'The Year 2000 Problem and the Danger of
Accidental Nuclear War
The Year 2000 Problem with computers has attracted growing attention in the computer and commercial sectors, but it
is only in recent weeks that the potential implications of this problem for the danger of nuclear war have become public.
Because of the secrecy and sensitivity of strategic warfighting systems, there are currently few definitive answers, but
many important questions that must be addressed in coming months by the nuclear weapon states.
The considerable uncertainties as to the impact of the Y2K problem on society generally are vastly magnified in the
nuclear context. Contemplating the probable effects on society generally, prognosticators anticipate that the impact of
the Y2K problem will be somewhere between annoying and catastrophic. The range of uncertainty of the impact of
Y2K on nuclear weapons is even greater, ranging between barely noticeable and literally apocalyptic. The most
frightening scenario, in which Y2K problems cause nuclear missiles to spontaneously launch themselves at the instant
new millennium dawns, is also the least plausible scenario. There are, however, other more subtle and less direct paths
by which Y2K problems could appreciably increase the probability of accidental or inadvertent nuclear war.
There are a number of reasons to anticipate, in principle, that Y2K problems would be satisfactorily resolved at these
critical nuclear warfighting commands. There are, however, and number of reasons to suspect that in practice Y2K
problems may continue to lurk in the bowels of these vast enterprises.
In principle, the STRATCOM and USSPACECOM operating environments, as well as those of supporting intelligence
activities, represent discrete highly-visible mission-critical implementations which are obvious candidates for robust Y2K
compliance. In practice, this strategic nuclear warfighting infrastructure is a vast system-of-systems that constitutes the
single most complex automated information system currently in existence. In June 1998, Fred Kaplan reported in the
Boston Globe that a 1993 test of missile warning systems for Y2K compliance produced a shutdown of the system.
Whereas in the past this operating environment was relatively isolated from other systems, post-Cold War changes have
introduced a variety of novel interfaces with non-nuclear systems. During the Cold War strategic bombers were
assigned to the Strategic Air Command, though they are now assigned to Air Combat Command where they are largely
tasked to perform conventional missions. Along with other forces, these units are now linked through the new Global
Command and Control System (GCCS), the automated information system which supports force-wide deliberate and
crisis planning. The inherent complexity of these systems and existing interoperabity problems may be further
complicated by Y2K interface problems. Of the roughly 100 major information systems involved in theater air and
missile defense operations, nearly half are not currently certified for interoperability. In March 1998 GAO reported that
problems encountered in exercises over the past two years "resulted in the simulated downing of friendly aircraft in one
exercise and in the nonengagement of hostile systems in another."
In principle, many Y2K problems should solve themselves through the phase-out of older systems which are most
vulnerable to Y2K, and most difficult to fix. Roughly half of DOD's desktop computers, generally those of more recent
vintage, have been found to be Y2K compliant. However, in practice, nuclear warfighting commands will enter the new
millennium using at least some systems that date to the 1960s. USSPACECOM is nearing completion of the
long-running Cheyenne Mountain Upgrade (CMU) Program, which consists of upgrades to ballistic missile, air, space,
and command center elements, as well as upgrades to survivable communication and warning elements. STRATCOM
has recently embarked on a major upgrade to its headquarters information systems under the Computing Environment
STRATCOM Architecture (CESAR) program.
The new Defense Message System (DMS) is being phased in to replacing the Automated Digital Network
(AUTODIN) which dates to the 1960s. These backbone networks provide secure messaging intelligence, diplomatic
communications, and military operations. But due to problems with implementation of multi-level security in the new
DMS, USSTRATCOM will continue to use the elderly AUTODIN system past the end of the millennium.
The impact of Y2K problems on American nuclear warfighting capabilities remains uncertain. While many
nuclear-related information systems will surely be fixed well in advance of the new millennium, at present this is a
conjecture rather than a matter of public record.
What will happen to American nuclear forces on the first day of the new millennium? Probably nothing. The most
commonly encountered Y2K glitches will almost certainly consist of minor annoyances for system operators that pose
little risk to the rest of the world. And more significant system failures would almost certainly be fail-safe rather than
fail-deadly: Y2K is far more likely to prevent missiles from launching when ordered, than to cause missiles to launch
themselves un-ordered.
The implausibility of the most compelling scenario -- missiles leaping unbidden from their silos the second the new
millennium dawns -- should not diminish concerns about the risk of accidental nuclear war resulting from the Y2K
problem. Complex systems unavoidably display unpredictable emergent properties. The normal vagaries of the
Windows-95 operating environment that are the daily torment of desktop computer users are but a dim premonition of
the potential for vastly more complex nuclear command and control systems to exhibit "undocumented features."
American strategic command and control systems will experience un-precedented stress during the year 2000, due both
to unresolved internal Y2K problems, and Y2K back-contamination from other system interfaces. The precise nature of
this stress is difficult to anticipate at this time, and may be difficult to diagnose at the time. Concerns about Y2K will
surely complicate the normally challenging fault isolation process, as every normal glitch will require the added step of
seeking a Y2K explanation. This will introduce new levels of doubt and uncertainty concerning system integrity, both for
positive control of nuclear attack forces as well as for strategic intelligence and warning systems.
Y2K@nuke.world
Unfortunately, the American strategic command and control system does not exist in isolation, but rather is connected
through subtle interfaces with counterpart systems in the other nuclear weapon states. Just as the United States depends
on a system-of-systems with directly connected interfaces, all the nuclear weapons states are part of a single
system-of-system-of-systems connecting their command networks through indirect, tenuous but nonetheless real
operational interfaces.
Providing robust assurance that Y2K will not substantially increase the risk of accidental nuclear war requires not only
ensuring American Y2K compliance, but also Y2K compliance of the other nuclear weapons states, and assurances of
such Y2K compliance.
The Defense Department is not unaware of the importance of this problem, and in early June 1998 Defense Secretary
Cohen met with Russian Defense Minister Sergeyev to address the Y2K problem. Cohen noted that "early warning
would be important; what happens in the year 2000 with computers if they suddenly shut down, how would they
interpret that and how will they react to that." He also noted that the Russians had stated that "they calibrate their
computers differently than we do in the United States, in the West, and they don't foresee a problem."
The core of the Y2K risk derives from the more general nuclear danger under current conditions. Despite a variety of
force reduction and detargeting initiatives, most of the world's nuclear forces remain on the hair-trigger alert that is a
legacy of Cold War fears of a "bolt-from-the-blue" sneak attack. With the end of the Cold War it has become
increasingly apparent that such high alert levels are unwarranted, and are in fact contributory to the risk of accidental or
inadvertent nuclear war. Standing down from such high readiness levels is long overdue, and should be a high priority
for the nuclear weapons states. While some might suggest that Y2K concerns mandate the immediate de-alerting of
nuclear forces, in the real world these arguments are unlikely to move decision makers, though they would almost
certainly contribute to public alarm.
Such public alarm would not be entirely misplaced, as sustaining high alert levels would seem to be directly contributory
to the nexus between the Y2K problem and the risk of accidental or inadvertent nuclear war. Initially presenting Y2K
glitches would almost certainly have the consequence of rendering information systems inoperable to a greater or lesser
extent. But the mandate to sustain very high alert levels could impel system operators to improvise technical
implementations and operational procedures. Normally contingency procedures may also in turn manifest Y2K
anomalies. System integrity may also face coincidental compromises from a variety of factors, ranging from solar-storm
induced communications outages to heightened security due to warnings of terrorist attacks.
At this point, operators and commanders may face difficult choices between reducing the overall readiness of nuclear
warfighting forces, and making changes in the operational practices of those forces to compensate for degradations in
command and control capabilities. Such difficult choices would not be made in isolation, but might simultaneously
confront system operators in more than one country, creating complex interactions among partially degraded command
and control networks and nuclear warfighting forces. Random events, such as solar storms or sounding rocket launches,
could further perturb the situation.
In practice, such tightly-coupled interactions are all rather unlikely, given the poor track record of the American
intelligence community in monitoring the alert status of Soviet forces during the Cold War. But technological "accidents"
seem inexorably to result from seemingly trivial technical problems compounding in unlikely ways to produce surprising
and occasionally catastrophic results.
There is obviously considerable potential for public alarm here, whatever the actual underlying risks of Y2K leading to
accidental nuclear war. One obvious step would simply be to take all nuclear forces off alert, pending robust resolution
of any lingering doubts concerning Y2K compliance. While there are certainly many compelling reasons for de-alerting
nuclear forces, it would probably be counterproductive to suggest that the Y2K problem mandates immediate
de-alerting as the only prudent step for ensuring that the new millennium dawn with a nuclear apocalypse.
Several relatively straightforward steps are clearly called for, both to address the actual potential for the increased risk
of accidental nuclear war due to Y2K, and to address potential public concerns.
The first step would be a continuation of Awareness Phase activities to include familiarizing information system
operators with likely symptoms of Y2K non-compliance, to reduce the degree of confusion or alarm that may
accompany unexpected system performance. Because of the high level of vigilance that currently attends strategic
command and control operations, care must be taken to ensure that Y2K-induced glitches are not mistaken for
malevolent assaults by adversaries.
The second step would be implementation of robust contingency planning detailing alternate means of fulfilling affected
information system missions in the event of a critical failure induced by Y2K problems. These should include defaulting
functions to appropriate manual operation if needed. It is exceedingly unlikely that Y2K problems would induce the
generation of apparently valid launch authorizations, given the complexity and redundancy of existing launch
authorization mechanisms and procedures. Nonetheless, given equally remote likely hood of a "bolt-from-the-blue"
sneak attack, a requirement to verbally authenticate apparently valid launch orders would provide an additional risk
reduction measure.
The third, and most critical, step would be direction from the National Command Authority that, as a matter of national
policy, system operators and commanders should accept reductions in alert status and warfighting readiness pending
resolution of Y2K induced problems, rather than attempting to sustain high alert rates through implementing or
improvising contingency plans that could contribute to increasing the risk of accidental or inadvertent nuclear war. These
are not priorities that can be chosen by commanders on the scene, particularly when faced with puzzling or alarming
system failures possibly induced by Y2K problems.
The next step would be the completion of an independent Y2K compliance audit of STRATCOM, USSPACECOM,
and supporting intelligence activities. While the full report would surely be highly classified, some portion of the audit and
Y2K compliance certification could surely be released to the public, confirming that the American strategic command
and control system is Y2K compliant, and that robust measures are in place to counter Y2K interface problems caused
by potentially non-compliant American systems.
An American working group, consisting of participants from nuclear weapons agencies and agencies concerned with
information assurance issues, should be established to make formal Y2K compliance presentations to all the other
nuclear states [declared and otherwise]. The focus of these activities would include a rehearsal of the nature of the
problem, representations concerning American Y2K compliance initiatives, offers of technical assistance, and a request
for reciprocal Y2K compliance certification.
Extending Secretary Cohen's initial June meetings, the United States should formally request that all nuclear weapons
states implement formal Y2K compliance certification for their nuclear command and control systems. This compliance
certification should be validated by some independent entity within each country, consistent with domestic Y2K
compliance procedures. The final outcome of this process would be formal public statements by the nuclear weapons
states of their Y2K compliance.
None of these initiatives can guarantee the eradication of the millennium bug from nuclear command and control
systems, just as their is no guarantee against nuclear war other than the elimination of nuclear weapons. But systematic
initiatives taken today could significantly contribute to reducing the risk of accidental nuclear war, and certainly
contribute to reducing public anxieties concerning this risk.
fas.org |
