VERIFICATION OF LIMITS ON CONVENTIONAL FORCES IN EUROPE (CFE) by Richard L. Garwin IBM Research Division Thomas J. Watson Research Center P.O. Box 218 Yorktown Heights, NY 10598 (914) 945-2555 (also Adjunct Professor of Physics, Columbia University; Adjunct Research Fellow, CENTER FOR SCIENCE AND INTERNATIONAL AFFAIRS Kennedy School of Government Harvard University) March 15, 1990 Talking paper for meeting of CISAC with group from the Royal Society, London, ENGLAND P067VCFE 030890VCFE DRAFT 4 03/09/90 Views of the author, not of his organizations The purpose of verification of a CFE agreement is to detect militarily significant violations and also to provide political support that would be lacking if one side or the other could have confidence that its violation of the agreement would not be detected. In principle, the nature of the agreement itself should be influenced by the requirement for verification; measures that have no influence at all on military threat may be included in order to ease the problem or reduce the cost of confident verification of compliance with the agreement. Of course, there will be room for unilateral intelligence to detect violations, especially "national technical means" (NTM) as legitimized by the 1972 SALT agreements, but it is anticipated that the requirement for limitations of numbers of treaty limited items (TLI) and (in part) their location, will be accompanied by a requirement to exchange data. Such ancillary requirements then allow a sampling approach to verification, in which the job of verification is to spot-check reality against the declared numbers, with totals obtained by adding the declared numbers rather than by counting all of the TLI in the field. By now, we have a lot of experience with verification of modern arms control agreements, especially with the 1972 U.S.-Soviet ABM Treaty and the accompanying Limited Offensive Agreement of 1972. In addition, the 1987 U.S.-Soviet INF Treaty has very restrictive requirements and intensive verification, which is costing the United States on the order of $100 M per year. This is being handled within the U.S. Department of Defense by the On-site Verification Agency. While there appears to be a lot of activity within the U.S. government regarding verification for START and also for an agreement on chemical weapons, there seems to be very little going on in regard to verification of CFE. The anticipated cost of CFE verification is a problem-- not only that of verification of TLI in active units and in storage, but especially the cost of verification of manufacturing and ancillary capability- expressed in the now-detested term "any time, anywhere." The concern is that readiness for short-warning inspection in the many hundreds or thousands of plants that might be involved with producing TLI such as aircraft, helicopters, or armored vehicles, would involve access to plants where work totally unrelated to the TLI is going on-- work which in the capitalist West may provide advantage over competitors in the commercial as well as military supply industry. Thus, defense contractors (or former defense contractors!) would have to maintain canvas or other materials in readiness for hiding those aspects that should not be viewed by inspectors from the other side (or even from the same side), and will have to practice for inspections which for the most part will never come. For this reason, indeed, it would be desirable to have longer warning of a particular inspection, to avoid the need for practice in the various plants. Furthermore, in the United States at least there is no mechanism to pay for planning and study of an inspection system for CFE. The Armed Services have apparently absorbed the cost of inspection for the INF Treaty. Of course, verification of CFE is certainly not a job for the U.S. and the Soviet Union alone, so other NATO members should be involved in planning, discussions, and support for this process. Among the verification requirements for INF are witnessed destruction of the INF missiles themselves (which are being reduced to zero worldwide in U.S. and Soviet inventories), perimeter and portal monitoring (PPM) of plants formerly involved in manufacture of the banned missiles, and the like. In regard to the forthcoming START agreement, there will also be strict verification requirements. In support of START, wide use will be made of physical tags (reflective-particle tag-- RPT) attached to the TLI themselves in a fashion such that removal cannot reasonably be done without destroying the legitimacy of the tag; nor can the tag reasonably be counterfeited. In discussing CFE verification, it is not necessary to know the precise details of the limits, which are in any event not yet fully negotiated. In any case, however, the limits for each "alliance" will be something like 5000 aircraft, however defined, 20,000 tanks and 3000 Heavy Armored Combat Vehicles in a total of 30,000 Armored Combat Vehicles, 3800 helicopters, and 195,000 troops. Options for Verification. Ensuring compliance by scheduled census is unsatisfactory. First, the cost of a total census is great; the cessation of all activity in order that a simultaneous census could be taken is intolerable from a military point of view; and the standing army that would be required to take the census (but very rarely) is too large. Finally, the scheduling of the census would not give confidence in compliance at times other than those at which the census is scheduled. When the United States was active in Viet Nam, there were occasionally Congressionally mandated or declared limits on U.S. forces in Southeast Asia. These limits were binding at the end of each month, and it was common for personnel to fly out of the theater in order that the limits not be exceeded. At the same time, combat pay for military officers depended upon their presence in the combat theater a certain number of days per month, and there was a lot of flight activity to make sure that they were present for the requisite period to obtain combat pay. These examples are indicative of some of the problems that could appear in verification of a CFE agreement, either by direction from the leadership or as problems that must be encountered in the normal course of military readiness. Unscheduled census, if feasible, would avoid the loss of confidence about compliance at times other than that of the census, since the census could be called at random, and at a time not even forecast by the inspecting side. All of the other negatives apply, and every total census must be rejected as infeasible, excessively costly, and imposing too great vulnerability. Sampling schemes without data exchange are familiar from the use of NTM and other intelligence to estimate the forces on the other side. In addition to statistical error of sampling against an unknown distribution, there can be bias of uncertain magnitude. Independent and simultaneous samples, attempting to be exhaustive in a given region, might be used to estimate the bias, but sampling schemes with data exchange are far preferable and fit easily within the treaty context. In addition to aiding verification, data exchange also contributes political legitimacy and support for the treaty. There is by now the beginning of a respectable literature on verification and conventional arms control. In order to provide ready access to a portion of this, I enclose and reference a sampling. Sketch of Method. For everything except troops, it seems natural to exchange data (and keep it current) on the organization of the limited forces by unit, and the organization within unit by exchange of standard TOE (table of organization and equipment). Exceptions from the standard TOE can be maintained and communicated currently. This provides a natural system of accounting that would allow verification teams to freeze the materiel and personnel of a unit and to verify that it does not exceed its declared strength. Thus, aside from personnel, about which Jonathan Dean has said "All soldiers have to do is to take off their uniforms and put on civilian clothing and they are virtually undetectable," the burden of verification can be borne by an accounting system that keeps track of some 60,000 TLI on each side, organized primarily into military units. I haven't thought enough about verification of personnel limits before this session to have written a prescription. Perhaps by the time of our meeting, I will have something to offer. As for the verification of compliance with limits on materiel, I consider an example in which the holdings of a randomly selected battalion are to be verified. First, a battalion ("Bn") is selected from the declared organization. (At times, a geographical point is selected, and the side to be verified declares which Bn has responsibility for it). The inspected side must also declare the adjacent Bns, the boundaries of the chosen Bn, and any overlaps of other Bns with it. In an analogue to the "envelope method" of K. Jacob, The envelope containing the TOE of the inspected battalion is "opened" by the inspecting side. In actuality, there is no envelope, but rather an encrypted file provided daily by each Bn to its headquarters and communicated to the other side. When decrypted, the lines in the table constitute a list of the TLI with their individual identification numbers. Each Bn (and, if desired, each line in the table) could have a different cryptographic key, so that there need be no valid concern about the inspecting side being able to break the code and obtain clear information about the details of deployment of every one of the TLI. In fact, schemes exist by which additional standard text is encrypted together with the information lines of the table, and alternate bits or characters deleted from the encrypted table, so that the information is just not there, even if the cryptographic key were communicated. Under these circumstances, the information in the table would only be available when provided in the clear by the inspected side. The encryption would serve simply as a means of validation of the clear text-- the test being that the asserted clear text when encrypted by the asserted key gives precisely the deposited cipher text. In principle, this scheme is analogous to a perfectly secure envelope that can be available at any time, that cannot be forged, and that cannot be destroyed. Without tags on the TLI, the verification of the assertion of the inventory would need to be done by scouring the area of responsibility of the Bn, and counting every one of the class of TLI being inspected. If there were supposed to be 200 tanks, no hint of a violation would occur until 200 tanks had been found. A system costing far less in verification personnel is available if each of the permitted TLI has an appropriate individual tag. If these are only class tags (not individually distinguishable), the situation remains the same, and a lot of effort must be expended for verification. Therefore, it is desirable that the tags have individual serial numbers on them, and that they be attached or otherwise closely accompany the TLI. We assume that they are attached (although one could also consider a concept known as the "buddy tag" analogous to a driver's license, which must accompany each TLI and be produced without delay). On the assumption of individual tags, the holdings of a Bn can be verified to within 10% (with 90% confidence) by verifying that a random search of the area producing the first 23 TLI shows every observed identification number to be present in the declared table. Should the tables be required daily, the overall transmission for 60,000 TLI (at about 100 characters or bytes per TLI entry) would be some 6 megabytes-- something that would fit into a modern personal computer. At a very modest data transmission rate of 2400 baud (about 200 bytes per second, net), this would occupy about 50% of the capacity of a single channel for a day. It would require each battalion to communicate from a few seconds to a few minutes per day. In fact, if an incremental approach were taken, and if the central repository were split into several or operated at a reasonable 9600 baud, the communication load could be reduced to some 30 minutes per day. A parallel requirement for verification is, of course, to ensure that every TLI-class item does have a valid tag. This can be accomplished by random inspection, which should never find such an element without a valid tag. Finally, the problem of counterfeiting of tags with sufficient expenditure of time and effort can be countered in substantial part by the issuing of additional individual tags in the requisite numbers, with the requirement that the side to which they are issued apply them to bond with a previous individual tag and report the identity of the two tags as they are affixed. Tags can evolve from simple RPT devices which can be validated only in the field to electronic tags equipped with a fiberoptic attachment seal and split batteries of years longevity, which could be queried remotely (only with the cooperation of the inspected side, which would move a relay receiver/transmitter next to the tag, with which it might communicate by short-range infrared). But for verification of conventional forces in an era of openness and apparent cooperation (which is the only instance in which a CFE treaty will work) inspection by verification staff would be both affordable and desirable. One verification per week for a team of 10 inspectors seems reasonable. One hundred verification visits per year would provide weekly reassurance that TLI holdings had not been increased by more than 10% or so. In fact, an increase by 10% in a week would be noticed in intelligence indicators, and verification plays a role largely in showing that TLI holdings have not been increased beyond the permitted level even by as much as 5% over a period of a year or two. I look forward to discussion of this matter with our colleagues. References 1. "Verifying Conventional Force Reductions" by Lynn Hansen (February 1990). 2. "BASIC Reports from Vienna: A regular update on the CFE and CSBM Negotiations from the British American Security Information Council" (February 22, 1990 - Number 6). 3. "Open Skies Treaty Will Give 23 Nations Surveillance Rights" by David Hughes in Aviation Week & Space Technology (February 19, 1990). 4. "Verification in Conventional Arms Control" by Volker Kunzendorff in ADELPHI PAPERS 245 (Winter 1989). 5. 10/00/88 "Tags and Seals for Verification," by R.L. Garwin published in Bulletin of The Council for Arms Control, LONDON. (100088TASV) 6. 05/01/88 "Using Tags to Monitor Numerical Limits on Weapons in Arms Control Agreements," by T. Garwin and S. Fetter. (050188..TG) 7. 02/00/80 "Tagging Systems for Arms Control Verification," e.g., for mobile missiles, etc. by Thomas M. Garwin (020080..TG) 8. 11/30/88 "Aspects of the Verification of Conventional Arms Control Measures in Europe" presented by K. Jacob, including the WEU "Requirements of a Tag for Conventional Arms Control" dated 07/15/88. (113088..KJ) P067VCFE 030890VCFE DRAFT 4 03/09/90 Views of the author, not of his organizations