Security of the nuclear infrastructure: the vulnerabilities remain strong

(The following commentary is written in response to the issues, raised in the public talk by Professor Sagan, discussing the insider threats to nuclear security at King's College London, 02.10.2014. The presented paper is available here)

A biometric key lock

An insider threat is your employee or a colleague. They may deliberately cause harm to fellow human beings and the organisation.

Why should it be a priority?

To answer this question and understand the scale of the threat, it is interesting to see how a problem manifests itself in other areas as well. Here it is considered in relation to the cases in cyber security and nuclear security.

The PwC report notes that cybercrimes happen so frequently, according to the stats, because the systems are rather vulnerable to the insider attacks. The greatest reason for a concern is that some of the organisations simply do not have a strategy for dealing with insider threats. This news is very disturbing, particularly due to the threat posed in particular instances, like in case of Manning 2010 and Morrisons 2014. These cases have little in common, but they demonstrate how grave the outcome can be, both for the organisations and the greater environment. In the first example, the authority and legitimacy of certain actors are compromised on an international scale, and in the second case, the general public falls victim to the crime committed by the insider accomplice from a business organisation.

Also, Bunn and Sagan (2014) state that the theft crimes in a nuclear industry are frequently to be due to the insider access to nuclear facilities. The nuclear facilities generally struggle to "understand and protect" itself against the threat. This point, about the lack of understanding, is crucial to resolving the security problem but it fails to acquire anyone's attention. For example, some security specialists attending a EUCERS Conference have discussed the terrorist attacks in the energy sector. One attendant asks the panel about the likelihood of a terrorist attack to be directed at the nuclear power plant. The panel replies that the nuclear plants are genrally highly protected, so in their view, the terror attack is not likely to succeed. However, neither of the members had considered the insider attack. These specialists have shown an overwhelming belief that nothing can actually be a threat to these facilities.

Steps to take

There are several scholars addressing the issue of insider attacks in a coherent manner. Scott Sagan, a highly distinguished nuclear research specialist, has given several talks about the worst practices of not tackling the insider threat. Overall, the list of lessons amounts to 10, and the message of each is not to ignore the warning signs. Certainly other specialists like Moore, Capelli and Trzeciak (2009) note that almost all of the insiders are noticed for acting suspiciously by their co-workers and supervisors prior to the attack.

Yet, there is this tendency not to notice the "red flags". A rational perspective demonstrates why it is so. A Person A notices some Person B acting inadequately at work. The Person A is not alarmed because Person B may be subject to a temporary destabilising factor. The early reporting is likely to bring Person A a greater anxiety and dissatisfaction, due to the low motivation (weak signs of disruptive behaviour by Person B) and the fear of a worst-case scenario (others don't treat Person A's concerns seriously- social rejection and no action taken). In other case, a less likely one, Person A decides to report an incident to the higher manager. At this point, an organisation finds the calculated risks to be minimal, because the likelihood of a dangerous activity, conducted openly, is very low (the lovely reasoning of general statistics).  Hence, the situation turns into a simple risk-taking model: a person is more likely take greater risks in order to reap happy benefits (no effort made to address an unlikely threat), instead of choosing a low-risk strategy with low benefits (concerns taken seriously).

This trend needs to be reversed, both on an individual and a large-scale levels. Person A needs to be more aware and think about the situation, aware of potential risks. What if the Person B is a dangerous person? The worst-case scenario is a brain's favourite game. Nevertheless, the range of outcomes is simple: it is EITHER that the Person A ignores Person B's actions and leaves it OR acts upon their suspicions and prevents the possibility of a disaster.

Security is not a matter of just somebody else's concern, it is everyone's responsibility. No one wants to be the victim of other person's ignorance. No one wants to work at an insecure nuclear facility.