How China needs to improve its legal framework on nuclear security

On March 31, Chinese President Xi Jinping will be among world leaders attending the fourth and last Nuclear Security Summit in Washington, D.C., where they will try to strengthen nuclear security to deal with the evolving threat of nuclear terrorism. Such efforts are badly needed, in light of the facts that there have been approximately 20 documented cases of theft or loss of highly enriched uranium or plutonium (although more may have occurred) since the early 1990s,and that there are nearly 2,000 metric tons of dangerous nuclear materials scattered across hundreds of sites around the globe.

Chinese leaders have actively participated in the last three summits, and pledged at each of them to act to strengthen nuclear security. But how successful have they been so far?

On the one hand, largely due to these earlier summits, nuclear security issues have received greatly increased national attention and awareness in China, from both national leaders and the general public. China has actively worked on several national laws and regulations related to nuclear security, and invested significant money to improve the physical protection of its nuclear facilities—including the updating of its monitoring devices, and otherwise accounting for and controlling every bit of nuclear material in China’s possession. A “center of excellence” on nuclear security—a joint US-China project initiated at the first nuclear security summit—was just commissioned on March 18 in Beijing, marking a milestone in summit outcomes. In short, China’s commitment to nuclear security is seemingly now well-established.

But on the other hand, in spite of these advances, there are still significant gaps in China’s nuclear security, which leave room for improvement. For example, the country has yet to build an overall legal framework that would govern the use of nuclear energy and related safety and security issues. In particular, China needs to update its nuclear regulations and guidelines, especially those that oversee tests of the ability of China’s nuclear facility designs to resist attacks from large-scale and well-organized armed terrorist groups; such tests are vital for identifying the strengths and weaknesses of security procedures. And cybersecurity is yet to be  addressed.

So what major gaps remain, and what steps does China still need to take to improve the legal framework behind its nuclear security—a framework that is vital to making any substantial changes on the ground?

Progress on China’s nuclear laws and regulations. In China, legal documents are classified into four tiers. From high to low, these are laws, regulations, rules, and guidelines. Or, to be more precise: statutory law requiring approval by the National People’s Congress; State Council regulations; departmental rules; and regulators' guidance or publications.

To further complicate matters, some laws and regulations are directly relevant to nuclear security, while others are much more indirect. The most direct ones are the Atomic Energy Law, the Nuclear Safety Law, and the Nuclear Security Regulations, while the ones that are indirectly relevant to nuclear security are the National Security Law and the National Counterterrorism Law. 

Currently, the only major regulations on fissile material controls can be found in a document called the "Regulations for Control of Nuclear Materials," issued in 1987, or 29 years ago—a time when the Berlin Wall was still up, Ronald Reagan was president, the World-Wide Web was not even a glint in a computer scientist’s eye, and the word “cybersecurity” was yet to be coined. Obviously, much has changed since then. Yet China’s only updating of these regulations was its “Rules for Implementation of the Regulations on Nuclear Materials Control”—issued in 1990.

In comparison, the most updated guidelines regarding the physical protection of nuclear facilities were issued in 2008—which is much more current, although itself now eight years old.

While new updates on those regulations and rules have still not come out, over the last two years China has made great progress in this area. At the last three summits, Chinese leaders addressed China’s efforts to continuously improve the legal framework. In April 2014, China’s president Xi emphasized, for the first time, the integration of nuclear safety and security with the national security system. He highlighted this change at the first meeting of the Central National Security Commission, established in November of 2013. (Xi is the commission chairman.) More recently, China not only issued a number of new laws and policies relevant to nuclear security, but also sped up work on nuclear safety law and on nuclear security regulations.

Influenced by the Nuclear Security Summit process and the Fukushima nuclear accident, China has also paid much more attention to preparing for a nuclear accident. In January 2016, China issued a white paper on nuclear emergency preparedness—China’s first-ever in the area of nuclear safety and security—which emphasized that China will establish a national nuclear emergency rescue team of over 300 people responsible for rescue missions in the event of a serious nuclear accident. The country has backed up its words with deeds; in June 2015, China conducted a nuclear emergency exercise code-named Shield 2015, which comprehensively reviewed China’s nuclear accident response preparedness and capability.

China also issued its National Security Law—its first meaningful law on national security—in the middle of last year. This law addresses “strengthening management, oversight and protection of nuclear materials, nuclear activities, and disposal of nuclear waste,” “increasing the capacity to respond to nuclear incidents,” and “ensuring citizens from the threat of nuclear and nuclear attacks and accidents hazards.” In addition, the new law addresses cybersecurity as it regards key items of national infrastructure—apparently including nuclear facilities. This marks the first time that nuclear security issues were addressed at the highest level of the Chinese legal system. And on December 27, China issued its National Counterterrorism Law, which provides a legal basis for dealing with the threat of nuclear terrorism in China.

In addition to these efforts, China is speeding up the process to approve what is known as the Atomic Energy Law, which will provide an overall legal framework to govern the use of nuclear energy and related safety and security issues. This new law was submitted to the State Council at the end of 2014; it is now going through the legislative review procedure and expected to be promulgated in 2016. Meanwhile, over the last two years, China’s National Nuclear Safety Administration has been leading the way in actively working on a separate legal initiative known as the Nuclear Safety Law, which includes nuclear security. It is expected to be approved in the 2016-2017 time frame.

Moreover, China’s Atomic Energy Authority has been working on a set of nuclear security regulations over the last two years, which were submitted to the State Council in 2015 and should be issued just after the approval of the Nuclear Safety Law. (The new nuclear security regulations are expected to have more specific requirements about nuclear security and control.)

Meanwhile, at the lower tiers of the legal system, the National Nuclear Safety Administration is developing new guidelines regarding cybersecurity at civilian nuclear facilities.

Major gaps remain. While China has been making progress at improving the legal framework surrounding its nuclear laws and regulations, there have not been many updates of nuclear regulations and rules on the security of nuclear materials and facilities. All the existing regulations and rules were written before the attacks on New York and Washington in September 11, 2001, and the threat of nuclear terrorism was not specifically mentioned.

Although the 2008 guidelines require all civilian nuclear facilities to be designed in such a way that they consider threats to their security coming from outsiders, insiders, or a collusion of both—technically known as a “design basis threat”—they contain no clearly defined standards for how each nuclear facility should be designed for local conditions. Operators typically create their site-specific designs on a case-by-case basis. But as National Nuclear Safety Administration director Li Ganjie noted, the existing design basis threat plans for nuclear power plants could have produced facilities that are unable to resist attacks from large-scale and well-organized terrorist groups with powerful weapons. Neither the upcoming Atomic Energy Law nor the Nuclear Safety Law is expected to address such a specific issue. The physical protection guidelines usually deal with those specifics, but, at the moment, the National Nuclear Safety Administration has no plan to update its 2008 physical protection guidelines.

Moreover, while operators currently are required to do in-depth vulnerability assessments and performance tests of the individual components in their security systems, these tests do not include the realistic force-on-force exercises recommended by the International Atomic Energy Agency (IAEA). No Chinese regulations and guidelines require such tests, which are vital for identifying the strengths and weaknesses of security procedures.

Finally, China’s existing nuclear regulations and guidelines have not yet specifically addressed cybersecurity issues. Strengthening cybersecurity at nuclear facilities has become an important topic in the area of nuclear security, due to operations and security systems becoming increasingly reliant on digital control—and digitization invites cyber-attack. In practice, a number of countries like the United States and Russia have recently updated their regulations or rules regarding cybersecurity at nuclear facilities.

But China has not yet written nuclear regulations and guidelines with provisions specific to cybersecurity at nuclear facilities. Chinese nuclear security regulators are considering new guidance or regulations that may cover nuclear cybersecurity based on US Nuclear Regulatory Commission-related regulations. In general, like other industries in China, nuclear facilities are required to have cybersecurity plans—mainly focused on traditional information technology security.

It should be noted, however, that the Chinese government has begun to speed up the passing of national legislation focused on cybersecurity. Last July, China issued a draft of its National Cyber Security Law for review—where it addresses the importance of cybersecurity in fields such as the energy system and the electrical power system. Additionally, the new National Security Law issued in 2015 addressed cybersecurity for critical infrastructure. These new laws are expected to be the bases for new nuclear regulations and rules relevant to cybersecurity.

Steps for improvement. At the 2014 nuclear security summit, President Jinping stated that “the more we do to enhance nuclear security, the less chance we will leave to terrorists.” Converting the top Chinese leader’s stated commitment into practical, sustainable reality, however, will require China to undertake several steps. In particular, China should speed the updating and issuing of any new laws, regulations, rules, and guidelines on nuclear security, especially those that have not been touched since the regulations of 1987 and the rules of 1990.

Clearer and more stringent rules and guidelines would establish a national-level design basis threat, with clarifying requirements for all military and civilian nuclear facilities. China should have at least a minimum standard for any design basis threat that includes protection against a modest group of well-armed and trained outsiders, a well-placed insider, and outsiders and an insider working together, using a broad range of possible tactics.

Moreover, China should incorporate IAEA principles and guidelines regarding nuclear security into its national laws and regulations, as suggested by a recent pledge by 35 countries to observe the terms of a joint agreement—known as Strengthening Nuclear Security Implementation—initiated at the 2014 summit at The Hague.

China should update and issue new nuclear regulations and guidelines incorporating cybersecurity explicitly. Cybersecurity should be integrated strongly and fully into the physical protection and accounting systems, and they should be an integrated component of any nuclear power plants design basis threat.

Soon, China should be issuing the Atomic Energy Law, Nuclear Safety Law, and Nuclear Security Regulations that have been under review for quite a while now. As a faster way of making progress, China should also update its 2008 guidelines on physical protection to integrate new IAEA guidelines, including the conduct of force-on-force exercises.

To ensure that the new regulations and rules are effectively implemented for facilities and transporters of nuclear weapons and weapon-usable fissile materials, China needs an effective system of enforcement and a constantly developing and improving nuclear security system that will not stagnate.