Testimony of POGO's Danielle Brian before the House Subcommittee on National Security, Emerging Threats and International Relations regarding Nuclear Security: Has the NRC Strengthened Facility Standards Since 9/11?
The Government Accountability Office (GAO) report that you commissioned, “Efforts Made To Upgrade Security, but the Nuclear Regulatory Commission’s Design Basis Threat Process Should be Improved” (GAO-06-388), is shocking and confirms what POGO has been alarmed about for the past three years. It details the inappropriate influence of the nuclear industry on the Nuclear Regulatory Commission (NRC)’s Design Basis Threat1 process:
- The nuclear industry is allowed to lobby the NRC security staff to lower the security standards recommended to the Commission; and
- The NRC Commissioners removed commonly-used weapons from the DBT, including RPGs, 50-caliber rifles with armor-piercing rounds, and other weapons. They also reduced the size of the truck bomb necessary to defend against, and minimized the impact of an active insider helping the terrorists, because industry claimed it was too expensive for them to protect against such a threat.
The result of this process is a completely unrealistic DBT that reflects not what intelligence estimates dictate but, instead, what industry is willing to pay for. Because of the lowering of these security standards:
- At one site where the GAO observed force-on-force tests, “the site’s ability to defend against the DBT was at best questionable ... . Some or all of the attackers were able to enter the protected area in each of the three exercise scenarios. Furthermore, attackers made it to the targets in two of the scenarios ... .” (p. 40)
- At one site, the mock attackers “were able to destroy three out of four targeted components ... .” (p. 57)
- At one site, a site had not included the control room or spent fuel pool among its targets. (p. 58)
- Two-thirds of the NRC security inspection reports and nearly 50% of the force-on-force inspection reports “identified problems or items needing correction.” (p. 40)
It should be understood that there remain significant artificialities in the NRC’s security tests:
- In a real terrorist attack, the terrorists would have three major advantages: speed, surprise and violence of action. Not one of these are tested in force-on-force tests;
- These tests are still scheduled and announced 8 to 12 weeks before they occur – giving the security force ample time to prepare. Furthermore, the GAO found that the security force can tell within minutes at what time the test will begin;
- The referees, or controllers used for these tests, whose task is to determine who “lives” and who “dies” were sometimes volunteers from the plant with no security experience at all;
- At approximately half the sites, the mock attackers and the security force they are testing are employed by the same company, Wackenhut. How can the public have faith in a system with such an obvious conflict of interest?
- Even with these weaknesses, the GAO also found evidence of behavior that some might call cheating. The GAO wrote that during one test it observed:
... a lapse in protection of information about the planned scenario for a mock attack that we observed may have given the plant’s security officers knowledge that allowed them to perform better than they otherwise would have ... . (p. 12) For example, during a safety “walk down” ... a site employee made motions that may have alerted security officers to the targets the adversaries would be trying to reach that evening. (p. 43)
Imagine. This is happening on a test they KNOW is being audited by the GAO.
Why is this important? As the GAO pointed out, the 9/11 Commission confirmed that “nuclear power plants were among the targets considered in the original plan for the September 11, 2001, attacks.” I suspect that is not news to the members or staff of this committee. What might surprise you though, is this: Just last year, several years after the 9/11 attacks, NBC News asked the Nuclear Energy Institute spokesman about Mohammed Atta’s plans to target what is now believed to have been Indian Point. His reaction? He said he had never heard of Mohammed Atta. The impact of this ostrich-like approach to the homeland security needs of our country permeates the nuclear community – both the industry and its captured regulator, the NRC.
Perhaps the most important evidence that the NRC remains in denial is their decision to require nuclear power plants to protect against only a handful of terrorists. This decision is based on the assumption that only one terrorist cell, acting alone, would attack a plant. The GAO explains that the NRC believes “multiple cells along the lines of the September 11, 2001, attacks would not necessarily target a single nuclear power plant” and therefore the plants do not need to protect against more than a handful of attackers. [emphasis added] There is no explanation why the NRC comes to this conclusion, despite historical evidence that multiple cells of terrorists were used collectively on 9/11. Inexplicably, the NRC is confident they do not need to require nuclear power plants to be protected against a similarly-sized attack. The GAO points out that the Department of Energy (DOE) relied on the same intelligence as the NRC when determining their DBT. In comparison, the DOE requires their facilities to protect against an attacking force THREE TIMES that required by the NRC, and against the weapons rejected by the NRC – and their security is also provided by a private force. The difference in the two agencies’ processes is that the DOE does not have an industry lobbying them to lower their standards.
The GAO relates the NRC’s conclusion that it is not valid to compare NRC and DOE sites. The NRC argues that terrorists attacking a DOE nuclear weapons facility would be more heavily armed because they have to get both into and back out of a facility with a nuclear weapon or Special Nuclear Materials, while they argue terrorists attacking a nuclear power plant would be suicidal in their attempt at radiological sabotage. As you know Mr. Chairman, this is ill-informed. The biggest threat to DOE facilities is a suicidal attack to detonate an improvised nuclear device (an actual nuclear detonation) without the intent to come back out alive. Therefore, while the consequences of an attack on a DOE facility may be far greater than at a nuclear power plant, there is no reason to believe the terrorists would come more heavily-armed or in greater numbers than when attacking a nuclear power plant. Security analysts believe a serious terrorist attack on a nuclear plant would involve no less than a “squad size” of adversaries (12 personnel for U.S. Army Special Forces; 14 personnel for Navy SEALs).
In addition to requiring nuclear plants to protect against only a handful of attackers, the NRC’s DBT also continues to turn a blind eye to protecting against weapons well-known to be used by terrorists around the world.
The GAO reveals a shocking level of influence by the nuclear industry during the NRC’s process of determining these security requirements. The report reveals that the industry essentially gets two opportunities to lobby the NRC to water down its security requirements. First, industry is consulted by the NRC’s Threat Assessment staff. As the GAO wrote:
A number of the changes [to its initial recommendations] reflected industry objections to the draft. For example, following meetings with industry, the staff decided not to recommend including certain weapons in the list of adversary characteristics that nuclear power plants should be prepared to defend against. In its comments, the industry had pressed for NRC to remove such adversary characteristics from the draft DBT. The industry considered these adversary characteristics prohibitively expensive to defend against ... . [I]n our view the process by which NRC used the threat assessment staff to obtain stakeholder feedback created the appearance that changes were made based on what industry considered reasonable and feasible to defend against rather than an assessment of the terrorist threat, especially given the high degree of judgment involved in assessing threat information. (p. 10)
Even after this process, the NRC Commissioners voted to remove two more weapons from the list of weapons the plants must protect against, with no countermanding intelligence to justify the change. POGO wrote to NRC Chairman Diaz on February 22, 2006, raising our concerns about the 3-1 vote by the Commission to overrule the professional security staff, and to not require the utilities to protect the plants against the use of certain lethal weapons, including rocket-propelled grenades and 50-caliber rifles with API rounds. POGO wrote, “During a Special Forces mission in West Africa last year, Pentagon officials found that an RPG-4 could be purchased for less than $10 U.S. on the weapons market, and were available in large quantities in a matter of hours. This is equally true in South Asia. Pentagon officials have told POGO that getting shipments of RPG’s into the U.S. would be surprisingly easy.” As the GAO described, “[R]emoval of weapons from the revised DBT was significant because of the strength of the NRC staff’s intelligence analysis supporting their inclusion.” (p. 28) I’d like to submit POGO’s letter to Chairman Diaz for the record.
NRC Commissioners watered down the original staff-proposed security standards based on the belief that they can only ask of the nuclear industry what can be expected of a private security force. POGO believes this is backwards logic. Security professionals should determine the security threat, and then determine what is required to meet that threat. If it is concluded that private forces cannot adequately protect the facilities to the standards set by the intelligence community, then it is the government’s job to step in, at industry’s expense, to figure out how to meet that threat. Currently, no one is accepting this responsibility.
This dichotomy – between the threat and standards required by the NRC – all comes down to money. This is not a debate over what the intelligence community believes, it is a debate over how much the nuclear industry should have to pay. As the GAO pointed out:
NEI argued against the inclusion of a number of weapons. For example, NEI wrote that (1) one particular weapon recommended by the NRC staff would render the ballistic shielding used at nuclear power plants obsolete ... .
The significance of this point is that the nuclear industry is claiming they don’t want to have to protect against 50-caliber rifles (which have been around since World War I) with armor-piercing rounds because they would then have to acknowledge that their bullet-resistant enclosures can not protect against these weapons. As a result, one of their primary defensive measures – ballistic shielding around these enclosures – would be rendered useless. So rather than addressing the potential vulnerability, the NRC – at NEI’s behest – caved in and pretended these widely-available weapons and ammunition do not exist in their world.
To continue, the GAO found that:
... (2) another proposed weapon would initially cost $1 million to $7 million per site to defend against, with annual recurring costs of up to $2 million per site ... . In the final draft submitted to the NRC commissioners, the NRC staff removed a number of weapons NEI had objected to. . . . The NRC staff did not remove one particular weapon NEI had objected to, which, according to NRC’s analysis, has been a staple in the terrorist arsenal since the 1970s and has been used extensively worldwide ... . [T]he NRC commissioners later voted to remove this particular weapon.
We believe this weapon to be rocket-propelled grenades (RPGs). In an unclassified film created by the DOE, “Systems Under Fire,” they outline the relative ease with which RPGs can destroy traditional shielding. They also show a relatively inexpensive defensive measure – pre-detonation screens – that the industry should be required to adopt which would effectively mitigate the lethality of these weapons.
The NRC continues to operate under a 1967 policy that the nuclear industry is not responsible for protecting the plants against “enemies of the state,” including airborne attacks. This policy was formed because of a concern that Cuba might attack a Florida nuclear power plant. This paradigm is entirely out of date. It is clear that Al Queda is at least as capable of generating as large an attack as Cuba. But more practically, what does this distinction mean? Are security officers expected to demand passports from attackers as they flood through the fence? If it is determined that the attackers are “enemies of the state,” how long will it take for outside law enforcement to get there? DOE timelines suggest it will take approximately 1 ½ to two hours for SWAT teams to be assembled, gather their equipment and weapons, be transported to the site, get briefed on the status of the attack, and engage. The problem is that these attacks are expected to take between three to eight minutes before they are won or lost. If the private security force isn’t responsible for handling such an attack, who will be there to take on that responsibility and protect the public from the consequences of a terrorist attack?
The GAO’s findings clearly reveal devastating discrepancies between current security standards at nuclear power plants and what is needed to repel a terrorist attack. It is clear that the public can not trust the combined efforts of the nuclear industry and the Nuclear Regulatory Commission to protect the them.
1 The Design Basis Threat (DBT) describes the level of threat the protective force is required to defend against – the number of outside attackers and inside conspirators, and the kinds of weapons and size of truck bombs that would be available to terrorists.