Minuteman III nuclear ballistic missile control room in a nuclear silo
For a decade and a half, from the height of the Cuban Missile Crisis until 1977, the launch code for the United States’ Minuteman intercontinental ballistic missiles was not a complex, indestructible sequence of digits. Nothing like that: it was the simplest code possible: eight zeros.
This surprising fact remained a well-kept secret until Bruce Blaira former Air Force launch officer and nuclear policy expert, revealed it in the 2010s. And it wasn’t a technical error: it was a deliberate decision.
The story begins in 1962remember . Alarmed by the possibility of accidental or unauthorized nuclear launches, the president John F. Kennedy signed National Security Action Memorandum 160.
This memorandum determined the installation of security devices known as Permissive Action Links (PALs) on all US nuclear weapons.
The system was designed as a technical safeguard: a missile could only be “activated” for launch after the team receives a secret code and correct command from higher command — a code that the team itself would not know in advance.
But the leadership of Strategic Air Command (SAC). the military branch responsible for nuclear bomber and missile fleets. looked at Kennedy’s PALs with deep distrust.
Your biggest fear was not an unauthorized launchbut rather a failed retaliation. They feared that the process would take too long and that, in the event of communication failures, the nuclear response did not happen.
The “solution” found was simple: set the code to 00000000. According to Blair, who served as launch officer in the 1970s, this was standard practice at the time.
In practice, anyone with access to the control panel and authorization to launch just needed to turn a keyknowing that the code needed to activate the missiles was already set to the most basic combination possible.
Thus, contrary to expectations, there was no external code transmitted by higher authorities to validate the launch order.
At the time, SAC insisted that the Minuteman system’s security measures were foolproof. Later evidence shows that this it was far from true.
The main human security mechanism was the so-called “two-man rule”, the “two man rule“, which required the presence and agreement of two qualified members for any critical action. However, this rule was often contoured.
Blair’s investigations and the testimony of other officers describe a culture in which crews, subjected to long, monotonous shifts, often ignored protocols. It was common for a member to sleep while the other had full access to launch controls.
In this context, a single individualknowing that the code was eight zeros, could theoretically start a launch sequence.
This precarious situation remained until 1977when SAC implemented an important reform in procedures, known as Rivet Save.
As part of this initiative, new control panels designated Launch Enable Control Groupwhich required the team to enter an unlock code received through a Emergency Action Messagand (EAM) sent by higher command, before being able to activate the missiles.
Instead of relying on a predefined code with zeros, the new procedure introduced a dynamic code, typically something like P7P7P7P7P7P7transmitted only during a authenticated release order.
Without this code, even the correct key rotation sequence would not allow the launch, and there was two reasons for this change.
On the one hand, SAC wanted reduce the number of launch teams to cut costs, which implied most frequent shifts for the remaining staff. To mitigate fatigue and the risk of human error, members were allowed to rest during shifts, requiring a technical solution that maintained the security even with just one element agreed.
On the other hand, the change responded to concerns about the vulnerability of the Minuteman system to accidental or unauthorized releases.
It took fifteen years to correct a glaring vulnerability — a delay that, from a distance, seems alarming, but which must have seemed so at the time. Even worse: the fact was deliberately hidden by some people responsible.
Blair’s revelations remind us that, for much of the Cold War, the fate of global security was hanging on incredibly fragile threads — like a launch code that anyone could guess.
The code is no longer composed of zeros, but it remains a legitimate question: to what extent is global stability still based on layers of security? surprisingly thin?
