Start the clip at about 5:04.
General Turgidson: Mr. President, about thirty-five minutes ago, General Jack Ripper, the commanding General of Burpleson Air Force Base, issued an order to the 34 B-52’s of his wing which were airborne at the time as part of a special exercise we were holding called Operation Dropkick. Now, it appears that the order called for the planes to attack their targets inside Russia. The planes are fully armed with nuclear weapons with an average load of 40 megatons each. Now the central display of Russia will indicate the position of the planes. The triangles are their primary targets, the squares are their secondary targets. The aircraft will begin penetrating Russian radar cover within 25 minutes.
President Muffley: General Turgidson, I find this very difficult to understand. I was under the impression that I was the only one in authority to order the use of nuclear weapons.
General Turgidson: That’s right sir. You are the only person authorized to do so. And although I hate to judge before all the facts are in, it’s beginning to look like General Ripper exceeded his authority.
Dr. Strangelove or: How I Learned to Stop Worrying and Love the Bomb, 1964
This moment in Stanley Kubrick’s Dr. Strangelove or: How I Learned to Stop Worrying and Love the Bomb is like many others the film — it is darkly humorous, but also accurate. The authority to launch a nuclear weapons is not the same as the capability to do so.
That is an important distinction to keep in mind, when reading about this story that Bill Clinton — or, rather, a Clinton aide — misplaced the President’s laminated card (the “biscuit”) containing the codes to authorize the use of nuclear weapons.
The story has been revived by the memoir of General Hugh Shelton, Without Hesitation: The Odyssey of an American Warrior, who served as Chairman of the Joint Chiefs of Staff for much of the Clinton Administration. In Shelton’s telling, President Clinton’s nuclear authorization “codes were actually missing for months.” Shelton describes this as “a big deal — a gargantuan deal” — “we would be unable to launch a retaliatory strike” with nuclear weapons. He further describes the employment of nuclear weapons without the codes as “impossible” and a “deal-breaker.”
Although Shelton claims this “has never been released,” the story actually tracks with a similar claim in Robert “Buzz” Patterson’s Dereliction of Duty. Patterson, who was one of Clinton’s military aides for a time (the guy who carries the President’s Emergency Satchel, more colorfully known as “The Football”) wrote a book so scurrilous in its accusations about Bill Clinton that no one took it seriously. (Among other reasons to be skeptical, Patterson claims he was in the oval office at 7:00 am on January 21, 1998. The Clinton schedules don’t have a meeting before 9:00 am, though they’ve been heavily sanitized. He also makes minor mistakes, like promoting Bruce Lindsey from Deputy to White House Counsel.)
There are some important differences between Shelton and Patterson’s account. Shelton places the event “around the year 2000” rather than January 1998. Shelton also blames the President’s “aide” — presumably the military aide — noting “even though the movies may show the President wearing these codes around his neck. its pretty standard that they are safeguarded by one of his aides, but that aide sticks with him like glue…” It’s possible Patterson heard the story second hand, or Shelton has the date wrong and is pinning the blame on him.
In either case, however, the story seems to suggests that the entire US nuclear arsenal suffers from the possibility of a single point failure, in the form of a small laminated card that, according to lore, has been routinely misplaced by the occupant of the Oval Office. Such stories involve Carter sending it to cleaners with his suit, and being misplaced in the hospital as doctors worked to save President Reagan after the 1981 attempt on his life. The problem with a lot of these stories is that much of what we know about the authorization process comes from pretty sensationalistic accounts — starting with Bill Gully’s 1980 book Breaking Cover, through memoirs by Ivian Smith and Patterson. (Bruce Blair’s The Logic of Accidental Nuclear War is a welcome exception to this trend.)
Shelton’s account, however, is somewhat simplistic. The important point is that it would not be impossible for a group of senior US officials to order a nuclear strike without the President — although they would, of course, be exceeding their authority. And the scope of such a conspiracy is virtually unthinkable. And, of course, any disruption of the normal comand-and-control procedures would be very unwelcome in a crisis.
Well, who am I to tell the Chairman of the Joint Chiefs of Staff that he’s not quite right? Tom Ricks and David Hoffman have both pointed out reasons to be skeptical of Shelton’s account. There is at least some reason to think that Shelton might be conflating the President’s authority to use nuclear weapons, with STRATCOM’s ability to do so.
The first hint, of course, is that a new set of codes had been delivered to the President. This isn’t like an ATM pin number that the President makes up (Chelsea’s birthday!). This is an alphanumeric code generated automatically, by the National Security Agency. The President gets the code delivered to him. There are procedures to replace codes that have been compromised.
The second hint comes from a description of the procedure for launching a nuclear weapon on a Trident ballistic missile submarine bu Douglas Waller in his excellent Big Red: Three Months on Board a Trident Nuclear Submarine:
The supersecret National Security Agency, whose spy satellites and ground antennas vacuum phone calls all over the world, produces the [Sealed Authenticator System] SAS codes. Agency machines stamp the same computer-generated code of randomly arranged letters and numbers on two plastic cards. The machine then seals each card in a shiny metal foil. The code cards are nicknamed “SAS cookies” because they look like wafer bars wrapped in tinfoil. The machine was specially built to do all the stamping and sealing itself, so no human eyes ever see the numbers and letters printed on the cards.
One of the sealed cards is placed aboard the Trident. Its twin, with the identical arrangement of numbers and letters, is kept by the Strategic Command. When STRATCOM’s generals drafted the emergency action message to launch nuclear weapons, they would break open the sealed card and print its authentication code in the order. At the other end, the Trident captain could break open the card he had and compare the alphanumeric code on it with the arrangement of numbers and letters in the message. If the two codes matched, the captain could be certain that he had a valid launch order.
There are several interesting things about this account: First, the authentication code that a Trident submarine commander receives from STRATCOM is not the same one that comes from the President. Which makes sense, because otherwise a local commander could compromise the entire authorization system just by opening his package of cookies. Second, authentication is not automated — it is done by a pair of human beings, with their eyes and their brains. This makes sense — if the code were programmed into a computer system, it would be vulnerable to hacking.
Which brings us back to the distinction between authorization and ability. The codes are used to demonstrate down the chain of command that the use of nuclear weapons has been authorized. But the judgment is a human one, by those who are (in aggregate) capable of acting on those orders. Of course, there are coded control devices that unlock weapons systems, but those codes are not held by the President.
The reason for this should be obvious — the system is designed to avoid precisely the sort of single-point failure that Shelton describes.
Shelton has a readable account of command and control of nuclear weapons, but it doesn’t really jibe with more wonkish debates. As the Cold War ended, for example, the George H. W. Bush Administration looked at command and control arrangements very carefully, through the Failsafe and Risk Reduction (FARR) Advisory Committee, chaired by the late Jeanne Kirkpatrick.
The FARR Committee — the final report is now partially declassified — was aware that efforts to improve surety must not interfere with authorized uses. So, for example, the FARR Committee noted that the National Command and Control System “is enjoined to meet the dual requirements of assuring the authorized use of nuclear weapons while assuring against their unauthorized or inadvertent use. National guidance mandates an appropriate balance between these sometimes competing objectives.” Emphasis in the original.
The kinds of discussions in the FARR Committee suggest that the balance still favors assuring authorized use. For example, a major recommendation of the FARR committee was to have STRATCOM hold the combination for the safe aboard the Trident, which had previously been available to a Trident commander. This shifted the balance a bit from assuring that a submarine commander could always use nuclear weapons, even if communications were disrupted, in favor of never permitting an unauthorized use. But overall this is a far cry from having the President alone know the code to each and every safe aboard a Trident submarine.
Shelton is right, however, that without the Presidential authorization code, it would be very hard to convince the next layer down the chain of command that the order to employ nuclear weapons had been lawfully given. But that is because people down the chain of command would object — ultimately, this system relies on the reliability of personnel. Again, as the FARR Committee observed: “Loyal and capable personnel compose the most important layer in the system of positive measures.”
Hence, the dark but accurate humor in Kubrick’s observation that it’s beginning to look like General Ripper exceeded his authority. This is a system based on human beings. Human beings are fallible. Which, in an odd way, was precisely the moral of the tale as told by General Shelton:
You do whatever you can and think you have an infallible system, but somehow someone always seems to find a way to screw it up.
The Presidential identification (ID) codes in question are neither necessary nor sufficient to successfully order the implementation of U.S. nuclear war plans. It could delay implementation long enough to prevent a rapid response — say launch on warning — because of the short timelines involved and the time lost to notifying the President and authenticating (unsuccessfully in this case)with him.
If the President fails to properly authenticate, then the Pentagon (the National Military Command Center or its alternates, which could be STRATCOM Hqs in some scenarios) speed dials down the chain of presidential succession looking for the ranking successor that is able to authenticate — the VP, Speaker of House, Senate Protempore, and Cabinet officials in order of their creation starting with State, Treasury, Defense and so on down the line. This is not necessarily a straightforward process and is fraught with anomolies. For instance, President Carter did not allow any successor except his VP (Mondale) to have the pertinent ID codes, which ensured that nuclear launch authority would have switched over to the military chain of pre-delegated nuclear release authority rather abruptly if the President and VP were incapacitated or could not authenticate for some reason (such as lost codes). Another example of the idiosyncracies of the process: during the speed dial search for a presidential successor during exercises in the Clinton years, Secretary of State Albright was skipped over because she was not eligible to become president by dint of the constitutional disqualification of foreign-born citizens to become president.
All of the codes needed to create a fully valid and authentic launch order that will be obeyed by the nuclear chain of command including the individual launch commanders are held strictly and exclusively by the U.S. military. They (SAS codes and unlock codes which go into a launch order and KAC codes used by nuclear commanders for decoding launch orders) are fairly widely distributed in order to ensure that launch authority could not be neutralized by an attack against the command and control system. If the chain of command is intact, and the President authenticates using his ID codes (if he takes refuge in the Pentagon or some other top nuclear command facility then his physical presence suffices as identification) and selects a war plan option for execution, then the Pentagon NMCC would normally format and transmit the launch order replete with SAS and unlock codes (this takes two minutes). It would be immediately received by launch crews and hundreds of other nuclear commanders and carried out within two minutes in the case of Minuteman crews. These crews as well as submarine and bomber crews check the SAS codes received in the message with the SAS codes kept inside their safe and then proceed to unlock and fire (or withhold) their weapons according to the selected option.
If the chain of command is not intact, either due to missing presidential/successor codes or damage to the command and communications structure, then a back-up national command post facility or plane, or alternates like STRATCOM Hqs on the ground or its airborne command post, seek out a presidential successor to authenticate with but meanwhile it would proceed to prepare a launch message replete with SAS and unlock codes. Historically (going back to Eisenhower and forward to Reagan’s second term and possibly beyond) these back-up high-level command posts possessed pre-delegated launch authority and would not have waited very long in the absence of presidential/successor contact to send the order unleashing the strategic war plan.
When I served as a Minuteman launch officer in the 1970s, I and another crew member could have reverse engineered this entire business to create and transmit to the entire U.S. land- and sea-based strategic force a fully valid and authentic order that would have been carried out by crews whose only validation requirement was to match their SAS codes with the order’s SAS codes. (We didn’t use unlock codes at the time, even though Defense Secretary McNamara thought otherwise). The source of the message was irrelevant; all crews were trained to carry out any launch message that validated regardless of the source.
For that matter, we also had the technical ability to launch our missiles on our own, with or without any orders from above.
So not only were (and are) the presidential ID codes not essential, but for much of the nuclear age neither were the SAS or other codes.
Are you serious about Minuteman officers being able to launch their missiles without outside clearance?
If that is still the case, I really hope that the psychological screening works. I am not sure how the Russians would take even one accidental strike on Moscow, even without a Strangeloveian doomsday machine.
Dr. Blair — I hope you are writing a book about this. I, for one, will pay upwards of $35.99 for a copy, and I am sure others will also.
Ain’t no one gonna have the capability to launch those nukes if the power is cut!
Seriously though I found Bruce Blair’s comment on Page’s post below about perhaps even (knowledgeable) terrorists being able to use the power line interconnects between the land based silos to force a launch scary. Just another reason to dump that trash.
I think the main experimental/historical examples are staring us in the face. The transferal of war powers to the US Presidency has been a huge strategic blunder. It gave us Viet-Nam, Central America, Cambodia, Laos, Cuba, Iran (1950’s – 70’s with fallout today.), Afghanistan, and Iraq. Afghanistan and Iraq are integral into what will probably be the major agents of economic decline that will remove the US from the position of sole global superpower and usher in a world of only major powers and no superpower. The policy did have two successes, I think South Korea and Kuwait can be held up as examples of success of Presidential war powers. However there’s no saying Congress could not have played its part, and in some ways did.
The point being creating a system that depends on human intelligence has just that failure. One day, you’ll get a GW Bush administration, and that safeguard will fail. Historically we now see that this failure can wreck an economy and upset the global balance of power. It’s unfortunate that in planing our institutions of command an control we seem to assume that the people who hold those offices are shining examples of human analysis and restraint. Even in the face of a history that shows anything but that.
Andrew makes a good point: who is to say that “rogue” military elements are more insane than future US presidents? Can you say “President Palin”?
We cycle back to http://lewis.armscontrolwonk.com/archive/2088/blair-on-the-ever-ready-misileer
And, of course, http://www.wired.com/images_blogs/photos/uncategorized/2007/12/04/patch_bunny_slippers.jpg
Reminds me of a post I once saw on (I think) the sci.military.naval newsgroup by a former submariner. The guy told the story about how he had been on a ballistic missile submarine in the 1970s when they were off the coast of Cape Canaveral to conduct a test firing of a Poseidon missile. This was a case where they were testing the missile, not the sub or the crew. They did the countdown, got to the point where the guys turned their keys to launch, and the launch sequence did not start.
There was much consternation, and they called in an electronics technician, who took apart the back of the console and rewired it to bypass a faulty component. Turns out that he rewired so that it was possible for a _single key turn_ to launch the missile.
He said that all the officers were aghast that such a thing was possible. They thought that it was designed so that the two-person system was the _only_ way to launch a missile. But he said that the techs who were trained to repair that system had long known that such a bypass was possible. It was an overlooked security vulnerability in that particular weapons system. But I’m sure they fixed it.
Do people on SSBN have daily access to world news when they are strategic patrol?
Phew..for a minute there I was afraid that the US had temporarily lost the option to incinerate millions of people in a retaliatory strike.
Retaliatory strike? The current crowd would lose it if the office of el-presidente lost the ability to strike first for no reason beyond an exercise of executive power.
Well said.
Given that the constitution gives the War Powers to congress, should not congress have the nuke codes?
“You’re not talking about war, General!”
Indeed, congress should. They should also get back to controlling regular-plain-ole non-nuclear war powers also. But hey, who cares about the Constitution anymore?
Looking forward to seeing this film after reading Mr Blairs posts.
http://www.magpictures.com/countdowntozero/
.
I’m a bit confused ,
the ability to short all control system and launch a missile
is no big news , but what about the targeting ?
is it preloaded or does it has to be downloaded prior to launch ?
what about the weapon firing ? certainly there must be some sort of arming ,
one would hope there is an ultimate safety there.
The U.S. has produced some fine fruitcakes down the years
none more brave and gifted that Curtis leMay ,
pretty much a rottweiler with brains
I “heard” that the hair-trigger ICBMs are pre-programmed to hit the ocean — not Russia or China.
Which begs the frickin question about why we’d want to promptly wipe out some tuna?
Can anyone confirm/deny the pre-programmed targets are in the ocean?
Straight out of the Nuclear Posture Review, page 26 (P.48), open-ocean targeting since 1994.
http://www.defense.gov/npr/docs/2010%20Nuclear%20Posture%20Review%20Report.pdf