National Security

Published — August 4, 2016 Updated — August 23, 2016 at 3:58 pm ET

A secret group easily bought the raw ingredients for a dirty bomb – here in America

Soldiers and airmen from the California National Guard’s 49th Military Police Brigade and the FEMA Region IX Homeland Response Force joined first responders in a drill simulating a radioactive dirty bomb attack at the Richmond Fire Training Center in northern California on April 11, 2015. Army National Guard/ Capt. Will Martin

An undercover congressional operation exposes gaps in U.S. regulations and undermines Washington’s claim to be the best in the world at blocking this potential terrorist threat


This article was co-published with The Washington Post and the Texas Tribune.

The clandestine group’s goal was clear: Obtain the building blocks of a so-called radioactive “dirty bomb” – capable of poisoning a major city for a year or more – by openly purchasing the raw ingredients from authorized sellers inside the United States.

It should have been hard. The purchase of lethal radioactive materials – even modestly dangerous ones – requires a license from the Nuclear Regulatory Commission, a measure meant to keep them away from terrorists. Applicants must demonstrate they have a legitimate need and understand the NRC’s safety standards, and pass an on-site inspection of their equipment and storage.

But this secret group of fewer than 10 people – formed in April 2014 in North Dakota, Texas, and Michigan – discovered that getting a license and then ordering enough materials to make a “dirty bomb” was strikingly simple in one of their three tries. Sellers were preparing shipments that together were enough to poison a city center when the operation was shut down.

The team’s members could have been anyone – a terrorist outfit, emissaries of a rival government, domestic extremists. In fact, they were undercover bureaucrats with the investigative arm of Congress. And they’d pulled off the same stunt nine years before. Their fresh success has set off new alarms among some lawmakers and officials in Washington about risks that terrorists inside the United States could undertake a “dirty bomb” attack.

Here’s how they did it: In Dallas, Texas, they incorporated a shell company they never intended to run and rented office space in a nondescript industrial park, merely to create an address for the license application. In a spot on the form where they were supposed to identify their safety officer, they made up a name and attached a fake resume. They claimed to need the material to power an industrial gauge used in oil and gas exploration.

Last year, their application was sent not to Washington but to Texas regulators, who had been deputized by the NRC to grant licenses without federal review. When the state’s inspector visited the fake office, he saw it was empty and had no security precautions. But members of the group assured him that once they had a license, they would be able to make the security and safety improvements.

So the inspector, who always carried licenses with him, handed them one on the spot.

The two-page Texas document authorized the company to buy the sealed radioactive material in an amount smaller than needed for any nefarious purpose. But no copies were required to be kept in a readily-accessible, government database. So after using the license to place one order, the team simply made a digital copy and changed the permitted quantities, enabling it to place a new order with another seller for twice the original amount.

“I wouldn’t call what we did very sophisticated,” Ned Woodward, the mastermind of the Government Accountability Office’s plot, said in a phone interview with the Center for Public Integrity. “There was nothing we had done to improve that site to make it appear as if it were an ongoing business.”

In 2007, Woodward’s colleagues in the GAO similarly set up fake businesses, got licenses to purchase low-level radioactive material and altered them to buy larger quantities. The NRC promised “immediate action to address the weaknesses we identified,” according to the GAO’s report on that incident.

The auditors’ aim this time around was to see if the government had cleaned up its act, and taken steps to close some simple gateways to obtaining the ingredients for a dirty bomb.

It turns out, the government had not.

While the purchases that Woodward’s team set in motion were never completed, if they had been, his group would have had enough radioactive material to create the type of dangerous dirty bomb that terrorists may seek, according to David Trimble, director of Natural Resources and Environment at the GAO and Woodward’s boss. It would have been within the group’s reach to spread cancer-causing americium and beryllium dust over many blocks, threatening the health of anyone who breathed it.

The quantity each seller could have sent was dangerous, and together the quantity was “significantly dangerous,” Trimble said in a GAO podcast.

Trimble said that he is confident his investigators could have altered the license again and again, allowing them to amass an even larger quantity. “It’s a back door,” he said in an interview. “We walked through it and we showed the door was still open. We could have kept doing it. If you can forge [a license] once, there’s no reason you can’t forge it again and again.”

Texas nuclear regulatory officials have responded by quietly firing two managers and organizing new training efforts.

NRC Commissioner Jeff Baran, an attorney and former House of Representatives staff member, wrote a swift letter to the two other current NRC commissioners (two positions are vacant) stating that even if Texas changed its procedures, “GAO’s covert testing identified a regulatory gap.” He urged his colleagues to consider creating a system for tracking licenses and sales of low-level radioactive materials – an idea that its members rejected seven years ago under heavy state and industry pressure.

The GAO’s July 15 report on the episode, which described the bare bones of its scam without naming any of the states involved or identifying the precise materials that were improperly ordered, similarly said that the NRC and state regulators aren’t doing enough to keep such materials out of terrorists’ hands.

It criticized the state regulator for granting the licenses, but also said the commission needs to act to block license alterations and track sales and shipments of lower-level radiological materials, using measures like those already in place for the sale of more hazardous fissile materials.

Billions of dollars in potential economic harm

Unlike a nuclear detonation, which could destroy a large city, the explosion of a dirty bomb would provoke more chaos than immediate fatalities, according to a 2007 study commissioned by the Department of Homeland Security.

“A terrorist attack using a dirty bomb in the United States is possible, perhaps even moderately likely, but would not kill many people,” two professors at the University of Southern California wrote in the study, which was conducted with advice from government scientific and counterintelligence experts. “Instead, such an attack primarily would result in economic and psychological consequences.”

The explosion could be lethal to someone nearby or to the first emergency personnel to arrive. But cleaning up the contaminated area would cost billions of dollars and take about a year in the scenario examined by the study’s authors – a dirty bomb targeting the ports of Los Angeles and Long Beach, which together constitute the third busiest in the world. At its worst, the resulting economic harm could exceed $250 billion.

One key to keeping the ingredients out of terrorists’ hands, the authors concluded, is “being more proactive in controlling and protecting the original sources of radioactive material.” But they also warned that “an attack that involves relatively low-level radioactive material from a U.S. facility” – the precise scenario tested by the GAO – is more likely to be successful than an attack using imported material, because the chances of detection are so much less.

“Why bother smuggling it if you can just order it with a fake license?” said Trimble, in the podcast.

Radioactive materials considered useful in a dirty bomb are widely present in U.S. and international commerce, used legitimately for medical and industrial purposes in more than 70,000 high-risk devices located at 13,000 buildings, according to a 2013 Energy Department estimate. These include machinery that irradiates food or blood products or is used to diagnose illness. In the United States alone, roughly 21,000 licenses for the purchase of these materials are active – and in some states they are reviewed by regulators only once a decade.

The Obama administration highlighted the dangers associated with loose radioactive materials at international summits in 2010, 2012, 2014, and this March. The summits inspired more than a dozen countries to adopt stronger physical security standards at sites that house radioactive materials and during their transportation, while others held special exercises for law enforcement and health workers who’d likely respond to a dirty bomb. Still others installed radiation detectors to prevent smuggling, or pledged money to other countries to help them develop stronger safety and security standards for radiological materials.

But on March 31, Obama’s deputy national security advisor Ben Rhodes warned reporters at a press briefing that while terrorists would have a hard time building or stealing a working nuclear weapon and delivering it, making a “more rudimentary dirty bomb” would be less challenging.

Coordinated suicide bombings in Brussels nine days earlier had stoked special anxiety about dirty bombs, because two perpetrators had secretly surveilled a senior researcher in a Belgian radioactive isotope program as he came and went from his home. The resulting videos, which police seized, prompted worries that the terrorists wanted to kidnap the man to force a handover of radioactive materials.

“The Belgium example – I think it reinforces what we’ve seen for many years, which is that we have seen indications, both through their public statements and through their actions, that terrorist organizations like al Qaeda and ISIL have an interest in getting their hands on these types of materials,” Rhodes said at the summit press briefing. “They want to do as much damage as possible. That was al Qaeda’s position for many years; we have no reason to doubt that that is ISIL’s position as well.”

The Obama administration’s ambition in convening the summits, Rhodes said, was to “bring the standard up around the world so that it is at the level that we see certainly here in the United States.”

That level, it turns out, isn’t so high.

Tighter regulation rejected in 2009

In a written statement about the report, Rep. Bennie Thompson (D-Miss.), the ranking Democrat on the House Committee on Homeland Security, who asked for the GAO’s investigation, said, “radiological and nuclear terrorism remains a threat to our nation’s security,” and the GAO’s scam showed how easy it is to exploit gaps in the NRC’s oversight that should have been fixed years ago.

“The NRC should re-evaluate its licensing requirements to ensure those who want to do us harm cannot obtain a license to purchase radioactive materials as easily as covert testers did,” Thompson said.

Similar demands were made, but refused, after the GAO’s sting operation in 2007 exposed the same weaknesses. Then, NRC staff proposed requiring that all licensing and sales involving so-called Category 3 radioactive materials – those in types or quantities considered less dangerous than others – be tracked in a single national database, as they already were for higher-risk Category 1 and 2 materials. Otherwise, it said, these Category 3 materials might be accumulated surreptitiously – through the process the GAO used – “for potential malevolent use.”

The NRC staff estimated that such a system would cost between $11 million and $14 million over a decade, with the federal government bearing 47 percent of the cost, licensees paying 39 percent and state regulators shouldering 14 percent. But companies that sell radiological materials complained in response that they couldn’t even begin to guess how burdensome an expanded tracking system might be for them.

“We do not consider that the supposed benefits of the expansion … justify this potential expenditure,” Hugh Evans, secretary and treasurer of the Council on Radionuclides and Radiopharmaceuticals, a trade association that lobbies on behalf of companies that sell radioactive materials, wrote in a letter to the NRC on May 9, 2008. The co-chair of the Nuclear Sector Coordinating Council for Radioisotopes – an industry task force recognized by the government as a partner in combatting radiological terrorism – sent a separate letter with some wording identical to that in Evans’s letter, suggesting a well-organized campaign.

Regulators in 24 of the states that had been deputized by the NRC to issue licenses also registered their opposition to the expanded tracking, partly because the system for tracking more dangerous quantities was then not working well.

Only Minnesota supported the proposal, calling it one of several “essential steps” that were “long overdue.” Then-NRC member Peter Lyons, a former official at the Los Alamos weapons laboratory, similarly argued at the time that expanded tracking “will further reduce the potential for aggregating sources” to a dangerous level. But Commissioner Kristine Svinicki, a nuclear engineer who had worked on the civilian side of the Energy Department, said she thought the on-site inspections would be enough to stop thefts or diversions.

In June 2009, the radioactive material sellers and state regulators got their way. The NRC rejected on the plan with a 2-2 tie vote.

Egregious behavior didn’t stop a Texas license

That left in place regulations for keeping low-level radioactive materials out of terrorists’ hands that were written in 1978. While the NRC is technically responsible for overseeing these rules, in practice it has granted only 13 percent of the active purchase licenses, relying instead on inspectors in 37 states to oversee the rest. They are supposed to get NRC training, and to follow the NRC’s 14-point checklist rules for inspections.

This is what the GAO sought to verify: “We designed our test to fail” through egregious behavior during on-site visits, the report said.

In its latest investigation, the GAO deliberately focused on two states – North Dakota and Texas – with robust oil and gas extraction industries, which issue many licenses for well-logging equipment, including gauges powered by radioactive americium combined with a lightweight, cancer-causing metal, beryllium, that are plunged into the ground to predict whether a prospective drill site would be productive.

In 2014, the GAO reported that it had caught companies licensed to use well-logging equipment storing large quantities of radioactive materials that auditors said could have been easily stolen. Officials from the NRC and state regulators told the GAO “the security controls are adequate.” But an official from the Department of Energy’s National Nuclear Security Administration determined “the security measures employed by some well loggers could put the sources at risk.” No policies have been changed, however.

The NRC had previously judged North Dakota’s on-site inspections deficient. With high staff turnover fueled by higher-paying jobs in the state’s booming oil and gas industry, the NRC decided in 2011 to put its radiation protection office into a remedial “heightened oversight” program. But the GAO’s experiment failed there, showing the state had turned around.

The applicants’ facility was unsuited for the kind of work they said they intended to do. They “couldn’t even get a well-logging truck through the door of this building they’d rented,” said Dale Patrick, manager of the radiation program at the North Dakota Department of Health, in a telephone interview. Similar concerns arose during a second GAO licensing application attempt in Michigan, where NRC regional inspectors from Illinois also blocked the GAO’s scam.

Unlike North Dakota, Texas was considered a strong performer. In 2014, an NRC audit of its licensing declared it “adequate to protect public health and safety,” according to an 82-page assessment.

But Texas failed the GAO’s test last year because its inspector didn’t follow agreed procedures “to make sure this unknown entity was a legitimate company and did not question that the applicant was not a registered business with the Texas Secretary of State,” according to Christine Mann, a spokeswoman for the Texas Department of State Health Services.

Texas’s on-site inspectors routinely carried licenses with them and commonly handed them to applicants on the spot without consulting anyone else about what they’d observed. The practice meant that a single person, operating in the field and without independent scrutiny, functioned as the sole obstruction to improper sales.

“Yes, that did happen but we no longer allow that to occur,” Mann said.

The GAO’s sting spurred change in Texas. The state fired two managers and sent letters of reprimand to two members of its licensing staff, according to Mann. The radiation control department retrained its personnel, and altered its procedures to require supervisory reviews of all licenses. A new NRC review last February, however, noted that the division still had “budgetary shortfalls” because the state was using its regulatory fees to raise revenues that it then spent for other purposes. It had 42 personnel to oversee more than 1,570 licensees and shippers and thousands of transactions each year.

After being briefed by the GAO on what had happened, the NRC immediately revoked the license Texas had granted the GAO’s shell company and told the vendors to cancel the orders. The NRC also asked all its state-level partners and regional NRC offices to review their licensing practices and updated its training courses to emphasize the need for heightened scrutiny. But unnamed NRC officials told the GAO that “NRC had no current plans to take action” to enact stricter regulations, because the issue had been considered and rejected in 2009.

After the report’s release, however, Duncan White, a senior health physicist at the NRC, wrote in an official blog post that NRC staff will restudy the issue and discuss it further with the commission later this year. A spokeswoman for the NRC, Maureen Conley, declined to add to what the blog said.

“We’re encouraged that NRC appears to be looking closely at this issue and considering the merits of the recommendation that we made,” Trimble said, “which we believe is on point.”

Read more in National Security

National Security

A trail of contracting fiascos

How a company using a rented mailbox in Chicago got millions of dollars from international agencies and the U.S. government, despite official allegations of lying and repeated sanctions

Share this article

Join the conversation

Show Comments

Notify of
Inline Feedbacks
View all comments