The Institution Trap: How Safety Regimes Become Tools of Dominance
Part 2 of 5: IAEA, WANO, and the Illusion of Neutral Governance
The genius of the Atoms for Peace program was not just that it opened innovation—it was that it wrapped that openness in institutional frameworks that appeared neutral while actually serving American interests. Understanding how those institutions worked, and where they failed, is crucial to understanding why cyber governance is struggling to find the right model.
The Institutional Architecture: Safety vs. Safeguard
After the Atoms for Peace program, nuclear regulation split into two distinct regimes, each with its own institutional apparatus:
The Safety Regime focused on ensuring that nuclear plants wouldn't catastrophically fail. Its concern was accident prevention—reactor design, operating procedures, redundant systems, radiation containment, and environmental protection. The institutions here included the International Atomic Energy Agency (IAEA), regional bodies like EURATOM in Europe, and within the US, the Nuclear Regulatory Commission (NRC) after 1975.
The Safeguard Regime focused on ensuring that nuclear materials and technology didn't get diverted to weapons programs. Its concern was nonproliferation—tracking every gram of fissile material, inspecting facilities, verifying that uranium enrichment and plutonium production stayed within declared peaceful uses, and preventing technology transfer to hostile nations.
The distinction seems clean on paper. In practice, it created structural conflicts that persist to this day—and offer warnings for how cyber governance could go wrong.
How Safety Standards Became A Competitive Advantage
Let's start with how the safety regime was supposed to work.
The IAEA, created in 1957 as a UN agency, was ostensibly independent and neutral. It would publish safety standards. Member nations would commit to following them. Regular inspections and peer reviews would ensure compliance. Best practices would be shared globally. Everyone would benefit from safer nuclear plants.
Sounds reasonable. Here's what actually happened:
The IAEA published standards, but—and this is crucial—member states were not legally required to comply. The agency could recommend, but it had no enforcement power over safety practices. It could only recommend; nations could ignore it.
This created a perverse incentive structure. Countries that followed strict safety standards faced higher construction costs and longer timelines. Countries that cut corners could build reactors faster and cheaper. In a global market where American firms were selling reactors to developing nations, this created pressure for races to the bottom.
The Three Mile Island accident in 1979 exposed the problem. After that catastrophe, it became clear that relying on voluntary compliance with safety standards was insufficient. The response was not to strengthen the IAEA's enforcement power, but to create private, industry-led safety regimes that would be more responsive and rigorous than government bodies.
INPO and WANO: Self-Regulation as Hidden Regulation
In the wake of Three Mile Island, the US nuclear industry created INPO—the Institute of Nuclear Power Operations. This was a private, industry-funded organization whose sole mission was to promote nuclear safety through peer review, performance benchmarking, and information sharing among operators.
Here's the key detail: American insurance companies announced they would not insure nuclear plants that were not INPO members. This turned a voluntary industry association into a de facto mandatory requirement. If you wanted insurance—and you needed it to operate legally—you joined INPO and submitted to its standards.
INPO then globalised. The World Association of Nuclear Operators (WANO) was created, mirroring INPO's model but at the international level. Every major nuclear operator in the world eventually joined because—via insurance companies and bilateral agreements—membership became practically mandatory.
WANO's stated mission was benign: maximize nuclear safety through peer review, performance analysis, technical support, and information sharing. Operators would voluntarily submit to peer review visits where teams of international experts would assess their facilities against "nuclear industry standards of excellence."
But look at who sets those standards of excellence. Look at who conducts the reviews. Look at which nations' operators are best positioned to pass them.
American and Western European operators, with decades of experience and expensive safety cultures, naturally excelled at WANO benchmarking. Operators from less wealthy nations, lacking capital for redundant safety systems and experienced staff, struggled. This created a hierarchical structure where "safety best practice" was defined by the already-dominant operators, and compliance meant adopting their practices—which often meant buying their equipment, their fuel, their services.
Safety, in other words, became a mechanism for maintaining market dominance.
The Safeguard Regime: Nonproliferation as Economic Control
The safeguard regime was even more explicit about using institutional frameworks as tools of control.
The IAEA's Safeguard Division had legal authority—the only part of the agency with real teeth. It could inspect facilities in signatory nations, verify material accountancy, and report noncompliance to the UN Security Council, which could then impose sanctions. This was genuine enforcement power.
But it was asymmetrical. The IAEA could inspect civilian nuclear facilities in countries that signed the Nuclear Non-Proliferation Treaty (NPT). But countries outside the NPT—like Israel, India, and Pakistan—operated entirely outside the inspection regime. And countries that signed bilateral agreements with the US got inspected by American inspectors, which meant American firms got detailed intelligence on competitors' operations.
The safeguard regime was therefore not neutral regulation—it was a tool for:
- Tracking competitors' nuclear capabilities
- Preventing non-aligned nations from developing nuclear weapons
- Enforcing bilateral agreements that favored US interests
- Creating transparency requirements that disadvantaged closed systems while privileging open, commercialized ones
A nation could only safely develop civilian nuclear capacity if it was willing to accept this inspection regime. The moment a nation wanted to develop weapons, or wanted to remain outside American oversight, it had to exit the NPT framework—which came with massive economic costs (sanctions, isolation) and technical obstacles (lack of access to international fuel markets).
This was brilliant statecraft. It created an institutional structure that appeared to be about global safety and nonproliferation, but was actually about locking nations into dependence on US-controlled fuel supply chains and accepting American intelligence-gathering in their nuclear facilities.
The Contradiction at the Heart
Here's where the system broke down, and where the lessons for cyber become clear:
The IAEA was supposed to be both a promoter of nuclear energy AND an enforcer of nonproliferation. It had to encourage nations to adopt peaceful nuclear power (to build the market for reactor exports) while simultaneously preventing them from developing weapons capabilities (to maintain the US strategic advantage).
These missions are fundamentally in tension. If you're successfully preventing weapons development, you're restricting what nations can do with nuclear technology—which discourages adoption. If you're aggressively promoting nuclear power, you're spreading the technologies and expertise that could enable weapons programs.
The IAEA dealt with this contradiction by being somewhat ineffective at both. It recommended safety standards that nations often ignored. It was sluggish in detecting weapons programs—Iraq's clandestine nuclear efforts went undetected for years. After Chernobyl, the agency was criticized for "sluggish and sometimes confused" responses. After Fukushima, despite Chernobyl's lessons, another major accident occurred in a nation that had signed all the treaties and supposedly accepted all the standards.
The institutional framework failed partly because it was overextended—trying to do too many contradictory things. But it also failed because the real control mechanism wasn't the institutional framework. It was economic dependence.
The Hidden Regulator: Insurance and Capital
The most effective regulator of the nuclear industry wasn't the IAEA or the NRC. It was the private insurance industry.
In the 1950s, private insurers were willing to cover nuclear plants only to a maximum of $60 million per accident. The AEC's own studies suggested that a major reactor accident could kill 45,000 people and cause $17 billion in property damage. The gap between available insurance and actual risk was catastrophic.
Congress solved this with the Price-Anderson Act: the government would cover costs beyond what private insurance would. This made it economically feasible to build reactors.
But then something clever happened. Insurance companies, now embedded in the financial structure of nuclear power, began requiring membership in safety organizations like INPO as a condition of coverage. Insurance became the enforcement mechanism. No insurance, no operation. Simple as that.
The Brussels Convention created a similar mechanism internationally: all signatory nations had to contribute to a compensation fund in case of nuclear accident. This made each nation a guarantor of every other nation's nuclear safety. Suddenly, every nation had an incentive to ensure every other nation's reactors were safe, because an accident anywhere imposed costs everywhere.
This created what the regulations called a "community of fate"—everyone was bound together by mutual risk. The institutional framework wasn't what created compliance; mutual exposure to financial catastrophe was.
What This Means for Cyber
The parallels are uncomfortable.
The cybersecurity industry is trying to create institutional frameworks—information-sharing consortia, standards bodies, international agreements on norms—without the underlying economic mechanisms that would make them stick.
No insurance company is refusing to cover firms that don't meet cyber standards because the standards are still poorly defined and the risk models are immature. No government is threatening massive financial penalties for noncompliance. No binding economic interdependence creates mutual interest in everyone's security.
Without those mechanisms, institutions become talking shops. They generate standards that sophisticated actors can ignore. They create the appearance of governance without the reality of enforcement.
More critically, if cyber institutions do eventually acquire enforcement mechanisms, they risk reproducing the same contradictions that plagued nuclear regulation:
- Promotion vs. Restriction: Do we want to spread advanced cyber capabilities globally (to build markets and influence) or restrict them (to maintain strategic advantage)? We can't do both. Yet cyber institutions try to.
- Safety vs. Safeguard: Do we focus on defending critical infrastructure from accidental harm and criminal activity, or on preventing state actors from developing offensive capabilities? These require different institutional approaches, and they're in tension.
- Transparency vs. Competitiveness: Requiring transparency in security practices exposes proprietary methods and creates inequality between firms that can afford secure development practices and those that can't. Yet security through obscurity is a false solution.
- Sovereignty vs. Oversight: Permitting international inspection of cyber capabilities (to verify nonproliferation) requires surrendering sovereignty over information systems in ways nations aren't willing to accept.
Nuclear regulation "solved" these contradictions by creating an institutional appearance of neutrality while allowing underlying power relationships to do the actual work. The IAEA looked independent, but bilateral agreements and economic dependence on US-controlled fuel ensured de facto American influence.
Cyber regulation is trying to create the institutions without acknowledging the power dynamics underneath. It's publishing standards without enforcement mechanisms. Creating information-sharing frameworks while protecting proprietary interests. Calling for "norms" without defining what breaching them costs.
The Lesson: Institutions Don't Regulate—Power Does
The deepest lesson from nuclear regulation is this: institutions don't actually regulate anything. They provide the appearance of regulation while power relationships do the actual work.
The IAEA didn't prevent nonproliferation through the brilliance of its inspection regime. It did so because nations that wanted nuclear power for electricity couldn't get it without joining the NPT and accepting inspections. The choice was between accepting American oversight or going without power—a choice most nations made.
WANO didn't create global nuclear safety norms through peer pressure. It did so because insurance companies wouldn't cover your plant if you didn't join, and because bilateral agreements with major fuel suppliers required WANO membership.
The NRC didn't protect public safety through regulatory authority alone. It did so because insurance companies, state regulations, and capital markets enforced the standards in ways the NRC itself couldn't.
The cybersecurity industry is trying to create IAEA-like institutions without understanding that the IAEA's effectiveness (such as it is) came not from institutional authority but from the economic structures underneath. Building the framework without building the enforcement mechanisms that make it stick is cargo-cult governance.
The second part of the problem is that cybersecurity differs from nuclear power in ways that make the nuclear model impossible to replicate. Nuclear power requires massive capital investment, physical infrastructure, and concentrated resources that can be controlled. Cyber capabilities require only talent, computers, and connectivity—all of which can hide, replicate, and spread globally in hours.
You cannot create a "community of fate" in cyber the way the Brussels Convention created it in nuclear, because cyber attacks are invisible until they happen, their attribution is uncertain, and their diffuse nature means most organizations aren't even aware they've been compromised until months or years after the fact.
The next article will explore what institutional model could actually work for cyber—and why it looks nothing like nuclear regulation, despite the surface similarities.
For now, the key takeaway: institutions are only as effective as the power structures that enforce them. The moment you remove the underlying enforcement mechanism, compliance collapses. And cyber's power structures are fundamentally different from nuclear's in ways that require rethinking governance from first principles.
Member discussion