As we all know, the President carries the nuclear missile codes with him at all times. President Carter’s codes once ended up at the dry cleaners by mistake, and the FBI accidentally took President Reagan’s codes after he was shot.
The history of nuclear codes is rather interesting. After the Cuban Missile Crisis, Defense Secretary McNamara vowed to personally see to it that all long-range missiles were protected by an eight-digit code. The protection came from a device called a Permissive Action Link (PAL). One weapons designer stated the security requirement as “Bypassing a PAL should be about as complex as performing a tonsillectomy while entering the patient from the wrong end.”
But a security system is only as strong as its weakest link, and for 15 years until 1977, the codes were set to 00000000 so as not to interfere with the ability to launch the missiles. Anyone with an operations manual could have done it.
Nowadays, as well as actually having a code, PALs are designed to intentionally misfire the warhead if they detect tampering, so as to render it mostly harmless.
So what kind of safeguards are in place to protect the world against nukes? The two main requirements are called “assure” and “assure against”. The first guarantees that missiles will be launched when appropriate authorisation is given; the second guarantees that they won’t be launched accidentally or maliciously.
Some examples of things to protect against:
- The President loses his nuclear codes, and someone else uses them to launch an attack.
- An accident happens in a nuclear base and the missiles are detonated.
- A military base is overpowered by force and the attackers get access to the missiles.
- The President and Vice President are both killed in a nuclear attack, and a retaliatory launch is impossible without their authorisation.
- A launch is authorised, but the PAL launch codes are unavailable (this is actually why the codes were set to 00000000 in 1962).
The details of how an authorization gets from the President to a launched missile aren’t really clear, but it seems to work something like this.
- The President and the Secretary of Defence both have to authorise a launch. The NSA provides the technology to verify the authenticity.
- The verified authorisation goes through the military chain of command to the missile locations themselves. Likely the Presidential authorisation is used as a key at each level to produce codes for the next level down.
- At the actual launch site, there is a safe containing the launch codes. The safe must be opened by turning two keys together, which are far enough apart that a single person cannot do it. Both operators must then verify their codes against the ones in the safe. The same procedure must also happen at another launch site before the missile can be launched – presumably the safe only contains part of the PAL code and the rest of it comes from the other site.
- Submarines have a different procedure: there are several combination-lock safes on board, and each safe contains part of the key. The full code can be reconstructed only from a combination of keys, and additionally, no crew member has any of the safe combinations; they come as part of the launch order.
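The split-code idea in the last two steps, where each safe or site holds only part of the code, can be illustrated with n-of-n additive secret splitting. This is an added example, not the real PAL or launch-order mechanism (which the article notes is not public); the function names and the modulo 10^8 construction are assumptions chosen for illustration.

```python
import secrets

MODULUS = 10 ** 8  # an eight-digit code is a value in 0..99999999


def split_code(code: str, holders: int) -> list[str]:
    """Split an eight-digit code into `holders` shares; all are needed to rebuild it."""
    if len(code) != 8 or not (code.isascii() and code.isdigit()):
        raise ValueError("code must be exactly eight decimal digits")
    if holders < 2:
        raise ValueError("need at least two holders")
    # Every share but the last is uniformly random and independent of the code.
    shares = [secrets.randbelow(MODULUS) for _ in range(holders - 1)]
    # The last share makes the sum of all shares equal the code modulo 10^8.
    shares.append((int(code) - sum(shares)) % MODULUS)
    return [f"{s:08d}" for s in shares]


def combine_shares(shares: list[str]) -> str:
    """Rebuild the code from the complete set of shares."""
    return f"{sum(int(s) for s in shares) % MODULUS:08d}"


def share_that_explains(known_shares: list[str], candidate_code: str) -> str:
    """Return the one missing share that would make `candidate_code` the result.

    Such a share exists for every candidate, so a holder who is missing a
    single share cannot rule out any of the 10^8 possible codes.
    """
    partial = sum(int(s) for s in known_shares)
    return f"{(int(candidate_code) - partial) % MODULUS:08d}"


if __name__ == "__main__":
    code = "12345678"  # constructed sample value
    shares = split_code(code, holders=3)
    print("shares:   ", shares)
    print("combined: ", combine_shares(shares))
    # With one share missing, any guess is still consistent with what is known.
    known = shares[:2]
    for guess in ("00000000", "99999999"):
        print(guess, "would need third share", share_that_explains(known, guess))
```

Splitting limits what any one safe or operator knows; it does nothing if the code being protected is itself a known constant such as 00000000.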
The British have a different scheme, which has some good things (a launch order has to pass through more people) and some bad things (missiles had less physical protection up until very recently).
But wouldn’t an 8-digit code be fairly simple to crack with any decent computer?
You are right, Mike. Once you crack the NSA authentication, all you have to do is send millions of 8-digit codes to the military until one works. Any decent computer could be used to generate all the unique 8-digit codes.