Preventing a Dirty Bomb: Vulnerabilities Persist in NRC's Controls for Purchases of High-Risk Radioactive Materials
Fast Facts
Radioactive materials are commonly used for things like treating cancer and sterilizing medical instruments. But even a small amount could be used in a dirty bomb, which uses conventional explosives to spread radioactive material.
The Nuclear Regulatory Commission issues licenses to people and organizations that need to possess radioactive material. However, our investigators used shell companies and fraudulent licenses to purchase radioactive materials from 2 different vendors in the U.S.
We recommended that the NRC add security features to its licenses to make it harder for people to use a fraudulent license to purchase radioactive material.
Highlights
What GAO Found
The Nuclear Regulatory Commission's (NRC) current system for verifying licenses does not adequately protect against the purchase of high-risk radioactive materials using a fraudulent license. Licenses control the type and quantity of radioactive material allowed to be possessed. Quantities of radioactive materials are defined as category 1 through 5, with 1 being the most dangerous. Using shell companies with fraudulent licenses, GAO successfully purchased a category 3 quantity of radioactive material of concern from two different vendors in the U.S. Specifically, GAO provided a copy of a license that GAO forged to two vendors, subsequently obtained invoices, and paid the vendors. GAO refused to accept shipment at the point of delivery, ensuring that the material was safely and securely returned to the sender.
As GAO has previously reported, a category 3 quantity of radioactive material can, on its own, result in billions of dollars of socioeconomic costs if dispersed using a dirty bomb. By purchasing more than one shipment of a category 3 quantity of radioactive material, GAO also demonstrated that a bad actor might be able to obtain a category 2 quantity by purchasing and aggregating more than one category 3 quantity from multiple vendors. NRC officials told GAO that NRC plans to proceed with existing initiatives to implement new verification regulations by late 2023 but does not plan to take immediate corrective actions to address the issues that GAO found.
Radioactive Material Delivered to GAO's Shell Company (box on left)
NRC requires a valid license to possess category 3 quantities of radioactive material, but the paper licenses it issues can be altered and used to make illicit purchases of radioactive materials. During this investigation, GAO created forged licenses to facilitate purchases. GAO's shell companies were successful in acquiring the material because such purchases are not subject to the more stringent controls required for purchases of larger quantities of material. GAO's investigation demonstrates that the integrity of NRC's current license verification processes can be compromised.
Why GAO Did This Study
Radioactive materials are commonly used throughout the U.S. in technological devices for medical, industrial, and research purposes. However, these materials, if used improperly, can be harmful and dangerous. For example, in the hands of terrorists, even a small amount could be used to construct a radiological dispersal device, also known as a dirty bomb. A dirty bomb uses conventional explosives to spread radioactive material.
GAO was asked to review NRC's license verification system for high-risk radioactive materials. This report examines (1) the effectiveness of NRC's license verification system for ensuring that high-risk radioactive materials are not purchased using a forged or altered license and (2) vulnerabilities that could affect NRC's ability to verify licenses for the purchase of high-risk radioactive material. GAO conducted a covert investigation of controls on purchasing radioactive materials. Additional details on GAO's covert testing will be included in an Official Use Only version of this report that will be issued soon.
Recommendations
GAO recommends that NRC (1) immediately require vendors to verify category 3 licenses with the appropriate regulatory authority and (2) add security features to its licensing process that improve the integrity of the process and make it less vulnerable to altering or forging licenses. To address our recommendations, NRC proposed a rulemaking to strengthen licensing. However, vulnerabilities will remain until NRC implements the rule.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Nuclear Regulatory Commission | Priority Rec. The Chairman of NRC should immediately require that vendors verify category 3 licenses with the appropriate regulatory authority. (Recommendation 1) | When the report was issued, NRC stated in their agency comments that they agreed with requiring vendors to verify category 3 licenses with the appropriate regulatory agency and had begun rulemaking that would require such verification. As of March 2024, the rulemaking was with the NRC Commission and agency officials told us that they were uncertain when the rulemaking would be finalized. |
Nuclear Regulatory Commission | Priority Rec. The Chairman of NRC should add security features to its licensing process to improve its integrity and make it less vulnerable to altering or forging licenses. These security features could include multifactor authentication or moving away from paper licenses to electronic-based licensing. (Recommendation 2) | When the report was issued, NRC stated in their agency comments that they agreed with considering enhanced security features in the licensing process. Specifically, as part of their ongoing rulemaking process, they would consider providing guidance to regulators and licensees that would reduce the potential for altered or forged licenses to be used in acquiring category 3 radioactive sources. The NRC staff also explored the security features suggested by GAO as an interim step for licenses for category 3 quantities of material. The NRC evaluated the advantages and disadvantages of features such as two-factor authentication, non-fungible tokens, data tokens, and QR codes. Tokenization and QR codes demonstrated the most promise of security improvement within reasonable implementation cost. According to NRC, a path towards adoption of this security feature has been developed, and integration into the Web-based Licensing system will begin in 2024. |