Abstract
More than a dozen whistle-blowers have given our organization, the Project On Government Oversight (POGO), persuasive unclassified evidence that the U.S. nuclear weapons complex, with its tons of weapons-grade uranium and plutonium, is highly vulnerable to terrorist attack. Their testimony is not surprising; it confirms the repeated finding of numerous presidential and Energy Department commissions.
The Energy Department periodically tests security at nuclear weapon facilities by conducting mock forceon-force exercises, with teams from the U.S. military acting as adversaries. The facilities are expected to be able to adequately defend themselves physically–that is, to be able to repel a surprise attack by some number of adversaries armed with readily available weapons and explosives. But experts who have conducted these tests report that U.S. nuclear weapons facilities fail more than 50 percent of the time. (The number of adversaries security forces train to repel and their exact failure rate are both classified.)
Little has changed since June 1999, when Warren Rudman, a former senator and chair of the President's Foreign Intelligence Advisory Board, testified to Congress about the board's security review of U.S. nuclear weapons laboratories.
The report, Science at its Best, Security at its Worst, was startlingly blunt in its criticism: “The brilliant scientific breakthroughs at the nuclear weapons laboratories came with a very troubling record of security administration…. This report finds that [the Energy Department's] performance, throughout its history, should have been regarded as intolerable.” 1
The Rudman report emphasized that the problems were longstanding, perpetuated by institutional hubris: “Second only to [Energy's] world-class intellectual feats has been its ability to fend off systemic change.” The report described years of disregard for security. Despite “scores of critical reports from the General Accounting Office (GAO), the intelligence community, independent commissions, private management consultants, its Inspector General, and its own security experts … the Department's ingrained behavior and values have caused it to continue to falter and fail.”
And finally, the report concluded, “The Department of Energy is a dysfunctional bureaucracy that has proven it is incapable of reforming itself.” 2
Providing adequate physical security for the nuclear complex is not easy. Ten major sites, spread across the country, each hold enough weapons-grade plutonium and/or highly enriched uranium to build from one to many nuclear devices. Several of these facilities are located near major metropolitan areas with large populations. In addition, the department's Transportation Security Division moves weapons-grade nuclear materials across the country on interstate highways.
A look at just three examples makes it clear that security problems at the government's nuclear weapons sites are systemic, constant, and recurring.
Rocky Flats, near Denver, Colorado, was a major weapons production facility during the Cold War. Plutonium parts for nuclear weapons were milled and fabricated there, and at least 10 tons of plutonium are believed to be still stored at the plant, which is in the process of being shut down. Current plans call for this plutonium to be shipped to the Savannah River Site near Aiken, South Carolina. Rocky Flats's inventory of plutonium pits (weapon cores) has been shipped to the Los Alamos and Lawrence Livermore National Laboratories and to the Pantex plant in Texas. (Contractor Kaiser-Hill Co.'s September 2001 inventory report indicates that all 7 tons of the highly enriched uranium once stored at Rocky Flats have been shipped to the Oak Ridge National Laboratory in Tennessee.)
Physical security at Rocky Flats is provided by private guards from the Wackenhut Corporation. In 1996, Energy Department headquarters rejected Rocky Flats's “Site Safeguards and Security Plan”–a plan to guard the facilities that is supposed to be updated annually–as having serious deficiencies. And in January 1997, the department's “Report to the President on the Status of Safeguards and Security for 1996” gave Rocky Flats a marginal rating–meaning that nuclear materials were not being adequately protected. In March 1997, however, Energy decided that Rocky Flats was in fact not marginal–it merely had “vulnerabilities.”
Within the month, Col. David Ri-denour, then the director of security at the plant, resigned, complaining that the health and welfare of the public was not being protected and that Energy Department managers were preventing him from performing his duties. In a letter to Jessie Rober-son, the head of the Operations Office, he wrote: “In my professional life as a military officer, as a Registered Professional Engineer … I never before experienced a major conflict between loyalty to my supervision and duty to my country and to the public. I feel that conflict today.”
Headquarters gave Rocky Flats 120 days to correct its security plan.
After those 120 days, no action was taken and and no one was held responsible.
The next week, Ridenour wrote to then-Energy Secretary Federico Peña: “I was instructed by my direct supervisor … that my mission was to ‘not negatively impact the contractor’ and that I was to ‘facilitate the contractor winning the award fee.’”
A few months later, in September 1997, the Rocky Flats security plan was rejected again, and headquarters gave Rocky Flats 120 days to implement corrective actions. But after those 120 days had passed, no action was taken and no one was held accountable.
In January 1998, Energy's Independent Oversight team conducted a test of force-on-force at Rocky Flats, concluding that security was adequate “by a narrow margin.” Another security plan was submitted and again rejected by headquarters.
In May 1998, Deputy Assistant Secretary Glenn Podonsky of the Office of Independent Oversight wrote that after a comprehensive inspection, “the protection program elements measured during this inspection do not indicate that a fully effective program is yet in place. As evidenced by deficiencies identified in some areas of physical security systems, material control and accountability, computer security, and classified matter protection and control, there remain a number of legacy safeguards and security issues to be resolved.”
Some of those problems were made apparent in a test that year, when a team of navy SEALs successfully entered the site through the perimeter fence, gained entrance to a nearby building, “stole” a significant quantity of plutonium, exited the building, and escaped through the fence, all without being caught. After this embarrassment, Rocky Flats management stipulated that in future tests the SEALs could not leave the same way they had come in. Instead, they were required to take the plutonium, climb a guard tower, and rope the material over the fence.
What followed were two contrived tests, in which the site's security team successfully defended the facility. According to whistleblowers who attended a summer 1998 briefing, one leader of the SEALs indicated that he intended to waste no more time at Energy Department sites because the tests were unrealistic.
Some months later, in July 1999, Bill Richardson, the new secretary, sent a team to evaluate security at Rocky Flats. Two glaring vulnerabilities were found, strikingly similar to those that had been found there in 1995 and 1997. At first, Rocky Flats managers vehemently denied that plutonium in metal form was kept out of a vault without additional security guards in place, as is required. Several hours later the managers finally admitted that it was customary to keep a supply of plutonium outside the vault eight hours a day, five days a week, while workers stabilized it for shipment.
In October 1999, Energy's security czar–Gen. Eugene E. Habiger–sent Energy and Defense Department experts to Rocky Flats to resolve the outstanding problems found by Richardson's team. At first, managers refused to allow the group on site. Once they were permitted inside, the experts found the same problems Rocky Flats had agreed to fix two years earlier.
Technical Area-18 (TA-18), run by the University of California, is one of a number of special work areas at the Los Alamos National Laboratory in New Mexico. TA-18 houses several nuclear burst reactors and tons of weapons-grade uranium and plutonium. Built in the 1940s, the facility was sited on the floor of a canyon so that its walls would absorb the radiation from the reactors. Because the high ground around the canyon cannot be controlled, the site is extremely difficult to defend.
The House Subcommittee on Oversight and Investigations first expressed concern about security at this site in the early 1980s. According to Cong. John Dingell, a Michigan Democrat and the subcommittee's former chairman, “The subcommittee's work on this matter began in 1981 in response to efforts to undermine independent review of security threats…. The safeguards at the most critical facilities–which included Los Alamos–were in shambles while, at the same time, [the] Office of Safeguards and Security was giving the facilities a clean bill of health.”
In 1997, a unit of the U.S. Army Special Forces served as the adversary in a force-on-force exercise at TA-18. The unit's theft scenario was to “steal” enough fissile material to build a crude nuclear weapon by fitting it into rucksacks. According to the Wall Street Journal, the exercise required the intruders to steal more uranium than they could carry. Not to be outmaneuvered, the army commandos went to a local Home Depot and bought a garden cart. They attacked TA-18, loaded the cart with nuclear materials, and left the facility. This successful breach came after TA-18's defenders had spent months in training and conducted dozens of computerized battle simulations.
In 1998, while completing a required annual survey, the Albuquerque Operations Office rated security at TA-18 and other Los Alamos sites as “unsatisfactory.” Somehow, though, by the time the report made its way to top management, the rating had been changed to “satisfactory,” although no actual changes in security had been made.
Los Alamos's Technical Area-18, where security guards were quickly defeated by U.S. Army Special Forces in a force-on-force test.
During a 1998 force-on-force exercise, the site's defenders cheated–a Wackenhut manager told the security guards where the mock terrorists were. But according to Energy's Inspector General, Energy Department supervisors in Albuquerque refused to investigate the matter.
Believing that something must be done, in fall 1999 Secretary Richardson created a “relocation team” to recommend sites to which the work done at TA-18 might be moved.
When the team visited TA-18 in January 2000, they raised questions about another obvious vulnerability at the site. For instance, one burst reactor with large plates of uranium fuel was properly stored in an upgraded vault. But an almost identical reactor sat in the middle of an open area. Los Alamos management refused either to put this second reactor in the vault or store its fuel there.
In a meeting to assess the relocation team's recommendation to Secretary Richardson, Defense Programs (the predecessor organization to the National Nuclear Security Administration) argued against relocating the facility, even while admitting that TA-18 would actually be less costly if it were moved to a more secure site.
In October 2000, the Independent Oversight group ran a force-on-force test at TA-18. In this exercise, the intruders gained access to the reactor fuel, potentially causing a sizable nuclear detonation that would have contaminated part of New Mexico. After this debacle, Gen. John Gordon, the director of the new National Nuclear Security Administration, sent an angry letter to Los Alamos Director John Browne threatening to shut down TA-18.
In several mock attacks on the Transportation Security division, the security guards were literally annihilated seconds after the attacks began.
In December 2000, a security team from headquarters, making a return visit to Los Alamos to verify that the lab had made upgrades at TA-18, found that the upgrades had been made but not tested. An internal Energy memorandum raised basic questions about the adequacy of the “new and improved” protection at the site.
Energy's Transportation Security Division moves nuclear weapons, as well as weapons-grade uranium and plutonium, from site to site on the nation's public highways. The security guards in this division are civilians employed by the federal government. In 1998, a preliminary examination of the test scenarios in the security plan that the transportation division submitted to headquarters revealed that it was planning only for simplistic attacks and “dumbed down” weapons.
During the planning phases of the mock terrorist attacks, the transportation division's team of specialists and commanders scoffed at the idea that adversaries might use weapons like sniper rifles with armor-piercing incendiary rounds. As Energy's Inspector General later explained, management considered the use of such weapons unreasonable–something only a “super-adversary” would do (the weapons have been available since World War I).
Despite the transportation division's skepticism, in an undercover investigation in 1999, the General Accounting Office found that the Pentagon had sold more than 100,000 rounds of surplus armor-piercing incendiary rounds on the open market. Armed with such weapons, terrorists could shoot through armored truck cabs, killing both drivers and guards. The nuclear materials being transported would then be free for the taking.
According to sources familiar with the testing program, in several mock attacks on the Transportation Security Division, the security guards were literally annihilated within seconds after the attacks began. In after-action briefings, one convoy commander admitted that the guards had experienced similar results in force-on-force testing months earlier.
A December 12, 1998, internal memorandum reported on the guards' performance in computer-simulated attacks: “Results on the first worst-case scenario … were three losses and no wins…. Results on the second worst-case scenario … were three losses and one win.” In response, the Transportation Security Division asked that the computersimulation program be terminated.
In early 1999, a special force-on-force test was run at Fort Hood for luminaries from Washington, including a deputy secretary, an undersecretary, and top security and program officials, to show that the division could handle the threat. In this exercise, the defending security guards won out against a team of army commandos. One of the commandos, however, noticed that the piece of paper in the hand of a guard that he had just “shot” was an outline of the attack plan. In other words, the guards had cheated. Although author Peter Stockton, then a special assistant to Secretary Richardson, shared proof of cheating with both the Albuquerque manager and the transportation division manager, no action was taken.
More than half of all the unclassified security-improvement recommendations made by Energy's Inspector General in a September 2000 report focused on improving the security of the transportation program.
Before the September 11 attacks on the United States, there were three particularly worrisome threats that cut across the complex: theft of nuclear material, attack by truck bomb or weapon of mass destruction; and the possible creation of an improvised nuclear device made from material on site.
To those must now be added the threat that a fully fueled plane might be flown into a nuclear site. That contingency is discussed in “The NRC: What, Me Worry?” on page 38.
As to the other three:
Despite these directives, the possible use of chemical or biological weapons has barely penetrated Energy officials' consciousness. None of the security plans at the nuclear facilities include contingencies for protecting against attack with chemical or biological weapons. In a recent force-on-force drill at Los Alamos, the intruders used a simulated irritant gas against the defenders. The guards were totally unprepared, lacking even a gas mask.
Five and a half years after the Clinton directive was issued, Energy does have a classified study under way aimed at developing strategies against chemical and biological attacks. But our sources tell us that the outcome of this study will be a recommendation of further study.
It's not hard to see why. A truck bomb at a nuclear weapons plant could be devastating, dispersing tons of plutonium and/or highly enriched uranium over surrounding communities.
A number of groups question whether either the force-on-force tests or the computer simulations used to test the effectiveness of defenders are realistic.
In 1999, Secretary Richardson's security team regarded Rocky Flats as vulnerable to just such an attack. At Rocky Flats, the vehicle barrier cable had been placed on the outside fence rather than the inside fence. A terrorist could have cut the cable on the un-alarmed outside fence, driven a large truck through both fences and up against the wall of a vault containing tons of plutonium, and detonated a bomb before any credible defense could have been mounted. Putting the cable on the inside fence would have stopped the intruders at the same time that the sensors between the fences were set off, giving the security guards a little more time to intercept them. Yet the problem remained 16 years after the bombing of the marine barracks in Beirut, four years after the president's directive on terrorism, and two and a half years after the problem was initially identified and Rocky Flats ordered to fix it.
The effects of an improvised nuclear device would be qualitatively different from using conventional explosives to spread nuclear materials. A home-made bomb could disperse more highly radioactive materials than the accident at Chernobyl in the Ukraine in 1986, but the explosion of an improvised device could cause a chain reaction producing devastation on par with that at Hiroshima and Nagasaki. (In an October 2000 force-on-force test at TA-18 at Los Alamos, security failed to stop the “terrorists” from gaining access, making a sizable nuclear detonation possible.)
Discussions of possible improvised devices are not classified, but discussing how they might be detonated is classified as a “Special Access Program.” And although vulnerability to improvised devices is widely recognized within the defense community, Energy has taken the position that the problem cannot be discussed by anyone outside a small “club” with special clearances. As a result, security experts can only wait for these people to address the prob-lem–and they have already been waiting for decades.
Security forces and Energy Department field managers “game the game”–most tests are unrealistic, tactics are “canned” and expected, and the outcome of exercises preordained.
A number of groups, including the army's Special Forces, the navy's SEALs, as well as Energy's Office of Independent Oversight, question whether either the force-on-force tests or the computer simulations used to test the effectiveness of defenders are realistic. They argue that artificial exercises have made facility security forces appear far more capable than they actually are–yet even with the scales tipped in their favor, those security forces still fail more than 50 percent of the time.
There is no surprise involved in force-on-force tests. Once outfitted with their lasers (weapons-simulation equipment) security guards know an attack will take place within an hour or two. Even so, their reactions can be baffling. For example, in force-on-force tests at Rocky Flats in 1998, 1999, and again in 2000, the defenders indiscriminately “shot” scientists, each other, and the controlling referees wearing orange vests.
“In law enforcement training environments, the typical ‘penalty’ for killing a ‘friendly’ is failure of the test. At [Rocky Flats], there are currently no negative consequences for the inappropriate use of deadly force. In fact, if the adversaries are ‘killed’ in the process, the result is actually a win from the site's current perspective. This situation is unacceptable and must be addressed immediately.” 5
The Energy Department's “Trip Report for Rocky Flats, March 21-26, 2000,” shows the kind of restrictions that are placed on intruders by Rocky Flats management. The commandos were prohibited from using their own radios and “could not effectively communicate.” In addition, they were not allowed to drive around a road block “simulated by a … vehicle being parked on the side of the road and a traffic cone placed in the center of the road.”
In its congressional testimony, Energy has led the public to believe that security at weapon sites is a well-oiled machine. After all, department officials argue, the government has been building bombs at these sites for more than 50 years, and no one has attacked them yet. After the recent tragedies in New York and Washington, D.C., however, this argument falls flat.
The Inspector General could find no reason for the improved ratings. In fact, a number of key documents bearing on ratings had been destroyed.
Unfortunately, Energy's problems run all the way up the chain of command.
The problem begins with contractor self-assessments. It is not in the interest of the contractors who manage Energy facilities to reveal problems that could lead to further investigation as well as reduced performance bonuses and award fees. The Inspector General recently found in interviews that most employees performing contractor self-assessments felt they were under pressure not to find problems.
At the Area Office level, personnel may not be technically sophisticated. That was the conclusion reached by Energy's Inspector General about the Los Alamos Area Office. “Several [Energy] personnel told us that [office] security was understaffed and did not have the technical expertise required to conduct all their oversight responsibilities.” 6
The Albuquerque office's annual security review at Los Alamos in 1998 found security to be unsatisfactory or marginal in most categories. By the time the report had journeyed through the political review process at the field office, though, most ratings had become “satisfactory.” But the Inspector General could find no justification for the change. In fact, a number of key documents bearing on ratings had been destroyed.
At the next level, the Office of Independent Oversight reports directly to the secretary. The team in that office is a qualified and capable group. Their 1999 memo to General Habiger revealed careful analysis and concern.
But this group has also pulled its punches or simply not tested certain sites, knowing they were likely to fail at a politically sensitive time. As for annual inspections, as revealed in a December 1999 draft report by the General Accounting Office, “The director of [the Office of Safeguards and Security Evaluations, Independent Oversight] informed us that inspections were not conducted annually from 1994 through 1998 because secretarial interest in the safeguards and security area waned and staff allocated for safeguards and security inspections was reduced.”
In the 1980s, Congressman Dingell concluded that Energy was misleading the president and the National Security Council about the status of security. By the time a report critical of security was written in 1996, congressional interest had waned. That report, drafted by Colonel McCal-lum, was not given to the president until months later, after the National Security Council demanded its release. Soon after, McCallum was put on administrative leave and investigated for breach of security. The investigation was later dropped, and the next year no report was issued.
In the wake of the perceived theft of nuclear secrets from Los Alamos, Congress mandated the reorganization of the nuclear weapons program, creating a semi-autonomous agency–the National Nuclear Security Administration (NNSA).
But this reorganization did nothing to address problems of physical security. It simply rearranged the deck chairs in a bureaucracy that had failed. Furthermore, several of the people appointed to top NNSA positions held the same positions in the predecessor agency, Defense Programs. Dingell predicted that NNSA was a mistake:
“Allowing these proposals to become law would be tantamount to using gasoline to extinguish a fire…. This would indeed be a remarkable act of political jujitsu where the very institutions responsible for the security problems at [Energy] would emerge from scandal not merely intact, but even more powerful and autonomous than before.”
Congress soon realized that it had simply created another unwieldy bureaucracy. The fiscal 2002 House Appropriations Report observes that “Congress assumed that creation of the NNSA would lead to efficiencies and streamlined management. However, the result has been an increase in staff at headquarters and in the field.”
A number of steps could be taken to improve security, and it should also be clear that the United States no longer has the leisure to merely consider them.
First, enough special nuclear material to make a weapon is currently stored at 10 fixed sites–even though most no longer have a national security mission. Unnecessary sites not only cost the taxpayers billions annually, they also present a significant health and safety risk to nearby communities.
Unneeded facilities should be closed. The Base Realignment and Closure Commission should be empowered to recommend closing redundant sites as well as those with no national defense mission. The administration is considering this step.
Two of the most secure facilities in the world could provide enough storage for all the stable weapons-grade plutonium and highly enriched uranium that is required for national defense purposes–a secure underground storage facility at Kirtland Air Force Base in New Mexico and the Device Assembly Facility at the Nevada Test Site.
Weapons-grade plutonium and highly enriched uranium could be encased in glass with a radioactive barrier. Once the materials had been immobilized or vitrified, they would no longer be useful to terrorists.
Second, the Energy Department has traditionally portrayed facilities as being secure and impervious to terrorists and spies when, in fact, they are not.
Until sites are consolidated, Energy should increase the size of security forces and improve weapons, tactics, and command, control, and communication to defend against both theft and radiological sabotage. Federalizing security forces or exploring the use of the military are two options. As far as we can tell, there has been little change in security practices since September 11, although guards are now checking identification badges and cars passing through front gates.
Third, NNSA has exacerbated the security problem by elevating the same people who have mismanaged security over the last three decades.
The Project on Government Over-sight believes that Congress should consider establishing an independent agency to provide security from outside the Energy Department.
Additionally, the Oversight Office could be made independent. The model to follow might be that of the Defense Nuclear Facilities Safety Board. The board could report directly to Congress and be empowered to assess security in the nuclear complex.
Finally, it is critical that the budget for security be adequate. According to Colonel McCallum, since 1992 total security manpower at the weapons complex has “decreased by almost 40 percent (from 5,640 to approximately 3,500), while the inventory of nuclear material has increased by 30 percent.” (The increase has resulted mainly from the dismantling of nuclear weapons, as well as the receipt of a small amount of nuclear material from a former Soviet republic, Kazakhstan.) During the same period, the threat of terrorism has also increased.
The security budget should be arrived at independently. Security should not have to fight for scraps after the more politically appealing and bureaucratically popular scientific research and weapons projects are funded.
Footnotes
1.
2.
Ibid.
3.
Official policy positions by the president are issued through the National Security Council in the form of Presidential Decision Directives (PDDs).
5.
Richard J. Levernier, Energy Department Program Manager, Assessment and Integration, memorandum to James L. Ford, Acting Director, Field Operations Division, April 11, 2000.
6.
Department of Energy Office of Inspector General, “Summary Report on Inspections of Allegations Relating to the Albuquerque Operations Office Security Survey Process and the Security Operations' Self-Assessments at Los Alamos National Laboratory,” May 2000.