
2.1 An Indian Perspective

Nuclear security is a global challenge that gained great attention following the September 11 terrorist attacks in the United States. Since then, there has been a genuine fear that terrorists might get hold of nuclear and radiological materials and use them in attacks, with disastrous consequences. There have been some concerted efforts to secure global nuclear and radiological materials, but there are still impediments to developing an effective nuclear security regime. Nevertheless, this is an area that has seen reasonable progress despite some hesitations in the initial stages in certain quarters. There has been generally broad support for nuclear security because all states agree that it is a key challenge and an equal threat to every state. For instance, even states that have engaged in cross-border terrorism have agreed that this is a threat because terrorist groups could threaten the very states that have supported them, or these states could be blamed for sponsoring a nuclear or radiological attack, should there be an attack by their client groups. Therefore, this is an area that has seen large-scale consensus among states in working out institutional and legal mechanisms to address the threat effectively.

While there are several challenges to ensuring effective nuclear security, insider threats have emerged as one of the most significant challenges over the past decade.Footnote 1 It is particularly challenging in nuclear and other vital installations because it is almost impossible to imagine that one of your own could be a threat to the organization or the country, which leads to “blindness” in recognizing this threat. Nevertheless, even a cursory look at the numbers is evidence of the seriousness of the insider threat in these high-security premises. Insider threats are also critical because, rare as they may be, they could impose serious costs in terms of economic, environmental, and human security. Almost all the recent cases of nuclear thefts or losses of highly enriched uranium (HEU) and plutonium (Pu) have had an insider committing the crime or helping someone else commit the crime, and that should set the alarm bells ringing. Insider threats from disgruntled employees have been a well-known occurrence globally.Footnote 2

This chapter looks at the challenge of insider threat from an Indian perspective, India’s approach to addressing the threat, the challenges of ensuring trustworthiness among employees, and concludes with ways to strengthen measures that could be useful in addressing insider threats.

2.1.1 Why and How Significant Is the Insider Threat?

Attention to the human factor in the context of nuclear security comes with the recognition that “the best equipment in the world is no better than its operator. Nor can the best written directives in the world compensate for apathy or technical incompetence in the workforce.”Footnote 3 The human factor can be on a correct and secure path only with the right institutional culture of security. Therefore, the insider threat, with the human element at its core, goes hand in hand with security culture. The importance of security culture in the context of avoiding complacency cannot be ignored. A lack of incidents otherwise tends to provide a false sense of security and comfort that all is well in a facility and that there will be no insider threats. Prevalence of a positive security culture within a facility is critical in addressing complacency. Complacency and weak security culture can be a dangerous combination, adding to the security vulnerability of a facility. The break-in at the Y-12 nuclear facility in the United States in July 2012 by an 82-year-old nun and two protesters is a reflection of such complacency and weak security culture.Footnote 4

Insider threat is significant because the insider in question has knowledge of the facility, its strengths and weaknesses, as well as the vulnerabilities that can be exploited. Insiders are authorised employees who enjoy access to the multiple layers of a security system. The fact that insiders are known colleagues and trusted, authorised employees makes them immune to any suspicion from colleagues. The further fact that they have complete knowledge of a facility’s operations, its security systems, and its nuclear material accounting practices gives them enormous advantages over an outside adversary, who would not normally be privy to such knowledge. Therefore, insiders are considered possibly the most serious threat to critical infrastructure including nuclear facilities. An insider enjoys tremendous benefits as compared to an outsider because an insider knows how to circumvent and bypass certain processes that are put in place to mitigate the multiple threats. Insiders can also gain knowledge through training and experience. Therefore, for nuclear security purposes, the behaviour of individuals is as important as, or even more critical than, the technologies and processes that manage security at a nuclear facility.

Given this vast knowledge and access, an insider is also able to plan an operation over a prolonged period in order to remove all hindrances and ensure a successful outcome. Insiders also enjoy the benefit of observing and studying the practices and approaches in use, which gives them the advantage of choosing their target area or material, as well as the best time to engage in a malicious act, with greater care. Insider threats become even more significant if an insider colludes with an outsider. It must also be added that an insider can be anyone within a nuclear facility. The threat can come from a senior scientist, a junior staff member, or a janitor at a nuclear facility. Designations and positions or the longevity of an employee within an organisation do not determine if a person can engage in a malicious act or not. Therefore, developing effective controls in addressing insider threat is that much more challenging because senior employees have access to every part of a facility and to all the knowledge and sensitive data. It is also an extremely difficult challenge because human behaviour is complex and there could be many different motivations that influence an insider to commit such a malicious act.

There are other challenges as well in addressing an insider threat. Cognitive dissonance, perception bias, and a notion within the hierarchy of an organisation that they have everything under control and that their facility has fail-proof mechanisms can lead to ignoring any warning signs that may become evident.Footnote 5 Matthew Bunn and Scott Sagan note that assumptions like “Serious Insider Problems are NIMO (Not In My Organization)” are factors that can lead security officials to ignore the potential insider threat in a nuclear facility.Footnote 6 Organisational dysfunction is also a factor that could impede the process of reporting in case of any abnormal behaviour and activities. Therefore, one also needs to look at ways to create institutional incentives for employees, so they feel encouraged to report on any warning signs within a plant or when they notice any odd or suspicious behaviour outside work hours in their social lives. In the absence of such incentives, even the most obvious signs can be misread and ignored, to the peril of the plant.

There are a number of cases that reflect these systemic loopholes and vulnerabilities.Footnote 7 For instance, one of the earlier incidents occurred at the Koeberg nuclear power plant in South Africa when “an insider placed explosives directly on the steel pressure vessel head of a nuclear reactor and then detonated them” in 1982 (but before the plant went operational) to protest apartheid.Footnote 8 More recently, a French physicist employed at the European Organisation for Nuclear Research offered to assist an al-Qaeda associate to carry out terrorist attacks in France in 2012.Footnote 9 In yet another case in Europe, in 2014, a disgruntled employee at the Doel nuclear power plant forced a shutdown of the reactor by intentionally draining out the lubricant of its turbine, resulting in damage of hundreds of millions.Footnote 10 Insiders who are disgruntled employees are a real challenge, but it is also something that could be rectified with a few remedial measures, which will be discussed in the later sections of this chapter.

2.1.2 India’s Insider Threat Challenge

No country and no high-security installation is immune from insider threats. Given the multilayer security system at nuclear power plants, the propensity to cause significant damage using an insider could be the most attractive option from a perpetrator’s perspective. The incidents across different regions mentioned above are a stark reminder of the magnitude of the problem. In a presentation at the IAEA, Jayarajan Kutuvan of the Bhabha Atomic Research Centre (BARC) near Mumbai, India, outlined the Indian awareness of the problem by acknowledging that insider threats are a serious issue also because insiders, depending on their level and rank, enjoy the “authority to acquire and ability to use tools, equipment, weapons or explosives.”Footnote 11

Explaining how the Indian approach to nuclear security culture has changed, Ranajit Kumar, formerly with the atomic energy establishment, said at a workshop held in Bangalore that even 10–15 years ago, if there was a question of sharing advice about nuclear security, most people would say that it is the responsibility of the security guards alone. Also, the response would have been that security incidents don’t happen in my facility, but Kumar argued that this mindset has changed.Footnote 12

India remains cognizant of the insider threat, and it has had to deal with one insider threat incident at the Kaiga nuclear power plant in Karnataka, in southern India, in 2009. According to the Minister for Science and Technology, Prithviraj Chavan, who spoke to the media, the incident involved a disgruntled employee who “mixed a small unit of tritium (radioactive isotope of hydrogen, D20), in a water cooler.”Footnote 13 About 50 employees of the Kaiga nuclear power plant who drank the water were exposed to a high level of radiation. There was no casualty from the incident. The minister confirmed that this was an “act of sabotage” possibly committed by an insider.

Commenting on the Kaiga water poisoning incident, KS Parthasarathy, former secretary of the Atomic Energy Regulatory Board (AERB) said that “Traditionally we have been thinking of securing nuclear plants from earthquakes and tsunami but the Kaiga incident has added another dimension to it.”Footnote 14 The comment suggests that this was not considered a serious threat even a decade ago. Another former official of the atomic energy establishment, who did not want to be named, agreed with Parthasarathy’s assessment and added that “Security today means checking handbags and inspecting vehicles and vigilance is all about who takes bribe. Our security at this level is good but is unprepared to deal with potential threats from scientific staff.” He was worried that “Scrutiny of staff is totally missing in our power stations.”Footnote 15

The former official also pointed to a slightly different but related issue about the forces that protect the nuclear power plants. Currently, these plants are protected by the Central Industrial Security Force (CISF), who reportedly take their orders from their headquarters in Hyderabad or Delhi, while the station director has very little influence in directing the CISF personnel who are posted at a particular facility. The former official suggested that “nuclear plants should have their own security staff with some training in reactor operation.”Footnote 16 These comments have implications for a variety of threats in the context of nuclear security, including insider threats and the ability to manage them. Since the incident at the Kaiga nuclear power plant, the government agencies have organised mock drills and tabletop exercises at the plant site to assess the plant’s emergency response preparedness to deal with a major natural disaster. In fact, the National Disaster Management Authority (NDMA), which was part of these exercises, “ruled out the possibility of a Fukushima-type incident” at the Kaiga nuclear power plant.Footnote 17

That there has been no reported insider threat incident (except the one at Kaiga) does not provide India with any comfort that it is not going to happen. Given the not-so-benign neighbourhood that India is located in, New Delhi remains mindful of the possibilities of an insider threat with an external element as the possible trigger. That an external agent could collude with an insider in committing an act of sabotage is a real possibility. The Ministry of External Affairs, in its document released in 2014, Nuclear Security in India, highlighted this as a possibility.Footnote 18 In fact, from the time of the design of a facility, key principles like Design Basis Threat (DBT) are taken into consideration. This involves a thorough examination of the threats that the facility must be geared to protect against, including terrorists, protestors, or saboteurs, which should further translate to designs that would mitigate those threats.Footnote 19

While calculating the threat to a facility, India, like other countries, also takes into account who its adversary is, whether an insider, an outsider, or the two working jointly; their motivations, whether economic, religious, or ideological; and whether they use coercive methods like kidnapping a family member to force an employee to act. Other issues include the objective of the sabotage, whether it is a limited operation because someone is a disgruntled employee and wants to send a message to the management, or a more serious crime of sabotage of the facility or theft of nuclear material to create panic and mass disruptions. The DBT also involves an examination of the style of attack and the tactics and capabilities of the adversary. India maintains a national DBT, but a plant-specific DBT is also developed taking into account some of the plant location-specific local threats particular to a state or a region, and together the two DBTs detail each of these threats and their possible manifestation. Speaking at a nuclear security workshop co-organised by the National Institute of Advanced Studies, Bangalore, Ranajit Kumar, a former official at the Indian atomic energy establishment, stated that “an adversary with a colluding insider is very dangerous.” He went on to add that such an adversary “can be internally motivated or externally coerced, passive or active, and nonviolent or violent.”Footnote 20

Insider threats for India can manifest themselves in many ways. They could involve passing on to adversaries key information on transportation of nuclear materials, such as the agencies involved and the routes used; theft of small quantities of nuclear materials for sale in black markets; or the use of cyber technologies (by an insider or in collusion with an outsider) that could inflict damage and destruction or sabotage at a facility. India has remained cognisant of the fact that terrorist groups such as the Indian Mujahideen are seen to be recruiting people who have IT skills and are tech savvy. The arrest of Mansoor Peerbhoy, an IT professional who worked with Yahoo India, by the Mumbai Police in October 2008 was a stark reminder of how the face of terrorism had changed.Footnote 21 The Indian Mujahideen has been known to recruit educated people with good IT skills, and Mansoor Peerbhoy was not the first such recruit. While they are outsider threats currently, they could be looking at co-opting an insider to commit a range of malicious acts, as mentioned above.

Given the substantial reliance of nuclear industries on computer-aided systems, the possibility of insiders facilitating nuclear security threats in the form of bugs and viruses cannot be ignored. The Stuxnet cyberattack that damaged Iranian nuclear facilities reflects the growing threats from cyber and cyber-related technologies. Insiders can become easy accomplices in carrying out these kinds of attacks. Similarly, the possibility of a disgruntled employee with access to sensitive information selling the information to external adversaries for financial gain cannot be discounted.

India is cognisant of the cyber and network vulnerabilities, and such threats and vulnerabilities are addressed by a separate department within the Department of Atomic Energy (DAE) called the Computer Information and Security Advisory Group (CISAG). The CISAG is responsible for undertaking audits of computer and information systems on a periodic basis. The CISAG is also responsible for developing “plans and guidelines to counter cyber attacks and mitigate its adverse effects.”Footnote 22 The guidelines have clear do’s and don’ts about the use of internet, USBs, and smartphones in sensitive areas within a facility. The CISAG of the DAE issued new guidelines in May 2020 that outlined a number of precautionary steps for work-from-home conditions. One of the points said that employees are “advised to keep official documents only in external storage such as Pen Drive, USB Hard Disk.”Footnote 23 This is presumably done to protect the document from being stolen if computers are hacked, but this step has its risks as well. For instance, pen drives could be stolen or lost. A much worse scenario is if a disgruntled employee with all the information on a pen drive or USB decides to share this sensitive information with those who want to do harm. Under such circumstances, pen drives or USBs with important sensitive information become easy tools for attackers. Nevertheless, there are no easy solutions to insider threat problems in an online or offline world. Therefore, the effort must be to inculcate a strong nuclear security culture, including cybersecurity culture, whereby individuals are incentivised to be aware of the threats and to take proper precautions.

It is important for India to focus on this aspect given that it has been one of the favourite targets of cyberattacks in recent years.Footnote 24 Even though some of the recent cyberattacks have targeted only administrative systems and had nothing to do with plant control and instrumentation systems, this could be potentially dangerous too.Footnote 25 Information on nuclear power plant staff and their personal details, including their financial remuneration, could be used by malign actors to extract benefits and could thus compromise India’s nuclear security efforts.

2.1.3 Indian Approach to Addressing Insider Threat

The potential that an insider has to overcome normal security barriers, and the consequences of this, have prompted India to be ever vigilant to possible intrusions and collusion by external actors, especially those from across the border in Pakistan. This has driven India to give a particular focus to security culture. While technology has aided in new ways, such as automation within a nuclear power plant that could minimise the human element and thus reduce human errors in a facility, one has to recognise the limits of technology and the significance of the human element behind the technology. When it comes to nuclear security, one can have the best technology and the best processes and procedures to minimise security gaps and vulnerabilities, but the individuals responsible for running the plant still have a big role to play in ensuring nuclear security. This brings the focus to the security culture that prevails in a facility, which could be helpful in mitigating some of these threats and challenges. According to the former US Department of Energy czar, Eugene Habiger, “good security is 20 percent equipment and 80 percent culture.”Footnote 26

A good security culture is one that prevails across all ranks, from scientists and managers to security guards and janitors, wherein each is conscious of the threats, challenges, gaps, and vulnerabilities and remains conscious of each one’s responsibility to secure a nuclear facility and nuclear materials. A workshop report from the National Institute of Advanced Studies, which co-organised a workshop on nuclear security, makes it clear that “every person, from a custodian to a technician to a scientist to a guard in the protective force, needs to believe in and support the nuclear security program for it to succeed.”Footnote 27 According to Jayarajan Kutuvan of the BARC, nuclear security culture represents an “assembly of characteristics, attitudes and behavior of individuals, organizations and institutions, which serve to support and enhance nuclear security.” He added that nuclear security “ensures that individuals stay vigilant and be aware of what is happening in their organization” by creating “a questioning attitude among individuals, which may help in detecting insider threat and outsider threat.”Footnote 28

According to the IAEA’s 2017 report on security culture, by focusing on “perceptions, views and behaviour at all levels of the organization, regular self-assessment helps managers to understand the reasons for an organization’s patterns of behaviour in certain circumstances and to devise more effective overall security arrangements”. Such self-assessments are far more useful than typical audits, which highlight technical issues rather than intangible human elements. The document added that “The results of a security culture self-assessment will rarely point directly to specific technical actions, but will more typically shed light on why particular security related issues emerge, what the root causes of problems may be and how overall nuclear security can be enhanced.”Footnote 29

This brings into focus the importance of personnel reliability programmes (PRPs) or human reliability programmes (HRPs), as they are alternatively called. These programmes cannot offer any guarantee, but they go a long way in mitigating insider threats when implemented well. In fact, an earlier study by the author that involved extensive field visits and interactions with the security managers found that India has an extensive PRP, which has been quite effective in addressing potential gaps on this front. The Indian PRPs are done across the plant on all staff employed at various facilities and have included a series of rigorous background checks, vetting, and verification processes before a person is inducted into a facility. The background screening and checks have included assessing a person’s identity, family background, criminal and medical history, and general reputation, as well as out-of-office social interactions and any change in behavioural patterns. These are undertaken on a periodic basis and, additionally, the PRP is done as and when an employee is to be assigned or transferred to a more sensitive facility or if the employee has been given a clearance to handle more secure and sensitive information. The PRPs are undertaken up to the level of contractors who are engaged with a particular nuclear facility. The Indian atomic energy agencies and security managers have maintained total and complete integrity with the PRPs, and the reliability of these programmes has not so far been compromised, as far as is known.

Nevertheless, as in any other sector, there is scope for improvement. One area that has continued to remain a challenge in this regard is the PRPs on temporary labourers who work with nuclear power plants. These labourers tend to work with a plant for a couple of weeks to a month at best, and they work only at the periphery of a facility and are nowhere near its core. These are migrant workers from rural India spread across different states and provinces and, because they keep moving from place to place, police and other security agencies have found it challenging to do effective vetting and background checks. Even though they work only for a very short time and are at the periphery of a facility, it is still not a comfortable situation from a security and vulnerability perspective. Terrorists, criminals, or persons with malintent can exploit these labourers to commit a crime. Indian security agencies need to find a way to address this loophole.

While the Indian PRPs are fairly exhaustive, one area that needs to be included is a person’s online activities. Cyberspace offers a menu of options if an insider wants to hurt the system.Footnote 30 Cyber means have been effective tools in pushing individuals towards religious radicalisation, which in turn has prompted employees to engage in activities that they would not have otherwise. Even as the security agencies around the world understand and acknowledge the importance of being alert to an individual’s cyber interactions, it is a complex and sensitive issue, especially for democracies that value and seek to protect privacy and personal freedom. But given that online radicalisation has become a real threat, this is an inescapable area of vulnerability and security agencies have to find a way to monitor employees’ cyber behavioural patterns. Keeping a watch for any abnormal behaviour as a fallout of their possible online radicalisation is one way to address it. For instance, if a person has become suddenly deeply religious, that is possibly a fallout of online radicalisation. So, PRPs must continue with periodic monitoring to keep tabs on a person’s online and offline activities and behavioural patterns.

Therefore, an effective nuclear security policy and practice must evaluate the human factor as an important determining factor while assessing the efficacy of nuclear security. According to an International Atomic Energy Agency (IAEA) document on the self-assessment of nuclear security culture in nuclear facilities and activities, a robust nuclear security approach would depend on a series of elements including “proper planning, training, awareness, competence, knowledge, operations and maintenance, as well as on the thoughts and actions of all people in the organization.”Footnote 31 The IAEA document further notes that “an organization may have appropriate technical systems in place but remain vulnerable if it underestimates the role of the human factor.” It goes on to emphasise the importance of the human factor, including the top layer of managers and leaders, in maintaining effective nuclear security. A report co-authored by Matthew Bunn and his colleagues categorised insider threats as the most significant nuclear security threats.Footnote 32 So, even as the extensive vetting and background checks as part of PRPs are an important tool in addressing insider threats, they offer no guarantee that there will not be an occasional breach.

2.1.4 Challenges of Ensuring Trustworthiness

Ensuring trustworthiness of an employee at high-security installations such as a nuclear power plant is not easy. Trustworthiness assessments of employees are undertaken to validate a person’s integrity, reliability, and suitability for positions that give them a wide range of access, including to nuclear materials, facilities, technology, or sensitive security information.Footnote 33 Different states assess trustworthiness differently, but there are some similarities in terms of its application across all levels within an organisation, and in the end goals of these programmes. Commenting on the trustworthiness issue, Jayarajan Kutuvan of the BARC said that the screening process that is undertaken as part of this effort will be in line with “the risks and threats related to specific role and responsibility.”Footnote 34 To that extent, these are graded approaches. The graded approach will be dependent on the type of facility and the materials within a facility. Similarly, there will be a graded approach depending on the level of personnel associated with a facility, like janitors, lab researchers, technicians, security officers, and control room operators.Footnote 35 In handling radiological materials, for instance, risk levels are accorded depending on the risks involved with each of the materials; trustworthiness is an issue that the Indian nuclear regulatory authority, the Atomic Energy Regulatory Board (AERB), has flagged.Footnote 36

Nevertheless, states need to consider trustworthiness programmes that will continue monitoring mental well-being, substance abuse, unusual work hours, violent, criminal or any unusual behaviour inside and outside work premises, and political and ideological interests. Kutuvan also suggests that the screening process be applied to all temporary staff, contractors, and visitors, which is an ideal scenario. But the state’s ability to vet temporary staff under the PRP has faced some challenges. These challenges are not unique to India. At a conference on radioactive materials security organised by the IAEA in 2013, conference participants (officials from different atomic energy agencies) recognised that even the IAEA’s Nuclear Security Series, while broadly useful in developing national regulations, has gaps in its guidance on insider threats and trustworthiness, gaps that require additional work.Footnote 37

In the case of India, once individuals are employed by the atomic energy agency, they undergo a one-year training programme at the Homi Bhabha National Institute located in Mumbai. Nuclear safety, nuclear security, and security culture are important components of the training programme. Further, nuclear facilities as well as atomic energy regulators run periodic seminars, workshops, and refresher courses on nuclear safety and nuclear security. The Global Centre for Nuclear Energy Partnership (GCNEP), one of India’s centres of excellence, has five schools including one focusing on nuclear security—the School of Nuclear Security Studies (SNSS).Footnote 38 The training programmes undertaken at the GCNEP by the SNSS, independently and in partnership with other countries and agencies, involve a number of critical areas related to nuclear security, including computer simulation exercises on possible nuclear security incidents and personnel reliability studies, as well as systems for personnel and material access control and intrusion detection and vulnerability assessments.Footnote 39

The effectiveness of trustworthiness programmes comes from continuous monitoring of an individual across a number of parameters, including examination of different motivational factors like financial conditions, employee dissatisfaction possibly driving individuals to engage in unusual behaviour, and changed political or ideological orientations. Trustworthiness programmes and security culture training modules need to be evaluated on a periodic basis because of the changing nature of threats and challenges, so that such programmes continue to be effective. In case there have been some personnel incidents and failures, these need to be studied both to understand the reason for the incident from the perspective of the personnel involved and to reveal and understand the gap in the trustworthiness programme that led to the failure. Hence, these programmes need to be dynamic, constantly evolving in relation to the changing threat environment.

2.1.5 Are There Solutions and Measures That Can Be Taken?

Addressing insider threats requires a combination of strategies and measures because of the difficulties associated with continuous monitoring of human behaviour and impulses. A conference report found many participants agreeing that “the most cost effective measure is a strong security culture with an effective training program (letting employees know their role in security as well as the consequences of security failure) and employee concerns program (non-retaliation for reporting aberrant behaviors and collusion).”Footnote 40 It is further suggested that there be “an appropriate 2-person or 3-person rule with robust surveillance and strict access and work authorizations systems so no single person is left alone to commit a malicious act.”
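Compliance with the 2-person or 3-person rule quoted above can be audited from access-control records. The following Python sketch is an added example, not taken from the chapter or from any facility's system; the four-column log format, the area and badge names, and the 60-second grace period for staggered entry are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample badge-reader log (illustrative, not real data).
# Assumed format: ISO timestamp, badge holder, area, direction (IN/OUT).
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice VAULT-A IN
2024-03-01T09:00:20 bob VAULT-A IN
2024-03-01T09:30:00 bob VAULT-A OUT
2024-03-01T09:42:00 alice VAULT-A OUT
2024-03-01T10:00:00 carol VAULT-A IN
2024-03-01T10:00:30 dave VAULT-A IN
2024-03-01T10:20:00 carol VAULT-A OUT
2024-03-01T10:20:25 dave VAULT-A OUT
2024-03-01T11:00:00 erin VAULT-A OUT
"""


def parse_log(text):
    """Parse the assumed four-column log format into time-sorted events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, person, area, direction = line.split()
        events.append((datetime.fromisoformat(ts), person, area, direction))
    return sorted(events, key=lambda e: e[0])


def check_person_rule(events, min_people=2, grace=timedelta(seconds=60)):
    """Audit an N-person rule over badge events.

    Returns (violations, anomalies):
      violations: (area, start, end, people) for every interval in which an
                  area held at least one but fewer than min_people occupants
                  for longer than the grace period; end is None when the
                  interval is still open at the end of the log.
      anomalies:  (time, person, area, direction) for events that contradict
                  the tracked state, such as an OUT with no matching IN.
    """
    occupants = defaultdict(set)   # area -> badge holders currently inside
    open_gap = {}                  # area -> (start, people seen while under-staffed)
    violations, anomalies = [], []

    for ts, person, area, direction in events:
        inside = occupants[area]
        if direction == "IN" and person not in inside:
            inside.add(person)
        elif direction == "OUT" and person in inside:
            inside.remove(person)
        else:
            # Duplicate IN, OUT without IN, or unknown direction: possible
            # tailgating or a reader fault, so record it for follow-up.
            anomalies.append((ts, person, area, direction))
            continue

        if 0 < len(inside) < min_people:
            # Under-staffed: open a gap, or extend the one already running.
            start, seen = open_gap.setdefault(area, (ts, set()))
            seen.update(inside)
        elif area in open_gap:
            # Area is now empty or properly staffed: close the gap.
            start, seen = open_gap.pop(area)
            if ts - start > grace:
                violations.append((area, start, ts, sorted(seen)))

    # Gaps still open when the log ends have no known end time.
    for area, (start, seen) in open_gap.items():
        violations.append((area, start, None, sorted(seen)))
    return violations, anomalies


if __name__ == "__main__":
    found, odd = check_person_rule(parse_log(SAMPLE_LOG))
    for area, start, end, people in found:
        print(f"{area}: {', '.join(people)} under-staffed from {start} to {end}")
    for ts, person, area, direction in odd:
        print(f"anomaly: {person} {direction} {area} at {ts}")
```

Setting `min_people=3` audits a 3-person rule with the same logic; the grace period keeps a few seconds of staggered entry or exit from being reported as a breach.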

Insider threats, especially those relating to a disgruntled employee, can be addressed by taking simple steps such as understanding the employee’s concerns and dissatisfaction, giving a sympathetic ear even if the problems are not entirely resolved so that the employee has the satisfaction of being heard, and, if possible, rectifying the issues that gave rise to the disgruntlement. When these steps are taken at the level of the reporting authority and the office management, they can address dissatisfaction-induced insider threats.

There are no easy fixes to addressing insider threats. Bunn offers a series of steps to incentivise good practices and nurture security culture in nuclear facilities, both at individual and facility levels. At the individual level, these include the good citizen incentive, reviewing and rewarding security performance, rewarding reporting, making good security easy, and a “security watchdogs” award; at the facility level, they include security performance in management reviews, and industry self-help and self-regulation.Footnote 41 Creating a strong incentive structure for employees to report on unusual and odd behaviour can be a useful tool in mitigating the insider threat. Further, periodic refresher courses and training modules can get the entire facility staff to be on the same page on threat perceptions and ways to manage them. These modules and courses should try and build in real-life incidents that might give the staff a better sense of the magnitude of the problem. Extra vigilance and increased surveillance of areas that hold nuclear material could also be useful. An additional step, especially relevant during transportation of nuclear materials, is to have tamper indicating devices that would issue an alert if a vessel transporting nuclear materials has been tampered with.

A related issue is to institute a better material auditing process and strengthened inventory management. Material control and accounting of nuclear materials is not easy if an insider chips away materials in small quantities so that it does not catch the attention of the inventory managers. A useful step might be to institute random reviews and screenings by external agencies (other than the plant managers) to look for anomalies in material accounting and inventory management. As an additional step, theft can be made harder if materials are kept in “difficult-to-steal forms” so that it is not easy for an individual to carry them out of a facility.Footnote 42

Forged ID cards and documents are easy tools that perpetrators use to enter a facility. Change of ID cards on a periodic basis, with unique colours and holograms, could make it difficult for forged cards to clear entry checkpoints. Additionally, vulnerability assessments need to be reviewed and updated on a periodic basis in coordination with threat assessments provided by national and local intelligence agencies. Vulnerability assessments need to cover three different facets: characterisation of the threat through target identification, followed by an analysis of the threat by looking at the vulnerabilities that a facility is exposed to, and lastly ways to mitigate the threat and check the effectiveness of the facility’s security systems in place.Footnote 43

Compartmentalising information can also be a useful step in delaying and deterring theft of data.Footnote 44 One must devise programmes and processes in such a way that critical information goes through multiple folders, each with passcodes and encryption keys, which would cause delay in case of a security breach. Even for physical protection, a security breach by an insider can be mitigated to some extent if there are multiple layers of security in the form of gates and other physical security barriers, including RFID and retina screening measures, that would delay the intrusion into unauthorised areas and could alert the security managers to a possible security breach. Physical barriers and technology-aided delay measures have become fairly common in almost all nuclear material possessing countries. It might also be useful to conduct periodic audits of RFID and other screening measures to test the effectiveness of the barriers of a facility. Identifying and maintaining the access levels of employees is useful. Similarly, access to areas within a facility needs to be clearly identified and reviewed periodically. Within the nuclear security context, the de facto basis for access should be the “need-to-know” principle. Also, the two-person rule needs to be enforced rigorously so that one individual is never alone with sensitive technology.
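One way to carry out the periodic audit of access records described above is to replay badge-reader events and flag any period in which a single person was alone in a controlled zone, along with entries by staff not on the zone's need-to-know list. The following is an added example, not part of the original chapter; the log format, zone name, badge IDs, authorisation list and 60-second grace period are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# Constructed sample: badge-reader events as "timestamp,badge,zone,direction".
SAMPLE_LOG = """\
2024-03-04T08:00:00,E101,VAULT-A,IN
2024-03-04T08:00:20,E102,VAULT-A,IN
2024-03-04T08:45:00,E102,VAULT-A,OUT
2024-03-04T08:52:00,E101,VAULT-A,OUT
2024-03-04T10:15:00,E103,VAULT-A,IN
2024-03-04T10:15:30,E101,VAULT-A,IN
2024-03-04T10:40:00,E103,VAULT-A,OUT
2024-03-04T10:40:10,E101,VAULT-A,OUT
2024-03-04T13:00:00,E102,VAULT-A,OUT
"""

# Hypothetical need-to-know list: which badges may enter which zone.
AUTHORISED = {"VAULT-A": {"E101", "E102"}}

# Assumed tolerance for two people badging through a door one after another.
GRACE = timedelta(seconds=60)


class Finding(NamedTuple):
    kind: str
    zone: str
    badge: str
    start: datetime
    end: Optional[datetime]   # None when the condition is still open at end of log


def audit(log_text, authorised, grace=GRACE):
    """Replay events in time order and return a list of Finding records."""
    findings = []
    inside = defaultdict(set)   # zone -> badges currently inside
    alone_since = {}            # zone -> (time occupancy became 1, badge)

    # ISO-8601 timestamps lead each line, so a plain sort is chronological.
    for line in sorted(l for l in log_text.splitlines() if l.strip()):
        ts_text, badge, zone, direction = line.strip().split(",")
        ts = datetime.fromisoformat(ts_text)
        occupants = inside[zone]

        if direction == "IN":
            if badge not in authorised.get(zone, set()):
                findings.append(Finding("NOT_AUTHORISED", zone, badge, ts, ts))
            occupants.add(badge)
        elif direction == "OUT":
            # An exit with no matching entry points to tailgating or a
            # reader fault; either way the record cannot be trusted.
            if badge not in occupants:
                findings.append(Finding("EXIT_WITHOUT_ENTRY", zone, badge, ts, ts))
            occupants.discard(badge)
        else:
            raise ValueError(f"unknown direction in log line: {line!r}")

        if len(occupants) == 1:
            # Start the solo interval once; later no-op events must not reset it.
            alone_since.setdefault(zone, (ts, next(iter(occupants))))
        elif zone in alone_since:
            start, who = alone_since.pop(zone)
            if ts - start > grace:
                findings.append(Finding("LONE_OCCUPANT", zone, who, start, ts))

    # Anyone still alone when the log ends is reported as an open interval.
    for zone, (start, who) in alone_since.items():
        findings.append(Finding("LONE_OCCUPANT_OPEN", zone, who, start, None))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, AUTHORISED):
        print(f.kind, f.zone, f.badge, f.start, f.end)
```

This sketch counts every occupant toward the two-person rule and reports unauthorised entries separately; a facility that requires two authorised persons would count only badges on the need-to-know list.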

Addressing nuclear security threats can also benefit from international cooperation. Even as these threats are country-specific and cannot be generalised, sharing of critical information on incidents or on how a threat was averted can be useful. This can be done through bilateral routes or global conversations that could be hosted by, for instance, regional centres of excellence.

2.1.6 Conclusion

Nuclear security is constantly evolving with a number of threats including insider threats which can lead to havoc in the physical protection of nuclear facilities as well as cyber vulnerabilities in nuclear power plants. While India is yet to face any major nuclear incident, its geographical location and the internal security challenges are a continuous concern for New Delhi. India’s personnel reliability programme is very stringent in addressing the insider threat, but it cannot afford the luxury of assuming that it has the perfect system that will not break down. This chapter has identified a series of steps that can be taken to further strengthen the measures to deal with insider threat. Security culture, better material accounting and audit processes, incentivising reporting of any unusual behaviour, including security performance as part of management reviews, training, and periodic refresher modules can be useful steps in mitigating the insider threat in the nuclear security arena. International cooperation remains another key step in this regard and sharing of information like lessons learnt from an incident or how a threat was dealt with can be useful in avoiding nuclear mishaps. India and the US can think of such practices in the bilateral context first before taking them up in larger minilateral or multilateral formats.

2.2 A U.S. Perspective

Insider threats to the nuclear community pose unique challenges. This paper will introduce insider threats by defining the insider threat from multiple perspectives and explaining the risk against these differences. It will further discuss mitigation measures while reinforcing the diverse nature driving differences between mission sets, including military and civilian processes. Introduction to measures within both the civilian and military approach including trustworthiness or reliability programs with challenges and opportunities will be provided along with a few technical measures. The importance of a reliability program as a tool to mitigate internal threats will be highlighted including approaches well suited to a graded approach, applying elements that are unique to an organization or country. The US approach to mitigating insider threats will be shown using tools and methodologies created to address the threats from the perspective of US nuclear operations culture. Lastly, the international community may seek to learn from best practices and consider applying relevant elements. Publications from the International Atomic Energy Agency (IAEA) and World Institute for Nuclear Security (WINS) will be provided to strengthen this endeavor.

2.2.1 Defining the Insider Threat

Since the various organizations manage different aspects or stages of nuclear or radiological material, their definition of what constitutes an insider threat and how to manage mitigation programs is different. For instance, the US Department of Energy’s (DOE’s) Human Reliability Program (HRP) and the US Department of Defense’s (DoD’s) Personnel Reliability Assurance Program (PRAP) are diverse by design because the mission(s) are dissimilar. The HRP mission is “involved in researching, testing, producing, disassembling, or transporting nuclear explosives, which, when combined with Department of Defense delivery systems, become nuclear weapons systems.”Footnote 45 One key mission difference then is the delivery system, which is reiterated in the DoD description of “nuclear weapons and nuclear weapon systems” but adds “nuclear command and control.”Footnote 46 Mission does not define the totality of difference; magnitude plays a significant part. DoD designates two categories of certification, critical and controlled, to assist in management and provide cost savings for large numbers of personnel. The main difference between the categories is technical knowledge, but critical certification may also mean they “can either directly or indirectly cause the launch or use of a nuclear weapon.”Footnote 47 Keeping these differences in mind, in broad terms, DoD identifies an insider as “a person who has been granted eligibility for access to classified information or eligibility to hold a sensitive position” and the threat insiders may pose “to DoD and US government installations, facilities, personnel, missions, or resources. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of departmental resources or capabilities.”Footnote 48

The DOE program is created with integration in mind, addressing threats to personnel, facilities, materials, information, equipment, and other DOE assets, establishing a central insider threat program for DOE.Footnote 49 In 2016, HRP experts from the US national laboratory complex, specifically Oak Ridge National Laboratory (ORNL), created an approach for the international community interested in developing an HRP, which leverages specific elements of the DOE HRP. In this case, the following definition was retained: “security and safety reliability program designed to ensure that individuals who occupy positions with access to certain nuclear materials, facilities, and programs meet the highest standards of

  • reliability (an individual’s ability to adhere to security and safety rules and regulations),

  • trustworthiness (confidence in an individual based on their character), and

  • physical and mental suitability”Footnote 50

International definitions of insider threats to the nuclear community are important to consider, as well as recommended programs to mitigate insider threats and ensure the trust and reliability of personnel with access and knowledge to nuclear materials and related information. The below definitions are from both the international nuclear community and the US nuclear community. The IAEA defines an insider threat as “an individual with authorized access to [nuclear material,] associated facilities or associated activities or to sensitive information or sensitive information assets, who could commit, or facilitate the commission of criminal or intentional unauthorized acts involving or directed at nuclear material, other radioactive material, associated facilities or associated activities or other acts determined by the State to have an adverse impact on nuclear security.”Footnote 51 The World Institute for Nuclear Security (WINS) is an international nongovernmental member organization that strives to be a leader in knowledge exchange, professional development, and certification for nuclear security management. WINS defines insiders as “individuals who may take advantage of their authorised access to facilities, processes, materials, transport operations or sensitive computer and communications systems to perform a malicious act.”Footnote 52

To complement the US Department of Energy and Department of Defense definitions, the US Nuclear Regulatory Commission, which regulates government and civilian nuclear infrastructure, defines an insider as “a trusted person with protected or vital area access, or access to digital computer and communications systems and networks from outside the protected area, can pose a significant threat to the safety and security of a nuclear power plant.”Footnote 53

2.2.2 Introduction to Insider Threats

Motivations between the controlled or critical groups may be similar but the reasons are numerous and can range from ideology, revenge, distorted ego, sabotage, and financial need to being threatened or coerced by outside elements or even family members.Footnote 54 WINS identified two types of possibilities when it came to those who may be influenced by an ideological motivation: the plant and the convert.Footnote 55 The plant, as defined by WINS, is someone who specifically seeks employment with the intention of launching an attack or conducting a malicious act. This may be most successful if a poor security culture is present at a facility or the clearance process for granting access to information or material is weak. According to WINS, this raises the need for a layered approach to protection (defense-in-depth) while also raising awareness among staff that processes will be in place to verify trust and reliability.

Additionally, WINS defined the second type of ideologically motivated insider as a convert. In this case, a convert is an employee who becomes influenced or radicalized while already employed in the organization after successfully passing initial background investigations. Known measures should be considered to identify a convert’s conversion: trauma, a lifestyle change, financial loss, or disgruntlement. An individual who exhibits behavior that deviates from their normal behavior may be identified by some processes deployed by the organization. These may include elements of a reliability or trustworthiness program that include an annual or random reevaluation, rescreening, or participation in an employee behavior observation program in which fellow employees are aware of a reporting process. Chelsea Manning and Edward Snowden represent multifaceted convert cases. Both believed they were whistleblowers and felt some responsibility to inform people of the actions of their government, even to the extent they mentally set themselves up as “protectors of the people.” At the outset, this may seem motivation enough if given a disagreement or tendency to diverge from the beliefs of the organizations they support. In the former case, pacifism was an underlying motivational nuance, and in the latter case, surveillance and the technology involved including simple encryption and stirring the tech community appeared to be motivators.

Another motivating factor of an insider threat is ego. An insider may seek to prove their knowledge, intelligence, or abilities by performing an act of sabotage or the removal of material or information.Footnote 56 Identifying the traits of an individual who may be motivated by their ego may be difficult during the recruitment and hiring phase. Facilities are encouraged to deploy a graded approach when reviewing critical positions that may require additional measures to ensure trustworthiness and reliability. In 2020, the IAEA published a Nuclear Energy Series Technical Document, Addressing Behavioural Competencies of Employees in Nuclear Facilities, which provides the identification of critical roles, as well as information and recommendations for conducting a job task analysis to determine the key behavioral requirements for effective performance.Footnote 57

An insider may also be motivated by disgruntlement, acting out against an organization or facility because they feel they are unfairly treated. This may take the form of a poor review or evaluation, not receiving a promotion, or other instances where an employee may feel slighted. The WINS International Best Practice Guide encourages employers to treat all employees fairly, which is an important preventive measure in the mitigation of disgruntlement. Similar to preemployment screening, identified as a mitigation effort for individuals motivated by their ego, incorporating preemployment assessments may identify individuals with higher-than-normal probabilities of perpetrating an attack to satisfy an emotional or psychological urge, but this is very difficult to confirm.Footnote 58

The risk of the insider threat is uncertain at best, but it is likely quite small based on historical incidents. The issue is that a single insider can inflict devastating consequences. So, how to balance such a low probability against an extremely disastrous outcome? The point is not to eliminate risk but to reduce or manage it in all aspects of the program. Even though “only those individuals who demonstrate the highest levels of integrity and dependability” are accepted, the risk is not zero.Footnote 59 Determining an acceptable level of risk is never an easy task but when applied to the program, it needs to be cost-effective and not overly burdensome, or it is destined to fail.

How we determine what is an acceptable level begins with determining what risks exist and an assessment of the level of the risk with the probability of occurrence. Many assessment examples exist and can be easily modified to suit each risk. An important note is that the actual risk and/or likelihood may differ through another cultural lens. For instance, a cultural acceptance and therefore availability of drugs may increase the probability rating. Still, it becomes fairly easy to see where low severity coupled with low probability may be readily accepted whereas high severity and high probability may require mitigation. A bit harder perhaps are those with a high severity but with an extremely low probability. They may be readily acceptable but a determination must be made. Deciding by whom or at what level risk may be accepted or responsibility assigned is essential. Just as it is important to identify all risks and reassess after mitigation measures, the ultimate determination of acceptance must come from the right authority. For risks stemming from individual factors, agencies use considerations that aid the authority in making clearance or access determinations. Things such as circumstances, societal conditions, or rehabilitation efforts, to name a few, may be factored. It should be apparent that this is oversimplified and the actual criteria could fill volumes.

In some instances trustworthy members may be coerced into perpetrating a malicious action, such as blackmail or the threat of violence. Often, individuals keep embarrassing problems to themselves, including an addiction to drugs, alcohol, or gambling. This type of information can be used to blackmail an individual, using the fear of retaliation if the information is presented to an employer. Behavioral changes observed by colleagues or management may be the first indication that a change has occurred. An important mitigation measure for this motivation is a commitment to an employee assistance program. If an individual is confident that the employer has the resources and interest in helping, rather than terminating, the individual may be more inclined to self-report challenges they are facing.

Although monetary incentives and others may appear to remain constant, the emerging threats imposed by new technology and what was once a seemingly cut and dry motivation bear close monitoring and adjustments to mitigation. For example, in financial gain, the development of various cryptocurrencies adds a new dimension possibly requiring changes to mitigation efforts. Because of the propensity of this new currency being used for illicit payments and the added difficulty in tracking transactions, this new technology changes the landscape of this incentivization tool. What about those who simply invest in this currency? Is this a statement of their character or another facet of their trustworthiness?

Closer to the enterprise was the 2014 US Air Force scandal involving missile workers who cheated on nuclear launch proficiency tests. On the surface, the behavior may be looked at from the perspective of having netted substandard workers or overarching character flaws and thoughts toward “what else would they be willing to shortcut.” Opinions vary, but organizations must be careful what they incentivize because it influences behavior. Monetary incentivization may not always be external. If a member’s promotion, career, and other job aspects are tied to the test and you add the press toward community and helping one another, then passing is no longer the standard and excelling is the norm, at all costs. This is reminiscent of some issues stemming from the inspection process (discussed briefly later). Units would often go to great lengths to do well on inspections, with competitions and ratings driving behavior (and non-monetary incentives). Prepping for the inspection became like polishing the car before your date. Zero faults and impressing the inspectors took precedence. Would you really want a unit to “polish” assets or programs before an assessment or do you want them to do great every day?

As motivations evolve, so must the protective and preventive measures employed. Regarding the aforementioned discussion, simply inserting additional or modifying existing screening questions about cryptocurrencies could prevent an issue. Similarly, physical screening measures combined with authorization, and a series of strict processes and procedures to gain access or establish requirements for teams of personnel, are low-cost, easily implemented measures. But adding technological advances such as readers, entrapment devices, or airport-style screenings can yield additional protection and defeat individuals attempting to enter inappropriately or enter or exit with restricted items. The measures employed can be tailored to the threat. Insider threat mitigation should never remain static. Times of prolonged stagnation can lead to complacency or worse. People change, situations change, and technology changes. Keeping abreast of these changes is imperative. A review comparing HRP to PRAP has occasionally occurred, which is important to refresh the program and see if there are other ways to mitigate insider threats or reduce costs without unacceptable risk. Even if other methods are not adopted, the review provides insight in the total accomplishment of safeguarding our nation.

Added risk through human error can work into any process, but when members become complacent or take shortcuts, the risk can rise to an unacceptable point. Not long after the 2007 incident involving accidental nuclear weapons transport from Minot Air Force Base to Barksdale Air Force Base, US Air Force leaders chartered a group to create processes to ensure no errors or missed indicators in the Personnel Reliability Assurance Program (PRAP). The charter specified ignoring any preconceived ideas, past methods, costs, or difficulties. Such a system was developed but was prohibitive in human resource costs and unwieldy. In fact, it was described as unsustainable. With regard to risk acceptance, a zero-error program is possible but unaffordable in terms of time, money, or management and maintenance. A decision to draw the line or make a tradeoff of acceptance to cost must be made. Less risk equals more cost. In the example, there were easy wins to be gleaned by such a drill. Many low to no cost process improvements could be implemented almost immediately, eliminating many error-prone steps and reducing the probability of shortcuts. The team’s priority was to develop a training program for members charged with managing the program but who do not participate in the PRAP. Even with the many changes since, this remains largely in place today. It establishes a minimum knowledge standard and eliminates a big portion of the learning curve.

Easy wins do not have to be expensive or revolutionary. Some small changes can yield significant benefits with minimal movement and costs. What is necessary is taking an in-depth look at processes, even if they do not appear broken or in need of corrections, without a precipitating significant event. Addressing challenges as they present can also provide opportunities to change for the better. A robust validation program (in DoD, inspections) can identify new issues or risks, determine changes needed, or evaluate changes made to fully understand their impact. This process includes capturing and evaluating data which is used to drive regulatory guidance and ensures it remains viable as the environment evolves.

The benefits of an HRP can be tremendous to an organization. The employees that are part of the program may experience a sense of satisfaction knowing they are part of a team that has been evaluated and assessed and determined to be reliable and trustworthy. The nuclear industry strives to employ the most reliable and trustworthy individuals. It is important that all employees within a nuclear facility clearly understand their role and their influence on coworkers, the environment, and the country. A clear security foundation is vital, and an HRP sets a standard for employees who occupy sensitive positions.

2.2.3 Trustworthiness/Reliability Programs

The first step toward certification is qualification. At the beginning of US military service, a prequalification is conducted to eliminate applicants who would not pass other pertinent requirements for entry in training for nuclear career fields. This is the equivalent to a preemployment screening in the civilian sector. It is important to understand some of the screening is done for entry into and continued military service, such as drug testing with random follow-on tests. What remains are the requirements for the duty position in the specific nuclear work or the security involved, which will be discussed further. From this pool of military inductees, potential workers who meet the initial requirements and test appropriately may enter training in a sensitive position. A more in-depth review of the service entrance requirements is conducted in the member’s background, criminal history, financial verification, medical and psychological screening, and many other items. Security clearance review is initiated if not already started because much of the technical training will involve material requiring certain clearance levels.

Qualifying criteria include a positive attitude toward nuclear weapons duty, dependability, personal integrity, emotional stability, and flexibility in a changing work environment to name a few.Footnote 60 Some of the items like allegiance to the United States may be a bit harder to judge initially, but consider the following definition of reliability: “a combination of the traits of integrity, trustworthiness, emotional stability, professional competence, and unquestioned loyalty and allegiance to the United States.”Footnote 61 The importance of these characteristics requires much consideration to judge the member’s suitability. Extremism has come to the forefront of recent news reports. According to a recent Politico article, Secretary of Defense Lloyd J. Austin empowered a new group to better screen recruits and those currently serving for extremist behaviors and affiliation.Footnote 62 Whether this bears fruit or not remains to be seen, but most agree that it requires a strict definition.

When the ORNL team described the international approach to implementing an HRP, it stressed the graded approach: ensuring that the approach is designed to address the specific cultural elements of the country and organization, and that it is closely aligned with the infrastructure available to operate and the threats facing the nuclear stakeholders. Questions to consider when determining the stakeholders include the following:

  1. What type of facility or information is to be protected?

  2. How is access to sensitive information controlled?

  3. How are personnel with access to sensitive information controlled?

  4. What are the significant local threats to the organization?

  5. What are all of the organizations responsible for safety and security of the facility?

Once these, as well as other organization-specific questions, are answered, the initial steps within an HRP include an initial evaluation to establish whether an individual can be considered for admittance into an HRP. Research conducted at Oak Ridge National Laboratory (ORNL) on international programs supports using a type of security clearance as a precondition for an individual to be considered for a position that affords the individual access to information or materials. Both the qualifications for eligibility for a security clearance and for access to sensitive materials, information, and physical areas must be determined by the facility or country and should be defined in regulations.Footnote 63

The initial evaluation of a potential employee is the first official check a facility uses to determine if the individual is qualified for employment and willing to be in a position. Negative or unresolvable issues such as arrests, employment concerns, substance use/abuse discovered during this initial evaluation will likely result in a decision not to hire an individual. This initial process is designed to determine if any information exists that shows a pattern of questionable judgment or emotionally unstable behavior. This initial evaluation will include the following components:

  • Background check—The initial background check consists of gathering information and evaluating an individual’s character, general reputation, personality traits, and lifestyle.

  • Initial drug test—In many HRPs, before an individual can be considered for an HRP position, he must successfully pass a drug test. Because drugs can affect employee performance and safety, a positive drug test will eliminate the individual from employment consideration.

  • Arrest record/criminal history check—A check with law enforcement will be conducted to determine if the individual has ever been arrested and for what charge. A criminal record may preclude an individual from consideration for a security clearance.

  • Credit check—The credit check assesses an individual’s financial situation, including loans, bill payments, and indebtedness. This is not just a credit check because the member is not being considered for a loan, but it involves an in-depth look at finances and if there are flags of overextending or struggles that reveal a vulnerability. A poor credit history or excessive indebtedness are causes for concern and could prohibit an individual from being granted a security clearance.

  • Education verification—This check validates the individual’s attendance and graduation from educational institutions and their professional qualifications as indicated on their employment application and resume/curriculum vitae.

  • Work history verification—Similar to the education verification, the work history verification validates employment history and reveals if any troubling work issues existed, such as disciplinary issues or termination for cause.Footnote 64

Once employment has really begun in the nuclear enterprise, from training on, reviews and checks become more hidden to the member or behind the scenes. Autonomous checking or flags are set within systems to alert personnel to events or series of issues that may lead to questionable reliability. All this eventually leads to certification. A member is initially certified once, but they may need to be recertified under transfer to another unit or permanent change of station. Perhaps the largest benefit is arguably derived from the final point of certification when the certifying official sits with the member, given all the screening results, to ultimately rule on certification. This last step allows the certifying official the opportunity to discuss details of any findings, to hear any undisclosed information, and to review what used to be called the “spirit and intent” of the PRAP. This review is comprehensive, but it does not end at certification—the process is ongoing. Called “continuous evaluation,” the requirements are set to “mitigate risks and protect the nuclear deterrent from insider threats.”Footnote 65 The constant monitoring by an individual with direct knowledge of everything in the member’s life, on and off duty, forms one of the backbone requirements of PRAP mitigation.

An employee may be subject to an annual and continuous evaluation process to ensure sustained eligibility for a sensitive position. As part of this annual and continuous process, any of the initial checks or tests may be reevaluated, and the HRP-certified employee will be monitored and evaluated based on the following criteria:

  • Unusual behavior: Supervisors, workers, and managers should be trained on identification of unusual behavior, its possible causes, and ways to distinguish meaningful versus insignificant unusual behavior. All employees should be trained to make accurate observations and follow appropriate reporting procedures. With this training in place, managers, supervisors, and workers will be able to effectively monitor behavior in the workplace and alert the proper authorities if unusual behavior is observed.

  • Supervisory review: In most HRPs, supervisory reviews are required every 12 months regarding the suitability of employees to remain HRP-certified and continue performing HRP work. Supervisors are trained to evaluate the behaviors and performance of their employees to identify security or safety concerns.

  • Medical appraisal: The HRP model requires employees to undergo an evaluation of their health status and health risk factors through a medical history review, physical examination, laboratory tests, and psychological and psychiatric evaluations. These screenings should be country-specific and take cultural aspects into consideration. If records are inadequate or questions arise, medical examinations may be scheduled to include psychological evaluation and testing (DoD 2018b). Health insurance claims may reveal and lead to reviews of care.

  • Management decision: A designated senior manager evaluates the individual’s supervisory review, medical appraisal, and personnel records related to any security or safety concerns and makes a recommendation to approve or disapprove the individual for continuation in the HRP. The senior manager makes this recommendation to the certifying official.

  • Certifying official review: The certifying official acts as the final reviewer of all information gathered through the continuous evaluation process and makes the final determination on certification or decertification.

  • Training: HRP-certified individuals must complete both initial and annual training, which includes understanding the need for an HRP, insider risks, nuclear security awareness, and the employee’s responsibilities.

  • Random drug and alcohol testing: The HRP generally requires certified employees to undergo random drug and alcohol testing. The abuse of alcohol or use of illegal drugs can cause physical and mental impairment that impacts the safety and security of the individual, coworkers, the institution/facility, and national security. Employees with drug and/or alcohol problems may be more susceptible to influence by outsiders and may compromise sensitive information.Footnote 66

Figure 2.1 depicts the initial evaluation, continuous evaluation, and annual evaluation elements, as well as the process by which the organization may determine the trustworthiness of a staff member. An important element to remember is the self-reporting mentioned earlier.

Fig. 2.1 STEP process. A chart presents the STEP process involving initial evaluations like background and arrest checks, annual evaluations such as drug and alcohol tests, and ongoing evaluations including monitoring for unusual behavior. Employees exhibiting unusual behavior undergo supervised review, medical assessment, management decision, and official trust review. Source: Coates, C. W., and G. R. Eisele. Roadmap to a Sustainable Structured Trusted Employee Program (STEP), 2013, https://info.ornl.gov/sites/publications/files/Pub45049.pdf.

(Note: STEP is a generic form of a human reliability program created by the Oak Ridge National Laboratory [ORNL], Center for Human Reliability Safety and Security Studies [CHRS]3)

This self-reporting forms the second backbone of PRAP/HRP mitigation. Self-reporting is indoctrinated from the very beginning, and its importance cannot be minimized. The member is taught to always address areas of concern about themselves with their supervisors and leadership. All personnel are required to report these factors to their certifying official or commander whether about themselves or their coworkers.

This information may be a lot to digest, so the DoD provided a guide for determinations and adjudication of this data to make a judgement about the trustworthiness of the individual. The guide is incorporated in DoD Manual 5210.42, Nuclear Weapons Personnel Reliability Program, Incorporating Change 3, and gives considerations and mitigation for suitability factors to aid decisions to certify or continue a member’s certification. Contractors (if used) are treated no differently, except that if a contractor is determined to be unsuitable, the contract agent need only be notified and the contractor is removed.

2.2.4 Mitigating Insider Threats with Technical Measures

Technical measures are not limited to those mentioned earlier, and many others are geared directly to reliability programs. Most people are familiar with polygraph testing and its inherent limits and fallibility. Even with modern methods and equipment, there are limits to the accuracy of information obtained. One area has evolved significantly, and it is aimed directly at the technology which spurred it. Applying advanced cyber techniques allows for reviewing and screening large amounts of data, including the potential to reflect on social media content. Although social media may provide a previously unknown look at the member, it also presents a vulnerability because of social media attacks and potential exploitation of members.Footnote 68 This consideration should lead to policies on its use and restrictions. Although social media is a hard discussion point currently and not fully resolved at the time of this publication, the technical capabilities work for financial screening and ad hoc notifications for a myriad of reliability assurance measures.

One of the interesting innovations comes in the form of profiling. Highlighted by recent studies in radicalization and spurred by extremist concerns, University of Maryland’s Study of Terrorism and Responses to Terrorism Research Brief from the Profiles of Individual Radicalization in the United States on QAnon offenders is a good example.Footnote 69 In the report, pre- and post-January 6, 2021, US Capitol attack activities are compared, showing a baseline related to data from the riot.Footnote 70 The same methods can be used across a multitude of groups to identify commonalities and further isolate specific indicators of negative behavior. Using this profile assessment provides an advantage over the standard insider threat indicators common across the enterprise (e.g., coworker performance decline, questions outside of scope, and requests for sensitive data).

Not everything needs this level of technical measure. One of the simplest measures and the final “backbone” piece is a basic mitigation called the “two-person” team, which pairs one fully certified member with others.Footnote 71 This effectively eliminates the lone insider and affords detection by others who are “always watching.” Extensive, and often costly, measures are not always the best. Beginning with basic procedures and actions and then adding technological enhancements can net better results and at less cost.

2.2.5 Conclusion

In summary, mitigating insider threats to the nuclear community poses a unique and challenging problem, though a problem that is not insurmountable. It takes a community to recognize behaviors, changes in behaviors, and an awareness of what is required by staff with the privilege of working within the nuclear industry. Individuals with access to nuclear information and materials must appreciate the importance of self-declaration when they either commit an error or require notice to the organization based on a lifestyle change. Not all organizations will need to adopt all the measures identified in this paper. An organization will need to evaluate what may work best for it based on culture, infrastructure, and the level of threat. For example, a research institution that is introducing small amounts of nuclear material may take a graded approach to this process and only apply elements that are appropriate to the country’s laws and regulations. Also, it is imperative to recognize that being part of the community of practice is particularly important. This community can learn a great deal from one another, and the provided resources may allow for a platform to share lessons learned and experiences that may benefit organizations new to the nuclear community as well as organizations that have a history of operations.