Permissive action link

From Wikipedia, the free encyclopedia
(Redirected from Permissive Action Link)

UC1583 PAL controller (early 1990s), based on a commercial Compaq LTE laptop

A permissive action link (PAL) is an access control security device for nuclear weapons. Its purpose is to prevent unauthorized arming or detonation of a nuclear weapon.[1] The United States Department of Defense definition is:

A device included in or attached to a nuclear weapon system to preclude arming and/or launching until the insertion of a prescribed discrete code or combination. It may include equipment and cabling external to the weapon or weapon system to activate components within the weapon or weapon system.

The earliest PALs were little more than locks introduced into the control and firing systems of a nuclear weapon, designed to prevent a person from detonating it or removing its safety features. More recent innovations have included encrypting the firing parameters it is programmed with, which must be decrypted to properly detonate the warhead, and anti-tamper systems which intentionally mis-detonate the weapon if its other security features are defeated, destroying it without giving rise to a nuclear explosion.

History[edit]

Background[edit]

Sandia National Laboratories, 1951. Sandia was instrumental from the beginning in developing PALs.

Permissive action links were developed in the United States in a gradual process from the first use of atomic weapons to the early 1960s. In 1953 the United States Atomic Energy Commission and the Department of Defense signed the Missiles and Rockets Agreement, which paved the way for the development and implementation of PALs. Certain national laboratories, under the auspices of the AEC, would develop and produce nuclear weapons, while the responsibility for the use and deployment remained with the military. The laboratories were also free to conduct their own research in the field of arms control and security. The thinking behind this was that if the government would ever be interested in such a security device, the research and development of prototypes would already be well advanced. At the beginning of the 1960s, the desire for the usage of such a system grew for both political and technological reasons.

Newer nuclear weapons were less complex in operation, relatively mass-produced (and therefore predictably similar), and less cumbersome to arm and use than previous designs. Accordingly, new methods were necessary to prevent their unauthorized use. As the Cold War came to a head in the 1960s, the government felt it best not to leave the use of nuclear weapons in the hands of possibly-renegade generals, including the commander of Strategic Air Command (SAC).[2] Without Permissive Action Links, each nuclear weapon was effectively under the independent control of one person, the general under whose command it happened to fall.

I used to worry about the fact that [General Power] had control over so many weapons and weapon systems and could, under certain conditions, launch the force. Back in the days before we had real positive control [i.e., PAL locks], SAC had the power to do a lot of things, and it was in his hands, and he knew it.

— General Horace M. Wade, (at that time subordinate of General Power), [3]

In order to protect its NATO allies, the United States had stationed various nuclear weapons overseas; these weapons were thus at least under the partial control of the hosting allied state. This was especially concerning to the United States Congress, as control of these weapons by a third party was in violation of U.S. federal law. Added to this was the fact that some of the allies were considered potentially unstable—particularly West Germany and Turkey.[4] There was considerable concern that in one of these countries the instructions of the civilian leadership of the host country could overrule that country's military. In addition, the U.S. realized that in the event of war, parts of West Germany would be overwhelmed early on, and nuclear weapons stationed there could fall into the hands of the Soviet Union.

For a long time the U.S. military resisted the use of PALs. It feared the loss of its own independence, and it feared malfunction, which could put warheads out of action in a time of crisis. But the advantages of PALs outweighed the disadvantages: thanks to the PALs weapons were able to be distributed to a greater extent in Europe, so as to prevent a rapid and selective destruction or conquest by the Soviet bloc, while still retaining U.S. control over the farther-flung weapons.[4]

Development and dissemination[edit]

The precursors of permissive action links were simple mechanical combination locks that were set into the control systems of nuclear weapons, such as the Minuteman ICBM. There they could perform different functions: some blocked the cavity through which the nuclear materials were shot to create a reaction; other locks blocked circuits; and some simply prevented access to the control panel. For testing, some of these mechanisms were installed during 1959 in weapons stationed in Europe.[5]

The work on PAL prototypes remained at low levels until 1960. Sandia National Laboratories successfully created a number of new combination locks that were adaptable to different types of weapons. In the spring of 1961, there was a series of hearings in Congress, where Sandia presented the prototype of a special electro-mechanical lock, which was then known still as a "proscribed action link". The military leadership, however, soon realized that this term had negative connotations for the use of weapons by the officer corps ("proscribed" meaning "prohibited"), and decided to start calling PAL "permissive action link" instead ("permissive" meaning "allowing" or "tolerating").[citation needed]

National Security Action Memorandum 160: introduction of PAL to all U.S. nuclear weapons under NATO command

In June 1962, President John F. Kennedy signed the National Security Action Memorandum number 160. This presidential directive ordered the installation of PALs in all U.S. nuclear weapons in Europe. (U.S. nuclear weapons that were not in Europe were excluded from the order.) The conversion was completed in September 1962 and cost $23 million ($223 million in 2022 dollars[6]).

According to nuclear safety expert Bruce G. Blair, the US Air Force's Strategic Air Command worried that in times of need the codes for the Minuteman ICBM force would not be available, so it decided to set the codes to 00000000 in all missile launch control centers. Blair said the missile launch checklists included an item confirming this combination until 1977.[7] A 2014 article in Foreign Policy said that the US Air Force told the United States House Committee on Armed Services that "A code consisting of eight zeroes has never been used to enable a MM ICBM, as claimed by Dr. Bruce Blair."[8] The Air Force's statement (that 00000000 was never used to enable an ICBM, i.e. the weapons were not actually launched) does not contradict Blair's statement (that 00000000 was the code for doing so).

The complete conversion to PAL systems was relatively slow. In 1974, U.S. Defense Secretary James Schlesinger found that a variety of tactical nuclear weapons were still not fitted with permissive action links, even though the technology had been available for some time.[9] It took another two years until all the tactical nuclear weapons were fully equipped with PALs. In 1981, almost 20 years after the invention of PALs, just over half of U.S. nuclear weapons were still equipped only with mechanical locks.[4] It took until 1987 until these were completely replaced.

Modernization and the present[edit]

Over the years the permissive action links have been continuously maintained and upgraded. In 2002, PALs on older B61 nuclear bombs were replaced and upgraded with new systems to improve reliability and security, as a part of extending the weapons' service lives to at least 2025.[10]

Code management system

The year 1995 saw the development of the code management system (CMS). The CMS has simplified the control and logistics for staff and improved the flexibility and speed in deploying and arming weapons. New codes can be used to recode, lock, and manage the weapons, while the secrecy and validity of the possible launch orders is still ensured. In total, CMS consists of fourteen custom products (nine software and five hardware products).[11] The software products were developed by Sandia National Laboratories while the hardware was created by the National Nuclear Security Administration.

The CMS was fully operational for the first time in November 2001. A part of the system, a special cryptographic processor fitted into the weapons in 1997 had a potential Year 2000 problem. By the spring of 2004, all PAL systems were equipped with the CMS. It is thus currently the general foundation for future hardware and software improvements to PALs.

Features[edit]

Elements of PAL systems are located deep within the nuclear device. The design and construction attempt to create a black box system so as to limit information leakage. PALs are also linked directly or indirectly with a number of other security measures, which together form a comprehensive security package. To prevent exploitation and sniffing via power line attacks permissive action links are powered by low-maintenance radioisotope generators. Instead of conventional batteries, these generators produce electricity using the heat from the radioactive decay of plutonium-238. Although the half-life of 238Pu is 87.7 years, these generators' lifespan is shorter than that; the alpha decay of the plutonium produces helium, causing the pressure inside the generator to increase.[12]

"Bypassing a PAL should be, as one weapons designer graphically put it, about as complex as performing a tonsillectomy while entering the patient from the wrong end."

— Peter D. Zimmerman, nuclear physicist and weapons inspector[13]

PAL devices have been installed on all nuclear devices in the US arsenal. The US Navy was last to receive them, with all weapons fitted with PALs by 1996 or 1997.[14]

Two-man rule[edit]

These two locks are part of the implementation of the two-man-rule in a Minuteman ICBM launch control capsule

Modern PALs use the two-man rule, which is designed to prevent accidental or malicious launch of nuclear weapons by a single individual.[citation needed]

For example, on a ballistic missile submarine (SSBN), both the commanding officer (CO) and executive officer (XO) must agree that the order to launch is valid, and then mutually authorize the launch with their operations personnel. Instead of another party confirming a missile launch as in the case of land-based ICBMs, the set of keys is distributed among the key personnel on the submarine and kept in safes (each of these crew members has access only to his keys), some of which are locked by combination locks. Nobody onboard has the combination to open these safes; the unlock key comes as a part of the launch order from the higher authority.[15]

In the case of Minuteman missile launch crews, both operators must agree that the launch order is valid by comparing the order's authorization code against a code from a "sealed authenticator" (a special sealed envelope that holds a code). The sealed authenticators are stored in a safe that has two separate locks so that a single crew member cannot open the safe alone. Both crew members must simultaneously turn the four launch keys. An additional safeguard is provided by requiring the crew in another launch control center to do the same for the missiles to be launched.

Stronglinks and weaklinks[edit]

Simplified illustration of some nuclear weapon safety mechanisms

Another part of the PAL design is the inclusion of "stronglinks" and "weaklinks". These ensure resilience to accidental activation through damage. The stronglinks include an increased ruggedness of some components and the inclusion of insensitive munitions so that they will not be circumvented by fire, vibration, or magnetic fields, leaving the PAL vulnerable to bypass after such damage. Also, activation-critical electronics within the weapon, such as capacitors, are selected so that they will fail before the safety device in the event of damage, ensuring that the weapon fails safe.[16]

Critical signal detection[edit]

A B-61 bomb contains 5,919 parts, including its PAL

Nuclear weapons will only respond to a specific arming signal. This is passed to the weapon by a unique signal generator located outside the weapon. This output is specific and well-defined, precluding approximation, emulation, noise, or interference from being accepted as a false positive.[17]

Environmental sensing device[edit]

An environmental sensing device (ESD) determines through environmental sensors whether the weapon is operating in its combat environment. For example, on an ICBM, a nuclear warhead would first be exposed to a strong acceleration, then a period of free fall and then further acceleration as the warhead reenters the atmosphere. The ESD determines the external parameters such as acceleration curve, temperature and pressure, and only arms the weapon when these environments are sensed in the correct order.[18]

ESDs are not exclusive to weapons equipped with PALs and some weapons, such as the W25, also had ESDs despite not being fitted with PALs.[19]

Limited retry and non-violent disablement[edit]

Modern PALs are believed to feature a limited number of code reentries before the weapon locks out, requiring that the weapon be returned to Pantex for rebuilding. This system may also include a non-violent disablement system, where some of the weapon's internal components are destroyed to hamper use. This system may be part of the ordinary limited retry lockout system, or may be a feature that can be enabled if the local situation calls for it. The non-violent disablement system may also be part of the weapon's anti-intrusion system, designed to activate if someone tries to enter one of the weapon's exclusion regions such as for the purpose of circumventing the weapon's PAL.[20]

Versions[edit]

Simulated Peacekeeper missile launch (with a house key shown, rather than an actual missile system key)

Over the years the design and feature set of PALs has increased, as has the length of the access code. US-manufactured PALs are divided into five categories; however, the earliest PALs were never assigned a category letter.

Category Code length Description
3–4 Combination locks with a three-number sequence. Later versions used five numbers, so that the access code could be divided between two people, each of whom would only know half of the sequence with a commonly known number in between.
A 4 Electromechanical switches designed for ballistic missiles. The four-digit code was entered into the weapon using a portable electronic device.
B 4 Essentially identical in function to category A, but designed with newer technology. Additionally, they could be activated via a wired remote, and were thus used on weapons launched by aircraft.
C 6 Featured a six-digit switch, and allowed for only limited code attempts before lockout. Such behavior was pioneered in some late model category B PALs.
D 6 All the features of the previous generation, but also allowed for the input of multiple types of codes, including ones that could set the device to a training mode, or disable the weapon entirely.
F 12 Expanded the code length to 12 digits, and disabled the weapon in addition to lockout after a series of failed code entry attempts. They also include the ability to control the magnitude of the nuclear reaction (the so-called dial-a-yield feature) and an emergency stop.[21]

Usage by other states[edit]

  Other NPT signatory

The increase in the number of nuclear-armed states was a similar cause for concern for the United States government for reasons similar to the original impetus for PALs. Thus, since the 1960s, the US has offered its own PAL technologies to other nuclear powers.[citation needed] The US considered this a necessary step: if the technology were kept secret, it would only be half as effective as possible, since the other power in a conflict might not have such safety measures.

A Russian version of analogous PAL system for their program.

In the early 1970s, France was an early recipient of United States assistance on this critical element of nuclear security. The Nuclear Non-Proliferation Treaty (NPT) went into effect in 1970 and precluded treaty members (including the US) from directly disseminating technology related to nuclear weapons development or enhancement. In order to get around this prohibition, the US developed a legal trick: "negative guidance". French nuclear scientists would regularly brief US scientists on French developments in the field of PALs, and the US scientists would tell their French counterparts when they were not on the right track. In 1971, the US also offered its technology to the Soviet Union, which developed a similar system.

In the early 1990s, the People's Republic of China requested information to develop its own PALs.[22] The Clinton administration believed that to do so would give too much information to the Chinese about American weapon design, and therefore, refused the request.

Following the dissolution of the Soviet Union, Ukraine had on its territory the world's third largest nuclear weapons stockpile.[23] While Ukraine had physical control of the weapons, it did not have operational control of the weapons as they were dependent on Russian-controlled electronic permissive action links and the Russian command-and-control system. In 1994 Ukraine agreed to the destruction of the weapons, and to join the NPT.[24][25]

In 2007, the UK government revealed that its nuclear weapons were not equipped with permissive action links. Instead, the UK's nuclear bombs to be dropped by aircraft were armed by inserting a key into a simple lock similar to those used to protect bicycles from theft. The UK withdrew all air-launched bombs in 1998.[26]

A mobile TEL system equipped with IRBM displayed at the IDEAS 2008 defense exhibition in Karachi, Pakistan

Detailed information about PAL systems design and their use is classified, although these mechanisms have been offered to Pakistan[27] for protection of their nuclear weapons.[28] In the end, the US decided that it could not do so for legal reasons; the Pakistanis were also concerned that such technology would be sabotaged by a "kill-switch" that the US could operate. However, many experts in the field of nuclear technology in the US government supported the publication of the PAL system because they considered Pakistan's arsenal as the world's most vulnerable to abuse by terrorist groups.

Whether it's India or Pakistan or China or Iran, the most important thing is that you want to make sure there is no unauthorized use. You want to make sure that the guys who have their hands on the weapons can't use them without proper authorization.

In November 2007, The New York Times revealed that the US had invested $100 million since 2001 in a secret program to protect Pakistan's nuclear arsenal. Instead of transferring PAL technology, the US provided helicopters, night vision and nuclear detection devices, as well as training to Pakistani personnel in order to prevent the theft or misuse of Pakistan's nuclear material, warheads, and laboratories.[28]

See also[edit]

References[edit]

  1. ^ "Nuclear Command and Control" (PDF). Security Engineering: A Guide to Building Dependable Distributed Systems. Ross Anderson, University of Cambridge Computing Laboratory. Archived (PDF) from the original on February 19, 2011. Retrieved April 29, 2010.
  2. ^ Richard Rhodes: Dark Sun: The Making of the Hydrogen Bomb. Simon & Schuster, New York 1996, ISBN 978-0-684-81690-6.
  3. ^ Peter D. Feaver: Armed Servants: Agency, Oversight, and Civil-Military Relations. Harvard University Press, Cambridge 2005, ISBN 978-0-674-01761-0, S. 151.
  4. ^ a b c Peter Stein, Peter Feaver: Assuring Control of Nuclear Weapons: The Evolution of Permissive Action Links. University Press of America, Lanham 1989, ISBN 978-0-8191-6337-0.
  5. ^ Weapon Dispersal without Fear of Unauthorized Use. In: Sandia Lab News, Family Day Special Edition, Bd. 38 Nr. 20, 1986, S. 4.
  6. ^ 1634–1699: McCusker, J. J. (1997). How Much Is That in Real Money? A Historical Price Index for Use as a Deflator of Money Values in the Economy of the United States: Addenda et Corrigenda (PDF). American Antiquarian Society. 1700–1799: McCusker, J. J. (1992). How Much Is That in Real Money? A Historical Price Index for Use as a Deflator of Money Values in the Economy of the United States (PDF). American Antiquarian Society. 1800–present: Federal Reserve Bank of Minneapolis. "Consumer Price Index (estimate) 1800–". Retrieved February 29, 2024.
  7. ^ "Keeping Presidents in the Nuclear Dark (Episode #1: The Case of the Missing "Permissive Action Links") - Bruce G. Blair, Ph.D". Cdi.org. February 11, 2004. Archived from the original on May 11, 2012. Retrieved April 29, 2010.
  8. ^ Lamothe, Dan (January 21, 2014). "Air Force Swears: Our Nuke Launch Code Was Never '00000000'". Foreign Policy. Archived from the original on March 29, 2017. Retrieved January 24, 2017.
  9. ^ Thomas C. Reed: At the Abyss: An Insider’s History of the Cold War. Presidio Press, New York 2005, ISBN 978-0-89141-837-5.
  10. ^ Grossman, Elaine M. (September 26, 2008). "U.S. Air Force Might Modify Nuclear Bomb". GlobalSecurity.org. Archived from the original on October 9, 2008. Retrieved April 1, 2010.
  11. ^ Hans M. Kristensen: U.S. Nuclear Weapons in Europe. Natural Resources Defense Council, New York 2005, S. 20–21. (PDF; 4,9 MB Archived July 23, 2014, at the Wayback Machine, accessed February 4, 2009).
  12. ^ Milliwatt Surveillance Program Ensures RTG Safety and Reliability Archived March 7, 2011, at the Wayback Machine. In: The Actinide Research Quarterly, Winter 1994. accessed February 4, 2009.
  13. ^ Dan Caldwell, Peter D. Zimmerman: Reducing the Risk of Nuclear War with Permissive Action Links. In: Barry M. Blechman, David K. Boren (Eds.): Technology and the Limitation of International Conflict. Johns Hopkins Foreign Policy Institute, Washington, D.C. 2000, ISBN 978-0-941700-42-9.
  14. ^ Busch, Nathan E. No End in Sight: The Continuing Menace of Nuclear Proliferation. University Press of Kentucky. p. 48. ISBN 9780813126760.
  15. ^ Waller, Douglas C. "Practicing For Doomsday". Archived from the original on October 8, 2009.
  16. ^ David W. Plummer, William H. Greenwood: History of Nuclear Weapon Safety Devices. Sandia National Laboratories, Albuquerque 1998. Presented at the 34th AIAA/ASME/SAE/ASEE Joint Propulsion Conference, Cleveland, July 1998. (PDF; 1,3 MB Archived June 17, 2022, at the Wayback Machine, accessed September 23, 2010).
  17. ^ Donald R. Cotter: "Peacetime Operations: Safety and Security." In: Ashton B. Carter, John D. Steinbruner, Charles A. Zraket (Eds.): Managing Nuclear Operations. Brookings Institution Press, Washington, D.C. 1987, ISBN 978-0-8157-1313-5.
  18. ^ History of the TX-61 Bomb (Report). Sandia National Laboratories. August 1971. Archived from the original on March 30, 2021. Retrieved May 9, 2021.
  19. ^ History of the Mk 25 Warhead (Report). Sandia National Laboratories. August 1967.
  20. ^ Sublette, Carey (October 1, 1997). "Principles of Nuclear Weapons Security and Safety". Nuclear Weapon Archive. Retrieved May 9, 2021.
  21. ^ Thomas B. Cochran, William M. Arkin, Milton M. Hoenig: Nuclear Weapons Databook: Volume I - U.S. Nuclear Forces and Capabilities. Ballinger Publishing Company, Pensacola 1984, ISBN 978-0-88410-173-4.
  22. ^ Steven M. Bellovin: Permissive Action Links, Nuclear Weapons, and the Prehistory of Public Key Cryptography. Department of Computer Science, Columbia University, April 2006. (PDF; 0.1 MB Archived September 1, 2021, at the Wayback Machine, retrieved on February 4, 2009).
  23. ^ "Budapest Memorandums on Security Assurances, 1994". Council on Foreign Relations. December 5, 1994. Archived from the original on March 17, 2014. Retrieved March 2, 2014.
  24. ^ William C. Martel (1998). "Why Ukraine gave up nuclear weapons: nonproliferation incentives and disincentives". In Barry R. Schneider, William L. Dowdy (ed.). Pulling Back from the Nuclear Brink: Reducing and Countering Nuclear Threats. Psychology Press. pp. 88–104. ISBN 9780714648569. Archived from the original on March 21, 2017. Retrieved August 6, 2014. There are some reports that Ukraine had established effective custody, but not operational control, of the cruise missiles and gravity bombs. ... By early 1994 the only barrier to Ukraine's ability to exercise full operational control over the nuclear weapons on missiles and bombers deployed on its soil was its inability to circumvent Russian permissive action links (PALs).
  25. ^ Alexander A. Pikayev (Spring–Summer 1994). "Post-Soviet Russia and Ukraine: Who can push the Button?" (PDF). The Nonproliferation Review. 1 (3): 31–46. doi:10.1080/10736709408436550. Archived (PDF) from the original on May 21, 2014. Retrieved August 6, 2014.
  26. ^ "Programmes | Newsnight | British nukes were protected by bike locks". BBC News. November 15, 2007. Archived from the original on January 17, 2010. Retrieved April 29, 2010.
  27. ^ Sanger, David E. (2009). The Inheritance. London, UK: Bantam Press. p. 224. ISBN 978-0-593-06417-7.
  28. ^ a b New York Times: U.S. Secretly Aids Pakistan in Guarding Nuclear Arms Archived April 13, 2016, at the Wayback Machine, Accessed on February 4, 2009.

Further reading[edit]

External links[edit]