Posing as legitimate buyers through shell companies and using forged licenses, investigators for the Government Accountability Office (GAO) twice surreptitiously obtained from domestic suppliers small quantities of highly radioactive isotopes that they were not authorized to receive. The agency warned that such materials could be used to fashion a radiological dispersion device, commonly known as a dirty bomb, that could cause hundreds of deaths and billions of dollars’ worth of damage.
The GAO sting was carried out to show how terrorists might hack the Nuclear Regulatory Commission’s (NRC’s) licensing process for acquiring small amounts of radioisotopes such as cesium-137 and cobalt-60, which have legitimate uses for sterilization, nuclear medicine, well logging, and other applications. Cesium-137 is particularly dangerous due to its readily dispersible powder form. GAO officials declined a reporter’s request to identify the specific isotopes that were acquired.
The multiple-tier NRC licensing system for possessing and shipping radioisotopes has different levels of stringency depending on the quantity of material involved. The GAO undercover operation involved category 3 amounts, defined as less than 10 times the quantity needed to cause permanent human injury. For comparison, blood irradiators commonly used in hospitals and panoramic irradiators used to sterilize roomfuls of medical supplies contain category 1 quantities, at least 1000 times the amount needed to cause permanent injury. Specific amounts and radioactive activity levels are not provided. The NRC has delegated its regulatory authority under agreements with 39 states, which administer about three-quarters of all domestic radioisotope shipments.
The GAO investigators didn’t attempt to procure category 1 or 2 material quantities because of the more stringent license and tracking requirements for those quantities. Unlike for the larger amounts, vendors aren’t required to contact regulatory authorities to verify the identity of buyers for category 3 items. On two occasions involving two separate vendors, GAO investigators simply presented forged licenses, paid for their purchases, and were sent the isotopes they ordered. The materials were immediately sent back to the suppliers, the report said.
A single class 3 shipment of some isotopes—particularly 137Cs—could be used to fashion a radiological weapon, and a terrorist actor could also combine multiple shipments, the GAO warned. Although detonation of a dirty bomb employing category 3 quantities would cause few, if any, immediate deaths from radiation, it would be likely to result in hundreds of deaths during panicked evacuations and billions of dollars in socioeconomic impacts, the GAO said. The agency pointed to a May 2019 incident at the University of Washington, where the accidental release of only 1 curie of 137Cs resulted in $156 million in cleanup and other costs.
The NRC noted that, in determining the level of security measures that are required, it considers only the risk of direct deaths and immediate health effects of radiation rather than social impacts, such as public panic, or economic effects, such as decontamination costs and denial of access to buildings and public infrastructure for extended periods.
In a statement, NRC spokesperson David McIntyre said that the agency is taking actions to respond to the GAO findings. “We reached out to the manufacturers of these radioactive sources to ensure they are vigilant with sales, especially for new customers or unusual activities. We are also expediting a rule change already in progress that will be a durable regulatory resolution for license verification with sales of category 3 sources, including consideration of multifactor authentication.”
The NRC concurred with the GAO’s recommendation to tighten security features on class 3 materials, including switching from paper licenses to electronic ones. The agency initiated a rulemaking in January to require sellers to verify buyers’ identities. But the rulemaking process requires input from states and public comment and ordinarily takes 18 months to two years to complete. The NRC, in comments submitted to the GAO, said it was taking steps “to appropriately expedite this rulemaking.”
In the interim, the NRC could issue an order immediately requiring vendors to verify licenses via a phone call to the NRC or state regulators, if the agency believed that doing so was necessary to promote the common defense and security. But NRC officials told the GAO that there was insufficient basis to do so.
The NRC’s normal oversight and current security framework, including inspections, ensures the safety of radioactive material, agency spokesperson McIntyre said. Those measures “are appropriate for the safety significance of the category 3 sources. In contrast, imposing immediate additional security requirements would risk unintended impacts to important and safe medical, academic, and industrial uses of these materials.” The NRC, he noted, “also coordinate[s] with other federal agencies to assess current and evolving threats and can take urgent action if necessary.”
The GAO noted that even upon completion of the rulemaking, other vulnerabilities in the system, which it did not publicly disclose, will remain unaddressed.