Blog Post - Nuclear Security Matters

The Dannemora Prison Break: Lessons for Nuclear Facilities

| Sep. 09, 2015

In prisons as in nuclear facilities, employees are tasked with guarding something highly dangerous in high-stress environments. Both face high costs in the event of failure, and both are especially vulnerable to complacency and insider threats. Given these parallels, two inmates’ dramatic break-out from a New York prison in early June offers nuclear security practitioners valuable insights into how to avert an equally dramatic (and potentially much more consequential) breech.

The escape from Clinton Correctional Facility, a maximum security prison in Dannemora, New York, is a complicated, intricate plot fit for the cinema. Two convicted killers - David Sweat and Richard Matt - spent months devising and implementing their escape from the so-called “honor block,” where inmates who exhibited good behavior enjoyed looser security restrictions and, among other privileges, could move freely between cells and gather in open areas. They cut their way out of their cells, climbed down several stories using pipes and catwalks, slipped through tunnels, and emerged from a manhole outside of the prison. Following their escape, hundreds of law enforcement officers engaged in a three week manhunt that ended in Matt’s death and Sweat’s recapture. As if this was not a dramatic enough story already, soon after the breakout investigators discovered that two prison employees, Joyce Mitchell and Gene Palmer, aided the prisoners in their escape (the former on purpose and the latter - he claims - unintentionally).

So what lessons does this remarkable prison break offer those concerned with security at nuclear facilities?

Lesson #1: The success of any security program depends on combating complacency.

Complacency – an uncritical sense of satisfaction with the status quo – undermines basic security procedures and practices, producing cracks in what may otherwise be an entirely adequate system. It is an especially pernicious force in industries and fields which are primarily threatened by low-likelihood but very high consequence “events.” Complacent security managers and higher-ups see few if any major incidents and feel little inclination to reinforce existing security measures or promote new ones.

The prison system and the nuclear complex are similar with respect to the probability of a major incident. Escapes from maximum-security prisons nation-wide are rare, and no one had escaped from Clinton since the Civil War. This contributed to a gradual relaxation in adherence to security procedures at Clinton as employees became confident that, because a break-out had not happened, it never would. Corrections officers disregarded rules mandating they be able to see inmates’ skin during hourly bed checks and routinely permitted the prisoners to sleep entirely covered. This allowed Sweat and Matt to place “dummies” under their blankets and work undetected throughout the night. Employees also failed to carry out required inspections of the tunnels beneath the cell blocks and catwalks behind the cells (used in the escape) and had not staffed two 35-foot guard towers overnight for years. Had prison employees executed their duties in even one of these areas, Sweat and Matt’s escape would have been much more challenging. Had all the procedures been observed, it may have been impossible.

Similarly, incidents of theft and sabotage at nuclear facilities are relatively few and far between, a fact that makes complacency difficult to resist. This contributed directly to the 2012 break-in at the Y-12 facility in Oak Ridge, Tennessee by an 82 year-old nun and her two accomplices. The three cut through four fences, set off multiple alarms, and spent some 30 minutes hammering on the walls of a building housing hundreds of tons of highly enriched uranium (HEU) before encountering a single guard. The various elements at play in this incident – among them security cameras broken for months and a new alarm system that, with its exponential increase in false alarms, produced a reluctance among guards to investigate alerts (even when they led directly to a HEU storage building) – are all indicative of a deep-seated culture of complacency at what should have been one of the most vigilantly guarded facilities in the nation.

In short, complacency corrodes security culture and increases risk by undercutting an organization’s ability to prevent major (and minor) incidents. Practitioners must enforce constant vigilance, in the form of tests and exercises that highlight weaknesses and vulnerabilities, updating threat information, sharing best practices, and other measures, to overcome the tendency toward complacency.

Lesson #2: Insider threats are a real danger that must be addressed: just because something seems unlikely does not mean it cannot happen.

Joyce Mitchell was instrumental in the escape from Dannemora. A civilian employee at the prison since 2008, she developed close and eventually sexual relationships with the two inmates. She contacted people outside the prison on their behalf, helped them manipulate other prison employees, and provided them with tools necessary to their escape (including hacksaw blades and chisels). She was even supposed to supply the getaway car and agreed to pick up the escapees outside the prison, take them back to her home to kill her husband, and flee with them (possibly to Mexico) (she checked into a hospital with panic attack symptoms instead). Gene Palmer, a corrections officer of over 25 years, also played a key role. He provided (and then helped to conceal during cell inspections) contraband including paint, a screwdriver, and pliers, and he granted Sweat access to the catwalk behind his cell (which was later used in the escape). In exchange, he received paintings by the inmates and tips on the activities of other prisoners. This assistance– itself likely facilitated by an entrenched sense of complacency— no doubt significantly eased the escape. It also illustrates another important lesson: when people are cooped up together in isolated facilities, unexpected relationships develop that can become highly dangerous in a short amount of time. This suggests a need to better monitor staff for concerning behaviors.

Insiders represent a significant threat to nuclear facilities as well. As Matthew Bunn and Scott Sagan have documented, insiders have perpetrated or helped perpetrate all cases of nuclear theft where the circumstances of the theft are known. Employees inside nuclear facilities have also perpetrated many of the known incidents of nuclear sabotage. The investigation into an incident in Belgium in 2014, in which an apparently deliberate act caused the shutdown of the Doel 4 nuclear reactor and over €30 million in damage (not including the cost of replacement electricity while the reactor was shut down), has focused almost entirely on employees. The nuclear realm clearly struggles to address insider threats, and security officials should pay attention to the prison system’s efforts to address this problem, adopting and adapting new measures appropriately.

Some legislators in New York, for example, are working to prohibit unguarded access to civilians by especially violent offenders. In other words, they hope to more stringently regulate who has access to the most dangerous individuals in an effort to reduce the insider threat. In addition, the New York State Assembly’s Corrections Committee chairman, Daniel O’Donnell, introduced a bill that would increase independent oversight of prisons. It requires any prison investigation to be conducted independently by the Inspector’s General Office, rather than an internal probe by the Department of Corrections. This external layer of supervision and accountability could reduce systemic weakness and discourage insider plots.  

Lesson #3: Threats can involve multiple insiders (and they don’t even have to be actively conspiring).

The Dannemora episode also demonstrates that one cannot assume that only consciously malicious insider actions matter. Not all insider threats are deliberate, and programs looking only for deliberate actions can miss important things. If his story is true, Gene Palmer may not have intentionally aided the escapees, but, at a minimum, his complacency and willingness to compromise the security rules certainly facilitated Mitchell’s very deliberate actions and the inmates’ flight. In the same way, a failure to adhere to security rules in a nuclear facility by one insider could enable malicious action by another. Moreover, the case highlights the fact that incidents involving multiple insiders are very possible. A report out of Sandia National Laboratories (“The Perfect Heist”), which surveyed 23 sophisticated and high-value heists and found that multiple-insider heists were more common than single-insider heists, further emphasizes this point.

This is a particularly important observation given that in a survey of nuclear security experts from 18 countries conducted by the Project on Managing the Atom, 14 out of 22 respondents considered the idea that a small group of insiders could threaten nuclear facilities or materials as incredible or only modestly credible. In fact, they rated multiple insiders (along with a large group of outsiders) as the least credible threat to nuclear facilities. At the same time, however, those experts ranked insider knowledge of the facility and/or security system to be the most credible threat. In other words, some of the world’s foremost experts on nuclear security have rejected the possibility that multiple insiders represent a credible threat while acknowledging insider knowledge as the most credible danger. The disconnect here, and the presumed disinterest in strengthening security measures that address the danger of collaborating insiders, is concerning to say the least.

Lesson #4: Seeing red flags is not enough - organizations must also correctly interpret and respond to them.

Finally, it is important to draw attention to the fact that Mitchell was the subject of an investigation a few years earlier that examined allegations of an inappropriate relationship between her and Sweat. While no disciplinary action was taken, “action was taken to separate her” from Sweat at the time. This suggests that despite knowledge of the possible risks, the prison administration failed to place Mitchell under more careful watch (i.e. not leaving her alone with Sweat and other inmates, particularly in areas where security measures were loosened). Furthermore, her interactions with those close to Sweat (including Matt) should have been more carefully monitored. In short, red flags were raised, examined, and either misinterpreted or ineffectively addressed. Organizational inertia and incredulity at the idea that an employee could be persuaded to facilitate a prison break ruled the day, with unfortunate consequences.

The prison-nuclear facility analogy is not perfect, of course. Nuclear material will not try to escape on its own, unlike inmates. Employees have opposing objectives: in prison the goal is to keep criminals in whereas nuclear facilities keep them out. And in prisons the primary objective is security while in nuclear facilities security is just one of many objectives and draws resources away from other operations. Yet, the parallels between the prison system and the nuclear complex are numerous and suggest that the nuclear security field has much to learn from the N.Y. prison-break. And learn from it we must. The possible ramifications of a nuclear security lapse like that seen at Dannemora are much more severe than any that could have been imposed by two killers.

For more information on this publication: Please contact the Belfer Communications Office
For Academic Citation: Miller, Kate.The Dannemora Prison Break: Lessons for Nuclear Facilities.” Nuclear Security Matters, September 9, 2015, https://nuclearsecuritymatters.belfercenter.org/publication/dannemora-prison-break-lessons-nuclear-facilities.

The Author