W353DNRF 121997DNRF Final 12/19/97
The ideal nuclear strategic retaliatory forces to some are none at all; but it may be some time, if ever, before world security will be enhanced by the elimination of all nuclear weapons, in view of the possibility that they might reemerge, to the disadvantage of peace-loving nations.
In the interim, it is in our interest to ensure that whatever nuclear weapons exist are securely in the control of responsible governments. Major reductions in nuclear weaponry are in order, and might be achieved bilaterally between the United States and Russia to a level of 2000 deployed strategic warheads; and in a post-START environment to a level of 1000 total warheads on either side. (1) However, in the interim we are faced with a situation in which there are vulnerable forces, especially in Russia, and vulnerable systems of command and control, so that the interaction between the two major nuclear powers is at least as unstable as during the Cold War. Because Russia, in particular, fears the loss of its command system, it is ready to launch its nuclear retaliatory force on warning of the launch of U.S. missiles; and the Russian warning system is far less capable than was the system of the Soviet Union.
Since 1962, U.S. nuclear weapons have contained a Permissive Action Link, associated with the nuclear warhead itself, which ensures that no nuclear detonation can occur unless a separate code is inserted into the warhead by the chain of command, independent of the firing of the missile or the dropping of the bomb. It appears that Russian nuclear weapons do not have such a closely integrated PAL, but in any case the PAL approach provides an example of the overall command that can be asserted over nuclear weaponry to avoid accidental or unintended launch. Similar techniques can be used to prevent a launch, to destroy a weapon before launch or after launch, and some are useful in what is usually called "de-alerting".
But as will be seen from the discussion, alert forces in general are motivated by their vulnerability and the vulnerability of the command system. The solution to the unintended launch that arises from a small perturbation in an unstable confrontation lies in rendering the forces less vulnerable, and that can be done at great cost by modification of a nation's own forces, but it can be done at lesser cost, in general, by modifications or change of status of the forces that threaten them.
The feared vulnerability of strategic retaliatory forces to a first strike from the other side leads to a posture of launch on warning, which increases the likelihood of inadvertent or unauthorized nuclear war. It is highly regrettable that strategic nuclear forces were given the accuracy to destroy silos on the other side, and equally unfortunate that the Soviet Union and the United States mounted MIRVs on their silo-based missiles. It should be clear that MIRVs do not pose a greater threat to the other side, for a given total number of warheads, but constitute a self-imposed vulnerability; one attacking warhead can be seen as destroying 6 or 10 MIRVed warheads in a single silo.
The combination of these two factors-- accuracy and MIRV vulnerability-- resulted in the theoretical possibility of the ballistic missiles on one side destroying the silo-based retaliatory force on the other side. For the U.S. MIRVed ICBM force (the Minuteman III), even this assumed vulnerability did not result in the elimination of the capability to retaliate, since the U.S. deployed also an invulnerable submarine-based force, but the situation was different for the Soviet Union. A much smaller fraction of the Soviet force (and now the Russian force) is deployed on SLBMs, and few Russian strategic submarines are at sea.
Most of the cost of strategic forces is incurred in reducing their vulnerability; neither the U.S. nor Russia will willingly allow their forces to be vulnerable, even in an era in which they do not regard one another as enemies.
The elimination of silo-based MIRVs in START II would reduce this vulnerability, but Russia would need to build 650 single-warhead silo-based missiles to benefit and come to parity with the U.S. in START II. Even if the Duma ratifies START II, there are years of vulnerabilty and resulting launch-on-warning posture for the Russian strategic forces in order to compensate for that vulnerability. And the hazard to both the U.S. and Russia is incalculable, as well as to the rest of the world.
The Russian warning system for strategic attack does not have the capability of the former Soviet system, since several of the long-range ballistic-missile warning radars are not on Russian territory. On the other hand, Russia says its missiles are no longer set on U.S. targets, and the U.S. states that its missiles are targeted on the oceans. As emphasized by Bruce Blair, (2) however, it would take seconds for the pre-planned targets to replace the non-targets in the missile guidance, and Russia has surely planned for that to happen if the missiles need to be launched on receipt of warning.
Of course, it would benefit neither Russia nor the U.S. to launch those missiles, but because they are considered vulnerable, they are maintained on LOW posture to deter intentional attack by the United States.
Taking only Russian missiles off alert would prevent their being fired before they are destroyed and would increase Russian strategic vulnerability; taking only U.S. missiles off alert would not create overall U.S. force vulnerability and so could not encourage a strike that would not otherwise have come, but it is unlikely be acceptable politically. In any case, only if the U.S. missiles were demonstrably incapable of being fired for some hours or more, would it be possible to take the Russian silo-based ICBMs off launch-on-warning status.
It is important to recognize that the off-alert status is beneficial only if the other side knows reliably when the weapons are being restored to firing capability and can then move to alert status, in the short term, or to reduced vulnerability-- for instance by moving mobile ICBMs out of garrison.
If missiles on both sides are demonstrably incapable of being fired, there is still the problem of competitive alerting. If one side can count on restoring its force to firing capability while the other is still off alert, then the de-alerting will never happen.
The submarine-launched ballistic missile vessels (SLBM) might be sent to patrol out of range of their targets. Especially in a reduced-MIRV condition, however, the SLBM range may be so great that no large patrol areas can be found out of range of the targets; SLBM range can be reduced by fixing ballast mass in place of the offloaded MIRVs.
For the SLBMs in authorized de-alert areas (which can be very large), their presence within the agreed area can be verified by a cooperative system in which the verifying state transmits a coded request to the patrolling state, which forwards the request via its own communication means to the specified submarine claimed to be in the authorized patrol area. Call this particular submarine "B-143". B-143 comes to satellite communication depth within 30 minutes and prepares to receive a coded signal from a satellite at a precisely appointed time. It immediately recodes the signal and rebroadcasts it to that satellite and others that may wish to listen. It also broadcasts its position determined by GPS or GLONASS. The signals relayed to a processing computer on the verifying side then contain time-differences of arrival at the various satellites, that give an independent position determination of the patrolling submarine that should agree with the broadcast position. Since the signals can be timed to much better than a microsecond, and 1 km of displacement would correspond to some microseconds (for a speed of light or radio signals of 0.3 km per microsecond) the position of the coded receiver can be verified to far better than is required to ensure that the submarine is in the patrol area that will measure some hundreds or thousands of km in dimension. One must also ensure that the coded receiver remains with the submarine to which it is initially assigned and that can be done by wires or fiber-optic lines that are attached with disturbance-detecting magnets (or even durable self-adhesive tape) to the interior of the steel shell of the submarine. At the end of the draft paper, some preliminary thoughts are recorded regarding the vulnerability introduced by this occasional precise location of the submarine in the authorized de-alert patrol area, and proposals by others are requested.
A more complex system of cooperative warning could be introduced that would invoke "destruct after launch" of any alert or re-alerted SLBM which had not received from its command authorities an authorization code to prevent self-destruction of the missile; the transmission of this message, by agreement enforced in hardware, would be communicated also to Russia. The authorization for launch of that specific missile might be valid only for a few minutes, as might have been previously agreed between the two sides; and no radio link to the missile would be needed-- only to the submarine or to the national command headquarters for communication to the submarine.
Each box of a pair would contain its own Private Key of a Public Key Cryptosystem in such a way that the "handshaking" between them could not be mimicked by any other box; the Private Key for U.S. missiles and the headquarters command boxes would be installed by Russia, and those for Russian missiles would be installed by the U.S.. The launch of alert missiles could be authorized at any time by the command box transmitting the appropriate command that would be encrypted by the Public Key of the commanded missile and transmitted to the submarine and to the missile for decryption and consequent temporary removal of the destruct-after-launch function. Russia would have the option of querying the command box every minute, to receive the authenticated list of numbered messages generated by the box, encrypted with the Public Key of A1-- which can be decryped with the Private Key of A1, also retained by Russia.
A specific message format, before Public Key encryption, might have fields (P,Q,R,S,T), each of sufficiently many bits to be proof against chance or error, and with the following significance:
If the missile destruct-after-launch box and the command box can be made adequately secure to be used as sketched here, then it would be a modest addition to add to the missile box a timer to impose an agreed pre-set delay before the destruct-after-launch would be disabled, so this scheme would provide a basis for both cooperative warning and de-alerting.
It is clearly in the interest of every nation to have secure control over its nuclear weapons, including post-launch controls. It is also in the interest of the international community. And it especially interests the U.S. that Russia have effective control over its strategic missiles (and Russia surely does not want one or more of its weapons to be fired without authorization or by accident). Hence it would be of value for the U.S. and Russia to collaborate closely on control and especially on Post-Launch Control, in an analog of the highly successful "lab-to-lab" collaboration that is improving Russian control over weapon-usable fissile materials; the U.S. should be willing to provide funds for the development and installation of PLC systems on Russian missiles, at the same time that it installs such on its own forces.
A quite different approach would simply share the output signals from the U.S. "Defense Support Program" (DSP) satellites, now called the Space-Based Infrared System (SBIRS). These satellites provide worldwide detection of missile launch by observing the intense infrared output from the hot rocket exhaust gases; during the 1991 Gulf War, SDIO leader Henry Cooper revealed that DSP had detected every SCUD launch from Iraq against Israel or Saudi Arabia. As with most of these cooperative measures, including de-alerting, if cooperation stops (so that assurance of de-alerting is no longer available, or if the output signals from DSP are no longer provided) the nations affected would need to reduce their vulnerability by resuming launch-on-warning postures, or on a longer time-scale by moving all missiles out of garrison, by deploying more SLBM at sea, etc.
-- As for the submarine patrol in out-of-range patrol areas, the lesser problem seems to be to ensure that ballast that might be installed in place of downloaded warheads is still in the missile and cannot be removed without damage. Can cooperative means be used to verify this, such as fiber-optic lines threaded through the ballast and available at the missile skin?
The greater problem would seem to be the vulnerability of the specific submarine whose precise location suddenly becomes known as a means of demonstrating that it is within the patrol area; it is then vulnerable to a nuclear weapon launched from a ship or submarine 1000 km away, in a carefully planned scheme by the verifying side. While this might be tolerable if 20 submarines are at sea, it would be a problem if only one is on patrol. Use can be made in this case of floating transmitters either tethered or independent, ejected by the submarine through a port always available for that purpose. If a transmitter is attached by a fiber-optic slack line 20 km long, the submarine location can be rendered independent of the location of the transmitter to eliminate this vulnerability. Such slack-line transmitters (6) are discussed in an article by S.D. Drell and R.L. Garwin, (7) and also emphasized-- in the independent-buoy version-- by Aaron Tovish in his new newsletter "De-alerting Alert, No. 2". (8) The satellite interrogation described earlier in this paper would thus yield the precise location of the buoy antenna, and also an upper limit to the fixed length of fiber (spooled plus un-spooled)) with which that antenna was equipped. In the independent-buoy approach, an upper limit to the distance of the submarine from the buoy is set by the maximum speed of the submarine.
There are really two functions to be served by communication with submarines in their patrol area. The first and simpler is to ensure that the re-alerting period has not begun, and if the two sides are agreed that it will take several hours or days to bring the missiles back into operating condition, such interrogation and reply can be at an interval of some hours or days. The other, more time-urgent function is to ensure that alert or re-alerted missiles have not been launched. In order to gain substantial time and assurance, such queries might be issued every five minutes, but need not be issued against every one of the submarines in the area. A single nuclear detonation provided by a smuggled weapon seems to be less risk for one side than to launch an attack against the other by missile with the expectation that it would not be observed.
For either of these approaches, cooperative reassurance is involved. The United States, of course, could readily ensure that its submarines do not reply to Russian queries, and vice versa, but that is not in its interest in this regime. So one would expect that a Russian query to a U.S. submarine would come to the cooperative facility, where a message authenticator would be added by the U.S. side. The composite signal would go out to a satellite for relay to the patrol area, where an awash buoy connected to the specific submarine would receive it and would retransmit in very short order the encrypted signal provided by the locking or de-alerting devices. In order to avoid the unnecessary vulnerability of microsecond response times to every inquiry, the first few such inquiries could simply be signals that prepare the receiver for responding quickly to the next signal. Furthermore, the authenticating signal by the U.S. need not be transmitted only with the Russian inquiry via satellite, but could go out over any reliable communication means, including VLF or ELF that can be received by the submarine submerged or by submerged communication buoys. This latter approach is particularly relevant for the verification of de-alerting, since the submarines need not be in constant responsive communication but need only have a satellite antenna available during the few-second interval when they are told via VLF or ELF to expect an authenticated query.
The value of such cooperative signalling approaches is the presumed greater willingness of the military and political leadership to undertake measures that do not require the transport of warheads during nuclear attack.
(1) "The Future of U.S. Nuclear Weapons Policy," report of Committee on International Security and Arms Control, National Academy of Sciences, Washington, D.C., National Academy Press, June 1997. Available at http://www.nap.edu.
(2) B.G. Blair, H.A. Feiveson, and F.N. von Hippel, "Taking Nuclear Weapons Off Hair-Trigger Alert," SCIENTIFIC AMERICAN, pp. 74-81, November 1997.
(3) R.L. Garwin, "Reducing Dependence on Nuclear Weapons: A Second Nuclear Regime," NUCLEAR WEAPONS AND WORLD POLITICS, see p. 100, (1977).
(4) S. Frankel, SCIENCE AND GLOBAL SECURITY, Vol 2, 1990, pp. 1-20.
(5) R.L. Garwin, "Launch Under Attack to Redress Minuteman Vulnerability?," INTERNATIONAL SECURITY, Vol. 4, No. 3, pp. 117-139, 1980.
(6) See also R.L. Garwin letter of 02/04/80 to Representative J.F. Seiberling, testimony for hearing of the House Interior Subcommittee on Public Land.
(7) S.D. Drell and R.L. Garwin, "Basing the MX Missile: A Better Idea," TECHNOLOGY REVIEW, May 1981.
(8) Soon be available at http://www.fas.org/cusp/alert. Tovish discusses at length the utility of timers for imposing delays on re-alerting.