Toggle Menu

The ‘Nightmare Scenario’

Y2K is coming, ready or not. Right now, mostly not.

Kevin Sanders

February 25, 1999

Y2K is coming, ready or not. Right now, mostly not. And despite desperate efforts to correct the monumentally shortsighted failure to program the world’s computers and computer chips with complete date codes, some disruption is now inevitable when the clocks tick over at midnight at the end of the year.

Most worrisome, because of their vast potential for destruction, are the world’s nuclear weapons arsenals and nuclear power plants. For if the network of interconnected systems collapses and cascades into systemic infrastructure failures, power and communications could be lost worldwide. Restoration may be delayed or even impossible in a world where everything else has snapped to a halt. In the chaos and confusion that would follow no one knows what would happen to nuclear bombs and nuclear reactors. In the truly worst-case scenario, accidental nuclear war and/or reactor meltdowns could release enough deadly radioactivity to return the planet to the insects.

Probably nothing will happen immediately. All the world’s 36,000 nuclear weapons could simply cease to function as the Y2K wave rolls over them. But a newly released report from the respected and independently funded British American Security Information Council (BASIC) warns of the possibility of accidental or mistaken launch of nuclear weapons. The authors acknowledge that this is highly improbable. Most nuclear launch systems require manual activation. But given the existing hairtrigger, launch-on-warning systems on which so many nuclear weapons are still balanced, such a launch, however implausible, could take place within ninety seconds of computer failure in the warning systems. If all military warning, tracking and interception systems were down, bombs could be hitting targets within minutes. The US military is aware of the danger and is working desperately to establish cooperative procedures with Russia, China and other nuclear powers to avert what Deputy Defense Secretary John Hamre has called “the nightmare condition.”

The greatest danger comes from Russian and Chinese missiles. Currently, at least thirteen Chinese nuclear missiles are thought to be capable of reaching the West Coast of the United States. Until Clinton’s visit to China last June, some of the Chinese missiles were reportedly targeted on US cities. As a result of recent understandings, both nations have agreed to de-target their nuclear missiles. But such an agreement is currently unverified and provides flimsy protection, since missiles can be retargeted in ten seconds. As the Y2K digital tsunami moves west from the international date line in the Pacific, China and Russia will become the first nuclear nations to face possible computer failures–almost half a day earlier than the United States. All contact and communications could be lost or disrupted. Launch-site commanders could be left literally in the dark, trying to read the meaning of silence.

On a recent visit to Russia, Defense Secretary William Cohen offered to share early-warning information and exchange up to eighty observers, who would be stationed at the Russian and US launch and communications centers during Y2K. Russian Defense Minister Igor Sergeyev rejected the proposal with a bland assurance that “there is no such danger [for nuclear weapons] since in the Strategic Missile Forces we use special technologies.”

However, according to a number of Russian scientists currently working in the United States, the financially starved Russian military and its dilapidated computer systems are even more prone to Y2K failure than those in the United States. The BASIC report quotes Sergei Fradkov, a former Soviet satellite control technician now working for a Wall Street software developer, who says, “Russia is extremely vulnerable to the Year 2000 problem…. If the date shifts to 0 for a brief moment…that fools the system into thinking there is a high probability of an attack in progress.”

Russia’s nuclear command and control system is linked in what, until recently, was a top-secret program called Perimeter. Although exact details are still not known, Perimeter is reminiscent of the “Doomsday Device” in the sixties black-comedy film Dr. Strangelove, which triggered an automatic massive Soviet retaliation. The US government did not even know of the existence of Perimeter until it was first reported in the New York Times on October 8, 1993. At the time, former Director of Central Intelligence Robert Gates said such a system was “unlikely.” However, Jane’s Intelligence Review, the world’s most authoritative weapons journal, has since confirmed the existence of Perimeter and revealed more details. According to Jane’s, if Moscow were to be attacked, or even if there was “interruption of command links to key Soviet leadership,” Perimeter would automatically trigger a low-frequency radio signal that would launch a communications missile that would, in turn, transmit to all launch complexes the codes that would launch thousands of Russia’s nuclear weapons. The present status of Perimeter is unclear.

Like China, Russia has de-targeted its nuclear missiles. But they can be back on target in ten seconds. Whether this could happen as the result of an automatic or accidental computer default is not known. Sites in the United States, of course, would be programmed into the Russian and Chinese computers as primary targets. No doubt also programmed into Russian computers would be target options for sites in China, France, Germany, Britain and all the NATO countries. Already NATO nations have begun cooperative nuclear security arrangements with Russia. The dangers may not be limited just to the Northern Hemisphere. Probably both Russia and China have computer programs to target the United States’ biggest offshore communications system: the Pine Gap satellite spy base in the middle of the Australian desert.

British Minister of State for Defense Procurement Lord Gilbert says that his government is “not complacent” about the possible impact of Y2K on nuclear weapons aboard British submarines. “We have been in close contact with the US and France over this issue. The year 2000 [problem] has also been raised with Russia and China,” Gilbert said. “I can assure you that our procedures for control of our nuclear deterrent are robust enough to preclude any possibility of an accidental launch of a Trident missile through equipment malfunction.” According to a BASIC research report, Britain has become the first nuclear power to begin de-alerting its nuclear missiles from the cold war hairtrigger. The time it takes to fire missiles on British nuclear submarines has been moved from “a few minutes” to “several days.” According to BASIC this could serve as a precedent and “have important implications for all nuclear forces globally.”

The US military faces a daunting challenge, for it is dealing with the largest interconnected computer network in the world, with 1.5 million computers and 28,000 automated systems. It utilizes more than seventy different computer languages, some of them so obscure there is no one alive who can even read them. And all military systems are riddled with embedded computer chips. These chips are an especially vexing Y2K problem, perhaps an even greater challenge than the computers themselves. Tens of billions of chips are built into everything from toasters and video players to bombs and missiles, some programmed to shut down if they misread the date. There are probably more embedded chips in the US military system than in any other system in the world.

The military continues to offer reassurances that the Y2K problem can be handled. Capt. Allan Toole, who now heads the Pentagon’s Y2K Special Weapons Agency, says, “I have a good feeling about Y2K in this agency.” A good feeling may not be enough. A more reflective response came from Deputy Defense Secretary Hamre, who admitted last October, “Probably one out of five days I wake up in a cold sweat thinking [Y2K] is much bigger than we think, and then the other four days I think maybe we really are on top of it. Everything is so interconnected, it’s very hard to know with any precision that we’ve got it fixed.”

Last March the London Sunday Times quoted John Koskinen, head of the White House Y2K conversion council, saying there was concern “if the data doesn’t function and [the missiles] actually go off.” However, he added, “it’s more likely that they won’t function.” Koskinen now says that since US missiles are launched by humans, they could not be fired accidentally. Diane Shields, vice president of CACI, a government contractor testing nuclear bomb launch systems in US submarines for Y2K problems, told a group of computer experts last year that the systems would fail in their present condition. Hamre warns that the military’s concern is not that their computer screens will all go blank on 2000. “That’s kind of good news,” he said, “because then we’ll know we have a problem. Our bigger fear is going to be that the system seems to work fine, but the data is unreliable. That’s a far worse problem.” Hamre has observed that “the Year 2000 problem is the electronic equivalent of El Niño.”

John Pike of the independent, nonprofit Federation of American Scientists warns, “The fundamental problem is that we don’t know what could happen…. There’s a real risk though that we could see the sort of computer malfunctions that we’ve seen in previous years, where the command and control systems erroneously report that an attack is in progress [and] erroneously direct missiles to shoot at the wrong target.” Pike continues, “There is a small, finite risk that this could lead to an accidental nuclear war.”

Pike says the US military is already starting to classify information to cover up the vulnerability of nuclear weapons to Y2K disruption. According to a Congressional staff member quoted in the BASIC report, “These decisions constitute a concerted effort to censor information on Y2K progress. If there’s anything bad, the immediate response is to cover it up, rather than taking care of the problem.”

In the introduction to the BASIC report, former US disarmament negotiator Paul Warnke concludes: “The only prudent course may be to de-alert or even de-activate those nuclear missile systems where date-related malfunctioning in associated command, control, and communications systems poses even a remote possibility of accidental launch.” The BASIC report has formally called for nuclear bombs and missiles to be de-targeted, taken off alert, de-coupled from their launch vehicles and brought under independent international verification.

Verification will be the real challenge. The prospects are not encouraging for achieving the unprecedented level of multinational cooperation and voluntary transparency that will be required to secure all the world’s nuclear bombs in the next ten months. Belatedly, the United States and Russia have opened talks. On a recent visit to Moscow a top-level Pentagon team discussed establishing a joint missile-warning center to prevent accidental launch of nuclear missiles during Y2K disruptions.

Nor do we know what will happen when Y2K strikes the 432 nuclear reactors around the planet. A growing number of experts are concerned that at least some of them will fail, causing a shutdown or, in the worst case, even a meltdown. When the giant three-reactor Oskarshamn utility in Sweden was tested last year, it automatically shut down as soon as the clock reached 2000.

In an open letter to President Clinton and the Nuclear Regulatory Commission (NRC), Leon Kappelman, professor of computer science at the University of North Texas and co-chair of the Society for Information Management Year 2000 Working Group, warned that reactors could be a threat to public safety during Y2K. Kappelman wrote, “Although the NRC publicly acknowledges century-date-related computer-processing risks that are profoundly threatening to human lives and the environment, they refuse to require or take any action.” When pressed on the issue the NRC admitted, “In a worst case scenario…a plant trip could result in a loss of off-site power and subsequent complications in tracking post-shut-down plant status and recovery due to loss of emergency data collection and communications.” This has never happened, and it is not clear how serious it could become.

An audit of the Seabrook reactor in New Hampshire released by the NRC this past November found that in this single power plant 1,304 separate software items and embedded chips would be affected by the Y2K bug. Twelve were described as having “safety implications.” Another thirteen could cause the reactor to trip off. Of the more than seventy reactor sites under the authority of the NRC, only twelve audits were planned. Nine of these audits have been completed and published. Contingency planning has just begun.

Emergency petitions presented by the Washington, DC-based Nuclear Information Resource Service (NIRS) this past December called on the NRC to close by December 1999 any reactor that cannot be proved Y2K-compliant by full testing. In the second petition NIRS calls for additional backup power units to insure a steady and continuing supply of power to the reactors and cooling facilities. The third NIRS emergency petition calls for full-scale emergency response exercises during 1999 to prepare for possible problems. NIRS executive director Michael Mariotte warned, “The unpredictability of how systems may respond to Y2K bugs, questions of the reliability of off-site emergency responders, including telecommunications, fire, police and other officials, all beg for additional training and practice.”

Most of the world’s reactors have large diesel backup systems for emergency power; even if the reactors have been turned off, permanent cooling must be maintained over the reactor cores to avoid meltdowns. Diesels are not ideal backup systems for Y2K problems. Many have embedded computer chips that may fail during the clickover. And if the loss of normal power and support services is prolonged, the supply of diesel fuel could run out. Resupply may be impossible in a world paralyzed by Y2K. Paul Gunter, director of the NIRS Reactor Watchdog Project, reported to the NRC that existing backup systems “frequently don’t work and are subject to multitudes of problems.” Gunter warned, “This is just the tip of the iceberg, our investigation of these generators is continuing and we are finding they are even less reliable than we had believed.”

We do know all too well what would happen if normal or emergency power were lost to the high-level atomic waste fuel pools in which irradiated fuel rods from the reactor cores are kept cool. If Y2K brings down the national power grid for even a few days and the cooling systems stop working, the water will boil off and lethal radioactivity will be released. Although most pools are located onsite, near the reactors, many are not even connected to the emergency power systems. Mary Olson, the NIRS radioactive waste specialist, notes, “The NRC currently does not even require that these fuel pools have backup power.” Evidently, the NRC has always assumed that in the event of a loss of power there would be plenty of time either to get the power back up or bring in additional emergency power systems before the danger point is reached. Some reactors even have plans to use firehoses in a cooling pool emergency. But with Y2K, even the pumps on the firehoses might not work. And if Y2K brings down the nation’s electric power grid, it could take weeks or longer to restore power. According to Olson, the recently loaded rods–those loaded in the past two years–could begin to melt down within forty-eight hours of power loss.

Recent statements from the US power industry claiming that the risk of a power grid failure is “not as serious” as first feared and “can be fixed in time” have been viewed with skepticism by critics. In a nationwide questionnaire this past September by the North American Electric Reliability Council (NERC) to determine the state of nationwide Y2K preparedness, 25 percent of the more than 200 bulk-power utilities did not even bother to respond. Since all the utilities are interconnected in the major power grids, a computer failure anywhere can “cascade” into failure everywhere. Thus, with a quarter of the utilities not reporting back, there can be no assurance that the grid will not collapse.

Russian reactors present an even more alarming problem, given that nation’s economic crisis. Unpaid workers at some nuclear reactors have actually gone on strike. Neighboring European nations are terrified at the possibility that Y2K could precipitate more Chernobyls. Finland, which shares a border with Russia, has offered to help the Russians check out their reactor computer systems and to help close down and secure any reactors that are not Y2K compliant. This past November, the Times of London quoted intelligence sources saying they feared a possible nuclear meltdown in the former Soviet-bloc nations. These sources believed at least some of the sixty-five Soviet-made nuclear plants could malfunction during Y2K. “Russia’s nuclear industry is in desperate straits. Throw in Y2K and you could have a giant Chernobyl on your hands,” said one source quoted in the Times article.

In the United States the NRC warned early last year that any reactors not confirmed to be Y2K compliant will be ordered to close down before the end of the year. Rick Cowles, former manager of the Y2K program for Digital Equipment Corporation, predicts that most US reactors will have to be shut down before the millennium. Cowles, author of the book Electric Utilities and Y2K and arguably the world’s leading authority on the subject, has become increasingly gloomy about the prospects of a serious power loss. When asked recently what could be done to keep the electric power systems going, Cowles responded, “The truth is, I don’t have any good advice.” Michael Harden, author of Millennium Minefields: Embedded Systems and the Year 2000 Problem, predicts that all nuclear plants will have to shut down, at least briefly, on New Year’s Day.

There are solutions to all these nuclear problems. But there is not much time, and the nuclear industry and nuclear militaries have been slow to react to the challenge. In the latest Congressional gradings of Y2K compliance in government departments, the NRC got a C-, with only 69 percent of its computers expected to be compliant by March. The Defense Department got a D-, with only 59 percent. And the Energy Department got an F, with only 55 percent. They are so far behind there is no way they will be ready and tested by January 1. Representative Stephen Horn, chairman of the House Subcommittee on Government Management, Information and Technology, which grades the departments, says the Energy Department’s status is a source of “deep anxiety.” He complained, “Who wants an ‘F’ student managing nuclear material?”

At a December 1998 Y2K conference sponsored by the World Future Society in Washington, DC, Dr. Harrison Fox, an adviser to Representative Horn’s subcommittee, expressed “great concern” about state of Y2K compliance at the Pentagon, citing nuclear weapons management as the most critical problem. Two weeks later, stung by mounting criticism, the Pentagon announced that it had suddenly achieved 81 percent Y2K “readiness” and will be Y2K “ready” by 2000. Deputy Defense Secretary Hamre announced on December 31 that minor glitches are still likely to crop up on January 1, 2000, but he said, “I think it’s going to clearly be in a category of nuisance…. I’m very confident we won’t have major problems.” However, he acknowledged “some nervousness” in Washington about potential computer problems in Russia. “They don’t seem to have the same level of urgency that we have had over it,” he warned. The Pentagon report will be studied closely–and if past reports are any guide, skeptically–by the General Accounting Office in its scheduled March 1999 survey.

As for concern over reactors, the NRC has published the NIRS petitions in the Federal Register for public comment. The commission says, however, that at this point it will not support the petitions because it is not convinced it needs to “mandate” that utilities insure that their emergency diesel generators are operable and have sufficient fuel onsite. And in apparent re-evaluation of its own earlier rulings, the NRC saw “no reason to mandate that non-Y2K-compliant reactors should be shut down by December.” This too will be studied closely by the GAO in March.

In Russia some experts now say that even if their nuclear reactors are discovered to be prone to Y2K disruptions, they cannot be turned off because hundreds of thousands of people might freeze in the depths of winter. Russia is belatedly moving to deal with the weapons danger. This month Aleksandr Krupnov, chairman of the State Communications Committee, announced that Russia will need $3 billion to fix the Y2K problem and appealed to the United States and other NATO nations for advice and money to help make Russia’s nuclear launch system safe for the year 2000. In the present condition, Krupnov says, “Who knows if the country will be ready? I can’t give any guarantees.”

Of course, if the Y2K danger prods the world into a cooperative effort to defuse the bombs, it could reinvigorate the cause of world nuclear disarmament and boost awareness of the need for safe, sustainable energy sources. Y2K and potential nuclear problems will be discussed March 8 at a daylong seminar given by BASIC and NIRS for Congress, NGOs and academics. Meanwhile, the perils of Y2K in the nuclear age give new urgency to the warning offered nearly twenty years ago by Arthur C. Clarke: “War may no longer begin just in the minds of men, it could begin in the circuits of computers.

Kevin SandersKevin Sanders, a former CNN science editor, is currently director of special projects at the New York City-based War & Peace Foundation. In 1996 he wrote, produced and presented Judgment in The Hague, a documentary report on the World Court hearings on the legality of nuclear weapons.


Latest from the nation