Schneier on Security
A blog covering security and security technology.
April 14, 2008
People and Security Rules
In this article analyzing a security failure resulting in live nuclear warheads being flown over the U.S., there's an interesting commentary on people and security rules:
Indeed, the gaff [sic] that allowed six nukes out over three major American cities (Omaha, Neb., Kansas City, Mo., and Little Rock, Ark.) could have been avoided if the Air Force personnel had followed procedure.
"Let's not forget that the existing rules were pretty tight," says Hans Kristensen, director of the Nuclear Information Project for the Federation of American Scientists. "Much of what went wrong occurred because people didn't follow these tight rules. You can have all sorts of rules and regulations, but they still won't do any good if the people don't follow them."
Procedures are a tough balancing act. If they're too lax, there will be security problems. If they're too tight, people will get around them and there will be security problems.
Posted on April 14, 2008 at 6:47 AM
The obvious suggestion to me would be to paint "LIVE NUKE" on the side in big letters. Then you'd know to be careful with them.
This is what frightens me the most:
1) Nuclear warheads and conventional weapons are stored close to each other and 2) Nukes are treated the same as disarmed missiles when it comes to verifying armament.
It's like 1) storing mineral water and muriatic acid bottles in the same cupboard and 2) if I take one bottle at random I assume it's mineral water.
If you want to work real security problems into that particular scenario, you can't avoid looking at all the unexplained "accidents" and "suicides" that took place just prior and immediately after the incident among the relevant USAF personnel.
Or you can, but that's its own problem.
I simply cannot believe that with all the processes for handling nukes, such things can happen innocently. I'm sure the only "failure" here was that someone noticed.
I still don't buy into the idea that this was an accident. I think it was a deliberate threat being made and the "accident" is just propaganda for the American people who'd be annoyed at our Administration pulling a nuclear stunt.
Point two in the article calls it "Human Error". I don't really see deliberate bypass of security procedures as an "error"; doesn't that fall more under the heading of negligence? Even if it becomes a routine to go around the policy, does that negate the fact that it's still a deliberate act?
One wonders how close they came to sending these munitions out for use in Iraq or Afghanistan.
The amount of "collateral damage" possible does not bear thinking about.
Not to play down the seriousness of this incident (which is very serious), but:
Without knowing anything about the specific weapons involved, my bet would be that these are not the kind of bombs that explode when you accidentally bump them into something (like, say, the ground when the airplane crashes). So the immediate danger was not that there would be a 60-Hiroshima explosion when the plane would crash, but probably something in the same ballpark as an average "dirty bomb". This, as we all know here, is not very dangerous at all in real numbers, but is more of a fear factor weapon.
Dig deeper and you'll find that's a conspiracy theory. Interesting to see it turn up in the Iranian media.
Agree with Jeroen, at the time I saw this as not a screaming-panic issue, but a procedural failure that's good to expose now, before something actually dangerous happens.
Articles like that linked above make much of it being flown over U.S. cities. During much of the cold war, /live/ (ready to drop on the Soviets) nuclear weapons were routinely flown. I live not far from a big strategic bomber base, and am sure nuke-carrying bombers flew over my house when I was younger. So what.
A number of cold-war era nuke bombers did crash, incidentally. Mostly without consequence, but periodically there was a bit of cleanup involved. There is essentially no chance of detonation. List of such accidents, and some other discussion:
> I saw this as not a screaming-panic issue
Especially not after the fact. As long as you're reasonably sure it's not going to happen again the next day, there's little point getting overwrought.
> A number of cold-war era nuke bombers did crash, incidentally. Mostly without consequence, but periodically there was a bit of cleanup involved.
I'd say the main worry is that if nobody knows what's on board, then in the (very unlikely) event of any kind of emergency, incorrect decisions might be made (such as where and how to dump the cargo and/or the plane), and necessary evacuations and cleanup wouldn't be ordered until later than would normally be the case.
So, it's more risky to have a plane in the air that nobody knows is carrying nukes, than one which is known to carry nukes. But the chance of a disaster has to be smaller than the chance of the plane going wrong at all, which itself is pretty small.
"You can have all sorts of rules and regulations, but they still won't do any good if the people don't follow them."
Much like constitutions.
To me, the strangest part of the story is that nuclear missiles look the same as non-nuclear ones, and they rely on signs to tell them which is which. It seems like an obvious and easy precaution would be to paint the nuclear missiles a bright and distinctive color, along with some warning language for good measure ("DANGER - NUCLEAR WARHEAD"). Not only would this reduce the chance of an initial sorting mistake, but it would make it more likely that someone will notice a mistake before the plane takes off.
Is there some security or military reason why you would want nuclear and non-nuclear weapons to look the same?
"Procedures are a tough balancing act. If they're too lax, there will be security problems. If they're too tight, people will get around them and there will be security problems."
I don't think this is the real take-away lesson here. Tight procedures are necessary where they are necessary, and where management of nuclear weapons is concerned, they are necessary.
The real failure here is institutional, not individual. Security is in part culture, and it appears that the Air Force neglected to create, instill, and sustain a culture of secure procedure around nuclear weapons. It should have been somebody's full-time job to verify procedure. That person should have been required to be in a position to report status and location of all Air Force nuclear weapons, with a full audit trail, on half an hour's notice. They should have had a budget and a staff and command authority commensurate with that responsibility.
That job was never created by the Air Force. This is a real scandal, but the heads that should be rolling should be detached from the torsos of generals, not technical sergeants. Unfortunately, judging from the discernible spin imparted to these stories by the AF, it seems likely that low-level "bad apples" will once again take the fall for the failures of their superiors.
I see a lot of "OMG! Something could have gone wrong and the nukes used accidentally!"
The issue is not that there were nuclear and conventional missiles stored next to each other, but rather you had missiles with and without warheads stored next to each other. There exists no conventional warhead version of the missile at issue.
WTF? Is that real? If so, why the hell isn't everyone talking about this. 7 people of a small group dying within a week of the incident is *not* coincidental, and in different parts of the country no less. Again, WTF?
The labelling issue was resolved in "Dr Strangelove", the weapons had big letters on them reading:
Handle with Care
hhhmmmmm... and the US complains about how other nations have lax security and controls???
In his novel "The Sum of all Fears", Tom Clancy has the Israelis losing an unmarked nuke, which re-appears over a decade later in a terrorist plot to blow up the superbowl and start a war between the US and Russia. It became lost after a special crew that was mounting the nuke on an airplane became casualties; later, a pilot who had not been briefed on how to identify their nukes took the plane for an urgent mission, and assumed that strange thing hanging below was a fuel or electronics pod, and there wasn't time to remove it...
There are some fairly good reasons the Israelis might want their nuclear bombs, if they have them, to be unmarked. Besides increasing operational security - where the Israelis have the unique problem of having no bases outside the range of long range artillery from sometimes hostile nations - they've avoided ever confirming or denying their possession of nukes, and one telephoto shot of a device painted "LIVE NUKE" hanging from an Israeli jet would end that. And letting every pilot in on how to tell the difference between a nuke and the other pods that the nuke had been built to resemble would have probably eventually resulted in the secret coming out.
Of course, the US does not have these problems; everyone knows we've got nukes, and everyone who is interested can even find out which units carry them. There might be an argument that it's better not to have anyone with a pair of binoculars able to identify the ordnance on an airplane as it flies overhead, but I think that could be achieved while still ensuring that everyone who is likely to be walking around a nuclear-capable aircraft as it is readied for flight would readily recognize a nuke.
Finally, as a former Air Force technician (but never with a nuclear-armed wing), I can second Bruce's main point: if procedures become too cumbersome, they aren't followed and then anything can happen. I've seen it happen. Every time an access panel on an airplane was opened, we had to enter a "red X" in the airplane maintenance forms - and the plane was then down until a supervisor confirmed that every screw on that panel had been tightened properly and signed off the red X. And yet, after everything was signed off and even the aircrew had signed off on their pre-flight inspection, a plane was starting to take off when a ground crewman noticed the red streamer from a bag of screws protruding from an access panel that had been temporarily replaced with just a screw in each corner - just 30 seconds later, that airplane would have sucked the panel and other parts into its engine, probably crashing and killing the crew. In another incident around the same time, a pilot heard the left engine making noises no jet engine should, so he shut it down and landed on one engine. Naturally, the airplane was red-X for engine inspection and maintenance. That was signed off. Then while it still waited on the ground, a routine periodic inspection that included the engines was signed off. And then a very senior NCO was walking down the flight line at night, happened to shine his flashlight into the engine intake, and could see severe compressor damage from there.
The procedures weren't even that burdensome, considering that every time a plane took off two men's lives depended on it working perfectly. (Our F-111s nearly always operated at low altitude with no room for recovery.) They were backed up by far more than normal job rules - they were military orders, and in theory you could go to Leavenworth for willful violations. And yet, many people were just signing off the forms without even looking at the airplane...
Put me in the Tinfoil Hat camp. I've trained for nuclear security, been cleared to enter nuke storage areas, etc., and real warheads are brightly colored, nothing at all like the dummies. This was no sloppy breakdown in procedures. As long as I appear a nutcase, I won't be joining the six airmen. I can't imagine I need comment on MSM failure to cover things certain officials want to remain unnoticed. Oh, the stories I could tell which never hit the press....
I would assume that nukes have enough fancy codes which have to be executed before launch, that there'd be no way to actually launch them. The bombs would just calmly say "we're not ready to blow up, so we're not dropping." Or at worst, they drop hard, but don't blow up, and there's an embarrassing story about a guy with a hole in his roof and lots of hazmat having to hang around for a while. The real issue is that, were such a craft to be forced down in wartime, live undamaged nukes would be handed over to the enemy.
@Thom: What? You think we were threatening Louisiana? "We're tired of all these handouts - Fix your own damn city or we'll blow it up!"...?
The more you tighten your grip, the more star systems slip through your fingers.
>> Is there some security or military reason why you would want nuclear and non-nuclear weapons to look the same?
Yes, absolutely. You don't want to make life easy for commandos, thieves and targeting specialists.
Russian military units still have wartime standing orders upon sighting a nuclear-armed unit, to radio in a position report and then immediately attack it despite the apparent hopelessness of the attack. Which would you rather lose, an infantry company or a city?
It's "security through obscurity" to have nuclear weapons unmarked, but it's one time when hiding that particular pea in the pod is a good idea. It's not like conventional munitions are going to be left unsecured . . . one hopes.