Lessons learned
In their paper, the authors offered some advice and insights based on lessons learned from past insider incidents:
Don't assume that serious insider threats are NIMO (not in my organization).
Don't assume that background checks will solve the insider problem.
Don't assume that red flags will be read properly.
Don't assume that insider conspiracies are impossible.
Don't assume that organizational culture and employee disgruntlement don't matter.
Don't forget that insiders may know about security measures and how to work around them.
Don't assume that security rules are followed.
Don't assume that only consciously malicious insider actions matter.
Don't focus only on prevention and miss opportunities for mitigation.
The information for the research paper emanated from an American Academy of Arts and Sciences project on nuclear site threats, Sagan said.
"It was unusual in that it brought together specialists on insider threats and risks in many different areas – including intelligence agencies, biosecurity, the U.S. military – to encourage interdisciplinary learning across organizations," he said.
Sagan explained that the experts sought to answer the following questions: "What can we learn about potential risks regarding nuclear weapons and nuclear power facilities by studying insider threat experiences in other organizations? What kinds of successes and failures did security specialists find in efforts to prevent insider threats from emerging in other organizations?"
'Not perfect'
He noted that only a few serious insider cases in the U.S. nuclear industry have arisen, thanks to rigorous "personal reliability" programs conducted by the Nuclear Regulatory Commission and the U.S. military for people with access to sensitive nuclear materials.
But there is room for improvement, Sagan said.
"These programs are effective," he said, "but they are not perfect. And relative success can breed overconfidence, even complacency, which can be a major cause of security breaches in the future."
For example, the nuclear industry needs to do more research about how terrorist organizations recruit individuals to join or at least help their cause. It also needs to do a better job of distributing "creative ideas and best practices" against insider threats to nuclear partners worldwide.
Sagan said the U.S. government is not complacent about the danger of insider threats to nuclear security, but the problem is complex and the dangers hard to measure.
"Sometimes governments assume, incorrectly, that they do not face serious risks," he said.
One worrisome example is Japan, he said.
"Despite the creation of a stronger and more independent nuclear regulator to improve safety after the Fukushima accident in Japan, little has been done to improve nuclear security there," said Sagan.
He added, "There is no personal reliability program requiring background checks for workers in sensitive positions in Japanese nuclear reactor facilities or the plutonium reprocessing facility in Japan."
Sagan explained that some Japanese government and nuclear industry officials believe that Japanese are loyal and trustworthy by nature, and that domestic terrorism in their country is "unthinkable" – thus, such programs are not necessary.
"This strikes me as wishful thinking," Sagan said, "especially in light of the experience of the Aum Shinrikyo terrorist group, which launched the 1995 sarin gas [chemical weapon] attack in the Tokyo subway."