Preventing Insider Theft: Lessons from the Casino and Pharmaceutical Industries

Through structured interviews and a literature review, we assess which approaches to protection against insider thefts in the casino and pharmaceutical industries could be usefully applied to strengthen protections against insider theft in the nuclear industry, where insider thefts could have very high consequences. Among other measures, we suggest consideration of constant video surveillance of all vaults and insider-material interactions; frequent and rigorous material accounting; requiring everyone who touches material to sign for it; implementing an expanded two-person rule; rewarding attention to security; and establishing incident databases and experience sharing. While many of these measures are in place for some operations with weapons-usable material in some countries, they should be considered for more universal application. Introduction At the Washington nuclear security summit in April 2010, leaders from some forty-seven countries affi rmed that “nuclear terrorism is one of the most challenging threats to international security, and strong nuclear security measures are the most effective means to prevent terrorists, criminals, or other unauthorized actors from acquiring nuclear materials.” The leaders reaffi rmed their commitment to take action to improve nuclear security at the Seoul nuclear security summit in March 2012. Nearly all of the documented thefts of highly enriched uranium (HEU) or separated plutonium—the two materials that could be used to make a nuclear bomb—appear to have been perpetrated by insiders. Protection against insider threats, therefore, is an absolutely critical element of keeping the essential ingredients of nuclear bombs out of terrorist and criminal hands. Insiders, with their authorized access to sensitive areas and materials, their knowledge of the nuclear security system and its weaknesses, and their relations with other staff, pose major challenges for security planners. To address this threat, a broad range of insider protection measures are required in national regulations and recommended in international guidelines for handling weapons-usable nuclear material (and, often, for operations in vital areas of nuclear facilities as well), including checks to ensure insiders are trustworthy before granting access; two-person or three-person rule, so that no one is alone with weapons-usable nuclear material; continuous surveillance of material operations; searches on entering and leaving key areas; accounting suffi ciently accurate to detect either abrupt or protracted thefts; use of uniquely identifi able and diffi cult-to-defeat tamper-indicating devices; and storage of material in secure vaults or vault-type rooms when not in use. A number of useful sets of recommendations for protecting against insider theft of nuclear material have been developed. Nevertheless, insider-threat protection practices in the nuclear industry vary widely, and are often focused on simply complying with national-level rules, rather than focusing on continuous performance improvement. In this article, we explore practices for protecting against insider threats in two high-security industries with a profi t incentive to achieve excellence in preventing insider theft—casinos and controlled pharmaceutical production—and explore whether the nuclear industry can adapt practices from these industries. To perform our assessment, one of us carried out structured interviews with security managers for several casinos and pharmaceutical facilities producing drugs with high black-market value. The interviews were based on a consistent set of questions, for comparability from one interview to the next, but also fl exibly pursued issues as they arose in the discussions. Because of limitations of time and resources, these interviews covered only a limited number of facilities, and covered only facilities located in the United States. All of the interviewees wished to remain anonymous, and to keep the facilities whose security they managed unnamed as well. We combined these interviews with a review of relevant literature on casino and pharmaceutical security; a review of literature on nuclear industry practices to protect against insiders (such as the material already cited); and extensive discussions with nuclear industry experts on insider protection by one of the authors over a period of several years. Our assessment is that both the casino and pharmaceutical industries have developed some valuable approaches that the nuclear industry should consider adopting. While many of