


The Year 2000 Problem and the Danger of Accidental Nuclear War

The Year 2000 Problem with computers has attracted growing attention in the computer and commercial sectors, but it is only in recent weeks that the potential implications of this problem for the danger of nuclear war have become public. Because of the secrecy and sensitivity of strategic warfighting systems, there are currently few definitive answers, but many important questions that must be addressed in coming months by the nuclear weapon states.

The considerable uncertainties as to the impact of the Y2K problem on society generally are vastly magnified in the nuclear context. Contemplating the probable effects on society generally, prognosticators anticipate that the impact of the Y2K problem will be somewhere between annoying and catastrophic. The range of uncertainty of the impact of Y2K on nuclear weapons is even greater, ranging between barely noticeable and literally apocalyptic. The most frightening scenario, in which Y2K problems cause nuclear missiles to spontaneously launch themselves at the instant the new millennium dawns, is also the least plausible scenario. There are, however, other more subtle and less direct paths by which Y2K problems could appreciably increase the probability of accidental or inadvertent nuclear war.

There are a number of reasons to anticipate, in principle, that Y2K problems would be satisfactorily resolved at these critical nuclear warfighting commands. There are, however, a number of reasons to suspect that in practice Y2K problems may continue to lurk in the bowels of these vast enterprises.

In principle, the STRATCOM and USSPACECOM operating environments, as well as those of supporting intelligence activities, represent discrete highly-visible mission-critical implementations which are obvious candidates for robust Y2K compliance. In practice, this strategic nuclear warfighting infrastructure is a vast system-of-systems that constitutes the single most complex automated information system currently in existence. In June 1998, Fred Kaplan reported in the Boston Globe that a 1993 test of missile warning systems for Y2K compliance produced a shutdown of the system.

Whereas in the past this operating environment was relatively isolated from other systems, post-Cold War changes have introduced a variety of novel interfaces with non-nuclear systems. During the Cold War strategic bombers were assigned to the Strategic Air Command, though they are now assigned to Air Combat Command where they are largely tasked to perform conventional missions. Along with other forces, these units are now linked through the new Global Command and Control System (GCCS), the automated information system which supports force-wide deliberate and crisis planning. The inherent complexity of these systems and existing interoperability problems may be further complicated by Y2K interface problems. Of the roughly 100 major information systems involved in theater air and missile defense operations, nearly half are not currently certified for interoperability. In March 1998 GAO reported that problems encountered in exercises over the past two years "resulted in the simulated downing of friendly aircraft in one exercise and in the nonengagement of hostile systems in another."

In principle, many Y2K problems should solve themselves through the phase-out of older systems which are most vulnerable to Y2K, and most difficult to fix. Roughly half of DOD's desktop computers, generally those of more recent vintage, have been found to be Y2K compliant. However, in practice, nuclear warfighting commands will enter the new millennium using at least some systems that date to the 1960s. USSPACECOM is nearing completion of the long-running Cheyenne Mountain Upgrade (CMU) Program, which consists of upgrades to ballistic missile, air, space, and command center elements, as well as upgrades to survivable communication and warning elements. STRATCOM has recently embarked on a major upgrade to its headquarters information systems under the Computing Environment STRATCOM Architecture (CESAR) program.

The new Defense Message System (DMS) is being phased in to replace the Automated Digital Network (AUTODIN) which dates to the 1960s. These backbone networks provide secure messaging for intelligence, diplomatic communications, and military operations. But due to problems with implementation of multi-level security in the new DMS, USSTRATCOM will continue to use the elderly AUTODIN system past the end of the millennium.

The impact of Y2K problems on American nuclear warfighting capabilities remains uncertain. While many nuclear-related information systems will surely be fixed well in advance of the new millennium, at present this is a conjecture rather than a matter of public record.

What will happen to American nuclear forces on the first day of the new millennium? Probably nothing. The most commonly encountered Y2K glitches will almost certainly consist of minor annoyances for system operators that pose little risk to the rest of the world. And more significant system failures would almost certainly be fail-safe rather than fail-deadly: Y2K is far more likely to prevent missiles from launching when ordered, than to cause missiles to launch themselves un-ordered.

The implausibility of the most compelling scenario -- missiles leaping unbidden from their silos the second the new millennium dawns -- should not diminish concerns about the risk of accidental nuclear war resulting from the Y2K problem. Complex systems unavoidably display unpredictable emergent properties. The normal vagaries of the Windows-95 operating environment that are the daily torment of desktop computer users are but a dim premonition of the potential for vastly more complex nuclear command and control systems to exhibit "undocumented features."

American strategic command and control systems will experience unprecedented stress during the year 2000, due both to unresolved internal Y2K problems, and Y2K back-contamination from other system interfaces. The precise nature of this stress is difficult to anticipate at this time, and may be difficult to diagnose at the time. Concerns about Y2K will surely complicate the normally challenging fault isolation process, as every normal glitch will require the added step of seeking a Y2K explanation. This will introduce new levels of doubt and uncertainty concerning system integrity, both for positive control of nuclear attack forces as well as for strategic intelligence and warning systems.

Y2K@nuke.world

Unfortunately, the American strategic command and control system does not exist in isolation, but rather is connected through subtle interfaces with counterpart systems in the other nuclear weapon states. Just as the United States depends on a system-of-systems with directly connected interfaces, all the nuclear weapons states are part of a single system-of-system-of-systems connecting their command networks through indirect, tenuous but nonetheless real operational interfaces.

Providing robust assurance that Y2K will not substantially increase the risk of accidental nuclear war requires not only ensuring American Y2K compliance, but also Y2K compliance of the other nuclear weapons states, and assurances of such Y2K compliance.

The Defense Department is not unaware of the importance of this problem, and in early June 1998 Defense Secretary Cohen met with Russian Defense Minister Sergeyev to address the Y2K problem. Cohen noted that "early warning would be important; what happens in the year 2000 with computers if they suddenly shut down, how would they interpret that and how will they react to that." He also noted that the Russians had stated that "they calibrate their computers differently than we do in the United States, in the West, and they don't foresee a problem."

The core of the Y2K risk derives from the more general nuclear danger under current conditions. Despite a variety of force reduction and detargeting initiatives, most of the world's nuclear forces remain on the hair-trigger alert that is a legacy of Cold War fears of a "bolt-from-the-blue" sneak attack. With the end of the Cold War it has become increasingly apparent that such high alert levels are unwarranted, and are in fact contributory to the risk of accidental or inadvertent nuclear war. Standing down from such high readiness levels is long overdue, and should be a high priority for the nuclear weapons states. While some might suggest that Y2K concerns mandate the immediate de-alerting of nuclear forces, in the real world these arguments are unlikely to move decision makers, though they would almost certainly contribute to public alarm.

Such public alarm would not be entirely misplaced, as sustaining high alert levels would seem to be directly contributory to the nexus between the Y2K problem and the risk of accidental or inadvertent nuclear war. Initially presenting Y2K glitches would almost certainly have the consequence of rendering information systems inoperable to a greater or lesser extent. But the mandate to sustain very high alert levels could impel system operators to improvise technical implementations and operational procedures. Normal contingency procedures may also in turn manifest Y2K anomalies. System integrity may also face coincidental compromises from a variety of factors, ranging from solar-storm induced communications outages to heightened security due to warnings of terrorist attacks.

At this point, operators and commanders may face difficult choices between reducing the overall readiness of nuclear warfighting forces, and making changes in the operational practices of those forces to compensate for degradations in command and control capabilities. Such difficult choices would not be made in isolation, but might simultaneously confront system operators in more than one country, creating complex interactions among partially degraded command and control networks and nuclear warfighting forces. Random events, such as solar storms or sounding rocket launches, could further perturb the situation.

In practice, such tightly-coupled interactions are all rather unlikely, given the poor track record of the American intelligence community in monitoring the alert status of Soviet forces during the Cold War. But technological "accidents" seem inexorably to result from seemingly trivial technical problems compounding in unlikely ways to produce surprising and occasionally catastrophic results.

There is obviously considerable potential for public alarm here, whatever the actual underlying risks of Y2K leading to accidental nuclear war. One obvious step would simply be to take all nuclear forces off alert, pending robust resolution of any lingering doubts concerning Y2K compliance. While there are certainly many compelling reasons for de-alerting nuclear forces, it would probably be counterproductive to suggest that the Y2K problem mandates immediate de-alerting as the only prudent step for ensuring that the new millennium does not dawn with a nuclear apocalypse.

Several relatively straightforward steps are clearly called for, both to address the actual potential for the increased risk of accidental nuclear war due to Y2K, and to address potential public concerns.

The first step would be a continuation of Awareness Phase activities to include familiarizing information system operators with likely symptoms of Y2K non-compliance, to reduce the degree of confusion or alarm that may accompany unexpected system performance. Because of the high level of vigilance that currently attends strategic command and control operations, care must be taken to ensure that Y2K-induced glitches are not mistaken for malevolent assaults by adversaries.

The second step would be implementation of robust contingency planning detailing alternate means of fulfilling affected information system missions in the event of a critical failure induced by Y2K problems. These should include defaulting functions to appropriate manual operation if needed. It is exceedingly unlikely that Y2K problems would induce the generation of apparently valid launch authorizations, given the complexity and redundancy of existing launch authorization mechanisms and procedures. Nonetheless, given the equally remote likelihood of a "bolt-from-the-blue" sneak attack, a requirement to verbally authenticate apparently valid launch orders would provide an additional risk reduction measure.

The third, and most critical, step would be direction from the National Command Authority that, as a matter of national policy, system operators and commanders should accept reductions in alert status and warfighting readiness pending resolution of Y2K induced problems, rather than attempting to sustain high alert rates through implementing or improvising contingency plans that could contribute to increasing the risk of accidental or inadvertent nuclear war. These are not priorities that can be chosen by commanders on the scene, particularly when faced with puzzling or alarming system failures possibly induced by Y2K problems.

The next step would be the completion of an independent Y2K compliance audit of STRATCOM, USSPACECOM, and supporting intelligence activities. While the full report would surely be highly classified, some portion of the audit and Y2K compliance certification could surely be released to the public, confirming that the American strategic command and control system is Y2K compliant, and that robust measures are in place to counter Y2K interface problems caused by potentially non-compliant American systems.

An American working group, consisting of participants from nuclear weapons agencies and agencies concerned with information assurance issues, should be established to make formal Y2K compliance presentations to all the other nuclear states [declared and otherwise]. The focus of these activities would include a rehearsal of the nature of the problem, representations concerning American Y2K compliance initiatives, offers of technical assistance, and a request for reciprocal Y2K compliance certification.

Extending Secretary Cohen's initial June meetings, the United States should formally request that all nuclear weapons states implement formal Y2K compliance certification for their nuclear command and control systems. This compliance certification should be validated by some independent entity within each country, consistent with domestic Y2K compliance procedures. The final outcome of this process would be formal public statements by the nuclear weapons states of their Y2K compliance.

None of these initiatives can guarantee the eradication of the millennium bug from nuclear command and control systems, just as there is no guarantee against nuclear war other than the elimination of nuclear weapons. But systematic initiatives taken today could significantly contribute to reducing the risk of accidental nuclear war, and certainly contribute to reducing public anxieties concerning this risk.



http://www.fas.org/2000/y2k/analysis.htm
Maintained by John Pike
Created Saturday, July 04, 1998 9:00:00 AM
Updated Thursday, December 03, 1998 9:44:58 AM