A permissive action link (PAL) is an access control security device for nuclear weapons. Its purpose is to prevent unauthorized arming or detonation of a nuclear weapon.[1] The United States Department of Defense definition is:
The earliest PALs were little more than locks introduced into the control and firing systems of a nuclear weapon, designed to prevent a person from detonating it or removing its safety features. More recent innovations have included encrypting the firing parameters it is programmed with, which must be decrypted to properly detonate the warhead, and anti-tamper systems which intentionally mis-detonate the weapon if its other security features are defeated, destroying it without giving rise to a nuclear explosion.
Permissive action links were developed in the United States in a gradual process from the first use of atomic weapons to the early 1960s. In 1953 the United States Atomic Energy Commission and the Department of Defense signed the Missiles and Rockets Agreement, which paved the way for the development and implementation of PALs. Certain national laboratories, under the auspices of the AEC, would develop and produce nuclear weapons, while the responsibility for the use and deployment remained with the military. The laboratories were also free to conduct their own research in the field of arms control and security. The thinking behind this was that if the government ever became interested in such a security device, the research and development of prototypes would already be well advanced. At the beginning of the 1960s, the desire for such a system grew for both political and technological reasons.
Newer nuclear weapons were less complex in operation, relatively mass-produced (and therefore predictably similar), and less cumbersome to arm and use than previous designs. Accordingly, new methods were necessary to prevent their unauthorized use. As the Cold War came to a head in the 1960s, the government felt it best not to leave the use of nuclear weapons in the hands of possibly-renegade generals, including the commander of Strategic Air Command (SAC).[2] Without Permissive Action Links, each nuclear weapon was effectively under the independent control of one person, the general under whose command it happened to fall.
In order to protect its NATO allies, the United States had stationed various nuclear weapons overseas; these weapons were thus at least under the partial control of the hosting allied state. This was especially concerning to the United States Congress, as control of these weapons by a third party was in violation of U.S. federal law. Added to this was the fact that some of the allies were considered potentially unstable—particularly West Germany and Turkey.[3] There was considerable concern that in one of these countries the instructions of the civilian leadership of the host country could overrule that country's military. In addition, the U.S. realized that in the event of war, parts of West Germany would be overwhelmed early on, and nuclear weapons stationed there could fall into the hands of the Soviet Union.
For a long time the U.S. military resisted the use of PALs. It feared the loss of its own independence, and it feared malfunction, which could put warheads out of action in a time of crisis. But the advantages of PALs outweighed the disadvantages: thanks to PALs, weapons could be distributed more widely in Europe, so as to prevent a rapid and selective destruction or conquest by the Soviet bloc, while still retaining U.S. control over the farther-flung weapons.
The precursors of permissive action links were simple mechanical combination locks that were set into the control systems of nuclear weapons, such as the Minuteman ICBM. There they could perform different functions: some blocked the cavity through which the nuclear materials were shot to create a reaction; other locks blocked circuits; and some simply prevented access to the control panel. For testing, some of these mechanisms were installed during 1959 in weapons stationed in Europe.[4]
The work on PAL prototypes remained at low levels until 1960. Sandia National Laboratories successfully created a number of new combination locks that were adaptable to different types of weapons. In the spring of 1961, there was a series of hearings in Congress, where Sandia presented the prototype of a special electro-mechanical lock, which was then still known as a "proscribed action link". The military leadership, however, soon realized that this term had negative connotations for the use of weapons by the officer corps ("proscribed" meaning "prohibited"), and decided to start calling PAL "permissive action link" instead ("permissive" meaning "allowing" or "tolerating").
In June 1962, President John F. Kennedy signed the National Security Action Memorandum number 160. This presidential directive ordered the installation of PALs in all U.S. nuclear weapons in Europe. (U.S. nuclear weapons that were not in Europe were excluded from the order.) The conversion was completed in September 1962 and cost $23 million.
According to nuclear safety expert Bruce G. Blair, the US Air Force's Strategic Air Command worried that in times of need the codes for the Minuteman ICBM force would not be available, so it decided to set the codes to 00000000 in all missile launch control centers. Blair said the missile launch checklists included an item confirming this combination until 1977.[5] A 2014 article in Foreign Policy said that the US Air Force told the United States House Committee on Armed Services that "A code consisting of eight zeroes has never been used to enable a MM ICBM, as claimed by Dr. Bruce Blair."[6] The Air Force's statement (that 00000000 was never used to enable an ICBM, i.e. the weapons were not actually launched) does not contradict Blair's statement (that 00000000 was the code for doing so).
The complete conversion to PAL systems was relatively slow. In 1974, U.S. Defense Secretary James Schlesinger found that a variety of tactical nuclear weapons were still not fitted with permissive action links, even though the technology had been available for some time.[7] It took another two years until all the tactical nuclear weapons were fully equipped with PALs. In 1981, almost 20 years after the invention of PALs, just over half of U.S. nuclear weapons were still equipped only with mechanical locks.[3] It took until 1987 until these were completely replaced.
Over the years the permissive action links have been continuously maintained and upgraded. In 2002, PALs on older B61 nuclear bombs were replaced and upgraded with new systems to improve reliability and security, as a part of extending the weapons' service lives to at least 2025.[8]
Code management system
The year 1995 saw the development of the code management system (CMS). The CMS has simplified the control and logistics for staff and improved the flexibility and speed in deploying and arming weapons. New codes can be used to recode, lock, and manage the weapons, while the secrecy and validity of the possible launch orders is still ensured. In total, CMS consists of fourteen custom products (nine software and five hardware products).[9] The software products were developed by Sandia National Laboratories while the hardware was created by the National Nuclear Security Administration.
The CMS was fully operational for the first time in November 2001. A part of the system, a special cryptographic processor fitted into the weapons in 1997, had a potential Year 2000 problem. By the spring of 2004, all PAL systems were equipped with the CMS. It is thus currently the general foundation for future hardware and software improvements to PALs.
Elements of PAL systems are located deep within the nuclear device. The design and construction attempt to create a black box system so as to limit information leakage. PALs are also linked directly or indirectly with a number of other security measures, which together form a comprehensive security package. To prevent exploitation and sniffing via power line attacks, permissive action links are powered by low-maintenance radioisotope generators. Instead of conventional batteries, these generators produce electricity using the heat from the radioactive decay of plutonium-238. Although the half-life of ²³⁸Pu is 87.7 years, these generators' lifespan is shorter than that; the alpha decay of the plutonium produces helium, causing the pressure inside the generator to increase.[10]
PAL devices have been installed on all nuclear devices in the US arsenal. The US Navy was last to receive them, with all weapons fitted with PALs by 1996 or 1997.[11]
Modern PALs use the two-man rule, which is designed to prevent accidental or malicious launch of nuclear weapons by a single individual.
For example, on a ballistic missile submarine (SSBN), both the commanding officer (CO) and executive officer (XO) must agree that the order to launch is valid, and then mutually authorize the launch with their operations personnel. Instead of another party confirming a missile launch as in the case of land-based ICBMs, the set of keys is distributed among the key personnel on the submarine and kept in safes (each of these crew members has access only to his keys), some of which are locked by combination locks. Nobody onboard has the combination to open these safes; the unlock key comes as a part of the launch order from the higher authority.[12]
In the case of Minuteman missile launch crews, both operators must agree that the launch order is valid by comparing the order's authorization code against a code from a "sealed authenticator" (a special sealed envelope that holds a code). The sealed authenticators are stored in a safe that has two separate locks so that a single crew member cannot open the safe alone. Both crew members must simultaneously turn the four launch keys. An additional safeguard is provided by requiring the crew in another launch control center to do the same for the missiles to be launched.
Another part of the PAL design is the inclusion of "stronglinks" and "weaklinks". These ensure resilience to accidental activation through damage. The stronglinks include increased ruggedness of some components and the inclusion of insensitive munitions, so that they cannot be circumvented by fire, vibration, or magnetic fields, which would otherwise leave the PAL vulnerable to bypass after such damage. Also, activation-critical electronics within the weapon, such as capacitors, are selected so that they will fail before the safety device in the event of damage, ensuring that the weapon fails safe.[13]
Nuclear weapons will only respond to a specific arming signal. This is passed to the weapon by a unique signal generator located outside the weapon. This output is specific and well-defined, precluding approximation, emulation, noise, or interference from being accepted as a false positive.[14]
An environmental sensing device (ESD) determines through environmental sensors whether the weapon is operating in its combat environment. For example, on an ICBM, a nuclear warhead would first be exposed to a strong acceleration, then a period of free fall and then further acceleration as the warhead reenters the atmosphere. The ESD determines the external parameters such as acceleration curve, temperature and pressure, and only arms the weapon when these environments are sensed in the correct order.[15]
ESDs are not exclusive to weapons equipped with PALs and some weapons, such as the W25, also had ESDs despite not being fitted with PALs.[16]
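The ordered-environment check described above can be modelled as a latching state machine. This is an added example, not code from any fielded device: the class name, the phase names, and the g-force ranges and sample counts in `PROFILE` are constructed for illustration.

```python
# Constructed profile: (phase, min g, max g, minimum samples seen in range).
PROFILE = [
    ("boost",     3.0, 20.0, 3),
    ("free_fall", -0.2, 0.2, 3),
    ("reentry",   5.0, 60.0, 2),
]


def _in(phase, g):
    return phase[1] <= g <= phase[2]


class EnvironmentInterlock:
    """Satisfied only if every phase is sensed in profile order; faults latch."""

    def __init__(self, profile=PROFILE):
        self.profile, self.stage, self.dwell, self.state = profile, 0, 0, "SAFE"

    def feed(self, g):
        if self.state != "SAFE":
            return self.state                  # SATISFIED and FAULT are both terminal
        cur, nxt = self.profile[self.stage], self.stage + 1
        done = self.dwell >= cur[3]
        if done and nxt < len(self.profile) and _in(self.profile[nxt], g):
            self.stage, self.dwell = nxt, 1    # the expected next environment began
        elif _in(cur, g):
            self.dwell += 1
        elif any(_in(p, g) for p in self.profile[nxt:]):
            self.state = "FAULT"               # a later environment seen out of order
        elif not done:
            self.dwell = 0                     # noise before the phase was established
        last = len(self.profile) - 1
        if self.stage == last and self.dwell >= self.profile[last][3]:
            self.state = "SATISFIED"
        return self.state


def run(samples):
    """Feed a list of accelerometer readings (in g) and return the final state."""
    lock = EnvironmentInterlock()
    for g in samples:
        lock.feed(g)
    return lock.state


# Constructed accelerometer traces.
NOMINAL = [1.0, 1.0, 6.0, 9.0, 8.0, 2.0, 0.0, 0.1, 0.0, 0.05, 3.0, 25.0, 40.0]
SHOCK_ONLY = [1.0, 6.0, 9.0, 8.0, 30.0, 40.0]   # high g with no free-fall phase
STORAGE = [1.0, 6.0, 9.0, 8.0, 1.0, 1.0]        # handling loads, then at rest
```

Because a fault latches, a trace that skips a phase cannot be "repaired" by supplying the missing phase afterwards.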
Modern PALs are believed to feature a limited number of code reentries before the weapon locks out, requiring that the weapon be returned to Pantex for rebuilding. This system may also include a non-violent disablement system, where some of the weapon's internal components are destroyed to hamper use. This system may be part of the ordinary limited retry lockout system, or may be a feature that can be enabled if the local situation calls for it. The non-violent disablement system may also be part of the weapon's anti-intrusion system, designed to activate if someone tries to enter one of the weapon's exclusion regions such as for the purpose of circumventing the weapon's PAL.[17]
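The limited-retry lockout described above is the same control used in smart cards and HSMs, and a short model shows why it matters more than code length alone. This is an added example, not a description of any real PAL: the class and function names, the three-try limit, the PBKDF2 storage, and modelling disablement as wiping the stored secret are all assumptions.

```python
import hashlib
import hmac
import os


class LimitedTryLock:
    """Code-entry lock that disables itself permanently after too many wrong codes."""

    def __init__(self, code: str, max_tries: int = 3):   # limit of 3 is an assumption
        self._salt = os.urandom(16)
        self._digest = self._derive(code)    # only a salted hash of the code is kept
        self._tries_left = max_tries
        self.state = "LOCKED"                # LOCKED -> ENABLED, or LOCKED -> DISABLED

    def _derive(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 100_000)

    def enter_code(self, attempt: str) -> str:
        if self.state != "LOCKED":
            return self.state                # DISABLED is terminal, even for the right code
        # Spend the try before comparing, so interrupting the check
        # (for example by cutting power) cannot win back an attempt.
        self._tries_left -= 1
        # Constant-time comparison avoids leaking how much of the code matched.
        if hmac.compare_digest(self._derive(attempt), self._digest):
            self.state = "ENABLED"
        elif self._tries_left == 0:
            self._digest = b""               # stand-in for disablement: destroy the secret
            self.state = "DISABLED"
        return self.state


def guess_probability(digits: int, tries: int) -> float:
    """Chance that uniform random guessing hits a decimal code within the try limit."""
    return tries / 10 ** digits
```

With three tries, `guess_probability(6, 3)` is 3 in a million and `guess_probability(12, 3)` is 3 in a trillion; without a try limit either code space can eventually be exhausted.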
Over the years the design and feature set of PALs has increased, as has the length of the access code. US-manufactured PALs are divided into five categories; however, the earliest PALs were never assigned a category letter.
| Category | Code length | Description |
|---|---|---|
| | | Combination locks with a three-number sequence. Later versions used five numbers, so that the access code could be divided between two people, each of whom would only know half of the sequence with a commonly known number in between. |
| | | Electromechanical switches designed for ballistic missiles. The four-digit code was entered into the weapon using a portable electronic device. |
| | | Essentially identical in function to category A, but designed with newer technology. Additionally, they could be activated via a wired remote, and were thus used on weapons launched by aircraft. |
| | | Featured a six-digit switch, and allowed for only limited code attempts before lockout. Such behavior was pioneered in some late model category B PALs. |
| | | All the features of the previous generation, but also allowed for the input of multiple types of codes, including ones that could set the device to a training mode, or disable the weapon entirely. |
| | | Expanded the code length to 12 digits, and disabled the weapon in addition to lockout after a series of failed code entry attempts. They also include the ability to control the magnitude of the nuclear reaction (the so-called dial-a-yield feature) and an emergency stop.[18] |
The growing number of nuclear-armed states concerned the United States government for reasons similar to the original impetus for PALs. Thus, since the 1960s, the US has offered its own PAL technologies to other nuclear powers. The US considered this a necessary step: if the technology were kept secret, it would only be half as effective as possible, since the other power in a conflict might not have such safety measures.
In the early 1970s, France was an early recipient of United States assistance on this critical element of nuclear security. The Nuclear Non-Proliferation Treaty (NPT) went into effect in 1970 and precluded treaty members (including the US) from directly disseminating technology related to nuclear weapons development or enhancement. In order to get around this prohibition, the US developed a legal trick: "negative guidance". French nuclear scientists would regularly brief US scientists on French developments in the field of PALs, and the US scientists would tell their French counterparts when they were not on the right track. In 1971, the US also offered its technology to the Soviet Union, which developed a similar system.
In the early 1990s, the People's Republic of China requested information to develop its own PALs.[19] The Clinton administration believed that to do so would give too much information to the Chinese about American weapon design, and therefore, refused the request.
Following the dissolution of the Soviet Union, Ukraine had on its territory the world's third largest nuclear weapons stockpile.[20] While Ukraine had physical control of the weapons, it did not have operational control of the weapons as they were dependent on Russian-controlled electronic permissive action links and the Russian command-and-control system. In 1994 Ukraine agreed to the destruction of the weapons, and to join the NPT.[21] [22]
In 2007, the UK government revealed that its nuclear weapons were not equipped with permissive action links. Instead, the UK's nuclear bombs to be dropped by aircraft were armed by inserting a key into a simple lock similar to those used to protect bicycles from theft. The UK withdrew all air-launched bombs in 1998.[23]
Detailed information about PAL systems design and their use is classified, although these mechanisms have been offered to Pakistan[24] for protection of their nuclear weapons.[25] In the end, the US decided that it could not do so for legal reasons; the Pakistanis were also concerned that such technology would be sabotaged by a "kill-switch" that the US could operate. However, many experts in the field of nuclear technology in the US government supported the publication of the PAL system because they considered Pakistan's arsenal as the world's most vulnerable to abuse by terrorist groups.
In November 2007, The New York Times revealed that the US had invested $100 million since 2001 in a secret program to protect Pakistan's nuclear arsenal. Instead of transferring PAL technology, the US provided helicopters, night vision and nuclear detection devices, as well as training to Pakistani personnel in order to prevent the theft or misuse of Pakistan's nuclear material, warheads, and laboratories.[25]