Matt Blaze's
Science, Security, Curiosity
Notes from the No Lone Zone
A computer scientist looks at ICBM security.

If you can climb a fifteen foot ladder and fit through a two foot diameter hole, you can, with a bit of advance planning, take an extensive "top-to-bottom" tour of a Titan II ICBM launch complex, complete with missile silo and missile. Best of all, you no longer have to trespass or join the Air Force to do it.

And so I just returned from Sahuarita, AZ and the Titan Missile Museum, a place known during most of the cold war as SMS Launch Site 571-7. I spent the better part of the day beneath the surface of the earth, part of a group of six hardy nuclear tourists under the direction of Lt. Col. Chuck Smith (USAF, retired, a former "missileer" at the site), exploring the nuts, bolts and welds of Armageddon.

At the peak of the cold war, there were over 1,000 nuclear missiles in buried silos located throughout sparsely populated areas of the continental United States, all fueled and ready to be launched toward the Soviet Union on a few minutes' notice. From 1963 through 1984, this included 54 Titan II missiles at sites in Arizona, Arkansas and Kansas, each equipped with a W-53 warhead capable of delivering a nine megaton thermonuclear yield. Nine megatons is horrifically destructive even by the outsized standards of atomic bombs, capable of leveling a good-sized city in a single blast. And the Soviets had at least as many similar weapons aimed right back at us.

How did we keep from blowing ourselves up for all those years?

Intercontinental ballistic missiles like the Titans were the chief instruments of MAD, the cold war doctrine of mutually assured destruction. With enough megatons at our collective disposal, we could obliterate them and they could obliterate us, and so, we all hoped, neither would dare try. MAD may well be the most perfectly evocative acronym in the English language, but for 40 years, it actually seemed to work. Leaders on both sides evidently knew a Nash equilibrium when they saw one.

But if MAD results in a stable balance of power, it also harbors a Strangelovian paradox. The threat of swift and total retaliation, the theory goes, has to be credible and definite -- each side has to be willing and able to launch a devastating counter-attack at the first indication of aggression by the other. It must therefore be fast and easy to launch nuclear missiles, even after the normal command structure has been destroyed in a surprise attack. But the other side's weapons are on the same hair-trigger response, and so even a single missile -- authorized or not -- has the capacity to set off a chain of events that could very well bring about the end of civilization. Under MAD, mistakes and misuse involving nuclear weapons become not just terrible, but unthinkable.

MAD keeps us safe, in other words, only if attacking with nuclear weapons is reflexively easy on the one hand and yet impossibly difficult on the other.

The control of strategic nuclear weapons can thus be considered an extreme case study in one of the most difficult -- and in this case most dramatic -- tradeoffs in designing secure systems: balancing high availability with strong access control. Less dire versions of this problem arise in far more mundane and familiar settings. Consider, for example, balancing the need to keep files confidential with encryption against the need to ensure that we can still read them ourselves even if we lose the keys. And so as a student of computer security, I was especially interested to see first hand how this most high stakes of control systems worked.
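The availability-versus-access-control tension described above can be made into a tunable parameter rather than an either/or choice. The following is an added example, not code from this essay or from any Titan system: a threshold (Shamir) secret-sharing scheme splits an encryption key into n shares so that any k of them recover it and fewer than k reveal nothing. Setting k = n is strict two-person (or n-person) control, where losing one share means losing the key; setting k < n buys back the ability to recover after a loss at the cost of making a conspiracy of k holders sufficient. The field prime, the 256-bit sample key and the 3-of-5 parameters are assumptions chosen for the example.

```python
import secrets

# 2^521 - 1 is a Mersenne prime, large enough that a 256-bit key is a single
# field element with room to spare. (Example constant, not from the essay.)
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... modulo PRIME (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: bytes, threshold: int, share_count: int):
    """Split `secret` into `share_count` shares, any `threshold` of which recover it.

    The secret is the constant term of a random polynomial of degree threshold-1;
    each share is a point (x, f(x)) on that polynomial. threshold == share_count
    is strict n-person control; threshold < share_count trades some of that
    strictness for availability when shares are lost.
    """
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret does not fit in the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    With at least `threshold` distinct shares this is the secret; with fewer it
    is a uniformly random field element that carries no information about it.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_key(shares, key_len: int) -> bytes:
    """Convert a recovered field element back into a key of key_len bytes."""
    value = recover_secret(shares)
    if value >= 1 << (8 * key_len):
        # Almost certainly fewer than `threshold` shares were supplied.
        raise ValueError("recovered value is not a %d-byte key" % key_len)
    return value.to_bytes(key_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample: a 256-bit file-encryption key
    shares = split_secret(key, threshold=3, share_count=5)
    assert recover_key(shares[:3], 32) == key                       # any 3 of 5 suffice ...
    assert recover_key([shares[0], shares[2], shares[4]], 32) == key
    assert recover_secret(shares[:2]) != int.from_bytes(key, "big")  # ... 2 reconstruct nothing useful
    print("3-of-5 recovery ok; 2 shares do not reconstruct the key")
```

The two knobs map directly onto the essay's tradeoff: raising the threshold toward n strengthens access control (more people must cooperate), while raising n above the threshold preserves availability when a share is lost or a holder is unreachable. In practice the shares would be held by different people, as the Titan launch officers each held their own padlock key.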

The most prominent security mechanism at the Titan site, aside from the multiple layers of thick blast-proof entry doors and the fact that the entire complex is buried underground, was procedural: almost all activities required two person control. Everywhere outside of the kitchen, sleeping quarters and toilet were "no lone zones" where a second person had to be present at all times, even for on-duty members of the launch crews. Stenciled signs served to remind us when we were in "SAC TWO MAN POLICY MANDATORY" areas (though missile crews that included women presumably could get by without both people literally being men).

Two-person control is also used outside of the military and nuclear weapons. Variants of the procedure can be found in banks, casinos, and other places where even the most trusted staff might occasionally yield to temptation. Large financial transactions require a second signature, bank vaults require the entry of two combinations, and fiddling with a missile requires that someone else be keeping an eye on you at all times.

Many organizations that require two person control also employ a second procedural safeguard: making it difficult to predict who the second person will be. Employees in positions of trust can be rotated through different positions and daily jobs assigned at the last minute, limiting the opportunities for co-workers to conspire to exploit their access together.

This safeguard did not appear to have been used in the Titan program. Missile crews, who worked 24 hour shifts, typically trained together, scheduled shifts and time off together, and worked in the same job assignments with each other for months and even years on end. While launching (or refusing to launch) an ICBM is hardly in the same category as robbing a bank, it seems at least plausible that the effects of "groupthink" could make close co-workers susceptible to the same temptations, weaknesses and irrationalities as one another. On the other hand, maintaining and launching a nuclear missile is a complex enterprise highly dependent on fast-paced teamwork, and so presumably the Air Force wanted to err on the side of having cohesive teams that worked well together.

Almost every critical procedure required the active participation of at least two people, which was sometimes enforced by the equipment itself. The "Emergency War Orders" (EWO) safe, for example, which contains the launch keys and codes, is locked not just by a single combination, but also by two padlocks, one belonging to each launch officer.

Most of the physical security mechanisms inside the complex are not especially robust or heavy duty. The EWO safe is typical of this; it appears to be a standard "Class 2" GSA fireproof file container (the one shown at right was made by Diebold) with eyebolts welded to the front. Class 2 safes are rated to withstand forced entry for just five minutes (although actually getting one open in that time would be no easy task; see this paper [pdf link] for a discussion of safe ratings). The padlocks are of the ordinary, commercial-grade variety, easily manipulated by hand or forced open with small tools. The security mechanisms once past the exterior blast doors appear to have been designed to deter individual malfeasance in the presence of other trusted people, not to resist a sustained military attack or sabotage effort. As with many computers and networks, the focus was on strong perimeter security, with far weaker mechanisms protecting against insider attack.

Once the complex was fully "on alert", launching the missile took only a few minutes following a thirteen step checklist [pdf]. The procedure culminates in what is perhaps the most iconic example of two person control in the public imagination: the officers must simultaneously operate two keyed switches, located on consoles ten feet apart, in order for their missile to fire.
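The dual-key switch is the physical form of a pattern that appears in software as "four-eyes" or dual-authorization approval. The following is an added example, not code from this essay or from the Titan system, modelling the gate as a small state machine with the properties the ritual is meant to enforce: two different operators from an authorized roster, on two different consoles, acting within a short simultaneity window. The operator and console names, the timestamps and the 2-second window are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class KeyTurn:
    """One operator turning one console key at one moment (seconds since epoch)."""
    operator: str
    console: str
    at: float


@dataclass
class DualControlGate:
    """Fires only when two different authorized operators turn keys on two
    different consoles within `window_s` seconds of each other."""
    authorized: frozenset
    consoles: frozenset
    window_s: float = 2.0
    pending: Optional[KeyTurn] = None
    log: List[str] = field(default_factory=list)

    def _record(self, verdict: str, turn: KeyTurn) -> str:
        # Every attempt, accepted or not, goes to the audit trail.
        self.log.append(f"{turn.at:.1f} {turn.operator}@{turn.console}: {verdict}")
        return verdict

    def turn_key(self, turn: KeyTurn) -> str:
        """Return 'PENDING', 'FIRE', or 'REJECTED: <reason>' for this key turn."""
        if turn.operator not in self.authorized:
            return self._record("REJECTED: operator not authorized", turn)
        if turn.console not in self.consoles:
            return self._record("REJECTED: unknown console", turn)

        first = self.pending
        if first is not None and turn.at - first.at > self.window_s:
            # The first key was turned too long ago; it no longer counts.
            self._record("EXPIRED", first)
            first = self.pending = None

        if first is None:
            self.pending = turn
            return self._record("PENDING", turn)

        if turn.operator == first.operator:
            return self._record("REJECTED: same operator as first key", turn)
        if turn.console == first.console:
            return self._record("REJECTED: same console as first key", turn)

        self.pending = None
        return self._record("FIRE", turn)


def run_scenario() -> List[str]:
    """Constructed scenario: one legitimate simultaneous turn, then the ways it fails."""
    gate = DualControlGate(authorized=frozenset({"cmdr", "deputy"}),
                           consoles=frozenset({"console-1", "console-2"}))
    turns = [
        KeyTurn("cmdr", "console-1", 100.0),     # PENDING
        KeyTurn("deputy", "console-2", 100.8),   # FIRE: two people, two consoles, 0.8 s apart
        KeyTurn("cmdr", "console-1", 200.0),     # PENDING
        KeyTurn("cmdr", "console-2", 200.5),     # REJECTED: one person cannot be both
        KeyTurn("deputy", "console-2", 210.0),   # PENDING: first key expired, start over
        KeyTurn("intruder", "console-1", 210.3), # REJECTED: not on the crew roster
    ]
    return [gate.turn_key(t) for t in turns]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The distinct-operator and distinct-console checks are what make the gate a two-person control rather than a two-key control; the expiry window is what keeps a key turned earlier in the day from silently pre-authorizing a later one. As the next paragraph of the essay observes about the real consoles, a check like this is only as strong as whatever keeps a single person from reaching the wiring behind it, so in a software setting the same holds for the host the gate runs on and the identities it trusts.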

The security of the dual-key launch ritual may be largely symbolic, however. A lone individual with unimpeded access to the control center would not likely find the inability to turn the keys to be a significant barrier to launching the missile. In particular, the launch console maintenance panels appear to be fastened in place with ordinary screws, and so it would be relatively easy to gain access to the electrical contacts of the keyswitches and bypass the keys with a short length of wire.

There were other safeguards against unauthorized firing besides the two switches, some of which were added after the Titan IIs were first deployed. In the early 1970's, a tamper-resistant locking "butterfly valve" was added to the missile's fuel lines. This valve, which must open in order for a launch to occur, is unlocked by dialing in a six character alphabetic code stored in the EWO safe.

It is unclear exactly what relationship the butterfly valve lock code has to the Permissive Action Link (PAL) codes that control US nuclear warheads. There did not appear to be any provision in the Titan II launch procedure for entering a PAL code, nor any mechanism in the control center for doing so. The butterfly valve controlled only the launch of the missile, not the arming of the warhead, so it was not itself a PAL, although it is still a "use control system".

Most likely, the W-53 warheads used in the Titan IIs were not equipped with PALs at all, relying on the missile's butterfly valve lock as their sole use control mechanism. Another possibility is that the PAL code was entered into the warhead when it was installed in the missile or placed in the silo. Still another possibility is that the warhead's PAL code and the missile's butterfly valve code were always set to the same value, with the mechanism sending the butterfly code to the missile fuel system also sending the same code to the warhead's PAL. (The latter seems unlikely, not least because the declassified literature generally refers to PAL codes as being numeric, while the Titan butterfly valve code is clearly alphabetic).

PALs or not, all of the information required to launch the missile was available within the complex itself. All codes and keys were kept in the EWO safe, allowing the two officers to initiate a launch themselves as soon as they received the order to do so. (According to some reports, current missile installations include a mechanism that requires multiple sites to "vote" before a launch can take place, but that does not appear to have been part of the Titan II system.)

Launch orders (and other communication with the outside world) were received primarily via a variety of radio links, mostly using VHF, shortwave and low frequency signals that can cover long distances without relying on external infrastructure (such as satellites), which might be destroyed during a war.

Encrypted "Emergency Action Messages" were (and still are) periodically broadcast to ICBM sites. In the event of nuclear war, these low-bandwidth messages would authorize particular missile sites to launch as well as identify which of their pre-loaded targets should be used. Beyond receiving orders, the sites could largely operate autonomously.

Titan missiles had three pre-loaded targets, one of which was selected during the launch. If the target locations were to be changed from one of these, new coordinates were loaded into the guidance system through punched paper tape reels, which were delivered to the sites by courier.

Notably, the precise missile destinations were not known to the launch crews, whose roles in targeting were limited to selecting "Target 1", "Target 2" or "Target 3" and setting whether the warhead would detonate as an airburst or a groundburst. (Update: According to a former Titan crew member who emailed me after this was first posted, at certain bases it was possible for crews to find out where their targets were, though not all did.)

The basic "combat launch crew" of a Titan II site consisted of just four people, two missile control officers and two enlisted airmen. They stayed together underground for their entire 24 hour shifts, working around the clock during alerts and drills.

There was enough food and water inside the complex to last four people about 30 days, and enough air for a bit less than that. If there was a launch, of course, it was very likely that the area near the silo would be obliterated, poisoned by fallout. Realistically, ICBM crews stand little chance of surviving the aftermath of a nuclear war.

The former missileers I spoke with told me that they are often asked whether they really would have turned their keys if ordered to do so. (No one has ever actually been put to the test on this point, since no wartime launch order has yet been issued.) All were thoughtful, smart people, well aware of the effects of nuclear weapons. And none had any doubt about what they would do. Based on what I now know about the process of launching an ICBM, I have no trouble imagining how that could be.

The entire launch process is over within a few minutes, during which everyone is busily following complex procedures in which they have drilled and trained to the point of reflex. Every member of the crew has well-defined roles in one checklist and the next, with no provision (or time) for individual preferences. There's no Launch Checklist Step 4a: "Pause and reflect on the enormity of what happens next".

It's impossible not to be impressed by the magnitude of the engineering effort that went into building and running the Titans. Everything in the underground launch complex is suspended by a system of springs that can absorb the shock of a nearby nuclear blast and of the launch itself. The 140 ton, 103 foot long missile rests near the bottom of its silo on a surprisingly thin concrete ring anchored by four even more surprisingly small shock absorbers. Jets at the bottom of the silo spray water at the exhaust flames during a launch to create steam, which dampens the massive sound and vibration created by the engines, preventing damage to the missile surface as it leaves the silo. A giant wedge positioned beneath the engine vents, 150 feet below ground, deflects the superheated exhaust and flame away from the missile and into vertical ducts that open to the surface. The steel and concrete silo lid, which weighs 740 tons, slides open in less than 20 seconds. The inside of the silo is lined with a system of access doors and retractable platforms, allowing routine maintenance of the missile even while it stood in the silo.

Most impressively to me, all 54 launch sites were built in parallel, without any full prototype having been completed or tested before the work was started. And all of this happened in the early 1960's, without the benefit of microprocessors or the Internet.

Site 571-7, like the rest of the Titan II program, was taken out of service in the early 1980's. Most of the Titan missiles have been destroyed and their launch complexes stripped, razed and left to the elements. The SALT treaties and the end of the cold war have greatly reduced (but not completely eliminated) nuclear ICBMs. To comply with treaty obligations, 571-7's missile was rendered inoperative by cutting holes in its airframe. But otherwise, the site and its missile have been preserved much as they were at the coldest of the cold war, with the addition of a visitor's center and gift shop.

It's worth asking whether displaying a terrible artifact of 40 years on the edge of oblivion for all to see really makes good sense. The author Barbara Kingsolver visited the site after it first opened for public tours and concluded that it doesn't. "If a missile museum," she wrote in her essay In the Belly of the Beast, "can do no more than stop up our mouths with either patriotic silence or desperation, it's a monument the living can't afford. I say slam its doors for good. Tip a cement truck to the silo's gullet and seal in the evil pharaoh..."

I disagree strongly, and not just because I was grateful for the chance to see this horrible and beautiful place for myself and to meet the people who served there. We owe it to them to listen to their stories and to ourselves to learn from them.

But more importantly, a few hundred of the successors to the Titans, the "Minuteman III" missiles, remain active in silos throughout the northern US, run by crews and following procedures essentially similar to those here. ICBMs are not yet history, even if the original motivation for building them now is. The technologies -- and effects -- of nuclear weapons exist on a scale so far removed from ordinary human experience that it's almost impossible to discuss nuclear policy in anything but wildly abstract terms. Being able to see an ICBM and the various machinery that sends it toward its target may not make the complex policy issues completely understandable, but it's a step in that direction. Seeing it up close moves things that much closer to the human scale.

Looking up from the bottom of the silo at the little crack of sunlight 150 feet above, an obvious fact hit home for me. I realized at that moment that these things are actually aimed somewhere, somewhere not at all abstract.

I took all the photos on this page during my visit to the Titan Missile Museum on 12 December 2009 (mostly with a Nikon D3s camera and a Zeiss 21mm/2.8 ZF.2 Distagon lens); all are available under a Creative Commons license. High resolution versions can be found on the Flickr pages to which they link. I took more photos while I was there; many are available in this Flickr set.

Note on sources: Most of the technical information about Titan procedures here is based on my discussions with former missileers at the Titan Museum, but any errors are likely mine. I also relied on two excellent books: Chuck Penson's Titan II Handbook and Chuck Hansen's Swords of Armageddon.