Nuclear Command, Control and Communications (NC3)Is there a ghost in the machine?Peter Hayeswww.nautilus.orgNPTG 8651 - Seminar: The President & the BombMiddlebury College West!April 9, 2018

Roadmap of Talk: DO NOT TAKE NOTES!1. Cold War NC3I2. Vulnerability and Failure Assessment end Cold WarAsh Carter 87 Scott Sagan 93 Redux3. Post Cold War Force and NC3I Restructuring4. NC3 Shocks & Modernization5. Global NC3I Meta-System6. NC3 Stresses RussiaChinaSSBNsNorth KoreaFalse alarms-social media triggering of EW systemsNon-State Catalytic attackDisruptive AI, Q-Tech7. Possible Antidotes Multilateral Data Exchange & Independent Early Warning NetworksGlobal NC3 Code of ConductNuclear RefuseniksCommand Discipline, military tradition and honor“Duty to disobey” humanitarian international lawTrade warheads for NC3 upgrade

1. Cold War NC3I

Cold War Nuclear C3I to support bombers EW radarsAir Force World Wide Communications System , 1955 (SIGNAL)

Early Triad, Sixties : Worldwide Military Command andControl System WWMCCS

Cold War Centralization N-C3ISource: R. Finkler, Command, Control, and Communication Problems,Weapons Systems Evaluation Group WSEG 159, IDA, 1971.

Key NC3 Issues, 1971, IDA ReportSource: R. Finkler, Command, Control, and Communication Problems,Weapons Systems Evaluation Group WSEG 159, IDA, 1971.

Mature US NC3 System, Early 1980sSource: C. Zraket, presentation in C3 Systems for President and Military Commanders, session 3 National Security Issues Symposium1981, Strategic Nuclear Policies, Weapons and the C3 Connection, Electronic Systems Division USAF, MITRE Corporation, MITREDocument M82-30, pp, 87-92.

2. Vulnerability and Failure Assessmentend Cold WarAsh Carter 87 Scott Sagan 93 Redux

Carter, 1987: NC3 Vulnerability 3Identifies 3 categories of US command centers, communication nodes,warning/assessment sensors (mid-80s, notional numbers) as potential Soviet targets(560-566)Cat 1: highest priority US national nuclear command sites143Cat 2: second priority US national nuclear command sites, eg regional587Cat 3: communications , small command sites, alternate airfields1577Total Cat 1, 2, 3 NC3I targets2307Primary and secondary US strategic nuclear force targets1580With 2 WH per site, Soviets can hit all targets. But not before US missiles fired onwarning or under attack, bombers are airborne, and submarines are alerted.Concludes that US strategic N forces cannot be decapitated, some NC3I will survive suchthat massive retaliation assured by surviving, self-directed elements of 3 legs of triad,even if delayed. (607)Un-targetable airborne control posts relays critical, to all legs of triad, all regionsAttack to “stun” NC3I system would not be limited but massive, unlike eg regionalnuclear war.New vulnerabilities on horizon due to innovation eg lasersReviews technological fixes to specific vulnerabilities eg better warning and attackassessment so can retarget surviving US forces

Carter, 1987: NC3 Error and Uncertainty 3Type II error, ie, launch with false data, sensors can discriminate betweenattack and otherwise anomalous signals; and very unlikely that redundantsensors inform falsely on same time/day. But if sensors share common failuremode, system may defeat itself. Such error more likely in midst ofmischaracterized limited nuclear attack leading to launch under warning.Redundancy not simple solution: problem is not error across allsensors/displays at once, but some failures, an inconsistent picture based ontrue and false data and error of inference.“This prospect comes alive when one realizes that conflicting sensor data arenot an aberration, but the norm in the warning system. Current sensorsystems are not precise enough or cross-calibrated closely enough to make itlikely that they would all agree on the assessment.”CINCNORAD expects different sensors to present differently, even verydifferent assessments. may be real N detonation creating confusion, makingltd vs all-out attack difficult to determine because inconsistent sensor readingseven less surprising.Lesson: better attack characterization, fewer outages in sensor system, canhelp avoid both types error. Adding too much sensor redundancy may makeboth types errors more likely. May increase odds of conflicting information,increase complexity of data processing and comms system behind dataprocessing and transfer and common failure mode.

Sagan 2: High Reliability vs Normal Accidents Test of Nuclear SafetyOctober 1962 Cuban Missile CrisisSafety-Loss of ControlVandenberg October 26 1962Fired unarmed Titan test missile while rest converted to active duty, nucleararmed missiles w/o orders knowledge of senior leaders.Malmstrom Minutemen Missiles rushed into ready status w/o propercertification, procedures, launch controlOctober 26, U2 took new route more north for sampling Soviet tests, had touse sextant, but aurora prevented star sighting, strayed into Soviet airspace.Soviet MIGs scrambled; U2 ran out of fuel, glided back to Alaska, US F102Ainterceptors armed only with nuclear weapons sent to escort U2, blockMIGs. Possible precursor reconnaissance for pre-emptive attack fromSoviet perspective.October 26-27, UK nuclear forces on full alert w/o US seniors knowing, andQRA nuclear-armed aircraft on alert in Turkey w/o senior oversight althoughsuch given to missilesScott Sagan, The Limits of Safety, Organizations, Accidents, and Nuclear Weapons, Princeton, New Jersey 1993

Sagan 3: High Reliability vs Normal Accidents Test of Nuclear SafetyOctober 1962 Cuban Missile CrisisIntelligence and Early Warning:October 25, bear climbing fence set off perimeter security, leading to falseklaxon alarm at another base and alert of nuclear-armed F106A interceptorsreadying for takeoffOctober 31, Ontario radar reported 2 unidentified planes, base went toDefcon 3.October 28, Falling Leaves SW US emergency warning radar net created;Moorestown NJ radar, 2nd false alarm, software test simulating missile launchfrom Cuba, combined with coincidental Soviet satellite on screen, appearedand reported as precursor of missile attack. Warned SAC in Omaha. Nodetonation detected few minutes after predicted impact in Florida.Redundancy failed (other radars not working, no advice that satellite pending)November 2, US spy Penkovsky, already arrested in Moscow by KGB, sent falsewarning of pending Soviet attack 1968 Thule Bomber Accident (co-location nuclear weapons with earlywarning system) Oct 73 Defcon 3 alert SAC changes in alert, dispersion, but again rushed toarm test ICBMs and Cobra Ball flew edge of Soviet airspace

Sagan 4: High Reliability vs Normal Accidents Test of Nuclear SafetyNORAD 1979 False Warning-- NORAD NORAD, SAC, Pentagon, Fort Richiedisplays show full-scale Soviet SLBMs ICBMs attack. NORAD alerted entireair defense, 10 interceptors took off; presidential NEACP launched (butafter attack declared false alarm). Terminated after 6 minutes, after directcontact with warning sensors, radars, satellites.Occurred during testing of software of new computer also supporting actualdisplays. NORAD was never able to replicate source of error. Moreover,alert of fighter interceptors was due to message and communicationformatting errors.Parallel to today: new software and spirits lurking in circuits result ofgrafting new redundant sensors and comms onto nuclear warning system,increasing interactive complexity. Soviet force levels demanded rapidresponse to warning and tighter coupling of warning to forces.Conclusion: “Nuclear weapons may have made deliberate war less likely,but, the complex and tightly coupled nuclear arsenal we have constructedhas simultaneously made accidental war more likely.”

Sagan 5: High Reliability vs Normal Accidents Test of Nuclear Safety LESSONS LEARNEDMore trial and error learning, safety culture, training, exercises, redundancyMore independent reviewVicarious US-RF learningDetailed NC3 studiesShift from warrior to guardian cultureMore NUWEX, accident preventionFewer weapons to coordinate improves safety.Nuclear weapons should never be located or transported near national warningsystemsNuclear weapons should not be stored at missile testing facilities.Separate pits from warheadsSeparate Pu from high explosivesDe-alert ICBMs from L on warning postureSSBNs not be able to launch nuclear weapons w/o PALsInstall timers to prolong launch time on missilesRe-institute civilian custody of nuclear weaponsInstall radio-controlled devices to destroy missiles in flightCooperative missile defenses?Reduce complexity, avoid complexifying, needless redundancyReduce coupling

Cold War N-C3I Role in Near-Use IncidentsThree other cases: 1958 Quemoy-Matsu Crisis 1962 Okinawan missiles in Cuban Missile Crisis August 76 DMZ CrisisP. Lewis et al, “Too Close for Comfort: Cases of Near Nuclear Use and Options for Policy” Royal Institute of International Affairs, April 2014

Credibility, risk taking, flexible response, limited nuclear warRisk inherent in Massive Retaliation led to new declaratory doctrineof “Flexible Response”In Korea, this combination of forces disposed for massive retaliationwith new doctrine Inflexible ResponseTheater nuclear operations requiredLNO-Limited Nuclear Options todefeat superior (or inferior, eg NorthKorea) conventional forcesIn Korea, the “flexible response”doctrine (lower threshold) wascombined with forward-deployment(from the former massive retaliation”era) of nuclear forces to create ahybrid best called Inflexible Response.Here is a typical example of suchthinking (1976) that was in play inAugust 1976 Panmunjon CrisisPeter Hayes, "THE AUGUST 1976 INCIDENT REVISITED—THE LAST NEARLY NUCLEAR WAR IN KOREA", NAPSNet Special Reports, March 03, -nearly-nuclear-war-in-korea/4/8/201817

3. Post Cold War Forceand NC3I Restructuring

NC3, End Cold WarNuclear Safety Glass 1% empty 99% fullWe survived the Cold WarReliability Culture Perspective on NC3 US NC3 best in world USNC3 had leadership committed to nuclear safety, redundancy in controls, earlywarning sensors, decision making systems; strong reliability culture; continuous alert,high level training, PRP, ethos Not so tightly coupled so still time to react, recover to near-misses Nett result: safe routinely, even safer in crisis Normal Accident Perspective on NC3 High levels interactive complexity , eg weapons, NC3 in close proximity Dependence on sensors with long, interruptible communications Opacity and secrecy high, oversight lowHigh level of coupling, rapid warning, decision, launch times with global coordination Poor readiness for unanticipated crises and events Bugs in systems, procedures, software, concepts Accident waiting to happen

2018Massive Reduction, Re-Structuring Strategic Nuclear Force Structure: 1990-2018MIRVs on ICBM/SLBMs1990SSBN-SLBMICBMBombersTotal WarheadsMX ICBMDelivery Warheads 0%2018 "New Start"SSBN-SLBMICBMBombersTotal WarheadsDelivery Warheads : A. Woolf, U.S. Nuclear Strategic Forces: Background, Developments, and Issues, CRS RL33640, November 3,2015, pp. 2-8, at:

Carter, 1987: NC3 Vulnerability 4Deep Cuts since Cold War Greatly Reduced NC3 VulnerabilityCarter notes (596): Only deep cuts would reduce Soviet ability to target UScategory 1/2 NC3I targets (730).If still 730 such NC3 targets in 2015, and US strategic delivery targets now 1860targets, heading to 794 in 2018, then US total targets for Russia (730 1860) 2590 targets in 2018.Assuming double targeting ( 5000 warheads), the US target set now vastlyexceeds Soviet deployed strategic warheads under START II (1862) and will doso even when US strategic delivery targets falls to 794 in 2018 (total targetsthen fall to 1524, with double targeting 3048 warheads).Prima facie case that proliferating survivable NC3 nodes & links is powerfulway to overcome vulnerability when numbers fall—as they now have.

NEW TRIAD2001, DOD outlined howconventional forces bolsternuclear strategicdeterrence, rendering thelatter less important and insome cases, unnecessary.This posture wasconceptually enshrined inthe 2010 Nuclear PostureReview and resultingpresidential guidance as tohow the US should reformits nuclear forces in the“new triad”4/8/201822

1992-2006: Organizational Centralization and Consolidation1991 tactical and theater nuclear weapons removed from unified andregional commands except for small number of gravity bombs in NATO1992 US Strategic Command created, Air Force flattened structure, halvedin size, shifted out of Cold War culture2002 Space Command merged into STRATCOMThen added global strike, computer network operations, informationoperations, global intelligence, surveillance and reconnaissance, strategicwarning and assessments, combating WMDFought major conventional wars in Middle East, counter-insurgency war inAfghanistan, global counter-terrorism operations2002, a 4 star general responsible for nuclear weapons at STRATCOMBy 2008, senior military official was a Lt-Col.Source: U.S. Strategic Command, “History,” at:

4. NC3 Shocks & Modernization

2005-2014, 5 NC3 Perfect Storm of System ShocksRevenge of Near-Normal Accidents?2005-7: mistaken shipment MK-12 RV assemblies to Taiwan2007: Unauthorized transfer of six nuclear warheads left insecure24 hours, loss of control2010: Launch Control Center Launch Facility Down status and lostcommand-connectivity with 50 missiles2014-15: USAF missileer certification cheating, cultural failure2014: Maj. Gen Davey fired/retired after partying drunkenly inMoscow (former Deputy Director, Command, Control and NuclearOperations; at time, in charge AF missiles)

“Doom 99” Unauthorized Transfer of six nuclear warheads August 2007Most dangerous loss of control in history apart from 1966 Palomaresloss of H-Bomb in ocean?29–30 August 2007. Six AGM-129 cruise missiles, each loaded with a W80-1 nuclear warhead, were mistakenlyloaded onto a B-52H, call sign “Doom 99,” at Minot Air Force Base and transported to Barksdale Air Force Base. Thenuclear warheads in the missiles were supposed to have been removed before taking the missiles from their storagebunker. The missiles with the nuclear warheads were not reported missing and remained mounted to the aircraft atboth Minot and Barksdale for a period of 36 hours. During this period, the warheads were not protected by thevarious mandatory security precautions for nuclear weapons.USAF and Department of Defense at first decided to conceal the incident.Investigation found that “the intricate system of nuclear checks and balances was either ignored or disregarded,”and a “chain reaction” of leadership and supervision failures led to turning off of two separate warning systemsdesigned to prevent unauthorized transfer of nuclear weapons.Six mistakes: 1. Oversight to label trailer due to loose procedures on storage nuclear-conventional weapons. 2.Scheduling error and coordination failure munitions and maintenance personnel re what weapons to transfer at lastminute. 3, 4, munitions and handling crew did not monitor move and follow checklist to ensure weapons were nonnuclear. Not checked as drove past security. 5. Aircraft crew chief signed off w/o checking weapons. 6. Radarnavigator checked only one of non-nuclear missiles.Six major investigations by US AF and other panels led to establishment in October 2008 of Air Force Global StrikeCommand to control all USAF nuclear bombers, missiles, and personnel, operational on 7 August 2009Procedural change: The USAF issued a new policy directive regarding the handling of nuclear weapons and deliverysystems, which prohibits the storing of nuclear armed and nonnuclear armed weapons in the same storage facility.The directive further instructs that all nonnuclear munitions and missiles must be labeled with placards clearlystating that they are not armed with nuclear warheads. Wing commanders are now charged with approving anymovement of nuclear weapons from weapons storage areas and must appoint a single individual as a munitionsaccountability system officer and weapons custodian. All units that handle nuclear weapons must develop acoordinated visual inspection checklist. The policy further directs that airmen charged with handling or maintainingnuclear weapons cannot be on duty for longer than 12 hours, unless during an emergency, when their duty periodcan be extended to a maximum of 16 hoursSources: Sources: Commander Directed Report of Investigation Prepared by Major General Douglas L. Raaberg, Investigating OfficerConcerning an Unauthorized Transfer of Nuclear Warheads between Minot AFB, North Dakota and Barksdale AFB, Lousiana, 30 August2007, released under FOIA and redacted, at: and Michelle Spencer et al, TheUnauthorized Movement of Nuclear Weapons and Mistaken Shipment of Classified Missile Components: An Assessment, TheCounterproliferation Papers Future Warfare Series No. 56 January 2012 USAF Counterproliferation Center, Air University, Maxwell Air ForceBase, Alabama, at: ADA557097

DISA 2010: NC3 “patchwork”“There is no one NC3 system. The NC3system as it exists today is a patchwork ofdisparate systems, each with its owncharacteristics. There is no one operatingsystem or coding language”The contractor shall be responsible to design, develop, and conduct recurring operational assessments to assist in the determining, in a quantitativemanner, the operational capabilities of the Nuclear Command, Control and Communications (C3) System.This system supports the President and the Secretary of Defense, Joint Staff, and Combatant Commanders' decision making across the spectrum ofconflict and threat environments. Included in the Nuclear C3 System are the Survivable Mobile Command and Control Centers consisting of airborneresources, selected fixed and mobile ground command centers, the strategic and non-strategic (theater) nuclear forces, and surviving commandelements (including shipboard) of the nuclear and non-nuclear Combatant Commanders, the military services, and the DoD agencies as defined in theEmergency Action Procedures of the Chairman, Joint Chiefs of Staff (EAP-CJCS Volumes VI and VII) and the National Military CommandSystem/Department of Defense Emergency Communications Plan (NMCS/DoD Emergency Communication Plan). The objectives of the assessments are to identify deficiencies in equipment, both hardware and software, and procedures and to recommendcorrective action to improve the operational capability.Source: Answer to Question 1 at: Nuclear Command, Control, and Communications System Operational Assessment ProgramSolicitation Number: HC104710R4009, Agency: Defense Information Systems Agency, Office: Procurement DirectorateLocation: DITCO-NCR, August 4, 2010, at: opportunity&mode form&id ca9ed977f427844fb095c1e170a579ee&tab core& cview 1

2014: Council on Oversight of the National LeadershipCommand, Control and Communications System (CONLC3S).Council on Oversight of the National Leadership Command, Control, and Communications System, established by section 1052 ofthe National Defense Authorization Act for Fiscal Year 2014 (Public Law 113-66)(b) MEMBERSHIP.—The members of the Council shall be as follows:(1) The Under Secretary of Defense for Policy.(2) The Under Secretary of Defense for Acquisition, Technology, and Logistics.(3) The Vice Chairman of the Joint Chiefs of Staff.(4) The Commander of the United States Strategic Command.(5) The Director of the National Security Agency.(6) The Chief Information Officer of the Department of Defense.(7) Such other officers of the Department o