________________________________________________________
The Nature of Y2K Dangers For Nuclear Arsenals
There is a real danger of Y2K errors compromising nuclear safety, but
this danger is not in the weapons themselves. Nuclear ballistic
missile delivery vehicles and warheads will not spontaneously launch
or explode due to Y2K malfunctions. For all countries with nuclear
arsenals, human beings in the command chain must be given high-level
authorization to transmit launch instructions to the personnel in the
missile silos or strategic submarines, and the launch officers must
then enter the required instructions and physically turn manual launch
keys. For instance, in the United States, carefully engineered
"Permissive Action Links" (PALS) ensure that the turning of launch
keys will be useless unless the proper command code of six digits is
entered. Because this process is not automated at the lowest
levels of operations, it is impossible for Y2K errors to cause a
missile strike without both human knowledge and human agency being
involved in the launch sequence.
The threat of Y2K-induced nuclear war is instead found in two areas
connected to daily nuclear operations:
*Command and Control (C2) systems, such as command center television
displays, threat databases, and telecommunications systems between
command posts that depend on automated routers and switches.
*Early warning information systems, including not only the satellites
and radars for detecting enemy launch but also thousands of software
modules and millions of lines of programming code for the filtering
and correlating of data. The ability of the US to detect missile
launches and track through time the flight and delivery of warheads is
based upon a highly interdependent conglomeration of radar arrays,
satellites, communications networks, and data processing stations.
"Command Connectivity" is a general term used to describe the
idealized function of communications in nuclear operations, namely,
ensuring predictable centralized control by top officials.
Communications patterns can be divided into three rough categories:
*Messages among the nuclear command posts NORAD, STRATCOM, and NMCC;
*Messages between command posts and the human crews monitoring the
satellite sensor receiving stations or the far-flung ground-based
radar arrays (i.e., between commanders and the sources of early
warning data); and,
*Messages between command posts and deployed forces (i.e., ICBM launch
centers or Trident I-II nuclear submarine crews).
A breakdown in the first two types of communication would make
verification of attack exceedingly difficult for commanders, and
therefore could be highly destabilizing.
Information provided to warfighters throughout the process must be
timely, accurate, and unambiguous. Furthermore, the nuclear C4I
system-of-systems must be highly reliable in order to minimize
unscheduled downtime. Finally, because command decisions based on
erroneous data or bad communications could destroy the entire earth,
the stakes for the C4I system are as high as they could possibly be.
The Status of US Y2K Remediation Efforts
When BASIC originally reported on US Department of Defense (DoD)
remediation efforts in November 1998, there were severe problems
across the entire program. Since then, upper management of the Y2K
process has improved dramatically. The list of "mission critical
systems" needing assessment and repairs has finally stabilized for all
agencies and services, and contingency plans are being created for
each of these systems in the event of Y2K failures.
For nuclear operations, the "thin line" of mission critical systems
has been renovated and the Pentagon is completing the testing or
"validation" stage through "sensor to shooter" nuclear alert
simulations involving NORAD, Strategic Command, and Space Command. Two
simulations in December 1998 and February 1999 involved at least 30
separate attack scenarios for each of five critical Y2K-related dates,
incorporating both single ICBM launches and an all-out first strike by
the opponent. No "hard failures" were reported for the mission of
"Integrated Tactical Warning and Attack Assessment (ITW/AA)." In
addition, private telecommunications services for nuclear operations
have been certified by vendors such as AT&T, and basic infrastructure
such as electrical power, climate control, and internal
security systems are being certified for all military bases.
However, reports on nuclear operations remain ambiguous from the
standpoint of effective Presidential oversight, largely because of
narrowly-defined reporting standards instituted by the Office of
Management and Budget. Major systems integral to nuclear operations
are not systematically identified and grouped by their contributions
to military missions. To aid the oversight process, the General
Accounting Office (GAO) formally initiated an audit in April 1999 for
nuclear operations, with a final report expected sometime in fall
1999.
Potential gaps and ambiguities remain for US operations. Two major
ground-based radar systems experienced problems with Y2K software
patches and had to return to the renovation stage, while the status of
a space-based system for identifying nuclear detonations remains
uncertain.
Also, several major communications software and hardware systems that
provide command connections to Trident Strategic Nuclear Submarines
(SSBNs) did not meet the March 1999 deadline for validation, and it is
not clear that systems behind schedule have since passed the
renovation phase. Finally, there are continuing lags in repairing and
testing DoD-owned telecommunications networks that might be involved
in nuclear operations, including the widely used Defense Switched
Network.
To summarize, the "big picture" for US nuclear operations is generally
quite positive, despite an extremely rocky start. However, ambiguities
in the status of specific nuclear C4I systems remain for the Air
Force, Navy, and DoD. Also, the US arsenal is only one side of the
bilateral nuclear picture, and the situation in Russia is not nearly
as comforting.
Trident Strategic Nuclear Submarines (SSBNs)
With the possible exception of its communications systems, the US Navy
Trident submarine fleet is beyond the renovation stage of the Y2K
process and has already undergone integrated "pierside" systems tests.
Nuclear Trident communications are the most complex and
logistically-involved of all US nuclear systems, simply because they
spend most of their patrols under water and do not stay fixed in any
one location. Although this makes SSBNs nearly invulnerable to
preemptive surprise attack, it also makes command and control of
deployed forces extremely difficult. To communicate from both the
ocean surface and deep underwater, Trident SSBNs have onboard
receivers and transmitters for several major categories of the
frequency spectrum (with categories being based on the qualities of
the wavelength being used). In turn, each pair of shipboard receivers
and transmitters for these frequency categories have corresponding
facilities on shore, on aircraft, or on satellites for the
relaying of messages to and from command headquarters to submarines.
If
Trident operations are to remain safe and secure, all hardware and
software in these global communications pathways must be made Y2K
compliant.
Taken together, evidence raises some concerns about the reliability
and integrity of Trident communications in a Y2K environment. Were the
systems in fact successfully remediated as planned, or have they gone
back into the "repair" stage? If one or more systems have missed
their expected April, June, and July 1999 dates, is it realistic to
expect that both the ashore and sea components will be repaired in
time for integrated testing and operational evaluations? Will they be
ready for fielding by the December 31, 1999 deadline? What might be
the effects on operations if one or more such ashore sites and/or
submarine terminals and processors were to be affected by Y2K
glitches? What contingency plans are in place for these
embedded subsystems?
DoD Telecommunications Networks and Nuclear Operations
Another potential vulnerability is the dependence of the DoD
(including STRATCOM and NORAD) on privately-supplied phone lines,
ground cables, and telecommunications switching centers. Rather than
building an entire network from the ground up, it has been much more
economical for the DoD to connect to the vast national telephone
system, leasing some lines permanently where necessary, and sometimes
building its own switches to interconnect military users. One expert
on nuclear communications described the system's setup as follows:
"The phone system is... organized as a switched network, with each
subscriber having direct connection only to a local switching center,
or exchange. There the wire pair from the subscriber [caller] can be
connected to wire pairs leading to other local subscribers or to a
wideband cable connecting the exchange to another exchange. Local
exchanges are again not all directly connected; they interconnect
through regional switches, which in turn interconnect through yet more
centralized switching facilities. This hierarchy continues through
five layers in the US phone system."
Accidents have at times been prevalent in AT&T or Bell switching nodes
without Y2K problems, and the chance of future difficulties may
increase with the change of century. Adding to this complexity is the
nature of the repair effort.
That said, the commercial portion of DoD communications had been
certified Y2K compliant for most vendors by May 1999. However, the
outlook is not quite as sanguine for DoD internal or "dedicated"
military lines. The limited number of qualified engineers and reliance
on one main vendor puts strict limits on the rate of repair, a fact
that led the DoD IG to conclude that "DoD telecommunications
capabilities may become unstable, unpredictable, and the cumulative
impact of non-Y2K compliant operational occurrences could result in
system failure."
The Status of Russian Y2K Remediation Efforts
Russia is much further behind in its Y2K program. It has assessed all
of its systems and has declared that 74 of its 134 early warning
facilities are vulnerable to Y2K errors. Current funds may not be
sufficient to cover all costs for rewriting software and buying new
components, and Russia may be unable to complete testing of all
relevant interfaces between systems by the December 31, 1999 deadline.
The US constructed a facility outside of Cheyenne Mountain, Colorado,
for sharing US early warning satellite data with Russia, but Russia
canceled policy cooperation during the Kosovo war.
This cooperation was renewed in mid-September,1999, when Russian
authorities gave the go ahead for their personnel to return to the
project and and has yet to renew high-level contacts to complete the
necessary communications lines to Russian command posts.
Despite the late start, Major-General Vladimir Dvorkin (head of the
Ministry responsible for nuclear operations) assured reporters in
early March 1999 that all necessary testing and validation of Y2K
repairs would be done throughout October 1999. Both Dvorkin and
Major-General Valery Khalansky of the Russian General Staff maintained
that "the calendar date does not exist" in the control and launch
authorization process for weapons. According to Khalansky, "Nuclear
weapons control systems are at the required level of reliability... We
have not so far found any fatal mistakes in the systems responsible
for nuclear weapons storage, nor in the systems controlling them."
Similarly, First Deputy Defense Minister Nikolay
Mikhaylov has declared that "these automated systems have no calendar
dates, as the countdown of time begins from the moment of a command
for some operations." Furthermore, he stated that "in Russia the
missile command systems are real-time systems. We have no Y2K problem
in the on-board missile equipment, at launching sites, or at command
centers."
Despite these assurances, Dvorkin and Khalansky also mentioned during
the same March press confer
-- Jean Wasp (jean@sonic.net), December 01, 1999