In an April 2009 speech in Prague, President Obama said that nuclear terrorism is the “most immediate and extreme threat to global security and pledged that his Administration would launch a new international effort to secure all vulnerable nuclear material around the world within four years.” To motivate world leaders to achieve this goal, the President hosted a Nuclear Security Summit in Washington, DC, on April 12-13, 2010. Leaders of 47 countries attended the summit, including many heads of state. Attendees represented a wide geographic range of states and nuclear capabilities, and include China, India, Israel, and Pakistan. The summit resulted in a joint statement saying that international cooperative action is necessary to prevent an act of nuclear terrorism. Summit attendees also pledged to improve nuclear security standards, bring international agreements into force, and share best practices.
The Obama Administration’s April 2010 Nuclear Posture Review Report confirms nuclear terrorism as topping the list of nuclear dangers to the United States: “The vulnerability to theft or seizure of vast stocks of such nuclear materials around the world, and the availability of sensitive equipment and technologies in the nuclear black market, create a serious risk that terrorists may acquire what they need to build a nuclear weapon.”
In October 2009, the International Panel on Fissile Materials reported that countries around the world possessed around 1,600 tons of highly enriched uranium (HEU) and 500 tons of plutonium. That’s enough material to build around 120,000 weapons of equivalent power to “Little Boy,” the atomic bomb that destroyed Hiroshima. But since the Nuclear Security Summit, among other activities, efforts have been made to secure HEU in Belarus and Ukraine, to convert reactors in places like Mexico to LEU fuel, and to conduct vulnerability assessments of nuclear facilities in the developing world.
Nuclear security measures refer to a wide range of actions to prevent theft or diversion of nuclear material or sabotage at an installation or in transit. They could include physical protection measures, material control and accounting, personnel reliability screening, and training. A broader understanding of nuclear security also includes measures to prevent and detect illicit trafficking – cargo inspections, border security, and interdiction measures. Another aspect, “nuclear security culture,” describes personnel attitudes towards the importance of nuclear security practices in their daily work. This is known as the “human factor” and recognizes that technology-based physical protection measures are only as effective as the people who are running them. The “insider threat” at nuclear facilities is a worker’s knowledge of facility practices that could be used to aid terrorists or smugglers in obtaining material through diversion.
Here is a definition of nuclear security culture:
- “Security culture includes characteristics and attitudes in organizations and of individuals which establish that the issues relating to protection against the loss, theft and other unlawful taking of nuclear material on one hand and deliberate malicious acts in nuclear facilities or during transport of nuclear materials on the other hand, receive the attention warranted by their significance.”
The malicious acts in question refer to anything that may directly or indirectly have radiological consequences for man and the environment. This definition is more complete than given by the International Atomic Energy Agency (IAEA) which relates only to the physical protection of nuclear materials and nuclear facilities whereas the current definition extends the field to all nuclear facilities and the transport of nuclear materials.
The general public should view security culture as a sign of professionalism, skill and responsibility by all actors (organisations and individuals) involved in the protection of nuclear materials, nuclear facilities and transport of nuclear materials. It must help strengthen the confidence of each one in security within the nuclear field.
1. UNIVERSAL FEATURES OF NUCLEAR SECURITY CULTURE:
The development of a proper nuclear security culture involves individuals in a number of diverse disciplines and organizations who must work together in order to be effective. The model presented under Figure: 63-01 illustrates the main characteristics of security culture and which component group is primarily responsible for it. All the component groups listed below must, nevertheless, be considered as part of the whole in order to develop a security culture through coordination and dialogue:
1.1 Role of the State:
Security culture has the following three major components:
- The first concerns the policy that the State wishes to put into practice, in particular given the national and international contexts;
- The second is the organization introduced within each body concerned, particularly to apply the policy fixed by the State. In this component, a distinction must be made between what comes under the organization itself and what concerns its managers; and
- The third component is the attitude adopted by the various individuals at all levels to implement this policy and to incorporate it into their work.
The responsibility for the establishment, implementation and maintenance of a nuclear security regime within a State rests entirely with that State. Hence, the State has the responsibility for establishing the legal and regulatory framework to foster an effective nuclear security culture. There may be several organizations within the State that have both responsibility for and interest in a nuclear security culture, e.g. the nuclear regulatory body, operating organizations of nuclear facilities, law enforcement authorities, the military, health ministries, intelligence organizations, emergency response authorities and public information officials.A culture is hard to either impose or cultivate, but it can be fostered through role models, training, positive reinforcement and systematized processes. These elements should be considered as the State develops or modifies its regulatory and policy documents.
1.1.1 Definition of General Protection Objectives:
The State fixes the security policy. It develops this policy around identified threats, the international context and specific aspects of the national context. The State uses these elements in particular to define the design basis threat.
The design basis threat must be revised periodically to take account of the constant evolution in risks and technologies. Thus, the protection implemented to face up to the design basis threat must be constantly adapted to maintain a permanent, acceptable level.
1.1.2 Distribution of Responsibilities:
State commitment is given concrete expression in national legislation and regulations, by setting up a competent authority, possibly supported by a technical support body. This authority has the personnel, financial resources and supervisory powers in terms of security. In particular, provision is made for declaring any event affecting or likely to affect the protection of nuclear materials, nuclear facilities and the transport of nuclear materials to the competent authority without delay. So that all organisations and individuals feel involved at their respective levels, the State lays out its own responsibilities in terms of the protection of nuclear materials, nuclear facilities and the transport of nuclear materials clearly as well as those entrusted to other bodies. The operator has full responsibility for protecting his nuclear materials, protection equipment, transport means and installations and for the information he holds. The State, however, with responsibility for the law enforcement agencies, may be called on to intervene on or off site.
It is also justified in intervening when an event occurs during the transport of nuclear materials, particularly on the public highway. Lastly, the potential risk from dysfunctions in the protection of nuclear materials, nuclear facilities or the transport of nuclear materials may involve the entire national territory or even spread to other countries. It is essential for this division of responsibilities to be clearly defined and well understood by all individuals within the organisations.
Given the need for coordination between the public authorities and other organisms – as required by such a division of responsibilities -, the State introduces mechanisms for the exchange of knowledge and data, particularly, in terms of intelligence and intervention. It organises exercises regularly on the protection of nuclear materials, nuclear facilities and the transport of nuclear materials involving operators and State departments.
1.1.3 Protection of Information:
Another action by the State is to establish requirements for the determination of personnel trustworthiness. The process of this determination can involve State agencies and also the operator’s security department.
Nuclear security culture promotes awareness in all people of the sensitive nature of information in this area and the need to protect the confidentiality of that information. Such information should not circulate freely in the public domain since it could be used for malicious purposes.
The State must also establish criteria to determine sensitive information in the nuclear security field.
1.2 Role of Organizations:
Within a State, various organizations – such as regulators, users of radioactive sources, operators of nuclear facilities, border and customs officers, and transporters of radioactive material – have responsibilities associated with the security of radioactive material.
A State’s legal and regulatory framework establishes the basis for an organization’s security policies, which determine the environment of the workplace and influence the behaviour of personnel. These policies have significant common characteristics, but may differ from organization to organization depending on the type of work. The cumulative impact of policy, environment and behaviour determines the quality of the nuclear security culture.
1.2.1 Nuclear Security Policy:
Each organization needs to have a nuclear security policy which contains the aspects of a sound management system. This policy should declare a commitment to quality of performance in all nuclear security activities, making it clear that security has high priority, even overriding operational demands. If there is a conflict regarding the relative priorities of safety, security or operations, senior management must be authorized to resolve the conflict taking into account the overall impact of risk.
This policy forms the foundation of the management systems that are an integral part of the security culture of the organization. It should be communicated to and understood by everyone affected. Nuclear security policy statements by different bodies vary in both form and content. An operating organization has full responsibility for nuclear security in all the activities under its jurisdiction. Its nuclear security policy statement should be clear and provided to all staff.
1.2.2 Management Structure:
The management of all organizations must define roles, responsibilities and accountability for each level of the organization, including security and other interfaces. In addition, the management of relevant organizations must appoint an individual responsible for nuclear security who has sufficient authority, autonomy and resources to implement and oversee nuclear security activities. This individual is required to report to the top manager or to an appropriate senior manager of the organization with the responsibility defined and documented in sufficient detail to prevent ambiguity.
Where appropriate, the organization’s management should establish procedures to facilitate rapid resolution of questions regarding the practical balance among nuclear and radiation safety, security and the various facility operations.
The organization must allocate sufficient financial, technical and human resources to implement the assigned security responsibilities. It must ensure that all security personnel have the necessary qualifications, with these qualifications maintained by an appropriate training and development programme. Personnel must also have the necessary equipment, adequate work areas, up to date information and other forms of support to carry out their security responsibilities.
1.2.4 Review and Improvement:
All of the concerned organizations must make arrangements for the regular review of their nuclear security practices and systems. This regular review necessarily takes into account lessons learned from both internal and external reviews, and changes in the threat level. In particular, organizations should ensure that all discrepancies detected relating to nuclear security are comprehensively analysed and expeditiously corrected.
Owing to the international nature and transboundary aspect of security, the organization should coordinate with similar organizations, both within the nuclear and radioactive material arena and in other high risk areas, to establish expeditious means to communicate security related information and maintain close cooperation for the exchange of intelligence knowledge and data that could impact the security of these materials and facilities, including transport and border operations.
1.3 Roles of Managers in Organizations:
Managers influence culture throughout their organization through their leadership and management practices. With sustained effort, and by employing the incentives and disincentives at their disposal, they must establish patterns of behaviour and even alter the physical environment. Senior managers are responsible for defining and revising policies and protection objectives; operational managers are in charge of initiating practices that comply with these objectives. Through their behaviour, managers demonstrate their commitment to nuclear security and, in so doing, play an important role in promoting nuclear security culture within the organization.
Managers should foster an effective nuclear security culture by ensuring that people understand that:
- A credible threat exists; and
- Nuclear security is important.
1.3.1 Definition of Responsibilities:
The exercising of individual responsibilities is made easy by clearly-defined chains of command. The responsibilities allocated to each individual are established and documented in sufficient detail to avoid all ambiguity; their scope is specified. Thus, are clearly indicated in particular restrictions on the exchange and circulation of information. The definitions of responsibility are approved by the highest possible level in the chain of command. Provision is made for a process to monitor authorisations issued and to put allocated responsibilities into practice.
1.3.2 Definition of Control Practices:
The managers make sure that activities relating to the protection of nuclear materials, nuclear facilities and the transport of nuclear materials are strictly carried out. All the updated documents listed in order of importance from general directives to detailed work procedures, form the foundation for good working practices. These reference documents comply with the organisation’s quality policy and include, in particular, a quality assurance plan for the activity concerned.
The managers ensure that activities are executed as defined and set up a verification system. The managers make sure regular contact between their organisations be maintained, complying with the rules governing information confidentiality. Relationships of this type are necessary when coordinating intervention resources between State departments and operators. In this context, exercises are organised to test the organisations and the planned liaisons, train teams and generally to draw on the lessons learned to improve the intervention system.
1.3.3 Qualifications and Training:
Managers ensure that temporary and permanent staff and any self-employed service provider are made aware of the importance of protecting nuclear materials, nuclear facilities, the transport of nuclear materials and sensitive information. These individuals are systematically informed of rules to be respected on the subject. Managers make sure that their staffs have all the skills and authorisations required to perform their tasks linked to the protection of nuclear materials, nuclear facilities and the transport of nuclear materials.
Recruitment, training and authorisation procedures are established for this purpose. Exercises and retraining courses are carried out periodically. The suitability appraisal of individuals relies on both physical and psychological considerations.
Training is not restricted to acquiring technical qualifications or becoming familiar with the detail of procedures to be followed strictly. It encompasses a far broader spectrum and, whilst meeting previously mentioned requirements, it is sufficiently instructive for individuals to understand the importance of their tasks in terms of security and the possible consequences of an error.
Apart from organisational provisions and resources, the behaviour of individuals, influenced by both independent and group motivations and attitudes, dictates whether a practice is satisfactory or not. Managers encourage and congratulate and attempt to provide tangible rewards for particularly commendable attitudes towards the protection of nuclear materials, nuclear facilities and the transport of nuclear materials. Managers encourage the personnel especially to report any event affecting or likely to affect the protection of nuclear materials, nuclear facilities and the transport of nuclear materials. This involves inciting the personnel to provide the security staff with any information that could improve protection that they might otherwise be inclined to keep to themselves through fear of sanction or ignorance of the issue at stake.
Nevertheless, managers assume their responsibilities and impose sanctions in the event of repeated deficiencies or serious negligence, in particular by withdrawing the authorisations given.
1.3.5 Audit and Review:
Managers are responsible for implementing a certain number of monitoring practices, including regular review of training programmes, staff nomination and authorisation procedures, working methods, document control, the quality assurance system and access to facilities and information.
Managers ensure that events inside or outside the organisation liable to have an impact on security are analysed and enlarged upon. Events outside the organisation will be examined and taken into account if appropriate. It may be relevant to call on specialists from outside the organisation under this approach.
1.4 Attitude of Individuals:
The previous chapters have indicated how the necessary elements on which to build a true security culture are set in place and emphasises the responsibilities of the State, organisations and their managers. As indicated in the introduction, it is up to individuals at all levels to take these elements into account and make the most of them. Nevertheless, distinction must be made between the expected reaction of individuals working in the protection of nuclear materials, nuclear facilities and the transport of nuclear materials and those not directly involved.
1.4.1 Individuals Directly Involved in Security:
The behaviour of individuals involved in security is characterised by:
- A rigorous, prudent approach;
- A constant vigilance and a questioning attitude; and
- A speed of reaction when faced with an unexpected situation.
Amongst other things, this category of individuals can be expected to apply procedures and official rules strictly. They should be aware that security systems must be compatible with the performance of other activities in the organisation. In addition, they must operate a prudent, considered approach towards research and divulgation of confidential information.
They must also have a steady motivation, with no slackening as regards the protection of nuclear materials, nuclear facilities and the transport of nuclear materials. They must also be ready to be receptive and critical of any event or action regarded as suspect. In such circumstances, the information is sent immediately to the hierarchy, even if it appears to be of minor importance.
Lastly, in the event of a breach of security rules, whether deliberate or through negligence, reaction is immediate using the resources matching the estimated risk. When faced with immediate danger, the operator’s staff must act rapidly to counteract or delay the malicious act in progress and request assistance from the public authorities without delay.
1.4.2 Individuals Not Directly Involved in Security:
Security culture concerns us all. Any individual involved directly or indirectly in the protection of nuclear materials, nuclear facilities and the transport of nuclear materials must be totally immersed in it. A duty of vigilance is essential for all.
The expected attitude of these individuals is characterised by:
- A knowledge of the principles of protection and taking them into consideration;
- A compliance with rules and procedures; and
- A questioning attitude to abnormal acts or events with regard to the protection of nuclear materials, nuclear facilities and the transport of nuclear materials. In this case, people in charge of protection are warned systematically.
An effective nuclear security culture requires a set of principles that managers can instill in the organization to guide decisions and behaviour. The principles should be explained to staff. Individuals should be inculcated with these principles and should be shown evidence that they are being applied consistently across the organization. The main principles of nuclear security culture are described below:
- Motivation: Motivation, the key determinant of behaviour, is entirely dependent upon the internalization of beliefs and values. The performance of individuals is, however, significantly influenced by the encouragement and reinforcement received from leaders, peers and subordinates;
- Leadership: The greatest influences on individual performance are the expectations of leaders. Nuclear security is most effective when managers and supervisors of the organization continually demonstrate their commitment to security through their words and actions;
- Commitment and Responsibility: Nuclear security is most effective when everyone takes personal responsibility for system operation as well as for their actions in their job;
- Professionalism and Competence: Nuclear security requires that personnel have the qualifications, skills and knowledge needed to perform all aspects of their jobs. Appropriately qualified and trained personnel should be able to respond effectively to all contingencies and emergencies; and
- Learning and Improvement:
Nuclear security can be improved by continual self-assessment, understanding of the reasons why mistakes occur, and application of best practices and lessons learned.
3. BELIEFS AND ATTITUDES
Beliefs and attitudes that are formed in people’s minds over time become causal factors in behaviour and affect how people respond to security issues and events. Some of these beliefs are
initiated by leaders and are developed through experience. When shared and embraced within an organization, they become common to all personnel.
The beliefs and attitudes held by individuals are influenced by the actions that others take or do not take and also by what others (particularly top managers) say or do not say. In this way, beliefs and attitudes spread and replicate themselves within organizations. For nuclear security, effectiveness depends upon the extent to which these beliefs and attitudes are commonly held and manifest themselves in appropriate behaviour and practices.
Where an effective nuclear security culture exists, people who have responsibilities for the use, handling, safe-keeping or transport of radioactive material and related facilities or other locations hold a deep rooted belief that there is a credible insider and outsider threat, and that nuclear security is important.
These beliefs form the foundation of nuclear security culture and are vitally important because they affect behaviour that ultimately influences the effectiveness of nuclear security to achieve objectives relating, for example, to nuclear non-proliferation and counter-terrorism. Without a strong basis of beliefs and attitudes, an effective nuclear security culture will not exist. Nuclear security should be a concern of everyone working in the facility, related locations or organization — including to a certain extent the members of the public — and not of the organization’s security specialists alone.