A culture of security: Focus for the next Nuclear Security Summit?

It would not take much highly enriched uranium to kill hundreds of thousands of people: as little as what could fit in a five-pound bag of sugar. That it has not happened so far does not mean it may never happen, especially when one considers that there are more than 2,000 metric tons of dangerous nuclear materials in hundreds of sites scattered across the globe. And that there have been more than 2,300 cases of theft or loss of nuclear or radioactive material since the early 1990s. 

Consequently, one of the greatest dangers facing the global community is the risk of terrorists getting enough uranium or plutonium to build a working, crude nuclear bomb, or to spike a conventional bomb with enough radioactive material to create a so-called “dirty bomb”—one which disperses harmful radioactive material over a wide area. The latter in particular is quite a plausible scenario; just think how the public would react if such a device exploded in a major urban center.

To prevent either scenario from happening, a coalition of about 80 civil society organizations from across the globe has been working together for the past five years to improve the security of fissile materials. Known as the Fissile Materials Working Group (FMWG), it has been a forceful advocate for the prevention of nuclear terrorism, by spotlighting attention on the issue, sponsoring talks, and publishing detailed, formal written recommendations, among other activities. Its latest contribution is the report “The Results We Need in 2016: Policy Recommendations for the Nuclear Security Summit” developed by a group of international experts and circulated this month at public events in Vienna and Washington, DC. The release of the report was timed to coincide with the most crucial meetings of the “summit sherpas”—the official representatives of the participating states charged with preparing its agenda and drafting the final communiqué.

With the planning of the next summit in mind, the report prioritizes the items that the nongovernmental expert community wants the 2016 summit to focus on during its two-day proceedings. The list includes enhancing the security of military nuclear material, information sharing, best practices, and the elimination of highly enriched uranium (HEU) in civilian applications, among other agenda items. In so doing, the FMWG has elevated the role of the public from what was perceived not long ago as a bystander to that of a major and proactive stakeholder in nuclear security. And a unique feature of the group’s report is that it takes a much wider and longer-term perspective of nuclear security challenges compared to the rather short-term vision often espoused by most government experts.  

But a funny thing happened on the way to the forum: It turns out that there is more to ensuring the security of nuclear material than physically protecting it, or trying to account for the whereabouts of every last bit of, say, highly enriched uranium. There is also something a bit harder to define, but perhaps even more important: a broader, all-embracing culture of nuclear security, that takes into account the human factor. Known as nuclear security culture, this approach encompasses programs on personnel reliability and training, illicit trafficking interception, customs and border security, export control, and IT security, to name just a few. Security culture has become a bit of a buzzword in many security-related domains, and the FMWG report seeks to raise it above this level, explicitly detailing the concept and its implications in a special section.

The rationale behind developing a security-minded nuclear culture is that stopping an intelligent adversary from outwitting a security system is an intensely interactive process; as adversaries refine their capabilities and tactics and new threat scenarios evolve, security systems must evolve rapidly to keep pace. Only personnel that have security culture imbued in them as second nature can continuously evaluate security systems, predict their performance against changing scenarios, and stay ahead of the threat.

Highlighting its significance, The Hague Communiqué in 2014 listed nuclear security culture as the first of its three pillars of nuclear security (the other two being physical protection and materials accountancy).

Logically, then, nuclear security culture ought to be a focus of the upcoming—and last—Nuclear Security Summit, to be held in 2016.

But . . . what exactly is nuclear security culture?

Coming to terms

The International Atomic Energy Agency (IAEA) defines nuclear security culture as the “assembly of characteristics, attitudes, and behavior of individuals, organizations and institutions which serves as a means to support and enhance nuclear security.” The scope of this cultural approach can be large, as can be deduced from the IAEA definition of nuclear security:  “prevention and detection of and response to, theft, sabotage, unauthorized access, illegal transfer or other malicious acts involving nuclear material, other radioactive substances or their associated facilities.”

Developed in the aftermath of the 9/11 terrorist acts, nuclear security culture has become a concept that cuts across disciplines, covering a much wider playing field than originally thought. Though it emerged as a somewhat vague concept, nuclear security culture is maturing into a multifunctional discipline. Practicing it efficiently demands special methodologies and skills—including shared databases of real incidents and lessons learned, along with realistic testing—to help find and fix weaknesses that terrorists or thieves could exploit. In this sense, nuclear security culture is akin to the safety culture that emerged much earlier as a discipline following the Chernobyl disaster—whose cause was attributed to the deficient human factor. Both disciplines are subsets of organizational culture, based on shared principles that pursue a common objective: operating a nuclear facility at an acceptable level of risk.

Despite its origins within the nuclear industry and the IAEA, nuclear security culture is endowed with a solid legal framework all its own, as can be seen in the yet-to-be ratified 2005 Amendment to the 1980 Convention on the Physical Protection of Nuclear Material, which calls on individual governments to be accountable for implementation. And the 2004 Code of Conduct on the Safety and Security of Radioactive Sources similarly urges every state to promote a culture of safety and security regarding radioactive sources. (The code is nonbinding, but over 120 countries have notified the IAEA director general that they support it.)

To encourage the growth of this culture, the IAEA has been acting as a sort of global coordinator, developing guidance documents and implementing worldwide outreach and training programs over the past several years. In 2008, for example, the IAEA published a guide that not only defines the concept of nuclear security culture but also outlines its characteristics, and describes the roles and responsibilities of the institutions and individuals entrusted. To achieve the goals of security culture, leaders must act as role models, and use specially designed management systems to impart such characteristics as professionalism, personal accountability, adherence to procedures, teamwork, cooperation, and vigilance among facility personnel. To these ends, in the past seven years the IAEA has conducted over 25 international, regional, and national workshops to promote security culture and train nuclear security personnel at all levels.

The IAEA has also drawn up two technical guidance documents—still in draft form—on self-assessment and enhancement of nuclear security culture, expected to be released sometime in 2015 or 2016. Draft versions of these self-assessments have been successfully put to the test for assessing security culture at Indonesia’s research reactors (2012-2013); Bulgaria’s nuclear power plant (2014); and Malaysian hospitals that use radioactive sources (2014-2015). Results from these tests were submitted to IAEA technical meetings as well as international conferences, and published in professional journals. It is important to note that the self-assessment methodology is not an audit that accentuates technical items more than intangible human elements; instead, it requires conscious efforts from personnel to think about how individuals and teams interact with one another, the physical surroundings within the site, and the external environment.

It is a complicated methodology, difficult to describe in one or two paragraphs; I was the lead drafter in the group of international experts, and it took me almost three years to develop and test it in Indonesia and Bulgaria. The text was approved by IAEA member states on June 16; it may take several months to polish the language, but the methodology is now approved. Its publication is scheduled for late 2015-early 2016.

At the risk of over-simplifying, the self-assessments are a multi-stage process, with a heavy focus on perceptions, views, and behavior, whose goal is to help understand and explain the reasons for an organization’s patterns of behavior, devise optimal security arrangements, and predict how the workforce may react in certain circumstances. By identifying potential problems early on, corrective actions can be taken in time to prevent or mitigate security breaches.

Self-assessments may identify numerous culture-related problems in an organization, such as overconfidence and complacency; lack of a systematic approach toward security risks; leadership and management that depend more on security technology at the risk of underestimating the role of the human factor; apathy or ignorance toward security culture; and indifference toward the experience of others. Consistent use of indicators as references help management to draw up a plan of action for transforming the culture.

Is nuclear security culture gaining traction internationally? Indonesia is a good case in point. This country pioneered a self-assessment that put the methodology to the test at an early stage, and later established its Center for Security Culture and Assessment—likely to become a regional hub of this unique expertise. Indonesia’s first self-assessment found that there were poor lines of communication between the leadership and the workforce regarding security; insufficient incentives to encourage employees to contribute to security improvements; gaps in the training programs; and other problems. In the latter half of 2015, the center is planning to carry out a second self-assessment project to assess the results of attempts at change so far.

The next steps

The momentum for a culture of nuclear security has now reached the point where a global roadmap and a coordinated strategy are needed. This strategy, which the IAEA must continue to anchor, would focus on several areas, such as tailoring the IAEA’s generic model of nuclear security culture to the specific needs of each segment—fuel cycle, nuclear research, power generation, use of radioactive sources, transportation—of a given country’s national nuclear infrastructure. Each segment has different levels of risk and security challenges, depending on the nuclear material they manage and the external environment they operate in. For example, an HEU research reactor requires much more stringent security arrangements than a medical institution operating with radioactive sources. Consequently, practitioners need user-friendly and specific toolsets, a goal that can be achieved by helping national regulatory agencies develop guidance documents consistent with the unique features of their country’s nuclear infrastructure.

In addition, nuclear security culture does not exist in a vacuum; it must be treated as a field that benefits from input from a wide range of experts with different professional backgrounds, including academia. Since the IAEA model focuses on intangible human traits like beliefs, attitudes, and values as drivers of human behavior, its tools must include those of the social sciences: surveys, interviews, document reviews, and observations. To use these tools in a meaningful way, sociologists, occupational psychologists, and safety experts must be involved.

And we must be aware that in order to be sustainable, nuclear security culture must integrate national history, traditions, and good practices. Such things vary tremendously from country to country. This issue is particularly important for the so-called “nuclear newcomers”—countries that are developing their nuclear power infrastructure from scratch. Nigeria, the United Arab Emirates, Vietnam, Jordan, and several others have to blend their national good practices with established methodologies to ensure that their nuclear facilities will operate at an acceptable level of risk.

To accomplish this integration, nuclear security culture must become part of a comprehensive, joint architecture that elevates security to a basic societal value. Sharing the progress made in the nuclear field with other domains—particularly the chemical and the biological—will call for deeper communication and cooperation. To avoid fragmentation, security experts will need a shared concept to work together.

Finally, we must treat nuclear security culture as a continuously evolving educational and training discipline. Collaboration among government, industry, and academia is pivotal to a thriving, broad-based nuclear security culture; this means that nuclear security culture promotion needs a multi-stakeholder approach.

The 2016 Nuclear Security Summit can leave a valuable legacy by addressing such issues in a nuclear security culture roadmap endorsed by participating states. Nuclear security culture is an agenda item that deserves much more attention at the upcoming summit.