Schneier on Security
A blog covering security and security technology.
« E-Mail Accounts More Valuable than Bank Accounts |
| Top Secret America on the Post-9/11 Cycle of Fear and Funding »
June 27, 2012
Russian Nuclear Launch Code Backup Procedure
If the safe doesn't open, use a sledgehammer:
The sledgehammer's existence first came to light in 1980, when a group of inspecting officers from the General Staff visiting Strategic Missile Forces headquarters asked General Georgy Novikov what he would do if he received a missile launch order but the safe containing the launch codes failed to open.
Novikov said he would “knock off the safe’s lock with the sledgehammer” he kept nearby, the spokesman said.
At the time the inspectors severely criticized the general's response, but the General Staff’s top official said Novikov would be acting correctly.
EDITED TO ADD (7/14): British nukes used to be protected by bike locks.
Posted on June 27, 2012 at 6:30 AM
• 40 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I'm curious what was the nature of the criticisms? That the hammer was too primitive a tool for such an important job? That the hammer was kept too close to the safe? That the safe should have been strong enough to withstand a hammer?
It's like the ''Space pen'' - Instead of wasting time and money in order to create a pen that works correctly without gravity, simply use a pencil.
Russian Solutions seems to be the easiest and most efficient at all!
Provided the sledgehammer was kept under safe lock and key -- and/or it was sculpted such that only it (and not a COTS sledgehammer) could open the safe: what's the worry?
Better than having to break open a cola machine to prevent the launch codes.
@Netzblockiere - a pencil seems like a great idea, until in microgravity you get conductive graphite shavings or flakes going somewhere where they're not welcome, such as in delicate electronics.
@ Kai Howells,
until in microgravity you get conductive graphite shavings or flakes going somewhere where they're not welcome
It was not and as far as I'm aware still not a graphhite pencil but a chinagraph pencil.
Chinagraph usually consits of a hard wax base and innert mineral colourant.
Thus providing the wak used was not flamable then the russian solution will be absolutly fine.
@piper - presumably that if you have a functional safe-opening system next to the safe that doesn't require a key - then having the safe is a bit pointless.
You might as well write the codes on the outside of the safe and save everyone the effort
It is not pointless at all. A locked safe still keeps anyone from stealing the codes without anyone else noticing.
Just like a glass liquor cabinet: you know that your kid could break in to it, but he can't do it without someone noticing. And breaking in to a proper safe takes at least some time.
Also, you have to consider the alternative; would country's nuclear arsenal be rendered useless if it is made so safe that you cannot use it even to retaliate if the guy carrying the key cannot fulfill his job? That would make it vulnerable. And you not want the leaders of a nuclear armed country to be in constant fear about their capabilities.
Also, if you're a nearby guard, who has just heard someone hit the safe with a sledgehammer, and you go look and it's not General Novikov, you're probably going to shoot them.
Funny, I guess ... but I wonder if they actually rehearsed this "Plan B"? If the safe is of any remotely adequate quality, it will take a heck of a long time to open with a sledgehammer. Certainly many times longer than the proverbial 4 minutes!
And if the lock is anything like a proper safe lock then "knocking the lock off" with a sledgehammer will achieve precisely nothing, except that you will get a lot of bemused looking Russians standing around saying "Oh, дерьмо, now what!?"
(And if we continue the "Russians are vodka-addled thugs" humour, the next act will involve explosives, a substantial risk of personal injury, and the accidental incineration of the codes.)
The story would make more sense if the "safe" was actually just a cashbox secured with a padlock. But if that is the case, the real story is that Russians didn't really take much care to prevent unauthorised triggering of nuclear holocausts.
Let's be honest, they just knew it wasn't worth worrying about if it ever got to that point. Any finesse or care is probably wasted at that point. Any analysis is going to be debating billions dead, to which one particular anacdote of incompetence is somewhat moot. When the time came to press the button you would probably be doing the world a favour if you just dropped the keys under your chair and fell over drunk.
That was (is?) the UK's nuclear procedure
When they got the order to launch the sub commanders were supposed to surface and listen to see if Radio4 (ie the UK's NPR) was broadcasting - if it wasn't they opened sealed orders put in the safe by the prime minister when he/she came into office.
A former PM revealed that the alternatives were either to launch anyway, to hand the sub over to the Americans, or to jetison the weapons and sail to Australia and live happily in the sunshine.
The idea being if you go to this point the deterrent had failed and killing a few more millions was pointless
Also, you have to consider the alternative; would country's nuclear arsenal be rendered useless...
Actualy this appears to be true for the US system involving PALs.
On set of PALs was like the rotors on an Enigma machine and apparently many of the slip rings were found to be incorrectly set. So that if the right code was put in it actually resulted in the wrong wiring combination so would fail.
Further other tests showed that the "stolen weapons prevention" systems would cause a fizzle or down right failure on something like half the nukes simply because they were to stringently designed and did not age well.
The Russians on the other hand did not have such things in the majority of their smaller nukes and worked on the theory that it was better to use human guards who if they failed in their task knew it was early retirment with a pay of of a half ounce of lead, so they had a good incentive to perform well. Oh the russians also used real chemical weapons during training and planned for between an 8 and 12% attrition rate. And for those that have seen russian NBC kit it used to be like a cross between an old style diving suit and what is sometimes known in certain select circles as a Gimp suit.
The US also had another issue in that their "two man" system did not work. Under realistic testing they found that few would push the button on command of the system and would try to use other communications methods to get confirmation.
So at one point in time considerably less than half the US nukes would be launched in thhe required time window and of those that would have got away the majority would have failed to work satisfactorily...
While I can not read it, I like the photograph accompanying the article.
Isn't that similar to the american system that made sure that the launch code is 000000 ?
I'm almost always a fan of openness and transparency, but isn't it a bit umm stupid to reveal this. Of course it could be a fake story or just a "little sliver", but the "nuclear people" have managed to not blow the world up for awhile now (which amazes me), though we've come very close; let's keep it that way, shall we?
@gal: At a minimum, the safe provides a slow-down for the attacker. I'm assuming that the room with the safe was well-monitored and that they were well prepared to handle an intrusion.
Although, the codes would need be changed if the safe were broken into. Even the insiders couldn't be trusted in such a case. Hopefully they had thought that part thought through too.
@bickerdyke: To be fair, I think it was longer: 000000000000.
Sort of like the "mafia hack". If you can't find the information necessary to get into a system find one who knows and beat it out of him ;)
Wow, Snopes.com could have a field day with the urban legends in this thread!
@roger "Certainly many times longer than the proverbial 4 minutes!" - you are assuming the retaliatory response.
I put it to you, sir, that a pre-emptive strike from the former USSR was the most probable scenario.
Assuming only one SMF HQ issuing the launch commands, gives considerable more that 4 minutes.
This sounds more secure than the security policy that was used around US and British nuclear materials.
My understanding was that SAC changed the codes to "00000000", and that the British nuclear weapons were armed with a bicycle lock.
I think a rogue Soviet officer smashing a safe with a sledgehammer would have a lower chance of success than his Western counterparts.
@roger -- There's a good chance it would have worked instantly. The Russians were known for using 'seal' locks on their safes:
A lock like that would be easily knocked off with a sledgehammer, and after that the safe could be opened instantly. This may be a reason the Russians used such locks -- a mechanical failure wasn't at all catastrophic.
Correct me if I'm wrong, but I thought the launch codes didn't actually launch the missiles, but instead was used by the people "pressing the button" to verify the one who gave the order was legit?
Hmmm, nobody said it yet, but you folk do know that:
The original USAF 'Launch Code' was ALL ZEROS
Right? The launch code was added because the whitehouse demanded control over the ability to launch (hence the presidents famous briefcase of codes) and were worried about rogue officers going crazy and launching, but the USAF didn't trust the chain of command in the event of armageddon, and believed their officers were patriots and flawless.
So the system was built, and the code set to all zeros, and the code was even added to the launch manuals, to ensure that officers could launch if they needed to. Of course, no president said, hand me that briefcase, I want to check what the launch code is set to....
Weirdly, differing points of view based on differing source data and risk assessments ("My password is 'password', nobody will guess that!") is exactly our central challenge in this industry....
Back when I was a graduate student, in the dying days of the text-only CRT terminal, for some unknown reason the grad student computer lab had in it a very hefty 1m long monkey wrench. Thinking like a Soviet general, I put a label on it: "Emergency manual hard reset device."
You don't break open a vending machine. Can you image what that would do to your frame outlook way of life on everything? You shoot the lock off! Shoot, with the gun! That's what the bullets are for!
I went and read snopes space pen story and it actually confirms the legend: the space pen cost a million $ to develop (to Fisher) and the Soviets used pencils. Til 68? Thats bs. They were not going to be buying american pens for their cosmonauts in the middle of the cold war. Give me break.
I strongly believe that the safe and the launching console were (are) guarded 24/7, and the guard was (is) ordered to shoot to kill.
It says "order" on the grey rectangle and "information did not pass" on the red button to the left of the key.
"I put it to you, sir, that a pre-emptive strike from the former USSR was the most probable scenario."
That may or may not be true, but in that case the method of opening the safe is irrelevant. Apart from anything else, they could even drive over to the missile launchers with new codes.
I hadn't known about those, found it very interesting. However: it isn't defeated by a sledgehammer. You can (perhaps) knock the seal lock off with a sledgehammer, but there's still the original safe lock underneath.
@Clive: "The US also had another issue in that their "two man" system did not work. Under realistic testing they found that few would push the button on command of the system and would try to use other communications methods to get confirmation."
I think you're remembering the movie War Games. The way I understand it, the two-man system is to prevent unauthorized launches, not to guarantee launch on command as in the opening scene of that movie.
Do you seriously think there was no trade between Communist countries and the West during the cold war?
Really: Is the sledge hammer for the safe, or for hard heads?
While it might make a good story, I am not sure that I believe it. Well-designed safes contain a relocker mechanism that, in effect, disconnects the lock from the bolts if you try to break in. Hitting the safe with a sledgehammer would make it harder to open, not easier.
Perhaps the real reason for the sledgehammer was that General Novikov planned to sabotage a launch.
Well-designed safes contain a relocker mechanism that, in effect, disconnects the lock from the bolts if you try to break in.
This has been discussed on this blog before. and the plain simple fact is "relockers" are not used in military circles mainly only civilian circles.
The reason for this is the nature of what you are protecting. In the civilian world it is mostly tangible physical objects where relockers have a significant "delaying advantage". In the military world it is mostly intangible information objects where there is absolutly no delay advantage as in effect it becomes a "denial of service attack" or it means prolonged uncertainty niether of which is at all desirable.
British nukes were protected by bike locks
...until the early days of the Blair government the RAF's nuclear bombs were armed by turning a bicycle lock key.
There was no other security on the Bomb itself.
To arm the weapons you just open a panel held by two captive screws - like a battery cover on a radio - using a thumbnail or a coin.
Inside are the arming switch and a series of dials which you can turn with an Allen key to select high yield or low yield, air burst or groundburst and other parameters.
The Bomb is actually armed by inserting a bicycle lock key into the arming switch and turning it through 90 degrees. There is no code which needs to be entered or dual key system to prevent a rogue individual from arming the Bomb.
Actually, relocker or no relocker is irrelevant. Break the "lock" means to smash the dial. That would merely give a bent shaft to try to turn and unlock the safe.
He'd be better off with a hammer and chisel than a sledgehammer.
And trust me, I've WATCHED idiots try to open a military safe with a sledgehammer. They never got it open.
I opened it later. With a shaped charge.
Which shredded the contents, which is what I wanted done anyway. The safe was, of course, off of the property books.
Wzrd1: Why did you want to shred the contents of a Russian Military Safe, and how did you get ahold if it anyway?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.