The vulnerability of Russia's crumbling nuclear arsenal to Y2K problems poses a global threat.
BY MICHAEL R. KRAIG
On September 26, 1983, at a secret military bunker just south of Moscow, officers of the Soviet Strategic Rocket Forces expected yet another uneventful night of monitoring the constant data stream supplied by Russia's early warning satellite network. Suddenly, the warning system's computer indicated that a potentially massive American strike had begun. Five distinct Minuteman III Intercontinental Ballistic Missile (ICBM) launches were reported by space sensors.
Lieutenant Colonel Stanislav Petrov was responsible for judging the data's veracity and informing superiors at early warning system headquarters. His superiors would report immediately to the General Staff of the entire Soviet military, who in turn would communicate with top political officials. All of these decision-making steps, including individual analyses and small group teleconferences between command posts, were to be completed in less than 12 minutes to allow an equal amount of time for the issuing and implementation of launch orders if needed.
After minutes of confusion, Petrov decided that the data simply were not valid. Ground-based radar deployed around Russia's perimeter backed up his claim by failing to detect any signs of advancing missiles or warhead reentry vehicles. The General Staff gave the order to stand down alert levels.
Weeks after this incident, Russian investigators determined that computer software onboard one of the Molniya early warning satellites had mistaken intense sun glare for the signature of ICBM rocket plumes. As Lieutenant Colonel Petrov would later explain to Soviet military tribunals and Western reporters, his decision was mostly an educated guess. "When people start a war," he said, "they don't start it with only five missiles. You can do little damage with just five missiles."[1]
Many would scoff at the idea that the Y2K problem could lead to a panic-generating military crisis like this one. Yet in 1993, when computer technicians at the North American Aerospace Defense Command in the United States simulated a century-rollover for data processing computers, the result was systemwide screen blackouts.
Exactly how could Y2K errors affect the Russian nuclear arsenal? First, the good news: Y2K-related glitches will not cause a spontaneous, unauthorized launch of missiles or the explosion of nuclear warheads. For both the United States and Russia, safety devices, in the form of weapons "unlock" or "go" codes, prohibit nuclear launch without command authorization. Other devices also prohibit detonation of the warhead itself in the absence of the proper environmental conditions, including variables such as trajectory and acceleration.
Instead, the potential danger of Y2K is posed by those systems supporting Command, Control, Communications, and Intelligence (C3I) operations. The vulnerability of these nuclear operations to Y2K-related errors is not surprising when one considers the absolute dependence of human analysts on computer processing in the interpretation of data.
The ability of the United States and Russia to detect missile launches and track through time the flight and delivery of warheads depends on a highly interdependent conglomeration of radar arrays, satellites, communications networks, and data processing stations.
Within the first minute after hardware sensors receive readings, automated computer systems filter and correlate early warning data so that human analysts can understand the implications of millions of instantaneous electronic signals given off by satellites and radar. At the same time, automated telecommunications systems transfer continuous streams of data from the highly dispersed, ground-based receiving sites for satellites, or from ground-based radar, to the relevant command posts for human analysis. Finally, automated telecommunications systems, with routers and switches that depend on microprocessors, allow real-time verification of data by linking command posts in large teleconferences during a nuclear alert. Thus, without computer-automated procedures, early warning systems would fail.
The extremely short decision-making periods that characterize a nuclear alert are due to a combination of U.S.-Russian policies of "launch on warning" and the short flight times of ballistic missiles. ICBMs complete their flight paths between the United States and Russia in just 25 to 30 minutes, while weapons launched from U.S. forward-deployed Trident submarines would hit Russian targets within 15 minutes or less. A launch-on-warning policy demands that each side avoid the preemption of its own forces by enemy surprise attacks while at the same time preempting as many enemy missile sites as possible in an offensive strike. Therefore, even under the best of circumstances, the United States and Russia have no more than 25 minutes to complete the entire launch process. Given this unforgiving operating environment, if Y2K were to produce ambiguous data or blackouts of crucial surveillance sensors or the failure of critical communications between command posts, nuclear commanders could interpret these events as evidence of an ongoing surprise strike by the opponent and act accordingly.
POST-COLD WAR STATUS QUO
Because computer errors, hardware failures, and sensor outages were common for both Russia and the United States during the Cold War, redundancy in sensors and human command procedures was built into the system to avoid accidents. Unfortunately, the integrity of Russian nuclear operations has steadily declined over the last decade due to severe shortfalls in military expenditures, undermining this redundancy.
Russia has two types of satellite networks. The original Molniya network consisted of seven to nine satellites in elliptical orbits. Now only three satellites out of this constellation remain operational. This degradation is part of normal system operations, and without one to two launches of replacement satellites every year, Russia's capability will continue to erode. In the late 1980s, Russia attempted to support the Molniya network by launching a second network of more advanced geosynchronous satellites, which have a longer lifespan. Only two of the necessary eight satellites from this second network are still operational.[2]
In theory, Russia can detect an American launch of ICBMs a minute or two after launch. However, due to the deterioration of satellite networks, Russia is blind to ICBM launches from the continental United States for approximately three hours each day. Additionally, neither of its satellite networks could spot a U.S. attack staged by Trident submarines stationed in the North Atlantic and Pacific, close to Russian territory.[3] Only the ground-based radar stationed around Russia's perimeter could identify Trident launches, and then only after the missiles had completed about a third of their flight path. This would give Russian leaders very little time, only 6 to 10 minutes, to analyze the data, make a decision, and issue launch orders.
To make matters worse, Russia's ground-based radar network is outdated, and some key sites have been lost due to the disintegration of the Soviet Union.[4] Because of these losses, two large gaps in coverage would allow Trident submarines stationed in the Gulf of Alaska or the North Atlantic to attack with impunity.[5]
Possible Trident launches are not Russia's only problem, however. The gaps in ground-based radar seriously weaken Russia's ability to track U.S. ICBM attacks through time in all flight corridors. The temporal element of early warning, in which each missile or warhead is identified at two separate points in the warning process, would be lost for some attack scenarios. This undermines redundancy in verification procedures for launches from the continental United States.[6] Of course, this growing dependence on just one type of sensor increases the chances of a mistake if Y2K disturbances were to affect the systems still in operation.
Also, Russia, like the United States, depends on dispersed data-receiving sites for the initial processing and transfer of satellite data to officials in more central locations. If computer malfunctions were to take out the data processors for one or more of these satellite ground stations, or if Y2K errors were to undermine the automated telecommunications systems that relay information to command posts from these sites, then Russia would find itself dependent on the ground-based radar network. In this case, 25 to 30 minutes' advance notification of ICBM launch would be nearly impossible, and commanders would be faced with severely truncated decision times similar to those associated with a Trident missile attack from forward-deployed positions in the North Atlantic and Pacific.
Furthermore, the existing gaps in the early warning network may increase Russian reliance on streamlined command procedures with a greater chance of human-machine errors. Russia's military and political leaders can now choose among a variety of alternatives for improving quick-launch defensive capabilities during a crisis if needed.
One such option would give the civilian political authorities push-button control of forces without the intervention of the military's General Staff in the authorization process.
Another option is a back-up launch authorization system dubbed Perimeter. In the event that a U.S. first strike overwhelmed the early warning capabilities of space and ground sensors and eliminated Russian leadership, this system would automatically send up an ICBM with communications relays housed in the nose cone. Once at a sufficient height, this system would remotely transmit unlock codes and launch instructions to lower launch personnel without any authorization by top officials in the normal chain of command.[7]
Less dramatically, existing plans for delegating launch codes before a crisis could allow lower commanders to act on their own if they believe the General Staff has been taken out by an American first strike. In all of these cases, Y2K-related computer failures could be magnified by the loss of human checks and balances in the Russian command system.
Finally, there is an ongoing danger completely unconnected to the deployed Russian arsenal: the state of Russian decommissioned submarines. Hundreds of out-of-service Russian nuclear submarines have been improperly handled since the end of the Cold War, and spent nuclear fuel from these vessels has been polluting communities and large tracts of the North Atlantic close to Scandinavia. Moreover, many of these scuttled submarines require the circulation of liquid metal coolant through their reactor cores to prevent a meltdown of the nuclear fuel rods, which are still generating heat years after reactor shut-down.[8] The loss of electrical power from outside suppliers, potentially due to Y2K problems in the automated switches of the electrical grids, or to loss of natural gas supplied by Gazprom if IBM-style mainframes in Russian power facilities fail, could stop coolant pumps and cause multiple meltdowns. Bruce Blair, a Russian nuclear expert at the Brookings Institution in Washington, D.C., has referred to this situation as "multiple mini-Chernobyls waiting to happen."[9]
There is both good and bad news regarding the probability of Y2K mishaps in Russian operations. The good news is that because Russia is currently decades behind the United States in computer technology, most of its infrastructure is electromechanical rather than digital.[10] Unlike digitally based microprocessors, electromechanical devices do not have software that potentially includes date fields in its logic.
However, overshadowing the good news are other realities. First, Russian military and civilian officials have only recently admitted the potential enormity of the Y2K problem for nuclear operations. In August 1998, Russia's telecommunications chief Alexander Krupnov admitted that roughly 100 government computer systems might be affected by Y2K. However, he made no specific reference to military computers at that time. In a more candid account published on February 3, 1999, Krupnov summarized the results of an agency-by-agency assessment conducted during the fall of 1998.[11] These assessments involved all 134 early warning facilities that rely on some level of automated computer control for the reception, processing, and distribution of data.[12] The ministry responsible for early warning systems is now expected to find resources within its own budget for the repair and testing of these facilities.[13] Unfortunately, Russia cannot even pay its own officers and technicians on a consistent basis, let alone fund the complex and costly testing program needed to validate Y2K repairs across all computer interfaces.
Testing is the most time-consuming and expensive part of the Y2K remediation process. Comprehensive sensor-to-shooter examinations involve multiple missile attack scenarios, including everything from a single ICBM launch to an all-out first strike by an opponent. Furthermore, these scenarios must be repeated for every date related to Y2K errors. For instance, in addition to recognizing the year 2000, these systems-of-systems tests must also recognize that the Year 2000 is the first millennial leap year since 1600, so that both February 29th and the 366th day of 2000 are accounted for in simulations.
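As an added illustration (not part of the original article), the sketch below shows why a test scenario has to be repeated for each critical date rather than for the rollover alone. The three date routines are hypothetical stand-ins: one stores a two-digit year, one widens the year field but keeps a shortcut leap-year rule, and one applies the full Gregorian rule; each is checked against Python's own calendar.

```python
from datetime import date

# Boundary dates named in the paragraph above: the century rollover,
# February 29th, and the 366th day of 2000, plus their neighbours.
CRITICAL_DATES = [(1999, 12, 31), (2000, 1, 1), (2000, 2, 28),
                  (2000, 2, 29), (2000, 3, 1), (2000, 12, 31)]
REFERENCE = (1999, 12, 30)  # constructed "last known good" timestamp
MONTH_LENGTHS = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


def naive_leap(year):
    """Shortcut rule: every 4th year is a leap year, except century years."""
    return year % 4 == 0 and year % 100 != 0


def gregorian_leap(year):
    """Full rule: century years are leap years only if divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def make_day_number(is_leap, two_digit_year):
    """Build a days-since-1900 routine from a leap rule and a year-field width."""
    def day_number(year, month, day):
        # A two-digit field stores 1999 as 99 and 2000 as 00.
        field, first = (year % 100, 0) if two_digit_year else (year, 1900)
        lengths = list(MONTH_LENGTHS)
        if is_leap(field):
            lengths[1] = 29
        if not 1 <= day <= lengths[month - 1]:
            raise ValueError("invalid date")
        whole_years = sum(366 if is_leap(y) else 365
                          for y in range(first, field))
        return whole_years + sum(lengths[:month - 1]) + day
    return day_number


# Hypothetical routines under test (assumptions made for this example).
LEGACY = make_day_number(naive_leap, two_digit_year=True)
PARTIAL = make_day_number(naive_leap, two_digit_year=False)
FIXED = make_day_number(gregorian_leap, two_digit_year=False)


def run_suite(day_number):
    """Return {date: failure} for every critical date the routine mishandles."""
    failures = {}
    for ymd in CRITICAL_DATES:
        # Oracle: elapsed days according to the standard library calendar.
        expected = (date(*ymd) - date(*REFERENCE)).days
        try:
            got = day_number(*ymd) - day_number(*REFERENCE)
        except ValueError:
            failures[ymd] = "rejected as invalid"
            continue
        if got != expected:
            failures[ymd] = f"elapsed {got} days, expected {expected}"
    return failures


if __name__ == "__main__":
    for name, routine in [("legacy", LEGACY), ("partial fix", PARTIAL),
                          ("full fix", FIXED)]:
        print(name)
        for ymd, why in run_suite(routine).items():
            print("  ", ymd, why)
```

The partially repaired routine passes the rollover itself and fails only from February 29th onward, which a test run limited to January 1 would not reveal.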
In the West, integrated tests of early warning systems were performed in December 1998 and February 1999. The tests involved computer systems under three separate commands, with at least 30 separate attack scenarios for each of five critical Y2K-related dates. These exercises incorporated repeated test runs with thousands of subsystems and millions of lines of code.[14]
Still more wargames are necessary to test the dependency of the North American Aerospace Defense Command (NORAD) on private and in-house suppliers of telecommunications lines and electrical power, as well as communications between Strategic Command and all of the crews controlling the deployed forces.[15] Given the extraordinary logistical demands of this testing process, it is unlikely that enough time remains for Russia to complete repairs and testing.
Progress has been delayed at least in part because top Russian officials disagree on the nature of date dependencies in nuclear systems. General Vladimir Dvorkin, head of Defense Ministry for Missile-warning Systems, claims 74 early-warning facilities are in critical condition because of their unpreparedness for the Y2K computer problem.[16]
In contrast, Nikolay Mikhaylov, the first deputy defense minister, has declared that "these automated systems have no calendar dates, as the countdown of time begins from the moment of a command for some operations."[17] Furthermore, said Mikhaylov, "In Russia the missile command systems are real-time systems. We have no Y2K problem in the on-board missile equipment, at launching sites, or at command centers."[18]
Although it is hard to tell where the truth lies, this inconsistency in official positions may be more a matter of semantics than a real disagreement. The difference appears to be in the distinction between the dispersed network associated with early warning of U.S. launch activities and the more direct, top-down command and control of Russian nuclear weapons.
Early warning networks constitute the first part of a nuclear alert. The data flows upward from the dispersed data receiving sites on the ground, to mid-level command posts for interpretation of data, and finally to the political and military leaders who must actually make decisions about retaliation. In contrast, the command and control of nuclear weapons during the second half of a nuclear alert involves a top-down information flow, from political leaders and commanders at the apex of the chain of command down to the personnel manning the missile silos.
Russian officials seem to be saying that the telecommunications connections between the general staff, political leaders, and lower controllers of deployed ICBMs are impervious to Y2K problems, so that no gaps will develop in the authorization process for launch of weapons. However, Dvorkin's and Mikhaylov's remarks still question the preparedness of satellites, radars, ground-based data receiving stations, and the communications links between these various systems and top commanders.
The U.S. intelligence community has reached conclusions similar to those of General Dvorkin. In recent Senate testimony, the National Intelligence Council noted that Soviet-era mainframes are roughly similar to the IBM 360 and 370 series, which are two of the primary legacy systems in the West with operating systems vulnerable to Y2K problems.[19]
On September 2, 1998, Presidents Bill Clinton and Boris Yeltsin issued a "Joint Statement on the Exchange of Information on Missile Launches and Early Warning." The plan is for the United States and Russia to provide each other with "continuous information on the launches of strategic and ballistic missiles...detected by their respective early warning systems." This information coordination could take place at a center operated by U.S. and Russian personnel working side-by-side.[20]
Russia and the United States subsequently formed high-level interagency teams to plan and implement this joint declaration, holding a session in Washington, D.C., in September 1998, followed by a similar session in Moscow three months later. However, no concrete proposals on the timing, logistics, and scope of data sharing were generated or discussed during these meetings.[21]
This lack of concrete planning was evident in discussions with John Harvey, director of nuclear forces and ballistic missile defense policy in the Office of the Secretary of Defense. When asked in February 1999 whether the three U.S. infrared early warning satellites could in fact provide useful data on American launch activities to the Russians, as opposed to the traditional mission of spying on Russian missile fields, Dr. Harvey admitted that his office had not yet "considered those kinds of technical details."[22] In March, a civilian advisor to the talks, nuclear systems expert Theodore Postol of the Massachusetts Institute of Technology, broke ranks and sharply criticized the efforts of both the Pentagon and the National Security Council.
"On both sides, high-level policy makers and elected officials accepted the idea of sharing early warning information without consulting their own technical people," Postol said. "They have nothing specific to say about the proposed center because they have not thought through any of the details. There's nothing for them to say."[23]
As it turns out, U.S. satellites can in fact inform the Russians about all U.S. missile launch activities, including Trident submarine patrols as well as stationary ICBMs on American territory.[24] However, there are many other significant weaknesses that have plagued talks from the beginning.
First, Russian officials have always regarded the prospect of data sharing as pertaining only to the activities of developing countries, such as the ballistic missile programs of Iran, North Korea, and China.
Second, if Russia were to share its data on a real-time basis through the use of computer screens combining U.S. and Russian coverage of the same missile events, it would be a fairly straightforward task for U.S. nuclear analysts to map the exact gaps in Russian operations.[25] Conceivably, concrete evidence on the nature of Russian systems degradation could be used to benefit the United States in a future crisis.
Third, Russians would be unable to verify the accuracy of U.S. data because the output of U.S. satellite sensors is never seen by human analysts in its original form. Given the heavy data filtering that occurs even within the first minute after reception by ground stations, the United States could manipulate the data for its own benefit at several points in the information pipeline that leads to NORAD headquarters. Therefore, for the proposed facility to be successful in its mission, Russian officials would simply have to accept at face value the data stream that is fed to them through United States computer systems.
These factors have led many Russian senior military officials to conclude that the U.S. proposal is simply an intelligence operation aimed at Russia.[26] One respected military affairs journalist for the Moscow Times argued in February 1999 that "Exposing Russia's military computer backwardness to Americans could undermine the threat potential of Russia's nuclear deterrent. Instead of improving an already wobbly partnership, attempts at Russian-U.S. Y2K cooperation have up to now only enhanced mutual mistrust."[27]
To allay these fears and reinvigorate the talks, a third bilateral meeting in February 1999 was explicitly connected to the more public discussions of the Defense Consultative Group, a body created after the Cold War to coordinate defense policies between the United States and the Russian Federation.[28] During these meetings, the United States raised the possibility of exchanging "management techniques" and various software tools for assessing and repairing Y2K-vulnerable systems. More significantly, the U.S. team drastically amended the original concept for a shared early warning facility in Moscow. While noting that consultations on the Moscow center would continue, the team created a new track for Y2K, one that would specifically not require Russia to supply its own early warning data.
Instead, the United States would construct the "Joint Center for Year 2000 Strategic Stability," a smaller facility outside Cheyenne Mountain in Colorado where the Russians would be invited to monitor U.S. data in real-time during the century rollover (roughly, December 15-January 15). In technical terms, the facility was to be constructed along the lines of the shared air traffic control systems in Berlin during the Cold War.[29] Russian officials soon agreed to visit the United States in March to address the technical parameters of the proposed facility.[30]
Despite these amendments, however, the success of a shared warning facility still depends on the continuation of smooth relations between the two nuclear powers. As one American nuclear expert remarked in early March, "It can be implemented as long as an international crisis does not exist. However, it would surely break down if a renewed crisis were to develop between the United States and Russia, and it is precisely during tense crises that stabilizing measures are needed the most."[31]
This prophetic statement has been borne out by events in Kosovo. The Russians have suspended, along with other measures, all planned discussions on the Cheyenne Mountain facility.[32] So far, the Pentagon has received no information on the possibility for a future renewal of talks. NORAD and Office of the Secretary of Defense planners are now proceeding unilaterally with the construction of the Y2K facility in the hopes that Russia will eventually return to the bargaining table.[33]
LAUNCH ON WARNING
Despite these considerable obstacles, there is a glimmer of hope for the new millennium. This hope resides in the ability of the United States to alter its strategy to fit the post-Cold War international environment.
Plans for a shared early warning facility do nothing to address the more basic problem of U.S.-Russian hair-trigger force postures. Roughly 4,400 warheads in Russian and U.S. arsenals are in ready-to-launch mode.[34] For the United States, the three required steps for launch can be implemented in one minute or less. Also, the U.S. Strategic Command continues to emphasize offensive military options that incorporate quickly executed first strikes against the enemy's nuclear arsenal. Because most of Russia's nuclear weapons are easy-to-target stationary ICBMs and therefore more vulnerable to first strikes, Russia has been forced to place increased emphasis on first use of nuclear weapons and quick retaliation in a crisis.
Presumably, American military officials are not alarmed by these bilateral policies because they believe U.S. systems will be entirely Y2K compliant, and through the early warning cooperative agreement, U.S. data can take the place of flawed Russian information. On these assumptions, officials have repeatedly rejected mutually verifiable arms control measures that would lower alert rates and make quick launch of ICBMs impossible for both sides.
This collective attitude of both senior U.S. legislators and military officials demonstrates a fundamental inability to learn from computer accidents that occurred throughout the Cold War. In U.S. operations in 1980, for example, an embedded 64-cent chip with a flawed design, nestled deep in telephone switching hardware at NORAD, suddenly started sending messages to other command posts that a Soviet attack was under way, causing two raised alert levels within a three-day period.[35] Nor was this incident an isolated case. Official correspondence between U.S. commanders in subsequent years refers obliquely to multiple computer-based mishaps, such as false reports from an infrared satellite that "could have resulted in unacceptable posturing of Strategic Air Command forces."[36]
Y2K vulnerabilities add to this disturbing history of unforeseen glitches in the early warning information pipeline. Most experienced computer scientists admit that dedicated testing programs will reveal only the presence of errors, not their complete absence. Moreover, computer failures rarely repeat themselves in exactly the same form, with the result that none of the documented U.S. and Russian near-accidents could have been predicted beforehand by the systems' designers.
Relying on the proposed early warning facility as a cure-all for Russia's lack of a Y2K program is a counterproductive diversion from more meaningful policies. A much more effective means of avoiding accidental nuclear war would be to end Russian and American dependence on the complex computer systems that provide early warning information to commanders. This can only be done by instituting de-alerting procedures to abolish the ever-present threat of nuclear surprise attacks by both sides.
Michael Kraig is a Herbert Scoville Jr. Peace Fellow at the British American Security Information Council (BASIC) in Washington, DC.[37]
1. David Hoffman, "Soviet Officer Faced Nuclear Armageddon," Washington Post (February 10, 1999).
2. Theodore Postol, Briefing slides: "The Nuclear Danger from Shortfalls in the Capabilities of Russian Early Warning Systems," presented on February 26, 1999, at the Carnegie Endowment (Washington, DC); see also David Hoffman, "Russia's Myopic Missile Defense: Gaps in Early-Warning Satellite Coverage Raise Risk of Launch Error," Washington Post Foreign Service (February 10, 1999).
3. David Hoffman, "Soviet Officer Faced Nuclear Armageddon," Washington Post (February 10, 1999).
5. Postol, Briefing slides.
6. The implications of this lack of redundancy in some geographical areas have not yet been fully explored for all conceivable US attack scenarios against Russia.
7. Bruce Blair, "Statement before the House National Security Subcommittee," US Senate (Washington, DC: March 13, 1997).
8. Thomas Nilsen, "Naval Nuclear Waste Management in Northwest Russia," Bellona Project (Oslo, Norway: Bellona Foundation, 1998).
9. Bruce Blair, Presentation at the "Nuclear Y2K Symposium," co-sponsored by the STAR Foundation, British American Security Information Council (BASIC), and Nuclear Information and Resource Service (NIRS) (Washington, DC, March 8, 1998).
10. Ron Lewin, Voice of America broadcast, January 30, 1999, 12:09 pm.
11. Bulletin News Network (BNN) "Frontrunner," Washington News (February 4, 1999). Originally taken from the Associated Press Wire Service by BNN.
12. Itar-Tass News Agency, "Russia's Nuclear Control not Prone to 2000 Bug - Official" (March 3, 1999).
13. Martin Nesirky, "Russian Military Upbeat on Y2K but not Complacent," Reuters Wire Service (February 3, 1999).
14. Warren Patterson, Joint Staff Year 2000 Task Force, DOD News Briefing (Washington, DC: Office of the Assistant Secretary of Defense for Public Affairs, January 14, 1999); John Donnely, ed., interview with Brigadier General Robert Behler, US Air Force, "Nuclear Warriors Take on New Foe: Y2K," Defense Week (January 4, 1999); R.F. Smith, Testimony before the Senate Armed Services Committee, Subcommittee on Readiness and Management Support, Hearing "Year 2000 Threats to National Security" (February 24, 1999).
15. Ibid. The December and February integrated tests involving systems under NORAD, Space Command, and Strategic Command considered only the first phase of a nuclear alert, the Integrated Tactical Warning and Attack Assessment Phase, which includes the mission of ballistic missile attack warning. Strategic Command must still complete integrated systems tests for the command and control of deployed forces, dubbed the execution and post-execution phases (i.e., those phases in operations that include dissemination and implementation of launch orders, both before and after the missiles start flying).
16. Associated Press Wire Service, "Official: Y2K Raises Missile Fears" (March 2, 1999).
17. Itar-Tass, "Russia's Nuclear Control Not Prone to 2000 Bug - Official."
19. Lawrence K. Gershwin, "Written Statement for the Senate Special Committee on the Year 2000 Technology Problem" (Washington, DC: National Intelligence Council, March 5, 1999).
20. United States Information Agency (USIA), "Fact Sheet: The Exchange of Information on Missile Launches (US, Russia Strengthen Strategic and Regional Stability)," USIS Washington File (September 2, 1998).
21. Telephone interview with Theodore Postol, professor of Science, Technology, and National Security Policy, Massachusetts Institute of Technology, March 1, 1999.
22. Telephone interview with Dr. John Harvey, Director, OSD Nuclear Policy and Ballistic Missile Defense Policy Office, February 8, 1999.
23. Postol, Telephone interview.
24. Postol, Briefing slides.
25. Postol, Telephone interview.
27. Reuters Wire Service, "U.S. Military Start Moscow Talks on Millennium Bug," February 18, 1999.
28. Edward Warner, "DOD News Briefing," February 25, 1999.
31. Postol, Telephone interview.
32. Reuters Wire Service, "Russia Calls off Y2K Cooperation with the US" (March 26, 1999).
33. Discussion with Peter Tyler, legislative assistant to Senator Tom Harkin (Iowa), April 8, 1999. Peter Tyler received notification of OSD plans from Dr. Phil Jameson, Assistant Director, Nuclear Forces and Ballistic Missile Defense Policy Office, Pentagon.
34. Frank von Hippel, "Briefing Slide: Warheads Possibly on Launch-on-warning Alert," Presentation at the International Workshop on Dealerting of Nuclear Missiles (Stockholm, Sweden; October 8-10, 1998).
35. Scott D. Sagan, The Limits of Safety: Organizations, Accidents, and Nuclear Weapons (Princeton: Princeton University Press, 1993), pp. 231-238.
36. Bruce Blair, The Logic of Accidental Nuclear War (Washington, DC: Brookings Institution Press, 1993), p. 189.
37. The author would like to thank BASIC research fellow Tanya Padberg for her invaluable editorial comments in finishing the final draft of this article.