Right of Launch: Command and Control Vulnerabilities After a Limited Nuclear Strike
Editor’s Note: Bruce Blair passed away in July 2020. His co-authors are grateful to his widow, Sally Blair, for permission to publish this article and list Bruce as a co-author.
Imagine a rapidly escalating conflict between Russian and NATO forces. Compensating for Russia’s perceived conventional inferiority, Russian commanders execute a limited nuclear strike — a small number of low-yield weapons intended to change conditions on the battlefield. The U.S. president, in turn, authorizes a limited nuclear response just before being evacuated from the White House. While rushing toward their helicopter, he or she wonders what Russia’s next move will be and hopes they will not have to authorize additional nuclear strikes. The problem is they may have unintentionally done so already.
America’s nuclear command and control system focuses on securing nuclear weapons until authentication of a president’s orders. But right of launch — immediately after the president’s first orders have been executed — the system is primed to allow additional strikes instead of resetting the launch codes or putting the launch keys back in their safes. As a result, after that first limited strike the danger of unauthorized launch is worse in crisis situations where controlling escalation is critical. No command and control system can reconcile the adaptation and flexibility required by war with the tight control over nuclear weapons that is vital to preventing unauthorized launches and clearly signaling intentions to limit rather than increase the scale of conflict. In order to maintain robust command and control in a crisis, the United States should place less reliance on limited nuclear options.
Safeguards Against Unauthorized Nuclear Use
The U.S. nuclear command and control architecture focuses on preventing unauthorized use prior to presidential authorization. One of the first barriers is the permissive action link — a code that has to be correctly entered before the warhead arms. Permissive action links are intended to keep warheads and bombs safe during transit and storage, and to prevent unauthorized detonation by anyone who manages to get their hands on one. For silo-based and submarine-launched ballistic missiles, permissive action links are unlocked before warheads are fitted onto their delivery bus.
Presidential authentication is another safeguard. To order a nuclear strike, the president needs to crack open the nuclear biscuit — a laminated card carried by either the president or the president’s military aide — and provide the appropriate response to the sequence of letters read by the duty officer in the Pentagon’s military command center. If the codes match, this is taken as proof that the order is coming from the president, or the next surviving member of the chain of command. Once authenticated, the president’s chosen option is transmitted by the Pentagon’s command center directly to the crews involved in carrying out the order.
Besides making sure any launch order comes from the president, there are additional measures intended to stop unauthorized launch. Here we concentrate on intercontinental ballistic missiles and submarine-launched ballistic missiles, which comprise over 80 percent of deployed U.S. strategic nuclear weapons — an additional 450 nuclear warheads can be delivered by dual-capable aircraft. When the president selects a specific attack option, the associated unlock code is sent to launch crews. Once a submarine or intercontinental ballistic missile crew receives an authenticated order, they unlock safes and compare the codes inside with the one they just received. If the codes match, intercontinental ballistic missile crews then begin the process of typing targeting coordinates into their computers and launching the missiles. On submarines there is an intermediate step that involves two senior officers retrieving from a safe the key needed to fire the missiles.
If the president selects a limited nuclear option, a selective unlock code allows crews to fire specific missiles at specific targets — and only those missiles. Although the launch crews all have the keys necessary to fire additional nuclear weapons, they lack the unlock codes needed to arm, target, and fire those weapons.
But what if a specific missile fails to fire? Or perhaps it leaves its launch tube, arrives at the target, but doesn’t cause sufficient damage because the warhead malfunctions or the target was harder or more elusive than calculated? What happens if — in the two to seven minutes it takes intercontinental ballistic missiles crews (15 to 20 minutes for submarines) to arm, target, and fire their weapons — an important but time-sensitive target becomes available? One can imagine a variety of reasons why the president might find it prudent to authorize both a nuclear strike and then a back-up or contingency plan. In such cases, multiple different unlock codes would be sent to the launch crews, along with instructions that might specify when to launch and whether or not additional authorization is needed.
What Happens After an Initial Launch?
After execution of the initial limited strike authorized by the president, the military would have the unlock codes for selected additional strikes. The command and control system assumes that subsequent orders adhere to the guidance given by the president. No additional authentication by the president is necessary.
Consider, for example, today’s nuclear weapon-equipped submarines. After a missile is fired, they can “pause” their launch sequences and resume strikes later without the need to go through an entire pre-launch checklist again. This means that the president’s back-up or contingency plan can be executed without additional presidential authorization and with little more than the turn of a key.
There are also incentives for the president to authorize more than a small number of contingency strikes. Any president would also take into account possible retaliation or escalation after that first limited nuclear strike. Consider again the scenario in which Russia’s purported escalate to de-escalate doctrine is in operation: In the fog of an ongoing skirmish in Europe that has escalated to limited nuclear use, the president might reasonably be convinced that it is best to leave the White House and move to a more secure facility. Concerned about communications problems, the president authorizes a limited strike, but also additional future options in the event that the crisis escalates while they are aboard a helicopter headed for Andrews Air Force Base. Perhaps there are concerns about attacks on other U.S. government leaders, making it important for the president to leave behind contingency plans until continuity of government can be verified. What happens if the North American Aerospace Defense Command detects an incoming strike that will destroy U.S. intercontinental ballistic missiles unless they are launched, but communications links are temporarily down, garbled, or disabled? Worried about potential communications breakdowns, the president might pre-authorize additional strikes.
Another complication is the need to preserve flexibility so that the remaining nuclear weapons can be allocated to future targets. When a particular strike option is chosen, the nuclear weapons that are left are adjusted to cover remaining targets. Think of operational nuclear weapons as part of a dynamic matrix. New targets appear or the best weapon for a particular target may already have been launched. Some weapons are withheld should other adversaries want to take advantage in a crisis. After a limited nuclear strike, there are numerous reasons why the remaining operational weapons might have to be reallocated to different targets.
Because targeting is dynamic and crises uncertain, the president has multiple incentives to authenticate the universal unlock code. Just as the adjectives suggest, this code would allow intercontinental ballistic missile and submarine crews to launch all of their nuclear weapons. The intent is to provide flexibility to the Pentagon and U.S. Strategic Command to issue additional launch orders if the president can’t be found, weapons don’t function, Russia suddenly escalates, or another country (e.g., China) decides to enter the fray. But the universal unlock code, which would simultaneously be broadcast to all launch crews and command posts, also creates opportunities for unauthorized launch.
The universal unlock code would give Strategic Command and the Pentagon’s command center the ability to transmit orders for additional strikes even if they were not authorized by the president. The same is true for launch crews. Cut off from the chain of command due to communications disruption, or garbled follow-on messages, a submarine crew would be able to unleash a salvo of missiles without additional authorization. For intercontinental ballistic missiles, ten people control a squadron of 50 missiles. But it takes only two such “votes” to launch a nuclear strike.
We are not suggesting that the nuclear weapons chain of command is harboring potential Dr. Strangeloves, just waiting to launch the doomsday machine in retaliation for “the international Communist conspiracy to sap and impurify all of our precious bodily fluids.” But the universal unlock code does provide multiple different actors with the discretion to launch additional nuclear strikes without the authorization of the president or the president’s successor.
What happens if there is a pause in hostilities or the president decides to rule out further use of nuclear weapons? In such cases, the weapons remain subject to unauthorized launch until the unlock codes can be changed. This requires new launch codes to be issued by the National Security Agency and the codes, along with associated equipment, to be physically transported to each missile base and submarine. At intercontinental ballistic missile bases, such code changes often take a full day and require many routine activities to be suspended. It takes longer for submarines, some of which may take days or even weeks to return to port.
Command and Control Protocols Aren’t Prepared for Limited Nuclear War
U.S. nuclear command and control protocols have neglected to keep pace with strategies that call for limited nuclear war or limited nuclear strikes. Moreover, it is difficult and perhaps impossible to create a system of command and control that eliminates the danger of unauthorized launch while also enabling the flexibility sometimes required by the pace and fog of war. Ordering the first use of a nuclear weapon could easily lead to an exponential increase in the risk of unauthorized actions, whether due to nefarious intent or simple miscommunication. This danger is at its worst during precisely those situations where deterrence assumes actions are carefully calibrated and decision-makers securely in control.
The nuclear weapon command and control system needs to be flexible enough to accommodate the uncertainties and dynamic conditions that always come with war, and that permeate efforts to keep limited war from escalating. The command and control system should also be invulnerable to unauthorized launch. But both conditions cannot be satisfied at the same time. As a consequence, the only way to ensure that nuclear weapons are only used as prescribed by the president is to reduce reliance on limited nuclear strikes. To this end, the United States should recognize that the sole purpose of nuclear weapons ought to be deterrence of existential threats, not fighting for limited objectives.
Bruce G. Blair was the author of numerous books on nuclear weapons command and control and the founder of Global Zero, as well as a member of Princeton University’s Program on Science and Global Security.
Sebastien Philippe is an engineer and associate research scholar with Princeton University’s Program on Science and Global Security. His technical work lies at the intersection of nuclear science, physics, and cryptography. He was a Stanton Nuclear Security Postdoctoral Fellow at Harvard’s Belfer Center, and previously served as a strategic nuclear weapon system safety and security engineer.
Sharon K. Weiner, associate professor of international relations at the School of International Service, American University, has received numerous awards for her research on nuclear weapons issues, including a Council on Foreign Relations International Affairs Fellowship and a Carnegie Fellowship. Her government experience includes both houses of Congress, the Joint Staff, and the Office of Management and Budget.