Permissive Action Link
A Permissive Action Link (PAL) is a security device for nuclear weapons. Its purpose is to prevent unauthorized arming or detonation of the nuclear weapon. The United States Department of Defense definition is:
A device included in or attached to a nuclear weapon system to preclude arming and/or launching until the insertion of a prescribed discrete code or combination. It may include equipment and cabling external to the weapon or weapon system to activate components within the weapon or weapon system.
The earliest PALs were little more than locks introduced into the control and firing systems of a nuclear weapon, that would inhibit either the detonation, or the removal of safety features of the weapon. More recent innovations have included encrypted firing parameters, which must be decrypted to properly detonate the warhead, plus anti-tamper systems which intentionally mis-detonate the weapon, destroying it without giving rise to a nuclear explosion.
- 1 History
- 2 Features
- 3 Versions
- 4 Usage by other states
- 5 See also
- 6 References
- 7 External links
Permissive Action Links were developed in the United States over a gradual process from the first use of atomic weapons to the early 1960s. Importantly, in 1953 the United States Atomic Energy Commission and the Department of Defense signed the Missiles and Rockets Agreement, which paved the way for the development and implementation of PALs. Certain national laboratories, under the auspices of the AEC, would develop and produce nuclear weapons, while the responsibility for the use and deployment remained with the military. The laboratories were also free to conduct their own research in the field of arms control and security. The thinking behind this was that if the government would ever be interested in such a security device, the research and development of prototypes would already be well advanced. At the beginning of the 1960s, the desire for the usage of such a system grew for both political and technological reasons.
Newer nuclear weapons were simpler in their operation and were produced en masse and were less cumbersome to arm and use than previous designs. Accordingly, new controls were necessary to prevent their unauthorized use. As the Cold War came to a head in the 1960s, the government felt it best not to leave the use of nuclear weapons in the hands of possibly-renegade generals, including the commander of Strategic Air Command (SAC). Without Permissive Action Links, nuclear weapons were effectively under the independent command of a number of generals.
I used to worry about the fact that [General Power] had control over so many weapons and weapon systems and could, under certain conditions, launch the force. Back in the days before we had real positive control [i.e., PAL locks], SAC had the power to do a lot of things, and it was in his hands, and he knew it.
In order to protect its NATO allies, the United States had stationed various nuclear weapons overseas; these weapons were thus at least under the partial control of the hosting allied state. This was especially concerning to the United States Congress, as this lack of control was in violation of federal law. Added to this was the fact that some of the allies were considered potentially unstable—particularly West Germany and Turkey. There was considerable concern that in one of these countries the instructions of the civilian leadership of the host country could overrule the military. In addition, the U.S. realized that in the event of war, parts of West Germany would be overwhelmed early on, and nuclear weapons stationed there could fall into the hands of the Soviet Union.
For a long time the U.S. military resisted the use of PALs. It feared the loss of independence and feared malfunction, which could put warheads out of action in a time of crisis. But the advantages of PALs outweighed the disadvantages: thanks to the PALs weapons were able to be distributed to a greater extent in Europe, so as to prevent a rapid and selective destruction or conquest by the Soviet bloc, while still retaining U.S. control over the farther-flung weapons.
Development and dissemination
The precursors of Permissive Action Links were simple mechanical combination locks that were set into the control systems of nuclear weapons, such as the Minuteman ICBM. There they could perform different functions: some blocked the cavity through which the nuclear materials were shot to create a reaction; other locks blocked circuits; and some simply prevented access to the control panel. For testing, some of these mechanisms were installed during 1959 in weapons stationed in Europe.
The work on PAL prototypes remained at low levels until 1960. Sandia National Laboratories (SNL) successfully created a number of new combination locks that were adaptable to different types of weapons. In the spring of 1961, there was a series of hearings in Congress, where Sandia presented the prototype of a special electro-mechanical lock, which was then known still as a "Proscribed Action Link." The military leadership, however, soon realized that this term had negative connotations for the use of weapons by the officer corps (proscribed = "prohibited"), and changed the meaning of PAL to "Permissive Action Link" (permissive = "allowing / tolerating").
In June 1962, President John F. Kennedy signed the National Security Action Memorandum number 160. This presidential directive ordered the installation of PALs in all U.S. nuclear weapons in Europe. All other U.S. nuclear weapons were excluded at that time. The conversion was completed September 1962 and cost $23 million ($191 million in 2018 dollars).
According to nuclear safety expert Bruce G. Blair, the US Air Force's Strategic Air Command worried that in times of need the codes for the Minuteman ICBM force would not be available, so it quietly decided to set the codes to 00000000 in all missile launch control centers. Blair said the missile launch checklists included an item confirming this combination until 1977. A 2014 article in Foreign Policy said that the US Air Force told the United States House Committee on Armed Services that "A code consisting of eight zeroes has never been used to enable a MM ICBM, as claimed by Dr. Bruce Blair."
The complete conversion to PAL systems was relatively slow. In 1974, U.S. Defense Secretary James Schlesinger found that a variety of tactical nuclear weapons were still not fitted with Permissive Action Links, even though the technology had been available for some time. It took another two years until all the tactical nuclear weapons were fully equipped with PALs. In 1981, almost 20 years after the invention of PALs, just over half of U.S. nuclear weapons were still equipped only with mechanical locks. It took until 1987 until these were completely replaced.
Modernization and the present
Over the years the Permissive Action Links have been continuously maintained and upgraded. In 2002, PALs on older B61 nuclear bombs were replaced and upgraded with new systems to improve reliability and security, as a part of extending the weapons' service life to at least 2025.
Code Management System
The year 1995 saw the development of the Code Management System (CMS). The CMS has simplified the control and logistics for staff and improved the flexibility and speed in deploying and arming weapons. New codes can be used to recode, lock, and manage the weapons, while the secrecy and validity of the possible launch orders is still ensured. In total, CMS consists of fourteen custom products (nine software and five hardware products). The software products were developed by Sandia National Laboratories while the hardware was created by the National Nuclear Security Administration.
The CMS was fully operational for the first time in November 2001. A part of the system, a special cryptographic processor fitted into the weapons in 1997 had a potential Year 2000 problem. By the spring of 2004, all PAL systems were equipped with the Code Management System. It is thus currently the general foundation for future hardware and software improvements to Permissive Action Links.
Permissive Action Links are powered by low-maintenance radioisotope generators. Instead of a conventional battery, these generators produce electricity based on the heat evolved from the radioactive decay of plutonium-238. Although half-life of 238Pu is 87.7 years, these generators have shorter lifespans. This is due to the pressurization of the generator from helium produced by the alpha decay of the plutonium fuel.
PALs are also linked directly or indirectly with a number of security measures, which together form a comprehensive security package. In general, elements of PAL systems are located deep within the nuclear device. This makes it almost impossible to bypass the system.
"Bypassing a PAL should be, as one weapons designer graphically put it, about as complex as performing a tonsillectomy while entering the patient from the wrong end."— Peter D. Zimmerman, nuclear physicist and weapons inspector
PAL devices have been installed on all or nearly all nuclear devices in the US arsenal (except for those deployed by the U.S. Navy), including the Minuteman ICBM, MGM-13A Mace Tactical Ballistic Missile, CGM-13B Mace Tactical Ballistic Missile, Sergeant, Pershing, and WAC Corporal missiles as well as the Nike-Hercules, Honest John rockets, the Davy Crockett system, and artillery-launched howitzer rounds.
For example, on a ballistic missile submarine (SSBN), both the commanding officer (CO) and executive officer (XO) must agree that the order to launch is valid, and then mutually authorize the launch with their operations personnel. Instead of another party confirming a missile launch as in the case of land-based ICBMs, the set of keys is distributed among the key personnel on the submarine and kept in safes (each of these crew members has access only to his keys), some of which are locked by combination locks. Nobody on board has the combination to open these safes; the unlock key comes as a part of the launch order from the higher authority.
In the case of Minuteman missile launch crews, both operators must agree that the launch order is valid by comparing the order's authorization code against a code from a Sealed Authenticator (a special sealed envelope that holds a code). The Sealed Authenticators are stored in a safe that has two separate locks so a single crew member cannot open the safe alone. Both crew members must simultaneously turn the four launch keys. An additional safeguard is provided by requiring the crew in another Launch Control Center to do the same for the missiles to be launched.
Another part of the PAL design is the inclusion of "stronglinks" and "weaklinks." These words, which come from the proverb "a chain is only as strong as its weakest link", ensure resilience to accidental activation through damage. The stronglinks include the ruggedization of some components and inclusion of insensitive munitions so that they will not be circumvented by fire, vibration, or magnetic fields, leaving the PAL vulnerable to bypass after such damage. On the other hand, activation-critical electronics within the weapon, such as capacitors, are selected so that they will fail before the safety device in the event of damage, ensuring that the weapon fails safe.
Critical signal detection
Nuclear weapons will only respond to a specific arming signal. This is passed to the weapon by a unique signal generator located outside the weapon. This output is specific and well-defined, precluding approximation, emulation, noise, or interference from being accepted as a false positive.
A further safeguard is the Environmental Sensing Device (ESD). It determines through environmental sensors whether the weapon is operating under expected parameters. For example, on an ICBM, a nuclear warhead would first be exposed to a strong acceleration, and then a period of free fall. The ESD determines the external parameters such as acceleration curve, temperature and pressure and only activates the weapon when these external effects occur in the correct order and fall within specific parameters. So, should unauthorized personnel succeed in stealing a weapon, they could not activate it as long as a functional launch mechanism was not also stolen along with it. Of course, without the PAL codes they would still not succeed.
The conventional explosives needed to start the chain reaction are tailored to the characteristics of the fissile material in the core of the weapon. If the detonation does not occur exactly as planned, such as in the case of a misfire, a nuclear reaction is unlikely to occur—the explosion will be no greater than the amount of conventional explosive (although radioactive material—the unreacted nuclear fuel—may be dispersed). Computer simulations have assisted in calculating the likelihood of a chain reaction still occurring in a misfire. The odds of a nuclear chain reaction after a misfire of the conventional explosives is estimated to be one in one million. The likelihood of a full-yield nuclear explosion is estimated to be even lower, at one in one billion.
The weapon renders itself inoperable if an activation code is entered incorrectly multiple times. This precludes attempts to bypass the PAL codes through trial and error. The weapon must be returned to a maintenance facility in order to work again.
Over the years the design and feature set of PALs has increased, as has the length of the access code. US-manufactured PALs are divided into five categories; however, the earliest PALs were never assigned a category letter.
|–||3–4||Combination locks with a three-number sequence. Later versions used five numbers, so that the access code could be divided between two people, each of whom would only know half of the sequence with a commonly known number in between.|
|A||4||Electromechanical switches designed for ballistic missiles. The four-digit code was entered into the weapon using a portable electronic device.|
|B||4||Essentially identical in function to Category A, but designed with newer technology. Additionally, they could be activated via a wired remote, and were thus used on weapons launched by aircraft.|
|C||6||Featured a 6-digit switch, and allowed for only limited code attempts before lockout. Such behavior was pioneered in some late model Category B PALs.|
|D||6||All the features of the previous generation, but also allowed for the input of multiple types of codes, including ones that could set the device to a training mode, or disable the weapon entirely.|
|F||12||Expand the code length to 12 digits, and disable the weapon in addition to lockout after a series of failed code entry attempts. They also include the ability to control the magnitude of the nuclear reaction (the so-called dial-a-yield feature) and an emergency stop.|
Usage by other states
The increase in the number of nuclear-armed states was a similar cause for concern for the United States government for reasons similar to the original impetus for PALs. Thus, since the 1960s, the US has offered its own PAL technologies to other nuclear powers. The US considered this a necessary step: if the technology were kept secret, it would only be half as effective as possible, since the other power in a conflict might not have such safety measures.
In the early 1970s, France was an early recipient of United States assistance on this critical element of nuclear security. The Nuclear Non-Proliferation Treaty (NPT) went into effect in 1970 and precluded treaty members (including the US) from directly disseminating technology related to nuclear weapons development or enhancement. In order to get around this prohibition, the US developed a legal trick: "negative guidance". French nuclear scientists would regularly brief US scientists on French developments in the field of PALs, and the US scientists would tell their French counterparts whether they were on the right track. In 1971, the US also offered its technology to the Soviet Union, which developed a similar system.
In the early 1990s, the People's Republic of China requested information to develop its own PALs. The Clinton administration believed that to do so would give too much information to the Chinese about American weapon design, and therefore, refused the request.
Following the dissolution of the Soviet Union, Ukraine had on its territory the world's third largest nuclear weapons stockpile. While Ukraine had physical control of the weapons, it did not have operational control of the weapons as they were dependent on Russian-controlled electronic Permissive Action Links and the Russian command and control system. In 1994 Ukraine agreed to the destruction of the weapons, and to join the NPT.
In 2007, the UK Government revealed that its nuclear weapons were not equipped with Permissive Action Links. Instead, the UK's nuclear bombs to be dropped by aircraft were armed by just inserting a key into a simple lock similar to those used to protect bicycles from theft. The UK withdrew all air-launched bombs in 1998. The current UK Trident warheads can also be launched by a submarine commander with the support of his crew without any code being transmitted from the chain of command.
Detailed information about PAL systems design and their use is classified, although these mechanisms have been offered to Pakistan for protection of their nuclear weapons. In the end, the US decided that it could not do so for legal reasons; the Pakistanis were also concerned that such technology would be sabotaged by a "kill-switch" that the US could operate. However, many experts in the field of nuclear technology in the US government supported the publication of the PAL system because they considered Pakistan's arsenal as the world's most vulnerable to abuse by terrorist groups.
Whether it's India or Pakistan or China or Iran, the most important thing is that you want to make sure there is no unauthorized use. You want to make sure that the guys who have their hands on the weapons can't use them without proper authorization.— Harold M. Agnew, former director, Los Alamos National Laboratory
In November 2007, The New York Times revealed that the US has invested $100 million since 2001 in a secret program to protect Pakistan's nuclear arsenal. Instead of transferring PAL technology, the US provided helicopters, night vision and nuclear detection devices, as well as training to Pakistani personnel in order to prevent the theft or misuse of Pakistan's nuclear material, warheads, and laboratories.
- Emergency Action Message
- Special Weapons Emergency Separation System
- Nuclear football
- Insensitive munitions
- "Nuclear Command and Control". Security Engineering: A Guide to Building Dependable Distributed Systems (PDF). Ross Anderson, University of Cambridge Computing Laboratory. Retrieved April 29, 2010.
- Richard Rhodes: Dark Sun: The Making of the Hydrogen Bomb. Simon & Schuster, New York 1996, ISBN 978-0-684-81690-6.
- Peter D. Feaver: Armed Servants: Agency, Oversight, and Civil-Military Relations. Harvard University Press, Cambridge 2005, ISBN 978-0-674-01761-0, S. 151.
- Peter Stein, Peter Feaver: Assuring Control of Nuclear Weapons: The Evolution of Permissive Action Links. University Press of America, Lanham 1989, ISBN 978-0-8191-6337-0.
- Weapon Dispersal without Fear of Unauthorized Use. In: Sandia Lab News, Family Day Special Edition, Bd. 38 Nr. 20, 1986, S. 4.
- Federal Reserve Bank of Minneapolis Community Development Project. "Consumer Price Index (estimate) 1800–". Federal Reserve Bank of Minneapolis. Retrieved January 2, 2019.
- "Keeping Presidents in the Nuclear Dark (Episode #1: The Case of the Missing "Permissive Action Links") - Bruce G. Blair, Ph.D". Cdi.org. February 11, 2004. Archived from the original on May 11, 2012. Retrieved April 29, 2010.
- Lamothe, Dan (2014-01-21). "Air Force Swears: Our Nuke Launch Code Was Never '00000000'". Foreign Policy. Retrieved 24 January 2017.
- Thomas C. Reed: At the Abyss: An Insider’s History of the Cold War. Presidio Press, New York 2005, ISBN 978-0-89141-837-5.
- Grossman, Elaine M. (September 26, 2008). "U.S. Air Force Might Modify Nuclear Bomb". GlobalSecurity.org.
- Hans M. Kristensen: U.S. Nuclear Weapons in Europe. Natural Resources Defense Council, New York 2005, S. 20–21. (PDF; 4,9 MB, accessed February 4, 2009).
- Milliwatt Surveillance Program Ensures RTG Safety and Reliability. In: The Actinide Research Quarterly, Winter 1994. accessed February 4, 2009.
- Dan Caldwell, Peter D. Zimmerman: Reducing the Risk of Nuclear War with Permissive Action Links. In: Barry M. Blechman, David K. Boren (Eds.): Technology and the Limitation of International Conflict. Johns Hopkins Foreign Policy Institute, Washington, D.C. 2000, ISBN 978-0-941700-42-9.
- "Permissive Action Links". Retrieved April 19, 2016.
- Douglas C. Waller: Practicing For Doomsday
- David W. Plummer, William H. Greenwood: History of Nuclear Weapon Safety Devices. Sandia National Laboratories, Albuquerque 1998. Presented at the 34th AIAA/ASME/SAE/ASEE Joint Propulsion Conference, Cleveland, July 1998. (PDF; 1,3 MB, accessed September 23, 2010).
- Donald R. Cotter: "Peacetime Operations: Safety and Security." In: Ashton B. Carter, John D. Steinbruner, Charles A. Zraket (Eds.): Managing Nuclear Operations. Brookings Institution Press, Washington, D.C. 1987, ISBN 978-0-8157-1313-5.
- Sidney D. Drell: Addendum on Nuclear Warhead Safety. In: In the Shadow of the Bomb: Physics and Arms Control. American Institute of Physics, New York 1993, ISBN 978-1-56396-058-1.
- Thomas B. Cochran, William M. Arkin, Milton M. Hoenig: Nuclear Weapons Databook: Volume I - U.S. Nuclear Forces and Capabilities. Ballinger Publishing Company, Pensacola 1984, ISBN 978-0-88410-173-4.
- Steven M. Bellovin: Permissive Action Links, Nuclear Weapons, and the Prehistory of Public Key Cryptography. Department of Computer Science, Columbia University, April 2006. (PDF; 0.1 MB, retrieved on February 4, 2009).
- "Budapest Memorandums on Security Assurances, 1994". Council on Foreign Relations. December 5, 1994. Archived from the original on March 17, 2014. Retrieved March 2, 2014.
- William C. Martel (1998). "Why Ukraine gave up nuclear weapons : nonproliferation incentives and disincentives". In Barry R. Schneider, William L. Dowdy. Pulling Back from the Nuclear Brink: Reducing and Countering Nuclear Threats. Psychology Press. pp. 88–104. ISBN 9780714648569. Retrieved 6 August 2014.
There are some reports that Ukraine had established effective custody, but not operational control, of the cruise missiles and gravity bombs. ... By early 1994 the only barrier to Ukraine's ability to exercise full operational control over the nuclear weapons on missiles and bombers deployed on its soil was its inability to circumvent Russian permissive action links (PALs).
- Alexander A. Pikayev (Spring–Summer 1994). "Post-Soviet Russia and Ukraine: Who can push the Button?" (PDF). The Nonproliferation Review. 1 (3). doi:10.1080/10736709408436550. Retrieved 6 August 2014.
- "Programmes | Newsnight | British nukes were protected by bike locks". BBC News. November 15, 2007. Retrieved April 29, 2010.
- Sanger, David E. (2009). The Inheritance. London, UK: Bantam Press. p. 224. ISBN 978-0-593-06417-7.
- New York Times: U.S. Secretly Aids Pakistan in Guarding Nuclear Arms, Accessed on February 4, 2009.
- "Principles of Nuclear Weapons Security and Safety". Nuclearweaponarchive.org. October 1, 1997. Retrieved April 29, 2010.
- "Permissive Action Links". Cs.columbia.edu. Retrieved April 29, 2010.
- The JCAE and the Development of the Permissive Action Link
- Keeping Presidents in the Nuclear Dark
- Security Engineering, Chapter 11: Nuclear Command and Control, Ross Anderson, ISBN 0-471-38922-6
- "BBC News (video)". Retrieved April 29, 2010.
- The Dr. Strangelove scenario - a BBC Newsnight report featuring the lack of security features on the WE.177 (streaming video)