BASIC RESEARCH REPORT

The Bug in the Bomb:

The Impact of the Year 2000 Problem on
Nuclear Weapons

(Part 4)


Conclusion

Based on present knowledge, the potential effects of the Year 2000 computer date change on specific nuclear weapons systems are highly uncertain and almost entirely unpredictable. Both the status and the names of particular US mission-critical systems remain highly classified. In general, as the year 2000 approaches, US officials are less willing to specify those high-risk areas in danger of complete or partial failure.107

One example of this penchant for secrecy is the results of a recent interview with Robert Martin, a top computer specialist and managerial focal point for Y2K issues at MITRE Corporation, a government-funded research and development center that has been working for several years on C3I systems at NORAD and other DoD programs.108 Although sympathetic to the responsibility of private contractors and DoD officials for informing the public on this issue, Martin argued that releasing information on the continuing weaknesses of several sensitive systems would jeopardize US security, especially as the year 2000 approaches. As with other knowledgeable contacts in the Navy, Air Force, Defense Information Systems Agency, and private firms, Martin suggested pursuing the question through the Y2K representatives at higher managerial levels, primarily the OASD (C3I) or the functional groups based at STRATCOM. For their part, STRATCOM officials directed inquiries to Curtis at the OASD (C3I). Although Curtis and his assistants are the final coordinators and administrative enforcers for DoD remediation programs, they do not have or are unwilling to make public "sensitive" details on a consistent basis, even if the information is not classified. Similarly, China, France, Russia and the UK have not made Y2K data public, if it is available at all.

In regard to the status of Russia’s systems, former satellite control technician Sergey Fradkov has said that someone would have to be privy to officials or manuals at the point of production in order to find more concrete and irrefutable evidence on the vulnerability of individual C3I components to Y2K-related problems. According to Fradkov, Russian nuclear communication and intelligence networks are based on "wired logic systems" in the form of enclosed "modules," most or all of which are manufactured and tightly sealed within the same electronics plant. It is these components that send, receive, and decode information on telemetry (for Russian forces) or data from surveillance of US forces, and which could be the weak link between satellites in space and command installations on the ground. More specifically, these modules contain a more primitive forerunner of the embedded chips and ‘firmware’ found in US systems. Therefore, the logic components may be in danger of Y2K failure. According to Fradkov, if these potential vulnerabilities do in fact exist, they would be "much harder to fix" than many components that perform the same sorts of tasks in US systems.109

However, no Russian C3I personnel are allowed to pry open the modules for inspection; all work is done at the source, which is probably the same production facility used during the Soviet period.110 Upon production of replacement modules (or repair of old ones), the final product is sent out as a sealed unit to the multiple receiving stations or "radio control centers" spread across Russia.111 Thus, there is no practical method for producing a final conclusion on the Y2K "compliance" of Russian communications modules. Finally, the radio receiving centers are just one part of the overall network; there are also the satellites themselves and the central computer networks at Impulse and other service-level command installations in Russia.112

The question remains: just what are the potential "Y2K outcomes" in respect to nuclear systems? One can identify three general categories of hypothetical scenarios.

First, the consequences of the century date change might be minor in both depth and breadth. Problems would not occur for most systems, and those that are affected would experience only partial failures that could be easily repaired within hours or days. Repairs would be largely successful and costs would be uniformly low.

Second, the problem could be pervasive, but with fairly minor effects in most cases. In this situation, Y2K would be a widespread "nuisance" that slows down or impedes normal operations for a few days, but the glitches would be resolved fairly quickly as trained personnel enact contingency plans and complete emergency ‘interventions’ for systems needing repair.113 Also, repairs initiated well in advance of the date change would be successful and relatively low in cost, with financial outlays being met largely within existing budgetary allocations. Both of these first two scenarios fit the predictions of Y2K ‘optimists.’

Third, Y2K might affect only a limited number of systems, but with decisive impacts on their performance in terms of both operational safety and their ability to meet the stringent requirements of the Single Integrated Operational Plan (SIOP). In this environment, system overseers would be wise to discontinue operations outright, or to formulate major contingency plans that completely bypass the affected systems for an unspecified period of time. Y2K fixes for such cases would have to be initiated early on to allow testing and verification of post-2000 (inter)operability. The costs of crash programs for identifying, repairing, and testing prior to the century date change could be high, possibly climbing into the multi-billion dollar category. Attempts to meet existing national security objectives, as outlined in the target coverage and damage-expectancy criteria of the SIOP, might lead to disaster if Y2K problems were to cause partial or total failures in just a few crucial systems.

What system failures might occur under the third scenario, and with what effects? Fortunately, the worst-case or "doomsday" example of an accidental nuclear detonation is exceedingly small. As a private 1995 study summarized,

. . . preventing an accidental nuclear explosion consists in ensuring that impacts, fires, explosion, and any other causes not covered by the electrical safety system cannot set off any weapon’s high explosive in such a way that any significant nuclear yield results. Recognition of this danger led to the adoption of the so-called "one-point-safety" standard in 1968. This quantitative standard requires all weapons in the stockpile to be "one-point safe," which is defined as achieved if the probability of a nuclear explosion with a yield of four pounds TNT-equivalent or greater from detonation of the [high explosives] at any single point is less than one in a million in an accident. And this safety performance must be intrinsic to the design, i.e. it must obtain in the absence of any mechanical safing device.114

However, these achievements do not rule out other nuclear accidents involving weapons systems. For instance, according to the 1990 Report of the Panel on Nuclear Weapons Safety (commonly referred to as the "Drell Report" after its chairman, Dr. Sidney Drell), the combustibility of third stage solid fuel for Trident II missiles leaves open the possibility of an indirect nuclear accident short of warhead explosion on US submarines. If Y2K-related failures lead to a non-nuclear, propellant-based fire on Trident II missiles, warhead safety could be threatened. Such an event might lead to the detonation of the conventional high explosives (HE) in W76 and W88 warheads and the dispersal of highly radioactive fissile material over a large area. Even in those cases where the HE did not detonate, the plutonium could still burn along with the solid fuel propellant, again causing dispersal of radioactive materials. As one report illustrated in 1995:

Can the possibility of nuclear weapons accidents in which plutonium is dispersed be eliminated? The answer, of course, is no. Even with . . . fire-resistant pits (FRPs, which have a refractory shell surrounding the plutonium), and with speculative "super-safe" designs in which the fissile material is somehow kept separate from the HE . . . until the arming sequence—there will always be a finite chance of plutonium dispersal in the event of a fire or other accident. And this finite chance will continue to be much greater than the one-in-a-million standard adopted for electrical isolation and for one-point safety [that is, fire and HE explosion is much more likely to happen than accidental nuclear explosions through uncontrolled electrical pulses and failure of Permissive Action Links (PALs)].115

In these situations, a Y2K catastrophe would not be in the form of an unauthorized launch or warhead explosion, but rather in the form of environmental systems failure and a nuclear accident. Similarly, there is an extremely small but not inconceivable chance that fires and warhead conventional HE detonations could occur for MM III ICBMs and their W78 warheads.116

More recent testimony by Dr. Drell provides evidence that the small probability of propellant fires and plutonium dispersal has been further reduced.117 For example, operational changes were introduced to make accidents less likely, including loading Trident missiles on submarines before installing their warheads. However, these studies and operational changes were made without consideration of Y2K-induced system failures. Most statements about quantitative probabilities assume that propellant-based fires are exceedingly rare events, which in turn makes HE explosion and the burning of plutonium extremely rare events. However, it is not clear that propellant fires are "rare" if fuel and propulsion support systems on the launch platform fail. How likely such failures are in the event of Y2K computing problems is unknown. To be truly representative of Year 2000 conditions, a cross-service study needs to be initiated that directly addresses the following four questions:

1. Could Year 2000 computing failures in maintenance and support systems cause a propellant fire in missiles?

2. If the answer to the above is yes, what is the probability of a Y2K-induced propellant fire?

3. Once a fire has broken out, what is the probability that the HE in the warhead primaries will explode or burn?

4. Given the explosion or burning of HE, what is the likelihood of significant plutonium dispersal?

To date, the Drell Report and other follow-on studies have answered only the last two questions. The general conclusion is that accidental plutonium dispersal is much more probable than originally thought by warhead systems designers once a fire has occurred. However, existing studies do not address the first two questions, which raises doubts as to the continuing validity of DoE and DoD assessments that nuclear accidents of this kind are so unlikely that they are not a serious hazard.

In contrast to warheads, no fail-safe design specifications have been explicitly adopted to cope with the safety implications of C3I accidents. Instead, the US has guarded against human and technical errors by requiring multiple sources of verification for a suspected nuclear attack, and by making communications systems highly redundant.118

Nonetheless, the breakdown of even a few components in the C3I network could cause partial early warning blackouts that would severely truncate the decision times available for political leaders and military officials. For instance, the failure of some or all of the ground receivers and data processing stations for the Defense Support Program (DSP) satellites could cause an inability to detect missile launch at the source. If that happened, the first signals of an attack might be provided by ground-based radar networks such as BMEWS and PAVE PAWS.119 This could reduce warning time by five to ten minutes, or one-sixth to one-third of the roughly 30-minute flight time for Russian ICBMs. To give leaders at least 10-15 minutes to consider and disseminate launch orders, all data retrieval, processing, analysis, and interpretation are supposed to be concluded by NORAD in the first ten minutes of an incoming nuclear strike.120 A delay of any kind could have enormous implications.

Conversely, the DSP network may function while one or more of the ground arrays "black out." In this latter case, military officials would be forced to make a judgement as to the "true" nature of Russian launch activities based on evidence from fewer surveillance systems, seriously compromising safety protocols that require verification from multiple independent sources. The danger in this instance would be human errors in judgement brought on by insufficient data.121 Finally, foreign systems (such as those in Russia or China) might partially fail while the US continues to field a viable arsenal. This could increase fears and instability as leaders of countries with Y2K problems become suspicious of US military activities.

The preceding descriptions are not the most likely outcomes of serious Y2K-related problems. They are merely indicative of the types and serious nature of problems that could result from unpredictable Y2K failures. The most dangerous factor in the entire Millennium Bug scenario is that no one knows what, how, or even when, systems might fail.

Which of the three scenarios is most likely? Although it is not possible to reach a definitive conclusion on the status of individual nuclear systems, available information on the DoD’s overall remediation activities does not support the first two ‘optimistic’ scenarios for Y2K outcomes. The evidence clearly shows that Y2K-induced failures are likely to be pervasive, complex, and difficult to repair. Given the highly interconnected nature of many systems under the purview of STRATCOM, it is unlikely that experts inside or outside the DoD can claim with any degree of certainty that repairs have succeeded. Also, given the pervasiveness of embedded subsystems in the form of microchips and microprocessors, it is even difficult to say with any authority that all problem areas have been properly identified, much less repaired. The only method for attaining this type of knowledge is through comprehensive, integrated, "mission level" testing and verification programs for completed repair work, done well in advance of the Year 2000 in case difficulties occur that need further renovation.

More importantly, if nuclear weapons are to remain on high alert status, ready to be launched at a moment’s notice, then the United States and all other nuclear powers must have extremely high confidence in their ability to identify, assess, repair, and test all C3I systems for Y2K bugs before the turn of the century. Otherwise, there remains the possibility that crucial systems will either fail to function or will function improperly. Either case could lead to communications logjams, a broken chain of command, suspect early-warning data, or shortened decision times. Furthermore, if SLBMs and ICBMs are to be kept in a ready-to-launch operational mode, STRATCOM must be very confident that all Y2K bugs have been identified and repaired for all weapons support systems, especially those relating to the solid fuel propellant for the rocket propulsion systems.

The state of the overall Y2K remediation program in the Pentagon does not indicate that the DoD can execute the highly organized and demanding approach of ensuring full compliance for all mission-critical systems. According to a Congressional staff person closely monitoring Y2K programs, "The ongoing response to the Y2K bug is symptomatic of catastrophic mismanagement throughout the DoD."122 Reports from agencies inside and outside the DoD have uncovered severe and recurring problems across the entire spectrum, including ill-defined concepts and operating procedures, ad-hoc funding and imprecise estimates for final costs, lax management, inadequate standards for declaring systems "Y2K compliant," insufficient contingency planning in case of Y2K-related failures, a lack of planning for future tests of "renovated" systems, and poor inter-departmental communications. Despite some recent improvements in the program (see "The Current State of Y2K Programs Inside the Pentagon" on p. 20), these general problems remain.

As one example, the concept of "fixing" a system for Y2K bugs has been ill-defined from the beginning. Until summer 1998, there was no consistent central guidance on the procedures and definitions involved in declaring a system "renovated" or "compliant." While there has been an increased use of centrally approved "checklists" for making more valid decisions on the repair status of systems, there still exists little system-level oversight from the OSD itself or from external agencies. Instead, rules and proclamations intended to improve identification of Y2K "fixes" have been sent down en masse from the Office of the Assistant Secretary of Defense (C3I), with little follow-up on whether the repair efforts are following these mandates.

This state of affairs has been exacerbated by a lack of Congressional attention to defense matters and Y2K. The majority of Y2K committee hearings and bills have been driven by non-defense-related domestic industries and sectors such as finance, banking, and energy. The dearth of external oversight of Y2K and defense systems extends to Congressional support agencies as well. As one example, the General Accounting Office has thus far reported only on general DoD procedures and management, rather than on specific nuclear systems. Future GAO reports will follow the same pattern, with the result that external monitoring is at least one step removed from the actual status of key systems. The earliest that GAO will consider the results of individual systems projects is when the DoD completes all "verification" activities by mid-1999. This leaves little time for alternative solutions of any kind if a serious malfunction is predicted or even possible for some components of the nuclear arsenal.

In order for the DoD to have real confidence in its remediation program, it will have to undertake fully integrated tests of Y2K repairs for all affected systems. Exactly how does the DoD plan to test the entire interlocking web of C3I systems and facilities, let alone nuclear weapons? Is there a feasible method, from a systems engineering standpoint, for simultaneously testing interfaces between satellites, radars, receivers, communications lines, and ground processing computer systems? For instance, on a mission-level basis, conventional systems will primarily be tested in the massive, battlefield-level wargames already scheduled for early- to mid-1999. Do similar simulations exist for nuclear systems, or could they be constructed on short notice? The answer is not clear. The General Accounting Office is just starting its next wave of reports on Pentagon testing procedures. It might be early 1999 before anyone outside STRATCOM will know. By then, it might be too late for serious Congressional action.

Furthermore, in February 1998, six high-level civilian managers from the OASD (C3I), the branch of the OSD responsible for monitoring and guiding Y2K remediation efforts, left almost simultaneously. This exodus included many experts on Information Technology (IT) systems, leaving the program without effective leadership for several months. It is still not clear that recent organizational restructuring and new civilian appointments have adequately addressed the need for rational and consistent central management.

Even less information is available about Russian Y2K problems. Some steps have already been taken to reduce the dangers developing from the Y2K bug, focusing especially on the problems arising from maintaining high levels of alert status for nuclear weapons systems. In 1994, President Clinton and President Yeltsin reached an agreement on "de-targeting" their nuclear forces. Unfortunately, both countries can reset targeting data in seconds, and Russian missiles are designed to revert to their original target should a launch occur, even accidentally. On 1 September 1998, the two Presidents agreed on a more significant step. The countries will provide each other with advance notice of missile launches and furnish each other with early warning information on the detection of missile launches. Exact details on how this will be accomplished are still being worked out, but both sides expect this effort to reduce the dangers of a Russian early warning system collapse at the millennium. However, there is no guarantee that the US system will not face a similar fate.

Even further, for both Russia and the United States, it is unclear when problems will occur. Top US military leaders, such as Deputy Secretary Hamre, speak as if the only problem dates are 31 December 1999 and 1 January 2000. However, some US systems will experience "rollover" problems months before the century date change because of the nature of their internal clocks, and Russian systems are likely to face similar problems. If the necessary deadline is uncertain, potentially occurring months before 1 January 2000, it is questionable whether there is enough time to implement the early warning exchanges.
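The early-rollover point above, illustrated with an added example that is not from the report and describes no real system: a constructed maintenance scheduler that stores two-digit years. The moment its look-ahead computation first crosses 1 January 2000, months before the date change, the legacy "1900 + yy" interpretation produces a wildly wrong interval, while the remediated interpretation (a 100-year window pivoting at 50, an assumption chosen for this example) does not.

```c
#include <stdio.h>

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm). */
static long days_from_civil(int y, int m, int d)
{
    y -= (m <= 2);
    long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153u * (unsigned)(m + (m > 2 ? -3 : 9)) + 2) / 5 + (unsigned)d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (long)doe - 719468;
}

/* Inverse of days_from_civil: day count back to year, month, day. */
static void civil_from_days(long z, int *y, int *m, int *d)
{
    z += 719468;
    long era = (z >= 0 ? z : z - 146096) / 146097;
    unsigned doe = (unsigned)(z - era * 146097);
    unsigned yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    unsigned doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    unsigned mp = (5 * doy + 2) / 153;
    *d = (int)(doy - (153 * mp + 2) / 5 + 1);
    *m = (int)(mp < 10 ? mp + 3 : mp - 9);
    *y = (int)yoe + (int)era * 400 + (*m <= 2);
}

/* Date as stored by the constructed legacy scheduler: a two-digit year. */
typedef struct { int yy, mm, dd; } DateYY;

DateYY make_date_yy(int yy, int mm, int dd)
{
    DateYY t = { yy, mm, dd };
    return t;
}

/* Legacy interpretation: every stored year is assumed to lie in the 1900s. */
static int year_legacy(int yy) { return 1900 + yy; }

/* Remediated interpretation: sliding 100-year window, pivot 50 (assumption). */
static int year_windowed(int yy) { return yy < 50 ? 2000 + yy : 1900 + yy; }

long days_until_due_legacy(DateYY today, DateYY due)
{
    return days_from_civil(year_legacy(due.yy), due.mm, due.dd)
         - days_from_civil(year_legacy(today.yy), today.mm, today.dd);
}

long days_until_due_windowed(DateYY today, DateYY due)
{
    return days_from_civil(year_windowed(due.yy), due.mm, due.dd)
         - days_from_civil(year_windowed(today.yy), today.mm, today.dd);
}

/* Schedule the next check lookahead_days ahead of today, store the due date
   the way the legacy scheduler does (year truncated to two digits), then read
   it back with the legacy arithmetic. Returns 1 when the recovered interval no
   longer matches the one just scheduled: the rollover bug has fired already,
   on a date well before 1 January 2000. */
int legacy_misfires_on(DateYY today, int lookahead_days)
{
    long t = days_from_civil(year_windowed(today.yy), today.mm, today.dd);
    int y, m, d;
    civil_from_days(t + lookahead_days, &y, &m, &d);
    DateYY due = make_date_yy(y % 100, m, d);   /* truncation: the Y2K defect */
    return days_until_due_legacy(today, due) != lookahead_days;
}

int main(void)
{
    DateYY today = make_date_yy(99, 7, 1);   /* 1 July 1999 (constructed) */
    DateYY due   = make_date_yy(0, 1, 1);    /* 1 January 2000, stored as "00" */
    printf("legacy interval:   %ld days\n", days_until_due_legacy(today, due));
    printf("windowed interval: %ld days\n", days_until_due_windowed(today, due));
    printf("184-day lookahead misfires on 30 Jun 1999: %d\n",
           legacy_misfires_on(make_date_yy(99, 6, 30), 184));
    printf("184-day lookahead misfires on  1 Jul 1999: %d\n",
           legacy_misfires_on(today, 184));
    return 0;
}
```

A scheduler with a six-month look-ahead therefore fails from July 1999 onward, not on the century date change, which is the sense in which an internal-clock rollover can arrive months early.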

For all of these reasons, leaders should take a "safety first" approach to Y2K and nuclear arsenals. Such an approach would have several characteristics currently lacking in the Pentagon’s program. First and foremost, a safety-first approach would recognize that the ramifications of Y2K-related failures extend into the arms control debate and the purview of central foreign policy leaders. So far, the "contingency planning" of the DoD has been based entirely on force readiness, that is, the ability of the US arsenal to meet its pre-designated mission objectives as outlined in Presidential directives, Joint Staff planning documents, and the longstanding targeting and damage requirements of the SIOP. However, the "mission" of the US deterrent has undergone important de facto changes, especially given the steady erosion of Russian nuclear C3I and the potential for Y2K failures in both countries. Although not enunciated consistently by STRATCOM and other nuclear planning bodies, a key objective must be to avoid accidental or mistaken launch of nuclear weapons.

Senator Tom Daschle and others have expressed concern that current military policies and programs do not address this critical dimension of post-Cold War security. These worries have led to a recent research request for the Congressional Budget Office (CBO) to look into US options for bolstering the stability of Russian nuclear operations.123 However, while the CBO is framing its studies entirely in terms of continuing Russian difficulties, the Millennium Bug has now opened up the possibility that both sides will experience faulty or blocked communications, erroneous early-warning readings, blacked-out computer screens, and failed weapons support systems.

The policy alternatives and prescriptions currently on the scene do not deal with this bilateral problem. Many officials and policy pundits almost blithely assume that the US arsenal will be up and running, and international policy recommendations are being geared towards transmitting money, personnel, and proven C3I technologies to Russia so that both powers can keep their existing nuclear strategies, targeting doctrines, and weapons deployments.

There are not sufficient grounds to support such optimism. A rational policy debate would take into account the uncertainties inherent in the Y2K computer problem rather than assuming that all US nuclear systems can be successfully fixed. Because the US is open to unpredictable Y2K failures, senior policymakers and the public should be brought inside the Y2K information loop currently being monopolized by the Pentagon and its array of contractors. An important step in this direction would be for the Clinton Administration and Congress to become more actively involved in the monitoring of Y2K programs and the definition and creation of viable Y2K "contingency plans."

Along with increased openness in the DoD’s efforts, the United States and Russia should take technical steps to reduce the dangers of a Y2K disaster. These steps should end or at least greatly reduce the "launch on warning" posture maintained by both. They would follow from (but go well beyond) both the sharing of early warning information and the US financial and technical support for increasing the safety and security of Russian nuclear materials. The immediate goal of the steps would be to insure that Y2K-related failures do not lead to nuclear catastrophe.

Steps that would address Y2K dangers generally fall under the rubric of "de-alerting" nuclear forces. These steps would reduce the alert status and increase, by minutes, hours, days, or weeks, the amount of time required to launch a nuclear attack. In the Y2K context, these steps would allow both countries greatly increased confidence that, regardless of potential failures in early warning systems, neither could carry out or be the victim of a surprise nuclear attack.

One decisive de-alerting step would be to remove nuclear warheads from delivery vehicles. Comprehensively and verifiably "de-coupling" warheads from missiles would eliminate the danger of accidental, mistaken or inadvertent missile launch. It would create a significant delay between a decision to launch and the ability to execute it. De-coupling would completely rule out the almost inconceivable notion of a massive first strike, a concept that still drives US and Russian "launch on warning" postures. In the Y2K context, it would fully address the problems of unpredictable and/or massive failure of early warning systems and related technologies.

To be completely successful, the de-coupling regime would eventually have to include all of the nuclear-weapon states. It could begin as a Russian-US initiative and, as confidence grows, expand to the other three nuclear-weapon states. The nuclear-capable states not party to the nuclear Non-Proliferation Treaty (NPT), namely India, Israel, and Pakistan, should also join the regime, although given the limited capabilities and sizes of their arsenals, this is less important.

De-coupling is just one of a variety of de-alerting options that would greatly reduce the dangers arising from the Y2K problem. There are also viable intermediate alternatives that could support a general stand down of nuclear operations. One option is the removal of "shrouds," or nose cones, from the warhead bodies of ICBMs and SLBMs. Warheads could stay attached to the "bus" that connects the warhead body to the delivery vehicle. This would make it impossible for a missile to be successfully launched. This option eliminates concerns about the vulnerability of stored de-coupled warheads, while still requiring hours or days before personnel could reattach the nose cones. A second option is "pit stuffing," in which wire is inserted into the hollow core or "pit" of the warhead, prohibiting the necessary compression of fissile material that creates a nuclear explosion. To "re-alert" forces, the warhead would have to be completely dismantled to extract the wire. As such, it is a more committed form of de-alerting and would be expensive (and physically difficult) to reverse.

Unfortunately, there are hurdles to all of these proposals. US officials have already conducted an examination of de-alerting options. The study led to the US-Russian agreements in September 1998 on early warning. Other de-alerting steps were, for the time being, dismissed. This dismissal stems from continuing US commitments to Cold War policies of preemptive use, launch on warning, and first use. Russia has tentatively adopted a first use policy as well, in response to the deterioration of its conventional forces. US officials also cite concern about a potential "race to re-alert" that might be destabilizing, although how such a "race" would be more dangerous than current hair-trigger force postures is not clear. As long as both countries remain devoted to these Cold War military doctrines, neither can move ahead on a more constructive policy of standing down nuclear arsenals to avoid nuclear accidents.

Other logistical and political difficulties exist. Verifying de-coupling on Russia’s mobile missiles may require additional technical steps, although the START I inspection regime already in place may be useful in that regard. Both Russia and the US have difficulties with fully de-alerting their submarine forces, regarded as the most survivable leg of the nuclear arsenal. Russian officials have objected that warhead de-coupling would actually increase the vulnerability of their arsenal to attack or theft. According to some experts, de-coupling would require at least two years, with a final date of completion somewhere between 2001 and 2003.124 However, removing missile shrouds or stuffing the plutonium pits could be implemented without increasing proliferation dangers.

Whether it is through de-coupling or some other de-alerting step, the time to begin discussing this issue is now. If it only becomes clear that there will be major failures in US and/or Russian nuclear, early warning, or related systems in mid-1999, it may be too late to undertake the necessary safety steps to preclude disaster. Thus, it is vital that the Clinton Administration, Congress, outside experts, and the public be made aware of the status of Y2K problems and the dangers involved. At present, the Pentagon is closely controlling information on the status of its repair efforts and rejecting any proposals to suggest safer and more reliable options than trying to maintain full force readiness.

In conclusion, the dangers of Y2K-induced nuclear systems failure are of sufficient probability and magnitude to warrant serious and immediate action by the President, Congress, the Pentagon, governmental investigative branches, outside experts, and the public. The principle informing such action should be to insure that safety takes precedence over force readiness. Toward that end, the DoD should increase the amount of information it provides on its Y2K efforts. More importantly, the Clinton Administration should urgently begin planning to reduce the dangers of failing to achieve full Y2K compliance. Those plans should include steps to de-couple nuclear warheads from missiles, or take comparable moves that would reach the same goal. These should be taken multilaterally, initially with Russia, but including all five nuclear-weapon states as soon as possible.

Programs at the Department of Energy also warrant serious attention. Each of these programs (warhead maintenance and dismantlement, stockpile stewardship, subcritical testing, fissile material storage, and facility cleanup operations) needs to be evaluated for Y2K compliance.

The General Accounting Office and other investigative agencies should evaluate the Pentagon’s efforts to achieve Y2K compatibility, focusing on those nuclear systems that are experiencing the most difficulties in the current "renovation" phase. Such outside investigation will be vital to ensuring both the validity and effectiveness of the Pentagon’s process, and its openness.

Finally, the public and the media should demand more information. Why did six high-level personnel leave the Office of the Assistant Secretary of Defense for C3I almost simultaneously? If the Pentagon does not complete its Y2K compliance programs, what will happen? Even if it does, what still might go wrong, and what would the implications be? What steps are being taken to ensure that disaster is not simply less likely, but precluded to the fullest extent possible? These kinds of questions must be answered before the United States can have confidence that its nuclear systems will not fail, or that failure will not lead to disaster.

