Information Sharing, Standards and Best Practices, and Security Culture

3 downloads 79 Views 952KB Size Report
recommendations on information sharing, standards and best practices as well as security ...... Republic of Korea, the United States committed to hosting a Nuclear ...... and implement security culture in all relevant domains remain largely ...

FMWG Working Group Report

Information Sharing, Standards and Best Practices, and Security Culture

Content Introduction & Work Process Topical Area I: Information Sharing   

The Public as a Nuclear Security Stakeholder Notes and Observations on Information Sharing Engaging Journalists to convey priorities and Messages in Front of the 2016 Nuclear Security Summit

Topical Area II: Standards and Best Practices  

Improving Implementation of Information Exchange Forecasted in International Law Moving Towards Effective Nuclear Security Standards and Their Implementation

Topical Area III: Security Culture 

Nuclear Security Culture

Discussion Recommendations

FMWG Working Group, 20 April 2016

FMWG Working Group Report

Information Sharing, Standards and Best Practices, and Security Culture

Introduction The FMWG (Fissile Material Working Group) established in August 2014, a working group to provide recommendations on information sharing, standards and best practices as well as security culture, to feed into the Nuclear Security Summit (NSS) process for consideration as recommendations of the Summit, and with the prospect of subsequently being implemented. The Recommendations were developed in consideration of the 5 priorities that were published by the FMWG in August 2014. Effective nuclear security is an essential component in the implementing and management of a peaceful nuclear programme. Such programme may contain nuclear power plants, fuel cycle facilities, research establishment and the use of radioactive sources in non-nuclear applications such as medical therapy and industrial measurement. The use of uranium for nuclear fuel, radioactive isotopes for medical uses and in industry is always associated with a license that stipulates radiation safety measures, and specific arrangements that may be required to ensure radiation safety, but this is not always the case for nuclear security. International nuclear security standards/guidance became available relatively recently, and the culture of applying them shows wide implementation differences. An example may be found in security arrangements for high-activity radioactive sources that are used for radiation therapy at hospitals, where security improvements are perceived to slowdown the treatment of patients and also slows down implementation. Furthermore, a relatively large number of transports with radioactive sources and nuclear material take place regularly. The IAEA Illicit Trafficking Database collect official State-generated information of nuclear security incidents, including but not limited to losses, thefts and other unauthorized uses of nuclear material and radioactive sources. This information reports that a nuclear trafficking incident occurred, but without specific and detailed information. The trafficking reports are coordinated with reports to the IAEA International Nuclear and Radiological Event Scale reporting system, which is relevant when there is an incident or accident (irrespective its cause) with actual or radiological consequences. There is a need for better understanding of and more information about nuclear security, security events, standards of performance and implementation to reassure a broad range of stakeholders, including the public. This requires a) more information, and b) a differentiated approach to information sharing through various channels that are appropriate to a given audience. Media is the prevailing channel for nuclear security relevant information to the general public, a channel that highly depends on access to information and its quality. It is recognized that nuclear security -1-

sometimes contains highly sensitive information and that this requires a balance between making information available and protecting the sensitive items from disclosure and inappropriate access. The responsibility to protect nuclear and other radioactive materials from the hands of terrorists or criminals’ rests entirely with the country in which the material is used. The approaches and measures implemented are established in national regulatory systems. Obligations made in international treaties and agreements are normally reflected as requirements in the national regulatory system. Recognizing that a serious nuclear security incident would have global consequences, the international community has been involved in strengthening the legal basis for nuclear security. The Nuclear Security Summits have given highest priority to universal implementation of the Convention on the Physical Protection of Nuclear Material (CPPNM), its Amendment and the International Convention on the Suppression of Acts of Nuclear Terrorism (ICSANT), in parallel with UN Security Council Resolution 1540 of 2004. These legal instruments recognize principles for national implementation and identify offences that are to be punishable according to national law. The IAEA develops and publishes nuclear safety standards and nuclear security guidance1, to help States implement a nuclear security regime. Further guidance or recommendations are published regarding suitable measures to implement. The standards or guidance issued by the IAEA are voluntary for any Member State to implement. The international nuclear security regime has significant gaps: there are no binding standards, no built-in peer review process and no mechanism to assess and improve the system as a whole. IAEA International Physical Protection Advisory Service (IPPAS) missions, as requested by States, are intended to guide a State to establish and maintain effective nuclear security, including physical protection at facilities and locations. Although the subscription of this service has increased, the desired potential to strengthen the standards and build confidence, both regionally and with the public, has not been realized. Other international standards and review systems, e.g. that of ICAO for aviation safety and security, take a different approach which may be a useful example for the nuclear sector. Safety, security, and safeguards are insufficiently integrated. Security culture underpins an effective nuclear security regime. It requires regular information, effective technical and performance evaluation. It is most effective when it is comprehensive, spanning across the state level, competent authorities, operators and other stakeholders. Under the current nuclear security regime, certified education and training is neither required nor implemented. Under the current arrangement, there is scant integration of security culture development and promotion across the chemical-biological-radiological-nuclear (CBRN) spectrum. The issues of information-sharing, standards, and security culture are all deeply interconnected. For example, without sufficient information there can be no effective security culture: security culture relies on knowledge of credible threats and effective responses. This knowledge base cannot be built if the requisite information is not shared.


IAEA Nuclear Security Series,


The FMWG Working Group Anita Nilsson, AN&Associates, Chair Members: Wyn Bowen, Kings Colleague, London. Roger Brunt, independent consultant;, Pablo Garcia, Sandia National Laboratory; Miroslav Gregoric, independent consultant; Igor Khripunov, University of Georgia; Peter Rickwood, independent consultant; Maria Sultan, South Asian Strategic Stability Institute (SASSI); Sharon Squassoni, Center for Strategic and International Studies. Cindy Vestergaar, Danish Institute for International Studies; Timur Zhantikin, the Atomic Energy Agency of Republic of Kazakhstan. Observers; Leslie McNiesh, FMWG, and Anya Loukianova, Stanley Foundation.

Work Process Members of the working group provided input on a sub-set of topics that were agreed to be essential for the overarching objective of building confidence that nuclear security is implemented effectively. Contributing subjects include Information Sharing, the availability of effective Standards and Best Practices as well as a broadly implemented Security Culture. The contribution of information depends on its timely provision and in sufficient quantity, at the same time maintaining confidentiality of sensitive information. Members of the working group gave written contributions that were subsequently discussed in meetings with the working group and through conference calls and information exchange. The draft documents provided are included in this report. The working group met twice; in Washington 17-18 February and 23-24 March 2015, to discuss the topics of the working group and recommendations to provide to the FMWG for further processing in contribution for up-to-date input for the Nuclear Security Summit process. Recommendations for action within the three topical areas discussed by the Working Group were outlined and agreed upon. Those recommendations were submitted to FMWG in April 2015. The issue of information sharing was further developed with a view of promoting sharing of information. Stanley Foundation called on members of the working group to contribute to a policy brief on the subject, with a Nuclear Security Information Matrix to help in identifying information of nuclear security value and of value in efforts to build confidence regarding effective nuclear security. A report; Improved Nuclear Security through Information Sharing was developed2.



Topical area I. Information Sharing FMWG priority 2: Share Information to Build Global Confidence The basic core question of information sharing relates to whether there is sufficient information available (quality and quantity) to build confidence that all nuclear and other radioactive materials is adequately protected to ensure effective nuclear security. This include information on: a) Nuclear security incidents and national processes, including law enforcement processes related to the follow-up of nuclear security incidents, e.g. illicit trafficking cases or incidents at nuclear facilities or locations. b) Regulatory systems and policy for the national nuclear security regime, in the cases there is a regime, its establishment and implementation. c) Effectiveness of the national system, which includes information related to implementation of agreed international standards and guidance, results of national and other expert evaluations and accountability of competent authorities and operators. d) International cooperation, including from international peer reviews, e.g. IPPAS or operator-to-operator interaction and review. Participation in international initiatives and processes. e) Information required to build confidence; internationally, regionally and national. Cindy Vestergaard, Peter Rickwood, Wyn Bowen and Igor Kripunov contributed draft documents for discussion.

Contribution I:1

The Public as a Nuclear Security Stakeholder Dr. Igor Khripunov Commonly referred to as “civic society” or “the public,” this element embraces a diversity of interests, capacities, perspectives, and institutions of varying degrees of formality, autonomy, and influence. Civic society normally includes charities, nongovernmental organizations, community groups, professional associations, trade unions, self-help groups, social movements, business associations, coalitions, and advocacy groups. Their boundaries overlap, and their agendas may conflict on specific issues. But one issue where they may find consensus is on collaborative efforts to ensure nuclear safety and security and prevent nuclear terrorism. Nongovernmental and academic communities are in a position to strengthen nuclear security culture as a societal value. They can offer expertise and resources to help concentrate government and industry efforts on pressing matters such as screening nuclear facilities and materials, as well as managing the risk of nuclear terrorism. They have the opportunity to develop innovative solutions while bolstering public awareness and acceptance of the need for measures to enhance nuclear security. Grassroots movements can also lobby their governments to take part in relevant international agreements and arrangements, advocate speedy ratification of international instruments by national parliaments, and debate proposed government policies. Religious organizations are in a position to explain the ethical dimensions of combating nuclear terrorism and can help local communities contribute to nuclear security. In the event of a nuclear terrorist incident, they can also supply crucial assistance in reducing the physical and psychological impact of such an event. -4-

Finally, the independent media plays a vital role in keeping the public informed, and has the responsibility to communicate accurate, reliable, and verifiable information. Due to terrorists’ dependence on the media to influence a population, the media has to perform a careful balancing act between commercial interests and good citizenship. Relationships between organizations and the public are typically built in three sequential stages: f) Public Communications: This is a one-way process, with information flowing from the organization to the public with the goal of education. g) Public Outreach: This is a proactive campaign whose goal is to respond to emerging concerns. h) Public Involvement: This is usually an ongoing, mutual relationship whose goal is to enlist the community as a partner with the organization. As an organization embarks on a public-awareness campaign, it may have to move through all three stages over the long term. An educated public may want to raise concerns that need to be addressed through outreach. Some outreach activities may in turn mature into partnerships. However, outreach and involvement programs cost time and money and must be sustainable over the long term. Therefore, organizations should not embark upon such programs lightly. Public communications. Organizations should consider what information they can usefully provide about nuclear security, either directly to the public or through the news media. Specific security arrangements obviously cannot be divulged, but related information can be very helpful. That there is a threat and the organization has reviewed and tightened its security precautions is beneficial information. Public communications can encourage the public to remain vigilant while taking an interest in security and self-protection. The airlines following 9/11 are one industry that has communicated effectively with the populace. Aside from information specific to certain organizations or facilities, more general information about threats and developments in other areas of the world could be useful to the public. Government institutions, specialized advocacy groups, and other interested parties such as universities generally carry on such communications. The more attention paid to these issues in the public arena, the stronger the overall nuclear security regime will be. When information about nuclear security is communicated to the general public, people working inside the organization must be candid. Disclosing partial information, or spinning the facts, fans perceptions that the organization is being less than straightforward. Such perceptions estrange the facility from the populace while impairing the organization’s internal nuclear security culture. Conversely, an organization seen as being frank about nuclear security nourishes its own internal culture. Managers inside the organization should undergo media training to help them support public communications while acting as spokesmen in emergencies or crisis situations. The benefits of public-communications programs also apply to public-outreach programs. Publicoutreach programs are built around specific areas of interest of which the organization wants to apprise the public. Such initiatives should be undertaken when the site needs popular involvement with and support for specific aspects of nuclear security. Potential outreach forums and activities -5-

include educational courses and institutions, community roundtable discussions, distribution of printed materials, regular newsletters, and press briefings. Public-involvement programs should be created where there is a need for public input or partnership. In the field of nuclear security, this might apply to sites such as hospitals housing radioactive sources and medical isotopes. The public enjoys generous access to these sources, so changes to the security regime could have significant impact. Public involvement could also be beneficial during public hearings on building and licensing new facilities. As stated earlier, public-involvement programs cost time and money and must be sustainable, so the organization must have an interest in embarking on one. There could well be such an interest. Public support for nuclear technology, and thus for the site’s mission, would come under severe challenge if a serious security incident involving nuclear materials or radioactive substances occurred. Executed properly, public communications, outreach, and involvement build better relations, mutual understanding, and cooperation. Some specific benefits of public awareness include:  Making issues publicly visible, thereby heightening motivation within the facility staff.  Persuading ordinary people to remain vigilant and to report apparent attempts at diversion or theft of materials, unauthorized access, terrorism, insecure boundaries, breaches of security, or suspicious people or activities near facilities.  Concentrating the attention of media and government institutions on important issues, promoting questioning and review of site policies, eliciting support for improvements to the site.  Disseminating information in the belief that an informed public will “do the right thing” and is less likely to panic in an emergency. Global challenges demand global responses. Preparedness for nuclear or radiological terrorism must involve the civic society in developing public resilience, preparedness, and participation. The public must no longer be looked upon only as victims or panicked masses, but rather as an ally.

Contribution 2:

Notes and Observations on Information Sharing Wyn Bowen Question: How can the timely provision of information on, or in follow up to, nuclear security incidents by different stakeholders be enhanced in order to build confidence in nuclear security actors that relevant materials and sites are adequately secured? Timely information sharing related to nuclear security incidents can play a central role in the implementation of effective responses to and the development or enhancement of future mitigation measures, as well as generating confidence in those actors with direct responsibilities of some kind for nuclear security. The question of timely information provision vis-à-vis 'nuclear security incidents' is a rather broad one, and can be broken down into a series of sub-questions:


     

What do we mean by 'nuclear security incidents'? What is the purpose of sharing information, by whom and with whom? What do we mean by 'timely information'? What do mean by ‘confidence’? What are the incentives and disincentives for nuclear security actors/stakeholders to share information on nuclear security incidents in a timely fashion? Taking into account the above, how can information sharing on, and in follow up to, nuclear security incidents realistically be enhanced to build confidence in nuclear security actors? Questions: What do we mean by nuclear security incidents? Are we interested in 'nuclear security incidents' broadly defined or more narrowly?

The four main types of scenario generally covered by the definition of nuclear terrorism include:    

The theft and use of an existing intact nuclear weapon from a state arsenal The theft of fissile material to fabricate and use an improvised nuclear device (IND) The sabotage of a nuclear facility or transport to cause a radiation hazard The theft of a radioisotope to manufacture and use a radiological dispersal device (RDD) or radiation emission device (RED)

If we are interested in all four of the generic scenarios then there are clearly many potential types of 'nuclear security incidents' within this broad characterization that we need to think about, each of which will carry different requirements for and constraints upon information sharing. Examples of specific types of incidents within these four areas might include:    

Acquisition related (e.g. discovery of illicit theft or trafficking of nuclear/RA materials; interdiction of actual materials in transit) Cyber-security incidents Hostile surveillance Different types of physical attacks (e.g. employing an IND or RDD; against a nuclear facility)

There is of course a distinction to be made between civilian and military nuclear security incidents. Are we interested purely in the civilian sector? Or both? Should we cover scenario 1 (theft of intact weapon) given its low likelihood and the sensitivity of sharing information due to national security concerns surrounding nuclear weapons? Question: What is the purpose of sharing information, by whom and with whom? There are likely to be four general reasons for sharing information related to nuclear security incidents:    

Protection against theft, trafficking, direct attacks Recovery after an attack Short-term urgent lessons identified for future prevention (including restoring deterrence) and detection Longer-term non-urgent lessons identified for future prevention (including restoring deterrence) and detection -7-

There are also many different nuclear security actors/stakeholders with responsibilities for sharing or passing on such information and these will differ across scenarios. In general terms, because nuclear activities and those involving radioisotopes are licensed, the main stakeholders are likely to involve license holders, law enforcement bodies and security/intelligence agencies, the media and so on. Depending on the type of incident, information may best be disseminated to a broad audience as quickly as possible or it may need to be shared with a very small and targeted group; information sharing may need to occur just locally or nationally, or it may need to be communicated across borders. Question: What do we mean by timely information? The timeliness of information sharing will depend on the type of scenario and with whom the information needs to be shared and for what purpose. For example, with a successful interdiction of a smuggled radioisotope as part of a planned operation by a national law enforcement body where no-one is put at risk, then the timeliness of sharing this information with other parties is not likely to be measured in hours or even days. While one might expect this information to be shared across government and potentially with other friendly governments fairly rapidly, this is probably not going to be the case in terms of alerting the media or the public if there isn't perceived to be a good reason related to public safety, etc. There could also be very good reasons to keep a close hold of the information as part of investigating the incident thereby de-emphasizing the timeliness issue. Another example might include the theft of a radioisotope from a license holder by an unknown party. In this situation in order to increase the chances of successful recovery, then sharing information rapidly across all relevant parties, including the public, is likely to be appropriate. Question: What do we mean by confidence? Confidence may be understood as an evidence-based judgment concerning the intention and capability of a nuclear security actor to communicate relevant information on nuclear security incidents to other stakeholders in an effective and timely fashion. The capability to communicate in an effective and timely fashion may depend on others. Question: What are the incentives and disincentives for, and constraints on, nuclear security actors/stakeholders to share information in a timely fashion? Assessments of confidence will be influenced by perceived incentives and disincentives for timely information sharing, which will differ across stakeholders and the specific scenarios involved. For example, for license holders’ disincentives for timely information sharing related to a nuclear security incident might include a desire to avoid blame, reputation damage, commercial loss, etc. Incentives on the other hand might include being seen to be responsible, minimization of the impact, legal requirements, etc.


A key question is how disincentives for information sharing can be minimized and the incentives maximized?

Propositions/ideas In terms of developing realistic propositions/ideas for building confidence some things to bear in mind might include the following: Our aim could be to develop a set of ‘principles on sharing information on nuclear security incidents’; or to ‘sets’ of principles related to the sharing of information for specific reasons (1. protection against theft, trafficking, direct attacks; 2. recovery after an attack; 3. short-term urgent lessons identified for future prevention (including restoring deterrence) and detection; 4. longer-term non-urgent lessons identified for future prevention (including restoring deterrence) and detection) 

  

Any practical proposals related to sharing information on nuclear security incidents will need to take into account the incentives, disincentives and constraints associated with different nuclear security actors/stakeholders; can we develop a matrix here laying these out for different actor Information will need to be shared in a systematic and structured way so it is clear to digest and readily actionable if necessary by other parties, regardless of when it is shared Information should ideally be communicated via recognized, established channels with clarity regarding the types of actors to be informed in which circumstances and within set time frames The IAEA could play a more empowered and institutionalized role - what systematic data sets does the IAEA maintain on lessons identified relevant to all types of nuclear security incident beyond the ITDB?

Sharing information on nuclear security incidents should not cause unnecessary anxiety amongst the public.

Recommendation The proposal being put forward here is for a ‘joint statement’ for participants at NSS 2016 related to sharing information on nuclear security incidents. The example of draft statement below highlights the benefits and main existing multilateral channels for sharing information. It identifies some key principles related to sharing information and so on. DRAFT ‘Joint statement on sharing information on nuclear security incidents’: Timely information sharing on nuclear security incidents can play a central role in the implementation of effective responses to and the development or enhancement of preventive and mitigation measures. It can also generate confidence in those actors with direct responsibilities for nuclear security provision. 3 There exist several mechanisms through which information on nuclear security incidents are currently shared at the international level including the Incident and Trafficking Database (ITDB, IAEA), the International Nuclear and Radiological Event Scale (INES, IAEA) and Operation Fail Safe (Interpol). The greater the number of states and

Confidence may be understood as an evidence-based judgment concerning the intention and capability of a nuclear security actor to communicate relevant information on nuclear security incidents to other stakeholders in an effective and timely fashion. 3


organisations that actively participate in, and contribute information via these initiatives, the stronger the overall contribution will be to enhancing awareness and strengthening nuclear security provision on a global basis. There are many different nuclear security actors with responsibilities for sharing or passing on such information on nuclear security incidents and these will differ across scenarios. But in general terms, because nuclear activities and those involving radioisotopes are licensed, the primary actors, or stakeholders, will be the license holders themselves, law enforcement organizations, security/intelligence agencies, regulatory and oversight bodies, and the media. There are clear benefits to sharing information on nuclear security incidents among relevant stakeholders both within and across state boundaries:  

 

Sharing information broadens and deepens understanding of nuclear security challenges across relevant actors and, importantly, provides for multiple outlooks thereby adding additional valuable insights It can facilitate partnerships and enhance relationships between nuclear security actors both nationally and internationally, as well as assist with the development of modified or new responses to existing and emerging challenges Sharing information can contribute to performance monitoring thereby building confidence in those actors with responsibilities for nuclear security The development of information sharing protocols between actors can facilitate secure sharing of information and govern the secure use and management of that information The timeliness of information sharing will depend on the scenario and with whom the information needs to be shared and for what purpose. Depending on the type of incident, information may best be disseminated to a broad audience as quickly as possible or it may need to be shared with a very small and targeted group; information sharing may need to occur just locally or nationally, or it may need to be communicated across borders. Regardless of the above several principles should govern the sharing of information on nuclear security incidents:

        

It should always involve information of practical use, the sharing of which provides clear benefits The information should be easy to understand and to access by relevant actors The information shared should be as complete and as current as possible but within any constraints based on security sensitivities Information needs to be shared in a systematic and structured way so it is clear to digest and readily actionable if necessary by other parties, regardless of when it is shared Providers of information should have confidence in how it will be shared and used Information sharing must comply with extant legal frameworks and requirements Information sharing must comply with local/national needs to protect highly sensitive information related to potential nuclear security vulnerabilities and mitigation measures Sharing information on nuclear security incidents should not cause unnecessary anxiety amongst the public Regional approaches to information sharing should be adopted where these complement existing multilateral mechanisms such as ITDB. One vehicle for this could be regional Centres of Excellence Where possible constraints on information sharing should be loosened to realise the benefits identified above. This may involve:

    

Replacing ad hoc information sharing arrangements with established processes for information sharing Avoiding the late provision of information or the sharing of information of insufficient detail to be useful Avoiding poor communication between relevant organizations Avoiding a silo approach to information where organizations to do not take into account the potential relevance of information to others, or are generally reluctant to share information Reducing disincentives to share information based on avoidance of blame, reputational damage and commercial loss.

- 10 -

Contribution I:3

Engaging Journalists to Convey Priorities and Messages in Front of the 2016 Nuclear Security Summit Peter Rickwood

Introduction The proposals brought forward in this contribution is based upon: 1. The potential contribution of an informed media to establishing nuclear security as a societal value - by stimulating public debate and broadening understanding 2. Satisfying the curiosity and meeting the needs of journalists by providing them with the knowledge and tools that will permit them to cover the subject accurately 3. Effective and proven means to support journalists – to be delivered in series of regional workshops 4. The opportunity to meet the latent curiosity of journalists in nuclear technology and science and help them overcome their frustration at not better understanding the issue 5. Using the ‘news hook’ of the 2016 Security summit as a means to create further relevance for reporters in the subject of nuclear security. 6. Taking a holistic approach to explaining nuclear science and technology in introducing journalists to the subject of nuclear security

Background Journalists are information multipliers and recommendations for best practices to the 2016 Nuclear Security Summit that propose better informing a general audience about nuclear security related issues would be well served by active engagement with media workers. Coverage of two recent major nuclear security incidents, the theft and subsequent recovery of a cobalt 60 source in Mexico in December 2013 and the arrest of seven alleged smugglers of Uranium in Moldova in December 2014 indicate there is significant media interest in such events. However, such reporting is rarely framed in the context of broader efforts to improve nuclear security and the subject is not well understood. Journalists continue to conflate nuclear security and nuclear safety. While the importance of nuclear safety is familiar to the public – in fact the involvement of the public is widely acknowledge as a means to maintain it - there is in general meagre discussion about nuclear security and information sensitivity has kept it at arms-length from journalists and their public.

Journalistic curiosity By default, and learned through experiences, there is keen curiosity among journalists about nuclear related issues and there is a strong desire to develop the competence to better cover nuclear news. One recent example is a workshop for journalists based in the Middle East Region, who attended in November 2014, a workshop in Amman, Jordan, to learn more about prevailing nuclear issues. - 11 -

Journalists expressed frustration at feeling unqualified to cover the nuclear story - in particular security related issues. Atomic Reporters, an independent non-profit organization, incorporated in Canada and operating from Austria as an international NGO, organizes workshops and provides online resources for journalists. Its workshops have been co-organized with the Vienna Center for Non-Proliferation and Disarmament, the Stanley Foundation, CNS Monterey and the Arab Centre for Security Studies. The conclusion drawn from several workshops is that the appetite of journalists for information and tools that provide them with more authority to bring to nuclear related issues in general, would appear to be an opportunity to build a nuclear security cornerstone among media. The following is an outline of a proposal to develop a series of activities engaging media workers in the run up to the 2016 Summit. This represents an investment in raising long term understanding of nuclear security among media workers but also the possibility of demand for more reporting, transparency and accountability to regulators and others.

Proposals for a programme of activities for media representatives The focus on nuclear security will require broad background for journalists about nuclear science and technology in general. Hence if courses are offered they will need to be of two to three days’ duration and the views of a number of experts will be required to provide context. A foundation course approach, a 101, according to their feedback, has proven very useful to journalists, whether veterans covering nuclear issues or newcomers to the subject. Such an approach also provides the flexibility to tailor a variety of responses that circumstances may provide. There is discussion about involving journalists as players in future Convex radiological emergency exercises. The scenario of the last major exercise was based on two fictitious RDD events in Tangiers. An FMWG workshop could be an introduction to such an exercise for journalists In order to establish their integrity, the workshops should be offered to journalists on an independent basis, not by governmental organizations. They would best serve their purpose by being provided on a regional basis globally. Overall such a process would make a long term contribution to nuclear security by establishing peers among journalistic communities and engendering debate. In the journalistic community there is increasing emphasis on evidence based reporting and a growing system of oversight – so-called fact checking. Journalists do not wish to be ridiculed by ‘getting it wrong’. If they do not understand a subject, they are unlikely to be able to adequately cover it and will certainly not raise questions or challenge claims. A critical and well-informed media appears to be an important component in advancing public awareness about nuclear security. But it will take development and nurturing to achieve it. Such an undertaking is achievable.

- 12 -

Building competence Journalists who have participated in “educational” workshops have stated that the information they received enabled them to file stories they would previously not have been able to write. The workshops have been recognized for their focus on substance, from the applications of the discovery of fission, the evolution of non-proliferation legal instruments, responses to accidents and improvements in safety. A challenge for building journalistic competence about nuclear security will be the means to provide frankness, a narrative, and anecdotal information. In order to report the subject adequately, journalists also require reliable independent sources – experts with whom they can make contact, who can verify and offer context. There is also the issue of advocacy to consider and if journalists are ready to take a more assertive approach to the subject. The journalistic mission is clear in supporting “the interests of journalists in obtaining better access to information relevant to the public.” Journalism, by its nature, cannot be respectful of the withholding of information that is important to the public. Better reporting in media can contribute to a more engaged public and more responsive policy. To raise the knowledge of journalists of the CPPNM and amendments, ICSANT, UNSC Resolution 1540, will require opportunities for them to obtain a comprehensive view of the challenges faced by nuclear security. Familiarity with the various legal instruments provides substance for journalists to grapple with the issues, and knowledge about them may prove valuable to future reporting addressing nuclear security issues. A journalist is more able to obtain information if she or he can cite a state’s commitments to a legal undertaking.

Long term This is not a short term proposal – if nuclear security is to become as familiar to the public as nuclear safety, a continuing engagement with media will be required and a recognition of the need to share non-sensitive information with the public through media. The undertaking should not end when the next summit is over. The following will be required to ensure a successful outcome of any program established to work with journalists:   

accessible and articulate experts who are willing to engage with journalists information resources in various languages, on line as well as fact sheets and updates funding to support a multi-year program

- 13 -

Consideration should also be given to providing support for journalists to undertake independent investigative reporting. With media employing fewer specialist reporters there has been growth in organizations such as ProPublica4and the Independent Journalism Foundation5. Bursaries and scholarships are other means to support journalists and encourage their development of knowledge about nuclear security. If funding was available, a steering committee of senior journalists from a number of major media organizations, could be established to provide recommendations and oversight of programs for journalists.

Experiences from the press-campaign 2003 on the security of radioactive sources In March 2003 the IAEA, with a number of other organizations, held an international conference on the security of radioactive sources in the Hofburg Palace in Vienna. It was supported by an international press campaign to raise awareness about the threat from the misuse of radioactive sources and the imperative to ensure their security. The result of the conference and the press campaign, in the wake of the shock of the 11 September attack in New York, was extensive reporting and discussion in global news media about “dirty bombs,” and commensurate expressions of public concern. At this time, twelve years later, it is not uncommon to hear a tone of cynicism and dismissal enter the response of even reasonably well informed lay persons when the subject of nuclear security is broached. This suggests that initial efforts to communicate the urgency of the need for improving nuclear security may have been successful but the narrative has become lost, and measures to sustain focus have been unsuccessful. There is needed now a completely fresh approach to communicating the issue, one that is more measured, that will lead to broader public awareness, involvement and empowerment. Information will be required to be provided for action and not consumption. ‘Report cards,’ and other performance metrics, currently unavailable for the implementation of nuclear security measures, should be considered a goal worthy of pursuit. News media would be a willing partner in communicating such information if it was made publicly available. Even in the absence of initial support from governments, international organizations, industry and other players, the institution of a public accounting system for measuring nuclear security achievements would generate significant interest. The lack of involvement from stakeholders in such a system would also provide a focus for news media. Such an initiative more than a decade away from post 9/11 anxiety, that seeks accountability for nuclear security and encourages public involvement and oversight, is likely to better support the bid to strengthen nuclear security than the previous fear driven response.



- 14 -

Topical area II. Standards and Best Practices FMWG Priority 3: Implement Measureable Best Practices and Standards The role of nuclear security standards is recognized as of key importance in the process of establishing effective nuclear security. Standards clarify approaches, allocates responsibilities among the actors and provides performance goals. A process of translating international standards into national regulations is a normal way of implementing a global regime. Since about 10 years, the IAEA publishes nuclear security guidance, through a process of interaction with Member States that is not much different from that of developing and publishing nuclear safety standards. Questions that emerge vis-à-vis standards include; what are indicators of effective standards, how shall the standards be established, should they be mandatory etc. More recently, the concept of “Best Practices” have emerged, and the relationship between “Best Practices” and “IAEA Standards or Guidance” may not always be clear. In addition, language used in international standards, guides or best practices may not be easy to understand. In the security field, also regulations may be referred to as “sensitive”, which could limit openness. Normally, however, national regulations are open and the basic requirements for an effective nuclear security regime that enjoys confidence among the public and with neighbor States that the system is effective. In examining the existing international standards for nuclear security, the following questions were discussed.  Moving towards more effective nuclear security standards and their implementation; international standards or guidance, performance objectives, voluntary versus mandatory implementation. Monitoring progress of the Nuclear Security Summit Strengthening Nuclear Security Implementation (IAEA Nuclear Security Series: 20, 13, 14 and 15).  Assessing effectiveness of national nuclear security regimes through peer reviews, self-assessments and international evaluation missions.  Maintaining confidentiality of sensitive information, separated from information that may be legitimately shared. Cindy Vestergaard, Miroslav Gregoric and Roger Brunt contributed draft documents for discussion.

Contribution II.1

Improving Implementation of Information Exchange Forecasted in International Law Cindy Vestergaard

Introduction The nuclear security regime is governed by three international legal instruments: the 1987 Convention on the Physical Protection of Nuclear Material (CPPNM) and its 2005 Amendment; the 2007 International Convention on the Suppression of Acts of Nuclear Terrorism (ICSANT); and UN Security Council Resolution 1540 of 2004. All of these instruments encourage, but do not formalize, the exchange of information among States Parties and international organizations. Unlike nuclear safety and safeguards where information sharing and demonstrated governance are considered critical for building confidence (albeit confidentially), the responsibility for nuclear security is considered a matter of national sovereignty.

- 15 -

Accountability within the nuclear security regime is dependent upon the quantity and quality of information available to build confidence that all nuclear and other radioactive materials are adequately protected to ensure effective nuclear security.

Present status of information The CPPNM and ICSANT have provisions for developing guidance and for exchanging information, but the mandates and incentives weak. UNSCR1540 does require regular reporting from countries on how they prevent the spread of weapons and materials of mass destruction and their delivery systems, but compliance is uneven as is the quality. Accordingly, the nuclear security regime is limited in scope and enforcement, and functions both within and outside of the IAEA. While exchanges within national networks or supply chains may involve sharing security experiences, there are limited and intermittent exchanges with operators abroad. Industry associations however are beginning to take on the promotion of nuclear security such as the World Nuclear Transport Institute (WNTI) and its working group on nuclear security. Nuclear regulators in eight countries 6 did establish the International Nuclear Regulators Association (INRA) in January 1997, which brings together senior regulatory officials twice a year in for informal exchanges of thoughts and good practices. The association however is limited to these eight countries and the main purpose is to influence and enhance nuclear safety, not security. At the 2012 Nuclear Security Summit in the Republic of Korea, the United States committed to hosting a Nuclear Regulators Security Conference. In December 2012, the the US Nuclear Regulatory Commission (NRC) sponsored the first international regulators conference on nuclear security7. Regionally, there is the European Nuclear Security Regulators Association (ENSRA) which was established in 2004 with the goal of exchanging information on classified data between its member states regarding physical security of nuclear power plants, nuclear material and sharing best practices. ENSRA was modelled on a similar group of European safety authorities, the Western European Nuclear Regulators Association. At the IAEA level, interaction within the Conventions is limited. Parties to the CPPNM may or may not use the IAEA to communicate to each other their national points of contact with responsibility for physical protection of nuclear material and for coordinating recovery of and response operations. If an incident occurs, parties are required to cooperate to the maximum extent in the recovery and protection of nuclear materials. The IAEA could act as a clearinghouse in matching offers of assistance to needs, similar to the Convention on Assistance in Case of a Nuclear Accident, although this is not specified in the Convention. States Parties are also obliged to report to the treaty depositary on the laws and regulations it has adopted to implement the convention.

Canada, France, Germany, Japan, Spain, Sweden, the United Kingdom and United States. Note: the French regulator website says there are nine countries involved but does not list them. 6

The full list of participants is not available on the conference website. From the list of speakers, the following were represented: Australia, Austria, Belgium, Canada, Czech Republic, Finland, France, Georgia, India, Indonesia, Japan, Netherlands, Mexico, Pakistan, Russia, Spain, Sweden, United Kingdom, United States and the IAEA. See: 7

- 16 -

Entry into force of the 2005 Amendment of the CPPNM would expand cooperation between and among States regarding rapid measures to locate and recover stolen or smuggled nuclear material, mitigate any radiological consequences of sabotage and prevent and combat related offences. It would allow the IAEA to link its advisory and expert services to compliance with nuclear security standards domestically as well as during international transport. The Agency is encouraging more states to join the Amendment. In November 2011, it held a meeting on Facilitating Adherence to the 2005 Amendment to the CPPNM attended by 55 states and Euratom. The depositary of ICSANT is the UN Secretary-General. The UN Office on Drugs and Crime (UNODC) tasked with administering the convention and therefore it is not considered one of the IAEA’s family of treaties. The IAEA does have some treaty functions, specifically in cases where a state seizes control of radioactive material, devices or facilities as a result of an offence. It is also emphasized that a State Party must ‘make every effort’ to prevent the offences, and in that consider IAEA programmes and recommendations8, as well as health and safety standards. The state party must also inform the IAEA of how such seized items have been disposed and also can ask for assistance by the IAEA. The IAEA cooperates with the UN’s Counter Terrorism Implementation Task Force, especially on inter-agency coordination in the event of nuclear terrorism. The IAEA serves as the lead organization for the CTITF’s Working Group on Preventing and Responding to WMD Terrorist Attacks, which includes the World Health Organization, the UN Office for Disarmament Affairs, Interpol, the Expert Staff of the 1540 Committee and UN Development Programme. Meetings between these agencies however are not regularized. At the IAEA level, states can ask the IAEA to conduct an International Physical Protection Advisory Service (IPPAS) mission where the IAEA reviews the nuclear security legislation and regulatory structures and provides recommendations for strengthening them. Results of the assessment are kept strictly confidential between the IAEA and the host country; other IAEA members are not privy to even the generic principles and lessons learned. Canada, Hungary and the Netherlands have embarked in a different route and made non-restrictive parts of their reports available online. Civil society is also engaging in nuclear security, such as the World Institute of Nuclear Security (WINS) which was launched in 2008 as an international non-governmental organization. WINS organizes frequent events to exchange experiences and lessons learned and identifies best practices on nuclear security. WINS offers certified training for scientists, technicians and engineers; senior administrators and Board Directors, and for Executive Managers. In 2015, WINS will be expanding its certification to include Communicating with Civil Society, certification for Radioactive Materials Managers, for security programme managers, regulators and for transport security. Other civil society organizations such as the Fissile Materials Working Group (FMWG) and Nuclear Threat Initiative (NTI) also have efforts dedicated to nuclear security. The FMWG’s working group on Information sharing, standards and best practices, and security culture - which this document is a


Article 8: For purposes of preventing offences under this Convention, States Parties shall make every effort to adopt appropriate measures to ensure the protection of radioactive material, taking into account relevant recommendations and functions of the International Atomic Energy Agency.

- 17 -

part of - is working to provide recommendations to policy-makers on ways to increase and strengthen information exchanges on nuclear security. NTI has published two editions of its Nuclear Materials Security Index. Prepared with the Economist Intelligence Unit, the index fosters public discussion about priorities required to strengthen security and to encourage governments to provide assurances to take actions to reduce risks.

Target audience The objectives of greater transparency in nuclear security differ in scope and depth across a number of audiences. States and regulators may be willing to share some details in confidence between the IAEA and its members that it would not share with the public while information operators are willing to share within their national networks or supply chains they may not be willing to share with foreign operators. Maintaining public confidence in the nuclear industry is important to both industry and the state. Reputational risk is relevant to industry where failing to meet industry standards is not only embarrassing but could lead to commercial disadvantage, i.e. exclusion from particular markets or partnerships. A major loss of public confidence in nuclear facilities would challenge the nuclear industry as a whole where an event in one part of the world can impact all (i.e. Fukushima) and the role of regulators would be questioned in not only their development of regulations, but also oversight, implementation and employing skilled staff. It should be noted that there are many cases where it is the regulatory system that has to catch up with industry. The table below categorizes target audiences for information and related stakeholders.

Target Audience (Transparency to whom?)

Information (About What?)

Between operators

Best practices, security culture, 3S’ interface, vulnerability assessments, security plans, lessons learned, security as part of corporate sustainability

To regulators

To publics

Between countries

Interactions (in what fora?)

 National, regional and international networks,  Within companies’ supply chains  WINS, WNTI, WNA, WANO, INRA  centers of excellence  bilateral on-site visits  accreditations Implementation by operators European Nuclear Security Regulators Association, Euratom, ABACC, International and regional regulator conferences Effective regulation,  Public consultation in licensing system implementation and industry best  Engaging with journalists practice  Non-technical briefings and materials Legislation, regulations, licensing,  Regular UNSCR1540 reporting export controls, response,  Joint exercises forensics, law enforcement, illicit  Peer reviews trafficking cases lessons learned,  CPPNM Amendment threat/risk assessments

- 18 -

Additional information sources Other sources of information on nuclear security and responses to incidences can come from national intelligence and law enforcement agencies. This information would be shared through secured channels, but it is also crucial for agencies to provide timely information to the public and media to assist/support response actions and mitigate any safety risks. It is important to note that the starting point of security begins earlier in the fuel cycle than the starting point of safeguards. The IAEA has drafted a technical document entitled ‘Nuclear Security in the Uranium Industry’ that provides guidance to States, regulatory bodies and industry for preventing unauthorized removal of concentrated uranium as part of a complete physical protection regime. The document notes that security measures based on risk assessments and a graded approach should begin when uranium is being or has been concentrated, purified and transported.9 Safeguards for states with a Comprehensive Safeguards Agreement and an Additional Protocol however start at the point of uranyl nitrate (i.e. within or at the beginning of the refining/conversion process).10 The IAEA technical guidance on ‘uranium security’ is forthcoming in 2015. At the backend of the fuel cycle, materials in reprocessing and storage and disposal do have safeguards requirements. For reprocessing, the material is easier to verify than those in storage/disposal where the material is difficult or ‘impossible’ to access and therefore indirect verification is required. It should be noted that nuclear material continues to be subject to safeguards even after geological disposal, but it is unclear as to how much security information is shared at the backend, if any at all.

Suggestions The following lists activities and measures that would positively contribute to building confidence about effective nuclear security. 

  

More regularized meetings of international regulators, regional meetings for operators and regulators, o within supply chains o within industry associations IAEA outreach on security guidelines Between states, states could issue still confidential, but IAEA-wide versions of IPPAS mission reports that highlight lessons learned which has common interest. Add security to the IAEA’s Uranium Production Site Assessment Team (UPSAT) missions

9 Including the process of concentrating the uranium into intermediate forms of UOC, including ammonium

diuranate, (ADU) sodium diuranate and their refining into uranium trioxide (UO 3), uranium peroxide (UO4), and triuranium octoxide (U3O8). 10

Policy Paper 18, 2003.

- 19 -

The identification of and provision of information without compromising confidentiality of sensitive information The rationale against transparency in nuclear security is that confidentiality is necessary to make theft, sabotage or unauthorized access more difficult to undertake. Security also involves prevention along with deterrence, detection and response where the balance between sharing and restricting information may differ among them. Developing information sharing mechanisms on nuclear security will need to strike a balance between enhancing confidence and minimizing misperceptions without compromising proprietary or classified information. It will also have to take into account the interface with nuclear safety and safeguards. The line between them can be blurred, but also clarified if states, operators and the IAEA begin to share information. There are aspects of physical protection that can be shared without making measures ineffective. Operators for example could inform the public and foreign counterparts that they have security measures such as fencing, access controls and 24-hour CCTV that are routinely checked and monitored without getting into specifics on sensitive (or proprietary) operating systems, details of the exact number of cameras, where they are placed, etc. The following chart highlights areas where specific information could be shared and where it would be restricted based on prevention, deterrence, detection and response. The table below addresses the balance between open and restricted information. Policy Objective Information Sharing Information Restriction Prevention On identifying threats and solutions, Information security about systems, essential elements of a security plans, specifics of security plans is crucial developing risk assessments for defense Deterrence Strength of measures, approaches, Information on weaknesses in systems Detection Coordination of national or international Restriction on sources and methods libraries of materials (for nuclear for detection may be necessary forensics) Response Coordination of law enforcement Restricting some information about agencies preparedness can be a crucial defense (i.e.

Recommendation The Nuclear Industry should consider incorporating nuclear security as a part of their corporate sustainability to demonstrate how they operate ‘beyond compliance’ in ensuring safe and secure operations.

- 20 -

Contribution II:2

Moving Towards Effective Nuclear Security Standards and their Implementation Miroslav Gregoric and Roger Brunt The IAEA Nuclear Security Series provides international nuclear security guidance, based on identified performance objectives and fundamental principles. The Series takes into account obligations established in international nuclear security conventions and agreements. While the international conventions include mandatory obligations, the IAEA nuclear security guidance is voluntary for implementation. The Nuclear Security Summit in the Netherlands, 2014, gave important impetus for strengthening nuclear security implementation through the joint initiative by 35 countries; Strengthening Nuclear Security Implementation (IAEA Nuclear Security Series: 20, 13, 14 and 15). The IAEA Nuclear Security Series is drafted by experts from Member States; with several nuclear security guidance documents published, including Nuclear Security Fundamentals; NSS 20, Recommendations of Physical protection of Nuclear Material; NSS13, Recommendations on Security of Radioactive Material; NSS 14 and Recommendations on Security of Radioactive Material Outside Regulatory Control. The IAEA Board of Governors and Member States presently prefers to maintain the voluntary nature of the guidance, rather than moving towards a more mandatory implementation. After the serious accident that took place in Fukushima, Japan, additional voluntary measures were agreed among the State Parties of the Nuclear Safety Convention, but the measures remained voluntary rather than mandatory in a revised convention. As an example of the contrary, standards issued by the International Civil Aviation Organization (ICAO) are mandatory for Member States to implement, as a result of the ICAO statute which contain Annexes for processes to maintain effective safety and security standards for civil aviation. The example provided by ICAO may provide valuable incentives also for the making of international standards in nuclear security. Safety and security are unchallenged national responsibilities. The recognition, however, that if there is a nuclear security event with dispersion of radioactivity, there will be serious trans-boundary concern and societal anxiety of society. Such situation would affect the nuclear industry and the national economy. Thus, the long-term perspective for nuclear security should also be universal, with binding nuclear safety and security standards. The present situation with global warming may increase requirements on the nuclear industry to maintain power-production that is without a carbon-dioxide footprint. The Nuclear Security Summit 2016 provides an opportunity for Governments to be proactive; to strengthen nuclear security and to view the issue also from today’s perspective of climate change. Individual States subscribe to the trilateral Strengthening the Nuclear Security Implementation Initiative. At the Nuclear Security Summit in 2016, the success of the Initiative will be measured against the number of States having declared their intention to implement the Initiative and progress in their implementation. - 21 -

The first commitment of the Initiative, addresses the essential elements of nuclear security and how they are brought together in a national regime that is comprehensive, covers all radioactive materials including that which is out of regulatory control. Indicators of progress are to be found in States’ communications to the Director General of the IAEA as well as to the other States subscribing to the Initiative. The second commitment of the Initiative, to implement measures to secure nuclear and other radioactive materials, also material which is out of regulatory control will require more detailed information related to the regulatory system, allocation of responsibilities and how the vairous elements of the national nuclear security regime are coordinated and interfaced. Each State implementing the Initiative would communicate relevant legislation and regulations that are applicable for all users of nuclear and other radioactive material to ensure their control, protection and accounting. The communication should give special attention to the interface between safety and security and access to information of accounting of nuclear material. It should also provide information in relation to principles for security of radioactive materials in transport and to sustainability of the national regime, such as measures to ensure that staff are qualified and well educated and trained. The third commitment of the Initiative; continue to improve effectiveness of the national regime, may be achieved through a variety of measures, ranging from national assessments including of the completeness of the regime and performing regular controls, inviting international peer reviews, performing tests and exercises, follow-up on specific parts of the regime, e.g. transports and participating in facility-to-facility review and interaction through net-works, accounting of nuclear material as well as interfaces with safety. The third commitment will require increased transparency on measures taken, e.g. through the issue of an annual report at both national level and facility levels. Measures taken should be reflected in annual reports and policy documents that are made public. The fourth commitment of the Initiative; to ensure competent and accountable management and staff, is closely related with company policy and security culture. A culture that recognizes the need for security, is built up over a period of time and recognized by the executive body of the company or of regulatory body or competent national authority. The attention given to nuclear security by the governing bodies of national regulatory authorities and operators are indicators of the priority given to nuclear security and thus an indicator of sustainability of the regime that is implemented. Networks, policy documents and public reports should provide information that may give insight in how sustainability and effectiveness is ensured at national level as well as by operators. Another way to monitor progress in implementing Nuclear Security Series 20, 13, 14 and 15 of the States that have signed the Joint Statement and other States that have ratified the CPPNM is to request IAEA to provide an open data base of all national letters/submissions with information on legislation (laws, decrees, regulations) showing how they have transposed CPPNM and CPPNM Amendment into national legislation. According to Article 14, Paragraph 1of the CPPNM; "Each State Party shall inform the depositary of its laws and regulations which give effect to this Convention. The depositary shall communicate such information periodically to all States Parties." Having such a data base available at IAEA web site would assist other countries in drafting their own laws and regulations

- 22 -

and provide improved visibility and transparency of the subject to the public. Similar data bases may be found in other UN organizations like UNODC and UNSCR-1540 committee. There are good examples of national collaboration which have already contributed to effective nuclear security by raising and imposing collective standards. In particular, the enhanced collaboration between the Netherlands, Germany and the United Kingdom, in their multinational enrichment effort may give a good example that may be followed also in other areas. Another dimension of nuclear security guidance and safety standards is related to the introduction of new nuclear energy in some States, and connect the conditions imposed by vendors and suppliers of nuclear power generation technology to the process of introducing nuclear energy in newcomer States. Supplier nations will have considerable leverage in terms of fuel supply and technical support, giving them the opportunity to insist on minimum nuclear security standards. As more nations consider going nuclear, this presents itself as an important opportunity for the international community to raise standards.

Assessing effectiveness of national nuclear security regimes Maintained effectiveness of a nuclear security regime requires periodic review, assessment and tests. A quality control system may contain periodic assessments, “control stations”, and an internal reporting system of events. Tests and exercises will be essential for maintaining an effective response system. Likewise, structures to obtain specific technical support for equipment used in physical protection and for detection of radioactive materials in smuggling, will be required to handle difficult situations. At facility level, established policies for nuclear security will provide a company platform for measures that will be needed to maintain effectiveness in the security regime. Options to continue to improve effectiveness of the national security regime include: 1. National assessment of the effectiveness of the elements of the national regime. The assessment should involve all stakeholders, and be performed against NSS20. A periodic national assessment (e.g. on a 3-year basis), aim at reviewing the completeness of the regime; the different elements and how they are established in the legislative and regulatory system, how stakeholders involved and mechanisms established to ensure interaction and coordination. Recommendations for improvements, will be part of the assessment report. Follow-up of earlier recommendations will be an important part of the next assessment. 2. Regular control/tests of journals, databases and reporting procedures to maintain the established quality level, as part of the quality control system. Internal records of findings at these regular control points may be useful tools for follow-up. 3. Exercises and tests at both national and facility level, to test different parts of the security system; a. The physical protection system; testing its ability to provide a verified alarm of intrusion to get access to materials, sensitive technical systems or equipment and its robustness, e.g. through “force-on-force” exercise. Observers from other nuclear

- 23 -

facilities may be invited. Exercise records will have a particular value in the process of maintaining and improving effectiveness. b. Response measures e.g. after a theft, including procedures to exchange information, coordinate actions and introduce law enforcement. 4. Review of security of transports of nuclear or other radioactive materials. Transports are identified as a vulnerable element in the national nuclear security regime, and specific evaluation of the transport sector may be valuable. 5. International review, e.g. IPPAS review of the national nuclear security regime, should be performed at regular intervals, e.g. every 5th year. An international team, called to review the national regime, may focus on the national level, the national nuclear security regime. The review could contain visits to facilities/locations to obtain information of how the regime is implemented at the facility level. In particular, a review of the interaction between the operator and the regulatory and/or competent authority as well as stakeholders in the response system, e.g. law enforcement may be useful. It should be noted that much work and resources are required to turn the present IPPAS system into a review system for a national nuclear security regime. 6. Facility-to-facility review. Established in 1993, World Association of Nuclear Operators (WANO) helps its members accomplish the highest levels of operational safety and reliability. WANO has performed more than 500 operating station peer reviews in 31 countries/areas, including at least one at every WANO member station. Peer reviews are conducted in 4-year periods. WANO is a good example of networking within the nuclear industry and a way of exchanging information among facilities that may stand as a model also in the security field. 7. The World Institute for Nuclear Security (WINS) was established as an organization to help improve security of nuclear and high hazard radioactive materials, to keep them secure from unauthorized access, theft, sabotage and diversion. WINS provides an international forum for those accountable for nuclear security to share and promote the implementation of best security practices. It could also help organize peer reviews in nuclear security and promote the implementation of best practices. 8. Facility-to-facility networks. Establishment of networks within which facilities of similar nature may interact in an informal manner, with the sole purpose of exchanging information of common facilities/operators/locations that may benefit from learning from each other and discussing common problems or obstacles in maintaining physical protection. The network which provides useful exchange of practical information should be made widely available, but information that is exchanged through interaction within the network is be kept confidential.

- 24 -

IAEA may make more information available from its work in nuclear security, also general information resulting from the peer reviews of national nuclear security regimes. Over time, such information will be both promoting strong and effective nuclear security and building confidence among the public and neighbors. As a tool to improve transparency of non-sensitive information, such information would stimulate States in learning from one another and also to be encouraged to request IAEA IPPAS peer review. Also in this regard, nuclear security could learn from the civil aviation field. ICAO introduced, in 2002, the Universal Security Audit Programme (USAP)11. The objective of the Universal Security Audit Programme (USAP) is to promote global aviation security through the auditing of all ICAO Member States on a regular basis to determine the status of States’ implementation of the critical elements of an aviation security oversight system and the security-related ICAO Standards and Recommended Practices (SARPs), associated procedures, guidance material and security-related practices. USAP audits are regular, mandatory, systematic and harmonized. They cover States’ aviation security oversight capabilities as well as auditing security measures at selected airports. The USAP is based on nine principles: Sovereignty of States; Universality; Transparency; Objectivity; Fairness; Quality; Timeliness; All-inclusiveness and Confidentiality. The USAP was created in October 2001 when the ICAO Assembly adopted a resolution which contained a declaration on misuse of civil aircraft as weapons of destruction and other terrorist acts involving civil aviation. The resolution directed the ICAO Council and the Secretary General to consider the establishment of an audit programme on airport security and civil aviation security programmes. It also directed the ICAO Council to convene an international High-level, Ministerial Conference on Aviation Security with the objective of strengthening ICAO's role in the adoption of SARPs in the field of aviation security and in the auditing of their implementation. The Conference endorsed a global strategy for strengthening aviation security worldwide, adopted a number of conclusions and recommendations, and issued a public declaration. A central element of the strategy was an ICAO Aviation Security Plan of Action, which includes regular, mandatory, systematic and harmonized audits to enable the evaluation of aviation security in all Member States. In another comparison with nuclear safety, it is noted that within the EU, mandatory safety peer reviews are included in the new EU Nuclear Safety Directive of 2014. The long-term goal for nuclear security should be that an all-inclusive, regular and periodic nuclear security peer review, like IPPAS, is implemented in an institutionalized manner.

Separating sensitive information from information that may be legitimately shared. The UK Office for Nuclear Regulation, published in 2014 a guidance document that would balance the need for openness with the legitimate need and requirement to maintain confidentiality of information that is sensitive and which disclosure may introduce a security risk. The document


- 25 -

“Finding A Balance, Guidance on the Sensitivity of Nuclear and Related Information and Its Disclosure”12 addressed a number of the concerns raised by the FMWG working group, with a view of encouraging more openness without introducing new security risks. The document states that there should be a presumption of openness unless there are cogent and defensible reasons against it. The document is established within the UK system, and refers to UK regulations or legislation, such as the Freedom of Information Act 2000. The Guide contains relatively detailed guidance to inform decisions about which information, because of its potential value to terrorists or others with malevolent intent, should not be disclosed. Thereby, it provides assistance to those compiling safety cases and to those that are planning applications, by assist safety and local government authorities which parts of those documents to protect and not make available to the public. Sensitive data on nuclear material, other radioactive materials (radioactive sources or substances), nuclear facilities etc., may be categorized as:           

information on the physical security arrangements in place to protect NM/ORM and the facilities; technical guidance on security standards and requirements; information on the quantity and type of material at a facility and its location; inventories, throughput, output, storage capacity of facilities and accounting; detail of planned movements of NM/ORM; technical information about the production or processing of NM; information contained in facility IT systems; information on computer systems important to security and to safety; information contained in safety cases and other documents which describe facilities; information contained in planning applications; information about the deployment and operations of the Civil Nuclear Constabulary (CNC).

The system is a way of indicating that information should be seen only on a need-to-know basis and that it should receive appropriate protection. It is based on the damage that could arise if the information were to be seen outside of the need-to-know group. It is not usual to attach visible labels to physical assets but the same principles can be applied. The explanations used for not releasing information may also provide guidance to determine the appropriate security classification. It is convenient, therefore, to indicate the sensitivity of particular sorts of information through the use of the national system. The UK experience since 2014 has been that there is a significant increase in the amount of information available, yet without having increased the risk that information is disclosed that may introduce new or higher security risks.


Issued by the UK Office for Nuclear Regulation, 2014.

- 26 -

Topical area III.

Security Culture

FMWG Priority 4: Create a Sustainable Mechanism for Continuous Progress Long-term nuclear security, at nuclear facilities or where high-activity radioactive sources are used, will require a security culture, and an infrastructure that may support the implementation of an effective national nuclear security regime. It appears important that the national nuclear security regime subscribes to a policy that promotes a high quality of nuclear security, in all operations and for all staff categories. Information related to these policy principles may contribute to confidence building. Similarly, human resource programmes and reliable opportunities for education and training are critical for maintaining nuclear security effectiveness.  Security culture, a pre-requisite for nuclear security effectiveness; the challenges and rewards associated with organizational nuclear security implementation, for staff, procedures and openness. Sensitivities and vulnerabilities. The role and good example of the CEO in a nuclear establishment. The role of information and of communication with different audiences, including with the general public. Author: Igor Khripunov. Igor Khripunov contributed a draft document for discussion.

Contribution III.1

Nuclear Security Culture Igor Khripunov Of an estimated 100 million lookups on the Merriam-Webster’s website in 2014, the word of the year is “culture.” Not surprising, because “culture” enjoyed a 15 percent year-over-year increase. This word is used to explain a variety of phenomena, but as each tends to adopt a slightly different perspective, there is no unanimously accepted definition. Perspectives differ because culture is studied by several different disciplines, all of which have their distinctive approach. These disciplines include anthropology, sociology, social psychology and others including security management. In the latter domain, it means human performance while interacting with risks, systems, products and work environment. There is ample evidence that the more complicated this interaction grows both technologically and procedurally, the more important becomes the role of the dedicated and securityconscious personnel. An effective security culture implies a work environment where an ethic of security permeates the entire organization. People’s behavior focuses on preventing malicious acts through critical selfassessment and aggressive efforts to identify problems and effective resolutions of problems before they become crises. Security culture enables a person to respond to known and unknown security risks out of carefully nurtured and proactive habit rather than improvised effort. The International Atomic Energy Agency defines it as “the assembly of characteristics, attitudes and behavior of individuals, organizations and institutions which serves as a means to support and enhance nuclear security.”

Security culture as a cross-cutting element Security culture is an overarching integrating concept without which most of the other fundamental principles of nuclear security cannot be successfully and fully implemented. Although security culture

- 27 -

is listed, for example, in the 2005 Amendment to the 1980 Convention on the Physical Protection of Nuclear Material alongside principles such as threat evaluation, graded approach, defense-in-depth and others – implying coequal status – it is clear that culture is an overall enabler and a driving force. This cross-cutting function is evidenced by the communiqués adopted at all three Nuclear Security Summits in Washington, Seoul and The Hague. The Washington Summit in 2010 urged nuclear operators and architect/engineering firms to take into account and incorporate security culture into “the planning, construction, and operation of civilian nuclear facilities.” It also referred to capacity building for nuclear security and cooperation as a source of the promotion of nuclear security culture “through technology development, human resource development, education, and training.” The Seoul Summit in 2012 recognized a need to build “national capacities” for promoting and sustaining a strong nuclear security culture as well as expanded the list of stakeholders identifying among them “the government, regulatory bodies, industry, academia, nongovernmental organizations and the media.” It added information security to the scope of security culture by encouraging states to “promote a security culture that emphasizes the need to protect nuclear security related information.” The Hague Summit in 2014 encouraged all relevant stakeholders to build and sustain a strong nuclear security culture to “effectively combat nuclear terrorism and other criminal threats.” Another step forward in clarifying the concept was its emphasis on the need to develop a nuclear security culture, with a particular focus on the coordination of safety and security. The status of nuclear security culture was further enhanced in the summit statement to the effect that operators’ security systems should “place a strong emphasis on an effective security culture, physical protection and materials accountancy.” Significantly, in this particular order.

IAEA record Numerous IAEA documents in the Nuclear Security Series (NSS), known as fundamentals, recommendations, implementing guides and technical guidance, reiterate the importance of culture for specific elements of nuclear security. For example, NSS 20, “Nuclear Security Fundamentals: Objectives and Essential Elements of a State’s Nuclear Security Regime” specifies that each competent authority and authorized person and other organizations with nuclear security responsibilities contribute to the sustainability of the regime by developing, fostering and maintaining a robust nuclear security culture. Similar references to the role of security culture are to be found in NSS 17, “Computer Security at Nuclear Facilities”; NSS 15, “Recommendations on Nuclear and Other Radioactive Materials Out of Regulatory Control”; NSS 14, “Recommendations on Radioactive Material and Associated Facilities”; NSS 13 “Recommendations on Physical Protection on Nuclear Material and Nuclear Facilities,” and other NSS reports. In 2008 the IAEA published an NSS Implementing Guide on nuclear security culture. The guide defines the concept and characteristics of nuclear security culture while describing the roles and responsibilities of institutions and individuals entrusted with a function in the security regime. Since then, the IAEA has conducted 2 international, 13 regional and 11 national workshops to promote security culture and train nuclear security personnel at all levels. Two Draft Technical Guidance documents are currently under development and expected to be released at the end of 2014. They are - 28 -

“Self-Assessment of Nuclear Security Culture in Facilities and Activities that Use Nuclear and/or Radioactive Material” and “Enhancing Nuclear Security Culture in Organizations Associated with Nuclear and/or Radioactive Material.” The draft self-assessment methodologies have been successfully put to test for assessing security culture at Indonesia’s research reactors (2012-2013); at Bulgaria’s nuclear power plant (2014); at Malaysia’s hospitals for radioactive sources (2014-2015). Results are submitted to IAEA technical meetings as well as international conferences and published in professional journals. The IAEA is planning to launch later in 2015 a coordinated research project “Development of Nuclear Security Culture Enhancement Solutions” (NSCES) (IO2007) to conduct analysis and research of approaches and methods as well as develop additional practical tools to assess and enhance nuclear security culture. The overall project is coordinated by the Coordinating Group that will consist of the working group leaders and led by a chair-person who is nominated by the IAEA and supported by an IAEA Scientific Secretary. The four working groups are: 1) self-assessment methodology WG; 2) tailored approach for development and implementation WG; 3) training and education program development WG; and 4) case study development WG. The IAEA can play a pivotal role as a global coordinator and leader in the efforts to enhance nuclear security culture. The IAEA is in a position to a) provide member states with the appropriate tools that can be used to promote and sustain a strong nuclear security culture; b) evaluate the level of nuclear security culture and progress made in enhancing it; and c) coordinate with international agencies to continue to emphasize the importance of nuclear security culture. To this effect, the IAEA needs to acquire human and organizational capacity to accomplish the following missions:     

 

Develop outreach materials such as an NSC program brochure, posters, and a website Sponsor and/or participate in technical meetings to improve NSC program elements Collaborate with other organizations and programs such as UNSCR 1540 (2004), Global Partnership, Centers of Excellence (COEs) Work with other specialized agencies such as OPCW and WHO to share best security culture practices applicable to their domains Encourage participation in professional meetings from developing countries to increase Member State’s understanding of the services available from the IAEA to promote nuclear security culture Encourage submission of relevant technical papers and presentations to appropriate journals and conferences Encourage academia to conduct in-depth research on security culture related topics

A subset of organizational culture As one of several distinct subsets of organizational culture, nuclear security culture is first of all rooted in country’s national culture. Numerous constituent factors, among them history, traditions, geography, religion, and demography, contribute to national culture, making it distinctly different from one country to another. In other words, culture represents society’s evolving interpretation of - 29 -

historical precedents and contemporary experience. National cultural values are learned early, held deeply, and change slowly over the course of generations. Though uniquely linked, national and organizational cultures are based on a different set of values and practices. Organizational culture is comprised of broad guidelines that are rooted in organizational and management practices learned on the job. As a result, organizational culture has more common international traits due to globalized trade and communication. The role of organizational culture is now unambiguously recognized by the business and academic communities as a significant factor contributing to higher standards of performance, productivity, safety, security, compliance, personnel discipline, etc. The IAEA security-culture design is based on the organizational-culture model developed by Professor Edgar Schein of the Massachusetts Institute of Technology (MIT). Schein’s model was successfully used in the 1990s to develop nuclear safety culture after the Chernobyl accident in 1986 which amply demonstrated serious gaps in safety compliance and a disastrous failure of the human factor. Given many synergies between safety and security and their overlaps it provides a ready-made analytical framework for exploring and modeling nuclear security culture. Applied to security as a subset of organizational culture, its essence is jointly learned relevant values, beliefs, and assumptions that become shared and taken for granted as a nuclear facility continues to successfully operate at an acceptable risk and compliance level. The IAEA Implementing Guide recognizes the need to integrate national experience and best practice into security culture methodology. The guide states: … it is evident that history, traditions and established management practice often leave a distinct imprint on national security culture as it is observed in different regions and countries.” Indeed, the objective of the Implementing Guide is to stimulate further thought through self-examination rather than to be prescriptive. As any culture related phenomenon, nuclear security culture is a multi-disciplinary construct. Its successful conceptualization and practical implementation require teamwork of experts with different professional backgrounds including sociologists, occupational psychologists, manager and others. Hence, it would be advisable to encourage and support the establishment of regional and national programs or centers which can focus on a multi-disciplinary approach toward refining the methodologies for nuclear security culture with due regard for specific national and organizational culture traits and risk environment. One such specialized center has been recently established in Indonesia and several more in other regions are at the stages of conceptualization and fundraising. Indonesia’s Center for Security Culture and Assessment (CSCA) was set up in 2014 by the National Nuclear Power Agency (BATAN) following the IAEA supported pilot project for self-assessment of nuclear security culture at its three research reactors. Its programmatic activity includes the conduct of regularly held culture self-assessments, skills upgrading sessions for self-assessment teams, joint development with international and national partners of relevant guidance reports, best practice sharing with neighboring countries and participation in regional efforts to promote security culture methodologies. Among other benefits, such initiatives represent an effective vehicle to strengthen nuclear security among management and personnel at all levels.

- 30 -

A way to sustainability An important measure of success for security culture promotion is to make its implementation sustainable. To this end, the 2016 Nuclear Security Summit can formulate a set of recommendations to integrate security culture into general societal values to complement the facility focused IAEA approach. Such a two-tiered architecture would consist of a) the facility-based model at the micro level, deriving its strength in part from national perceptions and relevant policies toward nuclear issues; and b) general societal values at the macro-level. Ideally, these two levels combined will harness the human component to generate a more sustainable nuclear security culture. If nuclear security represents a societal value, the macro-level input from national culture will reinforce efforts at the facility level. The input expected at the macro-level would include: a) nature of compliance with relevant international legal instruments and participation in cooperation programs; b) weight placed on nuclear security by the national leadership; c) consistency with which the nuclear industry focuses on nuclear security and related issues; d) criminalization and prosecution of crimes associated with nuclear material and the security of nuclear installations; e) general public awareness of and involvement in security matters; and f) a visible role of educational institutions in nuclear security promotion, awareness, and capacity building. The performance and sustainability of a nuclear security regime ultimately hinge on security perceptions shaped by national and industry leaders. Weak input from the macro level must not discourage efforts at the micro level. Ideally, the two levels should work together toward promoting and popularizing nuclear security culture. A sustainable security culture will depend on the efforts of individual countries to assimilate generic international standards into their national culture as well as integrate it into their established organizational culture as a subset. In practice, this means that the ongoing IAEA Regional Training Workshops need to be followed by training events in individual countries that would attempt to adjust their generic standards to prevailing national practice, values and traditions. Such efforts may require a multidisciplinary approach involving a wide range of non-technical experts, representing all relevant stakeholders. For achieving sustainability, it is imperative to recognize and widely publicize evidence that security culture goes beyond traditional approaches to physical protection and can yield numerous other benefits. Security culture would encourage the workforce to remain vigilant, question irregularities, execute its work diligently, and exhibit high standards of personal and collective accountability. Other potential benefits include better information technology security and protection of trade secrets; improved safety arrangements; reduced across-the-board theft and diversion; reduced risks of vandalism and sabotage by employees and outsiders; improved mechanisms for personnel control and accounting under emergency conditions; and better relationships with local authorities and surrounding communities. Also, an institutionalized security culture across the nuclear sector, introduced in coordination with the government, may facilitate auditing and inspections when government officials verify compliance with security and other standards.

- 31 -

The shift toward an effective nuclear security culture is characterized by the recognition of security as an investment rather than a burdensome expense. Also, the overall perspective of security moves beyond threats, vulnerability, and protection and integrates efficiency, organizational continuity, and the preservation of trust.

General public as a major stakeholder The general public should view nuclear security culture as a sign of professionalism, skill and responsibility by all actors involved in the protection of nuclear and radioactive materials and their associated facilities and transports. Therefore, every group or organization in the nuclear field is expected to raise public and media awareness to security culture. To communicate effectively about security culture issues, government officials and nuclear facility operators must understand and respect the public’s very real worries about radiological safety and security. The public understands and is largely concerned that terrorists may be intent on breaching the safety features built into nuclear installations. The public typically questions whether security systems are adequate and develops an active interest in making security robust enough to keep safety features reliably operational. Accordingly, meaningful risk communication strategy and follow-up interrelated actions can pursue several distinct objectives: 1) Educate the public about risk and preparedness. Inspired public support requires a realistic portrayal of risk that is accurate and strikes a balance between hyping the threat to spur people to action and trivializing it to provide reassurances. Preparedness provides a way for the public to translate risk awareness into action. Preparedness can consist of a range of activities, including developing and practicing contingency plans, such as communication, evacuation, or sheltering. Preparedness serves as a bridge between risk education in advance of an event and taking protective actions during crisis. 2) Encourage a well-informed and well-motivated public to contribute to a healthy nuclear security culture. The public should be aware that security is a key consideration for nuclear infrastructure operation. Information about general security may be delivered, explained and divulged provided it does not jeopardize the protection of material, transports and facilities. An IAEA guide on public sharing of nuclear security related information would enable governments and the industry to understand the trade-offs in deciding what types of information should be made available and in what detail to make the process of risk communication manageable and effective. A public convinced of the need for nuclear security can have a positive impact on nuclear security culture through its attitudes and actions. It is also important to understand that most members of the workforce at a nuclear plant are part of the community adjacent to the site. They have families there and socialize with local citizens on a regular basis. Hence, a strong commitment to nuclear security on the part of the local community heightens the public visibility of security-related issues, indirectly improving the motivation of the staff that operates that site. 3) Develop public vigilance and encourage citizens to cooperate more closely with law enforcement. In the nuclear field, this vigilance will manifest itself in reports of unauthorized efforts to gain access to sensitive infrastructure sites. An engaged public will report suspicious people or activities near the site. In some countries, a small portion of local citizens could be trained to perform such functions on - 32 -

a voluntary basis, particularly in sparsely populated and difficult to monitor areas. To be sure, such programs need to avoid encouraging vigilante style responses by members of the public who might otherwise rush to the scene of a terrorist incident and attempt counterterrorist actions. Still, there is a niche for a security-conscious public to fill. Training of local citizens, if deemed necessary, must be a well-scrutinized, stably funded, and widely publicized campaign. 4) Reduce the immediate and long-term physical and psychological impact of a terrorist incident by warding off panic, boosting morale, maintaining credibility, and providing guidance. This is especially important while counterterrorist actions are under way or other terrorist acts are likely. These post-incident arrangements consist of steps that individuals and communities can take to save lives and to reduce losses. The ultimate test is their effectiveness in a real crisis when traditional societal institutions unravel. Such actions include different forms of sheltering, evacuation, and quarantine, as well as using individual protective equipment and medical countermeasures. 5) Integrate nuclear terrorism into comprehensive community disaster response plans. Despite the obvious and important differences between different kinds of terrorism, all require similar measures at the community level throughout the prevention, preparedness, emergency response, and postdisaster periods. Community education and training, resilience building, vulnerability and risk assessment, communication, and hazard-control mechanisms are common. Including nuclear terrorism in this aggregate model can carry benefits including placing radiation and the fears associated with it on the same level as dangers that are equally life-threatening but more easily intelligible. The global challenge of nuclear terrorism demands a global response. This must include the involvement of civic society to develop public resilience, preparedness, and participation to help deny terrorists their goal. A more empowered and awakened citizenry can contribute to an effective campaign against nuclear terrorism. The public must no longer be looked upon only as potential attack victims but rather as a vital element of the society-wide security culture and a contributing factor for better nuclear security.

Reinforcing safety-security culture nexus While both nuclear safety and nuclear security consider the risk of inadvertent human error, nuclear security places additional emphasis on deliberate acts that are intended to cause harm. Because security deals with deliberate acts, security culture requires different attitudes and behavior, such confidentiality of information and efforts to deter malicious acts, as compared with safety culture. Safety and security culture need to be built into a plant throughout all phases of its service life, from design and construction to routine operation and decommissioning. Safety and security should begin at the drawing board, with assessment of candidate sites for the plant and the design of the installation itself. Assessing and continuously reassessing risk from safety and security angles is crucial throughout the plant’s lifetime. Realistic safety and security risk estimates factor in a wide range of hazards, not to mention combinations of hazards, both natural and man-made. Confronted with complex disasters, nuclear managers must organize, recruit, train, and lead safety and security

- 33 -

personnel in a way that helps the leadership react with flexibility. Instilling the right habits and traits – the optimal overlap of safety and security culture – is critical.

Beyond nuclear The development and implementation of security culture is more advanced in the nuclear domain than in the chemical and biological sector. Security culture in these two domains does exist but it is shaped by the nature of their unique operational requirements and the perception of risks. In addition, each domain has its own interface of safety and security practices. At the same time, efforts to promote and implement security culture in all relevant domains remain largely isolated and uncoordinated because universal tools, horizontal communication and integration among them have yet to be developed. Security experts from each domain espouse similar ideas and methodologies, but they lack a shared concept to achieve cross-fertilization which is particularly needed in countries at initial stages of R&D and production. A common security culture architecture is imperative to support and enhance the mandate of EU Centers of Excellence. Similarly, this common architecture has a potential to become a key best practice for implementing UNSCR 1540 (2004). The Nuclear Security Summits (2010, 2012 and 2014) raised security culture to the top of their agenda. Given its record and advancement in security culture across nuclear infrastructure, the IAEA and other nuclear security stakeholders are well positioned to share their experience and contribute to best practice sharing with other relevant domains. The initial experience in developing nuclear security culture concepts and tools has shown the relevance of this approach as part of broader security concept. The 2016 Nuclear Security Summit may recommend an initiative for the IAEA to launch an informal joint mechanism with other UN specialized agencies and international organizations which would enable them to find ways for achieving a shared architecture of comprehensive security culture.

Conclusion As nuclear security culture becomes a widely recognized tool in efforts to bolster nuclear security, it is imperative to introduce user-friendly and universal methodologies to promote, assess and enhance it. This can be a daunting challenge because intangible human characteristics like beliefs, attitudes, and perceptions comprise a culture. Measuring and improving cultural traits requires a multidisciplinary and interpretive approach. Nevertheless, managing security culture can draw on rich experience with evaluating organizational culture and, in particular, nuclear safety culture. The 2016 Nuclear Security Summit can make specific recommendations not only to expand and strengthen the ongoing IAEA activity in support of nuclear security culture but also lay the groundwork for raising it to the level of a universally recognized value nationally and internationally.

- 34 -

Discussion The working group interacted at meetings, in conference calls and though digital exchange of information. The draft documents contributed were discussed, with a view of extracting valuable recommendations that may also be implemented in the period to come after the Nuclear Security Summit in 2016. The working group agreed on the following recommendations.

Recommendations Recommendation #1: Share more information and improve channels to share information. NSS participating countries should commit to sharing significantly more information on nuclear security, with the purpose of building confidence among stakeholders, inter alia the international community, in particular within regions, and with the public so that an effective nuclear security regime is established and implemented. a) Extant commitments. International conventions that are relevant for nuclear security recognize the need for and benefits of information exchange. All commitments made by States to share information should be implemented and it should be recognized that information sharing is an essential component in an effective nuclear security culture. b) Action plan. A concrete action plan should be established to provide sufficient, consistent, persistent, credible and timely information. Such a plan should identify the broad range of stakeholders that are involved in nuclear security, their general and specific need for information and appropriate channels to share the information. c) Enhanced interaction and communication. The plan should consider enhanced interactions with media and non-governmental organizations as important channels to reach a broad audience: the public, the science community and schools. However, it should be recognized that some nuclear security information may be highly sensitive and protection from disclosure needs to be considered. d) Information about security events. The global nuclear security regime should encourage more substantive information in relation to security events, e.g. trafficking, threats to nuclear facilities and, at the right time, of law enforcement processes. e) Stakeholders. States and international organizations should invest in interaction with industry, media and non-governmental organizations, as important tools to reach all stakeholders. Establishing regional networks among stakeholders for information exchange could significantly improve information-sharing.

- 35 -

Recommendation #2: Close gaps in the international nuclear security legal framework The Nuclear Security Summit should establish a legacy that will ensure sustainable improvements in international nuclear security legal framework, including guidance and encouraging the use of best practices. a. International framework. A group of States should initiate an effort to start a process aimed at closing the gaps in the international legal framework covering nuclear security by establishing mandatory nuclear security standards, peer reviews and a process for continuous improvement through periodic review of the global regime. b. Confidence building. A group of States should propose a sustainable, long-term, differentiated system to build confidence of effective nuclear security, with periodic international peer review or evaluation, such as IAEA IPPAS, national performance control and industry-selfreview. A common approach to communicating the results of international peer reviews as well as national self-assessments should be elaborated, with due consideration to maintaining confidentiality of sensitive information. c. IAEA standards and guidance. Strengthening the international nuclear security framework should include a process by which the existing voluntary IAEA guidance becomes mandatory, to ensure more consistent implementation of better defined, succinct, IAEA guidance d. Incentives. Identify mechanisms to demonstrate and reward good performance and practices. e. Integrated approach. Bridges and synergies should be explored and reflected in the nuclear security regime, between nuclear security, nuclear safety, nuclear safeguards, and export control. Nuclear regulators and nuclear operators should share best practices in integrating nuclear security, safety, safeguards, accounting and control.

Recommendation #3: Enhance Security Culture The day-to-day attitude and actions towards implementation of nuclear security measures make up a corporate or organizational nuclear security culture. A nuclear security culture is most effective when implemented widely; at the State level, by competent authorities, operators and other stakeholders. The education and training of staff at all levels should promote principles of security culture and meet high quality requirements. The development and Implementation of a nuclear security culture is a necessary management approach for all activities in the nuclear fuel cycle. To enable its wide implementation throughout the entire nuclear fuel cycle, it is recommended that; a. Holistic, comprehensive approach. States should take a holistic approach to nuclear security and promote a culture that recognizes and supports its principles, applied for all nuclear activities, their control and management. The approach should reinforce bridges and synergies between nuclear security, nuclear safety and international safeguards and export control. b. Enhancing interaction. The IAEA, nuclear security practitioners and the academic community should take steps to enhance interaction on nuclear security culture and its implementation. Centers of Excellence and Nuclear Security Support Centers should carry forward the

- 36 -

comprehensive nuclear security culture message, through support activities and through management of technical systems and human resource development. c. Training. International training, including that offered by the IAEA, should further promote the integration of nuclear security culture. d. CBRN interaction. Experiences gained across the broader Chemical-Biological-NuclearRadiological (CBRN) Security spectrum should be leveraged in the comprehensive approach to nuclear security culture.

Final report provided to FMWG April 20, 2016 Anita Nilsson, Working Group Chair

- 37 -

Suggest Documents