BASIC RESEARCH REPORT

Number 99.4, November 1999


Y2K and Nuclear Arsenals:
A Final Report

By Michael Kraig
Consultant on Nuclear C4I Systems and Y2K
 

Contents

Acronyms and Abbreviations

Executive Summary

The Nature of Y2K Dangers for Nuclear Arsenals

The Status of US Y2K Remediation Efforts

Air Force Systems for Early Warning and Command of Forces

Trident Strategic Nuclear Submarines (SSBNs)

DoD Telecommunications Networks and Nuclear Operations

The Status of Russian Y2K Remediation Efforts

Existing non-Y2K Dangers in Russian Nuclear Operations

US Initiatives to Avoid Nuclear Accidents

Conclusion: Alternative Options for Alleviating the Dangers of Y2K

Endnotes


Executive Summary
There is a real danger of Y2K errors compromising nuclear safety, but this danger is not in the weapons themselves. Nuclear ballistic missile delivery vehicles and warheads will not spontaneously launch or explode, a fact that has been confirmed by recent tests of Trident submarines and Intercontinental Ballistic Missile (ICBM) launch centers for US forces. However, Y2K errors can still threaten the safety and integrity of nuclear operations. This includes Command and Control (C2) systems, such as telecommunications lines between command posts, as well as early warning information systems, which involve satellites and radars for detecting enemy launch and millions of lines of computer code for the filtering and correlation of data.

Potential gaps and ambiguities remain for US operations. Two major ground-based radar systems experienced problems with Y2K software patches and had to return to the renovation stage in spring 1999, while the status of a space-based system for identifying nuclear detonations remains uncertain. Also, several major communications software and hardware systems that provide command connections to Trident Strategic Nuclear Submarines (SSBNs) did not meet the March 1999 deadline for validation, and it is not clear that systems behind schedule have since passed the renovation phase. Finally, there are continuing lags in repairing and testing DoD-owned telecommunications networks that might be involved in nuclear operations, including the widely used Defense Switched Network.

 When BASIC originally reported on US Department of Defense (DoD) remediation efforts in November 1998, there were severe problems across the entire program. Ill-defined concepts and operating procedures, insufficient standards for declaring systems ‘Y2K compliant,’ insufficient contingency planning in case of Y2K-related failures, and poor inter-departmental communications were some of the problems plaguing the DoD. Additionally, Russia did not have a committed Y2K remediation program in place and had not even assessed the extent of the potential problem for its own nuclear operations.

 Since the November Report, upper management of the Y2K process has improved dramatically. The list of "mission critical systems" needing assessment and repairs has finally stabilized for all agencies and services, and contingency plans are being created for each of these systems in the event of Y2K failures. As a result of such actions, Secretary of Defense William Cohen decided not to freeze funds for the development of new DoD information technology systems, a threat he had made in fall 1998 to spur the DoD into action.

For nuclear operations, the "thin line" of mission critical systems has been renovated and the Pentagon is completing the testing or "validation" stage through "sensor to shooter" nuclear alert simulations involving NORAD, Strategic Command, and Space Command. Two simulations in December 1998 and February 1999 involved at least 30 separate attack scenarios for each of five critical Y2K-related dates, incorporating both single ICBM launches and an all-out first strike by the opponent. No "hard failures" were reported for the mission of "Integrated Tactical Warning and Attack Assessment (ITW/AA)." In addition, private telecommunications services for nuclear operations have been certified by vendors such as AT&T, and basic infrastructure such as electrical power, climate control, and internal security systems are being certified for all military bases. 

However, reports on nuclear operations remain ambiguous from the standpoint of effective Presidential oversight, largely because of narrowly-defined reporting standards instituted by the Office of Management and Budget. Major systems integral to nuclear operations are not systematically identified and grouped by their contributions to military missions. To aid the oversight process, the General Accounting Office (GAO) formally initiated an audit in April 1999 for nuclear operations, with a final report expected sometime in fall 1999.

Russia is much further behind in its Y2K program. It has assessed all of its systems and has declared that 74 of its 134 early warning facilities are vulnerable to Y2K errors. Current funds may not be sufficient to cover all costs for rewriting software and buying new components, and Russia may be unable to complete testing of all relevant interfaces between systems by the December 31, 1999 deadline. The US constructed a facility outside of Cheyenne Mountain, Colorado, for sharing US early warning satellite data with Russia, but Russia canceled policy cooperation during the Kosovo war. This cooperation was renewed in mid-September 1999, when Russian authorities gave the go-ahead for their personnel to return to the project, and Russia has yet to renew high-level contacts to complete the necessary communications lines to Russian command posts.

Given the continuing uncertainties with Russian and US systems, elected leaders should still give serious consideration to policy moves that would lessen dependence on split-second early warning data. Potential assistance for Russian Y2K remediation programs and the plans for a shared early warning facility do nothing to address the more basic problem of US-Russian "hair trigger" force postures. Roughly 4,400 warheads in Russian and US arsenals are in "ready to launch" mode. For the US, the three required steps for launch can be implemented in one minute or less. Given the gaps in its capabilities, Russia has been forced to put increased emphasis on both first-use of nuclear weapons and quick retaliation in a crisis. While the US can and should offer technical and monetary assistance as soon as possible, such measures should not be touted as a cure-all.


The Nature of Y2K Dangers For Nuclear Arsenals

There is a real danger of Y2K errors compromising nuclear safety, but this danger is not in the weapons themselves. Nuclear ballistic missile delivery vehicles and warheads will not spontaneously launch or explode due to Y2K malfunctions. For all countries with nuclear arsenals, human beings in the command chain must be given high-level authorization to transmit launch instructions to the personnel in the missile silos or strategic submarines, and the launch officers must then enter the required instructions and physically turn manual launch keys. For instance, in the United States, carefully engineered "Permissive Action Links" (PALS) ensure that the turning of launch keys will be useless unless the proper command code of six digits is entered. Because this process is not automated at the lowest levels of operations, it is impossible for Y2K errors to cause a missile strike without both human knowledge and human agency being involved in the launch sequence.

On the American side, this has been confirmed by recent tests of ICBM operations. The 91st Space Wing of the Air Force Space Command conducted an operational evaluation of its intercontinental ballistic missile force during a Simulated Electronic Minuteman Launch (SELM).1 This recent SELM tested two launch control centers (LCCs) and 11 launch facilities from the 740th Missile Squadron under US Space Command (USSPACECOM). Launch commands were sent from in-flight Navy E-6B Mercury planes that are part of the 625th Missile Operations Flight/Airborne Launch Control System at Offutt Air Force Base, Nebraska. After receiving instructions from these aircraft, missile launch officers on the ground completed the required actions, turning the keys to initiate simulated launches. Test equipment read the electronic messages sent between the LCCs and the launch facilities to verify the system would operate as it should in the event of nuclear war. No Y2K-induced accidents were recorded during the simulation.

The threat of Y2K-induced nuclear war is instead found in two areas connected to daily nuclear operations:

  • Command and Control (C2) systems, such as command center television displays, threat databases, and telecommunications systems between command posts that depend on automated routers and switches.

  • Early warning information systems, including not only the satellites and radars for detecting enemy launch but also thousands of software modules and millions of lines of programming code for the filtering and correlating of data. The ability of the US to detect missile launches and track through time the flight and delivery of warheads is based upon a highly interdependent conglomeration of radar arrays, satellites, communications networks, and data processing stations.

Within the first 30 seconds after enemy launch, hardware infrared sensors onboard three Defense Support Program (DSP) satellites register the launch by identifying the particular signatures of Russian or Chinese ICBM rocket plumes. The three satellites are in geosynchronous orbit and scan both Earth and the surrounding black background of space; when put together, this space-based sensor net ensures global coverage.2 The DSP network tracks ICBM and submarine-launched ballistic missile (SLBM) flight paths for roughly 3-4 minutes, after which the specific infrared signatures of the rocket plumes can no longer be seen.

After initial reception of launch evidence, early warning data are heavily filtered and correlated at multiple sites so that human beings can understand the implications of millions of instantaneous electronic signals given off by the satellites. Filtering initially occurs onboard the satellites themselves and in the ground-based receiving stations. The satellite data are sent to grounded receiving and processing sites, one of which is remote from the ultimate users at US command centers. For instance, one such reception/processing site is based in Australia to receive signals from "DSP-East". At the same time, automated telecommunications systems, consisting primarily of the Defense Satellite Communications System (DSCS), together with privately-leased AT&T phone lines on the continental US,3 transfer these continuous streams of data from the dispersed ground-based receiving stations for satellites to the relevant command posts for human analysis. Finally, at a command post in the US, the filtered satellite data are correlated and fused with other data sources and presented to human operators for analysis. This entire process takes only a few minutes.

Additionally, the US has a ring of ground-based radars in Alaska, Greenland, the UK, and the continental United States for full 360-degree coverage of missile flight paths into the continental US. The backbone of this radar ring consists of two systems: the Ballistic Missile Early Warning System (BMEWS) and Precision Acquisition of Vehicle Entry-Phased Array Warning System (PAVE PAWS). BMEWS radars back up the initial warnings of ICBM launches given by infrared satellites by tracking incoming missiles and warhead reentry vehicles roughly 7-10 minutes after launch. PAVE PAWS also acts as a backup for satellites, primarily for Russian submarine (SLBM) launches closer to American territory.4 The evidence from these radar systems is almost simultaneous with initial DSP satellite readings. Again, automated telecommunications systems transfer evidence from these ground radar sites to the relevant command centers in the continental US for further filtering, correlation, and fusion. Finally, automated telecommunications systems (with routers and switches that depend on microprocessors) allow real-time verification of data by linking command posts in large teleconferences during a nuclear alert.

There are three primary command posts in US operations.5 The North American Aerospace Defense Command (NORAD) – otherwise known as the "Cheyenne Mountain Complex" – receives and correlates all information given by satellites and radars and is the focal point for early warning information analysis. Internally, NORAD consists of four separate but highly interdependent departments: the missile warning center, which continually scans for ballistic missile attacks and tracks incoming reentry vehicles and missiles that are on an offensive flight path; the Air Defense Operations Center, which tracks potential air threats (such as bomber attacks) to US territory; the Space Defense Operations Center (SPADOC), which catalogues the space assets of all nations, monitors missile launches, tracks space junk, and helps keep US satellites in their proper trajectory on a daily basis; and finally, the NORAD unified Command Post, which coordinates and oversees all other departments. These three individual centers and one top command post within Cheyenne Mountain share communications and data correlation systems among themselves and with "forward users" such as US Strategic Command (STRATCOM) and the National Military Command Center (NMCC) in the Pentagon.

Taken alone from the rest of the US nuclear Command, Control, Communications, Computers, and Intelligence (C4I) network, the four mission centers within NORAD currently maintain over 12 million lines of code on 34 separate operational systems written in 27 languages.6 Most of these systems are geared towards shuffling and deciphering bits of information. For instance, each single rocket launch seen by DSP satellites generates hundreds of thousands of internal "messages" between NORAD subsystems that are eventually filtered, correlated, and fused to form a single coherent threat message to human analysts. Contrary to popular belief, the human operators do not watch screens 24 hours a day; instead, computers alert the NORAD desk crews when suspicious data is found. In particular, huge databases in NORAD mission centers contain threat profiles based upon known Russian and Chinese ICBM/SLBM weapons characteristics, such as the infrared rocket plume signatures given off in the first minute of launch, or flight trajectories further into the alert process. Computer systems make comparisons between these catalogued threat characteristics and the incoming data from satellites and radars, so that the differences between "suspicious" data and normal launch events are largely defined by computer software functions.

At the top of the command chain, STRATCOM coordinates forces during battle and devises plans for future potential nuclear wars during peacetime. The National Military Command Center brings together the highest civilian and military officials within the National Command Authority (NCA). STRATCOM and the NMCC can be thought of as the "consumers" of the "information products" produced by NORAD. For the NMCC, the primary computer-dependent component is the National Military Command System (NMCS), which supports the NCA and the Joint Chiefs of Staff in exercising their military command responsibilities, including planning and executing of joint operations.

"Command Connectivity" is a general term used to describe the idealized function of communications in nuclear operations, namely, ensuring predictable centralized control by top officials. Communications patterns can be divided into three rough categories:

  • Messages among the nuclear command posts NORAD, STRATCOM, and NMCC;

  • Messages between command posts and the human crews monitoring the satellite sensor receiving stations or the far-flung ground-based radar arrays (i.e., between commanders and the sources of early warning data); and,

  • Messages between command posts and deployed forces (i.e., ICBM launch centers or Trident I-II nuclear submarine crews).

A breakdown in the first two types of communication would make verification of attack exceedingly difficult for commanders, and therefore could be highly destabilizing. At times, evidence given by radars and/or satellites is erroneous and must be identified as such through large teleconferences between analysts and officers at various posts. Whenever a suspicious launch is detected by sensors, teleconferences are initiated that typically include not only NORAD and STRATCOM command posts but also the crews of radar sites and satellite data receiving sites. This activity is called a "Missile Event Conference" and is integral to NORAD’s role of tactical threat assessment. Finally, if data about a nuclear attack are in fact verified as accurate, command posts must still communicate with each other in a "Missile Attack Conference" to choose retaliatory options.7

NORAD human operators must visually process the information from DSP infrared satellites in three minutes or less, giving STRATCOM their evaluation of the data’s validity just five minutes after initial reception by satellite sensors. STRATCOM and the NMCC must then make a command decision in 5-10 minutes, at the same time that ground-based radars (BMEWS and PAVE PAWS) are still continuing to input new information on missile flight paths for final processing and correlation at NORAD, STRATCOM, and the NMCC. The chronology of the entire alert process from initial enemy launches to defensive US retaliatory actions can be seen in Figure 1.


Figure 1: Launch Under Attack Time Line

From Carter, Ashton B. et al., eds., Managing Nuclear Operations. Washington, DC: Brookings Institution, 1987.

Information provided to warfighters throughout the process must be timely, accurate, and unambiguous. Furthermore, the nuclear C4I system-of-systems must be highly reliable in order to minimize unscheduled downtime. Finally, because command decisions based on erroneous data or bad communications could destroy the entire earth, the stakes for the C4I system are as high as they could possibly be.

However, there is a history of computer-related failures in US operations preceding the Y2K threat. In 1980, an embedded 64-cent chip with a flawed design, nestled deep in telephone switching hardware at NORAD, suddenly started sending messages to other command posts that a Soviet attack was under way, causing two raised alert levels within a three-day period.8 According to nuclear expert Bruce Blair of the Brookings Institution, official correspondence between US commanders in later years refers obliquely to multiple computer-based mishaps, such as false reports from an infrared satellite that "could have resulted in unacceptable posturing of SAC forces."9 And in one report by the General Accounting Office (GAO) on the computer modernization programs at NORAD from 1989-1994, auditors describe an operating environment plagued by flawed and lost data, ambiguous screen displays for human operators, extensive system downtimes, and dangerously slow data transmission rates throughout the Cheyenne Complex.10

Finally, there is an upcoming natural event that may exacerbate the effects of both Y2K glitches and existing non-Y2K software problems in nuclear C4I systems. According to astronomers, a surge of solar flares or solar storms that could shut down power grids and burn out satellites is expected to peak in late 1999 and early 2000.11 The last peak in the 11-year cycle of solar flares was in March 1989, when a surge of atmospheric magnetic activity shut down the Hydro-Quebec power grid in Canada, leaving 6 million people without power for days. Another sneak preview of how solar flare activity could paralyze communications came in May 1998, when it is believed that flares knocked out the Galaxy 4 satellite over the United States. For three days, 40 million pagers stopped working, television and data broadcasts were disrupted, and many credit card transactions were blocked. The next peak is expected to have a much heavier impact on communications satellites than in 1989 and 1998.

Communications satellites utilized in nuclear operations could also be affected, including the Defense Satellite Communications System III (DSCS-III), which is used to transmit early warning evidence from satellite ground-receiving stations in Australia and Colorado to commanders in NORAD, STRATCOM, and the NMCC.12 Furthermore, there are many examples from Cold War history of DSP satellite outages due to intense solar flares, blinding one (and sometimes two) of the three principal infrared early warning sensors and severely attenuating the early warning mission performed by NORAD threat analysts. It is not known how a combination of Y2K errors and strong solar activity would affect the overall nuclear C4I network, and accurate estimates are probably impossible.

Part 2: The Status of US Y2K Remediation Efforts
