It made for great drama-a tyrannical commanding officer believes he has the authorization to launch his Trident missiles while his executive officer is ready to support mutiny in his belief that such authorization may no longer exist. There is confusion over what the rules of engagement are for an SSBN involved in nuclear warfare. Temion, stress, theater! At the end, the American public is reassured that all will be okay because, as a subtitle tells us, starting in 1997 new codes will be implemented on submarines to preclude such an event. Two experienced FBM submariners are listed as Technical Advisors to lend an aura of credibility to all of this.
Well, it doesn’t work that way and never has. This article will address a highly classified topic in an unclassified venue by attempting to explain how command and control really works on board a unit of the nation’s premier strategic deterrent force. Much has changed since the Berlin Wall came down, since the U.S. Strategic Command (USStratCom) stood up, and since the nuclear posture review was published. However, the fundamental concept would be familiar to anyone who served in SSBNs in the 1960s.
Background
Nuclear command and control procedures are those methods used to ensure that actual nuclear weapons, submarine launched ballistic missiles in this case, are only fired upon receipt of authorization from the National Command Authority-and to ensure that any such authorization is real. Similar procedures apply to other nuclear weapons such as the Tomahawk Land Attack Missile (Nuclear) and the U.S. Air Force’s ICBMs.
Whatever system is used, it has to apply simultaneously to all U.S. nuclear delivery vehicles since one could reasonably assume that the President might only have time to approve a single message to retaliate against a disabling strike. That message would have to implement all phases of the American response without ambiguity
while still being as short as possible.
At the same time, the system would have to have built-in safeguards that would preclude anyone else from sending a false message; and which would provide recipients with absolute assurance that the horror they were about to inflict on the world was properly authorized at the highest level of the U.S. Government.
Out of these requirements evolved the Emergency Action Message system. The message contains values that decode to topics such as the U. S. forces involved, the nations and targets designated for attack, and a coordinated strike time. The message also contains a sealed authentication system (SAS) value that must match, bit for bit, a sealed authentication held under two person control on board the SSBN.
Prior to October 1997. if the message were exact in format, if all the appropriate decodes worked, if the sealed authentication matched, and if the message made sense in the context in which received, the commanding officer would announce on the 1 MC, “Set condition l SQ for strategic launch 1 , the release of nuclear weapons has been directed.” The executive officer would make a similar announcement on the sound powered telephone system and strategic weapons personnel would have had to hear both announcements in order to comply with the “Set ISQ” order. For exercises or test missile launches, different words are used. There is no drill that involves stating that nuclear weapons are released.
The commanding officer and his team have always been charged with ensuring that missiles would be launched only if the team was assured that the release was authorized, that the missiles released were for the right targets, and that all was in accordance with the strike timing.
SSBNs did not have a permissive action link or PAL system as did other U.S. systems. PAL, or its variants, is a system that locks weapons or launchers with a combination that must be sent to the launch site (silo, aircraft, ship, etc.) and entered into the system there. The idea of such a system was to preclude the two people on duty, or the pilot and co-pilot, from starting World War III on their own. SSBN force personnel argued successfully for years that the complexity of a submarine missile launch and the necessary involvement of many people made PAL, or something similar, unnecessarily redundant.
Fail-Safe and Risk Reduction Commission
In 1992, following separate initiatives by Senator Sam Nunn (DGA) and by President George Bush, the Fail-Safe and Risk Reduction Commission was created under the chairmanship of Ambassador Jeanne Kirkpatrick and the deputy chairmanship of Admiral R. L. J. Long, USN(Ret). The Commission was charged with reviewing all U.S. nuclear weapons systems and the supporting command infrastructure in light of the end of the Cold War. It was to see if procedures, equipment, and systems that made sense at the height of our face off with the Soviet Union still made sense in the very different world with new goo-political realities.
The Commission’s findings were extensive and thorough. For SSBN strategic weapons systems, however, they were few. The most dramatic recommendation, from the SSBN perspective, was to lock up a critical component of the SSBN strategic weapons system in an on-board safe to which the crew would not have access. At time of launch authorization, the combination would be provided from an off-board source. Although, this sounds very much like install PAL on SSBNs to those who are not familiar with the workings of a PAL system, there was no requirement to lock individual weapons or launchers, only a critical component of the system. This difference makes this a form of Use Control and not PAL. In summary, what the recommendation essentially said was to “install a use control device on submarine launched ballistic missile systems such that it takes a message from an outside source to employ it.”
The Commission’s findings were extensive and thorough. For SSBN strategic weapons systems, however, they were few. The most dramatic recommendation, from the SSBN perspective, was to lock up a critical component of the SSBN strategic weapons system in an on-board safe to which the crew would not have access. At time of launch authorization, the combination would be provided from an off-board source. Although, this sounds very much like install PAL on SSBNs to those who are not familiar with the workings of a PAL system, there was no requirement to lock individual weapons or launchers, only a critical component of the system. This difference makes this a form of Use Control and not PAL. In summary, what the recommendation essentially said was to “install a use control device on submarine launched ballistic missile systems such that it takes a message from an outside source to employ it.”
Secretary of Defense Cheney endorsed the findings of the Commission and directed compliance. President Clinton, after the nuclear posture review. issued a. Presidential Decision Directive which, among other things, moved the requirement to implement the Commission’s recommendations from a SecDef letter to a Presidential directive.
The change from not having use control on SSBNs to having use control requires some explanation-after all, the Navy had successfully argued against that for years. First, there is the issue of the end of the Cold War. The Commission’s responsibility was to ensure Fail-Safe and Risk Reduction and they were willing to have the SSBN Force stand a little further back in the fox-hole if, by so doing, the risk of nuclear war was acceptably reduced without giving up a credible nuclear option. Further, employment of a use control system meant that a second set of external values enabling launch (the original sealed authentication plus the new use control unlock combination) would give the commanding officer and his team greatly increased confidence in the validity of the launch order. The sealed authentication and use control unlock values are created, distributed, and installed by separate activities along independent paths and the values are not co-located anywhere in the system except at the top command echelons. Note that these two reasons at no time discuss preventing a rogue crew from launching. The rogue SSBN crew argument was reviewed by the Commission and determined to be as fallacious now as it was during the Cold War.
Implementation
Within the Navy. the Director Strategic Systems Programs (DIRSSP) was tasked with implementing the Presidential Decision Directive. A study showed that several requirements had to be met for whatever use control system was eventually employed. With the system in place, we had to be able to:
- do routine testing and maintenance of the weapons system both underway and in port;
- launch test missiles while still carrying tactical missiles as is done during Follow-on Commander-in-Chief Evaluation Tests;
- inventory keys and components at exchanges of command and at other required times;
- jettison a missile if a casualty mandated such an extreme action;
- make it applicable to both the Trident I and Trident II
systems; - not impact the length or format of the current emergency action message;
- not delay the launch; and
- ensure that the traditionally high weapons system reliability of the fleet ballistic missile was not diminished.
Additionally, since any system developed would be a U.S. only program and because the Trident II Weapons System has been bought by the United Kingdom, any design decision could not impact common equipment used by both countries .
Out of all this came the current SSBN use control system which was installed in every SSBN during the summer of 1997 and fully implemented on 1 October of that year.
The key component was determined to be the Commanding Officer’s key (the Captain’s Indicator Panel or CIP Key). That key, previously stored in the two-man control SAS safe, was moved to a new safe. The new container has two combination locks, both set with identical combinations, either of which can cause the safe to open. This ensures that there is no impact on system reliability should one lock fail. The combination to these locks is set by a shore based team which is split into two groups. Each group knows only half of the combination, such that at no time is the full combination known to the entire team. With assistance from the National Security Agency, processes were developed so that the SSBN crew could derive the use control combination using the PAL value sent in the emergency action message. Further details are above the classification level of this article.
Summary
Now, if a real emergency action message is ever received by an SSBN, the additional step of deriving the unlock values to open the safe and get the key will proceed in parallel with other operations. Seeing the Presidential authentication (the sealed authentication system is unchanged) and obtaining the CIP key (meaning that the
proper combination was transmitted) provides the command and control team with two independent assurances that the message is real.
The system has been in operation for over a year. Exercises and Follow-on CinC Evaluation Tests have been conducted with the system working as designed. While one hopes that the system will never be used for real, the extensive testing provides the confidence that it would work as designed.
So Crimson Tide didn’t get it right. I never met an SSBN commanding officer who was not fully aware of the nuclear rules of engagement-and I also never met one who took his Jack Russell terrier to sea.
Mel Lyman, (Captain, USN(Ret.)) is the Special Weapons Safety and Surety Program Manager at the Applied Physics Laboratory. He appreciates the contributions his deputy, Paul Hardy (Lieuten-anl Commander, USN(Ret.)), made in editing this article. Both are expended submarine officers.
CAPT Joseph W. Beadles, Jr. USN(Ret.)
ADM Harold E. Shear, USN(Ret.)
