Nuclear Threat Initiative gives Canada high score on cyber security but much of world’s weapons-grade material ‘still to vulnerable to theft’

Much of the world’s enriched uranium and plutonium is “too vulnerable to theft” and a cyber attack on a nuclear facility could “facilitate” either theft of nuclear material or sabotage, the Nuclear Threat Initiative warned in a recent report.

“Nearly 2,000 metric tons of weapons-usable nuclear materials remain stored around the world, much of it still too vulnerable to theft,” wrote Sam Nunn, Co-chairman and CEO of Washington, D.C.-based NTI, in a forward to the 2016 NTI Nuclear Security Index: Theft and Sabotage. “The risk is compounded by the fact that a terrorist group wouldn’t need much nuclear material to make a nuclear bomb.” [click image below to enlarge]

Nunn represented the state of Georgia, as a Republican, in the United States Senate from 1972 through 1996, serving as chairman of the Senate Armed Services Committee.

This year’s NTI index – Building a Framework for Assurance, Accountability and Action, Third Edition – was developed with The Economist Intelligence Unit.

Released Jan. 14, the index assesses the security of highly enriched uranium and plutonium, rating 24 countries – including Canada – with one kilogram or more of “weapons-usable nuclear materials.” It also rates 45 countries “with respect to the protection of nuclear facilities against sabotage.”

Of the 24 nations with weapons-usable nuclear material, nine, including Canada, received the maximum score for cyber security. Seven scored zero.

A cyberattack “could facilitate the theft of nuclear materials or an act of sabotage,” NTI warned. “For example, access control systems could be compromised.”

Countries were rated on a scale of 0 to 100, where 100 is the most favourable nuclear security conditions.

For risk environment, Canada scored 79.

In addition to cyber security, Canada scored 100 each in on-site physical protection, control and accounting procedures, response capabilities, international legal commitments, voluntary commitments, international assurances, domestic nuclear legislation, independent regulatory agency and pervasiveness of corruption.

Canada scored 80 on its implementation of United Nations Security Council Resolution 154. That resolution requires all UN members to “have and enforce appropriate and effective measures against the proliferation” of nuclear, chemical, and biological weapons and their delivery systems, the U.S. State Department notes.

In NTI’s index, Canada scored above average but not 100 in insider threat prevention (67), political stability (85) and effective governance (88). Canada scored average (50) when rated by group (s) interested in committing acts of nuclear terrorism, and number of sites (60).

“A new ‘sabotage ranking’ of 45 countries with certain types of nuclear facilities shows that many countries considering nuclear power are struggling to put in place the basic measures necessary to prevent an act of sabotage that could result in a radiological release similar in scale to the 2011 Fukushima disaster in Japan,” NTI said in a press release.

NTI added that an attack “that deliberately disrupts or damages a nuclear facility – through a physical attack, a cyber attack or a combination of both” could produce a release similar to that of the release from the Fukushima Daiichi nuclear generating station in Japan – which was hit by a tsunami in 2011 after the Tohoku earthquake – or to the 1986 accident at Chernobyl, then in the Soviet Union.

Belgium and Iran are two of the countries that scored zero in cyber security. Iran also scored zero in international legal commitments, domestic nuclear materials security legislation, independent regulatory agency and pervasiveness in corruption. Iran scored below average in insider threat prevention (22), voluntary commitments (20), international assurances (20) and UNSCR 1540 implementation (20).

Both India and China scored 17 in sites and transportation, 25 in pervasiveness of corruption and 33 in insider threat prevention.The Nuclear Liability Compensation Act (NLCA) and the increased liability limits for operators of nuclear facilities it introduces are not yet in force.

The Energy Safety and Security Act (ESSA), which enhances safety and security in Canada’s nuclear energy and offshore petroleum industries, received Royal Assent on February 26, 2015. This Act contained two distinct parts – one for the offshore industry and one for the nuclear industry (the NLCA). 

Bringing the NLCA into force requires the completion of several implementation steps, including the development and approval of regulations to define the nuclear installations covered by the legislation and the amount of insurance the operators of those installations require. The increases in absolute liability for nuclear operators under the NLCA will come into force only once these steps are complete. This process is expected to take several months, and the NLCA is expected to come into force in late 2016 or early 2017.

When the NLCA comes into force, it will replace the current Nuclear Liability Act, and the liability limit for nuclear power plant operators will increase from $75 million to $650 million. The liability limit will increase over time, and will be phased in to reach $1 billion 4 years after the NLCA comes into force.

The Nuclear Liability and Compensation Act does not apply to war, hostilities, civil war or insurrection, but does apply to terrorist activity.

Shortly before Bill C-22 was passed into law, a spokesperson for Natural Resources Canada told Canadian Underwriter that under the Nuclear Liability Act (which was superseded by the Nuclear Liability and Compensation Act,) the federal government provided about 75% of coverage for damages resulting from a terrorist act. That coverage was provided under a reinsurance agreement.

Related: Federal bill increasing absolute liability to $1 billion for nuclear operators, offshore energy, passes Senate

The new Nuclear Liability and Compensation Act gives the Minister of Natural Resources the authority to “enter into an indemnity agreement with an operator under which Her Majesty in right of Canada covers any risks that, in the Minister’s opinion, would not be assumed by an approved insurer.”

The majority of insurance coverage, for Canadian nuclear generating station operators, is written by the Nuclear Insurance Association of Canada, an association of insurers that form liability and property damage pools for nuclear installations.

Other insurers approved by Natural Resources Canada are Nuclear Risk Insurers Limited, American Nuclear Insurers (ANI) and European Liability Insurance for the Nuclear Industry (ELINI).

In the United States, the Terrorism Risk and Insurance Act (TRIA) essentially requires commercial property insurance in the U.S. to cover terrorism, with the federal government sharing losses under certain conditions.

TRIA expires Dec. 31, 2020.

“TRIA does not require that insurers provide coverage for losses from nuclear, biological, chemical, or radiological risks,” according to a paper published in June, 2015 by the Congressional Budget Office.

Those risk “were excluded by insurers” before the Sept. 11, 2001 hijacking by al-Qaeda operatives of four civilian airliners, and “continue to be excluded from most policies today,” stated the CBO paper, titled Federal Reinsurance for Terrorism Risk in 2015 and Beyond. “The major exception is for workers’ compensation insurance; state regulations allow virtually no exclusions for that type of coverage.”

TRIA “reinsures NBCR coverage when it is included in a policy,” the CBO paper noted.

In 2013, Risk and Insurance Management Society (RIMS) Inc (RIMS) recommended in a report – titled Terrorism Risk Insurance Act: The Commercial Consumer’s Perspective – that TRIA should require the inclusion of coverage of acts of terrorism involving the use of nuclear, biological, chemical or radiological devices.

TRIA was originally passed in 2002. It expired several times but was extended again in January, 2015.

After Sept. 11, 2001 attacks, “terrorism risk insurance quickly became either unavailable or very, very expensive and unaffordable,” U.S. Congressman Gregory W. Meeks told the House of Representatives in 2014 during debate on bills to extend TRIA.

Under TRIA, an act of terrorism is one that is “violent” or dangerous to human life, property or infrastructure . It must also have been “committed by an individual or individuals acting on behalf of any foreign person or foreign interest, as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States Government by coercion.”

There is a program trigger – which is US$120 million this year and will gradually rise to US$200 million by 2020 – of aggregate losses to the insurance industry.

There is also a deductible, to the private insurers, of 20% of their annual direct earned premiums from commercial P&C lines, RIMS stated in 2013. Once that deductible is exceeded, the federal government covers 85% of the insurer’s loss above the deductible, until total losses are US$100 billion, RIMS stated at the time.

CORRECTION: An earlier version of this article contained erroneous information about the increased liability limits for operators of nuclear facilities. The NLCA and the increased liability limits are not yet in force. Canadian Underwriter regrets the error.