio Liberty, October 6, 2017, https://www.rferl.org/a/ukraine-exploding-munitions-security-concerns-russia/28777991.html (accessed February 10, 2018).

    56 Miles Brundage et al., “The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation” (Oxford, UK: University of Oxford, 2018), https://maliciousaireport.com (accessed February 20, 2018), p. 5.

    57 Bunn, Malin, Roth, and Tobey, Preventing Nuclear Terrorism, pp. 20-21.

    58 While this is often attributed to Albert Einstein, it appears that the earliest available use of it is in William Bruce Cameron, Informal Sociology: A Casual Introduction to Sociological Thinking (New York: Random House, 1963), p. 13. See “Quote Investigator: Not Everything That Counts Can be Counted,” https://quoteinvestigator.com/2010/05/26/everything-counts-einstein/ (accessed January 9, 2019).

    59 The Nuclear Threat Initiative’s Nuclear Security Index provides overall ratings based on whether countries have rules in place in key categories, but it does not attempt to assess the quality of those rules or the effectiveness of their implementation. Nuclear Threat Initiative and Economist Intelligence Unit, NTI Nuclear Security Index: Theft/Sabotage: Building a Framework for Assurance, Accountability, and Action.

    60 For these reasons, among others, a committee of the U.S. National Research Council recommended against attempting to mathematically assess risk in planning security for DOE nuclear facilities. U.S. National Research Council, Understanding and Managing Risk in Security Systems for the DOE Nuclear Weapons Complex (Washington, D.C.: National Academies Press, 2011), http://www.nap.edu/catalog.php?record_id=13108 (accessed January 12, 2019).

    61 For more on these arguments, see Matthew Bunn, Nickolas Roth, and William H. Tobey, “Protecting Nuclear Materials and Facilities against the Full Spectrum of Plausible Threats,” in Proceedings of the International Conference on Physical Protection of Nuclear Material and Nuclear Facilities (Vienna: IAEA, 2017).

    62 United Nations Security Council, Resolution 1540 (New York: UN, 2004), http://www.un.org/ga/search/view_doc.asp?symbol=S/RES/1540%20(2004) (accessed January 12, 2019).

    63 Matthew Bunn, “’Appropriate Effective’ Nuclear Security and Acounting—What Is It?,” paper presented at Global Initiative/UNSCR 1540 Workshop on “Appropriate Effective Material Accounting and Physical Protection,” Nashville, Tennessee, July 18, 2008, http://belfercenter.ksg.harvard.edu/files/bunn-1540-appropriate-effective50.pdf (accessed January 12, 2019).

    64 IAEA, “Amendment to the Convention on the Physical Protection of Nuclear Material” (Vienna: IAEA, May 9 2016, https://www.iaea.org/sites/default/files/infcirc274r1m1.pdf (accessed February 9, 2017); IAEA, Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities, INFCIRC/225/Rev.5 (Vienna: IAEA, 2011), http://www-pub.iaea.org/MTCD/publications/PDF/Pub1481_web.pdf (accessed January 12, 2019). For discussion, see Bunn, Roth, and Tobey, “Protecting Nuclear Materials and Facilities against the Full Spectrum of Plausible Threats.”

    65 IAEA, Communication Received from the Netherlands Concerning the Strengthening of Nuclear Security Implementation, INFCIRC/869 (Vienna: IAEA, 2014), https://www.iaea.org/sites/default/files/publications/documents/infcircs/infcirc869.pdf (accessed November 24, 2016).

    66 In a 2015 interview, a White House official working on nuclear security remarked: “How would I know what countries’ DBTs are?” Both U.S. and Japanese officials have concluded that a new legal agreement would be needed before the United States and Japan could share DBT information.

    67 IAEA, “International Physical Protection Advisory Service (IPPAS): Mission Report: Canada” (Vienna: IAEA, October 2015), pp. 33-35. Canadian regulators, however, acknowledged to the IPPAS team that at that time (2015) they were still working on incorporating cyber threats into the DBT.

    68 “Highlights of National Progress Reports,” Nuclear Security Summit 2016 website, http://www.nss2016.org/news/2016/4/5/highlights-from-national-progress-reportsnuclear-security-summit (accessed October 1, 2018).

    69 Presentation by Hosik Yoo, “ROK’s Efforts to Strengthen Physical Protection Measures for NM and NF,” presented at the International Conference on Physical Protection of Nuclear Material and Nuclear Facilities (Vienna: IAEA, 2017).

    70 Tom Bielefeld, personal communication, November 2018.

    71 IAEA, “International Physical Protection Advisory Service (IPPAS): Draft Follow-up Mission Report: Sweden” (Vienna: IAEA, October 2016), p. 7.

    72 “Armed Guards at Sweden’s Nuclear Power Stations Next Month,” Seattle Times, January 5, 2017, https://www.seattletimes.com/business/armed-guards-at-swedens-nuclear-power-stations-next-month/ (accessed January 9, 2019).

    73 Discussions at Harvard University-Tsinghua University workshop, Beijing, June 2017. Our colleague Hui Zhang has long recommended that China adopt such a national-level DBT. Hui Zhang, China’s Nuclear Security: Progress, Challenges, and Next Steps (Cambridge, Mass: Project on Managing the Atom, Belfer Center for Science and International Affairs, Harvard Kennedy School, 2016), http://belfercenter.hks.harvard.edu/files/Chinas%20Nuclear%20Security-Web.pdf (accessed August 13, 2016).

    74 Zhang, China’s Nuclear Security: Progress, Challenges, and Next Steps.

    75 Nuclear Threat Initiative and Economist Intelligence Unit, NTI Nuclear Security Index: Theft/Sabotage: Building a Framework for Assurance, Accountability, and Action, p. 7.

    76 Caroline Baylon with Roger Brunt and David Livingstone, Cyber Security at Civil Nuclear Facilities: Understanding the Risks (London, England: Chatham House Report, September 2015) https://www.chathamhouse.org/sites/default/files/field/field_document/20151005CyberSecurityNuclearBaylonBruntLivingstoneUpdate.pdf (accessed July 20, 2018), p. 5.

    77 For discussion, see Matthew Bunn and Scott D. Sagan, eds., Insider Threats (Ithaca, N.Y.: Cornell University Press, 2017). This section draws on Matthew Bunn, Martin B. Malin, Nickolas Roth, and William H. Tobey, “Key Steps for Continuing Nuclear Security Progress,” in Proceedings of the International Conference on Nuclear Security: Commitments and Actions (Vienna: IAEA, 2016), https://www.belfercenter.org/sites/default/files/files/publication/%5B3A-1%5D_FUL_574_Bunn.pdf (accessed August 28, 2017).

    78 IAEA, Communication Received from the Netherlands Concerning the Strengthening of Nuclear Security Implementation.

    79 IAEA, Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities, p. 12.

    80 IAEA, Preventive and Protective Measures against Insider Threats, IAEA Nuclear Security Series No. 8 (Vienna: IAEA, 2008); World Institute for Nuclear Security, Wins International Best Practice Guide 3.4: Managing Internal Threats, Rev. 2.0 (Vienna: WINS, 2015).

    81 IAEA, Communication Dated 22 December 2016 Received from the Permanent Mission of the United States of America Concerning a Joint Statement on Mitigating Insider Threats, INFCIRC/908 (Vienna: IAEA, 2017), https://www.iaea.org/sites/default/files/publications/documents/infcircs/2017/infcirc908.pdf (accessed July 6, 2018).

    82 “Russian nuclear scientists arrested for ‘Bitcoin Mining Plot,’” BBC, February 9, 2018 https://www.bbc.com/news/world-europe-43003740 (accessed February 9, 2018).

    83 For examples from major non-nuclear thefts, see Lafleur, Purvis, and Roesler, The Perfect Heist.

    84 See, for example, Yuzo Yamaguchi, “Japan’s NRA to Introduce Nuclear Security Regulations in August,” Platts Inside NRC, July 25, 2016; Masakatsu Ota, “Potential Insider Threat Against Japanese Nuclear Facilities: Challenge and Progress Since the Fukushima Nuclear Disaster,” NAPSNET Special Reports, November 16, 2017, https://nautilus.org/uncategorized/potential-insider-threat-against-japanese-nuclear-facilities-challenge-and-progress-since-the-fukushima-nuclear-disaster/ (accessed November 19, 2018), and Nobuyasu Abe, “Nuclear Terrorism and Spent Fuel Storage in Northeast Asia,” NAPSNet Special Reports, December 08, 2017, https://nautilus.org/napsnet/napsnet-special-reports/nuclear-terrorism-and-spent-fuel-storage-in-northeast-asia/ (accessed November 18, 2018). For background on the debate over such background checks in Japan, see Tomoaki Inamura and Tomoyuki Tanabe, “Issues on Security Clearance for Nuclear Security in Japan,” in Proceedings of the 55th Annual Meeting of the Institute for Nuclear Materials Management, Atlanta, GA, July 20–24, 2014 (Mount Laurel, NJ: INMM, 2014).

    85 See Yuzo Yamaguchi, “Japan’s NRA to Introduce Nuclear Security Regulations in August,” Platts Inside NRC, and “State secrets law still deeply flawed,” The Japan Times, December 8, 2015.

    86 In Japan, in order to buy a gun, you need to pass a written test, take classes, and pass a psychological test at a hospital. The police conduct a background check, interview relatives, and check to see if you are a member of certain political or activist groups. Gun owners need to keep their gun in a locker and provide a map to the police showing its location. The police conduct an annual gun inspection and licenses must be renewed every three years. See David Kopel, “Japanese Gun Control,” Asia-Pacific Law Review, Vol. 2, No. 2 (1993), pp. 26-52.

    87 See Canadian Nuclear Safety Commission, Fitness for Duty Volume II: Managing Alcohol and Drug Use, Version 2, REGDOC-2.2.4 (Ottawa: CNSC, December 27, 2017).

    88 “IPPAS Mission Report: Canada,” p. 25.

    89 For a description of the new transport rules, see Alice Wiesbaum, “The Development of Guidelines for the Transport of Nuclear Material in Germany,” in Proceedings of the International Conference on Physical Protection of Nuclear Material and Facilities, Vienna, November 13-17, 2017 (Vienna: IAEA, 2017). According to Wiesbaum, a new guideline was also developed and introduced requiring reliability checks for all staff directly involved in such transports. We are grateful to Tom Bielefeld and the Nuclear Threat Initiative and the Economist Intelligence Unit for pointing out these references to us.

    90 U.S. Department of Energy, “Insider Threat Program,” Order 470.5 (Washington, D.C.: DOE, June 2, 2014).

    91 Personal communications with the DOE local insider threat program, July 2017

    92 IAEA, “International Physical Protection Advisory Service (IPPAS): Draft Follow-up Mission Report: Sweden,” p. 27.

    93 See, for example, Matthew Bunn, “Belgium Highlights the Nuclear Terrorism Threat and Nuclear Security Measures to Stop It,” HuffPost, March 29, 2016, https://www.huffingtonpost.com/matthew-bunn/belgium-nuclear-terrorism_b_9559006.html?utm_hp_ref=world (accessed January 9, 2019).

    94 “Highlights of National Progress Reports,” April 5, 2016, http://www.nss2016.org/document-center-docs/2016/4/5/highlights-from-national-progress-reports-nuclear-security-summit (accessed October 29, 2018).

    95 Adrian Levy and R. Jeffrey Smith, “India’s Nuclear Explosive Materials are Vulnerable to Theft, U.S. Officials and Experts Say,” Center for Public Integrity, December 17, 2015, https://www.publicintegrity.org/2015/12/17/18922/india-s-nuclear-explosive-materials-are-vulnerable-theft-us-officials-and-experts (accessed October 29, 2018).

    96 IAEA, Communication Dated 22 December 2016 Received from the Permanent Mission of the United States of America Concerning a Joint Statement on Mitigating Insider Threats, 2017.

    97 See, for example, the description of the Antwerp Diamond Center heist in Scott Andrew Selby and Greg Campbell, Flawless: Inside the Largest Diamond Heist in History (New York: Union Square Press, 2010) See also the many cases described in Lafleur, Purvis, and Roesler, The Perfect Heist.

    98 Roger Johnston, “Security Maxims” (Argonne, Ill.: Rightbrain Sekurity, August 2018), http://rbsekurity.com/Papers/security%20maxims%20with%20axe.pdf (accessed August 7, 2018).

    99 IAEA, Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities.

    100 In 2012, the Nuclear Regulatory Commission conducted 23 force-on-force inspections at 22 commercial nuclear plants and one fuel cycle facility. Eleven of those inspections found performance deficiencies. One exercise resulted in the simulated destruction of or damage to vital plant components. See Mark Holt and Anthony Andrews, Nuclear Power Plant Security and Vulnerabilities (Washington, D.C.: Congressional Research Service, January 2014), https://fas.org/sgp/crs/homesec/RL34331.pdf (accessed May 1, 2018).

    101 For one summary of recent U.S. debates over force-on-force exercises, see Edwin Lyman, “Nuclear Plant Security on the 15th Anniversary of 9/11: The Need to Remain Vigilant,” All Things Nuclear, September 9, 2016, https://allthingsnuclear.org/elyman/nuclear-plant-security-on-the-15th-anniversary-of-911-the-need-to-remain-vigilant. For the recent reductions, see Steve Clemmer, Jeremy Richardson, Sandra Sattler, and Dave Lochbaum, The Nuclear Power Dilemma: Declining Profits, Plant Closures, and the Threat of Rising Carbon Emissions (Washington, D.C.: Union of Concerned Scientists, November 2018), p. 7, and Steven Dolley, “NRC Staff Revising Oversight of Nuclear Plant Security Exercises,” Nucleonics Week, November 20, 2018.

    102 Personal communication, February 2016.

    103 Terry Jamieson, Protecting Canada’s Nuclear Industry, presented at the International Regulators Conference on Nuclear Security, (Washington, D.C.: December 2012), http://www.nrcsecurityconference.org/slides/Dec5/Canada.pdf (accessed August 22, 2018). See also “IPPAS Mission Report: Canada,” pp. 35, 51.

    104 Hui Zhang, personal communication, November 2018, based on the Chinese-language draft regulations, available at http://www.sastind.gov.cn/n152/n6424542/c6424828/content.html (accessed November 20, 2018). For an earlier overview recommending that China conduct such exercises, see Zhang, China’s Nuclear Security: Progress, Challenges, and Next Steps.

    105 Robert Perc, “How Force-on-Force Exercise Helped US Building Joint Training Programme: Graded approach gives results, increase cooperation and efficiency [sic],” Presented at the International Conference on Physical Protection of Nuclear Material and Nuclear Facilities (Vienna: IAEA, 2017).

    106 National Progress Report: Republic of Korea (Washington, D.C.: 2016 Nuclear Security Summit, March 31, 2016), http://www.nss2016.org/document-center-docs/2016/3/31/national-progress-report-republic-of-korea (accessed October 29, 2018).

    107 See, for example, Japan Nuclear Fuel Limited, “Nuclear Security for Protecting Against Nuclear Terrorism,” no date, https://www.jnfl.co.jp/en/activity/security/ (accessed October 29, 2018). In December 2010, U.S. experts were able to observe the first force-on-force exercise at the Rokkasho plutonium reprocessing facility, and conducted a force-on-force workshop with Japanese experts. In November 2011, Japanese experts observed a U.S. force-on-force exercise at the Cooper Nuclear Station, and participated in a workshop on the topic at U.S. Nuclear Regulatory Commission headquarters. See “Fact Sheet: United States-Japan Nuclear Security Working Group” (Washington, D.C.: The White House, March 24, 2014).

    108 “National Progress Report: The Netherlands” (Washington, D.C.: 2016 Nuclear Security Summit, March 31, 2016), http://www.nss2016.org/document-center-docs/2016/3/31/national-progress-report-the-netherlands-1 (accessed September 5, 2018) and “National Progress Report: Australia” (Washington, D.C.: 2016 Nuclear Security Summit, March 31, 2016), http://www.nss2016.org/document-center-docs/2016/3/31/national-progress-report-australia-1 (accessed September 5, 2018).

    109 See Rajeswari Pillai Rajagopalan, Rahul Krishna, Kritika Singh, and Arka Biswas, Nuclear Security in India (New Delhi: Observer Research Foundation, 2016), https://www.orfonline.org/wp-content/uploads/2016/10/ORF_Monograph_Nuclear_Security.pdf (accessed August 17, 2018), p. 109.

    110 Interview by Matthew Bunn, April 2003.

    111 Bunn, Malin, Roth, and Tobey, Preventing Nuclear Terrorism, pp. 87-90.

    112 IAEA, Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities, p. 15.

    113 IAEA, “Self-assessment of Nuclear Security Culture in Facilities and Activities,” (Vienna: IAEA, 2017). WINS’s nuclear security culture guidance offers a simpler questionnaire for organizational self-assessment. World Institute for Nuclear Security, WINS International Best Practice Guide 1.4: Nuclear Security Culture, Rev. 3.0 (Vienna: WINS, 2016).

    114 See Bunn, Malin, Roth, and Tobey, Preventing Nuclear Terrorism, p. 68.

    115 Nobuaki Eguchi, “Efforts to Enhance Nuclear Security Culture in Japan, presentation to the Second International Regulators Conference on Nuclear Security, Madrid, Spain, May 11-13, 2016, and Satoru Tanaka, “A Nuclear Security Regime in Japan: Enhancement Efforts and Global Contributions,” presentation to the IAEA International Conference on Nuclear Security: Commitments and Actions, Vienna, December 5-9, 2016.

    116 Yoo, “ROK’s Efforts to Strengthen Physical Protection Measures for NM and NF.”

    117 Khairul, “A Multi-Stakeholders Approach toward Development of Sustainable Nuclear Security Culture: Indonesia’s Experience” (Vienna, Austria: International Conference on Nuclear Security: Commitments and Actions, December 5-9, 2016). Indonesia no longer has HEU on its soil, and has not yet built nuclear power reactors.

    118 IPPAS Mission Report: Canada, p. 49.

    119 Jeremy Davison, Alex Gregory, Robert Rodger, Kevin Thompson, Mark Edmiston, “Assessing and Enhancing the Security Culture of an Organization,” Proceedings of the International Conference on Physical Protection of Nuclear Material and Nuclear Facilities (Vienna: IAEA, 2017).

    120 Personal communication with Rajeswari Pillai Rajagopalan, August 2018.

    121 Germany asked for an IPPAS mission on June 14, 2016. See Helge Kröger and Peter Koschel, “IPPAS Mission to Germany,” presented at the International Conference on Physical Protection of Nuclear Material and Nuclear Facilities (Vienna: IAEA, 2017).

    122 Carsten Speicher, “The Regulator’s Tools to Support the Operator’s Security Culture,” presented at the International Conference on Physical Protection of Nuclear Material and Nuclear Facilities (Vienna: IAEA, 2017).

    123 Pablo Grossi and Fabio Suzuki, “Brazilian Report on the Effort for Enhancing Nuclear Security Culture,” presented at the International Workshop on Nuclear Security Culture, Madrid, Spain, February 2016.

    124 Discussion at the IAEA International Conference on Nuclear Security: Commitments and Actions, Vienna, December 5-9, 2016. See U.S. Nuclear Regulatory Commission, “Final Safety Culture Policy Statement,” NRC-2010-0282, in Federal Register, Vol. 76, No. 114, pp. 34773-34778.

    125 Indian Diplomacy At Work: Nuclear Security in India (Government of India Ministry of External Affairs, March 18, 2014), https://www.mea.gov.in/in-focus-article.htm?23091/Nuclear+Security+in+India (accessed September 5, 2018).

    126 The Hague Nuclear Security Summit Communiqué, Netherlands Ministry of Foreign Affairs (The Hague, 2014).

    127 Gift Basket on Minimizing and Eliminating the Use of Highly Enriched Uranium in Civilian Applications, 2016 Nuclear Security Summit, Washington, D.C. (2016).

    128 IAEA, Communication Received from the Permanent Mission of Norway Concerning a Joint Statement on Minimizing and Eliminating the Use of Highly Enriched Uranium in Civilian Applications, INFCIRC/912 (Vienna: IAEA, 2017), https://www.iaea.org/sites/default/files/publications/documents/infcircs/2017/infcirc912.pdf (accessed May 26, 2018). INFCIRC/912 also includes a format for each country to report on its progress in minimizing and eliminating civilian HEU.

    129 International Panel on Fissile Materials, “Fissile Material Stocks” (Princeton, N.J.: IPFM, February 12, 2018), http://fissilematerials.org/ (accessed October 29, 2018).

    130 The United States continues to blend down its excess HEU at a rate of about two tons per year; Russia is producing a small amount of HEU for export as research reactor fuel; India, Pakistan, and North Korea continue to produce HEU for weapons, but global production is less than the U.S. blend-down rate. See U.S. Department of Energy, National Nuclear Security Administration, Prevent, Counter, and Respond—A Strategic Plan to Reduce Global Nuclear Threats FY2019-FY-2023 (Washington, D.C.: NNSA, October 2018), pp. 2-9-2-11.

    131 Based on IAEA and UN data. Turkey, which eliminated its stocks of civilian HEU in 2010, is not listed here as having removed all weapons-usable nuclear material because the United States reportedly deploys nuclear weapons at Turkish military bases.

    132 As of the publication of this report, it is unclear whether or not there is plutonium in Switzerland. In 2016, the U.S. National Nuclear Security Administration announced that Switzerland was free of plutonium and, at the 2016 Nuclear Security Summit, Switzerland announced that it had eliminated all of its plutonium. Yet Switzerland’s 2016 plutonium declaration to the IAEA reported less than 2 kilograms of plutonium. See “National Progress Report: Switzerland (Washington, DC: 2016 Nuclear Security Summit, March 31, 2016), https://www.belfercenter.org/sites/default/files/legacy/files/nuclearmatters/files/2016_nss_switzerland_national_progress_report.pdf?m=1461084731 (accessed October 29, 2018); “United States Collaborates with Switzerland to Remove Last Remaining Separated Plutonium” (Washington, D.C.: National Nuclear Security Administration, March 3, 2016), https://www.energy.gov/nnsa/articles/united-states-collaborates-switzerland-remove-last-remaining (accessed October 29, 2018); and Atomic Energy Agency, “Communication Received from Switzerland Concerning its policies Regarding the Management of Plutonium,” INFCIRC/549, April 3, 2018, https://www.iaea.org/sites/default/files/publications/documents/infcircs/1998/infcirc549a4-22c.pdf (accessed October 29, 2018).

    133 Matthew Bunn and Eben Harrell, Consolidation: Thwarting Nuclear Theft, (Cambridge, Mass.: Project on Managing the Atom, Harvard University, March 2012), https://www.belfercenter.org/publication/consolidation-thwarting-nuclear-theft (accessed January 10, 2019), p. 14 and 2010-2018 National Nuclear Security Administration press releases.

    134 Hans M. Kristensen and Robert S. Norris, “Status of World Nuclear Forces” (Washington, D.C.: Federation of American Scientists), November 2018, http://fas.org/issues/nuclear-weapons/status-world-nuclear-forces/ (accessed November 22, 2018). See also Hans M. Kristensen and Robert S. Norris, “Nuclear Notebook: Worldwide Deployments of Nuclear Weapons, 2017,” Bulletin of the Atomic Scientists Vol. 73, No. 5 (2017), https://www.tandfonline.com/doi/full/10.1080/00963402.2017.1363995 (accessed November 22, 2018).

    135 “Nuclear Disarmament NATO,” February 10, 2017, https://www.nti.org/analysis/articles/nato-nuclear-disarmament/ (accessed September 24, 2018). The Nuclear Threat Initiative’s 2018 Nuclear Security Index states that 22 countries that have one kilogram or more of weapons-usable nuclear materials. Since there are U.S. nuclear weapons stationed at Incirlik Air Base in Turkey, this report does not count Turkey as cleaned out. Additionally, the 2018 Nuclear Security Index does not count Syria as having weapons-usable nuclear material because its Miniature Neutron Source Reactor contains just under one kilogram of HEU. (In some cases, however, countries with such reactors have a modest number of additional fuel elements, bringing the total to just over one kilogram of HEU.) See Nuclear Threat Initiative and Economist Intelligence Unit, NTI Nuclear Security Index: Building a Framework for Assurance, Accountability, and Action (Washington, D.C.: NTI, September 2018).

    136 Hans Kristensen and Robert Norris, “North Korean Nuclear Capabilities,” Bulletin of the Atomic Scientists, January 2, 2018, https://thebulletin.org/2018/01/north-korean-nuclear-capabilities-2018/ (accessed July 5, 2018).

    137 Lindsay Bever, “Activists raid nuclear submarine base with hammers and ‘baby bottles of their own blood,’” Washington Post, April 5, 2018, https://www.washingtonpost.com/news/energy-environment/wp/2018/04/05/activists-raid-nuclear-submarine-base-with-hammers-and-baby-bottles-of-their-own-blood/?utm_term=.a3f8339aa034 (accessed December 18, 2018).

    138 “Vladimir Evdokimov, Deputy Director General of the Priargunsky Industrial Mining and Chemical Union is arrested for bribery,”Kommersant, December 20, 2017, https://www.kommersant.ru/doc/3502721 (accessed July 18, 2018).

    139 Norris and Kristensen, “Nuclear Notebook: Worldwide Deployments of Nuclear Weapons, 2017.”

    140 Material containing at least 2 kilograms of plutonium or at least 5 kilograms of U-235 contained in HEU is considered Category I, requiring the highest level of protection. Nuclear material categories are defined internationally in the physical protection convention and in the IAEA’s physical protection recommendations, INFCIRC/225. Domestically, they are defined (somewhat differently) in NRC regulations and DOE orders.

    141 They are at MIT, the University of Missouri, the National Institute of Standards and Technology, and at a General Electric facility in California.

    142 The National Institute of Standards and Technology (NIST, part of the Department of Commerce) also has an HEU-fueled research reactor, but it is regulated by the NRC in the same way that non-government research reactors are.

    143 U.S. Congress, House of Representatives, Energy and Water Development and Related Agencies for the Fiscal Year Ending September 30, 2019, and for Other Purposes: Conference Report (to accompany H.R.5895), 115th Congress, 2nd session, 2018, 115-929, https://www.congress.gov/congressional-report/115th-congress/house-report/929/1?overview=closed (accessed September 21, 2018).

    144 This is Building 9206. See NNSA, Prevent, Counter, and Respond, p. 2-11.

    145 See, for example, Timothy Gardner, “Trump Administration Kills Contract for Plutonium-to-Fuel

    Plant,” Reuters, October 12, 2018.

    146 Colin Demarest, “Another 70 MOX Workers Issued Layoff Notifications, Employment Document

    Shows,” Aiken Standard, December 12, 2018, https://www.aikenstandard.com/news/another-mox-workers-issued-layoff-notifications-employment-document-shows/article_eeb424d8-fe1c11e8-a35f-9742aa22948d.html (accessed December 18, 2018).

    147 Kristensen and Norris, “Nuclear Notebook: Worldwide Deployments of Nuclear Weapons, 2017.”

    148 Interview with Russian laboratory expert, July 2015. Also, see Matthew Bunn and Dmitri Kovchegin, “Nuclear Security in Russia: Can Progress be Sustained?” Nonproliferation Review, Vol. 24, No. 5-6 (Spring 2018), pp. 527-551, https://scholar.harvard.edu/files/matthew_bunn/files/bunn-kovchegin_penultimate_nuclear_security_in_russia_can_progress_be_sustained.pdf (accessed October 1, 2018).

    149 See Steve Gutterman, “Uranium Shipment Signals End of US-Russian Nuclear Deal,” Reuters, November 14, 2013, https://www.reuters.com/article/us-russia-usa-nuclear/uranium-shipment-signals-end-of-us-russian-nuclear-deal-idUSBRE9AD15620131114 (accessed September 24, 2018) and “Russia Suspends Implementation of Plutonium Disposition Agreement,” International Panel on Fissile Materials Blog, October 3, 2016, http://fissilematerials.org/blog/2016/10/russia_suspends_implement.html (accessed September 19, 2018).

    150 See “Civilian HEU: Russia” (Washington, D.C.: Nuclear Threat Initiative, December 21, 2017), https://www.nti.org/analysis/articles/civilian-heu-russia/ (accessed September 16, 2018).

    151 Japan Nuclear Fuels Limited, “Change in Schedule of Rokkasho Reprocessing Plant and MOX Fuel Fabrication Plant,” December 22, 2017, https://www.jnfl.co.jp/en/release/president-talk/2017/201712.html (accessed November 22, 2018).

    152 For a discussion of Japan’s pledge to reduce its stockpile, see Tatsujiro Suzuki and Masa Takubo, “Japan’s New Policy on its Plutonium Stockpile,” International Panel on Fissile Materials Blog, August 20, 2018, http://fissilematerials.org/blog/2018/08/japans_new_policy_on_its_.html (accessed December 19, 2018).

    153 See David Albright, Sarah Burkhard, and Frank Pabian, Pakistan’s Growing Uranium Enrichment Program (Washington, D.C.: Institute for Science and International Security, May 30, 2018), http://isis-online.org/isis-reports/detail/pakistans-growing-uranium-enrichment-program/12 (accessed September 25, 2018); Sarah Burkhard, Allison Lach, and Frank Pabian, Khushab Update (Washington, D.C.: Institute for Science and International Security, September 7, 2017), http://isis-online.org/isis-reports/detail/khushab-update/12 (accessed September 25, 2018); and “Countries: India” (Princeton, NJ: International Panel on Fissile Materials, February 12, 2018), http://fissilematerials.org/countries/india.html (accessed September 15, 2018).

    154 Mark Hibbs, The Future of Nuclear Power in China (Washington, D.C.: Carnegie Endowment for International Peace, 2018), pp. 38-39.

    155 Adam Vaughan, “Sellafield faces huge fine over worker’s exposure to radiation,” The Guardian, May 11, 2018, https://www.theguardian.com/environment/2018/may/11/sellafield-faces-huge-fine-over-employees-exposure-to-radiation (accessed June 13, 2018).

    156 Neil Hyatt, “Plutonium management policy in the United Kingdom: The need for a dual track strategy,” Energy Policy, Vol. 101 (February 2017), https://reader.elsevier.com/reader/sd/pii/S030142151630458X?token=F32239DC7EC9C2031C09730013B5572393294EEADE59A7612238E2987B8B9855FE182BB072A15B1B6496C146F2A611A5 (accessed September 30, 2018).

    157 Data provided by National Nuclear Security Administration, February 2016.

    158 “Nigeria Becomes HEU Free,” World Nuclear News, December 10, 2018, http://www.world-nuclear-news.org/Articles/Nigeria-becomes-HEU-free (accessed December 11, 2018).

    159 Data provided by the National Nuclear Security Administration, October and November 2018.

    160 Shutdowns prior to 2004 are from Ole Reistad and Styrkaar Hustveit, “Appendix II: Operational, Shut Down, and Converted HEU-Fueled Research Reactors,” Nonproliferation Review, Vol. 15, No. 2 (July 2008), http://cns.miis.edu/npr/pdfs/152_reistad_appendix2.pdf (accessed May 21, 2015). Information on conversion data was provided by NNSA officials, October 2017.

    161 International Panel on Fissile Materials, “Facilities: Reasearch Reactors” (Princeton, N.J.: IPFM, 2018), http://fissilematerials.org/facilities/research_reactors.html (accessed January 11, 2019).

    162 NNSA’s total goal is to convert or confirm the shutdown of 156 reactors or isotope production facilities by 2035. See NNSA, Prevent, Counter, and Respond, p. 2-9. Roughly 102 of these were completed as of October 2018, leaving 54 remaining. Data provided by NNSA, October 2018.

    163 Lidia Kelly, “Russia Suspends Nuclear Agreement, Ends Uranium Research Pact with United States,” Reuters, October 5, 2016, https://www.reuters.com/article/us-russia-usa-nuclear-uranium-idUSKCN12521J (accessed September 20, 2018). The 17 figure is from data provided by NNSA, October 2018.

    164 International Panel on Fissile Materials, “Facilities: Reasearch Reactors.”

    165 Report on HEU Research Reactor Conversion and Technical Advances by Working Group 1 (Oslo, Norway: 3rd International Symposium on HEU Minimization, June 5-7, 2018).

    166 Updated data provided by NNSA, December 2018. For discussion, see U.S. National Research Council, Reducing the Use of Highly Enriched Uranium in Civilian Research Reactors (Washington, D.C.: The National Academies Press, 2016), https://www.nap.edu/catalog/21818/reducing-the-use-of-highly-enriched-uranium-in-civilian-research-reactors (accessed October 3, 2018).

    167 During FY19-FY23, NNSA hopes to increase the total from 102 to 123 reactors or isotope facilities converted or shut down. See NNSA, Prevent, Counter, and Respond, p. 2-10.

    168 “Medical Isotope Production in the Netherlands Converted to LEU,” International Panel on Fissile Materials Blog, January 31, 2018, http://fissilematerials.org/blog/2018/01/medical_isotope_productio.html (accessed October 29, 2018).

    169 Belgium is developing a new Multifunctional Research Facility for Innovative Applications (MYRRHA) reactor, scheduled to go online in 2033, to replace the BR2. Belgian Nuclear Research Centre (SCK-CEN), “MYRRHA: Research Reactor in Development,” http://science.sckcen.be/en/Facilities/MYRRHA (accessed December 19, 2018).

    170 Matt O’Connor, “NorthStar May Receive Federal Funding to Produce Mo-99,” Health Imaging, October 8, 2018, supplemented with data provided by NNSA, December 2018.

    171 Data provided by NNSA, December 2018. See also “U.S. Department of Energy’s National Nuclear Security Administration Honors Northstar Medical Radioisotopes as First U.S. Producer of Medical Radioisotope Molybdenum-99 in Nearly 30 Years” (Wisconsin: NorthStar Medical Radioisotopes, October 1, 2018), https://www.marketwatch.com/press-release/us-department-of-energys-national-nuclear-security-administration-honors-northstar-medical-radioisotopes-as-first-us-producer-of-medical-radioisotope-molybdenum-99-in-nearly-30-years-2018-10-01 (accessed October 4, 2018).

    172 Personal communication from Alan Kuperman, November 2018.

    173 The United States has traditionally been the only major supplier of HEU for research and isotope production, but Russia has recently provided HEU to both Germany and Belgium (with fabrication occurring in France) for such purposes, potentially undercutting the leverage offered by the U.S. role as sole supplier. The relevant legislation is the American Medical Isotopes Production Act of 2012 (though enacted early in 2013), text available at https://www.ncbi.nlm.nih.gov/books/NBK396175/ (accessed November 22, 2018). For a useful summary of U.S. supports for non-HEU production as of 2015, see Lynne A. Fairobent, “Ongoing Efforts to Support Reliable Supplies of Mo-99 Produced Without HEU,” presentation to the American Association of Physicists in Medicine, October 29. 2015, http://chapter.aapm.org/nccaapm/z_meetings/2015-10-29_and_10-30/10_THURSDAY_Agenda-and-Presentations/2015-10-29_Fairobent.pdf (accessed November 22, 2018).

    174 Data provided by NNSA, November 2017. Data provided by NNSA eight years earlier estimated larger numbers of sites cleaned out through 2009. See Bunn, Securing the Bomb 2010, pp. 40-41. It may be that counting rules changed: for example, when there were two or more HEU-fueled facilities at the same large site, the earlier data may have counted each separately while the later data may have only counted one when all HEU and separated plutonium was removed from the entire site.

    175 “Report on Removal and Disposition By Working Group 2 Chaired by Argentina,” The Third International Symposium on HEU Minimization (Oslo, Norway, June 5-7, 2018).

    176 For an attempt at a more complete listing of sites with all material removed up to 2009, see Bunn, Securing the Bomb 2010, pp. 40-42.

    177 Data provided by National Nuclear Security Administration, June 2018.

    178 The elimination of all HEU from Argentina made all of South America—indeed, all of the Latin American Nuclear Weapon Free Zone—free of all potential nuclear weapons materials, both HEU and separated plutonium. Similarly, the elimination of the HEU in Indonesia made all of South-East Asia, including all of the countries participating in the Southeast Asian Nuclear Weapon Free Zone, free of potential nuclear weapons materials. On the importance of such zones, see Miles A. Pomper, Andrew J. Bieniawski, and Elena Sokova, The Case for Highly Enriched Uranium-Free Zones (Washington, D.C.: Nuclear Threat Initiative, June 2015), https://www.nti.org/media/pdfs/The_Case_for_Highly_Enriched_Uranium-Free_Zones_Final.pdf (accessed December 20, 2018).

    179 National Nuclear Security Administration, “NNSA Partners with Kazakhstan Research Institute to Remove All of its Highly Enriched Uranium” (Washington, D.C.: National Nuclear Security Administration September 19, 2017), https://www.energy.gov/nnsa/articles/nnsa-partners-kazakhstan-research-institute-remove-all-its-highly-enriched-uranium (accessed October 29, 2018).

    180 “Report on Removal and Disposition By Working Group 2 Chaired by Argentina,” 2018. The 2014 arrangement involved continued U.S. supply of some HEU for reactors until they could convert, and larger European shipments of HEU that was not being used to the United States.

    181 “Report on Removal and Disposition By Working Group 2 Chaired by Argentina,” 2018.

    182 “NNSA Removes All Highly Enriched Uranium from Ghana” (Washington, D.C.: National Nuclear Security Administration, August 29, 2017), https://www.energy.gov/nnsa/articles/nnsa-removes-all-highly-enriched-uranium-ghana (accessed December 3, 2018).

    183 Interviews with NNSA, January 2018.

    184 For planned removal totals, see U.S. Department of Energy, FY 2019 Congressional Budget Request: National Nuclear Security Administration, Vol. 1, DOE/CF-0138 (Washington, D.C.: DOE, February 2018), https://www.energy.gov/sites/prod/files/2018/03/f49/FY-2019-Volume-1.pdf (accessed December 2, 2018), p. 461. The 627 kilogram figure includes some of the 375 kilograms mentioned earlier that has already been removed from Euratom countries; because those removals are not yet complete, and are considered sensitive, NNSA has not included them in its publicly reported totals yet. For a list of countries reducing their weapons-usable material stocks, see “Report on Removal and Disposition By Working Group 2 Chaired by Argentina,” 2018.

    185 Douglas Birch and R. Jeffrey Smith, “South Africa Rebuffs Repeated U.S. Demands That it Relinquish its Nuclear Explosives,” Center for Public Integrity, March 17, 2015, https://www.publicintegrity.org/2015/03/14/16873/south-africa-rebuffs-repeated-us-demands-it-relinquish-its-nuclear-explosives (accessed October 29, 2018).

    186 Quantity of material in South Africa provided by National Nuclear Security Administration, 2016.

    187 U.S. Congress, Government Accountability Office, U.S. Agencies Have Limited Ability to Account for, Monitor, and Evaluate the Security of U.S. Nuclear Material Overseas, GAO-11-920 (Washington, D.C.: GAO, September 2011), https://www.gao.gov/assets/330/323043.pdf (accessed December 2, 2018), p. 14.

    188 Communications with NNSA officials, October and November 2018.

    189 See IAEA, “Communication received from Belgium Concerning its Policies Regarding the Management of Plutonium,” INFCIRC/549/Add.3/17, July 5, 2018, https://www.iaea.org/sites/default/files/publications/documents/infcircs/1998/infcirc549a3-17.pdf (accessed October 1, 2018); IAEA, “Communication received from Switzerland Concerning its Policies Regarding the Management of Plutonium,” INFCIRC/549/Add.4/22, April 3, 2018, https://www.iaea.org/sites/default/files/publications/documents/infcircs/1998/infcirc549a4-22c.pdf (accessed October 1, 2018); and IAEA, “Communication received from Germany Concerning its Policies Regarding the Management of Plutonium,” INFCIRC/549/Add.2/21, April 3, 2018. https://www.iaea.org/sites/default/files/publications/documents/infcircs/1998/infcirc549a2-21.pdf (accessed October 1, 2018). For a detailed overview of these MOX programs, see Alan J. Kuperman, ed., Plutonium for Energy? Explaining the Global Decline of MOX (Austin, Texas: University of Texas at Austin Nuclear Proliferation Prevention Project, 2018), http://sites.utexas.edu/prp-mox-2018/downloads/ (accessed November 24, 2018).

    190 See Alan J. Kuperman, “MOX in the Netherlands: Plutonium as a Liability,” in Kuperman, ed., Plutonium for Energy?, pp. 228-254.

    191 For a recent analysis, see Bunn and Kovchegin, “Nuclear Security in Russia,” pp. 527-551.

    192 Russian statements rarely acknowledge that Russian security experts also visited all of the U.S. nuclear weapons laboratories, the U.S. nuclear weapon assembly and disassembly facility, U.S. facilities where plutonium and HEU are processed, and more.

    193 Interviews with U.S. laboratory experts (and some Russian facility experts), 2014-2017.

    194 See, for example, Leon Aron, “The Coming of the Russian Jihad: Part I,” War on the Rocks, September 23, 2016, https://warontherocks.com/2016/09/the-coming-of-the-russian-jihad-part-i/, and “Part II,” https://warontherocks.com/2016/12/the-coming-of-the-russian-jihad-part-ii/ (accessed November 29, 2018). For a recent incident of the Islamic State apparently planning a major attack in Russia—and unusual U.S.-Russian intelligence cooperation to thwart it — see Andrew E. Kramer, “CIA Helped Thwart Terrorist Attack in Russia, Kremlin Says,” New York Times, December 17, 2017.

    195 “Two Top Managers of Elektrokhimpribor Accused of Bribe-Taking,” Nuclear.ru, August 19, 2015.

    196 «Кусок этого забора выпилили и передали Кириенко» [“A Piece of this Fence was Cut Out and Handed Over to Kirienko”], znak.com, September 11, 2017, https://www.znak.com/2017-09-11/yadernoe_proizvodstvo_rosatoma_na_srednem_urale_okazalos_s_brakovannoy_zachitoy (accessed November 27, 2018). The story has detailed photographs of the faulty fencing in question.

    197 For a previous discussion see Bunn, Malin, Roth, and Tobey, Preventing Nuclear Terrorism, pp. 47-49. For a summary of publicly available information on the topic, see Paul K. Kerr and Mary Beth Nikitin, Pakistan’s Nuclear Weapons (Washington, D.C.: Congressional Research Service, August 1, 2016), https://fas.org/sgp/crs/nuke/RL34248.pdf (accessed November 28, 2018). See also Bruno Tertrais, “Pakistan’s Nuclear and WMD Programmes: Status, Evolution, and Risks” (Brussels: EU Non-Proliferation Consortium, July 2012), https://www.files.ethz.ch/isn/151272/brunotertrais5010305e17790.pdf (accessed November 28, 2018).

    198 See Kerr and Nikitin, Pakistan’s Nuclear Weapons, pp. 18-19. By another account, the total strength of the “security division” of the National Command Authority was 20,000 in 2013, but at that time was headed upward to 28,000. See Naeem Salik and Kenneth N. Luongo, “Challenges for Pakistan’s Nuclear Security,” Arms Control Today, March, 2013, https://www.armscontrol.org/act/2013_03/Challenges-for-Pakistans-Nuclear-Security (accessed November 28, 2018). These tens of thousands of people are not all guards at nuclear facilities, but handle a wide variety of security functions.

    199 Kerr and Nikitin, Pakistan’s Nuclear Weapons, p. 16.

    200 Kerr and Nikitin, Pakistan’s Nuclear Weapons, pp. 20-21.

    201 See Noreen Iftakar and Sitara Noor, “Nuclear Security Education and Training in Pakistan,” International Journal of Nuclear Security, Vol. 3, No. 1 (2017).

    202 “Nuclear Security Summit 2016: National Statement: Pakistan” (Washington, D.C.: The White House, April 1, 2016), http://www.nss2016.org/document-center-docs/2016/4/1/national-statement-pakistan (accessed November 28, 2018).

    203 “Nuclear Security Summit 2014: National Statement: Pakistan” (The Hague: Netherlands Foreign Ministry, March 25, 2014), http://projects.iq.harvard.edu/files/nuclearmatters/files/pakistan_national_statement_0.pdf (accessed November 28, 2018).

    204 The White House, “Nuclear Security Summit 2016: National Statement: Pakistan.”

    205 See, for example, David O. Smith, “The Management of Pakistan’s Nuclear Arsenal,” Nonproliferation Review, Vol. 21, No. 3-4 (2014), pp. 285-286.

    206 The White House, “Nuclear Security Summit 2016: National Statement: Pakistan.”

    207 The White House, “Nuclear Security Summit 2014: National Statement: Pakistan.”

    208 Kerr and Nikitin, Pakistan’s Nuclear Weapons.

    209 David Sanger, Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power (New York: Crown, 2012), p. 62. Pakistani officials have acknowledged participating in such cooperation. See, for example, Nirupama Subramanian, “Pakistan Accepted U.S. Help on N-Plants,” The Hindu, June 22, 2006.

    210 “Remarks by President Trump on the Strategy in Afghanistan and South Asia,” Fort Myer, Arlington, Virginia, August 21, 2017, https://www.whitehouse.gov/briefings-statements/remarks-president-trump-strategy-afghanistan-south-asia/ (accessed January 11, 2019).

    211 Similarly, Gen. Tariq Majid, then chairman of Pakistan’s Joint Chiefs of Staff Committee, said in 2009 that “there is absolutely no question of sharing or allowing any foreign individual, entity or a state, any access to sensitive information about our nuclear assets,” while the year before, Air Commodore Khalid Banuri, then director of arms control and disarmament affairs for Pakistan’s Strategic Plans Division, said that Pakistan only accepted cooperation with the United States that was “non-intrusive.” All quoted in Kerr and Nikitin, Pakistan’s Nuclear Weapons, pp. 18-20.

    212 Quoted in Kerr and Nikitin, Pakistan’s Nuclear Weapons, p. 17.

    213 See, for example, the discussion in Bunn, Malin, Roth, and Tobey, Preventing Nuclear Terrorism, pp. 47-49.

    214 See, for example, Daniel L. Byman, The Changing Nature of State Sponsorhip of Terrorism (Washington, D.C.: Brookings, May 2008), https://www.brookings.edu/wp-content/uploads/2016/06/05_terrorism_byman.pdf.

    215 See Bunn and Sagan, Insider Threats, p. 148.

    216 For a previous assessment, see Bunn, Malin, Roth, and Tobey, Preventing Nuclear Terrorism, pp. 50-52. A summary from an Indian perspective can be found in Rajagopalan, Krishna, Singh, and Biswas, Nuclear Security in India. For a scathing journalistic account, see Levy and Smith, “India’s Nuclear Explosive Materials Are Vulnerable to Theft, U.S. Officials and Experts Say."

    217 Hans M. Kristensen and Matt Korda, “Indian Nuclear Forces: 2018,” Bulletin of the Atomic Scientists, Vol. 74, No. 6 (2018), https://www.tandfonline.com/doi/pdf/10.1080/00963402.2018.1533162?needAccess=true (accessed December 1, 2018), pp. 361-366. On fissile material production from a Pakistani perspective, see Mansoor Ahmed, India’s Nuclear Exceptionalism: Fissile Materials, Fuel Cycles, and Safeguards (Cambridge, Mass.: Project on Managing the Atom, Belfer Center for Science and International Affairs, Harvard Kennedy School, May 2017), https://www.belfercenter.org/sites/default/files/files/publication/India%27s%20Nuclear%20Exceptionalism.pdf (accessed December 1, 2018).

    218 “Countries: India,” International Panel on Fissile Materials, http://fissilematerials.org/countries/india.html, (accessed December 1, 2018).

    219 See “Kalpakkam Fast Breeder Reactor May Achieve Criticality in 2019,” Times of India, September 20, 2018, http://timesofindia.indiatimes.com/articleshow/65888098.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst (accessed November 30, 2018).

    220 Rajagopalan, Krishna, Singh, and Biswas, Nuclear Security in India, 2016, p. 25.

    221 Discussion at workshop on nuclear safety and security, Bengaluru, India, October 2015.

    222 Discussions at international physical protection workshop, Mumbai, India, May 2003.

    223 Rajagopalan, Krishna, Singh, and Biswas, Nuclear Security in India, 2016, p. 31.

    224 Discussions at workshop in Mumbai, India, May 2003.

    225 Levy and Smith, “India’s Nuclear Explosive Materials Are Vulnerable to Theft, U.S. Officials and Experts Say.”

    226 See Jayarajan Kutuvan, “Building Robust Nuclear Security Culture in Nuclear Research Centers,” in Proceedings of the International Conference on Physical Protection of Nuclear Material and Nuclear Facilities (Vienna: IAEA, 2017).

    227 U.S. National Research Council, India-United States Cooperation on Global Security: Summary of a Workshop on Technical Aspects of Civilian Nuclear Materials Security (Washington, D.C.: The National Academies Press, 2013), p. 70.

    228 Discussions with BARC staff, October 2016.

    229 “Global Centre for Nuclear Energy Partnership: School of Nuclear Security Studies,” http://www.gcnep.gov.in/schools/schools.html (accessed December 18, 2018).

    230 Anil Sasi, “Nuclear Safety Regulatory Authority Bill: Statutory Backing Key to Better Safety,” The Indian Express, April 26, 2017, https://indianexpress.com/article/business/business-others/nuclear-safety-regulatory-authority-bill-statutory-backing-key-to-better-safety-4628342/ (accessed November 30, 2018).

    231 “Militants Attack Indian Army Base in Kashmir ‘Killing 17,’” BBC, September 18, 2016, https://www.bbc.com/news/world-asia-india-37399969 (accessed November 30, 2018).

    232 U.S. Department of State, “Joint Statement: The United States and India: Enduring Global Partners in the 21st Century” (Washington, D.C.: June 7, 2016), https://in.usembassy.gov/joint-statement-united-states-india-enduring-global-partners-21st-century-june-7-2016/ (accessed October 29, 2018).

    233 For a useful overview from one of the architects of the summit process, see Laura Holgate, “A Reflective Piece on the Nuclear Security Summits,” in Kutchesfahani, Davenport, and Connolly, The Nuclear Security Summits.

    234 Kutchesfahani, Davenport, and Connolly, The Nuclear Security Summits, p. 3.

    235 Michelle Cann, Kelsey Davenport, and Margaret Balza, The Nuclear Security Summit: Assessment of National Commitments (Washington, D.C.: Arms Control Association and Partnership for Global Security, 2012), https://partnershipforglobalsecurity.org/wp-content/uploads/2013/05/reports_the-nuclear-security-summit-assessment-of-national-commitments_3-13-12_cann-davenport-and-balza.pdf (accessed September 1, 2018).

    236 IAEA, Communication Received from the Netherlands Concerning the Strengthening of Nuclear Security Implementation.

    237 See IAEA, Nuclear Security Report 2018, GOV/2018/36-GC(62)/10 (Vienna: IAEA, August 6, 2018), and the equivalent reports for previous years.

    238 “Action Plan in Support of the International Atomic Energy Agency” (Washington, D.C.: Nuclear Security Summit 2016, April 1, 2016), https://www.belfercenter.org/sites/default/files/legacy/files/nuclearmatters/files/nss_2016_iaea_action_plan.pdf?m=1460488780 (accessed October 1, 2018).

    239 Notably, the plan emphasizes using guidance to “strengthen preventative and protective measures against insider threats at nuclear facilities, including through the use of nuclear material accountancy.”

    240 For a somewhat similar judgment, see Holgate, “A Reflective Piece on the Nuclear Security Summits.” Holgate served from 2016-2017 as U.S. Ambassador to the IAEA and other Vienna-based international organizations, and so saw the IAEA debates first hand.

    241 Perhaps the most significant announcement was that the United States would dilute and dispose of six metrics tons of plutonium, an activity that has far more to do with nuclear disarmament than it does with nuclear security.

    242 See “Ministerial Declaration” (Vienna, Austria: International Conference on Nuclear Security: Enhancing Global Efforts, June 27, 2013), https://www-pub.iaea.org/MTCD/Meetings/PDFplus/2013/cn203/cn203MinisterialDeclaration.pdf (accessed October 29, 2018); “Ministerial Declaration” (Vienna, Austria: International Conference on Nuclear Security: Commitments and Actions, December 2016), https://www.iaea.org/sites/default/files/16/12/english_ministerial_declaration.pdf (accessed October 29, 2018); and “Nuclear Security Summit 2016 Communique” (Washington, D.C., 1 April 2016), https://www.belfercenter.org/sites/default/files/legacy/files/nuclearmatters/files/nuclear_security_summit_2016_communique.pdf?m=1460469255 (accessed October 29, 2018). At the 2016 IAEA meeting, “[a]ccording to one observer, Russia played the role of spoiler, preferring to emphasize national-level responsibilities over international rules.” https://www.armscontrol.org/ACT/2017_01/News/IAEA-Hosts-Nuclear-Security-Meeting. Indeed, the announcement of the already-agreed ministerial statement was held up for most of an hour as delegates worked to convince the Russian representative to drop last-minute objections. Russia, however, was by no means the only country that objected to the statement supporting anything that came from the nuclear security summit process.

    243 See the texts of the two statements, and Holgate, “A Reflective Piece on the Nuclear Security Summits.”

    244 Very few countries have joined onto these INFCIRCs since they were first announced.

    245 For a recent summary of the IAEA’s activities, see IAEA, “Nuclear Security Report 2018,” GOV/2018/36-GC(62)/10 (Vienna: IAEA, August 6, 2018), https://www-legacy.iaea.org/About/Policy/GC/GC62/GC62Documents/English/gc62-10_en.pdf (accessed October 29, 2018).

    246 IAEA, “Nuclear Security Report 2018.” As of the end of June 2018, an additional 19 INSSPs had been completed and were awaiting approval by the relevant states, and three more were still in development.

    247 Discussions with IAEA staff, November 2017, and with Los Alamos, Sandia, and National Nuclear Security Administration staff, May 2018.

    248 Long-awaited IAEA guidance on how to assess security culture at nuclear facilities was finally published in 2017. IAEA, Self-assessment of Nuclear Security Culture in Facilities and Activities, Nuclear Security Series, No. 28 (Vienna: IAEA, 2017), https://www-pub.iaea.org/books/iaeabooks/10983/Self-assessment-of-Nuclear-Security-Culture-in-Facilities-and-Activities (accessed October 1, 2018).

    249 Discussions with Russian physical protection experts, October 2017; IAEA experts, November 2017; and Sandia experts, May 2018.

    250 That work is typically done by the IAEA group supporting research reactors around the world, in the Department of Nuclear Energy, rather than the Division of Nuclear Security.

    251 IAEA, Communication Received from the Netherlands Concerning the Strengthening of Nuclear Security Implementation.

    252 IAEA, Nuclear Security Report 2018, p. 8.

    253 The United Kingdom and France had IPPAS missions in 2011 and the United States had an IPPAS mission in 2013.

    254 The countries with HEU or plutonium that have not had IPPAS missions are Russia, India, Pakistan, Israel, Italy, North Korea, South Africa, Iran, Nigeria, and Syria.

    255 IAEA, Nuclear Security Report 2018.

    256 The IAEA refers to these as Nuclear Security Support Centers (NSSCs).

    257 Data provided by the IAEA, 2017, and from IAEA press releases.

    258 Data provided by the IAEA, 2017, and from IAEA press releases.

    259 “Action Plan in Support of the United Nations” (Washington, D.C.: Nuclear Security Summit 2016, April 1, 2016), https://www.belfercenter.org/sites/default/files/legacy/files/nuclearmatters/files/nss_2016_un_action_plan.pdf?m=1460488776 (accessed October 1, 2018). For a summary of key points from the meeting, see “ICSANT 10th Anniversary Event: Co-Chairs Summary” (New York: United Nations, 2017), https://www.unodc.org/documents/frontpage/2017/ICSANT_5_December_2017_10th_Anniversary_Event_Summary.pdf (accessed December 19, 2018).

    260 Securing our Common Future: An Agenda for Disarmament (New York: United Nations Office for Disarmament Affairs, 2018), https://front.un-arm.org/documents/SG+disarmament+agenda_1.pdf (accessed October 1, 2018).

    261 “Resolution 2325” (New York: United Nations, December 15, 2016), http://unscr.com/en/resolutions/2325 (accessed October 1, 2018).

    262 For one attempt to do so, see Bunn, “’Appropriate Effective’ Nuclear Security and Accounting—What Is It?.”

    263 Office of the Press Secretary, “Nuclear Security Summit 2016 Action Plan in Support of the Global Initiative to Combat Nuclear Terrorism” (Washington, D.C.: The White House, April 1, 2016), https://obamawhitehouse.archives.gov/the-press-office/2016/04/01/nuclear-security-summit-2016-action-plan-support-global-initiative (accessed October 1, 2018).

    264 Global Initiative to Combat Nuclear Terrorism 2017 Plenary Meeting (Tokyo: Joint Co-Chair Statement, June 1, 2017), http://www.gicnt.org/statements/documents/2017-plenary/2017%20GICNT%20Joint%20Co-Chair%20Statement.pdf (accessed October 1, 2018).

    265 “Statement by Khalil Hashmi, Director General (Disarmament), MFA” (Tokyo: GICNT Plenary Meeting, June 2, 2017), http://www.gicnt.org/statements/documents/2017-plenary/Pakistan.pdf (accessed October 1, 2018).

    266 Interview with INTERPOL official, September 2017.

    267 Interview with INTERPOL official, September 2017.

    268 “INTERPOL Written Contribution to the Nuclear Security Summit” (Lyon, France: INTERPOL, March 21, 2016), https://www.belfercenter.org/sites/default/files/legacy/files/nuclearmatters/files/2016_nss_interpol_progress_report.pdf?m=1461084693 (accessed October 1, 2018) and INTERPOL, “Radiological and Nuclear Terrorism” (Lyon, France: INTERPOL, March 2017), https://www.interpol.int/content/download/34610/453663/version/5/file/Radnuc-trifold-EN-web.pdf (accessed October 1, 2018).

    269 “Report on the G8 Global Partnership” (Hokkaido Toyako, Japan: Leaders’ statement, 2008), http://www.g8.utoronto.ca/summit/2008hokkaido/2008-gp.pdf (accessed October 1, 2018). See also Global Partnership Against the Spread of Weapons and Materials of Mass Destruction, “News, Events & Statements,” 2017, https://www.gpwmd.com/events (accessed October 1, 2018).

    270 “Action Plan in Support of the Global Partnership Against the Spread of Weapons and Materials of Mass Destruction” (Washington, D.C.: Nuclear Security Summit 2016, April 1, 2016) (accessed December 19, 2018).

    271 G7 Statement on Non-Proliferation and Disarmament (Lucca: G7, April 11, 2017), http://www.g7italy.it/sites/default/files/documents/NPDG_Statement_Final_0.pdf (accessed October 1, 2018) and “G7 Statement on Non-Proliferation and Disarmament,” 2018, https://g7.gc.ca/en/g7-presidency/themes/building-peaceful-secure-world/g7-ministerial-meeting/g7-foreign-ministers-joint-communique/2018-g7-statement-non-proliferation-disarmament/ (accessed October 1, 2018).

    272 “Report of the Nuclear Safety and Security Group” (Charlevoix: G7 Summit Final Report, 2018), https://g7.gc.ca/wp-content/uploads/2018/07/2018-G7-NSSG-report-FINAL-1.pdf and Nuclear Safety and Security Group (Italy: Italian G7 Presidency Report, 2017), https://www.mofa.go.jp/files/000260025.pdf (accessed October 29, 2018).

    273 IAEA, “Communication dated 24 October 2016 received from the Permanent Mission of Canada concerning the Statement of Principles of the Nuclear Security Contact Group,” INFCIRC/899, November 2, 2016, https://www.iaea.org/sites/default/files/publications/documents/infcircs/2016/infcirc899.pdf (accessed October 1, 2018).

    274 See “Nuclear Security Contact Group,” http://www.nscontactgroup.org/index.php (accessed November 25, 2018).

    275 IAEA, Convention on the Physical Protection of Nuclear Material (Vienna: IAEA, December 2018), https://www-legacy.iaea.org/Publications/Documents/Conventions/cppnm_status.pdf (accessed December 2, 2018).

    276 “Amendment to the Convention on the Physical Protection of Nuclear Material” (Vienna: IAEA, July 25, 2018), https://www-legacy.iaea.org/Publications/Documents/Conventions/cppnm_amend_status.pdf (accessed October 29, 2018).

    277 “International Convention for the Suppression of Acts of Nuclear Terrorism” (New York: United Nations, October 29, 2018), https://treaties.un.org/Pages/ViewDetailsIII.aspx?src=TREATY&mtdsg_no=XVIII-15&chapter=18&Temp=mtdsg3&lang=en (accessed October 29, 2018).

    278 Based on IAEA and UN Data, January 2019

    279 Fundamental Principles F, G, and J, in IAEA, “Amendment to the Convention on the Physical Protection of Nuclear Material”.

    280 Article 8, in “International Convention for the Suppression of Acts of Nuclear Terrorism” (New York: United Nations, 2005), http://treaties.un.org/doc/Treaties/2005/04/20050413%2004-02%20PM/Ch_XVIII_15p.pdf (accessed July 7, 2015).

    281 Samantha Pitts-Kiefer and Michelle Nalabandian, “Strengthening the Convention on the Physical Protection of Nuclear Materials and Nuclear Facilities Regime: A Path Forward” (Washington, D.C.: Nuclear Threat Initiative, 2016), https://www.nti.org/media/documents/IAEA_Conf_2016_Strengthening_CPPNM_Pitts-Kiefer.pdf (accessed October 29, 2018).

    282 For an overall assessment of nuclear security in Russia and how it might evolve, see Matthew Bunn and Dmitry Kovchegin, “Nuclear Security in Russia: Can Progress Be Sustained?,” Nonproliferation Review, Vol. 24, Issue 5-6, 2017, https://scholar.harvard.edu/files/matthew_bunn/files/bunn-kovchegin_penultimate_nuclear_security_in_russia_can_progress_be_sustained.pdf (accessed October 1, 2018).

    283 Critics report, for example, that the U.S. nuclear industry is again proposing to weaken NRC force-on-force exercises. See Ed Lyman, “The NRC’s Security Inspections at Nuclear Power Plants are Again under Attack,” All Things Nuclear, March 21, 2014, https://allthingsnuclear.org/elyman/the-nrcs-security-inspections-at-nuclear-power-plants-are-again-under-attack (accessed October 1, 2018). The U.S. industry has long criticized these exercises as excessively expensive and burdensome. Prior to the 9/11 attacks, as a result of industry-NRC discussions, nuclear facilities were allowed to add more guards for the day of test, and then not maintain those expanded guard forces after the test, so the tests did not genuinely assess the level of security that was in place day-to-day; nevertheless, the defenders failed to protect the plants in about half of the exercises. U.S. Congress, General Accounting Office, Nuclear Regulatory Commission: Oversight of Security at Commercial Nuclear Power Plants Needs to Be Strengthened, GAO-03-752 (Washington, D.C.: GAO, 2003, http://www.gao.gov/new.items/d03752.pdf (accessed July 2, 2015).

    284 As a non-government organization funded by governments, industry, and foundations, with nuclear-operating organizations as its primary audience, WINS arguably sits at the intersection of industry and civil society. Full disclosure: one of the authors (Tobey) is Chairman of the WINS Board of Directors. For more on WINS, see the organization’s website, at http://www.wins.org.

    285 Annual Report: Reaching the Tipping Point (Vienna: The World Institute for Nuclear Security, 2018), https://wins.org/document/annual-report-2018/ (accessed October 29, 2018).

    286 For more on the NISGS, see the organization’s website, at http://www.nisgs.org/.

    287 Personal communications with WINS staff, 2018.

    288 The series of reports that this report continues has been one of the voices warning of remaining nuclear security vulnerabilities and suggesting actions to fill them. In particular, the earlier reports were the first to suggest a four-year effort to secure nuclear material around the world—the most important item agreed to at the first nuclear security summit. See Matthew Bunn and Anthony Wier, Securing the Bomb: An Agenda for Action (Cambridge, Mass., and Washington, D.C.: Project on Managing the Atom, Belfer Center for Science and International Affairs, Harvard Kennedy School, and Nuclear Threat Initiative, 2004), http://www.nti.org/media/pdfs/Securing_The_Bomb_2004.pdf (accessed on December 20, 2018).

    289 For more on the FMWG, see the organization’s website, at https://armscontrolcenter.org/fmwg/. Full disclosure: one of the authors (Bunn) is a member of the FMWG’s Steering Committee.

    290 Kutchesfahani, Davenport, and Connolly, The Nuclear Security Summits, p. 3.

    291 IAEA, Nuclear Security Report 2018, p. 17.

    292 Data from WINS Academy website, https://wins.org/wins-academy/ (accessed December 22, 2018).

    293 World Institute for Nuclear Security, Annual Report: Reaching the Tipping Point.

    294 The first nuclear security regulators’ conference was sponsored by the U.S. Nuclear Regulatory Commission, in December 2012 (see http://www.nrcsecurityconference.org/), while the second was sponsored by the Spanish nuclear regulatory agency, in May 2016 (http://csnsecurityconference.org/).

    295 For a similar argument, see Holgate, “A Reflective Piece on the Nuclear Security Summits.”

    296 “Remarks by President Obama and Prime Minister Rutte at Opening Session of the Nuclear Security Summit” (Washington, D.C.: The White House, April 1, 2016), https://obamawhitehouse.archives.gov/the-press-office/2016/04/01/remarks-president-obama-and-prime-minister-rutte-opening-session-nuclear (accessed October 29, 2018).

    297 “Remarks by President Trump on the Strategy in Afghanistan and South Asia” (Arlington, VA: The White House, August 21, 2017), https://www.whitehouse.gov/briefings-statements/remarks-president-trump-strategy-afghanistan-south-asia/ (Accessed January 11, 2019).

    298 Andrea Hall, “Universalization of the CPPNM and its Amendment” (Vienna, Austria: Speech for IAEA Physical Protection Conference, November 13, 2017) and Christopher Ford, “Countering Nuclear Terrorism and the Trump Administration’s Agenda (Washington, D.C.: Hudson Institute, November 14, 2017) https://www.hudson.org/research/14009-christopher-ford-s-remarks-countering-nuclear-terrorism-and-the-trump-administration-s-agenda (accessed January 11, 2019).

    299 Nuclear Posture Review, 2018, pp. 66-67.

    300 Saving coal and nuclear plants has been a priority since early in the Trump administration. Early initiatives failed, however—such as an effort to force the Federal Energy Regulatory Commission to require electricity market operators to write rules that would subsidize all nuclear and coal plants. President Trump reiterated the importance of the issue to Perry in mid-2018. See, for example, Eric Wolff, “Trump Calls for Coal, Nuclear Plant Bailout,” Politico, June 1, 2018, https://www.politico.com/story/2018/06/01/donald-trump-rick-perry-coal-plants-617112 (accessed October 29, 2018).

    301 For a defense of the administration’s approach to international institutions, see Mike Pompeo, “Restoring the Role of the Nation-State in the Liberal International Order,” remarks to the German Marshall Fund, Brussels, December 4, 2018, https://www.state.gov/secretary/remarks/2018/12/287770.htm (accessed December 21, 2018).

    302 Laura S.H. Holgate was the first official in that position, followed by Andrea G. Hall.

    303 IAEA, “International Physical Protection Advisory Service (IPPAS): Draft Follow-up Mission Report: Sweden,” p. 7.

    304 See National Strategy for Countering WMD Terrorism (Washington, DC: The White House, December 2018), https://www.whitehouse.gov/wp-content/uploads/2018/12/20181210_National-Strategy-for-Countering-WMD-Terrorism.pdf (accessed January 9, 2019). This WMD counter-terrorism strategy only discusses nuclear security briefly; the nuclear security strategy itself has not been released. A Trump administration official outlined the nuclear security strategy off the record at a meeting sponsored by the Arms Control Association in October 2017. Christopher Ford, then Senior Director for Weapons of Mass Destruction and Counterproliferation on the NSC staff, provided a broad overview of the approach on the record: “Countering Nuclear Terrorism and the Trump Administration’s Agenda,” Hudson Institute, November 14, 2017, https://www.hudson.org/research/14009-christopher-ford-s-remarks-countering-nuclear-terrorism-and-the-trump-administration-s-agenda (accessed October 29, 2018). While work on the strategy continued into 2018, by late 2018 it had been completed. Nevertheless, months later, elements of the strategy were still being debated. Interviews with NSC officials, February and May 2018.

    305 This gap has become less important as a number of HEU-fueled reactors have shut down on their own. Most of the remaining HEU-fueled reactors outside of Russia (and some inside Russia) are heavily used and will likely be operated for as long as they safely can be.

    306 Bunn and Roth, “The Effects of a Single Terrorist Nuclear Bomb.”

    307 Nickolas Roth, Matthew Bunn, and William H. Tobey, “Rhetoric Aside, the US Commitment to Preventing Nuclear Terrorism is Waning,” The Hill, April 19, 2018, https://thehill.com/opinion/national-security/383596-rhetoric-aside-the-us-commitment-to-preventing-nuclear-terrorism-is (accessed October 29, 2018).

    308 The Departments of Defense, State, and Homeland Security all have relevant efforts underway as well, but on much smaller scales. The Department of Defense’s (DOD’s) Cooperative Threat Reduction (CTR) program used to finance large efforts in Russia on security for nuclear weapon storage and transport and construction of a huge storage facility for fissile material from dismantled weapons at the Mayak Production Association in Ozersk. DOD’s work in Russia ended with the expiration of the CTR umbrella agreement with Russia in 2013, and DOD’s current work on helping other countries with nuclear security is quite limited, including, in recent years, some support to China’s Center of Excellence and some efforts to help countries better patrol coasts to interdict nuclear smuggling. The State Department funds a small effort known as the Partnership for Nuclear Security, which organizes training and workshops on nuclear security issues for a number of countries, provides most of the U.S. funding for the IAEA (including funding for nuclear security), and manages U.S. participation in initiatives such as the Global Partnership and GICNT. The Department of Homeland Security’s Domestic Nuclear Detection Office (DNDO) helps develop improved radiation detectors and is responsible (in coordination with other agencies) for laying out a global nuclear detection “architecture” that the United States will help put in place—but NNSA has played the lead role in actually funding the installation of detectors in foreign countries. The Department of Homeland Security also operates detectors at U.S. borders and at chosen locations within the United States, and cooperates with customs agencies in other countries to reduce the risk that containers shipped to the United States might contain nuclear or radiological materials or other dangerous illicit items.

    309 The Global Materials Security program includes the Office of Nuclear Security, the Office of Radiological Security (both of which we count as “nuclear security” funding), and Nuclear Smuggling Detection and Deterrence (NSDD, formerly Second Line of Defense), which we count as focused on the next layer of defense when security at nuclear sites and transports has failed.

    310 See discussion of these funding issues in Matthew Bunn, Martin B. Malin, Nickolas Roth, and William H. Tobey, Preventing Nuclear Terrorism: Continuous Improvement or Dangerous Decline? (Cambridge, MA: Project on Managing the Atom, Belfer Center for Science and International Affairs, Harvard Kennedy School, 2016), pp. 81-86.

    311 Based on data from Department of Energy budget requests FY 2009−FY 2019, see “Budget (Justification & Supporting Documents),” https://www.energy.gov/cfo/listings/budget-justification-supporting-documents (accessed October 29, 2018). From 2009 to 2015, the programs we count as “Nuclear Theft Prevention Programs” included the Global Threat Reduction Initiative, International Material Protection and Cooperation (excluding Second Line of Defense, which focused on stopping nuclear smuggling rather than improving security for nuclear materials and facilities), and International Nuclear Security. As a result of the 2016 reorganization of NNSA non-proliferation programs, several of these programs were renamed, but the underlying programs remain largely the same, making it possible to come very close to apples-to-apples comparisons. After fiscal year 2015, the programs we include in our accounting of nuclear security programs include Material Management and Minimization (excluding plutonium and HEU disposition) and Global Material Security (excluding Nuclear Smuggling Detection and Deterrence, the successor to Second Line of Defense).

    312 Based on data from Department of Energy budget requests FY 2013−FY 2019.

    313 Based on data from DOE budget requests, see “Budget (Justification & Supporting Documents),” https://www.energy.gov/cfo/listings/budget-justification-supporting-documents (accessed October 29, 2018).

    314 U.S. Department of Energy, FY 2019 Congressional Budget Request: National Nuclear Security Administration, Vol. 1, DOE/CF-0138 (Washington, D.C.: DOE, February 2018), https://www.energy.gov/sites/prod/files/2018/03/f49/FY-2019-Volume-1.pdf (accessed December 2, 2018), pp. 450-451.

    315 John Donnelly, “US Spending Less to Secure World’s Nuclear Bomb Materials,” Roll Call, July 2, 2018, https://www.rollcall.com/news/policy/u-s-spending-less-secure-worlds-nuclear-bomb-materials (accessed December 3, 2018).

    316 See, for example, Lyman, “Nuclear Plant Security on the 15th Anniversary of 9/11: The Need to Remain Vigilant.”

    317 See, for example, Matthew Bunn, “Comment on Proposed Rule on Enhanced Security at Nuclear Fuel Cycle Facilities; Special Nuclear Material Transportation; Docket NRC-2014-0118” (Rockville, Md.: Nuclear Regulatory Commission, October 17, 2014), http://pbadupws.nrc.gov/docs/ML1429/ML14293A636.pdf (accessed August 30, 2015).

    318 U.S. Congress, Joint Explanatory Statement of the Committee of Conference, Energy and Water, Legislative Branch, and Military Construction and Veterans Affairs Appropriations Act, 2019 (H.R. 5895), 115th Congress, 2018, p. 50.

    319 For earlier recommendations, on which this chapter draws, see Matthew Bunn, Martin B. Malin, Nickolas Roth, and William H. Tobey, Preventing Nuclear Terrorism: Continuous Improvement or Dangerous Decline? (Cambridge, MA: Project on Managing the Atom, Belfer Center for Science and International Affairs, Harvard Kennedy School, 2016), pp. 96-132. https://www.belfercenter.org/sites/default/files/legacy/files/PreventingNuclearTerrorism-Web.pdf (accessed October 29, 2018), pp. 96-132.

    320 For one recent account, see Bunn and Roth, “The Effects of a Single Terrorist Nuclear Bomb.”

    321 These tests are mentioned briefly in Tenet, At the Center of the Storm: My Years at the CIA, p. 275; Mowatt-Larssen, Al Qaeda Weapons of Mass Destruction Threat: Hype or Reality?, p. 15.

    322 See the description in David Beresford, Truth Is a Strange Fruit: A Personal Journey through the Apartheid War (Auckland Park, South Africa: Jacana Media, 2010), pp. 102-107

    323 See, for example, “Russia: Criminals Indicted for Selling Mercury as Weapons-Grade Plutonium,” trans. U.S. Department of Commerce, Izvestiya, October 11, 2003; “Plutonium Con Artists Sentenced in Russian Closed City of Sarov,” NIS Export Control Observer, November 2003, http://cns.miis.edu/observer/pdfs/ob_0311e.pdf (accessed July 7, 2015).

    324 Bunn and Harrell, Threat Perceptions and Drivers of Change in Nuclear Security around the World: Results of a Survey.

    325 For a discussion of INPO and its sharing of incident information, see Joseph V. Rees, Hostages of Each Other: The Transformation of Nuclear Safety Since Three Mile Island (Chicago.: University of Chicago Press, 1996).

    326 For a public summary of the ITDB, see IAEA, “IAEA Incident and Trafficking Database (ITDB): 2017 Fact Sheet” (Vienna: IAEA, 2017).

    327 For example, the U.S. Transportation Security Administration’s Office of Intelligence, in conjunction with the National Counterterrorism Center, produces transportation-related threat assessments, threat assessments for specific events, weekly intelligence reporting, suspicious incident reports, and analysis on trends, incidents, and tactics. See Bart Elias, National Aviation Security Policy, Strategy, and Mode-Specific Plans: Background and Considerations for Congress (Washington, D.C.: Congressional Research Service, February 2, 2009), https://fas.org/sgp/crs/homesec/RL34302.pdf (accessed November 5, 2018).

    328 See Financial Services Information Sharing and Analysis Center, “About FS-ISAC,” no date, https://www.fsisac.com/about. For an analysis, see, for example, Scott E. Jasper, “U.S. Cyber Threat Intelligence Sharing Frameworks,” International Journal of Intelligence and Counterintelligence, Vol. 30 (2017), pp. 53-65, https://calhoun.nps.edu/bitstream/handle/10945/50768/Jasper_US_Cyber_Threat_2017.pdf?sequence=1 (accessed October 29, 2018).

    329 “Casinos Across US Using Intelligence Network to Beat Cheaters,” Associated Press, September 22, 2013, https://www.foxnews.com/us/casinos-across-us-using-intelligence-network-to-beat-cheaters (accessed October 29, 2018).

    330 Matthew Bunn and Kathryn M. Glynn, “Preventing Insider Theft: Lessons from the Casino and Pharmaceutical Industries,” Journal of Nuclear Materials Management Vol. 41 No. 3 (Spring 2013): pp. 4-16.

    331 For an interesting first step in this direction, see Lafleur, Purvis, Roesler, and Westland, The Perfect Heist. David Ek of Sandia National Laboratories has worked with the U.S. National Consortium for the Study of Terrorism and Responses to Terrorism (START) to help several countries develop assessments of capabilities and tactics of potential adversaries who might threaten their nuclear or radiological facilities based on open-source reporting on non-nuclear incidents in particular regions. See A. Mastauskas et al., “An Approach to Develop a DBT-Like Threat Statement Using Open-Source Adversary Data,” in Proceedings of the International Conference on Nuclear Security: Commitments and Actions (Vienna: IAEA, 2016).

    332 Mowatt-Larssen, Al Qaeda Weapons of Mass Destruction Threat: Hype or Reality?

    333 U.S. Congress, House, Committee on Government Oversight and Reform, “Iran: Reality, Options and Consequences, Part 2—Negotiating with the Iranians: Missed Opportunities and Paths Forward,” 110th Cong., 1st sess., November 7, 2007, https://www.gpo.gov/fdsys/pkg/CHRG-110hhrg50111/pdf/CHRG-110hhrg50111.pdf (accessed November 5, 2018), p. 29.

    334 Rolf Mowatt-Larssen, personal communication, February 2018.

    335 William H. Tobey and Rolf Mowatt-Larssen, “The Armageddon Test: To Prevent Nuclear Terrorism, Follow the Uranium” (Cambridge, Mass.: U.S.-Russia Initiative to Prevent Nuclear Terrorism, Belfer Center for Science and International Affairs, Harvard Kennedy School, July 26, 2010), https://www.belfercenter.org/publication/armageddon-test-prevent-nuclear-terrorism-follow-uranium (accessed October 29, 2018).

    336 The following discussions draws in part on an earlier paper: Bunn et al., “Key Steps for Continuing Nuclear Security Progress.”

    337 For discussion, see Bunn, Roth, and Tobey, “Protecting Nuclear Materials and Facilities against the Full Spectrum of Plausible Threats.”

    338 For an earlier argument on these lines, see Matthew Bunn and E.P. Maslin, “All Stocks of Weapons-Usable Nuclear Materials Worldwide Must be Protected Against Global Terrorist Threats,” Journal of Nuclear Materials Management, Vol. 39, No. 2 (Winter 2011), pp. 21-27.

    339 Bunn and Sagan, eds., Insider Threats.

    340 IAEA, Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities.

    341 IAEA, Nuclear Security Culture: Implementing Guide, No. 7 (Vienna: IAEA, 2008), http://www-pub.iaea.org/MTCD/publications/PDF/Pub1347_web.pdf (accessed May 26, 2018); World Institute for Nuclear Security, WINS International Best Practice Guide 1.4: Nuclear Security Culture.

    342 Approaches to carrying out such assessments can be found in IAEA, Self-Assessment of Nuclear Security Culture in Facilities and Activities, No. 28-T (Vienna: IAEA, 2017), https://www-pub.iaea.org/MTCD/Publications/PDF/PUB1761_web.pdf (accessed May 26, 2018); World Institute for Nuclear Security, Wins International Best Practice Guide 1.4: Nuclear Security Culture.

    343 Matthew Bunn and Eben Harrell, Consolidation: Thwarting Nuclear Theft (Cambridge, MA: Project on Managing the Atom, Belfer Center for Science and International Affairs, Harvard Kennedy School 2012), http://belfercenter.ksg.harvard.edu/publication/21818/consolidation.html (accessed 21 May 2015).

    344 See, for example, World Institute for Nuclear Security, Corporate Governance Arrangements for Nuclear Security (Vienna: WINS, 2018). See also Lovely Umayam, Kathryn Rauhut, and Jacquelyn Kempfer, Lifting the Lid on Nuclear Liability (Washington, D.C.: Stimson Center, January 2018), https://spark.adobe.com/page/ZeWgo09ShxGr7/ (accessed June 2, 2018).

    345 Matthew Bunn, “Incentives for Nuclear Security,” in Proceedings of the 46th Annual Meeting of the Institute for Nuclear Materials Management, Phoenix, Ariz., July 10-14, 2005 (Northbrook, Ill.: INMM, 2005, http://belfercenter.ksg.harvard.edu/files/inmm-incentives2-05.pdf (accessed July 7, 2015).

    346 This description of the roles of global governance draws on presentations by John Ruggie, Harvard Kennedy School.

    347 The United States has, however, sometimes pressured countries to improve security for nuclear material by threatening to withhold future nuclear supplies, and in a few cases has applied other diplomatic pressures as well. In a 2012 survey of nuclear security experts from 18 countries, experts from four countries indicated that the “conclusion that changes were necessary for continued supply from a nuclear supplier” was one of the dominant causes of recent steps to strengthen nuclear security in their country. Bunn and Harrell, Threat Perceptions and Drivers of Change in Nuclear Security around the World: Results of a Survey, p. 28.

    348 For an earlier assessment of this issue, see Bunn, Malin, Roth, and Tobey, Preventing Nuclear Terrorism, pp. 127-129.

    349 U.S. Department of State, “Joint Statement: The United States and India: Enduring Global Partners in the 21st Century” (Washington, D.C., June 7, 2016), https://in.usembassy.gov/joint-statement-united-states-india-enduring-global-partners-21st-century-june-7-2016/ (accessed October 29, 2018).

    350 Discussion with European participant in the Nuclear Security Contract Group, June 2018.

    351 Samantha Pitts-Kiefer and Michelle Nalabandian, “Strengthening the Convention on the Physical Protection of Nuclear Materials and Nuclear Facilities Regime: A Path Forward” (Washington, D.C.: Nuclear Threat Initiative, 2016), https://www.nti.org/media/documents/IAEA_Conf_2016_Strengthening_CPPNM_Pitts-Kiefer.pdf (accessed October 29, 2018).

    352 For one argument as to what effective systems require, see Bunn, “’Appropriate Effective’ Nuclear Security and Acounting—What Is It?.”

    353 For a more detailed account of what such a commitment might include, see Bunn, Malin, Roth, and Tobey, Preventing Nuclear Terrorism, pp. 100-102.

    354 IAEA, Communication Received from the Netherlands Concerning the Strengthening of Nuclear Security Implementation; IAEA, Communication Dated 22 December 2016 Received from the Permanent Mission of the United States of America Concerning a Joint Statement on Mitigating Insider Threats; IAEA, Communication Received from the Permanent Mission of Norway Concerning a Joint Statement on Minimizing and Eliminating the Use of Highly Enriched Uranium in Civilian Applications; IAEA, Communication Dated 20 December 2016 Received from the Permanent Mission of France Concerning a Joint Statement on Strengthening the Security of High Activity Sealed Radioative Sources, INFCIRC/910 (Vienna: IAEA, 2017, https://www.iaea.org/sites/default/files/publications/documents/infcircs/2017/infcirc910.pdf (accessed July 6, 2018).

    355 Matthew Bunn, “Rebuilding U.S.-Russian Nuclear Security Cooperation,” Nuclear Security Matters, January 22, 2015, http://nuclearsecuritymatters.belfercenter.org/blog/rebuilding-us-russian-nuclear-security-cooperation (accessed December 18, 2018) and Matthew Bunn, “Russia Puts a Positive Spin on Nuclear Security Cooperation—Which Is Good,” Nuclear Security Matters, January 23 2015, http://nuclearsecuritymatters.belfercenter.org/blog/russia-puts-positive-spin-nuclear-security-cooperation-%E2%80%93-which-good (accessed on January 18, 2016).

    356 See Kingston Reif, “Russia Suspends Plutonium Agreement,” Arms Control Today, November 2016, https://www.armscontrol.org/ACT/2016_11/News/Russia-Suspends-Plutonium-Agreement (accessed October 29, 2018).

    357 Matthew Bunn and Dmitry Kovchegin, “Nuclear Security in Russia: Can Progress Be Sustained?,” Nonproliferation Review, Vol. 24, Issue 5-6, 2017, https://scholar.harvard.edu/files/matthew_bunn/files/bunn-kovchegin_penultimate_nuclear_security_in_russia_can_progress_be_sustained.pdf (accessed October 1, 2018).” pp. 527-551.

    358 Remarks to workshop on U.S.-Russian nuclear cooperation, Moscow, February 2016.

    359 Simon Saradzhyan and William H. Tobey, “U.S.-Russian Space Cooperation: A Model for Nuclear Security,” Bulletin of the Atomic Scientists, March 7, 2017, https://thebulletin.org/2017/03/us-russian-space-cooperation-a-model-for-nuclear-security/ (accessed October 29, 2018).

    360 For a broader set of nuclear security suggestions, see Matthew Bunn, “Steps for Rebuilding U.S.-Russian Nuclear Security Cooperation,” in Proceedings of the 58th Annual Meeting of the Institute for Nuclear Materials Management, July 16-20, 2017 (Mount Laurel, NJ: INMM, 2017).

    361 For joint U.S.-Russian suggestions in these areas, see Pathways to Cooperation: A Menu of Potential U.S.-Russian Cooperative Projects in the Nuclear Sphere (Washington, D.C.: Nuclear Threat Initiative and Center for Energy and Security Studies, February 2017), https://www.nti.org/media/documents/Pathways_to_Cooperation_FINAL.pdf (accessed October 29, 2018). For an account of the remarkable work U.S.-Russian lab-to-lab cooperation accomplished in the 1990s and early 2000s, see Siegfried S. Hecker, Doomed to Cooperate: How American and Russian Scientists Joined Forces to Avert Some of the Greatest Post-Cold War Nuclear Dangers (Los Alamos, NM: Bathtub Row Press, 2016).

    362 For a description of the NISGS, see its web page, http://www.nisgs.org/. One of the authors (Tobey) is chairman of the board of WINS.

    363 For a description of the FMWG, see its web page, https://armscontrolcenter.org/fmwg/. The authors have all been involved with the FMWG, and one (Bunn) is a member of the group’s steering committee.

    364 For detailed recommendations, see Bunn, Malin, Roth, and Tobey, Preventing Nuclear Terrorism, pp. 124-127.

    365 To understand the scope of the Convention on Nuclear Safety reports, see, for example, The People’s Republic of China: The Seventh National Report Under the Convention on Nuclear Safety (2013-2015) (Beijing: National Nuclear Safety Administration, June 2016), http://nnsa.mep.gov.cn/gjhz_9050/gjgybg/201703/P020170331275561956767.pdf (accessed October 29, 2018).

    366 The openly published version of the U.S. NRC physical protection regulations, for example, include the requirement that facilities with Category I material be protected against a group of well-armed, well-trained outsiders, capable of operating as multiple teams, using “determined violent external assault, attack by stealth, or deceptive actions, including diversionary actions,” with either active or passive help from a knowledgeable insider; an insider acting alone; and cyber attacks. Outsiders might have land or sea vehicles, and might use vehicle-borne bombs, such as truck bombs. See Paragraph 73.1 in U.S. Nuclear Regulatory Commission, “Part 73: Physical Protection of Plants and Materials,” in Title 10, Code of Federal Regulations (Washington, D.C.: U.S. Government Printing Office, 2015), http://www.nrc.gov/reading-rm/doc-collections/cfr/part073/ (accessed July 4, 2018).

    367 Congress appears to take a similar view of the need. In the defense bill passed in 2017, Congress asked the JASON group of scientific advisors on national security to “assess and recommend improvements to the strategies of the United States for preventing, countering, and responding to nuclear and radiological terrorism,” including specifically making recommendations for “(1) closing technical, policy, or resource gaps; (2) improving cooperation and appropriate integration among Federal entities and Federal, State, and tribal governments; (3) improving cooperation between the United States and other countries and international organizations; and (4) other important matters identified by JASON that are directly relevant to the strategies of the United States” for reducing the risks of nuclear and radiological terrorism. See Section 3137 in U.S. Congress, House of Representatives, National Defense Authorization Act for Fiscal Year 2018: Conference Report (Washington, D.C.: Government Printing Office, 2017), https://www.gpo.gov/fdsys/pkg/CRPT-115hrpt404/pdf/CRPT-115hrpt404.pdf (accessed January 9, 2019). As of late 2018, no report from JASON on this topic had been released.

    368 Dwight D. Eisenhower, “Remarks at the National Defense Executive Reserve Conference,” November 14, 1957, http://www.presidency.ucsb.edu/ws/?pid=10951 (accessed October 29, 2018).

    369 In 2017, Congress directed the JASON defense advisory group to outline what such a comprehensive nuclear security plan might include. See U.S. Congress, House of Representatives, National Defense Authorization Act for Fiscal Year 2018: Conference Report (to accompany H.R. 2810), 115th Congress, 1st sess., Section 3137, November 9, 2017, https://www.congress.gov/congressional-report/115th-congress/house-report/404/1?overview=closed (accessed November 25, 2018).

    370 National Strategy for Counterterrorism of the United States of America (Washington, D.C.: The White House, October 2018), https://www.whitehouse.gov/wp-content/uploads/2018/10/NSCT.pdf (accessed January 9, 2019), p. 11.

    371 For some countries, such as Japan, no legal basis exists for exchanging sensitive information related to the design basis threat, and new accords might be needed.

    372 The IAEA also needs to ensure that is has adequate capacity to provide other nuclear security review services, such as the International Nuclear Security Review Service (INServ), which takes a broader but less in-depth look at countries’ nuclear security arrangements. These are especially useful for countries at an earlier stage of putting their nuclear security infrastructure in place; most IAEA member states have already received an INServ mission and have adopted a resulting Integrated Nuclear Security Support Plan.

    373 Matthew Bunn, Securing the Bomb 2010, pp. 106-109. For a joint U.S.-Russian view, see Matthew Bunn et al., Steps to Prevent Nuclear Terrorism: Recommendations Based on the U.S.-Russia Joint Threat Assessment (Cambridge, Mass.: Belfer Center for Science and International Affairs, Harvard Kennedy School, and Institute for U.S. and Canadian Studies, 2013, http://belfercenter.hks.harvard.edu/files/JTA%20eng%20web2.pdf (accessed January 18, 2016).

    374 See, for example, discussion in George Tenet, At the Center of the Storm: My Years at the CIA (New York: HarperCollins, 2007), pp. 259-280

    375 Radiation detection is the principal focus of the National Nuclear Security Administration’s (NNSA’s) Nuclear Smuggling Detection and Deterrence program (formerly known as the Second Line of Defense), of one of the working groups of the Global Initiative to Combat Nuclear Terrorism (GICNT), and of a portion of the IAEA Division of Nuclear Security’s effort.

    376 For arguments focused on states using terrorists to carry out attacks on the state’s behalf, see Keir A. Lieber and Daryl G. Press, “Why States Won’t Give Nuclear Weapons to Terrorists,” International Security 38, no. 1 (Summer 2013). For a somewhat broader set of arguments on state provision being a small portion of the overall risk, see Matthew Bunn, “A Mathematical Model of the Risk of Nuclear Terrorism,” Annals of the American Academy of Political and Social Science 607 (September 2006).

    377 Nuclear forensics is the subject of another of the GICNT working groups.

    378 Such responses are the principal focus of NNSA’s Nuclear Counterterrorism and Incident Response program, and are the focus of the third of the GICNT working groups.

    Recommended citation

    Bunn, Matthew, Nickolas Roth and William H. Tobey. “Revitalizing Nuclear Security in an Era of Uncertainty.” Belfer Center for Science and International Affairs, Harvard Kennedy School, January 2019