On 3 February 2024, the Knyaz Pozharsky submarine of the Borey-A class was rolled out of the construction hall at the Sevmash shipbuilding plant.

The construction of the submarine began in December 2016. It is the eighth submarine of the Project 955/955A (Borey/Borey-A) series and the fourth serial production Borey-A submarine. Two more submarines of this class are under construction - Dmitry Donskoy and Knyaz Potemkin - both laid down in August 2021.

According to the original plan, the production of this series was supposed to stop at eight submarines. The decision to order two additional ships was reportedly made in 2018. The contract with Sevmash was signed in July 2020.

Russia began deployment of the EKS/Kupol space-based segment of its early-warning system in 2015, with a launch of Cosmos-2510 on 17 November 2015. That was the first of six Tundra launches - Cosmos-2518 in May 2017, Cosmos-2541 in September 2019, Cosmos-2546 in May 2020, Cosmos-2552 in November 2021, and Cosmos-2563 in November 2022. It appeared that the Air and Space Forces would launch one satellite annually, but I don't see a launch in 2023.

The first two satellites worked for about five years. Their station-keeping maneuvers ended in late 2020 and late 2021 respectively. This leaves the system with four operational satellites. Although the full system is supposed to include ten satellites, I believe that four can provide sufficient coverage. They appear to have true look-down capability, adequately covering everything north of the equator. Since the satellites are deployed on highly elliptical orbits, they replace each other at the apogee, so there is probably at least one satellite that is in a position to see a launch.

The system does not need ten to provide continuous coverage. Rather, the idea is to have more than one satellite looking at each point. That helps reduce false positives. Ideally one would need three to almost completely eliminate them, but it's not absolutely necessary. Having one means that operators should be on guard regarding false positives, and since they know the capability of the system, they probably are. It is also worth keeping in mind that the role of space-based early warning in Russia is quite different from that in the US. As I explained elsewhere, it's a matter of geography. So, even if there were no satellites at all, the basic function of the early-warning system would not change dramatically.

If Russia keeps the current deployment rate, about one satellite a year, and assuming that the service life stays at five years, getting to a full constellation of ten will be a challenge. Something will have to change.

At some point there was talk about a geostationary early-warning satellite, but we haven't heard anything about it for quite some time.

Artificial Intelligence (AI) and its potentially dangerous link to nuclear weapons is quite a popular topic these days. Some of it is because nobody really knows what the role of AI can be. It is a (relatively) new and quite exciting technology and it seems to offer some benefits in assessing complex situations. People also intuitively understand that there is a potential danger there - since we don't (normally) know how an AI system arrives at its conclusions, we cannot be certain that its assessment of a situation or its recommendations are correct (whatever that means).

Given that when it comes to nuclear weapons the cost of an error can be rather high (which is a serious understatement), one can easily see why people usually like the idea that, quoting Antony Blinken, "artificial intelligence should not be in the loop or making the decisions about how and when a nuclear weapon is used".

This is all good, but the issue seems to be a bit more complex than just keeping a human in the loop (or AI out, for that matter). After all, people make their decisions regarding nuclear weapons based on information that is processed by computers one way or another. Whether some of this processing was done by AI is not necessarily important, in my view. All technologies have some magic element to them, and it's possible that in the case of AI, the difference is just a matter of degree. This difference may be important or it may not be. I must say I haven't done a literature review, so if there is a good analysis of the role of AI in nuclear decisions, please send me the link.

I believe that one of the issues we are dealing with here is the interaction between people, organizations, and information. And we have some examples of how this interaction works, specifically when it was about real-world decisions regarding nuclear weapons. Not many, but some. And they can tell us something. One of these examples is the series of US false warning accidents in June 1980. This is not the only accident, of course, and it has been studied by others in some detail. (Again, if you have a particularly good study in mind, please send me the link. Scott Sagan, of course, covered it in "Limits of Safety," but he was looking at the safety aspects of the event and he had no access to the documents declassified by the National Security Archive since then.) This is an attempt to reconstruct the June 1980 accidents, largely to get a better picture of what happened.

Documents

The National Security Archive has done a great job compiling a set of declassified documents in its collection "False Warnings of Soviet Missile Attacks Put U.S. Forces on Alert in 1979-1980." There is also the Hart and Goldwater report to the Senate (HGR below). There are some differences between different accounts, some of which will be noted below.

The key documents from the NSA collection used here are the Secretary of Defense Harold Brown's memo to President Carter from 7 June 1980 (HB below), the talking points prepared by the Office of NORAD Deputy Chief of Staff dated 21 July 1980 (NRD below), and the Department of Defense "Fact Sheet" (DoD below).

Background

This largely follows the Hart and Goldwater report that provides a useful summary of the situation and the key players.

There were four key command centers, the main one being North American Aerospace Defense Command (NORAD). Then there were two National Military Command Centers - the National Military Command Center (NMCC) in the Pentagon and the Alternative National Military Command Center (ANMCC), located in Fort Ritchie, Maryland. There was the command center of the Strategic Air Command, at the Offutt AFB, Nebraska.

[Figure: schematic of the command centers and sensors, from HGR]

This schematic representation of the structure of command centers and sensors is from HGR. It does not seem to be entirely accurate, but it gives you an idea. NORAD is receiving data from all early warning sensors - satellites and radars. The other centers are getting data directly from only those sensors that are tasked with detecting SLBMs - satellites and PAVE PAWS radars. NORAD provides the lower-level centers with its analysis of the attack data, presumably based on the entirety of information that it receives. This means that duty officers at the lower-level centers are looking at two sets of displays - one with direct data from some of the sensors and the other one with the NORAD analysis of the data from all sensors.

If there is an indication of a threat, the four centers initiate a conference call. There are three types of conferences:

The first one, Missile Display Conference (MDC), is a rather common event. HGR reports that there were about 1500-2000 events a year that resulted in MDC in 1979-1980. So, these are very common events, and only a fraction of them, less than 100 a year, is evaluated as potentially threatening North America.

One interesting detail (HGR) is that all 3000+ MDCs convened in 1979-1980 resulted from some external physical signal. But in addition to this, there were events where "a computer or a piece of communication equipment will transmit a false piece of information." These would not trigger an MDC and, indeed, were not recorded at all before June 1980. NORAD told HGR that these kinds of events happened about "two or three times a year." Who exactly determined that these are "random failures within the computer and communication equipment" and how this determination was made is not entirely clear.

It appears that any command center can start a conference, but it is not quite clear at what point others are asked to join. I would assume that once one center initiates an MDC, all centers, including NORAD, would be on the call. But there will be a question about this later.

The next level is a Threat Assessment Conference (TAC) that involves higher-level people (up to the Chairman of the Joint Chiefs of Staff). It appears that the TAC protocol involved "preliminary steps to enhance force survivability," such as launch of airborne command posts. The top-level conference is a Missile Attack Conference, with the President brought in. This has never been convened before 1980 (and probably after).

In addition, the Strategic Air Command (SAC) has its own procedure that runs in parallel to the conference process. Even if the data are ambiguous, SAC can implement certain survivability-enhancing measures. These measures include directing bomber and tanker crews to board their aircraft and start engines in preparation for take-off, if necessary. As can be understood from the accounts (and from the actions taken afterwards), the SAC duty officer ("SAC duty controller") can make this decision at his own discretion, without waiting for any conferences to be convened.

28 May 1980

As was determined later, the actual start of the chain of events was 28 May 1980 - displays at two command centers showed that a large number of missiles are coming - 2020 at SAC and 9000 at ANMCC. The signals appeared close together [HB], but "at different times" [NRD]. These showed up for only six seconds at SAC and for a similarly brief period at ANMCC. No conference was convened by any of the centers. Apparently, these were dismissed as one of those rare "random failures." Not entirely dismissed, though - NORAD began a technical investigation of the anomaly. It may well be that this kind of investigation follows each of the 2-3 per year "random failures," but there is no indication of this in the documents.

3 June 1980

The first real accident happened on 3 June 1980. Reconstructing the timeline is a bit difficult. HGR says the first indication appeared "at approximately 2:26am Eastern Daylight Time." NRD places the first "threat" display at 0525. I'm not sure what time zone it is as it doesn't look like GMT or UTC. And definitely not the time in Colorado, where the NORAD HQ was located. It's not particularly important, though, and I will use the EDT time zone from HGR but the minutes from NRD. After all, it produced the famous "3am phone call" meme.

In fact, according to NRD, there was an event a bit earlier - at 02:21 NMCC registered "non-threat missiles." Since these were "non-threat" and "the display cleared within seconds" no action was taken. From this one can conclude that there is a separate display for "non-threat" missiles but this point is not elaborated in the documents.

02:25 The accident proper began at 02:25, when the SAC display showed 2 "threat missiles" identified as SLBMs. Eighteen seconds later the SAC display started showing 200 SLBMs [HGR]. According to HGR, at this point SAC personnel called NORAD regarding this display and NORAD told them that they had no indication of any launched SLBMs. However, no other account has this call. One would guess that a call like this would be made as part of a standard Missile Display Conference, but the conference will not be convened until later.

02:27 Whether or not the SAC-NORAD call took place, SAC made a decision to act and "about two minutes later" [HB] or at 02:27 [NRD] "SAC duty controller" directed "all alert crews to move to the alert aircraft [bombers and tankers] and start their engines" [HGR]. As can be understood from the NRD account, sending crews to their aircraft involved what was known as "Fast Klaxon Alert."

02:28 According to NRD account, NORAD issued "ALL CLEAR" - no detection by any sensors. Again, it is not clear how exactly this determination was made and how it was communicated and to whom. It appears that it was still a phone call between NORAD and SAC. HGR also says that at some point "NORAD showed all systems clear."

02:29 SAC issued a directive to assume "Posture 5" [NRD]. The HGR account says that shortly after the order to start engines was issued, the SAC display cleared and "shortly thereafter" the SAC crews were directed to shut their engines but remain in aircraft. This may have been the "Posture 5" order. Note that HB mentions none of this - neither the clearing of displays nor the directive to shut the engines. The bottom line is that the SAC displays cleared and the aircraft engines were shut. DOD states that the decision to shut down aircraft engines was made by the "Commander in Chief, SAC."

02:31 According to HB, six minutes after the first display reading, SAC "began displaying 2020 ICBMs from BMEWS." Note that these were not SLBMs, so SAC would not have a direct signal from sensors, just a display that was supposed to show the information coming from NORAD.

02:37 Twelve minutes after the start of the accident, the display at NMCC began showing 200 SLBMs coming to the United States [HB].

02:39 At this point [NRD], NMCC Duty Officer convenes a Missile Display Conference [HGR]. It's not clear what happened to the SAC display that showed 2020 incoming ICBMs at 02:31. HB reports that "shortly thereafter" (after MDC), the display, probably the one at NMCC, started showing 220 ICBMs. That would be different from the 200 SLBMs displayed earlier. What's interesting is that, according to HB, the display showed that all 220 ICBMs "had already impacted."

02:39-02:49 These must have been some really tense ten minutes. It's not clear what happened to the displays but they probably continued to show something. According to HGR, "all command posts were convinced that the data were erroneous and invalid."

02:49 The NMCC Duty Officer upgraded the conference to a Threat Assessment Conference (the time is from NRD). This decision is hard to explain. If everyone was convinced that the data were erroneous, why upgrade the conference? HGR says that it was done "as a way of terminating the incident and insuring that all parties knew that there were no threatening activities." This is way too generous, in my view. None of the reports asks why the decision to terminate the incident could not have been taken at a much earlier time, even before the MDC, and why it required going all the way up to a Threat Assessment Conference. HB says that at the time TAC was convened, "a NORAD assessment was requested." But according to NRD, "NORAD assessed information as FALSE" at 02:40, shortly after the MDC was convened.

02:51 A Threat Assessment Conference is a serious business. It triggers all kinds of actions, one of them is a launch of Airborne National Command Post (ABNCP) aircraft. According to NRD, the command post of the Pacific Command took off at 02:51. The National Emergency Airborne Command Post (NEACP) aircraft at Andrews AFB was also preparing to take off. According to DOD, the NEACP aircraft "initiated prescribed actions preparatory to emergency launch" when it received notification of the threat of a "large number of SLBMs." That would be the very beginning of the incident, 02:25, when 200 SLBMs were "detected." DOD further reports that the NEACP aircraft "taxied in position for emergency launch," but by that time the SLBM threat was no longer there, which appears to be the 02:29 point, when the SLBM display cleared. At that point, "senior watch officer directed NEACP to hold in place" [DOD]. William Odom in his note to Zbigniew Brzezinski said that "NEACP didn't move," but he probably meant that it didn't take off. It is reasonable to assume that both aircraft received the same order at the same time, but one took off while the other didn't. It appears that the Pacific ABNCP had a different "senior watch officer."

02:54 NORAD issues a formal "NO" output [NRD]. This seems like something everybody was waiting to happen, but it's not clear how this "NO" was different from those that NORAD repeatedly communicated earlier - see the SAC-NORAD call at 02:25, "ALL CLEAR" at 02:28, and the assessment of information as FALSE at 02:40. (In parenthesis, the NRD account also mentions that "CINCLANT incorrectly reported SLBMs indications" at 02:53, but it's hard to see how this fits in the narrative as these indications did not originate from any of the command posts or sensors.)

02:57 Finally, the Threat Assessment Conference is terminated, 32 minutes after the first erroneous reading appeared on the SAC display.

02:58 SAC, of course, had a separate procedure and took another minute to terminate its own alert.

So, the accident was over 33 minutes after it began.

6 June 1980

In response to the 3 June incident, NORAD took some measures, such as communicating with all users, analyzing the data, and installing some "software trap" (whatever that means). At the same time, it also placed computers back to the 3 June configuration [NRD] and tried to "duplicate the error ... hoping to reproduce the erroneous data" [HGR]. Whether as a result of these efforts or by happenstance, the error did appear again.

The 6 June timeline is more confusing. HGR says that the first erroneous reading was displayed at 3:38pm, probably Eastern Daylight Time. The NRD account places the first display at 19:49. Not only is the time zone different, but the minutes are different as well. Since the absolute time doesn't matter that much, the description below will follow the NRD times.

19:49 As reported by NRD, the display at SAC showed 2000 incoming ICBMs. HB adds that this was followed "in a few seconds" by displays of 6 missiles at NMCC and 2020 missiles at ANMCC. NRD also mentions the NMCC and ANMCC displays, but doesn't say anything about them other than that they were there. HGR reports that these were ICBMs as well. HGR doesn't say it directly, but one gets an impression that operators, at least at NORAD, were aware of the effort to reproduce the error.

19:51 At this time, SAC again sounded its Fast Klaxon Alert, which sent crews to their aircraft and directed them to start their engines [NRD, HGR]. HGR reports that they were directed to shut down engines (but remain in the aircraft) shortly thereafter.

19:51 While SAC does its own thing, NMCC convenes a Missile Display Conference. During the conference NORAD apparently says that there are no signs of an actual attack [NRD].

19:52:30 Here is the moment when NORAD formally says "NO" [NRD].

19:53 MDC is formally terminated. That was four minutes after the first displays at SAC, NMCC, and ANMCC.

20:03 That's when the "spurious indications" finally stopped [NRD].

20:06 According to HB, it took SAC 13 more minutes to terminate its alert - "17 minutes after the first false display appeared at SAC" [HB]. It appears that SAC waited until everything is truly over.

After the incident was over, NORAD switched its computers. According to DOD, the backup computer used "completely different hardware and software from the system that caused the problem." (In parenthesis, the May 1981 GAO report "NORAD's Missile Warning System: What Went Wrong?" says, apparently incorrectly, that there was a Threat Assessment Conference on June 6, 1980).

Some lessons

This part of the story is reasonably well known - the culprit was a 47-cent computer chip that randomly inserted number 2 into the communication signal that went from NORAD to lower-level command centers (although this doesn't quite explain the 6 missiles display at 19:49 on 6 June or 9000 missiles display on 28 May).

It's certainly worth noting that the idea of constantly sending a message that would show the number of incoming missiles was designed as a clever feature. That message was supposed "to have a continuous check on the condition of the circuits." It wasn't quite a safety feature, but it was designed to make the system more efficient in some way. But, of course, what it did was introduce a new point of failure (NORAD changed the format of the message after the incident).
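The failure mode described above can be replayed in a few lines. The following Python sketch is an added example, not code from the original post or from NORAD: it assumes a four-digit, zero-filled count field (the documents quoted here do not give the message layout), enumerates what a display can show when the digit 2 is inserted, and contrasts a receiver that trusts the field with one that verifies a hypothetical CRC-32 trailer.

```python
import zlib
from itertools import product

FIELD_WIDTH = 4      # assumption: four-digit, zero-filled missile-count field
FAULT_DIGIT = "2"    # from the page: the chip "randomly inserted number 2"

# Display values quoted on the page (28 May, 3 June and 6 June 1980).
REPORTED = [2, 200, 220, 2000, 2020, 6, 9000]


def fault_outcomes(width=FIELD_WIDTH, digit=FAULT_DIGIT):
    """All values a zero-filled field can show if any subset of digits becomes `digit`."""
    values = set()
    for mask in product([False, True], repeat=width):
        if any(mask):
            values.add(int("".join(digit if hit else "0" for hit in mask)))
    return values


def classify(reported=REPORTED):
    """Split reported display values into those the fault model explains and the rest."""
    possible = fault_outcomes()
    explained = [v for v in reported if v in possible]
    unexplained = [v for v in reported if v not in possible]
    return explained, unexplained


def build_frame(count):
    """Sender: count field plus a CRC-32 trailer (hypothetical frame format)."""
    body = f"{count:0{FIELD_WIDTH}d}".encode("ascii")
    return body + b"|" + f"{zlib.crc32(body):08x}".encode("ascii")


def corrupt(frame, position, digit=FAULT_DIGIT):
    """Fault injection: overwrite one digit of the count field in transit."""
    return frame[:position] + digit.encode("ascii") + frame[position + 1:]


def read_unchecked(frame):
    """Receiver that trusts the field and displays whatever it contains."""
    return int(frame[:FIELD_WIDTH])


def read_checked(frame):
    """Receiver that reports a link fault (None) instead of a count on CRC mismatch."""
    body, _, crc = frame.partition(b"|")
    if len(body) != FIELD_WIDTH or not body.isdigit():
        return None
    if f"{zlib.crc32(body):08x}".encode("ascii") != crc:
        return None
    return int(body)


def demo():
    """Corrupt an all-zero link-check frame into '2020' and read it both ways."""
    clean = build_frame(0)
    bad = corrupt(corrupt(clean, 0), 2)          # "0000" -> "2020"
    return read_unchecked(bad), read_checked(bad), read_checked(clean)


if __name__ == "__main__":
    explained, unexplained = classify()
    print("explained by inserted 2s:", explained)
    print("not explained:", unexplained)
    print("unchecked / checked / clean:", demo())
```

Under this assumed layout the model accounts for 2, 200, 220, 2000 and 2020 but not for 6 or 9000, which matches the caveat in the text.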

So, what does this accident tell us? Most importantly, in my view, is that having a human in the loop does not really guarantee anything. Human operators have their checklists to go through and procedures to follow. It is telling that even though operators had access to the data from satellites and radars that were telling them that there is no attack underway, they still put a lot of weight in that display that showed them some random numbers. Imagine that it were not a numeric display but some situation assessment screen generated by a presumably sophisticated AI algorithm. A call to the upper-level (NORAD) center may not resolve the situation if that center does not really know how that screen is generated.

The HGR authors asked what appears to be the right question, which is whether it is possible to develop a checklist that would cover all possible scenarios or to tell operators to find balance between reliance on checklists and application of sound judgement. They left the question hanging but seemed to be skeptical about a comprehensive checklist. And they had a point.

It appears that they had more faith in the balance between checklists and "sound judgement." But that's not quite straightforward. First, the entire episode showed that it is too easy for the checklist to prevail. I do not see a reasonable explanation for why the episodes were not terminated much earlier. If everything went as described, the Missile Display Conference should not have been convened on either June 3rd or June 6th. And there is no reasonable explanation for the Threat Assessment Conference on the 3rd.

It may have helped had the checklist included an option like "I don't trust this thing and have no idea why it behaves like this." But it didn't and the operators apparently did not feel that they could create one on the spot.

The SAC procedures deserve a separate mention. HGR says that SAC's decision to send crews to their aircraft "was not an untoward move." Perhaps. It was arguably a reversible step, which didn't have an escalatory potential on its own. But one would hope that someone would think about sounding that Fast Klaxon Alert on June 6, when everybody knew that the system generates erroneous messages. And definitely it's hard to justify waiting for 13 minutes after the June 6th MDC concluded that the alert is over.

The accident showed that the assumptions that go into your procedures matter a great deal. If your assumption is that the Soviet Union can attack you any minute you design your procedures accordingly. You can try, of course, to include certain safeguards, but in the end this assumption will dominate your thinking and your checklists.

And, more importantly, it will affect your presumably "sound judgement." For example, HGR noted that "there seemed to be an air of confusion" after the alarm was over on June 3rd. Of course there was. But HGR authors worried about this confusion for an interesting reason. For them, it pointed at a possibility of what we would probably call a cyber attack these days. The scenario would be that the adversary would introduce some "stray and erroneous data" into the system, which would confuse everyone to the point of undermining the effectiveness of the entire system. If this is something that the operators are trained to keep in mind, one can see how this can seriously affect their judgement.

I don't really have a good bottom line here. Maybe it's that the technology that is used in nuclear command and control, whether it's something old-fashioned or sophisticated AI, doesn't matter that much. The basic design of the command and control network and the underlying assumptions that you made are more important. Yes, it is vital to keep humans in the loop, but we shouldn't overestimate their role. If your human operator cannot conclude that nobody starts a nuclear war with five missiles, as Colonel Petrov apparently did (even if it's a bit more complicated), then having them there won't really help you.

Anyway, the issue of AI and nuclear weapons is going to be around for some time. I hope that this attempt to describe the 1980 accidents will help inform the discussion of the issue. I will also try to put together a post on what we can learn from the Soviet accidents (that we know about). It can be very interesting in my view.

Note 20.11.2023: The post was updated to add references to the DOD document.

Something started happening to the unique IDs assigned to Russian strategic bombers. These are the big, usually red, numbers painted on the nose gear door, sometimes called "бортовой" or "тактический" number. For example, one of the Tu-95MS bombers shown taking off during the October 2023 exercise had "68 red" as its UID number (enhanced screenshot from an MoD video).

[Image: Tu-95MS 68 red]

The problem is that this number hasn't been seen before. Piotr Butowski says that it's not the first time - the Tu-95MS shown to Kim Jong Un in Knevichi in September 2023 appears to be "79 red" and it is also not on the list (it's the 88s in the video). This may not be too big of a deal, but one problem with this is that these numbers used to serve as Unique IDs in New START (and it was, in my view, one of the clever things in the treaty). There are other ways to designate an aircraft, like the RF registration number, but I have it on (very) good authority that New START used the big two-digit ones (occasionally with a third digit after a slash) to designate heavy bombers. And I had it confirmed that no one has seen the "68 red" Tu-95MS during inspections.

[Image: Tu-95MS 79]

It is rather puzzling why Russia would start doing this. All New START inspections and data exchanges have been suspended anyway. And as far as I can tell, normally an aircraft would get this number for life. It is supposed to be a unique ID after all.

Some numbers are still there, though - for example, "49 red" and "60 red" that appeared in recent MoD photos.

[Image: Bulava]

On 5 November 2023, Imperator Alexander III, a submarine of the Project 955A/Borey-A class, conducted a successful launch of a Bulava missile. The submarine was deployed in the White Sea; the warheads reached their targets at the Kura test site.

The launch is part of the acceptance tests of the submarine. It is expected to enter service by the end of 2023. The construction of the submarine began in December 2015; according to the original plan, it was expected to enter service in 2020.

On October 27, 2023 at 09:04 MSK (06:04 UTC) the crews of the Air and Space Forces conducted a successful launch of a Soyuz-2.1b launcher from the launch pad 43/4 of the Plesetsk launch site. The launcher delivered into orbit two satellites - Cosmos-2570 and Cosmos-2571.

As was the case with previous launches, the primary satellite of the mission, Cosmos-2570, released what appears to be a smaller satellite, presumably named Cosmos-2571. The separation took place around 02:16 UTC on October 29. The satellites received international designations 2023-165A and 2023-165C respectively. Their NORAD numbers are 58148 and 58172. The satellites were deployed in a nearly circular orbit with altitude of about 900 km. Cosmos-2570 is believed to be a Lotos-S1 electronic reconnaissance satellite of the Liana system. The previous satellite of this class, Cosmos-2565, was launched in December 2022.

On October 25, 2023 Russian armed forces conducted an exercise of strategic forces. This is an annual exercise that is traditionally held in the fall (one exception was the 2021 exercise that was moved to February 2022). As in previous years, the exercise tested procedures of "a massive nuclear strike in response to a nuclear strike by an adversary."

The 2023 scenario repeated the one from the previous year in almost all its elements, although it was a nighttime exercise this year. Like in 2022, the exercise included a launch of a Yars missile from a mobile launcher in Plesetsk, a launch of a Sineva missile from the Tula submarine of the Project 667BDRM/Delta IV class from the Barents Sea, and launches of ALCMs conducted by two Tu-95MS bombers. (One of these bombers, shown in the video, appears to be "68 red".)

The fall exercise is sometimes referred to as Grom (Thunder). However, no official name was announced this time. In 2022, the exercise took place on 26 October 2022.

On 16 October 2023, the Generalissimus Suvorov submarine of the Borey-A/Project 955A class arrived in Vilyuchinsk in Kamchatka where it joined the 25th submarine division. The submarine, the sixth in the Project 955 line and the third Project 955A/Borey-A submarine, was officially accepted for service on 29 December 2022.

The Air and Space Forces conducted a successful launch of a Soyuz-2.1b rocket from the launch pad No. 3 of the launch complex No. 43 of the Plesetsk space launch site. The launch took place at 16:19:25 MSK (13:19:25 UTC) on 7 August 2023. The satellite that the rocket and its Fregat boost stage delivered into orbit is a Glonass-K2 navigation satellite No. 13L.

The satellite was designated Cosmos-2569. It received international designation 2023-114A and was registered by NORAD as object 57517.

This is the first satellite of the Glonass-K2 type. The last launch of its previous modification, Glonass-K, took place in October 2022. The most recent Glonass-M launch was conducted in November 2022.

The Strategic Rocket Forces appear to be set to complete the retirement of SS-25 Topol-M mobile missiles. According to the account of the 22 July 2023 meeting of the RVSN military council, the rearmament of the Bologoye division (Vypolzovo in START) will be completed by the end of 2023. The 7th Guards Missile Division in Bologoye was the last SS-25 Topol division.

Topol-based command missiles in Yur'ya have also been replaced by Yars-based Signal-M missiles.

The same account reports that the rearmament of the divisions in Kozelsk (silo Yars), Yasnyy/Dombarovskyy (Avangard), and Uzhur (Sarmat) will continue.