The Government Accountability Office (GAO) has called on the Nuclear Regulatory Commission (NRC) to add security features to its licenses to make it harder for people to use a fraudulent license to purchase radioactive material, after the watchdog used shell companies and fraudulent licenses to purchase from vendors in the U.S.
Radioactive materials are commonly used for things like treating cancer and sterilizing medical instruments. But even a small amount could be used in a dirty bomb, which uses conventional explosives to spread radioactive material. NRC issues licenses to people and organizations that need to possess radioactive material. Licenses control the type and quantity of radioactive material allowed to be possessed. Quantities of radioactive materials are defined as category 1 through 5, with 1 being the most dangerous.
GAO says NRC’s current system for verifying licenses does not adequately protect against the purchase of high-risk radioactive materials using a fraudulent license. Using shell companies with fraudulent licenses, GAO successfully purchased a category 3 quantity of radioactive material of concern from two different vendors in the U.S.
Specifically, GAO provided a copy of a license that GAO forged to two vendors, subsequently obtained invoices, and paid the vendors. GAO refused to accept shipment at the point of delivery, ensuring that the material was safely and securely returned to the sender. GAO’s shell companies were successful in acquiring the material because they are not subjected to more stringent controls required for purchases of larger quantities of material.
A category 3 quantity of radioactive material can, on its own, result in billions of dollars of socioeconomic costs if dispersed using a dirty bomb. By purchasing more than one shipment of a category 3 quantity of radioactive material, GAO also demonstrated that a bad actor might be able to obtain a category 2 quantity by purchasing and aggregating more than one category 3 quantity from multiple vendors.
NRC officials told GAO in January 2022 that they have begun a Commission-directed rulemaking that if implemented, would strengthen the license verification controls for purchases of category 3 radioactive materials. According to NRC officials, the proposed rulemaking will take between 18 months and two years to complete. GAO has however voiced concern about the effectiveness of these changes and NRC officials told the watchdog in April 2022 that they plan no additional actions beyond the rulemaking to address the vulnerabilities identified by the investigation. However, NRC officials told GAO that they have the authority to quickly issue additional binding security requirements to licensees via an NRC order, if warranted. For example, NRC could issue an order immediately requiring vendors to verify licenses via a phone call to NRC if the agency believed that doing so was necessary to promote the common defense and security.
NRC officials stated that the consequences stemming from the detonation of a dirty bomb using category 3 radioactive materials would be insufficient to require issuing immediately effective orders. However, as GAO found in a previous study, a dirty bomb using a category 3 quantity of radioactive materials could be expected to cause hundreds of deaths.
The government watchdog has recommended that NRC immediately requires that vendors verify category 3 licenses with the appropriate regulatory authority. NRC agreed but will not address the vulnerabilities found immediately and that the rulemaking will not be complete until at least the end of 2023.
GAO also recommended that NRC should add security features to its licensing process to improve its integrity and make it less vulnerable to altering or forging licenses. These security features could include multifactor authentication or moving away from paper licenses to electronic-based licensing. NRC concurred and said it will consider adding enhanced security features in the licensing process and providing guidance to regulators and licensees.