The Air Force calls the situation "Launch Facilities Down." On Oct. 23, a Wyoming-based squadron of 50 nuclear-tipped intercontinental ballistic missiles (ICBMs) enough firepower to kill some 20 million people lost computer communications with its human controllers for 45 minutes. When news of the incident broke, the ensuing political debate focused on what effect the outage might have had on America's readiness to fight a nuclear war. But the more important concern should be that for the better part of an hour, the safeguards that protect against unauthorized launch of America's missiles were compromised. And that elevated the risk of the world being plunged into a nuclear war that none of the nuclear-armed states intended.
Of course, I am describing a remote, worst-case scenario whose plausibility is dismissed by the Pentagon. Still, there's a lot more reason for anxiety over the Wyoming incident than there is over this week's "mystery missile" off California. Nuclear missiles are, after all, worst-case weapons, doomsday bombs. And as we have learned to our dismay over the years, we are seldom as crafty as our adversaries.
From 1972 to 1974, I served as a Minuteman missileer in control of 50 ICBMs in underground silos in Montana. Since leaving the Air Force, I have studied America's launch protocols and safeguards for the U.S. Congress, the Pentagon and the Washington-based Brookings and World Security Institutes. Those protocols have not changed since the end of the Cold War. America still keeps its missiles on launch-ready alert. In this posture, the bias is on ensuring that the missiles can be fired, rather than on making sure they are not launched accidentally. That's a dangerous posture, as we now live in an era of terrorism and cyberwarfare.
When the Wyoming rockets went off-line on Oct. 23, the remote underground launch centers that control them lost their ability to detect and cancel any unauthorized launch attempts. Such an attempt could have come moments before the blackout from a rogue or compromised underground crew. Or it could have come during the blackout from someone hacking into the ICBMs' radio receivers tuned to a backup launch-control aircraft. Or from someone splicing into the many thousands of miles of cabling that connect America's ICBMs to launch control.
In such a situation, the rockets would have waited for a short period 30 minutes or so to give the crews a chance to cancel an illicit command. But since the crews would have been unable to do so, the 50 rockets would have accepted the launch instruction, ignited their boosters and risen out of their silos.
U.S. early-warning satellites would have detected hot rocket exhaust soon after liftoff, but by then it would have been too late. The missiles, which travel across the globe in 30 minutes at a shade under 4 miles a second, have no self-destruct mechanism; they cannot be recalled.
The communications and computer networks used to control nuclear forces are supposed to be firewalled against the two dozen nations (including Russia, China and North Korea) with dedicated computer-attack programs and from the thousands of hostile intrusion attempts made every day against U.S. military computers. But investigations into these firewalls have revealed glaring weaknesses. During the 1990s, for example, a Pentagon-led investigation found an unprotected electronic back door into the naval broadcast-communications network used to transmit missile-launch orders to nuclear-armed submarines. The Navy was sufficiently concerned about the danger of crews' receiving and carrying out unauthorized launch orders that it overhauled the entire system.
Assuming that a firewall system designed before the era of cyberwarfare is probably not impenetrable, what other safeguards were in place to prevent the launch of the Wyoming ICBMs? A launch order to any of America's strategic nuclear forces would not be accepted as valid unless it contained proper unlock codes, access to which is normally tightly held. But, again, these codes have been compromised in the past (for instance, aboard an EC-135 airborne command post in 1993, when unauthorized people on board had access to the unlock-code book because of improper handling by the code custodian), and we cannot rule out the possibility that a corrupt insider could provide crucial assistance in obtaining the necessary codes.
What about physical protection? The thousands of miles of ICBM cabling are supposed to be monitored automatically through readings of air pressure in the cables that might indicate a break in the line. But in my experience during the '70s and in numerous interviews since this remotely monitored system is notoriously unreliable. In a Launch Facilities Down scenario, security teams are required to travel to every affected missile and insert safety pins that physically prevent the missiles from being armed and launched. In the Wyoming case, that process could not have been completed within the 30-minute safety window.
The missiles are currently set to land in open ocean if they are accidentally launched, so they would need to be targeted to cause maximum carnage. But targeting would not be an obstacle to a rogue crew or cyberintruder; it could be done with a few keystrokes.
In the short term, the Air Force should inspect the security environment surrounding every yard of cabling that connects the rockets with their launch-command posts just to make sure this most recent outage was not the result of a hacking incident and to detect any possible attempt under way to tap into these launch circuits.
More important, the U.S. needs to finally relax the hair-trigger alert status of its nuclear forces and persuade Russia to do the same. Our past two Presidents campaigned on promises to "de-alert," but neither pursued it after assuming office. Last week at the United Nations, 144 countries, citing concern about unintentional nuclear war, passed a resolution calling on the U.S. and Russia to reduce the operational readiness of their nuclear forces. (The U.S. voted against the resolution; Russia abstained.) The latest Launch Facilities Down incident in Wyoming is a reminder of why the hair-trigger alert status of its nuclear arsenal could make America more, rather than less, vulnerable to the threats of the 21st century.
Bruce Blair is co-coordinator of Global Zero.