BASIC RESEARCH REPORT

Y2K and Nuclear Arsenals:
A Final Report

(Part 3)

The Status of US Y2K Remediation Efforts 
(continued)

Air Force Systems for Early Warning and Command of Forces
One remaining potential vulnerability in the Y2K process is NORAD’s primary ground-based early warning radar systems, BMEWS and PAVE PAWS. According to the DoD’s 9th Quarterly Y2K report to the President, PAVE PAWS "encountered problems integrating mission software with new Y2K compliant operating system. Changes to mission software to accommodate new operating system [have been] much more complex than originally planned." Similarly, BMEWS has experienced "Delays in integrating mission software with the new Y2K compliant CYBER Operating System."³³ Both systems must be reconfigured to accept the completed Y2K-compliant patches. Although the revised remediation deadline of April 30, 1999 has passed for both systems, it is possible that both are still stuck in the renovation stage because the May 1999 Quarterly Report does not specifically mention successful completion of ongoing repairs. Due to this setback, BMEWS and PAVE PAWS may not have been fully incorporated into the December 1998 and February 1999 OpEvals that tested repaired systems for the mission of early warning.

Another remaining mystery is the status of the "Nuclear Detonation Detection System (NDS)," a network of military sensors attached to the NAVSTAR Global Positioning System (GPS) satellites. One of the supporting pieces of evidence utilized by STRATCOM to determine the post-hoc validity of early warning data is the explosion of one or more warheads above US territory. The primary system that performs this role is the NDS/GPS, which scans for X-rays, electromagnetic pulse (EMP), and other outputs of above-ground explosions and then processes and delivers the information in near-real time. Because GPS consists of 24 satellites with full earth coverage (for navigation purposes), these military-related sensors "piggybacked’ on the GPS system also have global coverage, 24 hours a day. Like GPS, the NDS sensors depend on ground processing and control stations. However, these stations are independent from the usual GPS ground segments. The NDS control segment consists of hardware and software known as the Integrated Correlation and Display System (ICADS). ICADS meshes the evidence given by NDS/GPS sensors with pre-processed reports by infrared DSP early warning satellites to create full displays for NORAD and SPACECOM analysts.³⁴

The Y2K status of this extensive network is not shown in any unclassified reports from either the DoD or congressional sources. It is not clear what operational consequences would be produced by erroneous evidence of nuclear explosions, or conversely, by the lack of such evidence in case of other sensor malfunctions. There is a slight but real possibility that NDS mis-reporting or sensor shutdowns could negatively affect the safety of operations during a tense international crisis. In 1962, during the Cuban Missile Crisis, erroneous BMEWS radar evidence of a Soviet launch was produced by the combination of a training tape simulation and an orbiting satellite, the latter of which bounced back radar signals from BMEWS while the training simulation was taking place. Confused commanders and on-site radar operators eventually discounted the misleading radar evidence because there was no confirming evidence of nuclear explosion given by ground-based nuclear detonation sensors. These latter detectors had the same function as today’s NDS/GPS network. Conversely, in 1965, these very same ground-based detonation detectors gave erroneous positive evidence of multiple nuclear explosions when an electrical blackout caused circuit switches to malfunction in one major metropolitan area. Commanders never bothered to put US forces on alert, probably because BMEWS ground radars had not indicated any bombers or missiles headed for US territory prior to the reported nuclear explosions. These two examples demonstrate the symbiotic nature of the complex US sensor network and the key role played by sensor redundancy during tense crises.

Trident Strategic Nuclear Submarines (SSBNs)
With the possible exception of its communications systems, the US Navy Trident submarine fleet is beyond the renovation stage of the Y2K process and has already undergone both integrated "pierside" systems tests. Throughout 1999, the Navy incorporated simulated Y2K date rollovers in its annual "polo hat" exercises. During these maneuvers, submarine systems and crews are subjected to rigorous wartime operational conditions in order to verify the readiness of SSBNs for nuclear war. According to one February 10, 1999 article by the Navy News Service, the "Submarine Directorate (SEA 92) at Naval Sea Systems Command teamed with Naval Undersea Warfare Center (NUWC) Division Newport, the Fleet Technical Support Center Pacific (FTCSPAC) and submarine crewmembers to coordinate and conduct the testing. Y2K vulnerable systems were tested in a full operational configuration during a simulated at-sea Y2K environment [while docked at pierside]."³⁵ The renovation and testing regimes have involved nearly all weapons and non-weapons systems, including the C-4 and D-5 missiles, fire control systems (for launch of missiles), weapons safety systems, navigational systems, and nuclear propulsion systems.³⁶

However, there is one potential gap in this slate of integrated tests. Several major communications software and hardware systems that provide command connections to Trident SSBNs did not meet the March 1999 deadline for renovation or validation, and it is not clear that systems behind schedule have since passed the renovation phase. These various components are all part of an ongoing modernization effort dubbed "The Submarine Exterior Communications System (SubECS)." SubECS is an umbrella program which consists of about fifteen smaller programs to improve submarine radio connectivity.³⁷ Navy Fleet Satellite Communications (FLTSATCOM) programs associated with Trident communications were also still behind schedule in summer 1999.

Table 2. The Y2K Program Status of Navy Systems Utilized in Trident Nuclear Operations^a

^a Unless otherwise noted, all sources for these systems’ status have been cited in the regular text of the report.

^b Keith A. Rhodes, Technical Director, Office of Computers and Telecommunications, GAO Accounting and Information Management Division, "Year 2000 Computer Challenge: Time Issues Affecting the Global Positioning System," Testimony before the Subcommittee on Government Management, Information, and Technology, Committee on Government Reform, 12 May 1999.

^c Office of Secretary of Defense , 9th Quarterly Report to OMB, Appendix B, 14 May 1999.

^d DoD Director of Operational Test & Evaluations (DOT&E), "E-6B Airborne Command, Control, and Communications Platform," FY 1998 Annual Report to Congress.

Trident communications are the most complex and logistically-involved of all US nuclear systems, simply because they spend most of their patrols under water and do not stay fixed in any one location. Although this makes SSBNs nearly invulnerable to preemptive surprise attack, it also makes command and control of deployed forces extremely difficult. To communicate from both the ocean surface and deep underwater, Trident SSBNs have onboard receivers and transmitters for several major categories of the frequency spectrum (with categories being based on the qualities of the wavelength being used). In turn, each pair of shipboard receivers and transmitters for these frequency categories have corresponding facilities on shore, on aircraft, or on satellites for the relaying of messages to and from command headquarters to submarines. If Trident operations are to remain safe and secure, all hardware and software in these global communications pathways must be made Y2K compliant.

Extremely Low Frequency (ELF), Very Low Frequency (VLF), and Low Frequency (LF) bandwidths allow messages to be sent through seawater; while VLF/LF each penetrate only several meters below the surface, ELF penetrates tens of meters. For both ELF and VLF/LF communications, Tridents can trail signal-receiving antennas over a hundred meters behind the submarine, thereby allowing "stealthy" operations at lower depths.³⁸ However, all three of these communications modes suffer from extremely slow data rates, and because they require stationary vertical antennas for transmission of messages, Tridents can only receive communications signals in this mode.

Until recently, Trident ELF/VLF/LF communications took place at only 50-75 bits per second (bps), while current modems for personal home computers typically allow at least 36,000-56,000 bps. For this reason, ELF is used principally as a "bell ringer," a simple alarm to tell submarines they need to change its communications posture by ascending to VLF/LF depths or higher to receive more detailed messages.³⁹ VLF can also be utilized as a bell ringer, although along with LF it is primarily used to receive and record messages from top command posts. These recorded messages are generally quite short and are usually made only in periods of "alert" or "modified alert" during crises. Despite a recent upgrade in data rates (to 1600 baud for communications with the shore-based and air-based Minimum Essential Emergency Communications Network [MEECN] net),⁴⁰ VLF/LF channels are still set aside primarily for reception of simple Emergency Action Messages (EAMs), such as launch orders in a nuclear war. In addition to carrying launch orders, VLF-LF frequencies can also be used to tell SSBN crews to stand-down their operational readiness if a crisis abates, or to surface and receive more discriminating orders via higher frequencies that allow voice or data two-way communications.

VLF and LF messages are relayed to submarines stationed in the North Pacific and North Atlantic via two routes: ashore antenna broadcasts, or Navy Take Charge and Move Out (TACAMO) E-6B Aircraft. The first method of communication actually involves many interwoven steps that begin with the initial transmission of orders by STRATCOM and the NMCC to large ashore antennas stationed in strategically-placed "forward" positions. The most important of such antenna sites for today’s Trident operations are in Hawaii (VLF/LF), Okinawa (LF), Washington state (VLF), California (LF), Maine (VLF), and Iceland (LF).⁴¹ The various channels leading from STRATCOM to the distant VLF/LF antenna farms include Ultra High Frequency communications satellites, the ground-based DoD Automated Digital Network (AUTODIN), and private AT&T lines leased by Broadcast Command Authorities.⁴² The Y2K-compliant MEECN encompasses some of these ways of communicating with the far-flung antenna installations (see Table 1). The antennas themselves are the last step of this method of VLF/LF communications and relay the commands directly to submerged submarines immediately upon reception.

Conversely, if war has already started, communication via these antennas would probably be impossible. VLF/LF antennas will at this point have been taken out by strikes, or possibly the MEECN lines that first relay messages to the antennas for broadcast will have been preempted. If this is the case, then submarines can still receive messages via TACAMO aircraft that trail long lines from their tail and make tight circles in one location above the submerged submarines.⁴³ At least one aircraft is in the air at all times in the Pacific and Atlantic theaters, and they stay in contact with central command authorities through Air Force satellite communications networks (AFSATCOM), the growing MILSTAR Extremely High Frequency satellite network, the Navy FLTSATCOM UHF network, and air-to-air communications with other in-flight command posts.⁴⁴ As shown in Tables 1 and 2, TACAMO aircraft are now Y2K compliant, as are the MILSTAR and Air Force satellite networks that connect TACAMO to command headquarters.

For VLF/LF bandwidths, two mission-critical systems were consistently listed as "late implementing" systems throughout 1998 and spring 1999. The "Integrated Submarine Automated Broadcast Processing System (ISABPS)" and "Integrated Verdin Transmit Terminal (IVTT)" are both embedded components of the on-shore antenna installations. The ISABPS receives communications from Broadcast Command Authorities via the MEECN or communications satellites, decrypts and filters the message, then passes the data to the IVTT. The IVTT, which is described by the Navy as the "automated submarine message processing system," re-encrypts the message and changes it into a suitable format for VLF transmission to submerged Tridents.⁴⁵

The Navy seems to be relying primarily on pre-existing modernization plans to ensure Y2K compliance for these on-shore communications functions. According to the November 1998 Quarterly Y2K Report to the President, "the new computers must be purchased, software developed, systems fabricated, tested, and then deployed to 10 sites around the world," and the Navy "cannot take more than one shore broadcast site down in an ocean area at a time."⁴⁶ Full system replacements are being implemented on a revised schedule that involves the installation of new software, hardware, and operating systems. The completion dates for both the Broadcast system and the IVTT are listed as April 15, 1999, but the May 1999 Quarterly Report to OMB was still including these components in lists of "late implementing systems" requiring further repair efforts.47

Additionally, there is an ambitious and ongoing shipboard equipment replacement program that corresponds to the antenna-based replacements being implemented through the IVTT. The "Submarine LF/VLF Versa Module Eurocard Receiver System (SLVR)" is the shipboard equivalent to the on-shore IVTT program, and without it, the legacy equipment currently on Tridents could experience interoperability problems with the new IVTT components at on-shore antenna sites. The SLVR has been slowly weaving its way through Navy Research Laboratory technical and operational evaluations since Fiscal Year 1996, with full capability demonstrated in April 1998. Various Navy planning and budgetary documents have listed the SLVR as being installed in all Tridents during FY 1999, just in time to replace embedded legacy components that may not be Y2K compliant.⁴⁸ The ability of the Navy to finish these replacements is dependent upon ship availability and patrol schedules.⁴⁹

At the other end of the communications spectrum, higher frequencies allow two-way voice and data communications when submarines are in "covert," "broached," and "surface" patrol modes. Covert operations bring the SSBN to just a few feet below the surface, broached operations require the Tridents to rise partially above the ocean, and surface modes bring Tridents completely to the top. All three modes utilize Medium Frequency and High Frequency (MF/HF), Ultra-High Frequency (UHF), and Extremely High Frequency (EHF) antennas. EHF-UHF bandwidths are relayed directly to shipboard antennas through the two remaining Navy Fleet communications satellites (FLTSATCOM) or through the evolving Navy UHF Follow-on (UFO) satellite system, while MF-HF are channeled directly through relatively small shore-based stations.⁵⁰ Other options allow UHF communications to take an indirect route through TACAMO aircraft or through communications buoys floating at strategic locations in the Atlantic and Pacific oceans (UHF). The buoys themselves can receive communications from satellites and TACAMO aircraft.

Unlike the lower frequencies, the HF-UHF-EHF bandwidths allow potentially higher data rates for more nuanced messages to Trident commanders. However, for much of the time on normal patrols, and certainly during a tense crisis with a high "Defense Condition" (DEFCON) rating, submarines are typically submerged to ELF-VLF-LF depths and cannot receive or send messages via any of these modes. SSBNs generally will only ascend for more trivial communications, such as crewmember e-mails to their families and checkups on ship status during non-crisis periods. They also ascend periodically to confirm their location through the GPS network, which as mentioned in Table 1, is now Y2K compliant.

However, HF-UHF-EHF bandwidths could still play an important role during periods of tension because the higher and lower frequencies are symbiotic. If a change in crisis conditions were to come about, VLF/LF frequencies would probably tell Trident crews to ascend to within HF-UHF-EHF depths for more detailed messages on the flow of events. These multiple communications capabilities are essential because Trident commanders are allowed a certain amount of discretion in executing launch orders during crisis operations, including the authority to order nuclear launches if it is believed that command authorities have been destroyed in a first strike. A serious breach in communications capabilities during a crisis, such as a sudden unexpected blackout in VLF communications, could lead at-sea commanders to conclude that offensive attacks had taken out on-shore antennas or phone/satellite links at STRATCOM and NMCC. In general, higher frequencies allow more reliable and centralized command and control of deployed forces, especially because they allow two-way voice or data conversations. This multitude of communications modes assures both a credible state of force readiness and a certain level of safety in operations.

In regard to Y2K, the Navy Extremely High Frequency Satellite Program (NESP) and the shipboard EHF Low Data Rate Terminals (EHF-LDR) were still late system in summer 1999, as shown in Table 2. The EHF-LDR terminals were supposed to have been implemented as of June 30, 1999 for all ships, while the NESP was not slated for completion until August 1, 1999. The NESP involves two aging Navy Fleet UHF satellites and a growing net of UFO satellites with EHF capabilities.⁵¹ These satellites serve both strategic and conventional weapons operations. For both UHF and EHF frequencies, the NESP constitutes the primary means of STRATCOM-to-Trident voice and data communications for SSBN operations. Loss of NESP could undermine almost all UHF and EHF-band transmissions from command authorities to SSBNs, even if the shipboard EHF terminals are finished on time.

The primary contractor for the UFO network, Hughes Space and Communications, certified in 1997 that UFO satellite on-board clocks will operate through the year 2000 rollover. However, the certification letter stated that they had not assessed the adequacy of the various ground segment elements that support satellite operations, nor had they examined the multiple ground processing stations for individual users of UFO services. The letter recommended that the appropriate agencies assess these elements of the UFO communications system. The UFO Program Office is working with the responsible services and agencies to ensure Y2K compliance of the elements that support satellite launch and operations.⁵²

Fortunately, the Air Force controls some of the ground support functions for the UHF-UFO satellites, and the AF Satellite Control Network (SCN) is now Y2K compliant (see Table 1). However, according to the November 1998, February 1999, and May 1999 Quarterly Reports to the President, the "Integrated Satellite Control System," defined as the "Naval satellite ground system which commands and controls the fleet communication of satellites," was not slated for completion until June 30, 1999.⁵³ This ground segment provides telemetry control and other ground support to Navy UHF and UFO networks. Luckily, if this system were to be affected by Y2K, the result would not be immediately catastrophic. The main result would be the loss of proper orbit and orientation for communications satellites over the period of hours and days, in which time Y2K work-arounds could perhaps be instituted by engineers. However, failure to fix errors within several hours could result in a slow but steady degradation of communications capabilities via UHF-UFO channels.⁵⁴

Taken together, evidence on these "late implementing systems" raises some concerns about the reliability and integrity of Trident communications in a Y2K environment. Were the systems in fact successfully remediated as planned, or have they gone back into the "repair" stage? If one or more systems have missed their expected April, June, and July 1999 dates, is it realistic to expect that both the ashore and sea components will be repaired in time for integrated testing and operational evaluations? Will they be ready for fielding by the December 31, 1999 deadline? What might be the effects on operations if one or more such ashore sites and/or submarine terminals and processors were to be affected by Y2K glitches? What contingency plans are in place for these embedded subsystems?

DoD Telecommunications Networks and Nuclear Operations
Another potential vulnerability is the dependence of the DoD (including STRATCOM and NORAD) on privately-supplied phone lines, ground cables, and telecommunications switching centers. Rather than building an entire network from the ground up, it has been much more economical for the DoD to connect to the vast national telephone system, leasing some lines permanently where necessary, and sometimes building its own switches to interconnect military users. For instance, the top secret Automatic Digital Network (AUTODIN) is largely dependent on lines leased from the private sector by the Broadcast Command Authorities (BCA). Besides conventional force operations, these leased BCA lines include those AUTODIN pathways utilized in nuclear post-to-post communications and the dissemination of launch orders to shore-based antennas for Trident submarine operations. Also, the evolving Defense Information Systems Network (DISN), which is currently integrating all DoD-owned networks into new top secret and secret channels, depends on the Public Switched Network maintained by private industry to supply Government Emergency Telecommunications Service (GETS). One expert on nuclear communications described the system's setup as follows:

The phone system is... organized as a switched network, with each subscriber having direct connection only to a local switching center, or exchange. There the wire pair from the subscriber [caller] can be connected to wire pairs leading to other local subscribers or to a wideband cable connecting the exchange to another exchange. Local exchanges are again not all directly connected; they interconnect through regional switches, which in turn interconnect through yet more centralized switching facilities. This hierarchy continues through five layers in the US phone system.⁵⁵

Accidents have at times been prevalent in AT&T or Bell switching nodes without Y2K problems, and the chance of future difficulties may increase with the change of century.

Adding to this complexity is the nature of the repair effort. Y2K compliance issues differ between information technology (IT) systems, such as local-area e-mail and software applications networks (LANs), and telecommunications networks. Y2K remediation for IT systems generally do not require wholesale replacement of hardware, but rather rewriting of code on existing network platforms. Often the owners of the IT systems have the ability to remediate the computer code themselves or outsource the work to other professionals. In any event, IT systems’ owners generally have some control over the code’s remediation efforts.

In contrast, the owners in general do not have control over the renovation or replacement of any computer code embedded within the telecommunications equipment. They must instead rely solely on the efforts of the equipment’s manufacturers to identify Y2K vulnerabilities. Ultimately, complete replacement of hardware components may be required. Also, while owners of IT systems usually have the means to do their own testing of interfaces between systems, users of telecommunications services rarely have this ability. Users may own the local portion of the network, such as a private branch exchange (PBX) for a military base or command post, but the "long haul" portions of the net are provided by commercial carriers.

For both the local PBX’s and long-haul regional network nodes, a glitch in the core operational software could result in complete failure because synchronization of incoming and outgoing calls through date stamps is crucial to keep the system from becoming overloaded. If the switch in question utilizes time-of-day outgoing call routing or supports the scheduling and synchronization of incoming calls for distribution to local users, a Y2K error could cause a misrouting of messages at the local level. Moreover, telecommunications switches and networks are dynamic, with the number of users changing constantly. Each switch has its own parameters and a unique database with current call routing information, and the software that runs these functions is vulnerable to Y2K errors.

Also, testing efforts have been slowed by the inability to take down whole network portions at a time for Y2K-specific evaluations. Many DoD-owned and commercial switches and lines must remain operational for daily usage. Fortunately, the Defense Information Systems Agency (DISA) established a Readiness Assessment Network (RAN) to support CINC OpEvals and lower-level functional tests of integrated systems. The RAN consists of disconnected network nodes, as well as hardware and software that are identical to the systems still being used in the field. The Joint Interoperability Test Center (JITC) of the DoD is working together with a private contractor, Telcordia, to represent both DoD-unique and commercial switching nodes in ongoing mission-level OpEvals. According to the DoD 9th Quarterly Report to the OMB, "this concept of a RAN protects the operational networks/databases and provides the most accurate replication of the DISN [Defense Information System Network] components of each thin-line. It allows Y2K DISN components to roll dates synchronized with the other thin-line components being evaluated/tested."⁵⁶

However, for those services owned by the DoD itself, scheduling access to the Y2K test bed network and coordination of exercise events to synchronize date settings has been a major challenge. The existence of necessary administrative and computing resources for DISA and the JITC is questionable. These organizations are generally understaffed and underfunded, and both are highly dependent on the individual services for supplying and maintaining crucial switching hardware and software needed for interoperability between military branches. Y2K has exacerbated this condition because DISA and JITC are the primary components responsible for providing testing assets for inter-Service, mission-level Y2K operational evaluations of IT networks. If the services themselves are behind in supplying the needed assets, DISA also falls behind. According to the 9th Quarterly Y2K Report to the OMB, "Scheduling issues with DISA Defense Megacenters and their potential Y2K impact on testing and readiness of DoD functions remain a concern."⁵⁷

That said, the commercial portion of DoD communications had been certified Y2K compliant for most vendors by May 1999. The industry-wide National Reliability and Interoperability Council recently conducted a public telecommunications exercise, and DoD representatives observed the tests. DoD-used systems successfully completed all functions.⁵⁸ In general, private vendors have conducted extensive testing across the continental US and overseas interconnections since January 1999.

However, the outlook is not quite as sanguine for DoD internal or "dedicated" military lines. One example is the Defense Switched Network (DSN), which has two segments: a web of 83 multi-function nodal switches, mostly at junctions between military bases within the Continental United States (CONUS); and 811 local "end-office" switches for message distribution at the bases themselves. According to the Office of Secretary of Defense, the DSN is one system that is experiencing "slippage" in meeting its Y2K milestones.⁵⁹ DSN was not slated for Y2K compliance until September 30, 1999,⁶⁰, and one November 1998 DoD Inspector General (DoD IG) report argued that roughly half of the standard "SL-100" telecommunications switches in DoD network nodes would not meet the March 1999 deadline. The limited number of qualified engineers and reliance on one main vendor puts strict limits on the rate of repair, a fact that led the DoD IG to conclude that "DoD telecommunications capabilities may become unstable, unpredictable, and the cumulative impact of non-Y2K compliant operational occurrences could result in system failure."⁶¹

Another worry is the Defense Information System Network (DISN), which is a major part of the current DoD effort to leverage cutting edge Commercial-off-the-Shelf (COTS) products. Eventually, the DISN is meant to bring together all existing DoD networks in one large global "infosphere," tying together a multitude of local, national, and international networks involved in C4I operations. The DoD is in the middle of "migrating" old databases and switching nodes to the DISN network. For sensitive communications, such as nuclear command post teleconferences, DISN provides the top-secret "SIPRNET" network.

Two versions of the main hardware multiplexer for DISN switching nodes, the Integrated Digital Network Exchange (IDNX), have been declared non-compliant by its main vendor. The "IDNX 20" and "IDNX 90" models are listed in a Navy website on noncompliant IT systems.⁶² This is worrisome because the IDNX has worldwide fielding in DoD networks. The IDNX provides the "backbone" of the global DISN communications net and, without proper functioning, could misroute or delay urgent messages.⁶³

This raises the following questions: Do NORAD and other nuclear command centers utilize the DSN or DISN? What outcomes might be generated across the entire nuclear network by the failure of one or more SL-100 or IDNX switches? Which centers or facilities are dependent on private telecommunications vendors? How close to compliance are these vendors' services?

Part 4: The Status of Russian Y2K Remediation Efforts

.
Back to Nuclear and WMD home page